Site has been hacked via SQL Injection

Recently my site was hacked via SQL injection. The hacker used the following query to get my DB name. I cannot understand this query they wrote.

Query:

=-999.9%20UNION%20ALL%20SELECT%20concat(0x7e,0x27,Hex(cast(database()%20as%20char)),0x27,0x7e),0x31303235343830303536,0x31303235343830303536,0x31303235343830303536-- 

After the query was run it showed an integer result, something like "74545883".

Can you explain how the query works?

surezram asked Jan 05 '11 04:01
2 Answers

It looks like an overflow attack. They UNION-ed with your existing query. Replacing all your %20 with (space), since it's URL-encoded, yields:

=-999.9 UNION ALL SELECT CONCAT(0x7e,0x27,Hex(cast(database() as char)),0x27,0x7e),0x31303235343830303536,0x31303235343830303536,0x31303235343830303536-- 

Break it down:

  1. the =-999.9 is just ending your current query
  2. 0x31303235343830303536 is NULL - they are just matching the number of columns in your existing query. If you had SELECT * FROM users and users had 4 columns, the UNION must also have 4 columns. As a result, they just used NULL values to populate those columns.
  3. the real confusion is in the CONCAT(). They are combining 126, 39, database name as hex value, 39, and 126
  4. -- is a MySQL comment: it ignores the rest of your query after it

Judging from this attack, I suspect that you are not wrapping input in mysql_real_escape_string(), which allowed the attacker to jump out of your query and execute their own.

See owasp.org for more information.

sethvargo answered Sep 22 '22 03:09


This is not the complete query; actually, the person entered this string in your web app.

Now, first replace %20 with a blank space in the UNION part; you get:

SELECT concat(0x7e,0x27,Hex(cast(database() as char)),0x27,0x7e),0x31303235343830303536,0x31303235343830303536,0x31303235343830303536-- 

Seems like the user put the string in some place where you were expecting a number. So, you see that first there is a number (999.9) to complete the original condition of the query. Then, a UNION part is added. Finally, after the UNION part, the comment characters are added (-- ) so that the rest of the query (which might be appended by your system) is bypassed.

We can format the code for better understanding:

SELECT
    concat(
        0x7e,
        0x27,
        Hex(cast(database() as char)),
        0x27,
        0x7e
    ),
    0x31303235343830303536,
    0x31303235343830303536,
    0x31303235343830303536

Now, a substring of the first column of the result will contain the hex-encoded form of your database name. Actually, it should be surrounded by single quotes (0x27), then again surrounded by ~ (0x7e).

Sarwar Erfan answered Sep 21 '22 03:09
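Both answers above decode the injected string by hand. The script below is an added example (it is not code from the question or from either answer) that does the same decoding mechanically, shows what the CONCAT() wrapper around the database name actually produces, and puts the vulnerable string-built query next to the parameterised one that stops it. SQLite stands in for MySQL, so the hex filler is shown as the text it spells rather than as NULL, and hex('shop') replaces Hex(cast(database() as char)); the products table, its columns and the database name "shop" are constructed for the demonstration.

```python
"""Added example (not from the question or either answer): decode the pieces
of the injected string and show the vulnerable query beside the fixed one.
Table and column names are constructed; SQLite stands in for MySQL."""
import sqlite3
from urllib.parse import unquote

# The injected string exactly as it appeared in the question (URL-encoded).
PAYLOAD = ("=-999.9%20UNION%20ALL%20SELECT%20concat(0x7e,0x27,"
           "Hex(cast(database()%20as%20char)),0x27,0x7e),"
           "0x31303235343830303536,0x31303235343830303536,"
           "0x31303235343830303536--")


def url_decode(payload: str) -> str:
    """Turn %20 (and any other percent-escape) back into the real character."""
    return unquote(payload)


def mysql_hex_literal_to_text(literal: str) -> str:
    """In a string context MySQL reads 0x... as the bytes it spells, so the
    filler value 0x31303235343830303536 is the text '1025480056'; it only
    has to occupy a column so the UNION's column count matches."""
    return bytes.fromhex(literal[2:]).decode("ascii")


def concat_wrapper(db_name: str) -> str:
    """What CONCAT(0x7e,0x27,HEX(database()),0x27,0x7e) yields for a given
    database name: the name's hex, wrapped in quotes and tildes as markers."""
    tilde, quote = (mysql_hex_literal_to_text(h) for h in ("0x7e", "0x27"))
    return tilde + quote + db_name.encode("ascii").hex().upper() + quote + tilde


def recover_db_name(column_value: str) -> str:
    """Reverse of concat_wrapper: strip the markers and hex-decode. The markers
    are what makes the value easy to spot in a page full of legitimate output,
    which is also what a WAF or log review can key on."""
    inner = column_value.strip("~").strip("'")
    return bytes.fromhex(inner).decode("ascii")


def demo_db() -> sqlite3.Connection:
    """Constructed four-column table, mirroring answer 1's point that the
    injected SELECT must supply exactly as many columns as the original."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products("
                 "id INTEGER, name TEXT, price REAL, stock INTEGER)")
    conn.execute("INSERT INTO products VALUES (1, 'widget', 9.5, 3)")
    return conn


# SQLite stand-in for the decoded payload: hex('shop') plays the role of
# Hex(cast(database() as char)), and the fillers are the decoded text.
SQLITE_PAYLOAD = ("-999.9 UNION ALL SELECT hex('shop'), "
                  "1025480056, 1025480056, 1025480056 --")


def vulnerable_lookup(conn: sqlite3.Connection, product_id: str) -> list:
    """The bug from the question: user input pasted into the SQL text, so the
    closing number, the UNION and the -- comment are all parsed as SQL."""
    sql = f"SELECT id, name, price, stock FROM products WHERE id = {product_id}"
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, product_id: str) -> list:
    """The fix: a bound parameter is sent as data, never as SQL, so the same
    string is simply compared against id and matches nothing."""
    sql = "SELECT id, name, price, stock FROM products WHERE id = ?"
    return conn.execute(sql, (product_id,)).fetchall()


if __name__ == "__main__":
    print(url_decode(PAYLOAD))
    print(mysql_hex_literal_to_text("0x31303235343830303536"))
    print(concat_wrapper("shop"), "->", recover_db_name(concat_wrapper("shop")))
    db = demo_db()
    print("vulnerable:", vulnerable_lookup(db, SQLITE_PAYLOAD))
    print("parameterised:", safe_lookup(db, SQLITE_PAYLOAD))
```

Run stand-alone, the vulnerable lookup returns the hex of the constructed database name in the first column and the decoded filler in the other three, while the parameterised lookup returns no rows for the same input. Escaping with mysql_real_escape_string() as answer 1 suggests does not help here, because the input is used in a numeric position with no quotes to escape out of; binding the value is what closes that gap.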