SQL Hack Attempt


We just had someone try to submit the following on a form on our website:-

declare @q varchar(8000) select @q = 0x57414954464F522044454C4159202730303A30303A313527 exec(@q) --

They werent able to because we filter out certain characters, however... out of interest, what does the above line do?

We use both MySQL and MSSQL.

Many thanks
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Lee SavidgeCommented:

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Lee SavidgeCommented:
FYI, run this and see for yourself what it does:

declare @q varchar(8000) select @q = 0x57414954464F522044454C4159202730303A30303A313527
select @q

kaufmed 👽Commented:

Thanks for asking this question. I hadn't seen this particular attack before (the 'WAITFOR' method), which is really a shame since lsavidge's link denotes that it's quite common!
Active Protection takes the fight to cryptojacking

While there were several headline-grabbing ransomware attacks during in 2017, another big threat started appearing at the same time that didn’t get the same coverage – illicit cryptomining.

Same here. Looking it for the first time. But I think the user is generally trying to test some security hole so that he can actually do something with your site.
SQL injection should be taken care of. Since, it got filtered out and couln't executed, its great. But you should think of other attacks and points which are open for the hackers.
DanJournoAuthor Commented:
Is there a list of types of attacks that are common?

I would expect an SQL Injection to be very very common since its so simply to perform.
kaufmed 👽Commented:
From what I read in lsavidge's link, the above was more or less a probe. It allows the attacker to query your server to see if it is susceptible to injection-based attacks. If I am reading correctly, the deviousness of the attack lies in the fact that the WAIT FOR command is not logged--or at least not by default, I imagine. It would be very difficult for you to anticipate every possible vector of attack against your page. What you can do is minimize the attack surface for your page. You already mentioned that you strip out foreign characters. Input validation is a MUST any time you deal with data that is not yours (i.e. user-supplied data). I also suggest, if you are not already doing so, using parameterized queries vs. building query strings by means of string concatenation. Stored procedures are also a way to protect your queries--but make sure you are not using string-concatenated queries within your stored procedures!!!

In addition to protecting against SQL Injection, validating your user-supplied input is a way to protect against XSS (cross-site scripting). This is essentially where you don't validate a user-supplied input, and you simply echo whatever the user entered back to the page. This allows malicious users to post javascript by means of a <script> tag, which can subsequently compromise a user's credentials for a given site.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
MySQL Server

From novice to tech pro — start learning today.