I'd be leery of simply looking for the word cast, or declare, or exec by
themselves. Better to include them as part of a regular expression that also
looks for semi-colons and ( like so:
REFindNoCase(';.*EXEC.*\(?.*\)?',VARIABLES.qString)
That looks for a ;, followed by any character (any number of times), then
EXEC, followed by any character (any number of times), then 0 or 1 (,
character, then finally 0 or 1 ).
That's not perfect, but it's better than just looking for those keywords
which could legitimately be included.
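As an added illustration (not code from the post), the regex above ported from REFindNoCase to Python's re with IGNORECASE, run over constructed query strings next to a bare keyword check, to show how the keyword-only approach misfires on ordinary product text while the semicolon-anchored pattern does not; the tightened pattern is my own assumption, not something proposed in the thread.

```python
import re

# Regex from the post, translated from REFindNoCase (case-insensitive).
# Note "\(?" and "\)?" are optional, so in practice it matches ";...EXEC".
POSTED_PATTERN = re.compile(r';.*EXEC.*\(?.*\)?', re.IGNORECASE)

# Tightened variant (assumption, not from the thread): a statement separator,
# then one of the batch keywords, then an opening paren or another separator.
TIGHT_PATTERN = re.compile(
    r';\s*(?:DECLARE|EXEC(?:UTE)?|CAST)\b.*?(?:\(|;)',
    re.IGNORECASE | re.DOTALL)

# Naive keyword check, for comparison (the approach that banned the site owner).
KEYWORDS = ('cast', 'declare', 'exec')

def keyword_hit(qstring):
    q = qstring.lower()
    return any(k in q for k in KEYWORDS)

def posted_hit(qstring):
    return POSTED_PATTERN.search(qstring) is not None

def tight_hit(qstring):
    return TIGHT_PATTERN.search(qstring) is not None

# Constructed sample query strings (not captured traffic).
SAMPLES = {
    # benign: product description containing the word "Declare"
    "benign_declare": "id=42&desc=We+Declare+a+Sale+on+Executive+Chairs",
    # benign: ordinary semicolon inside a value
    "benign_semicolon": "q=red;blue&page=2",
    # injection-shaped: separator, DECLARE, then EXEC with a parenthesis
    "inject_exec": "id=1;DECLARE @s varchar(4000);EXEC(@s)--",
}

def classify(qstring):
    """Return which of the three checks flag this query string."""
    return {
        "keyword": keyword_hit(qstring),
        "posted": posted_hit(qstring),
        "tight": tight_hit(qstring),
    }

if __name__ == "__main__":
    for name, q in SAMPLES.items():
        print(name, classify(q))
```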
-----Original Message-----
From: Al Musella, DPM [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 23, 2008 5:15 PM
To: CF-Talk
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...
One of my websites got hit.. I always use cfqueryparam - at least for the
last few years, but some old code (this website started with version 1 of
CF) was still hanging around that was unprotected. I used that scanning
tool and it found about 20 unprotected queries out of about 20,000...
anyway - I set up a filter in the application.cfm to watch for a few of
these bad keywords..and temporarily ban those IPs.. I am getting hit a few
times a minute now.. on all of the websites I run.. however, one of the
owners got banned when he included the word "Declare" in a product
description:)
for this attack, I am thinking wouldn't it be wise to remove permission to
use the sysobjects and syscolumns from the user I access the MS SQL server
with from CF? (In other words, I am assuming that cf does not need access
to these tables - does it?)
>Mark,
>
>Thanks for the info. I tried this and it located the code. I removed
>the comment and Executed however, the code still remains.
>Any help you can offer would be great!
>
>Thanks!
>
>
> >For those of you who have been hit by this attack and who need to try
> >something short of restoring your DB, this script will generate a
> >series of update statements in reverse of the hack that's been going
> >around:
> >
> >-----------------------------------------------------------
> >DECLARE @T varchar(255), @C varchar(255)
> >DECLARE @sql varchar(4000)
> >DECLARE @script varchar(255)
> >/*fill in the value of the malicious script. */
> >select @script = '<script src="*scriptsrc"></script><!---'
> >
> >DECLARE Table_Cursor CURSOR FOR
> > SELECT a.name, b.name
> > FROM sysobjects a, syscolumns b
> > WHERE a.id = b.id AND a.xtype = 'u'
> > AND (b.xtype = 99 OR b.xtype = 35 OR b.xtype = 231 OR b.xtype =
> >167)
> >
> > OPEN Table_Cursor
> > FETCH NEXT FROM Table_Cursor INTO @T, @C
> > WHILE (@@FETCH_STATUS = 0)
> > BEGIN
> > SELECT @sql = 'update [' + @T +'] set ['+ @C +'] =
> >Replace([' + @C + '],''' + @script + ''','''')'
> > PRINT @sql
> >
> > /*uncomment this after checking the output using print */
> > --EXEC(@sql)
> >
> > FETCH NEXT FROM Table_Cursor INTO @T, @C
> > END
> >CLOSE Table_Cursor
> >DEALLOCATE Table_Cursor
> >
> >-------------------------------------------------------
> >
> >1) Replace the value of @script (the select at the top) with the
> >value of the string that's been inserted into your DB
> >2) Run the script AS IS - you should see a list of "update"
> >statements that look like this:
> >
> >update [**tablename] set [**columnName] =
> >Replace([**ColumnName],'<script
> >src="*scriptsrc"></script><!---','')
> >
> >Where **tablename and **columname represent actual tables/columns
> >from your DB.
> >
> >You can then run the updates individually to strip out the malicious
> >code...
> >I also converted the update to a select to compare the values and see
> >what the result would be on update.
> >
> >3) If you are brave you can comment out the "EXEC(@sql)" line and
> >rerun the script. Doing so will hit every table and every char column
> >with these updates so be sure you know what you are doing.
> >
> >
> >-Mark
>
>
Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309576