views: 4544

answers: 4

I have been getting a number of attacks on my website lately, with a User-Agent of NV32ts.

They are all some variation of the following injection attacks against a querystring variable (where 99999 represents a valid querystring value; the attack is appended to the value):

(For convenience I have urldecoded the following attacks)

999999 And char(124)+(Select Cast(Count(1) as varchar(8000))+char(124) From [sysobjects] Where 1=1)>0

or

999999' And char(124)+(Select Cast(Count(1) as varchar(8000))+char(124) From [sysobjects] Where 1=1)>0 and ''='

or

999999' And char(124)+(Select Cast(Count(1) as varchar(8000))+char(124) From [sysobjects] Where 1=1)>0 and ''='

I believe that sysobjects has something to do with the SQL Server master database, but I can't figure out what they are trying to accomplish.

Edit: I have now seen these same things with two different user agents:

  • NV32ts
  • Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; WWTClient2)
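The probes quoted above have a stable shape once the query string is URL-decoded: a `char(124)` wrapper around `Select Cast(Count(1) as varchar(...))` from `sysobjects`. The following is an added example, not part of the question or any answer, of detection logic that scans web server access logs for that shape and for the `NV32ts` user agent. The log lines are constructed (combined log format, placeholder IPs and paths), and the signature, field names and the `SUSPECT_UA` set are my own assumptions; it also flags when a probe received a 5xx response, since a database error reaching the client is what such a scanner is looking for.

```python
import re
from urllib.parse import unquote_plus

# Signature derived from the probes in the question, applied to the URL-decoded
# query string: char(124) + (Select Cast(Count(1) as varchar(N)) ... From [sysobjects]
PROBE_RE = re.compile(
    r"char\(124\)\s*\+\s*\(\s*select\s+cast\s*\(\s*count\(1\)\s+as\s+varchar\(\d+\)\s*\)"
    r".*?from\s+\[?sysobjects\]?",
    re.IGNORECASE | re.DOTALL,
)

# User agents seen on the probes in the question (assumed list, extend as needed).
SUSPECT_UA = {"NV32ts"}

# Apache/nginx "combined" log format: ip ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: two probes (one numeric, one quoted variant) and one normal request.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2009:11:02:15 +0000] "GET /page.asp?id=999999%20And%20char(124)%2B(Select%20Cast(Count(1)%20as%20varchar(8000))%2Bchar(124)%20From%20%5Bsysobjects%5D%20Where%201%3D1)%3E0 HTTP/1.1" 500 512 "-" "NV32ts"
203.0.113.7 - - [10/Feb/2009:11:02:16 +0000] "GET /page.asp?id=999999'%20And%20char(124)%2B(Select%20Cast(Count(1)%20as%20varchar(8000))%2Bchar(124)%20From%20%5Bsysobjects%5D%20Where%201%3D1)%3E0%20and%20''%3D' HTTP/1.1" 200 2048 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; WWTClient2)"
198.51.100.4 - - [10/Feb/2009:11:03:01 +0000] "GET /page.asp?id=99999 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def analyze_log(text):
    """Return one finding per suspicious request: source IP, status, reasons, and
    whether the server answered a probe with a 5xx (i.e. a DB error likely leaked)."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        path = unquote_plus(m.group("path"))  # decode %xx and '+' before matching
        reasons = []
        if PROBE_RE.search(path):
            reasons.append("sysobjects-count probe")
        if m.group("ua") in SUSPECT_UA:
            reasons.append("known scanner user-agent")
        if not reasons:
            continue
        status = int(m.group("status"))
        findings.append({
            "ip": m.group("ip"),
            "status": status,
            "reasons": reasons,
            # A server error in reply to a probe is the success signal the scanner wants.
            "error_leaked": status >= 500 and "sysobjects-count probe" in reasons,
        })
    return findings


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f)
```

Run it over a real access log by replacing `SAMPLE_LOG` with the file contents; the `error_leaked` findings are the ones to chase first, because they indicate the page let a database error bubble up to the client.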
+5  A: 

I read this one two ways, but I'm not 100% sure which:

  1. At this point they're just fishing. The script is looking for web sites that have both open injection vulnerabilities and access to the sysobjects table in SQL Server. That table will provide a list of all tables and columns (and their types) in the database. If the page actually returns a result rather than throwing an error, the script will log that for a future more detailed attack. You'll eventually end up with malicious JavaScript code appended to every text (varchar, nvarchar, char, nchar, text) column of every row of every table in the entire db. I think this is the more-likely option.
  2. It creates an expression that will always return true, perhaps allowing them to bypass your authentication system. This seems less likely, because the sysobjects reference makes it needlessly complex. Also: they used And rather than Or.
Joel Coehoorn
Agree, seems like it is scanning for basic vulnerabilities to me. Not necessarily a script (that depends on the behavior really).
Loki
+4  A: 

I believe what they are trying to figure out here is if your application is vulnerable to SQL Injection.

The Char(124) translates to the | character, which forces the whole query result to be seen as the result of the query with two pipes attached. So you end up with the number of tables in your database with two pipes attached (e.g. |1428|), which when compared to 0 in the > 0 causes an error because |1428| is not an int.

So if your application is open to SQL Injection they now know it (because the valid parameter value caused the application to err). They might also know that you have bad error handling if the SQL database error bubbles up to the top. If you do have bad error handling they also know how many tables you have (not sure what good that does them, but the more information the better).

A lot of SQL injection attempts are really meant to cause your application to fail in order to know that you are vulnerable. If you do handle errors well they may then attempt to blind SQL inject you.

Check out this to see that in detail.

I hope that you are not vulnerable, and if you are good luck!

Flory
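Two things in this answer are worth seeing side by side: the probe only works when the parameter is spliced into the SQL text, and the scanner learns most when the raw database error is returned to the client. The following is an added example (mine, not from the answer or the site in the question) that uses an in-memory SQLite database as a stand-in for SQL Server, with a constructed `items` table; the function names and the whitelist regex are my own assumptions. It contrasts the vulnerable concatenation plus error-echoing handler with a version that validates the numeric id, binds it as a parameter, and returns only a generic error.

```python
import logging
import re
import sqlite3

# Probe quoted in the question (URL-decoded form).
PROBE = ("999999 And char(124)+(Select Cast(Count(1) as varchar(8000))+char(124) "
         "From [sysobjects] Where 1=1)>0")


def make_db():
    """Constructed stand-in for the application's database (SQLite, not SQL Server)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", [(1, "widget"), (99999, "gadget")])
    return conn


def vulnerable_lookup(conn, raw_id):
    # Bad: the query string value is pasted into the SQL text, so whatever
    # follows the number is parsed as part of the WHERE clause.
    sql = "SELECT name FROM items WHERE id = " + raw_id
    return [row[0] for row in conn.execute(sql)]


def vulnerable_request(conn, raw_id):
    # Bad error handling: the raw driver message goes straight back to the
    # client, which is exactly the signal the scanner is looking for.
    try:
        return {"status": 200, "body": vulnerable_lookup(conn, raw_id)}
    except sqlite3.Error as exc:
        return {"status": 500, "body": str(exc)}


def safe_lookup(conn, raw_id):
    # 1. Validate: this parameter is a numeric id, so accept digits only.
    if not re.fullmatch(r"\d{1,10}", raw_id):
        raise ValueError("id must be numeric")
    # 2. Parameterize: the value is bound separately from the SQL text and can
    #    never change the statement's structure.
    rows = conn.execute("SELECT name FROM items WHERE id = ?", (int(raw_id),))
    return [row[0] for row in rows]


def handle_request(conn, raw_id):
    # Every failure maps to a generic response; details go to the server log only.
    try:
        return {"status": 200, "body": safe_lookup(conn, raw_id)}
    except ValueError:
        return {"status": 400, "body": "bad request"}
    except sqlite3.Error as exc:
        logging.error("database error for id=%r: %s", raw_id, exc)
        return {"status": 500, "body": "internal error"}


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal id:", vulnerable_request(db, "99999"))
    print("vulnerable, probe:    ", vulnerable_request(db, PROBE))
    print("safe, normal id:      ", handle_request(db, "99999"))
    print("safe, probe:          ", handle_request(db, PROBE))
```

Against the vulnerable pair the probe reaches the database engine and the engine's own error text is echoed back; against the safe pair the same input never reaches SQL at all and the client only learns "bad request". The validation step is specific to a numeric parameter; for free-text parameters the parameter binding alone is what prevents the injection, and the generic error response is what denies the scanner its signal.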
A: 

HP has a free tool you can run to check if your site (or any site) has SQL Injection vulnerabilities called Scrawlr. You can download it here:

adinas
Does anyone know if the nv32ts tool itself is available for download? I'd like to have a chance to run it before the other guys do.
Jerry B
+1  A: 

Check this out:

http://blogs.iss.net/archive/ConfickerwSQLInjecti.html