How to Hack an ASP Web Site and How to Prevent Being Hacked
April 21st, 2008 by Andrew Chen
Yahoo reported that the SANS Institute found an automated hacking tool that uses Google’s search engine to look for vulnerable applications and hacks the web sites automatically.
Up to 20,000 Web sites have been hacked since January…
The SANS Institute found a sneaky software tool that uses Google’s search engine to hunt for Web sites running certain kinds of vulnerable applications, wrote Bojan Zdrnja, on the institute’s blog…
When the tool finds a site that is vulnerable, it kicks into action. The exploit just consisted of an SQL statement that tried to inject a script tag into every HTML page on the web site…
That SQL statement was crafted to target Web sites running Microsoft’s Internet Information Server and SQL Server…
I really don’t think it is crafted to target only web sites running Microsoft, because the way of hacking a web site mentioned above is universal, no matter what kind of technology a web site uses.
As I mentioned in my previous post, my blog was hacked by someone, and I was forced to change my FTP site password and WordPress password and upgrade my WordPress software. I kind of think my blog was one of the sites discovered by the hacking tool reported. It would be rare for a hacker to target a blog whose traffic is relatively low. It is just not worth hacking. But an automated tool wouldn’t care.
Here is a simple case to show how a web site written in ASP can be hacked. For example, a web page lets you input a date and accesses a database to retrieve your billing history. To do that, the web page needs to construct a SQL statement to pass to the database. The SQL statement could look like this:
Select BillingDate, Amount, Description From BillingTable Where UserName= 'YourUserName' and Date= 'InputDate'
The web page could construct the SQL statement by concatenating
Select BillingDate, Amount, Description From BillingTable Where UserName= 'You' and Date=' with the date you input, and then concatenating a single quote.
In that case, if the hacker knows that your database has a table called Users with LoginName and Password fields, he can pass this as the input date:
4/20/2008' union select ' ', ' ', LoginName + ' ' + Password from Users --
The two dashes at the end start a comment, which tells SQL Server to ignore the last single quote concatenated to the statement. Essentially, the constructed statement displays not only the billing history but also all users’ logins.
Of course, a hacker can only do this if the web site doesn’t do a validity check on the date input. If that is the case, this security hole in fact opens up the entire database to the hacker, who can use it to query your system tables and discover your database structure.
A similar technique can be used against popular blog software like WordPress. Of course, I believe the developers of WordPress already have such knowledge and will guard against such attacks when coding.
A simple way to prevent such attacks is to use database stored procedures to interact with the database and to avoid ever passing plain SQL statements to the database. Also, always do a validity check on user input.
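The billing query from the post, with the concatenated form beside a parameterized form and a date validity check. This is an added example, not the author's code. Assumptions: Python with in-memory SQLite stands in for ASP and SQL Server (so the input from the post uses || instead of +), and the table contents and function names are constructed.

```python
import sqlite3
from datetime import datetime

# The input from the post, with SQLite's || in place of SQL Server's +.
INJECTED_DATE = "4/20/2008' union select ' ', ' ', LoginName || ' ' || Password from Users --"

def make_db():
    # Constructed sample data; in-memory SQLite stands in for SQL Server.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE BillingTable (UserName TEXT, Date TEXT, BillingDate TEXT,
                                   Amount REAL, Description TEXT);
        CREATE TABLE Users (LoginName TEXT, Password TEXT);
        INSERT INTO BillingTable VALUES ('You', '4/20/2008', '4/20/2008', 19.95, 'Hosting');
        INSERT INTO Users VALUES ('admin', 'constructed-secret');
    """)
    return db

def billing_concatenated(db, user, input_date):
    # The pattern the post describes: input is pasted into the SQL text,
    # so a quote in the input ends the string literal and the rest runs as SQL.
    sql = ("Select BillingDate, Amount, Description From BillingTable "
           "Where UserName='" + user + "' and Date='" + input_date + "'")
    return db.execute(sql).fetchall()

def billing_parameterized(db, user, input_date):
    # Placeholders send the values separately from the SQL text, so the input
    # is only ever compared as data, whatever characters it contains.
    sql = ("Select BillingDate, Amount, Description From BillingTable "
           "Where UserName=? and Date=?")
    return db.execute(sql, (user, input_date)).fetchall()

def parse_billing_date(text):
    # Validity check: accept only a real m/d/yyyy date, raise ValueError otherwise.
    parsed = datetime.strptime(text.strip(), "%m/%d/%Y")
    return f"{parsed.month}/{parsed.day}/{parsed.year}"

def billing_history(db, user, input_date):
    # Both defences together: validate first, then bind the cleaned value.
    return billing_parameterized(db, user, parse_billing_date(input_date))
```

A stored procedure gives the same separation of SQL text and input only when it is called with parameters and does not itself build SQL strings from them.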


Good post …….very good……
Many old ASP sites that are still operational need fixed. Came here looking for solutions. Thanks.