Looking through some apache logs, I’ve run into the following pattern several times (URL decoded):
GET /foo.php?id=1 and union select 0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,... --
Clearly this is an SQL injection attempt. But why the constant shown above? I can’t see how it could be particularly significant, though it seems to appear quite frequently.
For what it’s worth, the above constant maps to the following ASCII characters: “^[}~“, or “~}[^” if you reverse the byte order. The value in decimal is 1,583,054,206, in octal it’s 013626676576. The code doesn’t seem to map to a useful sequence of x86 instructions.
A Google search for the number reveals simply the remnants of attempts at using the same SQL injection attack on other sites — no information about the attack itself.
Anyone have any insight?
This value is a unique identifier. If the value “
^[}~” appears on the page then the bot knows you are vulnerable to sql injection, where as if the value “0x5E5B7D7” appears then it was not interpreted by your sql server. This sql injection test probably starts off with only one 0x5E5B7D7E and then continues to a predefined number of them. This is because with a union select the union must return the same number of columns as the select it is being appended to, and the bot must brute force this value.Note, that this test will not work with blind sql injection because the value “
^[}~” will not be visible. A blind sql injection test for mysql would be injecting a call tosleep(30)orBENCHMARK(5000000,md5(1337)). This will cause the page to take a few seconds to load, thus signifying that this sql code is being executed.