
Software Theosophy

Warn3d By CrueLSaw

Today I got a very interesting request from my boss. One of our sites had suddenly been defaced with the following text:

"Warn3d By CrueLSaw"

After some research by one of our Senior Developers (Thanks Pete) he found that this CrueLSaw guy was very busy hacking into and defacing Classic ASP and even a few PHP websites.

It was our old friend SQL injection--the guy had found the admin part of our site, and plopped some SQL into the password text box like this:

' OR 0=0 --

Of course the long gone developer of this code didn't parameterize their SQL or use a stored procedure. This effectively let him into our site to deface it. We're lucky that CrueLSaw only warns people and didn't truncate our tables.

To be fair, this site was a Classic ASP website done around 6 years ago and the developer back then probably didn't know a thing about SQL injection, because few people did at the time. But some lessons are painfully learned. The solution was simple--just use a stored proc or an ADO provider that allows parameterized SQL.
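To show exactly why that password-box input works, and why placeholders stop it, here is an added example that is not code from the original post or site. It builds a constructed in-memory SQLite user table, runs the login check both the way the old Classic ASP page did (string concatenation) and with parameters, and feeds both the legitimate password and the `' OR 0=0 --` payload from the post. The table contents, user names and function names are all assumptions made for the demo.

```python
import sqlite3

# Constructed in-memory user table standing in for the site's admin table.
# Passwords are stored in the clear only to keep the toy self-contained;
# a real system stores salted hashes, which is a separate problem from injection.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret"), ("editor", "hunter2")])
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """Query built by string concatenation, the way the old Classic ASP page did it.
    Returns the matched username, or None if no row matches."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    # With the payload the statement becomes:
    #   ... WHERE username = 'admin' AND password = '' OR 0=0 --'
    # The OR 0=0 is always true and the -- comments out the dangling quote,
    # so every row matches and the first one is returned.
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_parameterized(conn, username, password):
    """Same query with placeholders. The driver sends the values separately
    from the statement text, so input can never change the query's structure;
    the payload is just compared, byte for byte, against the password column."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None

def demo():
    """Run both login paths against a valid login and the injected one."""
    conn = make_db()
    payload = "' OR 0=0 --"   # the password-box input from the post
    return {
        "legit_vuln": login_vulnerable(conn, "admin", "s3cret"),
        "legit_param": login_parameterized(conn, "admin", "s3cret"),
        "inject_vuln": login_vulnerable(conn, "admin", payload),
        # the vulnerable path does not even need a real user name
        "inject_vuln_nouser": login_vulnerable(conn, "nobody", payload),
        "inject_param": login_parameterized(conn, "admin", payload),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

The two functions differ only in how the values reach the database, which is the whole point: the fix is not about filtering quotes but about never letting user input become part of the statement text. In Classic ASP the parameterized shape is an `ADODB.Command` whose `CommandText` uses `?` placeholders, with values attached through `CreateParameter` and `Parameters.Append`; a stored procedure called the same way gets the same protection.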

If your company's website is having this problem, then fire me an email here and I can fix it for a small fee:

http://www.craigbowes.com/Contact.aspx

Thanks for the warning CrueLSaw.

Published Monday, March 10, 2008 5:37 PM by Fregas


About Fregas

Craig is currently the Lead Developer in Fort Worth, Texas for Enilon Group, a web development firm. He has been programming since 3rd grade (using the Commodore PET) and professionally for the past 7 years. He has written several articles for ASPToday.com and co-authored the book "Beginning Web Programming using VB.NET and Visual Studio .NET". Currently, his favorite programming language is C#, but he has programmed in Visual Basic, T-SQL, Ruby, ColdFusion, ASP 3.0/VBScript, ASP.NET, Javascript, Java and even Pascal. Besides programming, Craig is best known for his cooking and his somewhat offbeat sense of humor.
