CODEWITHSUNDEEP
asp-classicsql-injection
Chief
Chief

Reputation: 914

Sql injection script

This title of the question may seem to be previously asked and answered but its different scenario for me. I use this script to stop sql injection in my ASP site. As per my knowledge or injecting script i have tried everything . Is it still possible to break through this code or do you feel this is fine .

Here is the script

<%
Function IsInject(strCheck, boolForm)
    IsInject = False
    If Not boolForm And Len(strCheck) > 50 Then IsInject = True
'   Dim sCmdList, arrCmds, i
    If boolForm Then
        sCmdList = "declare,varchar,convert,delete,create,is_srvrolemember,ar(,cast("
    Else
        sCmdList = "update,union,select,drop,declare,varchar,convert,delete,create,is_srvrolemember,ar(,cast(,char("
    End If
    arrCmds = Split(sCmdList, ",")
    For i = 0 To UBound(arrCmds)
        If Instr(UCase(CStr(strCheck)), UCase(arrCmds(i))) > 0 Then
            IsInject = True
            Exit For
        End If
    Next
    Erase arrCmds
End Function
Function CleanInject(strClean, boolInt)
    If boolInt Then CleanInject = CInt(strClean) Else CleanInject = Replace(strClean, "'", "''")
End Function

'-----------------------------------------------------------
'redirect user if specific IP
'Dim ipaddress, bFBIRedirect, sInjectType
bFBIRedirect = True
ipaddress = Request.ServerVariables("REMOTE_ADDR")
Select Case ipaddress
    Case "90.120.206.10"
    Case Else
        bFBIRedirect = False
End Select
If bFBIRedirect Then Response.Redirect "http://www.fbi.gov"
'-----------------------------------------------------------

'Dim bIsInject, sHackString
bIsInject = False

If Not bInject Then
'   Dim qsItm
    For Each qsItm In Request.QueryString
        If IsInject(Request.QueryString(qsItm), False) Then
            bIsInject = True
            sHackString = qsItm & "=" & Request.QueryString(qsItm)
            sHackType = "QueryString"
            sInjectType = "qs-" & Request.QueryString(qsItm)
            Exit For
        End If
    Next
End If
If Not bInject Then
'   Dim frmItm
'   For Each frmItm In Request.Form
'       If IsInject(Request.Form(frmItm), True) Then
'           bIsInject = True
'           sHackString = Request.Form(frmItm)
'           sHackString = frmItm & "=" & Request.Form(frmItm)
'           sHackType = "Form"
'           Exit For
'       End If
'   Next
End If

If bIsInject Then
    Session("hacktype") = sHackType
    Session("hackstr") = sHackString
    Session("thepagefrom") = Request.ServerVariables("PATH_INFO")
    Session("theip") = Request.ServerVariables("REMOTE_ADDR")

'   Dim arrWhereAt, iWhereAt, sRedirect

    arrWhereAt = Split(Request.ServerVariables("PATH_INFO"), "/")
    iWhereAt = UBound(arrWhereAt)

    sRedirect = "unknownerror.asp?ip=" & Request.ServerVariables("REMOTE_ADDR") & "&err=" & sInjectType & "&pg=" & Request.ServerVariables("PATH_INFO")
    If iWhereAt = 1 Then sRedirect = "../" & sRedirect
    If iWhereAt = 2 Then sRedirect = "../../" & sRedirect
    If iWhereAt = 3 Then sRedirect = "../../../" & sRedirect

    Response.Redirect sRedirect
End If
%>

Upvotes: 2

Views: 539

Answers (2)

Erlend
Erlend

Reputation: 4416

Using blacklists to remove commands is not really a good idea. You have to make sure you cover all possible commands, and still someone might sneak something past. This would also probably fail if you get data from a user that is not an attack, but still contains an attack string. Example "Back in the days of the Soviet Union".

As Nikolai suggests, see if you can find some type of prepared statements to use. Or find a really good library to properly escape data for you.

Upvotes: 1

Nikolai
Nikolai

Reputation: 11

rather doing that I think I would use ADO Parameter object when creating SQL queries, the second best thing is to do type conversion of the inputfields for the dynamic SQL queries, such as converting strings to SQL strings (replace any ' with two ''), making sure number is a number etc.

Upvotes: 1

Related Questions