
What is NV32ts and its SQL Injection Attack trying to do?

I have been getting a number of attacks on my website lately, with a User-Agent of NV32ts.

They all are some variation of the following injection attacks against a querystring variable (where 99999 represents a valid querystring value; the attack is appended to the value):

(For convenience I have urldecoded the following attacks)

999999 And char(124)+(Select Cast(Count(1) as varchar(8000))+char(124) From [sysobjects] Where 1=1)>0

or

999999' And char(124)+(Select Cast(Count(1) as varchar(8000))+char(124) From [sysobjects] Where 1=1)>0 and ''='

or

999999' And char(124)+(Select Cast(Count(1) as varchar(8000))+char(124) From [sysobjects] Where 1=1)>0 and ''='

I believe that sysobjects has something to do with the SQL Server master database, but I can't figure out what they are trying to accomplish.

Edit: I have now seen these same things with two different user agents:

  • NV32ts
  • Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; WWTClient2)
asked Jan 12 '09 19:01

Nathan


1 Answer

I read this one two ways, but I'm not 100% sure which:

  1. At this point they're just fishing. The script is looking for web sites that have both open injection vulnerabilities and access to the sysobjects table in SQL Server. That table will provide a list of all tables and columns (and their types) in the database. If the page actually returns a result rather than throwing an error, the script will log that for a future more detailed attack. You'll eventually end up with malicious JavaScript code appended to every text (varchar, nvarchar, char, nchar, text) column of every row of every table in the entire db. I think this is the more-likely option.
  2. It creates an expression that will always return true, perhaps allowing them to bypass your authentication system. This seems less likely, because the sysobjects reference makes it needlessly complex. Also: they used And rather than Or.
answered Nov 15 '22 05:11

Joel Coehoorn
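
For triaging your own logs against the probe discussed above, here is an added example (not part of the original question or answer) that URL-decodes each request and flags the strings and User-Agent quoted in the question, counting how many probes got HTTP 200 rather than an error, the case the answer says the script records. It assumes Combined Log Format; the `/item.asp?id=` endpoint, the IP addresses and the log lines are constructed.

```python
import re
from urllib.parse import quote, unquote_plus, urlsplit

# Combined Log Format: ip - - [time] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# Signatures taken from the probe strings and User-Agent quoted in the question.
QUERY_SIGNATURES = {
    "sysobjects": re.compile(r"\bsysobjects\b", re.I),
    "char(124)": re.compile(r"char\s*\(\s*124\s*\)", re.I),
    "cast-count": re.compile(r"cast\s*\(\s*count\s*\(", re.I),
}

def classify(line):
    """Return (ip, status, sorted signature names), or None if the line is unparseable."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    # Decode twice so a double-encoded payload (%2527 -> %27 -> ') is also caught.
    query = unquote_plus(unquote_plus(urlsplit(m["target"]).query))
    hits = [name for name, rx in QUERY_SIGNATURES.items() if rx.search(query)]
    if m["ua"].strip().lower() == "nv32ts":
        hits.append("ua:NV32ts")
    return m["ip"], int(m["status"]), sorted(hits)

def summarize(lines):
    """Map source IP -> probe count and how many probes got HTTP 200 instead of an error."""
    report = {}
    for ip, status, hits in filter(None, map(classify, lines)):
        if hits:
            entry = report.setdefault(ip, {"probes": 0, "returned_200": 0})
            entry["probes"] += 1
            entry["returned_200"] += int(status == 200)
    return report

# Constructed sample log (documentation IPs, hypothetical /item.asp?id= endpoint).
_SQL = "char(124)+(Select Cast(Count(1) as varchar(8000))+char(124) From [sysobjects] Where 1=1)>0"
_FMT = '{} - - [12/Jan/2009:19:01:00 +0000] "GET /item.asp?id={} HTTP/1.1" {} 1208 "-" "{}"'
SAMPLE_LOG = [
    _FMT.format("203.0.113.7", quote("999999 And " + _SQL), 500, "NV32ts"),
    _FMT.format("203.0.113.7", quote("999999' And " + _SQL + " and ''='"), 200, "Mozilla/4.0"),
    _FMT.format("198.51.100.23", "42", 200, "Mozilla/5.0"),
]

if __name__ == "__main__":
    for ip, counts in summarize(SAMPLE_LOG).items():
        print(ip, counts)
```

Any address with a non-zero `returned_200` count points at a page worth reviewing first, since the request was answered normally instead of being rejected.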