SQL Hack Attempt

DanJourno
Hi,

We just had someone try to submit the following on a form on our website:

declare @q varchar(8000) select @q = 0x57414954464F522044454C4159202730303A30303A313527 exec(@q) --

They weren't able to because we filter out certain characters; however, out of interest, what does the above line do?

We use both MySQL and MSSQL.

Many thanks
Dan
FYI, run this and see for yourself what it does:


declare @q varchar(8000)
select @q = 0x57414954464F522044454C4159202730303A30303A313527  -- the binary literal is implicitly converted to varchar on assignment
select @q  -- displays the decoded text instead of running it
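The decoding the expert suggests, done offline, as an added Python example that is not code from this thread. It recovers the text hidden in the 0x... literal, shows the statement as exec() would actually see it, and pulls out the delay the attacker would be timing. The point the page makes implicitly: the single quotes and the WAITFOR keyword exist only inside the hex blob, so a filter that inspects the raw characters never sees them, and the probe leaves no error and no change on the page, only a pause if it runs. The function names and the SUSPICIOUS keyword list are assumptions for illustration, not a complete signature set.

```python
import re
from typing import Optional

# The exact line submitted to the form, as quoted in the question above.
PAYLOAD = ("declare @q varchar(8000) select @q = "
           "0x57414954464F522044454C4159202730303A30303A313527 exec(@q) --")

# A T-SQL binary literal: 0x followed by an even number of hex digits.
HEX_LITERAL = re.compile(r"0x((?:[0-9A-Fa-f]{2})+)\b")

# Keywords worth flagging once any hex literal has been decoded.
# Illustrative assumption, not a full signature set.
SUSPICIOUS = ("WAITFOR", "DELAY", "EXEC(", "EXEC ", "DECLARE", "SLEEP(", "BENCHMARK(")


def decode_hex_literals(text: str) -> list[str]:
    """Return the text hidden inside each 0x... literal, in order of appearance."""
    return [bytes.fromhex(m.group(1)).decode("latin-1")
            for m in HEX_LITERAL.finditer(text)]


def deobfuscate(text: str) -> str:
    """Rewrite the statement with each hex literal replaced by its decoded text,
    wrapped in {...} so an analyst can see what exec(@q) would actually run."""
    return HEX_LITERAL.sub(
        lambda m: "{" + bytes.fromhex(m.group(1)).decode("latin-1") + "}", text)


def waitfor_delay_seconds(text: str) -> Optional[int]:
    """If the decoded statement contains WAITFOR DELAY 'hh:mm:ss', return the pause
    in seconds. That number is the attacker's signal: a response slower by about
    that much means the input reached SQL Server as SQL, with nothing visible on
    the page to give it away."""
    m = re.search(r"WAITFOR\s+DELAY\s+'(\d{1,2}):(\d{2}):(\d{2})'",
                  deobfuscate(text), re.IGNORECASE)
    if not m:
        return None
    h, mi, s = (int(x) for x in m.groups())
    return h * 3600 + mi * 60 + s


def suspicious_keywords(text: str) -> list[str]:
    """Keywords present in the input *after* hex literals are decoded. Matching on
    the raw input alone would miss WAITFOR entirely: it only exists inside 0x..."""
    decoded = deobfuscate(text).upper()
    return [kw for kw in SUSPICIOUS if kw in decoded]


if __name__ == "__main__":
    print(decode_hex_literals(PAYLOAD))      # ["WAITFOR DELAY '00:00:15'"]
    print(deobfuscate(PAYLOAD))
    print(waitfor_delay_seconds(PAYLOAD))    # 15
    print(suspicious_keywords(PAYLOAD))      # ['WAITFOR', 'DELAY', 'EXEC(', 'DECLARE']
```

The decoded literal is WAITFOR DELAY '00:00:15': a 15-second pause and nothing else. A practical check on the web tier is therefore response time, not response content: if a request carrying this input comes back about 15 seconds slower than normal, the statement ran.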

kaufmed

Commented:
@DanJourno

Thanks for asking this question. I hadn't seen this particular attack before (the 'WAITFOR' method), which is really a shame since lsavidge's link denotes that it's quite common!

Commented:
Same here. Looking at it for the first time. But I think the user is generally trying to test for some security hole so that he can actually do something with your site.
SQL injection should be taken care of. Since it got filtered out and couldn't be executed, that's great. But you should think of other attacks and points that are open to hackers.

Author

Commented:
Is there a list of types of attacks that are common?

I would expect SQL injection to be very, very common since it's so simple to perform.
kaufmed
Commented:
From what I read in lsavidge's link, the above was more or less a probe. It allows the attacker to query your server to see if it is susceptible to injection-based attacks. If I am reading correctly, the deviousness of the attack lies in the fact that the WAITFOR command is not logged--or at least not by default, I imagine.

It would be very difficult for you to anticipate every possible vector of attack against your page. What you can do is minimize the attack surface for your page. You already mentioned that you strip out foreign characters. Input validation is a MUST any time you deal with data that is not yours (i.e. user-supplied data). I also suggest, if you are not already doing so, using parameterized queries vs. building query strings by means of string concatenation. Stored procedures are also a way to protect your queries--but make sure you are not using string-concatenated queries within your stored procedures!!!

In addition to protecting against SQL Injection, validating your user-supplied input is a way to protect against XSS (cross-site scripting). This is essentially where you don't validate a user-supplied input, and you simply echo whatever the user entered back to the page. This allows malicious users to post JavaScript by means of a <script> tag, which can subsequently compromise a user's credentials for a given site.
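kaufmed's two recommendations side by side (parameterized queries instead of string concatenation, with type validation as a separate layer) as an added Python/sqlite3 example; this is not code from the thread or from the questioner's site. SQLite is used only so the example runs self-contained; it has no WAITFOR, and the defenses shown apply the same way to MSSQL and MySQL drivers. The users table, the BLOCKED character set standing in for the question's character filter, and the sample inputs are all constructed for illustration. The point of the concatenated version is that in a numeric context an attacker needs no quote at all, so a character blocklist never fires.

```python
import sqlite3


# Constructed sample data for the example, not data from the original thread.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (id, name) VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "dan")])
    return conn


# A character blocklist of the kind the question mentions. The exact set is a
# guess for illustration; what matters is what it cannot do, not which characters it lists.
BLOCKED = set("';")


def strip_blocked(value: str) -> str:
    return "".join(ch for ch in value if ch not in BLOCKED)


def find_name_concat(conn: sqlite3.Connection, user_id: str) -> list[str]:
    """VULNERABLE: the filtered input is pasted into the statement text. In a
    numeric context no quote is needed to inject, so the blocklist changes nothing."""
    sql = "SELECT name FROM users WHERE id = " + strip_blocked(user_id)
    return [row[0] for row in conn.execute(sql)]


def find_name_param(conn: sqlite3.Connection, user_id: str) -> list[str]:
    """SAFE: validate the type first, then bind the value. The driver sends the
    value separately from the statement, so it can be compared but never parsed."""
    try:
        wanted = int(user_id)
    except ValueError:
        return []  # not an id at all; reject instead of guessing
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE id = ?", (wanted,))]


def find_id_by_name_param(conn: sqlite3.Connection, name: str) -> list[int]:
    """Same idea for a text field: whatever the user typed, including the probe
    from the question, is compared as a literal string and nothing else."""
    return [row[0] for row in conn.execute(
        "SELECT id FROM users WHERE name = ?", (name,))]


if __name__ == "__main__":
    db = make_db()
    print(find_name_concat(db, "2"))          # ['bob']
    print(find_name_concat(db, "2 OR 1=1"))   # ['alice', 'bob', 'dan']: no quote, filter never fires
    print(find_name_param(db, "2 OR 1=1"))    # []: rejected before any SQL is sent
    probe = ("declare @q varchar(8000) select @q = "
             "0x57414954464F522044454C4159202730303A30303A313527 exec(@q) --")
    print(find_id_by_name_param(db, probe))   # []: bound as data, never executed
```

The stored-procedure caveat in the comment above is the same rule in a different place: a procedure that builds its own statement from its arguments with string concatenation and runs it via exec is just find_name_concat moved into the database.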
