
I have a website with ASP.NET as the front end and SQL Server 2005 as the back end. But I am facing a very strange SQL injection on my back end. Some type of CSS with HTML from a spamming site is being appended to my website database, in each table and in each varchar-type column. For example:

</title><style>.acoi{position:absolute;clip:rect(439px,auto,auto,439px);}</style><div class=acoi>Apply here <a href=http://gogopaydayloans.com>payday loans</a></div>

I have tried all these things. I have checked that there are no open query string parameters. All queries are parameterized across the whole website. My IIS server log does not specify which page was opened for this. How should I sort out this issue?

    I doubt your assertion that "All queries are parameterized". – Martin Smith Jun 10 '13 at 10:57
  • Just open the SQL Profiler and start a Trace session. You should be able to identify the problematic query (if the attack repeats). – Steve Jun 10 '13 at 11:01
  • Do you have any suspicious connections to your SQL server? It is possible (although much less likely than simple SQL injection) that someone has got direct access to your SQL server. About SQL injection: parameterized queries do not help if you happen to build dynamic SQL using textual parameters as building blocks. – Arvo Jun 10 '13 at 11:01
  • Are you reading the title from the database? If that is the case, then SQL injection is to blame. Otherwise it seems that your server has been compromised and it has been hard-coded. Please look for all possibilities: accidental insert, SQL injection, web server compromised, etc. Sorry, I just noticed that it has been appended to a table column, then for sure it seems to be SQL injection. Please also check your SQL Server log to see whether that has been compromised. – Learning Jun 10 '13 at 11:12
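The symptom in the question (the same HTML fragment appended to string columns across many tables) is easiest to scope from inside the database. The following T-SQL is an added example, not code from the question or from any of the answers: it walks INFORMATION_SCHEMA.COLUMNS for every character column in the current database and counts the rows that contain the marker quoted in the question. The marker text comes from the question; the temporary table name and the `sp_executesql` wrapper are this example's own choices. It only reads; it changes nothing.

```sql
-- Added example: inventory which tables/columns carry the injected fragment.
-- Assumes SQL Server 2005 or later and that you run it inside the affected
-- database. Identifiers are discovered at run time and quoted with
-- QUOTENAME; the search value is passed to sp_executesql as a parameter,
-- never concatenated into the statement text.
SET NOCOUNT ON;

DECLARE @marker nvarchar(200);
SET @marker = N'</title><style>';   -- leading bytes of the payload from the question
-- (if your payload contains %, _ or [ you must escape them: they are LIKE wildcards)

IF OBJECT_ID('tempdb..#hits') IS NOT NULL DROP TABLE #hits;
CREATE TABLE #hits
(
    SchemaName sysname,
    TableName  sysname,
    ColumnName sysname,
    HitCount   int
);

DECLARE @schema sysname, @table sysname, @column sysname, @sql nvarchar(max);

-- Every char/varchar/nchar/nvarchar/text/ntext column of every base table.
DECLARE col_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT c.TABLE_SCHEMA, c.TABLE_NAME, c.COLUMN_NAME
    FROM INFORMATION_SCHEMA.COLUMNS c
    JOIN INFORMATION_SCHEMA.TABLES t
      ON t.TABLE_SCHEMA = c.TABLE_SCHEMA AND t.TABLE_NAME = c.TABLE_NAME
    WHERE t.TABLE_TYPE = 'BASE TABLE'
      AND c.DATA_TYPE IN ('char', 'varchar', 'nchar', 'nvarchar', 'text', 'ntext');

OPEN col_cursor;
FETCH NEXT FROM col_cursor INTO @schema, @table, @column;

WHILE @@FETCH_STATUS = 0
BEGIN
    -- CAST to nvarchar(max) so text/ntext columns can be compared with LIKE.
    SET @sql = N'INSERT INTO #hits (SchemaName, TableName, ColumnName, HitCount) '
             + N'SELECT @s, @t, @c, COUNT(*) FROM '
             + QUOTENAME(@schema) + N'.' + QUOTENAME(@table)
             + N' WHERE CAST(' + QUOTENAME(@column) + N' AS nvarchar(max)) LIKE ''%'' + @m + ''%''';

    EXEC sp_executesql @sql,
         N'@s sysname, @t sysname, @c sysname, @m nvarchar(200)',
         @s = @schema, @t = @table, @c = @column, @m = @marker;

    FETCH NEXT FROM col_cursor INTO @schema, @table, @column;
END

CLOSE col_cursor;
DEALLOCATE col_cursor;

-- Only the columns that actually contain the fragment, worst first.
SELECT SchemaName, TableName, ColumnName, HitCount
FROM #hits
WHERE HitCount > 0
ORDER BY HitCount DESC, SchemaName, TableName, ColumnName;
```

The hit list tells you two things the question was missing: which tables to watch in a Profiler trace (so the write that re-injects the fragment can be tied to a statement and, from there, to a page), and exactly which columns need cleaning. For the cleanup itself, restoring from a backup taken before the first hit is the safer route; a `REPLACE` of the exact fragment on the listed columns is the fallback when no clean backup exists.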

2 Answers


Are you reading the title from the database? If that is the case, then SQL injection is to blame.

Please look for all possibilities: accidental insert, SQL injection, web server compromised, etc.

Please also check your SQL Server log to see whether that has been compromised. That cannot be ruled out.

Otherwise, without many details it is difficult to say whether it is the code, the OS server, the web server, SQL Server 2005 or XSS.

Update: Mostly, spam links are the result of XSS; make sure your form validates all the inputs.

Update: I would also recommend the following article. I hope you are not using sp_executesql anywhere in your code that is vulnerable to SQL injection: http://taylorza.blogspot.ae/2009/04/sql-injection-are-parameterized-queries.html

Learning
  • `XSS` wouldn't cause the update to all existing records as described by the OP. This seems like a typical SQL injection attack that loops through results of a query against `INFORMATION_SCHEMA` for all string columns then `EXEC`s an `UPDATE`. [Example here](http://stackoverflow.com/q/8380233/73226) – Martin Smith Jun 10 '13 at 11:33
  • @Martin, I agree with you; I missed that part. So then it is left to SQL injection as the prime cause. – Learning Jun 10 '13 at 11:39
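Arvo's comment on the question and the answer's last update point at the same gap: a query can be parameterized on the ASP.NET side and still be injectable if a stored procedure rebuilds it as a string. The T-SQL below is an added example, not code from the question, the answers or the linked article. It defines a constructed `dbo.Products` table and two versions of a search procedure: `SearchProducts_Unsafe` splices the caller's value into the statement text, `SearchProducts_Safe` hands the same value to `sp_executesql` as a real parameter. Table, procedure and column names are this example's own; the probe value is constructed to show the difference.

```sql
-- Added example: the same dynamic-SQL search written unsafely and safely.
-- Assumes a tool that understands GO batches (SSMS or sqlcmd) and
-- SQL Server 2005 or later. Names are constructed for the example.
CREATE TABLE dbo.Products
(
    ProductId   int IDENTITY(1,1) PRIMARY KEY,
    Name        nvarchar(100) NOT NULL,
    Description nvarchar(max) NULL
);
INSERT INTO dbo.Products (Name, Description) VALUES (N'Widget', N'A plain widget');
INSERT INTO dbo.Products (Name, Description) VALUES (N'Gadget', N'A plain gadget');
GO

-- Vulnerable: @name arrived from ADO.NET as a parameter, but here it is
-- concatenated into the SQL text, so a value that closes the quote rewrites
-- the WHERE clause. sp_executesql with no parameter list is just EXEC.
CREATE PROCEDURE dbo.SearchProducts_Unsafe
    @name nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT ProductId, Name FROM dbo.Products WHERE Name LIKE ''%'
             + @name + N'%''';
    EXEC sp_executesql @sql;
END
GO

-- Hardened: the statement text is constant and the value travels as @p.
-- Whatever the caller sends is compared literally, never parsed as SQL.
CREATE PROCEDURE dbo.SearchProducts_Safe
    @name nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT ProductId, Name FROM dbo.Products '
             + N'WHERE Name LIKE ''%'' + @p + ''%''';
    EXEC sp_executesql @sql, N'@p nvarchar(100)', @p = @name;
END
GO

-- Constructed probe: a value that ends the string literal and comments out
-- the rest of the statement.
DECLARE @probe nvarchar(100);
SET @probe = N''' OR 1=1 --';

EXEC dbo.SearchProducts_Unsafe @probe;   -- returns both rows: the WHERE clause was rewritten
EXEC dbo.SearchProducts_Safe   @probe;   -- returns no rows: no Name contains that text
GO
```

When auditing a code base for this, search the database for procedures that call `sp_executesql` or `EXEC` with a string built from their own parameters; only the `sp_executesql` calls that pass a parameter definition list are actually parameterized. `HtmlEncode` on the way out (as the other answer suggests) changes how the stored spam renders but does not stop it being written.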

Try to filter database inputs by using

System.Web.HttpUtility.HtmlEncode(strIn);
kostas ch.