Yahoo reported that the SANS Institute found an automated hacking tool that uses Google’s search engine to look for vulnerable applications and hack web sites automatically.

Up to 20,000 Web sites have been hacked since January…

The SANS Institute found a sneaky software tool that uses Google’s search engine to hunt for Web sites running certain kinds of vulnerable applications, wrote Bojan Zdrnja, on the institute’s blog…

When the tool finds a site that is vulnerable, it kicks into action. The exploit just consisted of an SQL statement that tried to inject a script tag into every HTML page on the web site…

That SQL statement was crafted to target Web sites running Microsoft’s Internet Information Server and SQL Server…

I really don’t think it is crafted to target only web sites running Microsoft software, because the way of hacking a web site mentioned above is universal; it doesn’t matter what kind of technology a web site uses.

As I mentioned in my previous post, my blog was hacked by someone and I was forced to change my FTP site password and WordPress password and upgrade my WordPress software. I kind of think my blog was one of the sites discovered by the hacking tool reported. It would be rare for a hacker to target a blog whose traffic is relatively low. It is just not worth hacking. But an automated tool wouldn’t care.

Here is a simple case showing how a web site written in ASP can be hacked. Suppose a web page lets you input a date and accesses a database to retrieve your billing history. To do that, the web page needs to construct a SQL statement to pass to the database. The SQL statement could look like this:

Select BillingDate, Amount, Description From BillingTable Where UserName = 'YourUserName' and Date = 'InputDate'

The web page could construct the SQL statement by concatenating
Select BillingDate, Amount, Description From BillingTable Where UserName = 'You' and Date = '
with the date you input and then concatenating a single quote.

In that case, if the hacker knows that your database has a table called Users with LoginName and Password fields, he can pass this as the input date:

4/20/2008' union select ' ', ' ', LoginName + ' ' + Password from Users --

The two dashes at the end tell SQL Server to ignore the last single quote concatenated to the statement. Essentially, the constructed statement displays not only the billing history but also all users’ logins.

Of course, a hacker can only do this if the web site doesn’t do a validity check on the date input. If that is the case, this security hole in fact opens up the entire database to the hacker, because he can use it to query your system tables and discover your database structure.

A similar technique can be used against popular blog software like WordPress. Of course, I believe the developers of WordPress already have such knowledge and guard against such attacks when coding.

A simple way to prevent such attacks is to use database stored procedures to interact with the database and avoid passing transparent SQL statements to the database at all times. Also, always do a validity check on user input.
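
The billing lookup above, as an added example that is not code from the original post: it runs the concatenated query beside a bound-parameter query and a date validity check. It assumes Python's sqlite3 as a stand-in for ASP and SQL Server, uses bound parameters rather than a stored procedure (SQLite has none), and all rows are constructed.

```python
import sqlite3
from datetime import datetime

# Constructed input: the post's date value, with SQLite's || in place of SQL Server's +.
HOSTILE_INPUT = ("4/20/2008' union select ' ', ' ', "
                 "LoginName || ' ' || Password from Users --")

def make_db():
    """In-memory database with constructed rows; names follow the post."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE BillingTable (UserName TEXT, Date TEXT,
                                   BillingDate TEXT, Amount REAL, Description TEXT);
        CREATE TABLE Users (LoginName TEXT, Password TEXT);
        INSERT INTO BillingTable VALUES ('You', '4/20/2008', '4/20/2008', 19.99, 'Hosting');
        INSERT INTO Users VALUES ('alice', 'placeholder-1'), ('bob', 'placeholder-2');
    """)
    return db

def billing_concatenated(db, user, input_date):
    """Pattern described in the post: the input becomes part of the SQL text."""
    sql = ("Select BillingDate, Amount, Description From BillingTable "
           "Where UserName = '" + user + "' and Date = '" + input_date + "'")
    return db.execute(sql).fetchall()

def billing_parameterized(db, user, input_date):
    """The input is bound as data, so quotes and dashes in it are never parsed as SQL."""
    sql = ("Select BillingDate, Amount, Description From BillingTable "
           "Where UserName = ? and Date = ?")
    return db.execute(sql, (user, input_date)).fetchall()

def billing_checked(db, user, input_date):
    """Validity check first (M/D/YYYY only, else ValueError), then the bound query."""
    datetime.strptime(input_date, "%m/%d/%Y")
    return billing_parameterized(db, user, input_date)

if __name__ == "__main__":
    db = make_db()
    print(len(billing_concatenated(db, "You", HOSTILE_INPUT)), "rows from concatenated SQL")
    print(len(billing_parameterized(db, "You", HOSTILE_INPUT)), "rows from bound parameters")
    try:
        billing_checked(db, "You", HOSTILE_INPUT)
    except ValueError as err:
        print("rejected by date check:", err)
```

The same split applies to stored procedures: the procedure only helps when the date reaches it as a parameter rather than as part of a concatenated call string.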



    10 Comments »

    Comment by Jack
    2009-02-09 12:43:01

    Good post …….very good……

     
    Comment by Steven
    2009-08-19 09:26:10

    Many old ASP sites that are still operational need fixed. Came here looking for solutions. Thanks.

     
    Comment by Dog name
    2009-12-02 15:35:20

    Thank you, very useful to protect yourself from hackers… or to hack competitors (just kidding).

     
    Comment by Sapnep
    2010-04-30 08:26:23

    Great post. Indeed, this is a very critical issue regarding site security, since hackers can easily take advantage of such a security hole and destroy whole sites.

     
    Comment by Adam T uliper
    2011-03-17 12:32:06

    There is far more than just SQL injection. Please also investigate CSRF, XSS, etc. A bit more detail above on how people can use procs would help.
    For example, do not call with "exec proc_whatever(" + some parameter + ")" as that is also open to injection.
    Also, do not use inline SQL in your procedures either, as those can be injected too. Check out the OWASP site as well.

     
    Comment by talkheporrang
    2011-06-25 02:34:23

    Greetings to you.
    I ‘m from Iran. I had some questions.
    Read on.
    Can you help me?
    If you can please e-mail this comment to my answer.
    I am a beginner in hacking.
    Who are you to help me.?
    What is the solution Runtime error
    I’m waiting.
    Thank you.
    Goodbye.

     
    Comment by modem
    2011-07-11 09:18:05

    Since hackers can easily take advantages of such security hole and destroy…….. :smile:

     