
Hacker Query Check
By Nannette Thacker - 06/29/2007

Hackers will try to get information about your tables through the query strings of your ASP pages. They start from an ordinary page that takes an ID in its query string, such as:

http://www.shiningstar.net/mypage.asp?article_id=12345

As the programmer, all you want is to read the value of article_id and pass it to your SQL query. The hacker wants to tack extra SQL onto that value so it is passed to the query as well, and hopefully have the results returned to the screen. The hacker may change the value to:

http://www.shiningstar.net/mypage.asp?article_id=11%20and%20char(124)%2b(Select%20Top%201%20cast(name%20as%20varchar(8000))%20from%20(Select%20Top%201%20colid,name%20From%20[YOURTABLENAME]..[syscolumns]%20Where%20id%20=%20112719454%20Order%20by%20colid)%20T%20Order%20by%20colid%20desc)>0

Decoded, the injected SQL reads one column name out of syscolumns for the object with id 112719454 and glues it onto char(124) (a pipe character); when SQL Server then tries to compare that text with 0 it fails with a conversion error, and the error message hands the column name to the attacker. Repeating the query with the next colid walks the whole table.

How do they know your table name? From earlier hacker queries whose error messages were displayed to the screen and identified the table in use. If you have detailed error messages turned on, make sure your error handling shows them only to the webmaster, so she can track the problems down and get them fixed, and not to scammers who will use those values for their own devious purposes.
You may #include the above code at the top of every page, before any database activity, or turn it into a function. When I say include it in every page, I hope you have a pageheader.asp include file or something similar that holds the code you use on every page. No copying and pasting, please.

What the check does is retrieve the query string and scan it for SQL commands. These are the most common SQL commands used by hackers, so if someone is trying something it should catch at least one of them. Once it catches them, you may redirect them back to your home page, add them to an IP block list, or deal with the situation however you wish. (Personally, I like to send them a virus that shuts down their entire system and melts it from the inside out. Bwa hahahaha! JK.)

Treat the keyword scan as a tripwire, not as the fix. It only recognizes the words on its list, so a payload built from words the list does not contain slips past it, and attackers URL-encode their payloads (note the %20 and %2b above), so the check must decode the query string before it looks for keywords. Keep validating each parameter on its own terms (article_id should be nothing but an integer), and keep user-supplied values out of the SQL text altogether by passing them as query parameters rather than concatenating them into the statement.
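The following is an added example in Python, not the author's ASP include (which the page does not reproduce), and it serves both the attack walkthrough above and the description of the check: it URL-decodes the query string and scans it for a blacklist of SQL keywords as the article describes, then adds the two checks the article's approach leaves out, a whole-number whitelist test on article_id and a parameterized lookup. The keyword list, the function names, the in-memory articles table and the third sample URL are assumptions made for illustration; the first two sample URLs are the ones from the article.

```python
# Added example (Python): a keyword tripwire over the query string, a
# whitelist check on article_id, and a parameterized lookup. This is not the
# author's ASP include; the keyword list, function names and the in-memory
# articles table are assumptions made for illustration.
import re
import sqlite3
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumed blacklist; the page does not reproduce the author's own list.
SQL_KEYWORDS = (
    "select", "insert", "update", "delete", "drop", "union", "exec",
    "declare", "cast", "char", "syscolumns", "sysobjects", "xp_cmdshell",
)

# Sample URLs: the two from the article, plus one constructed tautology that
# contains none of the blacklisted words.
BENIGN_URL = "http://www.shiningstar.net/mypage.asp?article_id=12345"
ATTACK_URL = ("http://www.shiningstar.net/mypage.asp?article_id=11%20and%20char(124)"
              "%2b(Select%20Top%201%20cast(name%20as%20varchar(8000))%20from%20"
              "(Select%20Top%201%20colid,name%20From%20[YOURTABLENAME]..[syscolumns]"
              "%20Where%20id%20=%20112719454%20Order%20by%20colid)%20T%20Order%20by"
              "%20colid%20desc)>0")
TAUTOLOGY_URL = "http://www.shiningstar.net/mypage.asp?article_id=12345%20or%201=1"

_WORD = re.compile(r"[a-z_]+")


def injection_keywords(url: str) -> List[str]:
    """Return the blacklisted words found in the URL's query string.

    The query is percent-decoded twice (so %2553elect, a double-encoded
    'Select', is seen too) and lowercased; matching is on whole words so a
    legitimate value such as 'selected' does not trip 'select'.
    """
    decoded = unquote(unquote(urlsplit(url).query)).lower()
    words = set(_WORD.findall(decoded))
    return [kw for kw in SQL_KEYWORDS if kw in words]


def parse_article_id(url: str) -> Optional[int]:
    """Whitelist check: accept article_id only as a plain positive integer."""
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    value = params.get("article_id", "")
    if re.fullmatch(r"[1-9][0-9]{0,9}", value) is None:
        return None
    return int(value)


def make_sample_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the site's articles table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (article_id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)",
                     [(11, "Another article"), (12345, "Hacker Query Check")])
    conn.commit()
    return conn


def fetch_article_title(conn: sqlite3.Connection, article_id: int) -> Optional[str]:
    """Parameterized lookup: the id is bound as a value, never spliced into SQL text."""
    row = conn.execute("SELECT title FROM articles WHERE article_id = ?",
                       (article_id,)).fetchone()
    return row[0] if row else None


def handle_request(conn: sqlite3.Connection, url: str) -> Tuple[str, Optional[str]]:
    """Run the three checks in order and report what happened to the request."""
    hits = injection_keywords(url)
    if hits:
        # Tripwire fired: redirect, log, or add the client IP to a block list here.
        return ("blocked", ", ".join(hits))
    article_id = parse_article_id(url)
    if article_id is None:
        # Nothing on the blacklist, but the id is not an integer either.
        return ("rejected", None)
    return ("ok", fetch_article_title(conn, article_id))


if __name__ == "__main__":
    db = make_sample_db()
    for sample in (BENIGN_URL, ATTACK_URL, TAUTOLOGY_URL):
        print(handle_request(db, sample))
```

Run against the three samples, the article's attack URL trips the keyword scan on select, cast, char and syscolumns, the benign URL passes all three checks and returns its title, and the constructed tautology shows why the scan alone is not enough: it contains no blacklisted word, so only the integer whitelist stops it. Even if neither check existed, the parameterized query would still treat the whole value as data rather than SQL.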
