My server was hacked like many others yesterday by this one SQL injection attack. I have two tables that have the alien script put in.
My options are:
-Manually delete the script from thousands of database entries.
-Find copies of the tables and replace them.
How I would like to have a SQL query that finds the script beginning with the **"></title>\****<script** and ending with **</script><!--** and removing it from all the database entries that have it.
Example:
So the query would see a databse entry like "></title><script> </script><!--Aland Islands
and remove "></title><script> </script><!--
leaving just Aland Islands behind.
P.S. I post the full script I want to remove just in case. Sorry for some reason stackoverflow isnt letting post some of this info.
One option is to take the DB offline, export the tables into load scripts, then use a text editor or sed to remove the malicious text, then truncate the tables and load them back in using the load scripts.
An example:
DELETE FROM infected_table
FROM
infected_table i
WHERE
i.script_column LIKE '>%'
Please do try the LIKE clause using a SELECT before running it though or run it in a transaction checking that the result is correct before committing.
1st find all the vulnerable Links on your site then change the version of mysql you are using because the error which help to attacker to find your site is vulnerable or not is due to the error. If your web application on php there are several other error which help to attacker to find site is vulnerable or not. You can use acunetix web vulnerability scanner for find all venerability on web application.
Related
I have a fairly complex database that has worked for quite a while. Today I went to troubleshoot something and I got a non-sensical error.
In my macro, first I create detail tables. Then I number each row sequentially in the detail table with a VBA script. Then I create a summarized version of that table including the just the key info like SKU and row number. (The rest of the details are added back later using the row number). The numbering script is working. The detail tables have the row numbers. However the summary table does not have the row numbers after running the macro. If I manually click the queries to add the summary tables, the numbers magically appear.
Please help. This database has worked for over a year without this problem.
Honestly it sounds like its corrupt. MS Access uses the Jet Engine which is known for bloating dB size and quite easily becoming corrupt.
You can see by the odd behaviour, the program is having trouble with the underlying file. If you open a new Access DB it won't exhibit the same problems.
The best bet is to recreate the dB from scratch or port it to SQL Server, PostGres, MySQL, SqlLite etc and put the application logic in a program - even if its a VB6 app, though I'd recommend .Net.
I've got the code to strip out every thing and recreate the MS Access dB here:
https://stackoverflow.com/a/16158027/495455
WSO2 Identity Server 5.0.0
I am wondering what the full path of SQL queries would be if i wanted to create and update Service providers via SQL queries. It's more than adding to the SP_APP table as a newly inserted entry by that means doesn't show in the UI. I was looking through the identity-core code and got a little lost, since it seems to abstract out some intricate registry stuff.
Anyway, I'd love to know how I could navigate the database to look at stuff by these means.
I would suggest moving your WSO2 IS completely onto SQL Server. You can then see all the tables and scripts that are run against it (using something like QueryProfiler). To do this, follow the instructions: https://docs.wso2.com/display/ML111/Setting+up+Microsoft+SQL.
Note that at the end of the document you must run two scripts (not just the one they show):
<PRODUCT_HOME>/dbscripts/mssql.sql
<PRODUCT_HOME>/dbscripts/identity/mssql.sql
I have to admit that the documentation on WSO2 IS is not very good or complete, but they have been good at answering questions. SQL Server was hard to set up as some of the steps were old (as you see they reference SQL Server 2005), but if you know your way around SQL Server pretty well, you can figure out the minor things. The largest issue was the second .sql script that needed to be run.
That should set you up well enough to see what is being called when set up Service Providers, or anything else that goes into the database.
I have just started an internship in I've had to learn a lot on my own. I'm learning MS SQL Server, but having a strange problem. I have a DB that has four small tables. Each one has a script to drop the table, recreate the table (I've avoided FK dependencies for the time being), and execute a demo query.
Problem 1: When I first started SQL Server Managmenent Studio would execute the script, but one table didn't show up in the Object Explorer. If I tried to execute a demo query from the same .sql file, it executed with no problem. If I tried to access it from another .sql, the table didn't exist. After many times of successfully executing the script, it finally just showed up.
Problem 2: Similar problem. When I updated one table, the changes wouldn't be reflected in queries.
Problem 3: Queries will fail, but if I click execute again with no changes being made, it will usually work correctly.
Problem 4: When I use an alias for a field name, sometimes the alias is recognized and sometimes it isn't. I've literally had single query in which the alias would work in one place, but not work in another and I had to use a fully qualified name.
I've tried the refresh and refresh local cache, but those seem to have no effect. If I exit Management Studio, that seems to usually fix the first two problems.
Am I going nuts or am I just in the dark about some weird specifics of SQL Server?
First of all, when you make a schema change you need to right-click on the "Tables" node for the database in management studio and hit refresh.
If you change a column or something in a table, right-click the table and refresh.
The refresh local cache only updates the intellisense stuff, and the refresh only updates the GUI. If you modify a table with SQL and do not refresh it in the UI, the query can still use the updated table.
If you query fails, you either have a bad query or it's not pointed at the database or connection you think it is.
For aliases, there are places where they will not work (update statements, for example) but if you don't post queries where they don't work we cannot read your mind and tell you what's wrong.
If you have specific queries that are failing, post them.
I'm using SQL Server 2008 and need to see a list of what commands have been exectued and when. Is this possible? How can I read such log?
Duplicated question (I guess)
Looking for a SQL Transaction Log file viewer
You can use third party software to read transaction logs.
http://www.red-gate.com/products/dba/sql-log-rescue/
http://www.apexsql.com/sql_tools_log.aspx
http://www.toadworld.com/products/toad-for-sql-server/w/wiki/10586.log-reader.aspx
And if you want to audit truncate command try to audit all commands executed on your database.
http://www.databasejournal.com/features/mssql/article.php/3861791/Database-Level-Auditing-with-Microsoft-SQL-Server-2008.htm
There are some commercial products which will do this like Apex SQL Log and I think Red Gate might do one too, which give you a nice GUI to do all this but it is possible to do all this without them. That being said, if you only need to do this once then you might get away with juts downloading and using a trial version of one of these products.
This tutorial shows you how to get started extracting information from the log using T-SQL and an undocumented function called fn_dblog. However, the caveat here, as always with undocumented features, is that you should not rely on it in production code in case it disappears without warning, which it may. If you're just using it to investigate something and not using it on a scheduled basis or anything then you'll be fine.
There are quite a few other tutorials out there that use fn_dblog as well, so just have a look on your favourite search engine. It is worth readin up on this function before using it as the information it returns isn't all that straightforward.
I just took over management for a webservice and today i got a user report about this error. Now i'm no sql injection expert but does this error make this attack possible?
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[MySQL][ODBC 3.51 Driver][mysqld-4.1.22-community-nt]You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '') ORDER BY TCOL_date desc' at line 1
I'm asking because for some reason i'm not given access to the code and the previous guy insists that the site is safe so i need to come with some proof or facts that it's actually vulnerable.
Thanks in advance for any help.
In short Not really... but.
While this might provide more information than you're comfortable with (version of MySQL running, drivers being used, and a little about a couple of columns), it's not going to open you up to an attack as much as showing the whole SQL line would. Someone could try to blind hack it to get more information, and the fact that it's showing any info at all is a lot worse for you from the standpoint of an attacker trying to get in than showing info only in the logs. Feedback, even a little can aid an attack[er].
If by trying to insert various bits of code into the form you can get a response that prints your own content you're inserting this would be much more beneficial to an attacker. The fact that this application breaks when you insert a ' leads me to believe that it's not as secure as the programmer claims. This might also lead an attacker to look for another avenue of attack. If they can insert javascript code into a form and have it display in a profile, or if they can inject code that's executed upon return from the server, then they could exploit the server and use it to launch their own attacks.
The problems with SQL injection come back to [code] implementation and the types of things allowed (and blindly processed) by the forms. For instance if you could escape a single quote \' in your current situation, someone could open and close the SQL statement and possibly UNION their own statement when pulling a query. If they could close the statement and append another statement, they might add delete from users where 1=1 or something of that nature. Another way might be if you can type in <marquee>Test</marquee> and it prints the word "test" scrolling when it finds no results then you can perform injections because it's not stripping out code.
This all leads back to permissions. The permissions on the server should make it so the users on the front end of the site only have access to the permission levels they need. If they're only querying the database (SELECT), they should not have access to INSERT, UPDATE, DROP TABLES, or DELETE.