Hi,

Fletcher Mattox wrote:
We were recently the target of an SQL injection, so I am trying to
determine if they were successful.  I have recovered the SQL commands
from mysqld.log, but the code has me stumped.

INSERT INTO queries (file,id) VALUES ('labs.php','4 OR 0 IN (SELECT TOP 1 CHAR(60)+CHAR(112)+CHAR(102)+CHAR(111)+CHAR(110)+CHAR(107)+
  CHAR(110)+CHAR(112)+CHAR(112)+CHAR(62)+COALESCE(CAST(0 AS
  VARCHAR(8000)),SPACE(0))+CHAR(60)+CHAR(122)+CHAR(108)+
  CHAR(105)+CHAR(99)+CHAR(110)+CHAR(113)+CHAR(97)+CHAR(116)+CHAR(62))
  OR 0 IN (SELECT CHAR(60)+CHAR(120)+CHAR(111)+CHAR(112)+CHAR(107)+
  CHAR(110)+CHAR(97)+CHAR(106)+CHAR(117)+CHAR(62))--')

Can anyone explain what this was intended to accomplish?  I understand
the basic trick is in the "OR 0" disjunction, but I do not understand
what this would actually do if successful.

The above example gives a syntax error when I try it, but several
different attacks were done on different applications, and I have not
yet looked at all of them.

That's because this attack was targeted at MS SQL Server. Maybe that makes you feel better. It's hard to say exactly what this attack was for -- attackers have automated tools that attempt to discover failure and success patterns in HTML results and discover the schema and data via that means. It's complicated to explain, but actually quite simple most of the time to do.

The actual code snippet you've posted generates strings like '<pfonknpp>'. Make of that what you can!


Thanks,
Fletcher

P.S.  Is there a better place to ask this question?

I think this is a fine list for such questions.

Baron
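As an added example (not code from the thread, and not a tool either poster used), the Python below decodes the CHAR() runs in the logged statement so the probe can be read the way the server would have evaluated it. It pulls out every run of CHAR(n) calls joined by '+', converts each to the string it builds, and rewrites the statement with those strings inlined as quoted literals. The only input is the statement quoted above, embedded as a constant; everything else is an assumption of this example. Run against that input it recovers the '<pfonknpp>' string mentioned above and the two companion strings, and the inlined form shows the CAST(...) value sitting between the first two tags, which is what lets an automated tool find its result in the HTML response.

```python
import re

# Constructed sample input: the statement recovered from mysqld.log, as quoted above.
LOGGED_STATEMENT = """INSERT INTO queries (file,id) VALUES ('labs.php','4 OR 0 IN (SELECT TOP 1 CHAR(60)+CHAR(112)+CHAR(102)+CHAR(111)+CHAR(110)+CHAR(107)+
  CHAR(110)+CHAR(112)+CHAR(112)+CHAR(62)+COALESCE(CAST(0 AS
  VARCHAR(8000)),SPACE(0))+CHAR(60)+CHAR(122)+CHAR(108)+
  CHAR(105)+CHAR(99)+CHAR(110)+CHAR(113)+CHAR(97)+CHAR(116)+CHAR(62))
  OR 0 IN (SELECT CHAR(60)+CHAR(120)+CHAR(111)+CHAR(112)+CHAR(107)+
  CHAR(110)+CHAR(97)+CHAR(106)+CHAR(117)+CHAR(62))--')"""

# One run of CHAR(n) calls joined by '+'; whitespace and line breaks are allowed
# around the '+'. The leading \b stops VARCHAR(8000) from being read as CHAR(8000).
CHAR_RUN = re.compile(r"\bCHAR\(\d+\)(?:\s*\+\s*CHAR\(\d+\))*")


def decode_run(run: str) -> str:
    """Turn 'CHAR(60)+CHAR(112)+...' into the string it concatenates."""
    return "".join(chr(int(n)) for n in re.findall(r"\d+", run))


def decode_char_runs(sql: str) -> list:
    """Return every string the statement assembles from CHAR() concatenation,
    in the order they appear."""
    return [decode_run(m.group(0)) for m in CHAR_RUN.finditer(sql)]


def inline_literals(sql: str) -> str:
    """Rewrite the statement with each CHAR() run replaced by a quoted literal,
    so the injected query reads as the server would evaluate it."""
    return CHAR_RUN.sub(lambda m: "'" + decode_run(m.group(0)) + "'", sql)


if __name__ == "__main__":
    # Hypothetical usage: decode the statement from the log and print both views.
    for s in decode_char_runs(LOGGED_STATEMENT):
        print(repr(s))
    print(inline_literals(LOGGED_STATEMENT))
```

The regex deliberately only joins adjacent CHAR() calls, so the COALESCE(CAST(...)) term between the first two runs is left in place; that is what makes the inlined output show which part of the expression is attacker-chosen marker text and which part is data pulled from the database.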

--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe:    http://lists.mysql.com/[EMAIL PROTECTED]