Decode SQL Injection

My server caught and stopped the SQL injection below but I wanted to find out what the hacker was trying to accomplish (if I hadn't stopped it)? -Thanks!

This was the first attempt (I already URL decoded it):

ID=999999.9 UNION ALL SELECT 0x31303235343830303536--

and then they tried the above injection 31 more times (in 1 second intervals), except each time they added another 0x31303235343830303536, and so the 32nd attempt looked like this:

ID=999999.9 UNION ALL SELECT 0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536--

When I tried converting 31303235343830303536 from HEX to ASCII, I got 1025480056, but what the heck is that and what does it mean to SQL server?
Asked by: bobPUNKbob
 
dqmq commented:
Looks like a fishing expedition to figure out how many columns are needed for the real attack to follow.
 
JoeNuvo commented:
Just for the process in the question alone, they are trying to figure out how many columns there are in your query output.

For example, if your SELECT query, which takes ID=xxxx as a parameter, has 32 columns of output, each query they send will give an SQL error like
"All queries combined using a UNION, INTERSECT or EXCEPT operator must have an equal number of expressions in their target lists."
until the number of columns and the number of injected parameters match (which is 32); then it won't error.

After that, they may try to use your query to obtain any data they want later, using your existing code.
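
A defender-side way to spot the column-count probing described in the comments above, added here as an example and not code from any poster: it scans already URL-decoded request parameters, counts the expressions in each UNION SELECT list, decodes the hex markers, and flags a source whose count grows by one per request. The log tuples, source addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: (source, URL-decoded query string) pairs modelled on the
# attempts quoted in the question; the addresses are documentation-range IPs.
MARKER = "0x31303235343830303536"
SAMPLE = [("203.0.113.7", "ID=999999.9 UNION ALL SELECT " + ",".join([MARKER] * n) + "--")
          for n in range(1, 33)]
SAMPLE.append(("198.51.100.4", "ID=42"))  # ordinary request, must not be flagged

UNION_RE = re.compile(r"UNION\s+(?:ALL\s+)?SELECT\s+(.*?)(?:--|#|$)", re.I | re.S)
HEX_RE = re.compile(r"0x((?:[0-9a-f]{2})+)$", re.I)

def parse_probe(query):
    """Return (column_count, decoded markers) or None if there is no UNION SELECT."""
    m = UNION_RE.search(query)
    if not m:
        return None
    # Naive comma split: enough for flat literal lists like the ones in the question.
    exprs = [e.strip() for e in m.group(1).split(",") if e.strip()]
    markers = set()
    for e in exprs:
        h = HEX_RE.match(e)
        # Hex literals are decoded so the analyst sees the marker string itself.
        markers.add(bytes.fromhex(h.group(1)).decode("ascii", "replace") if h else e)
    return len(exprs), markers

def find_column_probes(requests, min_steps=3):
    """Flag sources whose UNION SELECT list grows by one column per request."""
    per_source = defaultdict(list)
    for src, query in requests:
        probe = parse_probe(query)
        if probe:
            per_source[src].append(probe)
    findings = {}
    for src, probes in per_source.items():
        counts = [c for c, _ in probes]
        steps = sum(1 for a, b in zip(counts, counts[1:]) if b == a + 1)
        if steps >= min_steps:
            markers = set().union(*(m for _, m in probes))
            findings[src] = {"max_columns": max(counts), "markers": sorted(markers)}
    return findings

if __name__ == "__main__":
    print(find_column_probes(SAMPLE))
```

The highest column count seen before the errors stop is the width the probe settled on, so it is worth recording alongside the source.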
 
Alpesh Patel (Assistant Consultant) commented:
ID=999999.9 UNION ALL SELECT 10254800561025480056102548005610254800561025480056102548005610254800561025480056102548005610254800561025480056102548005610254800561025480056102548005610254800561025480056102548005610254800561025480056102548005610254800561025480056102548005610254800561025480056102548005610254800561025480056102548005610254800561025480056

He is trying to do this

Alpesh Patel (Assistant Consultant) commented:
select replicate(convert(varchar,0x31303235343830303536),32)

Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.