me,myself,english and programming..

SQL Injection Attack using T-SQL and HEXADECIMAL

SQL Injection occurs when an attacker is able to insert a series of SQL statements into a ‘query’ by manipulating the data that an application accepts as input. The input can arrive either through a web form or through a URL query string.

Last week, I found the sample of real case where the attacker used T-SQL combining with HEX values to do the injection.

In this post I’ll show what the SQL injection looks like and how to revert the affected data based on the attack. What I can say is that the attacker was quite a ‘nice’ person, since the SQL query did not do any big harm to the data itself.

From the IIS log file, this is what the attack looked like. Note that all the ‘XXX’ are not the original values.

XXXX.asp?XXXXX@;DECLARE%20@S%20VARCHAR(4000);SET%20@S=
CAST(0x4445434C4XXXXXXXXXXXXX72736F7220%20
AS%20VARCHAR(4000));EXEC(@S);--

Based on the above query string, the statement that was actually executed (the decoded hex value) looks like this:

DECLARE @T VARCHAR(255),@C VARCHAR(255)
-- cursor over every (table, column) pair of the user tables whose column type is
-- ntext (xtype 99), text (35), nvarchar (231) or varchar (167)
DECLARE Table_Cursor CURSOR FOR
SELECT a.name,b.name
FROM sysobjects a,syscolumns b
WHERE a.id=b.id AND a.xtype='u' AND
(b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
-- rewrite the column as its trimmed current value plus the appended value
-- (the appended value itself is omitted in this listing)
EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+''''')
FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor

That is a very powerful query: it enumerates every user table in the database through sysobjects and looks for columns of type NTEXT (xtype 99), TEXT (35), NVARCHAR (231) or VARCHAR (167).

Then the query updates each such column to append an additional value, something like: original value + new value. See, that is why I say this guy is still a ‘nice’ person. I’m not sure what would have happened if the statement had been something else.
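As an added example (not code from the original post), here is a small Python script that pulls the hex-cast payload out of IIS W3C log entries shaped like the one above and decodes it back to the T-SQL that was executed. The log lines and the hex content are constructed placeholders, and the field names follow the standard IIS W3C log format.

```python
import re
from urllib.parse import unquote

# Matches the hex-cast shape from the log above: CAST(0x... AS VARCHAR(n)) plus EXEC(@var)
HEX_CAST_RE = re.compile(r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+(N?VARCHAR)\s*\(\s*\d+\s*\)\s*\)",
                         re.IGNORECASE)
EXEC_RE = re.compile(r"\bEXEC\s*\(\s*@\w+\s*\)", re.IGNORECASE)

def decode_hex_literal(hex_digits, unicode_text=False):
    """Text SQL Server would produce from CAST(0x... AS (N)VARCHAR)."""
    if len(hex_digits) % 2:          # odd digit count: SQL Server left-pads with a zero nibble
        hex_digits = "0" + hex_digits
    raw = bytes.fromhex(hex_digits)
    # NVARCHAR is UTF-16LE; for VARCHAR latin-1 keeps every byte visible, whatever the collation
    return raw.decode("utf-16-le", errors="replace") if unicode_text else raw.decode("latin-1")

def extract_payload(uri):
    """Decoded T-SQL hidden in a request URI, or None when the hex-cast EXEC pattern is absent."""
    text = unquote(uri)              # %20 -> space, restoring the string the attacker sent
    cast = HEX_CAST_RE.search(text)
    if cast is None or EXEC_RE.search(text) is None:
        return None
    return decode_hex_literal(cast.group(1), cast.group(2).upper() == "NVARCHAR")

def scan_iis_log(lines):
    """Walk W3C-format IIS log lines; return (client ip, uri-stem, decoded SQL) for each hit."""
    fields, hits = None, []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column names for the records that follow
        elif not line.startswith("#") and fields is not None:
            parts = line.split()
            if len(parts) != len(fields):
                continue
            rec = dict(zip(fields, parts))
            sql = extract_payload(rec.get("cs-uri-stem", "") + "?" + rec.get("cs-uri-query", ""))
            if sql is not None:
                hits.append((rec.get("c-ip"), rec.get("cs-uri-stem"), sql))
    return hits

# Constructed sample log: the hex encodes a harmless placeholder, not the real cursor body
SAMPLE_SQL = "DECLARE @T VARCHAR(255) -- constructed placeholder"
SAMPLE_HEX = SAMPLE_SQL.encode("latin-1").hex().upper()
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2008-07-01 10:00:00 192.0.2.10 GET /page.asp id=5 200",
    "2008-07-01 10:00:01 192.0.2.77 GET /page.asp id=5;DECLARE%20@S%20VARCHAR(4000);SET%20@S="
    f"CAST(0x{SAMPLE_HEX}%20AS%20VARCHAR(4000));EXEC(@S);-- 200",
]
```

Running `scan_iis_log` over a real log returns only the requests that carry the pattern, together with the decoded statement, so you can see exactly what would have run instead of guessing from the hex.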

The fix is very simple: we just need to revert to the original values using the statement below. It reuses the same cursor code the attacker used, with minor modifications to perform our update.

SET @Sqltext = "Update [" + convert(Varchar, @tab) + "] "
IF (@xtype=231) or (@xtype=167)
    SET @Sqltext = @Sqltext + "SET [" + convert(Varchar, @col) + "] = replace([" + convert(Varchar, @col) + "], '','')"
ELSE
    SET @Sqltext = @Sqltext + "SET [" + convert(Varchar, @col) + "] = substring([" + convert(Varchar, @col) + "],1,PATINDEX('%

(Let me know if you guys need the whole query since I notice that my sql code here is not properly displayed.)

Well, there are good and bad about this thing. I don’t want to talk about bad things. :)

The good things is, I learn new stuff. :)

On top of that, I also learned how to print getdate() using HEX, and no… I’m not a hacker, cracker or attacker :)

[image: todaydateinHex]

Till then, adios and Have a nice weekend. :)

Update:

Top 15 FREE SQL Injection Scanners

6 Responses to “SQL Injection Attack using T-SQL and HEXADECIMAL”

By oryzana on Jul 7, 2008

    what about the solutions? .. i guess you purposely left that part for me to put it on my blog right?.. :) .. coming soon

By oryzana on Jul 7, 2008

    what i meant was.. solution for the rest of it.. you’re just giving the solution on how to revert the data changes. The prevention part? the diagnostic part? The detection part? .. i’ll cover it on my blog… :) .. well it’s a server technical part anyway…

By arejae on Jul 7, 2008

    ehehe… yeah, I will leave it to you. I just did my part to patch the data. That’s fine, right? :)

By LVS on Jul 22, 2008

    Cool. I came across exactly the same thing for a public site I am working on.
    They were trying to pass that as a query string.
    But fortunately, we had only integers for query strings and it kept throwing errors :-)

By arejae on Jul 27, 2008

    Hi LVS, lucky for you guys! :)

    Based on my research, I believe this attack was done by a bot called the “Asprox botnet”.

By abc on Sep 21, 2010

    alert(“hi,don’t mind”)