Is This an Injection Attack ?

  • We just got several hundred emails from our error contact page, with data such as:

    Name: cfwL

    E-Mail:

    Phone: ubGZ

    Comments: %' AND (SELECT 5319 FROM(SELECT COUNT(*),CONCAT(0x71716f6f71,(SELECT (CASE WHEN (5319=5319) THEN 1 ELSE 0 END)),0x716c6f6571,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND '%'='

    Error: Variable PROD is undefined.

    The error occurred on line 127.

    Name: cfwL

    E-Mail:

    Phone: ubGZ' AND (SELECT 4300 FROM(SELECT COUNT(*),CONCAT(0x71716f6f71,(SELECT (CASE WHEN (4300=4300) THEN 1 ELSE 0 END)),0x716c6f6571,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'erjH'='erjH

    URL Query String: wman

    Error: Variable PROD is undefined.

    The error occurred on line 127.

    Name: cfwL

    E-Mail:

    Phone: ubGZ

    Comments: AND 9204=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(113)||CHR(111)||CHR(111)||CHR(113)||(SELECT (CASE WHEN (9204=9204) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(108)||CHR(111)||CHR(101)||CHR(113)||CHR(62))) FROM DUAL)-- ndET

    URL Query String: wman

    Error: Variable PROD is undefined.

    The error occurred on line 127.

    Thoughts?

  • It looks as if it is

    Googling on information_schema character_sets injection throws up a number of pages that indicate that.

    Here's one from around the top of my search: SQL Injection - Learn to Attack

  • Agreed. It looks like an attempt at injection to me. You're going to want to find out if it was successful. Your company may also have a policy in place where you notify the corporate security officer or someone similar. I hope the attempt failed and you can report it as such.

    Next, figure out what application it came from and put some server-side validation in place to lock it down to the point where the queries don't even make it to the database server. Client-side is fine, but there are ways around that.

    I'm not trying to get preachy when I say this, but this is never pleasant. I expect growth and learning to occur today for you. I know it did for me on my first one.

  • My boss is pretty sure that the pages they were hitting do not touch the database.

    I'm going to pull the trace files for that time period and take a look at DB activity.
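The third reply suggests screening submissions server-side before anything reaches the database; the following is an added Python example, not code from the thread, that flags the error-based probe markers visible in the three mails quoted above. The pattern names are labels chosen here, and the sample submissions are constructed from the quoted payloads plus one benign entry.

```python
import re

# Markers of the error-based probes quoted in the thread; the names are
# labels chosen here, the patterns come from the literal fragments above.
PATTERNS = {
    "mysql_info_schema_groupby": re.compile(
        r"INFORMATION_SCHEMA\.CHARACTER_SETS\s+GROUP\s+BY", re.I),
    "mysql_floor_rand_dup_key": re.compile(r"FLOOR\(RAND\(0\)\*2\)", re.I),
    "oracle_xmltype_chr": re.compile(r"XMLType\(CHR\(", re.I),
    "oracle_from_dual": re.compile(r"\bFROM\s+DUAL\b", re.I),
    "tautology_case": re.compile(
        r"CASE\s+WHEN\s+\((\d+)=\1\)\s+THEN\s+1\s+ELSE\s+0\s+END", re.I),
    "quote_balancing_tail": re.compile(r"'([^']*)'\s*=\s*'"),
    "sql_comment_tail": re.compile(r"--\s*\w*\s*$"),
}

def classify(value: str) -> list[str]:
    """Names of every pattern that matches one form field value."""
    return [name for name, rx in PATTERNS.items() if rx.search(value)]

def scan_submission(fields: dict[str, str]) -> dict[str, list[str]]:
    """Field name -> matched pattern names, only for fields that look like probes."""
    return {f: tags for f, v in fields.items() if (tags := classify(v))}

def triage(submissions: list[dict[str, str]]) -> tuple[int, int]:
    """(flagged, total) for a batch of error-page mails."""
    return sum(1 for s in submissions if scan_submission(s)), len(submissions)

# Constructed sample: the three submissions from the thread plus one benign one.
SUBMISSIONS = [
    {"Name": "cfwL", "Phone": "ubGZ",
     "Comments": "%' AND (SELECT 5319 FROM(SELECT COUNT(*),CONCAT(0x71716f6f71,"
                 "(SELECT (CASE WHEN (5319=5319) THEN 1 ELSE 0 END)),0x716c6f6571,"
                 "FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND '%'='"},
    {"Name": "cfwL",
     "Phone": "ubGZ' AND (SELECT 4300 FROM(SELECT COUNT(*),CONCAT(0x71716f6f71,"
              "(SELECT (CASE WHEN (4300=4300) THEN 1 ELSE 0 END)),0x716c6f6571,"
              "FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'erjH'='erjH"},
    {"Name": "cfwL", "Phone": "ubGZ",
     "Comments": "AND 9204=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(113)||"
                 "CHR(111)||CHR(111)||CHR(113)||(SELECT (CASE WHEN (9204=9204) THEN 1 ELSE 0 END) "
                 "FROM DUAL)||CHR(113)||CHR(108)||CHR(111)||CHR(101)||CHR(113)||CHR(62))) FROM DUAL)-- ndET"},
    {"Name": "J. Smith", "Phone": "555-0100",
     "Comments": "The 'Submit' button doesn't work; can't get past step 2."},
]

if __name__ == "__main__":
    print("flagged %d of %d" % triage(SUBMISSIONS))
```

A hit only confirms that a probe was sent; whether it succeeded still has to be read from the database trace the original poster plans to pull.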

