Auditing Matters (SQLServerCentral forum thread)
Posted Saturday, February 22, 2014 11:29 AM by Steve (SSC-Dedicated, Administrators)

Comments posted to this topic are about the item Auditing Matters

Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #1544253
Posted Monday, February 24, 2014 3:15 AM by Gary Varga (SSCertifiable, General Forum Members)
I found that reading a couple of books on hacking in general (i.e. hacking networks, systems, databases, applications, etc.) really helped open my eyes to a new way of thinking. It also highlighted things like rootkits to me (yes, it was a LONG time ago). Sometimes general technology reading can be worthwhile.

Gaz

-- Stop your grinnin' and drop your linen...they're everywhere!!!
Post #1544398
Posted Monday, February 24, 2014 7:15 AM by thisisfutile (SSC Journeyman, General Forum Members)
From Steve's editorial:

    look for potential hacking issues, like updating all of your lookup values to the same string, or embedding script tags in your data.

Can anyone elaborate on either of Steve's two suggestions? I don't understand what either of these ideas mean. I'm hoping that it's obvious after someone explains them but at this point I'm clueless. Any links perhaps?
Post #1544500
Posted Monday, February 24, 2014 7:31 AM by Gary Varga (SSCertifiable, General Forum Members)
thisisfutile (2/24/2014):

    From Steve's editorial:

        look for potential hacking issues, like updating all of your lookup values to the same string, or embedding script tags in your data.

    Can anyone elaborate on either of Steve's two suggestions? I don't understand what either of these ideas mean. I'm hoping that it's obvious after someone explains them but at this point I'm clueless. Any links perhaps?

I believe that the embedded script tags is referring to the scripting equivalent of SQL Injection. It was a common hacking practice to add valid (but malicious) HTML into a comment on a forum, for example, and anyone who loaded up the page (along with all the comments) downloaded and, therefore, executed whatever HTML (and often JavaScript) that was embedded in the original, malicious comment. This method does not target the servers (like SQL Injection attacks) but peer clients.

I hope that I made it clear (and was right).


Gaz

-- Stop your grinnin' and drop your linen...they're everywhere!!!
Post #1544520
Posted Monday, February 24, 2014 7:37 AM by call.copse (SSCommitted, General Forum Members)
thisisfutile (2/24/2014):

    From Steve's editorial:

        look for potential hacking issues, like updating all of your lookup values to the same string, or embedding script tags in your data.

    Can anyone elaborate on either of Steve's two suggestions? I don't understand what either of these ideas mean. I'm hoping that it's obvious after someone explains them but at this point I'm clueless. Any links perhaps?

I don't think it means anything beyond what it says - I have observed both these attacks (not at my workplace).

If you have a SQL Injection vulnerability then a way this may be exploited (in a minor, annoying way) is that the hackers change all strings in a lookup table (e.g. list of countries) to "Leet haxors wuz here". They may also choose to update a string value to include script tags, e.g. edit all product names to include something like <script>alert('Leet haxors wuz here');</script>. In that way, when anyone visits the site (if it puts the product name on the page, etc.) the aforementioned alert appears.
Post #1544530
Posted Monday, February 24, 2014 7:54 AM by thisisfutile (SSC Journeyman, General Forum Members)
Thank you both, Gary Varga and call.copse for the explanations. I now understand. I think my confusion started because I thought Steve was suggesting some methods for finding exploits but instead it was basic exploits that he was pointing out.

I read it like this: "look for potential hacking issues, BY updating all of your lookup values to the same string, or embedding script tags in your data."

I knew it was something simple that I was making more complicated...I have a tendency to do that. Where's my coffee cup?
Post #1544540
Posted Monday, February 24, 2014 9:12 AM by Steve (SSC-Dedicated, Administrators)
I meant write code that looks for

count(lookup value) = count(*)

for a table. Also, look for items in your text fields like "<script language=js>"

We've seen both of these hacks here on the site over the years. There are some other patterns you can search for that can let you know you've had an attack.
Post #1544588
Posted Monday, February 24, 2014 9:52 AM by Steve (SSC Rookie, General Forum Members)
Hi Steve

Sorry I still don't understand what you mean by

" write code that looks for count(lookup value) = count(*)"

Thanks
Steve
Post #1544621
Posted Monday, February 24, 2014 10:00 AM by Steve (SSC-Dedicated, Administrators)
If I have

LookupID   LookupValue
========   ===========
1          Red
2          Blue
3          Orange

and I run a count of values, grouped by the value, I'd get this.

count(lookupvalue)   count(*)
==================   =========
1 (for Red)          3 (total)
1 (for Blue)         3 (total)
1 (for Orange)       3 (total)

The count(*) is the row count. I'd have to do grouping to get the count by specific values, and include those values. I didn't write all the code here.

If I've been hacked, my table could be:

LookupID   LookupValue
========   ===========
1          Red
2          Red
3          Red

or

LookupID   LookupValue
========   ===========
1          Red <script=js>http.redirect 'malicioussite.com</script>
2          Red <script=js>http.redirect 'malicioussite.com</script>
3          Red <script=js>http.redirect 'malicioussite.com</script>

and my counts would be

count(lookupvalue)   count(*)
==================   =========
3 (for Red)          3 (total)

Post #1544623
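The two checks Steve describes in his two posts above (the count per value compared with the table's row count, and a search of text fields for script tags), together with the tampering call.copse describes, worked through as an added example. This is not code from the thread or from the editorial. It is T-SQL for SQL Server: dbo.Lookup_Demo, its columns and the tampered value are constructed for the demonstration; the Latin1_General_CI_AS collation is an assumption chosen so that LIKE matches case-insensitively whatever the column's own collation is; and the final dynamic-SQL scan goes beyond the single-table case in the thread by checking every string column of every user table in the current database.

```sql
-- Added example, not code from the thread or the editorial.
-- dbo.Lookup_Demo, its columns and its values are constructed for the demo.
SET NOCOUNT ON;

IF OBJECT_ID(N'dbo.Lookup_Demo', N'U') IS NOT NULL
    DROP TABLE dbo.Lookup_Demo;

CREATE TABLE dbo.Lookup_Demo
(
    LookupID    int           NOT NULL PRIMARY KEY,
    LookupValue nvarchar(400) NOT NULL
);

INSERT dbo.Lookup_Demo (LookupID, LookupValue)
VALUES (1, N'Red'), (2, N'Blue'), (3, N'Orange');

-- Check 1 on the healthy table: no value's count equals the row count
-- (3 rows, 3 distinct values), so this returns nothing.
SELECT LookupValue,
       COUNT(*)                                AS ValueCount,
       (SELECT COUNT(*) FROM dbo.Lookup_Demo)  AS TotalRows
FROM dbo.Lookup_Demo
GROUP BY LookupValue
HAVING COUNT(*) = (SELECT COUNT(*) FROM dbo.Lookup_Demo);

-- Simulate the tampering described in the thread: an attacker with an
-- injection point overwrites every row with one value carrying a script tag.
UPDATE dbo.Lookup_Demo
SET LookupValue = N'Red <script>alert(1)</script>';

-- Check 1 on the tampered table: one group whose count equals the row count
-- (3 = 3). The COUNT(*) > 1 guard stops a legitimately one-row table alerting.
SELECT LookupValue,
       COUNT(*)                                AS ValueCount,
       (SELECT COUNT(*) FROM dbo.Lookup_Demo)  AS TotalRows
FROM dbo.Lookup_Demo
GROUP BY LookupValue
HAVING COUNT(*) > 1
   AND COUNT(*) = (SELECT COUNT(*) FROM dbo.Lookup_Demo);

-- Check 2: values containing HTML/JavaScript markers. Whether LIKE is
-- case-sensitive depends on the column collation, so the comparison is forced
-- to a case-insensitive one (Latin1_General_CI_AS is an assumption).
SELECT LookupID, LookupValue
FROM dbo.Lookup_Demo
WHERE LookupValue COLLATE Latin1_General_CI_AS LIKE N'%<script%'
   OR LookupValue COLLATE Latin1_General_CI_AS LIKE N'%<iframe%'
   OR LookupValue COLLATE Latin1_General_CI_AS LIKE N'%javascript:%'
   OR LookupValue COLLATE Latin1_General_CI_AS LIKE N'%onerror=%';

-- Check 2 generalised beyond the single table in the thread: build one query
-- with a UNION ALL branch per (n)char/(n)varchar column of every user table
-- in the current database, reporting each column that contains '<script'.
DECLARE @sql nvarchar(max) = N'';

SELECT @sql += N' UNION ALL SELECT '
             + N'N''' + REPLACE(c.TABLE_SCHEMA + N'.' + c.TABLE_NAME, N'''', N'''''') + N''' AS TableName, '
             + N'N''' + REPLACE(c.COLUMN_NAME, N'''', N'''''') + N''' AS ColumnName, '
             + N'COUNT(*) AS SuspectRows FROM '
             + QUOTENAME(c.TABLE_SCHEMA) + N'.' + QUOTENAME(c.TABLE_NAME)
             + N' WHERE ' + QUOTENAME(c.COLUMN_NAME)
             + N' COLLATE Latin1_General_CI_AS LIKE N''%<script%'' HAVING COUNT(*) > 0'
FROM INFORMATION_SCHEMA.COLUMNS AS c
JOIN INFORMATION_SCHEMA.TABLES  AS t
  ON t.TABLE_SCHEMA = c.TABLE_SCHEMA AND t.TABLE_NAME = c.TABLE_NAME
WHERE t.TABLE_TYPE = 'BASE TABLE'
  AND c.DATA_TYPE IN ('char', 'nchar', 'varchar', 'nvarchar');

IF LEN(@sql) > 0
BEGIN
    -- Strip the leading ' UNION ALL ' (11 characters) from the first branch.
    SET @sql = STUFF(@sql, 1, 11, N'');
    EXEC sys.sp_executesql @sql;   -- here: dbo.Lookup_Demo / LookupValue / 3
END;

DROP TABLE dbo.Lookup_Demo;
```

Run it in a scratch database, since it creates and drops dbo.Lookup_Demo. A clean result from the pattern search is not proof of absence: the LIKE patterns only catch the literal strings listed, and an attacker can split or entity-encode them, so treat the search as one indicator alongside the value-count check and the table's change history rather than as the whole audit.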
Posted Monday, February 24, 2014 10:28 AM by Jason (SSC-Insane, General Forum Members)
Gary Varga (2/24/2014):

    I found that reading a couple of books on hacking in general (i.e. hacking networks, systems, databases, applications, etc.) really helped open my eyes to a new way of thinking. It also highlighted things like rootkits to me (yes, it was a LONG time ago). Sometimes general technology reading can be worthwhile.

+10

Jason AKA CirqueDeSQLeil
I have given a name to my pain...
MCM SQL Server
SQL RNNR
Posting Performance Based Questions - Gail Shaw
Posting Data Etiquette - Jeff Moden
Hidden RBAR - Jeff Moden
VLFs and the Tran Log - Kimberly Tripp
Post #1544640