Decoding T-SQL CAST in C#/VB.net

Question

Recently our site has been deluged with the resurgence of the ASPRox bot SQL Injection attack. Without going into details, the attack attempts to execute SQL code by encoding the T-SQL commands in an ASCII encoded BINARY string. It looks something like this:

DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x44004500...06F007200%20AS%20NVARCHAR(4000));EXEC(@S);--

I was able to decode this in SQL, but I was a little wary of doing this since I didn't know exactly what was happening at the time.

I tried to write a simple decode tool so I could decode this type of text without even touching SQL server. The main part I need decoded is:

CAST(0x44004500...06F007200 AS
NVARCHAR(4000))

I've tried all of the following commands with no luck:

txtDecodedText.Text = 
    System.Web.HttpUtility.UrlDecode(txtURLText.Text);             
txtDecodedText.Text =
    Encoding.ASCII.GetString(Encoding.ASCII.GetBytes(txtURLText.Text));    
txtDecodedText.Text =
    Encoding.Unicode.GetString(Encoding.Unicode.GetBytes(txtURLText.Text));             
txtDecodedText.Text =
    Encoding.ASCII.GetString(Encoding.Unicode.GetBytes(txtURLText.Text));    
txtDecodedText.Text =
    Encoding.Unicode.GetString(Convert.FromBase64String(txtURLText.Text));

Can anybody suggest the proper way to translate this encoding without using SQL Server. Is is possible? I'll take VB.net code since I'm familiar with that too.

Answer 1

Why do you want to decode it? Is this a way that you communicate on your website? If not I would just recommend blocking it and switching to SQL Parameters.

Answer 2

Partially for convenience, partially for security, partially for reuse. I primarily do web app development, but if a URL like this comes into my log and I'm trying to diagnose it, I'd like to be able to quickly decode it without having to fire up SQL Management Studio and potentially execute some malicious code through the decoding process.

Answer 3

To be honest I have been looking for away to do the same, eventually what I did was log it and I use a separate database in a VM to look at the content. Wish there was an easier answer, but I am also looking for this solution.

Answer 4

Yeah, I would definitely start by using SQL parameters, if you aren't already.

Answer 5

Try removing the 0x first and then Encoding.UTF8.GetString, I think that may work.

Essentially: 0x44004500

remove the 0x, and then always 2 Bytes are one Character:

44 00 = D

45 00 = E

6F 00 = o

72 00 = r

So it's definitely a Unicode/UTF Format with 2 Bytes/Character.

Answer 6

Okay, I'm sure I'm missing something here, so here's where I'm at.

Since my input is a basic string, I started with just a snippet of the encoded portion - 4445434C41 (which translates to DECLA) - and the first attempt was to do this...

txtDecodedText.Text = Encoding.UTF8.GetString(Encoding.UTF8.GetBytes(txtURL.Text));

...and all it did was return the exact same thing that I put in, since it converted each character into is byte.

I realized that I need to parse each two characters into a byte manually since I don't know of any methods yet that will do that, so now my little decoder looks something like this:

while (!boolIsDone)
     {
        bytURLChar = byte.Parse(txtURLText.Text.Substring(intParseIndex, 2));
        bytURL[intURLIndex] = bytURLChar;
        intParseIndex += 2;
        intURLIndex++;

        if (txtURLText.Text.Length - intParseIndex < 2)
        {
           boolIsDone = true;
        }
     }

txtDecodedText.Text = Encoding.UTF8.GetString(bytURL);

Things look good for the first couple pairs, but then the loop balks when it gets to the "4C" pair and says that the string is in the incorrect format.

Interestingly enough, when I step through the debugger and to the GetString method on the byte array that I was able to parse up to that point, I get ",-+" as the result.

Can anybody help me figure out what I'm missing, do I need to do a "direct cast" for each byte instead of attempting to parse it?

Answer 7

Hazzah!!!!

I went back to Michael's post, did some more poking and realized that I did needed to do a double conversion, and eventually worked out this little nugget:

Convert.ToString(Convert.ToChar(Int32.Parse(EncodedString.Substring(intParseIndex, 2), System.Globalization.NumberStyles.HexNumber)));

From there I simply made a loop to go through all the characters 2 by 2 and get them "hexified" and then translated to a string.

To Nick, and anybody else interested, I went ahead and posted my little app over in CodePlex, feel free to use/modify as you need.

Thanks again all!

Answer 8

Glad to see it worked :-)

Answer 9

See my answer here: http://stackoverflow.com/questions/32412/whats-the-best-way-of-cleaning-up-after-a-sql-injection#32422