List: General Discussion
From: Michael Dykman  Date: September 4 2007 7:57pm
Subject: Re: SQL injection?
It looks to me that they are trying to plant a query into your queries
file.  What type is column 'id'?  I am guessing that they (think they)
have found a vulnerability where running a web app (prob labs.php)
after this injection has taken place, the resulting query might get
executed...

how many rows do you have in 'queries' tagged as 'labs.php'?  I would
be very tempted to examine each and every one of them by hand.

 - michael dykman


On 9/4/07, Fletcher Mattox <fletcher@stripped> wrote:
> We were recently the target of an SQL injection, so I am trying to
> determine if they were successful.  I have recovered the SQL commands
> from mysqld.log, but the code has me stumped.
>
> INSERT INTO queries (file,id) VALUES ('labs.php','4 OR 0 IN (SELECT TOP 1
>   CHAR(60)+CHAR(112)+CHAR(102)+CHAR(111)+CHAR(110)+CHAR(107)+
>   CHAR(110)+CHAR(112)+CHAR(112)+CHAR(62)+COALESCE(CAST(0 AS
>   VARCHAR(8000)),SPACE(0))+CHAR(60)+CHAR(122)+CHAR(108)+
>   CHAR(105)+CHAR(99)+CHAR(110)+CHAR(113)+CHAR(97)+CHAR(116)+CHAR(62))
>   OR 0 IN (SELECT CHAR(60)+CHAR(120)+CHAR(111)+CHAR(112)+CHAR(107)+
>   CHAR(110)+CHAR(97)+CHAR(106)+CHAR(117)+CHAR(62))--')
>
> Can anyone explain what this was intended to accomplish?  I understand
> the basic trick is in the "OR 0" disjunction, but I do not understand
> what this would actually do if successful.
>
> The above example gives a syntax error when I try it, but several
> different attacks were done on different applications, and I have not
> yet looked at all of them.
>
> Thanks,
> Fletcher
>
> P.S.  Is there a better place to ask this question?
>
> --
> MySQL General Mailing List
> For list archives: http://lists.mysql.com/mysql
> To unsubscribe:    http://lists.mysql.com/mysql?unsub=1
>
>


-- 
 - michael dykman
 - mdykman@stripped

 - All models are wrong.  Some models are useful.
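The row-by-row check suggested above, as an added example that is not part of this thread: a small Python helper that parses one logged `INSERT INTO queries` statement, flags an `id` value that is not a plain integer, and reassembles the `CHAR(n)+CHAR(n)+...` runs into readable text so the markers the scanner embedded can be seen (the `SELECT TOP 1` / `+` concatenation form is T-SQL, which is why MySQL rejects it with a syntax error). The sample log line is the statement quoted in the original message, joined onto one line; the regexes and function names are my own.

```python
import re
from typing import Optional

# Constructed sample: the statement quoted in Fletcher's message, joined
# onto one line the way mysqld.log would record it.
SAMPLE_LOG_LINE = (
    "INSERT INTO queries (file,id) VALUES ('labs.php','4 OR 0 IN (SELECT TOP 1 "
    "CHAR(60)+CHAR(112)+CHAR(102)+CHAR(111)+CHAR(110)+CHAR(107)+"
    "CHAR(110)+CHAR(112)+CHAR(112)+CHAR(62)+COALESCE(CAST(0 AS "
    "VARCHAR(8000)),SPACE(0))+CHAR(60)+CHAR(122)+CHAR(108)+"
    "CHAR(105)+CHAR(99)+CHAR(110)+CHAR(113)+CHAR(97)+CHAR(116)+CHAR(62)) "
    "OR 0 IN (SELECT CHAR(60)+CHAR(120)+CHAR(111)+CHAR(112)+CHAR(107)+"
    "CHAR(110)+CHAR(97)+CHAR(106)+CHAR(117)+CHAR(62))--')"
)

# A run of CHAR(n)+CHAR(n)+...; the \b keeps VARCHAR(8000) from matching.
# Runs are split by other expressions (COALESCE(...)), so one payload
# yields several separate markers.
CHAR_RUN = re.compile(r"(?:\bCHAR\(\d+\)\+)*\bCHAR\(\d+\)")
CHAR_ARG = re.compile(r"\bCHAR\((\d+)\)")
# Only the INSERT shape seen in the log; any other statement returns None.
QUERIES_INSERT = re.compile(
    r"INSERT INTO queries \(file,id\) VALUES \('([^']*)','(.*)'\)\s*$")


def decode_char_runs(sql: str) -> list:
    """Reassemble every CHAR() concatenation run in sql into plain text."""
    return ["".join(chr(int(n)) for n in CHAR_ARG.findall(run.group(0)))
            for run in CHAR_RUN.finditer(sql)]


def inspect_queries_insert(line: str) -> Optional[dict]:
    """Parse one logged INSERT into queries and flag a non-integer id."""
    m = QUERIES_INSERT.search(line)
    if m is None:
        return None
    file_value, id_value = m.group(1), m.group(2)
    return {
        "file": file_value,
        # If id is meant to hold an integer, anything else is injected text.
        "id_is_integer": id_value.strip().isdigit(),
        "markers": decode_char_runs(id_value),
    }


if __name__ == "__main__":
    print(inspect_queries_insert(SAMPLE_LOG_LINE))
    # -> {'file': 'labs.php', 'id_is_integer': False,
    #     'markers': ['<pfonknpp>', '<zlicnqat>', '<xopknaju>']}
```

Run it over every logged `INSERT INTO queries` line and any row whose `id_is_integer` is False is one to look at by hand.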