Clarification on IIS reported sql-injection exploits

My post will not get as much press as Slashdot, but here are some postings from sources at MS, including Bill Staples, on the SQL injection attacks that help clarify things.



Here is a post on forums.iis.net about this topic
http://forums.iis.net/t/1148917.aspx?PageIndex=1


For those who want to use Log Parser to detect in your IIS logs whether you've been hit, here are a few Log Parser examples.


'This will find all web pages that had SQL injection attempts logged against them. You can change the wording between the %% to look for a different string
logparser -i:iisw3c "select date,time,cs-uri-stem,cs-uri-query from <example.com> where cs-uri-query like '%CAST%'" -o:csv

'This will give you the first time your site was hit, if applicable.
logparser -i:iisw3c "select date,time,cs-uri-stem,cs-uri-query from <example.com> where cs-uri-query like '%1.js%'" -o:csv
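As an added example that is not from the original post, here is the same two-query search written in Python over a constructed IIS W3C log sample, so you can see what the IISW3C input format does with the #Fields directive and what the LIKE filter matches. The log lines, hosts, field layout and query strings are invented; matching is done case-insensitively on the URL-decoded query, which is an assumption about what you want rather than a statement about Log Parser's own LIKE semantics.

```python
from urllib.parse import unquote

# Constructed sample of an IIS W3C log; the field layout is taken from the
# #Fields directive, as Log Parser's IISW3C input format does. Requests, hosts
# and query strings are invented for illustration.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2008-04-25 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2008-04-25 03:12:44 10.0.0.5 GET /products.asp id=12 80 192.0.2.10 200
2008-04-25 03:15:02 10.0.0.5 GET /products.asp id=12;CAST(sample%20AS%20VARCHAR) 80 192.0.2.10 200
2008-04-25 03:15:03 10.0.0.5 GET /default.asp - 80 192.0.2.10 200
2008-04-25 04:01:19 10.0.0.5 GET /news.asp id=7;cast(x%20as%20varchar) 80 198.51.100.7 500
2008-04-25 04:01:20 10.0.0.5 GET /news.asp id=7;src=http://example.invalid/1.js 80 198.51.100.7 200
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # directive names the columns that follow
        elif line.startswith("#") or not line.strip():
            continue                           # other directives and blank lines
        elif fields:
            yield dict(zip(fields, line.split()))


def find_hits(text, needle):
    """Equivalent of: select date,time,cs-uri-stem,cs-uri-query ...
    where cs-uri-query like '%needle%'.
    The query is URL-decoded and lower-cased before comparing, so encoded or
    lower-cased variants of the keyword are not missed (assumption, see lead-in)."""
    needle = needle.lower()
    return [(r["date"], r["time"], r["cs-uri-stem"], r["cs-uri-query"])
            for r in parse_w3c(text)
            if needle in unquote(r["cs-uri-query"]).lower()]


def first_hit(text, needle):
    """Earliest matching request: the 'first time your site was hit'."""
    hits = find_hits(text, needle)
    return min(hits, key=lambda h: (h[0], h[1])) if hits else None


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG, "CAST"):
        print(*hit)
    print("first 1.js hit:", first_hit(SAMPLE_LOG, "1.js"))
```

Point `SAMPLE_LOG` at the contents of a real ex*.log file to run it against your own site; the same `#Fields` parsing applies to IIS 6 and IIS 7 W3C logs.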

‘Download Log Parser 2.2
http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1287

Hope this helps,


Steve Schofield
Microsoft MVP – IIS

4 thoughts on “Clarification on IIS reported sql-injection exploits”

  1. Thanks Steve! This is really useful information. I was beginning to get worried that this massive SQL Injection attack was not a wake up call for developers because I was not finding much discussion about it in the blogs and nobody was providing any resources or tips.


  2. This worked great for me to help figure out the SQL injection attack that I have been getting every day now for a week. I fixed it by making sure there was no “;” or “cast” inside of the variable that is passed in. But is there a way to universally protect against this form of attack, without me having to change hundreds of SQL statements?


  3. Hi Cnaught,

    I’m glad this was helpful. About changing hundreds of SQL statements: the best advice I can offer is to have your SQL statements and parameters checked in code for bad statements before being submitted to your database. If you are still unsure, I would check on http://aspadvice.com/lists about techniques to prevent this; I’m not a seasoned enough coder to have had to change an application being exploited like this.

    Good luck,
    Steve
