Mattched IT - Our Blog
Technical Topics
A warning: Our failed SQL Injection attack
22nd March 2009
Author: Matt Chatterley
Odds are that if you're not a techie, you don't know what SQL Injection is. There's plenty of material on the web
describing the problem and the approaches that can be taken to prevent it. However, in light of
recent events, we wanted to give a warning to those of you who may not have heard of SQL Injection, or who haven't heard anything about it in so long
that you dismiss it as no longer being a threat.
Someone recently tried to attack our website using a basic SQL Injection technique. Most likely they noticed that we have 'ids'
in some of our query strings (the bit that says id=xxx in the URL) and thought they would have a nose around.
Unluckily for them (and fortunately for us), we don't actually use a database: our website runs from a set of XML files, so there was no database for the injected SQL to reach and we were safe.
However, the attack was caught by our logging system, and we wanted to post it here as an example and a warning.
They edited the url, so that it ended with: id='special-offer-ecommerce-discount-beat-credit-crunch' and 1=convert(int,(select top 1 table_name from information_schema.tables))--sp_password'
This is a pretty standard 'opening gambit' in recent injection attacks. We won't go into every detail, but it has three parts.
The closing quote and the trailing -- (a comment marker) break out of the value the page expected and discard whatever SQL came after it.
The 1=convert(int,(select top 1 table_name from information_schema.tables)) part asks the database to turn the name of the first table it finds into a number. That conversion fails,
and on Microsoft SQL Server the resulting error message quotes the value it could not convert, so if the site displays database errors the attacker reads a table name straight off the page.
That both tests whether you are running SQL Server and begins to map out your database schema, one table at a time.
Finally, SQL Server's trace facility (what SQL Profiler shows) suppresses the text of any batch containing 'sp_password' and records a placeholder comment instead,
so that tag on the end is meant to hide the attack from anyone watching a trace. With the schema in hand they can do something more sinister: modify your information, place fake orders, anything you
could imagine.
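To make the two halves of the warning concrete, here is an added example (our own illustration, not code from the blog or its website) that first scans constructed Apache-style access-log lines for the tell-tale signs of the payload above, and then shows why the payload matters: a hypothetical page that pastes the id parameter into its SQL text hands the attacker's SQL to the database parser, while a parameterised query treats the same value as an ordinary string and simply finds nothing. The log format, the IP addresses, the offers table and the page name are all assumptions; SQLite stands in for the database, so the unsafe path fails with a parse error where SQL Server would run it and leak a table name in the conversion error.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines in Apache "combined" style (an assumption;
# these are not the blog's real logs). The second request carries the kind of
# payload quoted in the post, URL-encoded as a scanner would send it.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Mar/2009:10:14:02 +0000] "GET /offers.aspx?id=special-offer-ecommerce-discount-beat-credit-crunch HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [22/Mar/2009:10:15:41 +0000] "GET /offers.aspx?id=special-offer-ecommerce-discount-beat-credit-crunch%27%20and%201%3Dconvert(int,(select%20top%201%20table_name%20from%20information_schema.tables))--sp_password HTTP/1.1" 500 1203 "-" "Mozilla/5.0"
203.0.113.9 - - [22/Mar/2009:10:16:05 +0000] "GET /about.aspx HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Each indicator on its own is weak (an apostrophe appears in "O'Brien"), so a
# finding needs at least two of them in the same parameter value.
INDICATORS = {
    "quote": re.compile(r"'"),
    "comment": re.compile(r"--|/\*"),
    "select_from": re.compile(r"\bselect\b.+\bfrom\b", re.I),
    "schema_probe": re.compile(r"\binformation_schema\b|\bsysobjects\b", re.I),
    "error_based_cast": re.compile(r"\b(convert|cast)\s*\(", re.I),
    "trace_evasion": re.compile(r"\bsp_password\b", re.I),
}


def scan_log(log_text, min_indicators=2):
    """Return one finding per query-string parameter that looks like SQL injection."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        for param, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:  # parse_qs already percent-decodes the value
                hits = sorted(name for name, rx in INDICATORS.items() if rx.search(value))
                if len(hits) >= min_indicators:
                    findings.append({"ip": line.split(" ", 1)[0], "param": param,
                                     "value": value, "indicators": hits})
    return findings


def build_unsafe_query(slug):
    """The mistake: the parameter is pasted into the SQL text (hypothetical 'offers' table)."""
    return "SELECT title FROM offers WHERE slug = '" + slug + "'"


def make_db():
    """In-memory SQLite database standing in for the site's database (an assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE offers (slug TEXT PRIMARY KEY, title TEXT)")
    conn.execute("INSERT INTO offers VALUES (?, ?)",
                 ("special-offer-ecommerce-discount-beat-credit-crunch", "Beat the credit crunch"))
    return conn


def lookup_unsafe(conn, slug):
    """Run the concatenated query; returns ('ok', title) or ('error', message).

    The attacker's SQL reaches the parser. SQLite rejects the T-SQL syntax, but on
    SQL Server the same text runs and the convert() failure message names a table.
    """
    try:
        row = conn.execute(build_unsafe_query(slug)).fetchone()
        return ("ok", row[0] if row else None)
    except sqlite3.Error as exc:
        return ("error", str(exc))


def lookup_safe(conn, slug):
    """Parameterised query: the value can never become part of the SQL grammar."""
    row = conn.execute("SELECT title FROM offers WHERE slug = ?", (slug,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    findings = scan_log(SAMPLE_LOG)
    for f in findings:
        print(f"{f['ip']} param={f['param']} indicators={f['indicators']}")
    conn = make_db()
    payload = findings[0]["value"]
    print(build_unsafe_query(payload))
    print("unsafe:", lookup_unsafe(conn, payload))
    print("safe:  ", lookup_safe(conn, payload))
```

The indicator list is deliberately narrow and tied to the payload family in this post; a real deployment would tune it against its own traffic, but the shape (decode the parameter first, then look for several signs together) is what keeps it from drowning in false positives.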
We hope that you already know SQL Injection exists, and that if you are a business owner you have made sure your technical team has
taken the necessary precautions (in particular, that every value taken from a URL or form reaches the database through a parameterised query rather than being pasted into the SQL text) to keep your web presence secure, especially your shopping cart if you have one.
If you haven't, do it now. It's like having backups: you won't notice you needed them until it is too late!
If you'd like more information, advice, or to ask us about investigating the security of your website,
please contact us.