Decode SQL Injection

Posted on 2011-05-11
Last Modified: 2012-08-13
My server caught and stopped the SQL injection below but I wanted to find out what the hacker was trying to accomplish (if I hadn't stopped it)? -Thanks!

This was the first attempt (I already URL decoded it):

ID=999999.9 UNION ALL SELECT 0x31303235343830303536--

and then they tried the above injection 31 more times (in 1 second intervals), except each time they added another 0x31303235343830303536, and so the 32nd attempt looked like this:

ID=999999.9 UNION ALL SELECT 0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536--

When I tried converting 31303235343830303536 from HEX to ASCII, I got 1025480056, but what the heck is that and what does it mean to SQL server?
Question by:bobPUNKbob
    LVL 32

    Accepted Solution

    LVL 42

    Assisted Solution

    Looks like a fishing expedition to figure out how many columns are needed for the real attack to follow.
    LVL 11

    Assisted Solution

    Just for the process in question alone, they try to figure out how many columns your query output has.

    For example, if your SELECT query, which takes ID=xxxx as a parameter, has 32 output columns,
    each time they query it will give a SQL error like
    All queries combined using a UNION, INTERSECT or EXCEPT operator must have an equal number of expressions in their target lists.
    until the number of columns and the number of injected parameters match; then it won't error (which is 32).

    After that, they may try to use your query to obtain any data they want later, using your existing code.
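The probe described in the question and this answer (one more hex literal per request until the UNION column count matches) is easy to spot in web server logs. The following is an added example, not code from the original thread: it decodes the hex literal and flags clients whose injected column count climbs request by request. The log lines, client addresses and path /item.asp are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

HEX_LITERAL = re.compile(r"^0x([0-9a-fA-F]{2})+$")
UNION_SELECT = re.compile(r"UNION\s+(?:ALL\s+)?SELECT\s+(.*?)(?:--|#|;|$)",
                          re.IGNORECASE | re.DOTALL)
# common-log-format prefix: client, ident, user, [time], "METHOD url"
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+)')

def decode_hex_literal(lit):
    """Turn a SQL hex literal such as 0x31303235343830303536 into the text it encodes."""
    if not HEX_LITERAL.match(lit):
        raise ValueError(f"not a hex literal: {lit!r}")
    return bytes.fromhex(lit[2:]).decode("ascii", errors="replace")

def count_union_columns(query):
    """Return the number of expressions in an injected UNION SELECT list, or 0 if none."""
    m = UNION_SELECT.search(unquote(query))
    if not m:
        return 0
    return len([e for e in m.group(1).split(",") if e.strip()])

def find_column_probes(log_lines, min_steps=3):
    """Group requests by (client, path) and report those whose UNION column
    count grows by one on consecutive requests: the column-enumeration pattern."""
    seen = defaultdict(list)
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, url = m.groups()
        path, _, query = url.partition("?")
        cols = count_union_columns(query)
        if cols:
            seen[(client, path)].append(cols)
    probes = {}
    for key, counts in seen.items():
        steps = sum(1 for a, b in zip(counts, counts[1:]) if b == a + 1)
        if steps + 1 >= min_steps:
            probes[key] = counts
    return probes

# constructed sample log lines shaped like the probe in the question
LIT = "0x31303235343830303536"
SAMPLE_LOG = [
    '203.0.113.7 - - [11/May/2011:10:00:%02d +0000] "GET /item.asp?ID=999999.9'
    '%%20UNION%%20ALL%%20SELECT%%20%s-- HTTP/1.1" 500 512' % (n, ",".join([LIT] * n))
    for n in range(1, 5)
] + ['198.51.100.3 - - [11/May/2011:10:00:09 +0000] "GET /item.asp?ID=42 HTTP/1.1" 200 2048']

if __name__ == "__main__":
    print(decode_hex_literal(LIT))
    print(find_column_probes(SAMPLE_LOG))
```

The decoded literal is just the digits 1025480056, a harmless marker; the signal worth alerting on is the rising column count from one client, not the literal's value.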
    LVL 21

    Expert Comment

    by:Alpesh Patel
    ID=999999.9 UNION ALL SELECT 10254800561025480056102548005610254800561025480056102548005610254800561025480056102548005610254800561025480056102548005610254800561025480056102548005610254800561025480056102548005610254800561025480056102548005610254800561025480056102548005610254800561025480056102548005610254800561025480056102548005610254800561025480056

    He is trying to do this
    LVL 21

    Expert Comment

    by:Alpesh Patel
    select replicate(convert(varchar,0x31303235343830303536),32)
    LVL 67

    Expert Comment

    This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
