SQL Injection Attacks - Macrotone Blogs
By Geoffrey Chapman on Monday, 22 April 2013
Category: Miscellaneous

SQL Injection Attacks

We are experiencing a spate of SQL injection attacks upon our site.

These take the form of SQL strings appended to the end of otherwise valid URL addresses. A simple Google search reveals that there are many sites where the examples given below have triggered problems. Two typical strings are shown below:

(/**/sElEcT+1+/**/fRoM(/**/sElEcT+count(*),/**/cOnCaT((/**/sElEcT(/**/sElEcT+/**/uNhEx(/**/hEx(/**/cOnCaT(0x217e21,0x4142433134355a5136324457514146504f4959434644,0x217e21))))+/**/fRoM+information_schema/**/tAbLeS+/**/lImIt+0,1),floor(rand(0)*2))x+/**/fRoM+information_schema/**/tAbLeS+/**/gRoUp/**/bY+x)a)   

Or

+or+1=(/**/sElEcT+1+/**/fRoM(/**/sElEcT+count(*),/**/cOnCaT((/**/sElEcT(/**/sElEcT+/**/uNhEx(/**/hEx(/**/cOnCaT(0x217e21,0x4142433134355a5136324457514146504f4959434644,0x217e21))))+/**/fRoM+information_schema/**/tAbLeS+/**/lImIt+0,1),floor(rand(0)*2))x+/**/fRoM+information_schema/**/tAbLeS+/**/gRoUp/**/bY+x)a)+and+1=1   

As one can see, the code is specifically targeting MySQL databases (the unhex()/hex() functions and 0x... hexadecimal literals are MySQL syntax). We presume that, if successful, they would then make further attempts to obtain more information in order to mount a more specifically targeted attack.

Note also the use of mixed case in the SQL strings, an attempt to bypass simple pattern-matching tests that may or may not be in place to detect these types of attack.

Looking at the first example in more detail, we can first convert the hexadecimal strings to text and also change the case of the obvious SQL keywords to make for easier reading:

Converting the strings gives: 0x4142433134355a5136324457514146504f4959434644 converts to: ?ABC145ZQ62DWQAFPOIYCFD

And 0x217e21 becomes: ?!~!?

This gives us the following:

(/**/select+1+/**/from(/**/select+count(*),/**/concat((/**/select(/**/select+/**/unhex(/**/hex(/**/concat(?!~!?, ?ABC145ZQ62DWQAFPOIYCFD,  ?!~!?))))+/**/from+information_schema/**/tables+/**/lImit+0,1),floor(rand(0)*2))x+/**/from+information_schema/**/tables+/**/group/**/by+x)a) 

The next step is to change the ‘+’ signs to spaces, since ‘+’ is how a space is encoded in a URL query string, and here they separate the individual words.

(/**/select 1 /**/from(/**/select count(*),/**/concat((/**/select(/**/select /**/unhex(/**/hex(/**/concat(?!~!?, ?ABC145ZQ62DWQAFPOIYCFD,  ?!~!?)))) /**/from information_schema/**/tables /**/lImit 0,1),floor(rand(0)*2))x /**/from information_schema/**/tables /**/group/**/by x)a) 

Take out the ‘/**/’ comment block strings [why add the comment blocks anyway, since they add nothing other than perhaps some form of obfuscation!] and we start to see something more sensible:

(select 1 from(select count(*), concat(( select( select unhex(hex( concat(?!~!?, ?ABC145ZQ62DWQAFPOIYCFD,  ?!~!?)))) from information_schema tables lImit 0,1),floor(rand(0)*2))x from information_schema tables group by x)a) 
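The decoding steps above (turn ‘+’ back into spaces, drop the /**/ comment blocks, lower-case the keywords, translate the 0x hexadecimal literals) are exactly what a detection rule has to do before it compares a request against a signature. The script below is an added example, not code from the original post or from Macrotone: it applies those steps to the first string quoted above (the sample input is the page's own payload, embedded here as RAW_PAYLOAD) and then shows that two constructed, case-sensitive signatures miss the raw string but match its normalised form. It generalises the post slightly by stripping any /* ... */ comment, not only the empty /**/ one, and by padding odd-length hex literals the way MySQL does. The signature list NAIVE_PATTERNS is an assumption for illustration, not a rule set from any real filter.

```python
import re
from urllib.parse import unquote_plus

# Sample input: the first injection string quoted in the post, as it arrived on the URL.
RAW_PAYLOAD = (
    "(/**/sElEcT+1+/**/fRoM(/**/sElEcT+count(*),/**/cOnCaT((/**/sElEcT(/**/sElEcT+"
    "/**/uNhEx(/**/hEx(/**/cOnCaT(0x217e21,0x4142433134355a5136324457514146504f4959434644,"
    "0x217e21))))+/**/fRoM+information_schema/**/tAbLeS+/**/lImIt+0,1),floor(rand(0)*2))x+"
    "/**/fRoM+information_schema/**/tAbLeS+/**/gRoUp/**/bY+x)a)"
)

# MySQL-style hexadecimal literal: 0x followed by hex digits.
HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]+)")
# Any inline comment, including the empty /**/ used as a keyword separator.
INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)

# Constructed signatures of the kind a naive, case-sensitive filter might use.
# They are written against clean SQL, which is why they miss the obfuscated raw string.
NAIVE_PATTERNS = [
    r"select\s+\d+\s+from",       # "select 1 from"
    r"information_schema\W{0,2}tables",
]


def decode_hex_literal(token: str) -> str:
    """Turn a MySQL 0x... literal into its text form, e.g. 0x217e21 -> '!~!'.

    MySQL treats an odd number of hex digits as if a leading 0 were present,
    so pad before decoding rather than raising on odd length.
    """
    hexdigits = token[2:]
    if len(hexdigits) % 2:
        hexdigits = "0" + hexdigits
    return bytes.fromhex(hexdigits).decode("latin-1")


def normalise(payload: str) -> str:
    """Apply the post's decoding steps, in order, to a raw URL fragment.

    1. URL-decode, which maps '+' (and %20) to a space.
    2. Replace every /* ... */ comment with a single space.
    3. Collapse runs of whitespace and lower-case everything.
    4. Replace 0x... literals with their quoted text (after lower-casing,
       so the decoded text keeps its original case).
    """
    s = unquote_plus(payload)
    s = INLINE_COMMENT.sub(" ", s)
    s = re.sub(r"\s+", " ", s).strip().lower()
    s = HEX_LITERAL.sub(lambda m: "'" + decode_hex_literal(m.group(0)) + "'", s)
    return s


def naive_match(text: str) -> bool:
    """Case-sensitive signature check with no decoding: what a simple filter does."""
    return any(re.search(p, text) for p in NAIVE_PATTERNS)


def detect(payload: str) -> bool:
    """Same signatures, but run over the normalised request instead of the raw one."""
    return naive_match(normalise(payload))


if __name__ == "__main__":
    print("raw string matches naive signatures:", naive_match(RAW_PAYLOAD))   # False
    print("normalised string matches signatures:", detect(RAW_PAYLOAD))        # True
    print(normalise(RAW_PAYLOAD))
```

The point for anyone writing detection rules is the pair of results: the signatures only fire once the request has been put through the same normalisation the attacker relied on nobody doing. Matching on the raw URL, with case and comment tricks left in place, is what the mixed case and /**/ padding are designed to defeat.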

It is ironic that there appear to be syntax errors in the original source (two of which are identical!).

We are not yet sure what the significance of the hex strings is.

There is something very sad about a situation where certain individuals have nothing better to do with their time than waste it trying to disrupt others' efforts to disseminate information and share knowledge with those interested in improving themselves. Even more so since, if they crafted the SQL themselves, they have a certain amount of SQL skill which could be put to better use.
