Script attack on classic ASP

I have a website with Classic ASP as the front end and SQL Server 2005 as the back end.

But I am facing a very strange SQL injection on my back end.

Some kind of CSS and HTML from a spamming site is being appended to my website database, in every table and every varchar-type column.

For example:

</title><style>.am1y{position:absolute;clip:rect(405px,auto,auto,405px);}</style><div class=am1y>same day <a href=http://mazzpaydayloans.com >payday loans</a></div>

I checked my IIS log; it shows me this:

2013-06-09 19:15:54 GET /mypage.asp%3C/title%3E%3Cstyle%3E.axo5{position:absolute;clip:rect(404px,auto,auto,404px);}%3C/style%3E%3Cdiv%20class=axo5%3Eapproval%20%3Ca%20href=http:/mazzpaydayloans.com%20%3Epayday%20loans%3C/a%3E%3C/div%3E - - 204.13.205.99 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1) loginfailure=chance=0&bantime=;+ASPSESSIONIDSSDRRCQQ=EDPHPJGCGLMKOADICKHODKBM - www.mysite.com 404 0 281 543 78

On this ASP page, all SQL queries are parameterized.

But this issue still persists.

MyPage.asp code:

new_prot = "http"
new_https = lcase(request.ServerVariables("HTTPS"))
if new_https <> "off" then new_prot = "https"
new_domainname = Request.ServerVariables("SERVER_NAME")
new_filename = Request.ServerVariables("SCRIPT_NAME")

set cm1 = Server.CreateObject("ADODB.Command")
cm1.ActiveConnection = conn
cm1.CommandType = 1                                  ' adCmdText
cm1.CommandText = "select * from Table1 where Web=?"

cm1.Prepared = true
dim weburl

' Parameter name must be a string; 200 = adVarChar, 1 = adParamInput, size 5000
set weburl = cm1.CreateParameter("Web_URL", 200, 1, 5000)
' The HTML-encoded, trimmed script path is bound as data, not spliced into the SQL text
weburl.Value = Server.HtmlEncode(ltrim(rtrim(new_filename)))
cm1.Parameters.Append weburl

' adCmdText requires the ADO constants (adovbs.inc or the ADO type library) to be included
set Mobile = cm1.Execute(RecordsAffected, , adCmdText)

do until Mobile.EOF
    ' Response.Redirect ends the response, so at most the first row is ever used
    response.redirect(Mobile.fields("mob"))
    Mobile.MoveNext
loop
user2470580 Avatar asked Jan 30 '26 05:01

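The IIS log line in the question shows the injected HTML arriving URL-encoded in the request path. The following is an added example, not code from the question or the answer: it parses W3C extended log lines (the `#Fields` header and the two benign lines are constructed; the third data line is the one from the question) and flags any request whose decoded path or query string contains HTML tags. A 404 on the flagged line only says that this particular URL matched nothing; the same client may well have hit other pages, so the output is a starting point for reviewing the rest of the log, not proof of where the write happened.

```python
"""Scan IIS W3C extended log lines for URL-encoded HTML markup in the request target.

Constructed example; the log layout mirrors the line quoted in the question.
"""
import re
from urllib.parse import unquote

# Constructed sample log. The #Fields header is assumed for this example; the second
# data line is the request from the question, the other two are benign traffic.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-bytes cs-bytes time-taken
2013-06-09 19:15:10 GET /mypage.asp - - 198.51.100.7 HTTP/1.1 Mozilla/5.0 - - www.mysite.com 200 0 1812 402 15
2013-06-09 19:15:54 GET /mypage.asp%3C/title%3E%3Cstyle%3E.axo5{position:absolute;clip:rect(404px,auto,auto,404px);}%3C/style%3E%3Cdiv%20class=axo5%3Eapproval%20%3Ca%20href=http:/mazzpaydayloans.com%20%3Epayday%20loans%3C/a%3E%3C/div%3E - - 204.13.205.99 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1) loginfailure=chance=0&bantime=;+ASPSESSIONIDSSDRRCQQ=EDPHPJGCGLMKOADICKHODKBM - www.mysite.com 404 0 281 543 78
2013-06-09 19:16:02 GET /products.asp id=42 - 198.51.100.7 HTTP/1.1 Mozilla/5.0 - - www.mysite.com 200 0 5120 398 31
"""

# Tags that have no business appearing in a URI path or query string.
MARKUP_RE = re.compile(r"</?(title|style|script|div|a|iframe)\b[^>]*>", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")  # IIS replaces spaces inside a field with '+'
        if fields is None or len(values) != len(fields):
            continue  # header missing or malformed line: skip rather than guess
        yield dict(zip(fields, values))


def decode_uri(entry):
    """Rebuild the decoded request target (stem plus query) for inspection."""
    stem = unquote(entry.get("cs-uri-stem", ""))
    query = entry.get("cs-uri-query", "-")
    return stem if query == "-" else stem + "?" + unquote(query)


def find_markup_requests(text):
    """Return (client ip, status, decoded target, tags) for every request carrying HTML markup."""
    hits = []
    for entry in parse_w3c(text):
        target = decode_uri(entry)
        tags = [m.group(0) for m in MARKUP_RE.finditer(target)]
        if tags:
            hits.append((entry["c-ip"], int(entry["sc-status"]), target, tags))
    return hits


if __name__ == "__main__":
    for ip, status, target, tags in find_markup_requests(SAMPLE_LOG):
        print(f"{ip} status={status} tags={len(tags)}")
        print("  " + target)
```

Run it as-is to see the question's line flagged; point `find_markup_requests` at a real log file's contents to review other pages the same client requested.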


1 Answer

First, your query may be parameterised, but you need to implement a stored procedure, not a straight SQL command.

set cm1 = Server.CreateObject("ADODB.Command")
cm1.ActiveConnection = conn
cm1.commandtype=1
cm1.CommandText ="select * from Table1 where Web=?"

Command text is a no-no.

You need to implement a stored procedure:

CREATE PROCEDURE ProcTable
    @ParamWeb INT
AS
    SELECT * FROM Table1 WHERE PageID = @ParamWeb

Then EXEC the proc. This prevents injection because the page can ONLY accept the numeric value of the proc, and that will only return the relevant dataset (empty or with rows).

Your command text can have

"; any injection script you want" 

appended.

Any injection script can contain sqlcmdShell, so once the injection has been made the bad guys can return a list of tables, their content, users, user data, etc.

Ian P Avatar answered Jan 31 '26 22:01

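The appended-statement risk the answer describes, shown as an added example that is not code from the question or the answer. Python's sqlite3 stands in for SQL Server and ADO: `executescript()` runs every statement in the text it is handed, as a batch-capable driver does, while `execute()` with a bound parameter sends the value as data. The table, the row and the payload are constructed for the example; the payload carries a harmless comment marker instead of spam. Whether the statement is inline text or a stored procedure, the protection comes from binding the value rather than splicing it into the command text.

```python
"""Appended-statement injection against concatenated command text, next to a bound parameter.

Constructed example: an in-memory SQLite database stands in for SQL Server, and
executescript() stands in for a driver that executes the whole batch it receives.
"""
import sqlite3

# Constructed payload in the shape the answer describes: close the string literal,
# append a second statement that writes into a varchar column, then comment out
# whatever the application placed after the value. '||' is SQLite's concatenation.
PAYLOAD = "/mypage.asp'; UPDATE Table1 SET mob = mob || '<!-- tainted -->'; --"
CLEAN_VALUE = "http://m.example/mypage"


def fresh_db():
    """One-row stand-in for the question's Table1 (Web = page path, mob = mobile redirect)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Table1 (Web TEXT, mob TEXT)")
    conn.execute("INSERT INTO Table1 VALUES ('/mypage.asp', ?)", (CLEAN_VALUE,))
    conn.commit()
    return conn


def stored_mob(conn):
    """Read the mob column back so both lookups can be compared by their side effects."""
    return conn.execute("SELECT mob FROM Table1 WHERE Web = '/mypage.asp'").fetchone()[0]


def lookup_concatenated(web):
    """The pattern to avoid: the request value becomes part of the SQL text."""
    conn = fresh_db()
    sql = "SELECT mob FROM Table1 WHERE Web='" + web + "'"
    conn.executescript(sql)  # batch execution: every statement in the text runs
    return stored_mob(conn)


def lookup_parameterized(web):
    """The value travels as a bound parameter: it is compared, never parsed as SQL."""
    conn = fresh_db()
    rows = conn.execute("SELECT mob FROM Table1 WHERE Web = ?", (web,)).fetchall()
    return stored_mob(conn), len(rows)


if __name__ == "__main__":
    print("concatenated :", lookup_concatenated(PAYLOAD))
    print("parameterized:", lookup_parameterized(PAYLOAD))
    print("legit lookup :", lookup_parameterized("/mypage.asp"))
```

With the concatenated lookup the marker lands in the mob column, which is the symptom the question reports across its varchar columns; with the bound parameter the same input simply matches no row and the table is untouched.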