
I looked at my logs today and could see that someone tried to launch a SQL injection or was trying to find a vulnerability (not sure about it). It looks like two types of attempt were made, either to gain some info or to launch an attack.

It's an ASP.NET MVC 5 application with EF6.

/my_app_name/home/action_method/1111111111111 UNION SELECT CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45),CHAR(45,120,52,45,81,45),CHAR(45,120,53,45,81,45),CHAR(45,120,54,45,81,45),CHAR(45,120,55,45,81,45),CHAR(45,120,56,45,81,45)
/my_app_name/home/action_method/ or (1,2)=(select*from(select name_const(CHAR(77,112,66,78,100,100,97,106,101,104,70,90),1),name_const(CHAR(77,112,66,78,100,100,97,106,101,104,70,90),1))a) -- and 1=1

I tried to search but could only find a little info about it. I would love to know what the above code is trying to do. The action method is a form field and will not post directly to a database. I send all input to validation and then call a method to save it to the database. Should I be worried? What should I do now (I mean, if something is compromised, which, unfortunately, I don't know)?

Update: I tried to simulate it on my test server. For the first I'm getting

System.Web.HttpException: The length of the URL for this request exceeds the configured maxUrlLength value.

and for the last I am getting

System.Web.HttpException: A potentially dangerous Request.Path value was detected from the client (*)

exception. I don't know what the attacker was trying to collect, or is there another way to test the above code?

curious.netter
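As an added example (not part of the question or of any comment), the Python script below decodes the CHAR() lists in both request paths and then replays the first one against a small in-memory SQLite table, once with the value concatenated into the SQL and once bound as a parameter. Decoding shows what the tool was doing: the first path is a UNION probe that tries to append a row of eight marker strings ("-x1-Q-" through "-x8-Q-") and see which of them shows up in the response, which tells the attacker the column count and which columns are rendered; the second builds the string "MpBNddajehFZ" and passes it to MySQL's name_const() twice in a derived table, which makes MySQL raise a duplicate-column error containing that string, so it is a test for whether database errors are echoed back. The table, its column names and the sample row are constructed for the demo; SQLite's char() accepts the same comma-separated code points as MySQL's CHAR(), while name_const() does not exist outside MySQL, so the second payload only exercises the error path here.

```python
import re
import sqlite3

# Both request paths from the question, URL-decoded, with the
# "/my_app_name/home/action_method/" prefix stripped so that only the value
# the action method actually received is left.
PAYLOAD_UNION = (
    "1111111111111 UNION SELECT CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),"
    "CHAR(45,120,51,45,81,45),CHAR(45,120,52,45,81,45),CHAR(45,120,53,45,81,45),"
    "CHAR(45,120,54,45,81,45),CHAR(45,120,55,45,81,45),CHAR(45,120,56,45,81,45)"
)
PAYLOAD_NAME_CONST = (
    " or (1,2)=(select*from(select name_const(CHAR(77,112,66,78,100,100,97,106,101,104,70,90),1),"
    "name_const(CHAR(77,112,66,78,100,100,97,106,101,104,70,90),1))a) -- and 1=1"
)

CHAR_CALL = re.compile(r"CHAR\(([\d,\s]+)\)", re.IGNORECASE)


def decode_char_calls(payload):
    """Turn every CHAR(n,n,...) in the payload back into the string it encodes.

    Attack tools use CHAR() so the literal never appears in the request:
    no quotes to escape and nothing for a naive keyword filter to match.
    """
    return [
        "".join(chr(int(n)) for n in m.group(1).split(","))
        for m in CHAR_CALL.finditer(payload)
    ]


def make_db():
    """Constructed demo table: 8 columns, because the UNION probe supplies 8 values."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (c1, c2, c3, c4, c5, c6, c7, c8)")
    conn.execute("INSERT INTO items VALUES (1, 'a', 'b', 'c', 'd', 'e', 'f', 'g')")
    return conn


def lookup(conn, raw_id, parameterized):
    """Look up an item by id.

    parameterized=False concatenates the raw value into the SQL text (the flaw
    the probe is looking for); parameterized=True binds it as a parameter (what
    EF does for LINQ queries). Returns ("rows", [...]) or ("error", message).
    """
    try:
        if parameterized:
            cur = conn.execute("SELECT * FROM items WHERE c1 = ?", (raw_id,))
        else:
            cur = conn.execute("SELECT * FROM items WHERE c1 = " + raw_id)
        return ("rows", cur.fetchall())
    except sqlite3.Error as exc:
        # An application that echoes this message to the client is exactly
        # what the name_const() probe is trying to detect.
        return ("error", str(exc))


if __name__ == "__main__":
    print(decode_char_calls(PAYLOAD_UNION))       # ['-x1-Q-', ..., '-x8-Q-']
    print(decode_char_calls(PAYLOAD_NAME_CONST))  # ['MpBNddajehFZ', 'MpBNddajehFZ']
    db = make_db()
    for payload in (PAYLOAD_UNION, PAYLOAD_NAME_CONST):
        print("concatenated :", lookup(db, payload, parameterized=False))
        print("parameterized:", lookup(db, payload, parameterized=True))
```

With concatenation, the UNION payload returns a row consisting of the eight marker strings, which is what the tool would grep the HTML for; with the bound parameter the same input is just a string that matches no id. Two caveats: the multi-argument CHAR() and name_const() are MySQL syntax, so the probe was written for MySQL and would not parse on SQL Server, and the demo's error string is SQLite's, whereas the tool is looking for MySQL's "Duplicate column name 'MpBNddajehFZ'" text in the response.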
  • Run it in local database and see what values are returned – Fabio Apr 09 '19 at 06:34
  • Actually I am testing that – curious.netter Apr 09 '19 at 06:38
  • @Fabio: For the first I'm getting System.Web.HttpException: The length of the URL for this request exceeds the configured maxUrlLength value. and for the last I am getting System.Web.HttpException: A potentially dangerous Request.Path value was detected from the client (*) exception. Don't know what the attacker was trying to collect or is there more way to test the above code? – curious.netter Apr 09 '19 at 06:46
  • Usually the EF providers used apply parameterization when creating the issued SQL queries to protect against SQL injection. If it is possible to circumvent this, either you use a crappy provider or you've found a bug. – DevilSuichiro Apr 09 '19 at 06:47
  • If you have a web server exposed on the internet, you'll see all kinds of attacks, including ones like these **all** of the time. They're not targeted at you (yet). They're testing to see if you have *simple and obvious* vulnerabilities. If you did, you'd then see follow-up, more targeted attacks. It's not a reason to be *complacent*, but know that they're not basing the attack on *anything about your application*. You'll see PHP and WordPress attacks too despite your application not being either of those. – Damien_The_Unbeliever Apr 09 '19 at 06:52
  • @Damien_The_Unbeliever: Thanks, I will keep an eye on it. But that cost me 2 hours :-( – curious.netter Apr 09 '19 at 07:00
  • @curious.netter the best way to avoid these attacks is to use a web application firewall. Have a look at [webknight](https://www.iis.net/downloads/community/2016/04/aqtronix-webknight) – prinkpan Apr 09 '19 at 09:55
  • Some of these attacks may also attempt to perform POST actions against GET endpoints. For anything public facing it's essential to validate all input types, and ensure all IDs etc. are relevant to the server session state. Any detected funny business like this should be logged and terminate the session. Authentication on public facing sites should also employ reCaptcha to ensure attacks like this don't start brute-forcing user accounts or locking out your users with failed login attempts. – Steve Py Apr 09 '19 at 11:24

0 Answers