Shazwazza / ClientDependency

DEPRECATED. A library for managing CSS & JavaScript dependencies and optimization in ASP.Net

SQL in the DependencyHandler.axd call #174

Closed (poprhythm closed 4 years ago)

poprhythm commented 4 years ago

I recently published an update to an Umbraco site I maintain which caused a server error. When examining eventlog.xml, I find that there is a request being made to DependencyHandler.axd with this signature:

<Data>https://www.site.org:443/DependencyHandler.axd?s=L3NjcmlwdHMvanF1ZXJ5LTEuMTIuNC5qczsvc2NyaXB0cy9ib290c3RyYXAuanM7L3NjcmlwdHMvanF1ZXJ5LXVpLTEuMTIuMS5qczsvc2NyaXB0cy9zaXRlLmpzOy9zY3JpcHRzL2pxdWVyeS52YWxpZGF0ZS5taW4uanM7L3NjcmlwdHMvanF1ZXJ5LnZhbGlkYXRlLnVub2J0cnVzaXZlLm1pbi5qczsvc2NyaXB0cy9qcXVlcnkudmFsaWRhdGUudW5vYnRydXNpdmUuYm9vdHN0cmFwLm1pbi5qczs%' UNION ALL SELECT NULL,NULL,NULL,NULL#&amp;t=Javascript&amp;cdv=1550335859</Data><Data>/DependencyHandler.axd</Data><Data>141.98.81.196</Data><Data></Data><Data>False</Data><Data></Data><Data>IIS APPPOOL\LeafWebUmbraco</Data><Data>67</Data><Data>IIS APPPOOL\LeafWebUmbraco</Data><Data>False</Data><Data>   at System.Convert.FromBase64_Decode(Char* startInputPtr, Int32 inputLength, Byte* startDestPtr, Int32 destLength)
   at System.Convert.FromBase64CharPtr(Char* inputPtr, Int32 inputLength)
   at System.Convert.FromBase64String(String s)
   at ClientDependency.Core.StringExtensions.DecodeFrom64(String toDecode) in C:\Users\Shannon\Documents\_Projects\ClientDependency\ClientDependency\ClientDependency.Core\StringExtensions.cs:line 81
   at ClientDependency.Core.StringExtensions.DecodeFrom64Url(String toDecode) in C:\Users\Shannon\Documents\_Projects\ClientDependency\ClientDependency\ClientDependency.Core\StringExtensions.cs:line 73
   at ClientDependency.Core.CompositeFiles.CompositeDependencyHandler.GetCombinedFiles(HttpContextBase context, String fileset, ClientDependencyType type, List`1&amp; fDefs) in C:\Users\Shannon\Documents\_Projects\ClientDependency\ClientDependency\ClientDependency.Core\CompositeFiles\CompositeDependencyHandler.cs:line 297
   at ClientDependency.Core.CompositeFiles.CompositeDependencyHandler.ProcessRequestInternal(HttpContextBase context, String fileset, ClientDependencyType type, Int32 version, Byte[] outputBytes, OutputCachedPage page, Boolean&amp; success) in C:\Users\Shannon\Documents\_Projects\ClientDependency\ClientDependency\ClientDependency.Core\CompositeFiles\CompositeDependencyHandler.cs:line 214
   at ClientDependency.Core.CompositeFiles.CompositeDependencyHandler.System.Web.IHttpHandler.ProcessRequest(HttpContext context) in C:\Users\Shannon\Documents\_Projects\ClientDependency\ClientDependency\ClientDependency.Core\CompositeFiles\CompositeDependencyHandler.cs:line 135
   at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step)
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean&amp; completedSynchronously)

It is baffling how %' UNION ALL SELECT NULL,NULL,NULL,NULL#&amp; appears at the end of the s argument. I've searched through my changes but can't find an obvious culprit - I'm guessing there's an Html.RequireJs call somehow injecting this SQL? Any ideas?

Edit: this is deployed on an Azure site; I cannot reproduce the behavior locally by setting the configuration to debug="false" and release mode.

Shazwazza commented 4 years ago

To me this sounds like some bot is trying to hack your site. Since DependencyHandler.axd is just a public endpoint, anything can send any string to it.
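
A triage helper for log entries like the one in this thread, as an added example that is not part of the original issue or the ClientDependency code: it splits the logged `s` value into its decodable Base64 prefix and whatever was appended, so the legitimate file list and the scanner probe can be told apart. The accepted alphabet, the marker list, the function names and the sample URLs are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# Assumed alphabet: standard and URL-safe Base64, optional '=' padding.
B64_PREFIX = re.compile(r"[A-Za-z0-9+/_-]*={0,2}")
# Heuristic markers of an automated SQL-injection probe (assumed, not exhaustive).
SQLI_MARKERS = re.compile(r"union\s+(all\s+)?select|'\s*(or|and)\s|--|#\s*$", re.I)

# Constructed samples: a shortened 's' value on a placeholder host.
GOOD_S = "L3NjcmlwdHMvanF1ZXJ5LTEuMTIuNC5qczs"
BASE = "https://www.example.org:443/DependencyHandler.axd?s="
CLEAN_URL = BASE + GOOD_S + "&amp;t=Javascript&amp;cdv=1"
PROBE_URL = BASE + GOOD_S + "%' UNION ALL SELECT NULL,NULL,NULL,NULL#&amp;t=Javascript&amp;cdv=1"

def extract_s(logged_url):
    """Pull the raw 's' value out of a URL as written to the event log."""
    # A URL parser is avoided on purpose: it would cut the value at '#'.
    query = logged_url.replace("&amp;", "&").partition("?")[2]
    for part in query.split("&"):
        if part.startswith("s="):
            return part[2:]
    return None

def triage(logged_url):
    """Return (verdict, decoded file list, unexpected tail) for one logged request."""
    s = extract_s(logged_url)
    if s is None:
        return ("no-s-parameter", "", "")
    prefix = B64_PREFIX.match(s).group(0)
    tail = s[len(prefix):]
    # Normalise URL-safe characters and re-pad before decoding the prefix.
    body = prefix.rstrip("=").replace("-", "+").replace("_", "/")
    try:
        raw = base64.b64decode(body + "=" * (-len(body) % 4), validate=True)
        files = raw.decode("utf-8", errors="replace")
    except binascii.Error:
        files = ""
    if not tail:
        return ("ok" if files else "malformed", files, tail)
    verdict = "sqli-probe" if SQLI_MARKERS.search(tail) else "malformed"
    return (verdict, files, tail)

if __name__ == "__main__":
    for url in (CLEAN_URL, PROBE_URL):
        print(triage(url))
```

A `sqli-probe` verdict with an intact file list in the prefix indicates that a valid handler URL was captured and had a payload appended to it by the client.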