
SQL injection? CHAR(45,120,49,45,81,45)

I just saw this come up in our request logs. What were they trying to achieve?

The full request string is:

properties?page=2side1111111111111 UNION SELECT CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45),CHAR(45,120,52,45,81,45),CHAR(45,120,53,45,81,45),CHAR(45,120,54,45,81,45),CHAR(45,120,55,45,81,45),CHAR(45,120,56,45,81,45),CHAR(45,120,57,45,81,45),CHAR(45,120,49,48,45,81,45),CHAR(45,120,49,49,45,81,45),CHAR(45,120,49,50,45,81,45),CHAR(45,120,49,51,45,81,45),CHAR(45,120,49,52,45,81,45),CHAR(45,120,49,53,45,81,45),CHAR(45,120,49,54,45,81,45) -- /* 

Edit: As a Google search didn't return anything useful, I wanted to ask the question for people who encounter the same thing.

roo asked Jul 03 '13 03:07


2 Answers

This is just a test for injection. If an attacker can see xQs in the output then they'll know injection is possible.

There is no "risk" from this particular query.

A developer should pay no attention to whatever injection mechanisms, formats or meanings - these are none of his business.

There is only one cause for all the infinite number of injections - an improperly formatted query. As long as your queries are properly formatted then SQL injections are not possible. Focus on your queries rather than methods of SQL injection.

Your Common Sense answered Oct 12 '22 14:10


The Char() function interprets each value as an integer and returns a string made up of the characters given by the code values of those integers. With Char(), NULL values are skipped. The function is used within Microsoft SQL Server, Sybase, and MySQL, while CHR() is used by other RDBMSs.

SQL's Char() function comes in handy when (for example) addslashes() for PHP is used as a precautionary measure within the SQL query. Using Char() removes the need for quotation marks within the injected query.

An example of some PHP code vulnerable to an SQL injection using Char() would look similar to the following:

```php
// Vulnerable: addslashes() escapes quotes, but the value is interpolated
// unquoted, so a payload needs no quotes at all and CHAR() supplies any strings.
$id = addslashes( $_GET['id'] );
$query = 'SELECT username FROM users WHERE id = ' . $id;
```

While addslashes() has been used, the script fails to properly sanitize the input as there is no trailing quotation mark. This could be exploited using the following SQL injection string to load the /etc/passwd file:

Source: http://hakipedia.com/index.php/SQL_Injection#Char.28.29

Ganesh S answered Oct 12 '22 12:10
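The CHAR() sequences in the logged request decode to the column markers the first answer refers to. The following Python script is added here and is not part of either answer: it decodes every CHAR(...) call in a logged request (the request string from the question is embedded as the sample input) and flags a sequential -x<n>-Q- UNION SELECT column probe; the function names are my own.

```python
import re

# Constructed sample input: the request string quoted in the question, URL-decoded.
LOGGED_REQUEST = (
    "properties?page=2side1111111111111 UNION SELECT "
    "CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45),"
    "CHAR(45,120,52,45,81,45),CHAR(45,120,53,45,81,45),CHAR(45,120,54,45,81,45),"
    "CHAR(45,120,55,45,81,45),CHAR(45,120,56,45,81,45),CHAR(45,120,57,45,81,45),"
    "CHAR(45,120,49,48,45,81,45),CHAR(45,120,49,49,45,81,45),CHAR(45,120,49,50,45,81,45),"
    "CHAR(45,120,49,51,45,81,45),CHAR(45,120,49,52,45,81,45),CHAR(45,120,49,53,45,81,45),"
    "CHAR(45,120,49,54,45,81,45) -- /* "
)

CHAR_CALL = re.compile(r"CHAR\(\s*([\d,\s]+?)\s*\)", re.IGNORECASE)
# Marker shape this probe uses: -x<column number>-Q-
MARKER = re.compile(r"^-x(\d+)-Q-$")


def decode_char_calls(request: str) -> list[str]:
    """Return the string each CHAR(...) call in the request evaluates to.

    MySQL's CHAR() treats each argument as a code value; values 0-255 are
    single bytes, which is all this probe uses.
    """
    decoded = []
    for args in CHAR_CALL.findall(request):
        codes = [int(x) for x in args.split(",") if x.strip()]
        decoded.append("".join(chr(c) for c in codes))
    return decoded


def analyse_union_probe(request: str) -> dict:
    """Decode the CHAR() calls and report whether they form a UNION column probe.

    Sixteen sequential markers means the attacker guessed the original query
    returns 16 columns; whichever marker shows up in the page tells them which
    column is rendered, which is what the first answer means by seeing xQs.
    """
    decoded = decode_char_calls(request)
    numbers = [MARKER.match(d) for d in decoded]
    sequential = bool(decoded) and all(
        m is not None and int(m.group(1)) == i for i, m in enumerate(numbers, 1)
    )
    return {
        "columns": len(decoded),
        "decoded": decoded,
        "is_column_probe": sequential and "UNION SELECT" in request.upper(),
    }


if __name__ == "__main__":
    print(analyse_union_probe(LOGGED_REQUEST))
```

A request whose decoded markers are sequential is worth a log alert on its own, regardless of whether the page actually rendered one of them.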