Wednesday, June 01, 2005 9:42 PM
by
methylamine
SQL Injection--Everyone Knows It, No-one FIXES IT!
Does the following input into a web application text box strike appropriate fear into your heart? Nay, I should say, dost thou poop thine pants gazing thereupon?
- ' or 1=1;
- '; use master; xp_cmdshell 'net user SomeUser SomeUsersPassword /add'; --
I love the last one. I just added a user to your SQL box. Now I will paaaarr--tay.
I remember vividly the vomit-comet, bowel-dropping sensation I had when Jesper Johansson used this as the opening salvo in a complete network penetration at last year's TechEd. I think the talk was titled "10 Easy Steps to Penetrating Your Network"--Jesper, sorry if I butchered the title. It was an excellent talk.
That second line works on quite secure-appearing networks; ones with proper external firewalls, a nice tidy DMZ with your uber-secure web serveren, and an inner firewall where your pristine, champagne-sipping SQL boxen sit.
The moral of this frightening tale? Protect yourself against SQL Injection! If you don't know what it is, Google it.
I've seen so many complacent customers with SA passwords in cleartext in web.config. Start there--use CryptoUtility to at least protect your connection string. (http://workspaces.gotdotnet.com/cryptoutility) But before you go encrypting it--use least privilege! SA is really hitting the fly with a hammer.
Use stored procedures. I was asked recently, "...well if I pass a varchar that came from user input, and then use string concatenation in the stored procedure, then use sp_executesql to run it...that's safe, right?" NO. The beauty of stored proc params is they're not executed; if you do string concat-execute you circumvent that.
Yep, there are times we can't use sp's for everything and have to generate SQL on the fly. But remember that all user input is evil and untrustable! There are some nice reg-ex based utilities out there that do a good job of scrubbing user input for nasties...but they're not perfect.
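To make the stored-proc point concrete, here is an added T-SQL example (not from the original post): the concat-and-sp_executesql pattern the question above describes, beside the two safe forms. It assumes a table dbo.Users with columns UserName and Email.

```sql
-- Added example, not the post's own code. Assumes dbo.Users(UserName, Email).

-- UNSAFE: the parameter value is not used as a value; it is pasted into a new
-- batch that is then executed, so wrapping it in a stored proc buys nothing.
CREATE PROCEDURE dbo.FindUser_Unsafe
    @UserName nvarchar(50)
AS
BEGIN
    DECLARE @sql nvarchar(500);
    SET @sql = N'SELECT UserName, Email FROM dbo.Users WHERE UserName = '''
             + @UserName + N'''';
    EXEC sp_executesql @sql;   -- the first payload at the top of the post
                               -- rewrites this query's WHERE clause
END
GO

-- SAFE: the value travels as a typed parameter and is never parsed as SQL.
CREATE PROCEDURE dbo.FindUser_Safe
    @UserName nvarchar(50)
AS
BEGIN
    SELECT UserName, Email FROM dbo.Users WHERE UserName = @UserName;
END
GO

-- SAFE when dynamic SQL really is unavoidable: the statement text is fixed
-- and the user value is passed to sp_executesql as a parameter, so no user
-- input is ever concatenated into the text that gets executed.
CREATE PROCEDURE dbo.FindUser_DynamicSafe
    @UserName nvarchar(50)
AS
BEGIN
    DECLARE @sql nvarchar(500);
    SET @sql = N'SELECT UserName, Email FROM dbo.Users WHERE UserName = @u';
    EXEC sp_executesql @sql, N'@u nvarchar(50)', @u = @UserName;
END
GO
```

The unsafe version is also where the least-privilege advice above pays off: a stacked statement reaching xp_cmdshell needs a login that is allowed to run it, which the application's login should never be.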
Now I'm going to go back to looking at my HoneyPot box in my DMZ. I like to watch script-kiddies come in with cute little hacks like:
2005-05-30 14:40:48 67.167.243.58 - <my ip> 80 GET /scripts/root.exe /c+dir 404 -
2005-05-30 14:40:48 67.167.243.58 - <my ip> 80 GET /MSADC/root.exe /c+dir 404 -
2005-05-30 14:40:48 67.167.243.58 - <my ip> 80 GET /c/winnt/system32/cmd.exe /c+dir 404 -
2005-05-30 14:40:48 67.167.243.58 - <my ip> 80 GET /d/winnt/system32/cmd.exe /c+dir 404 -
2005-05-30 14:40:48 67.167.243.58 - <my ip> 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 -
Aren't they just precious? Ah, the eternal optimism of the young...hey kids, doesn't it seem odd that the machine's name is "HoneyPot"? I blame the schools these days. They just don't teach these young'uns to READ, especially great classics like "The Cuckoo's Egg". What especially cracks me up are the ones who, day after day, from the same damn IP addresses, run full port scans against my ISA 2005 external firewall.