Unix Technical Forum

SQL injection?

#1
02-28-2008, 07:00 AM
Fletcher Mattox
SQL injection?

We were recently the target of an SQL injection, so I am trying to
determine if they were successful. I have recovered the SQL commands
from mysqld.log, but the code has me stumped.

INSERT INTO queries (file,id) VALUES ('labs.php','4 OR 0 IN (SELECT TOP 1
CHAR(60)+CHAR(112)+CHAR(102)+CHAR(111)+CHAR(110)+CHAR(107)+
CHAR(110)+CHAR(112)+CHAR(112)+CHAR(62)+COALESCE(CAST(0 AS
VARCHAR(8000)),SPACE(0))+CHAR(60)+CHAR(122)+CHAR(108)+
CHAR(105)+CHAR(99)+CHAR(110)+CHAR(113)+CHAR(97)+CHAR(116)+CHAR(62))
OR 0 IN (SELECT CHAR(60)+CHAR(120)+CHAR(111)+CHAR(112)+CHAR(107)+
CHAR(110)+CHAR(97)+CHAR(106)+CHAR(117)+CHAR(62))--')

Can anyone explain what this was intended to accomplish? I understand
the basic trick is in the "OR 0" disjunction, but I do not understand
what this would actually do if successful.

The above example gives a syntax error when I try it, but several
different attacks were done on different applications, and I have not
yet looked at all of them.

Thanks,
Fletcher

P.S. Is there a better place to ask this question?
#2
02-28-2008, 07:00 AM
Michael Dykman
Re: SQL injection?

It looks to me that they are trying to plant a query into your queries
file. What type is column 'id'? I am guessing that they (think they)
have found a vulnerability where running a web app (prob labs.php)
after this injection has taken place, the resulting query might get
executed...

How many rows do you have in 'queries' tagged as 'labs.php'? I would
be very tempted to examine each and every one of them by hand.

- michael dykman


On 9/4/07, Fletcher Mattox <fletcher@cs.utexas.edu> wrote:
> We were recently the target of an SQL injection, so I am trying to
> determine if they were successful. I have recovered the SQL commands
> from mysqld.log, but the code has me stumped.
>
> INSERT INTO queries (file,id) VALUES ('labs.php','4 OR 0 IN (SELECT TOP 1
> CHAR(60)+CHAR(112)+CHAR(102)+CHAR(111)+CHAR(110)+CHAR(107)+
> CHAR(110)+CHAR(112)+CHAR(112)+CHAR(62)+COALESCE(CAST(0 AS
> VARCHAR(8000)),SPACE(0))+CHAR(60)+CHAR(122)+CHAR(108)+
> CHAR(105)+CHAR(99)+CHAR(110)+CHAR(113)+CHAR(97)+CHAR(116)+CHAR(62))
> OR 0 IN (SELECT CHAR(60)+CHAR(120)+CHAR(111)+CHAR(112)+CHAR(107)+
> CHAR(110)+CHAR(97)+CHAR(106)+CHAR(117)+CHAR(62))--')
>
> Can anyone explain what this was intended to accomplish? I understand
> the basic trick is in the "OR 0" disjunction, but I do not understand
> what this would actually do if successful.
>
> The above example gives a syntax error when I try it, but several
> different attacks were done on different applications, and I have not
> yet looked at all of them.
>
> Thanks,
> Fletcher
>
> P.S. Is there a better place to ask this question?
>
> --
> MySQL General Mailing List
> For list archives: http://lists.mysql.com/mysql
> To unsubscribe: http://lists.mysql.com/mysql?unsub=mdykman@gmail.com
>
>
--
- michael dykman
- mdykman@gmail.com

- All models are wrong. Some models are useful.
#3
02-28-2008, 07:00 AM
Baron Schwartz
Re: SQL injection?

Hi,

Fletcher Mattox wrote:
> We were recently the target of an SQL injection, so I am trying to
> determine if they were successful. I have recovered the SQL commands
> from mysqld.log, but the code has me stumped.
>
> INSERT INTO queries (file,id) VALUES ('labs.php','4 OR 0 IN (SELECT TOP 1
> CHAR(60)+CHAR(112)+CHAR(102)+CHAR(111)+CHAR(110)+CHAR(107)+
> CHAR(110)+CHAR(112)+CHAR(112)+CHAR(62)+COALESCE(CAST(0 AS
> VARCHAR(8000)),SPACE(0))+CHAR(60)+CHAR(122)+CHAR(108)+
> CHAR(105)+CHAR(99)+CHAR(110)+CHAR(113)+CHAR(97)+CHAR(116)+CHAR(62))
> OR 0 IN (SELECT CHAR(60)+CHAR(120)+CHAR(111)+CHAR(112)+CHAR(107)+
> CHAR(110)+CHAR(97)+CHAR(106)+CHAR(117)+CHAR(62))--')
>
> Can anyone explain what this was intended to accomplish? I understand
> the basic trick is in the "OR 0" disjunction, but I do not understand
> what this would actually do if successful.
>
> The above example gives a syntax error when I try it, but several
> different attacks were done on different applications, and I have not
> yet looked at all of them.


That's because this attack was targeted at MS SQL Server. Maybe that
makes you feel better. It's hard to say exactly what this attack was
for -- attackers have automated tools that attempt to discover failure
and success patterns in HTML results and discover the schema and data
via that means. It's complicated to explain, but actually quite simple
most of the time to do.

The actual code snippet you've posted generates strings like
'<pfonknpp>'. Make of that what you can!

>
> Thanks,
> Fletcher
>
> P.S. Is there a better place to ask this question?


I think this is a fine list for such questions.

Baron
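As an added example, not code from the thread or from any of its posters: a small Python triage script for the statement recovered from mysqld.log. It decodes every CHAR(n)+CHAR(n)+... run to the text it builds (reproducing the '<pfonknpp>' Baron mentions, plus the two other marker strings in the same payload), lists the Transact-SQL constructs that explain why MySQL rejects it with a syntax error, and implements the row check Michael suggests for the `queries` table. The cleaned-up copy of the logged INSERT and the sample table rows are constructed here for the example.

```python
import re

# Constructed sample input: the INSERT the original poster recovered from
# mysqld.log, with the forum's line-wrapping spaces ("C HAR", "CA ST") removed.
LOGGED_SQL = (
    "INSERT INTO queries (file,id) VALUES ('labs.php','4 OR 0 IN (SELECT TOP 1 "
    "CHAR(60)+CHAR(112)+CHAR(102)+CHAR(111)+CHAR(110)+CHAR(107)+"
    "CHAR(110)+CHAR(112)+CHAR(112)+CHAR(62)+COALESCE(CAST(0 AS "
    "VARCHAR(8000)),SPACE(0))+CHAR(60)+CHAR(122)+CHAR(108)+"
    "CHAR(105)+CHAR(99)+CHAR(110)+CHAR(113)+CHAR(97)+CHAR(116)+CHAR(62)) "
    "OR 0 IN (SELECT CHAR(60)+CHAR(120)+CHAR(111)+CHAR(112)+CHAR(107)+"
    "CHAR(110)+CHAR(97)+CHAR(106)+CHAR(117)+CHAR(62))--')"
)

# A maximal run of CHAR(n)+CHAR(n)+...; the \b keeps VARCHAR(8000) out of it.
CHAR_RUN = re.compile(r"(?:\bCHAR\(\d+\)\+)*\bCHAR\(\d+\)", re.IGNORECASE)
CHAR_ONE = re.compile(r"\bCHAR\((\d+)\)", re.IGNORECASE)

# Constructs that only parse on SQL Server (Transact-SQL). MySQL has no TOP
# (it uses LIMIT) and treats + as numeric addition rather than concatenation,
# which is why the poster saw a syntax error when replaying the statement.
TSQL_HINTS = {
    "SELECT TOP n (MySQL uses LIMIT)": re.compile(r"\bSELECT\s+TOP\s+\d+", re.I),
    "VARCHAR(8000) (a SQL Server idiom)": re.compile(r"VARCHAR\(8000\)", re.I),
    "'+' as string concatenation (MySQL uses CONCAT)": re.compile(r"\bCHAR\(\d+\)\+\bCHAR\(", re.I),
}


def decode_char_runs(sql):
    """Decode every CHAR(n)+CHAR(n)+... run in the statement to the string it builds."""
    return [
        "".join(chr(int(n)) for n in CHAR_ONE.findall(m.group(0)))
        for m in CHAR_RUN.finditer(sql)
    ]


def dialect_hints(sql):
    """Names of the Transact-SQL constructs present in the statement."""
    return [name for name, rx in TSQL_HINTS.items() if rx.search(sql)]


def triage(sql):
    """Summarise one logged statement for an analyst."""
    markers = decode_char_runs(sql)
    hints = dialect_hints(sql)
    return {
        "markers": markers,
        "dialect_hints": hints,
        # Marker strings wrapped in <...> are what an automated tool looks for in
        # the returned HTML to tell a 'true' branch from a 'false' one.
        "looks_like_probe": len(markers) >= 2
        and all(m.startswith("<") and m.endswith(">") for m in markers),
        "targets_mysql": not hints,
    }


def suspicious_rows(rows):
    """Given (file, id) rows read back from the `queries` table, return those whose
    id is not a plain integer, i.e. rows where injected text was stored verbatim
    (only possible if `id` is a character column, the question the second reply asks)."""
    return [(f, v) for f, v in rows if not re.fullmatch(r"\d+", str(v).strip())]


if __name__ == "__main__":
    report = triage(LOGGED_SQL)
    print("marker strings built by the payload:", report["markers"])
    print("Transact-SQL constructs present:", report["dialect_hints"])
    # Constructed rows standing in for: SELECT file, id FROM queries WHERE file='labs.php'
    sample_rows = [("labs.php", "4"), ("labs.php", "17"),
                   ("labs.php", "4 OR 0 IN (SELECT TOP 1 ...)--")]
    for f, v in suspicious_rows(sample_rows):
        print("examine by hand:", f, repr(v))
```

Feeding each logged statement through triage() gives a quick answer to the two questions in the thread: the decoded markers show the payload only builds nonsense tag strings for a blind-injection probe, and a non-empty dialect_hints list means the statement could never have run as written against MySQL. If `id` is an integer column the injected text cannot have been stored and suspicious_rows() returns nothing; if it is a character column, every row it returns deserves the by-hand inspection Michael recommends.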