SQL used for evil

Thursday, May 6, 2004

SQL

Yikes. I heard about a website being hacked, probably via SQL injection. This trigger was added:

CREATE TRIGGER tr_Orders_INSERT_InsteadOf ON Orders 
INSTEAD OF INSERT 
AS RAISEERROR("[Microsoft OLE DB Provider for SQL Server] Timeout expired",16,0)

That's a rough one to catch, because it looks to the calling function as if you're getting unexplained timeouts every time you try to add a new row to the Orders table. This is pretty much a “denial of service” type of attack in that it's designed to harm the business rather than steal from it. Not cool.

And while I'm at it, it's not a good idea to have files with non-standard extensions (.bak, .inc, .site) in a web directory since IIS doesn't know about them and will happily serve them up as text files. That can help a hacker find places where you're vulnerable to other attacks such as SQL injection.

3 Comments

Hey thanks...something to remeber....

Think SQLTeam just got a post like that..

Brett - Thursday, May 6, 2004 9:04:00 AM

You can fix the .bak, .inc, .site problem by adding file mappings for these to send them first through the ASP engine.

Scullee - Thursday, May 6, 2004 4:55:00 PM

It would be even harder to debug if you added a WAITFOR '00:01:00' before the RAISEERROR.... ouch.

Paul - Sunday, May 9, 2004 7:07:00 PM

Comments have been disabled for this content.