It looks to me that they are trying to plant a query into your queries file. What type is column 'id'? I am guessing that they (think they) have found a vulnerability where running a web app (prob labls.php') after this injection has taken place, the resulting query might get exectuted...
how many rows do you have in 'queries' tagged as 'labs.php'? I ewould be very tempted to examine each and every one of them by hand. - michael dykman On 9/4/07, Fletcher Mattox <[EMAIL PROTECTED]> wrote: > We were recently the target of an SQL injection, so I am trying to > determine if they were successful. I have recovered the SQL commands > from mysqld.log, but the code has me stumped. > > INSERT INTO queries (file,id) VALUES ('labs.php','4 OR 0 IN (SELECT TOP 1 > CHAR(60)+CHAR(112)+CHAR(102)+CHAR(111)+CHAR(110)+CHAR(107)+ > CHAR(110)+CHAR(112)+CHAR(112)+CHAR(62)+COALESCE(CAST(0 AS > VARCHAR(8000)),SPACE(0))+CHAR(60)+CHAR(122)+CHAR(108)+ > CHAR(105)+CHAR(99)+CHAR(110)+CHAR(113)+CHAR(97)+CHAR(116)+CHAR(62)) > OR 0 IN (SELECT CHAR(60)+CHAR(120)+CHAR(111)+CHAR(112)+CHAR(107)+ > CHAR(110)+CHAR(97)+CHAR(106)+CHAR(117)+CHAR(62))--') > > Can anyone explain what this was intended to accomplish? I understand > the basic trick is in the "OR 0" disjunction, but I do not understand > what this would actually do if successful. > > The above example gives a syntax error when I try it, but several > different attacks were done on different applications, and I have not > yet looked at all of them. > > Thanks, > Fletcher > > P.S. Is there a better place to ask this question? > > -- > MySQL General Mailing List > For list archives: http://lists.mysql.com/mysql > To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED] > > -- - michael dykman - [EMAIL PROTECTED] - All models are wrong. Some models are useful. -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED]