posted on Tuesday, April 20, 2004 12:38 AM by demiliani
A site ready to be Hacked...
Just this morning I posted the news that a big Telecom Italia site was hacked with a SQL Injection attack...
This evening I received by email a project for a little website from a friend. He asked me to do a small part of the site (pure ASP with an Access database) and I decided to help him.
I opened the project's .zip, checked the code he had written and... horror... I found these files (for the user login):
Login.htm File:
<form action="Login.asp" method="post">
Username: <input type="text" name="txtUser"><br>
Password: <input type="password" name="txtPassword"><br>
<input type="submit"></form>
Login.asp File:
<%
Dim strUser, strPassword, objRS, strSQL
' user input taken straight from the form, unchecked
strUser = Request.Form("txtUser")
strPassword = Request.Form("txtPassword")
' the SQL text is built by concatenating that input: this is the flaw
strSQL = "SELECT * FROM Utenti " & _
"WHERE Uname='" & strUser & _
"' and UPwd='" & strPassword & "'"
Set objRS = Server.CreateObject("ADODB.Recordset")
objRS.Open strSQL, "..."
......... %>
This code is terrible... it's ready for a SQL Injection attack... I understand that a little personal website may never come under attack, but writing good code is really important.
The error in this piece of code is (unfortunately) quite common on lots of little sites I've seen. Here the user input is concatenated directly into the SQL statement, so an attacker can turn it into a dangerous query, exploit the site and take control of it.
If an attacker enters the string ' or ''=' in both input fields, the SQL statement actually executed is:
SELECT * FROM Utenti WHERE Uname='' or ''='' and UPwd='' or ''=''
Do you understand what this query returns? Because ''='' is always true, it returns every record in the Utenti table... can you imagine what an attacker could obtain?
Terrible...
(Obviously, I've replaced this code with something more secure.)
Maybe I'll write more about this problem, which must be clearly understood.
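The post does not show the replacement, so here is an added example (mine, not the author's code) that reproduces the flaw and its fix side by side, using Python with an in-memory SQLite table and constructed sample users standing in for the Access Utenti table. The vulnerable function concatenates the input exactly as Login.asp does; the safe one sends the same values as bound parameters, which is what an ADODB.Command with parameters does in classic ASP.

```python
import sqlite3

# Constructed sample rows standing in for the page's Utenti table.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]
# The input string discussed in the post.
INJECTION = "' or ''='"


def make_db():
    """In-memory SQLite database with the page's Utenti(Uname, UPwd) layout."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Utenti (Uname TEXT, UPwd TEXT)")
    conn.executemany("INSERT INTO Utenti VALUES (?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_login(conn, user, pwd):
    """Mirrors Login.asp: the SQL text is built by string concatenation,
    so quotes inside the input become part of the query."""
    sql = ("SELECT * FROM Utenti WHERE Uname='" + user
           + "' and UPwd='" + pwd + "'")
    return conn.execute(sql).fetchall()


def safe_login(conn, user, pwd):
    """Same query with bound parameters: the input is treated as data,
    never as SQL, so the quotes in it cannot change the statement."""
    sql = "SELECT * FROM Utenti WHERE Uname=? and UPwd=?"
    return conn.execute(sql, (user, pwd)).fetchall()


def demo():
    """Row counts returned for a real login and for the injected input."""
    conn = make_db()
    return {
        "vuln_normal": len(vulnerable_login(conn, "alice", "s3cret")),
        "vuln_injected": len(vulnerable_login(conn, INJECTION, INJECTION)),
        "safe_normal": len(safe_login(conn, "alice", "s3cret")),
        "safe_injected": len(safe_login(conn, INJECTION, INJECTION)),
    }


if __name__ == "__main__":
    print(demo())
```

With the injected input the concatenated query returns both sample rows, while the parameterized query returns none.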