Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

What is NV32ts and its SQL Injection Attack trying to do?

Tags:

security

sql-server

sql-injection

I have been getting a number of attacks on my website lately, with a User-Agent of NV32ts.

They all are some variation of the following injection attacks against a querystring variable (where 99999 represents a valid querystring value, the attack is appended to the value):

(For convenience I have urldecoded the following attacks)

999999 And char(124)+(Select Cast(Count(1) as varchar(8000))+char(124) From [sysobjects] Where 1=1)>0

or

999999' And char(124)+(Select Cast(Count(1) as varchar(8000))+char(124) From [sysobjects] Where 1=1)>0 and ''='

or 

999999' And char(124)+(Select Cast(Count(1) as varchar(8000))+char(124) From [sysobjects] Where 1=1)>0 and ''='

I believe that sysobjects has something to do with the Sql Server master database, but I can't figure out what they are trying to accomplish.

Edit: I have now seen these same things with two different user agents:

  • NV32ts
  • Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; WWTClient2)
like image 654
Nathan Avatar asked Jan 12 '09 19:01

Nathan

1 Answers

I read this one two ways, but I'm not 100% sure which:

  1. At this point they're just fishing. The script is looking for web sites that have both open injection vulnerabilities and access to the sysobjects table in sql server. That table will provide a list of all tables and columns (and their types) in the database. If the page actually returns a result rather than throwing an error, the script will log that for a future more detailed attack. You'll eventually end up with malicious javascript code appended to every text (varchar, nvarchar, char, nchar, text) column of every row of every table in the entire db. I think this is the more-likely option.
  2. It creates an expression that will always return true, perhaps allowing them bypass your authentication system. This seems less likely, because the sysobjects reference makes it needlessly complex. Also: they used And rather than Or.
like image 151
Joel Coehoorn Avatar answered Nov 15 '22 05:11

Joel Coehoorn
Sign in to Comment

Related questions

how the top 1 works in sql server 2012
sqlalchemy, specify database name with DSN
Cannot restore SQL Server snapshot
Find the 3rd Maximum Salary for each department based on table data
T-SQL difference between WHERE EXISTS and INTERSECT
Comparing empty string with null value - SQL Server
pyodbc- connection failure to SQL Server
TSQL - Cannot find unicode char with CHARINDEX
EF Core delete one-to-one relation on same table
T-SQL multi-line strings without indent chars
How to change a UNION to a IN clause?
Convert Image data type into Base64 and Base64 into Image data type
Insert stored procedure results into temp table
List or concatenate in SQL window function
SQL Server 2019 Express installation failed because it could not find the 2017 driver?
Is it possible to connect PHP to SQL Server Compact Edition?
Simplest way to print out the contents of a text field in SQL Server
Log table access using SQL Server Profiler
Update script for updating a table field in SQL Server from NULL to non-NULL
Clever tricks to find specific LINQ queries in SQL Profiler

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!