March 9, 2010 at 10:12 am
In our search logs, I see quite a few attempts to enter:
1 declare @x varchar(99) set @x=0x77616974666f722064656c61792027303a303a323027 exec(@x)--
into our search box.
I've searched for this string, but find no useful pages describing what it does.
I tried running it directly (not on my live server!) but the initial '1' threw an error.
Removing the 1 and running again didn't throw an error, nor did it return any results immediately. I cancelled after a couple of seconds.
Anyone any ideas?
March 9, 2010 at 10:18 am
The following:
declare @x varchar(99)
set @x=0x77616974666f722064656c61792027303a303a323027 -- the hex literal is implicitly converted from varbinary to varchar on assignment
select @x
returns:
waitfor delay '0:0:20'
Is there actually more in the logs? Looks like it was delaying execution for 20 seconds for some reason.
March 9, 2010 at 10:20 am
Ah Lynn, you are just about 30 seconds faster than me.
CEWII
March 9, 2010 at 10:31 am
It's a test.
Telling SQL to wait 20 sec is an easy way for an attacker to tell if the system is vulnerable to SQL injection. If it is, the submitted page takes 20 seconds longer to return than it would have without the injection. If that happens, the attacker knows that the system is vulnerable and can start sending more damaging statements, ones that don't have such a clear indication as to their success or failure.
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
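As an added example (not code from anyone in this thread), a small Python script that does what Lynn's SELECT @x did for a whole search log: it decodes every 0x hex literal the way SQL Server's implicit varbinary-to-varchar conversion would, then flags the time-based probe patterns Gail describes (waitfor delay, exec(...), declare @). The log lines and the q="..." format are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample search-log lines (not from the original thread); the second and
# third queries are modelled on the two payloads quoted in the discussion.
SAMPLE_LOG = """\
2010-03-09 10:05:12 q="sql server backup"
2010-03-09 10:06:40 q="1 declare @x varchar(99) set @x=0x77616974666f722064656c61792027303a303a323027 exec(@x)--"
2010-03-09 10:07:02 q="x' waitfor delay '0:0:20'--"
2010-03-09 10:08:15 q="index fragmentation"
"""

# A T-SQL binary literal: 0x followed by an even number of hex digits.
HEX_LITERAL = re.compile(r"0x((?:[0-9A-Fa-f]{2})+)")
# Markers of a time-based injection probe, checked in both the raw and decoded text.
SUSPICIOUS = re.compile(r"\b(waitfor\s+delay|exec\s*\(|declare\s+@)", re.IGNORECASE)


def decode_hex_literals(text: str) -> List[str]:
    """Decode each 0x... literal as SQL Server would when assigning it to a varchar."""
    return [bytes.fromhex(m.group(1)).decode("latin-1") for m in HEX_LITERAL.finditer(text)]


def analyse_query(query: str) -> Dict[str, object]:
    """Return the decoded literals and the probe patterns found in a single query string."""
    decoded = decode_hex_literals(query)
    expanded = query + " " + " ".join(decoded)  # hidden text only becomes visible once decoded
    hits = sorted({re.sub(r"\s+", " ", h.lower()) for h in SUSPICIOUS.findall(expanded)})
    return {"query": query, "decoded": decoded, "hits": hits, "suspicious": bool(hits)}


def scan_log(log: str) -> List[Dict[str, object]]:
    """Analyse every q="..." entry of the constructed log format."""
    results = []
    for line in log.splitlines():
        m = re.search(r'q="(.*)"$', line)
        if m:
            results.append(analyse_query(m.group(1)))
    return results


if __name__ == "__main__":
    for r in scan_log(SAMPLE_LOG):
        if r["suspicious"]:
            print(f"PROBE {r['hits']} decoded={r['decoded']} :: {r['query']}")
```

A search term flagged here is worth a 20-second timing check of the page in a test environment, which is exactly the signal the attacker was looking for.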
March 9, 2010 at 3:01 pm
Lynn,
Thanks for that. How do you decode it though?
I can't see any other attempts though, so the attacker's 'test' of my site obviously failed (from the attacker's point of view anyway!)
Regards
Adam
March 9, 2010 at 3:03 pm
Take a close look at what I posted. There is an implicit conversion between binary and text in the assignment to the variable @x. All I did was do a SELECT @x after the assignment.
March 9, 2010 at 3:04 pm
Gail,
Thanks for the pointer. I had a look through the rest of the logs and there was no sign of further attempts, so the delay must not have happened for the attacker.
I hadn't wanted to try it through a web page, as I didn't know what it did, but I'll try it now just to be sure.
Regards
Adam
March 9, 2010 at 3:04 pm
The code she posted would show you. When I did it, I did it the hard way with an ASCII chart that has hex values. Hers was easier.
CEWII
March 9, 2010 at 3:12 pm
Elliott W (3/9/2010)
The code she posted would show you. When I did it, I did it the hard way with an ASCII chart that has hex values. Hers was easier. CEWII
Hers??? You talking about me??? 😉
March 9, 2010 at 3:12 pm
Doh!
Missed that - Sorry!
Adam
March 9, 2010 at 3:35 pm
I was. I made an assumption of your sex based on name. Since I have never referred to you as anything but Lynn before, I gambled.
CEWII
March 9, 2010 at 3:40 pm
Cyberspy (3/9/2010)
Gail, Thanks for the pointer. I had a look through the rest of the logs and there was no sign of further attempts, so the delay must not have happened for the attacker.
I hadn't wanted to try it through a web page, as I didn't know what it did, but I'll try it now just to be sure.
Regards
Adam
I suggest you run it in your webpage and verify that it did not happen. It likely did occur for the hacker and the hacker will return at a later time for something more sinister.
Jason...AKA CirqueDeSQLeil
_______________________________________________
I have given a name to my pain...MCM SQL Server, MVP
SQL RNNR
Posting Performance Based Questions - Gail Shaw
Learn Extended Events
March 11, 2010 at 8:39 am
I suggest you run it in your webpage and verify that it did not happen. It likely did occur for the hacker and the hacker will return at a later time for something more sinister.
Jason,
Once I knew it was not in itself harmful, I tried it, and it didn't work. 😀
It's been tried 92 times now!
Someone has also tried the less subtle x' waitfor delay '0:0:20'-- as well, but that doesn't work either 😉
Adam
March 11, 2010 at 10:33 am
Cyberspy (3/11/2010)
I suggest you run it in your webpage and verify that it did not happen. It likely did occur for the hacker and the hacker will return at a later time for something more sinister.
Jason,
Once I knew it was not in itself harmful, I tried it, and it didn't work. 😀
It's been tried 92 times now!
Someone has also tried the less subtle x' waitfor delay '0:0:20'-- as well, but that doesn't work either 😉
Adam
Good to know. That should help you sleep a little at night. 😉
Jason...AKA CirqueDeSQLeil
March 12, 2010 at 1:35 pm
Elliott W (3/9/2010)
I was. I made an assumption of your sex based on name. Since I have never referred to you as anything but Lynn before, I gambled. CEWII
Yeah. I made the same mistake too a while ago.
Lynn,
How about a sex change or a new name ?
Just kidding. TGIF