
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2974

Decode SQL Injection

My server caught and stopped the SQL injection below, but I wanted to find out what the hacker was trying to accomplish (if I hadn't stopped it). Thanks!

This was the first attempt (I already URL decoded it):

ID=999999.9 UNION ALL SELECT 0x31303235343830303536--

and then they tried the above injection 31 more times (in 1 second intervals), except each time they added another 0x31303235343830303536, and so the 32nd attempt looked like this:

ID=999999.9 UNION ALL SELECT 0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536--

When I tried converting 31303235343830303536 from hex to ASCII, I got 1025480056, but what the heck is that, and what does it mean to SQL Server?
3 Solutions
Ephraim Wangoya commented:
Looks like a fishing expedition to figure out how many columns are needed for the real attack to follow.
With just the process in the question alone, they try to figure out how many columns your query output has.

For example, say your SELECT query, which takes ID=xxxx as a parameter, has 32 output columns.
Each time they query, SQL will give an error like
All queries combined using a UNION, INTERSECT or EXCEPT operator must have an equal number of expressions in their target lists.
until the number of columns matches the number of injected parameters (which is 32); then it won't error.

After that, they may try to use your query to obtain any data they want, using your existing code.
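The two points raised so far, decoding the 0x literal the asker found and recognising the column-count probing Ephraim describes, can both be checked mechanically from the web server's request log. The following is an added example written for this page, not code from the question or from any of the answers: it decodes a SQL-style hex string literal the way SQL Server renders it as varchar, counts the expressions in an injected UNION SELECT, and flags a run of requests whose column count climbs by one each time. The request strings it works on are constructed to mirror the pattern in the question (the same literal appended once per request, 32 requests in all, plus one benign request); the threshold `min_steps=3` is an assumed tuning value, not something the page specifies.

```python
import re

# Constructed sample modelled on the question: the same hex literal appended
# once per request, 32 requests in all, with one benign request mixed in.
HEX_LITERAL = "0x31303235343830303536"
SAMPLE_REQUESTS = ["ID=4711"] + [
    "ID=999999.9 UNION ALL SELECT " + ",".join([HEX_LITERAL] * n) + "--"
    for n in range(1, 33)
]

# UNION [ALL] SELECT <select list> up to a comment marker or end of string.
UNION_RE = re.compile(
    r"\bUNION\b(?:\s+ALL)?\s+SELECT\b(.*?)(?:--|#|/\*|$)",
    re.IGNORECASE | re.DOTALL,
)
HEX_RE = re.compile(r"0x([0-9a-fA-F]+)")


def decode_hex_literal(lit: str) -> str:
    """Decode a 0x... literal to text as SQL Server does when it is converted
    to varchar: each pair of hex digits is one ASCII byte."""
    m = HEX_RE.fullmatch(lit)
    if not m or len(m.group(1)) % 2:
        raise ValueError(f"not a hex string literal: {lit!r}")
    return bytes.fromhex(m.group(1)).decode("ascii", errors="replace")


def union_column_count(query_string: str):
    """Number of expressions in an injected UNION SELECT, or None when the
    parameter carries no UNION SELECT. Splitting on commas is sufficient here
    because the probes consist of bare literals only."""
    m = UNION_RE.search(query_string)
    if not m:
        return None
    select_list = m.group(1).strip()
    if not select_list:
        return 0
    return len([c for c in select_list.split(",") if c.strip()])


def detect_column_probe(requests, min_steps=3):
    """Flag a run of requests whose UNION column count increases by exactly one
    each time: the signature of probing for the legitimate query's width."""
    counts = [c for c in (union_column_count(r) for r in requests) if c is not None]
    longest = run = 1 if counts else 0
    for prev, cur in zip(counts, counts[1:]):
        run = run + 1 if cur == prev + 1 else 1
        longest = max(longest, run)
    return {
        "union_requests": len(counts),
        "longest_increment_run": longest,
        "max_columns": max(counts, default=0),
        "probe": longest >= min_steps,
    }


if __name__ == "__main__":
    print("literal decodes to:", decode_hex_literal(HEX_LITERAL))
    print(detect_column_probe(SAMPLE_REQUESTS))
```

Run against the constructed sample, the decoder returns the same digit string the asker obtained, `1025480056`, and the detector reports 32 UNION requests with an unbroken increment run of 32 and `probe` set. The literal itself carries no instruction for SQL Server; it is a placeholder that converts to most column types without error, and the value that matters to a defender is the highest column count that stopped producing the "equal number of expressions" error, because that is the width of the query the attacker has now learned.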


Alpesh Patel (Assistant Consultant) commented:
ID=999999.9 UNION ALL SELECT 10254800561025480056102548005610254800561025480056102548005610254800561025480056102548005610254800561025480056102548005610254800561025480056102548005610254800561025480056102548005610254800561025480056102548005610254800561025480056102548005610254800561025480056102548005610254800561025480056102548005610254800561025480056

He is trying to do this:
Alpesh Patel (Assistant Consultant) commented:
select replicate(convert(varchar,0x31303235343830303536),32)
Qlemo (C++ Developer) commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
