Search tag in top list: 1"'`--;

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
3 years ago
Hi guys,

maybe a dumb question, but I found a strange search tag which is popping up in the search top list:
1"'`--;
Or as URL pageview:
https://hosteddomain/de/search?q=1%22%27%60--&cid=0&mid=0&pf=&pt=&adv=false&isc=false&sid=false

Nop shows all products on the page and the leading "1" stands for the sort order.

Lots of trials, I think something automated is knocking on the door here.

Is this SQL injection on the stored procedure "product search", i.e. may one add a working "delete" or "update" tag after the ";"? Am I right with that assumption, and/or can we block this?

Appreciate any hints or points on that.
3 years ago
Any suggestions how to modify the stored procedure?
3 years ago
Yes, it does look like it could be an attempt at SQL injection.  There is dynamic SQL in the ProductLoadAllPaged sp.  I suppose you could up front check the nvarchar params to see if they contain -- or ;   I don't think those would be legit search chars in most cases.  Then you can immediately "return", but you probably do need to first SELECT the same fields as expected (even if no rows).
3 years ago
Thank you for your hints.

Adding a line to ProductLoadAllPaged fixes that:
SET @Keywords = REPLACE(REPLACE(@Keywords, '--', 'SomeTagToPreventHits'), '"', 'SomeTagToPreventHits')

Added the other SQL placeholders & functional characters like ? ! # % and so on, which are not escaped in ProductLoadAllPaged.

Have a nice day!
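The two measures discussed in this thread, the up-front guard from the reply above and a way to stop the keyword from ever being concatenated into the dynamic SQL, written out as an added T-SQL example. This is not nopCommerce's own ProductLoadAllPaged code: the procedure name dbo.ProductSearch_Example, the table dbo.Product and its columns Id, Name, Price are assumptions, and the column list in the empty result set stands in for whatever the real procedure returns.

```sql
-- Added example for this thread (not nopCommerce's own ProductLoadAllPaged).
-- Hypothetical procedure dbo.ProductSearch_Example over an assumed table
-- dbo.Product(Id, Name, Price). It shows:
--   1. the up-front guard that returns an empty, correctly shaped result set
--      when the keyword contains SQL comment/batch markers, and
--   2. dynamic SQL that binds the keyword through sp_executesql instead of
--      concatenating it, so the text is data, never statement.
CREATE PROCEDURE dbo.ProductSearch_Example
    @Keywords  nvarchar(4000) = NULL,
    @PageIndex int = 0,
    @PageSize  int = 20
AS
BEGIN
    SET NOCOUNT ON;

    -- 1. Guard: "--", ";" and "/*" are not legitimate search terms. Return the
    --    same columns the normal path returns, with zero rows, then stop.
    IF @Keywords LIKE '%--%' OR @Keywords LIKE '%;%' OR @Keywords LIKE '%/*%'
    BEGIN
        SELECT Id, Name, Price FROM dbo.Product WHERE 1 = 0;
        RETURN;
    END;

    -- Escape LIKE metacharacters with bracket quoting so a "%" or "_" typed
    -- by a user is matched literally ("[" must be escaped first).
    DECLARE @pattern nvarchar(4000) = NULL;
    IF @Keywords IS NOT NULL
        SET @pattern = N'%'
            + REPLACE(REPLACE(REPLACE(@Keywords, N'[', N'[[]'), N'%', N'[%]'), N'_', N'[_]')
            + N'%';

    DECLARE @skip int = @PageIndex * @PageSize;

    -- 2. The statement text contains only placeholders. Whatever @Keywords
    --    holds (including the 1"'`--; seen in the search log) it cannot
    --    change the shape of the query; it is passed as a bound parameter.
    DECLARE @sql nvarchar(max) = N'
        SELECT Id, Name, Price
        FROM dbo.Product
        WHERE @pattern IS NULL OR Name LIKE @pattern
        ORDER BY Name
        OFFSET @skip ROWS FETCH NEXT @take ROWS ONLY;';

    EXEC sp_executesql
        @sql,
        N'@pattern nvarchar(4000), @skip int, @take int',
        @pattern = @pattern,
        @skip    = @skip,
        @take    = @PageSize;
END;
GO

-- Constructed calls: the first hits the guard and returns zero rows with the
-- expected columns; the second reaches the parameterised query.
EXEC dbo.ProductSearch_Example @Keywords = N'1"''`--;';
EXEC dbo.ProductSearch_Example @Keywords = N'shirt', @PageIndex = 0, @PageSize = 10;
```

The guard in step 1 is what the reply suggests and is cheap to add, but it is a blacklist: it only blocks the markers someone thought to list, and the same goes for the REPLACE line in the last post. Step 2 is the part that actually removes the injection, because the user text never becomes part of the statement, so the blacklist becomes defence in depth rather than the only line. If the real procedure builds its statement by string concatenation, the equivalent change is to leave a parameter name in the text and hand the value to sp_executesql, as shown.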