DanJourno asked:
SQL Hack Attempt

Hi,

We just had someone try to submit the following on a form on our website:

declare @q varchar(8000) select @q = 0x57414954464F522044454C4159202730303A30303A313527 exec(@q) --

They weren't able to because we filter out certain characters; however, out of interest, what does the above line do?

We use both MySQL and MSSQL.

Many thanks
Dan
ASKER CERTIFIED SOLUTION
Lee:
FYI, run this and see for yourself what it does:

declare @q varchar(8000) select @q = 0x57414954464F522044454C4159202730303A30303A313527
select @q  -- SELECT prints the decoded string instead of executing it as exec(@q) would
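As an added illustration (not code from the thread), a small Python checker that does offline what Lee's snippet does in T-SQL: it decodes any 0x... literal found in a submitted field and flags T-SQL keywords such as WAITFOR DELAY so the attempt can be logged rather than just silently filtered; the keyword list and function names are my own choices.

```python
import re

# T-SQL fragments that have no business appearing in ordinary form input.
# "WAITFOR DELAY" is what the hex literal in the question hides; the others
# are the surrounding pieces of that same submission.
SUSPICIOUS_TSQL = ("WAITFOR DELAY", "WAITFOR TIME", "EXEC(", "DECLARE @")

# A T-SQL binary literal: 0x followed by hex digits.
HEX_LITERAL = re.compile(r"0x([0-9A-Fa-f]{2,})")


def decode_hex_literal(hex_digits: str) -> str:
    """Decode a 0x... literal the way a varbinary-to-varchar conversion would."""
    return bytes.fromhex(hex_digits).decode("latin-1")


def scan_form_input(value: str) -> list:
    """Return a list of findings for one submitted field (empty = nothing flagged)."""
    findings = []
    expanded = value
    for m in HEX_LITERAL.finditer(value):
        digits = m.group(1)
        if len(digits) % 2:          # odd digit count is not a valid byte string
            continue
        decoded = decode_hex_literal(digits)
        # Only report literals that decode to readable text; keyword matching
        # below still runs over the expanded value either way.
        if decoded.isprintable():
            findings.append(f"hex literal decodes to: {decoded!r}")
        expanded = expanded.replace(m.group(0), decoded)
    upper = expanded.upper()
    for kw in SUSPICIOUS_TSQL:
        if kw in upper:
            findings.append(f"suspicious T-SQL keyword: {kw}")
    return findings


# The exact line submitted to the asker's form (from the question above).
SUBMITTED = ("declare @q varchar(8000) select @q = "
             "0x57414954464F522044454C4159202730303A30303A313527 exec(@q) --")

if __name__ == "__main__":
    for finding in scan_form_input(SUBMITTED):
        print(finding)
```

The WAITFOR DELAY probe is interesting to a defender because it succeeds silently: a 15-second response delay, not an error page, is the signal, so timing on form handlers is worth logging alongside the filtered input.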

@DanJourno

Thanks for asking this question. I hadn't seen this particular attack before (the 'WAITFOR' method), which is really a shame since lsavidge's link denotes that it's quite common!
Same here. Looking at it for the first time. But I think the user is generally trying to test for some security hole so that he can actually do something with your site.
SQL injection should be taken care of. Since it got filtered out and couldn't execute, that's great. But you should think of other attacks and points which are open for the hackers.
DanJourno (asker):
Is there a list of types of attacks that are common?

I would expect an SQL injection to be very, very common since it's so simple to perform.