SQL injection attack on our site
General information
Forum: Microsoft SQL Server
Category: Other
Environment versions
SQL Server: SQL Server 2005
Miscellaneous
Thread ID: 01338988
Message ID: 01339623
Views: 7
I ran these two commands on our production server:

-- public is the role every database user belongs to, and DENY overrides any GRANT
DENY SELECT ON sys.sysobjects TO public
DENY SELECT ON sys.syscolumns TO public

>>I just recently dealt with this on some software my employer had purchased from a third-party vendor years ago. I cleaned the tables too, but the next morning all the values were back. There are programs that will try to automatically execute the code on your site over and over again.
>>
>>I set up SQL Profiler to trace what was going on. Once I saw what they did, it was very simple; I modified two things. I denied SELECT permissions on the sysobjects and syscolumns tables to the login that the site was using, and then I found the web page they were using and validated the parameter being passed in via the URL, because they had appended a long string to the end. This prevented it from actually hitting the database at all.
>>
>
If it's not broken, fix it until it is.
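The second fix in the quoted reply, validating the URL parameter before it reaches the database, is the one that stops the automated requests outright: on SQL Server 2005 sys.sysobjects and sys.syscolumns are only compatibility views, so a DENY on them does not touch sys.objects, sys.columns or INFORMATION_SCHEMA, and a slightly modified script would enumerate through those instead. The following is an added example, not code from the original thread or from the vendor software it describes. It shows the "before" pattern (the raw URL value concatenated into the SQL text) beside the hardened version (allow-list validation plus a bound parameter). sqlite3 stands in for SQL Server so it runs offline; the products table, the page parameter and the payloads are all constructed here.

```python
"""Added example: URL parameter validation and parameter binding versus
string concatenation. sqlite3 is a stand-in for SQL Server; the table and
the payloads below are constructed for the demonstration."""
import re
import sqlite3

# Hypothetical page contract: the only valid product id is a positive integer.
_ID_RE = re.compile(r"^[1-9][0-9]{0,9}$")


def is_valid_id(raw: str) -> bool:
    """Allow-list check for the URL parameter: digits only, nothing appended."""
    return bool(_ID_RE.match(raw))


def build_db() -> sqlite3.Connection:
    """Constructed sample data: a small products table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, descr TEXT)"
    )
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [
            (1, "widget", "a widget"),
            (2, "gadget", "a gadget"),
            (3, "doohickey", "a doohickey"),
        ],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, raw: str) -> list:
    """The 'before' pattern: whatever arrived in the URL becomes SQL text.
    A value such as "2 OR 1=1" changes the WHERE clause and returns every row."""
    sql = "SELECT id, name FROM products WHERE id = " + raw
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, raw: str) -> list:
    """Reject anything that is not a bare id, then bind the value.
    The bound value is data, never part of the statement text."""
    if not is_valid_id(raw):
        raise ValueError("rejected product id: %r" % raw)
    return conn.execute(
        "SELECT id, name FROM products WHERE id = ?", (int(raw),)
    ).fetchall()


def hardened_rejects(conn: sqlite3.Connection, raw: str) -> bool:
    """True when the hardened lookup refuses the value before touching the DB."""
    try:
        lookup_hardened(conn, raw)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    # Constructed payloads: a tautology and an appended stacked statement
    # of the shape the reply describes ("a long string on the end").
    for value in ("2", "2 OR 1=1", "2;DECLARE @S VARCHAR(4000)"):
        try:
            vulnerable = lookup_vulnerable(db, value)
        except sqlite3.Error as exc:
            vulnerable = "error: %s" % exc
        print("raw=%r vulnerable=%r rejected=%s" % (
            value, vulnerable, hardened_rejects(db, value)))
```

The stacked-statement payload happens to error out in sqlite3, which refuses more than one statement per execute(); SQL Server executes it, which is why the reply saw the table contents rewritten overnight. The tautology shows the quieter failure mode, data disclosure, that the concatenated version also has.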