#1
We were recently the target of an SQL injection, so I am trying to determine if they were successful. I have recovered the SQL commands from mysqld.log, but the code has me stumped.

    INSERT INTO queries (file,id) VALUES ('labs.php','4 OR 0 IN (SELECT TOP 1
    CHAR(60)+CHAR(112)+CHAR(102)+CHAR(111)+CHAR(110)+CHAR(107)+
    CHAR(110)+CHAR(112)+CHAR(112)+CHAR(62)+COALESCE(CAST(0 AS
    VARCHAR(8000)),SPACE(0))+CHAR(60)+CHAR(122)+CHAR(108)+
    CHAR(105)+CHAR(99)+CHAR(110)+CHAR(113)+CHAR(97)+CHAR(116)+CHAR(62))
    OR 0 IN (SELECT CHAR(60)+CHAR(120)+CHAR(111)+CHAR(112)+CHAR(107)+
    CHAR(110)+CHAR(97)+CHAR(106)+CHAR(117)+CHAR(62))--')

Can anyone explain what this was intended to accomplish? I understand the basic trick is in the "OR 0" disjunction, but I do not understand what this would actually do if successful.

The above example gives a syntax error when I try it, but several different attacks were done on different applications, and I have not yet looked at all of them.

Thanks,
Fletcher

P.S. Is there a better place to ask this question?
#2
It looks to me that they are trying to plant a query into your queries file. What type is column 'id'?

I am guessing that they (think they) have found a vulnerability where running a web app (prob labs.php) after this injection has taken place, the resulting query might get executed... how many rows do you have in 'queries' tagged as 'labs.php'? I would be very tempted to examine each and every one of them by hand.

- michael dykman

On 9/4/07, Fletcher Mattox <fletcher@cs.utexas.edu> wrote:
> We were recently the target of an SQL injection, so I am trying to
> determine if they were successful. I have recovered the SQL commands
> from mysqld.log, but the code has me stumped.
>
> INSERT INTO queries (file,id) VALUES ('labs.php','4 OR 0 IN (SELECT TOP 1
> CHAR(60)+CHAR(112)+CHAR(102)+CHAR(111)+CHAR(110)+CHAR(107)+
> CHAR(110)+CHAR(112)+CHAR(112)+CHAR(62)+COALESCE(CAST(0 AS
> VARCHAR(8000)),SPACE(0))+CHAR(60)+CHAR(122)+CHAR(108)+
> CHAR(105)+CHAR(99)+CHAR(110)+CHAR(113)+CHAR(97)+CHAR(116)+CHAR(62))
> OR 0 IN (SELECT CHAR(60)+CHAR(120)+CHAR(111)+CHAR(112)+CHAR(107)+
> CHAR(110)+CHAR(97)+CHAR(106)+CHAR(117)+CHAR(62))--')
>
> Can anyone explain what this was intended to accomplish? I understand
> the basic trick is in the "OR 0" disjunction, but I do not understand
> what this would actually do if successful.
>
> The above example gives a syntax error when I try it, but several
> different attacks were done on different applications, and I have not
> yet looked at all of them.
>
> Thanks,
> Fletcher
>
> P.S. Is there a better place to ask this question?
>
> --
> MySQL General Mailing List
> For list archives: http://lists.mysql.com/mysql
> To unsubscribe: http://lists.mysql.com/mysql?unsub=mdykman@gmail.com

--
- michael dykman
- mdykman@gmail.com

- All models are wrong. Some models are useful.
#3
Hi,

Fletcher Mattox wrote:
> We were recently the target of an SQL injection, so I am trying to
> determine if they were successful. I have recovered the SQL commands
> from mysqld.log, but the code has me stumped.
>
> INSERT INTO queries (file,id) VALUES ('labs.php','4 OR 0 IN (SELECT TOP 1
> CHAR(60)+CHAR(112)+CHAR(102)+CHAR(111)+CHAR(110)+CHAR(107)+
> CHAR(110)+CHAR(112)+CHAR(112)+CHAR(62)+COALESCE(CAST(0 AS
> VARCHAR(8000)),SPACE(0))+CHAR(60)+CHAR(122)+CHAR(108)+
> CHAR(105)+CHAR(99)+CHAR(110)+CHAR(113)+CHAR(97)+CHAR(116)+CHAR(62))
> OR 0 IN (SELECT CHAR(60)+CHAR(120)+CHAR(111)+CHAR(112)+CHAR(107)+
> CHAR(110)+CHAR(97)+CHAR(106)+CHAR(117)+CHAR(62))--')
>
> Can anyone explain what this was intended to accomplish? I understand
> the basic trick is in the "OR 0" disjunction, but I do not understand
> what this would actually do if successful.
>
> The above example gives a syntax error when I try it, but several
> different attacks were done on different applications, and I have not
> yet looked at all of them.

That's because this attack was targeted at MS SQL Server. Maybe that makes you feel better.

It's hard to say exactly what this attack was for -- attackers have automated tools that attempt to discover failure and success patterns in HTML results and discover the schema and data via that means. It's complicated to explain, but actually quite simple most of the time to do.

The actual code snippet you've posted generates strings like '<pfonknpp>'. Make of that what you can!

> Thanks,
> Fletcher
>
> P.S. Is there a better place to ask this question?

I think this is a fine list for such questions.

Baron
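Decoding the CHAR() concatenation by hand, as Baron did for '<pfonknpp>', gets tedious when several logged attacks have to be triaged. The Python helper below is an added example, not code from the thread: it rewrites every CHAR(n)+CHAR(m)+... run in a logged statement as the literal it builds and lists those literals, so the tag-like markers the tool wrapped around its output stand out. The sample statement is the one from Fletcher's post, embedded here as constructed input, including the stray spaces the list archive inserted inside tokens, which the decoder tolerates.

```python
import re

# Constructed sample: the INSERT recovered from mysqld.log as it appears in
# the thread, including the spaces the archive inserted inside long tokens
# ("C HAR", "CHAR(1 08)"). The decoder below tolerates those.
LOGGED_QUERY = (
    "INSERT INTO queries (file,id) VALUES ('labs.php','4 OR 0 IN (SELECT TOP 1 "
    "CHAR(60)+CHAR(112)+CHAR(102)+CHAR(111)+CHAR(110)+C HAR(107)+ "
    "CHAR(110)+CHAR(112)+CHAR(112)+CHAR(62)+COALESCE(CA ST(0 AS "
    "VARCHAR(8000)),SPACE(0))+CHAR(60)+CHAR(122)+CHAR(1 08)+ "
    "CHAR(105)+CHAR(99)+CHAR(110)+CHAR(113)+CHAR(97)+CH AR(116)+CHAR(62)) "
    "OR 0 IN (SELECT CHAR(60)+CHAR(120)+CHAR(111)+CHAR(112)+CHAR(107)+ "
    "CHAR(110)+CHAR(97)+CHAR(106)+CHAR(117)+CHAR(62))--')"
)

# One CHAR(n) call, allowing stray whitespace inside the keyword and the
# number. The leading \b keeps VARCHAR(8000) from matching as CHAR(8000).
_CHAR = r"\bC\s*H\s*A\s*R\s*\(\s*(\d[\d\s]*)\)"
# A maximal run of CHAR(n) calls joined by '+' (MS SQL string concatenation).
_RUN = re.compile(rf"{_CHAR}(?:\s*\+\s*{_CHAR})*", re.IGNORECASE)
_ONE = re.compile(_CHAR, re.IGNORECASE)


def decode_run(run: str) -> str:
    """Turn 'CHAR(60)+CHAR(112)+...' into the literal string it builds."""
    return "".join(chr(int(re.sub(r"\s", "", n))) for n in _ONE.findall(run))


def decode_char_concat(sql: str) -> str:
    """Rewrite every CHAR() run in a logged statement as a quoted literal,
    leaving the rest of the statement (COALESCE, CAST, ...) untouched."""
    return _RUN.sub(lambda m: "'" + decode_run(m.group(0)) + "'", sql)


def extract_literals(sql: str) -> list[str]:
    """Return just the strings the CHAR() runs build, in order of appearance."""
    return [decode_run(m.group(0)) for m in _RUN.finditer(sql)]


if __name__ == "__main__":
    print(decode_char_concat(LOGGED_QUERY))
    # The three literals are the tag-like markers wrapped around the value
    # the tool tries to read back out of the HTML response.
    print(extract_literals(LOGGED_QUERY))
```

Running it over a whole mysqld.log, one statement at a time, turns each logged attack into readable markers so the different applications Fletcher mentions can be compared quickly.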