2

I'm seeing a weird URL repeatedly in my logs and I'm wondering if someone is able to understand what this user was attempting to do. I'm a little familiar with the basics of MySQL; however, I'm lost with this one (especially the 0x7e parts), and want to prevent future possible vulnerabilities. I've found and am correcting the vulnerability in my script; however, I'd really like to know what this person was doing. Any insight you can offer would be greatly appreciated. Thank you.

Note: I replaced my actual database and table names below with DatabaseName.TableName to make it clearer.

Here's the weird URL:

photo.php?member_id=11616%27+AND+(SELECT+7509+FROM(SELECT+COUNT(*),CONCAT(0x7e,0x7e,0x7e,0x27,(SELECT+CONCAT(MID((IFNULL(CAST(member_id+AS+CHAR),0x20)),1,50),0x3A,MID((IFNULL(CAST(email_address+AS+CHAR),0x20)),1,50),0x3A,MID((IFNULL(CAST(password+AS+CHAR),0x20)),1,50))+FROM+DatabaseName.TableName+ORDER+BY+member_id+LIMIT+81947,1),0x27,0x7e,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)+AND+%27FtCw%27=%27FtCw&name=1392855.jpg

snollygolly
Mandiana
  • 1
    http://stackoverflow.com/questions/4600954/site-has-been-hacked-via-sql-injection – Rafa Paez Feb 19 '14 at 23:48
  • 1
    `0x7E` is the ASCII character code for `~`, `0x27` is `'`, `0x20` is a space character, `0x3A` is `:`. See [ASCII table](http://en.wikipedia.org/wiki/ASCII). Yes, this is a SQL injection attempt. – Ken White Feb 19 '14 at 23:49
  • 1
    I would recommend disabling this web app immediately and not turning it back on until you are sure it is not vulnerable to an attack. – Craig Feb 19 '14 at 23:56

2 Answers

3

I believe so. They're testing to see if you are susceptible to SQL injection.

The INFORMATION_SCHEMA.CHARACTER_SETS table is tested because all users have read privilege to this table regardless of what privileges you otherwise give them. I can't imagine the attacker is really interested in how many character sets you have, so they're probably just seeing if they can get that query to run. If they confirm this, it means that they can proceed to use other attacks.

You need to block that attacker's IP address ASAP. Then review your code to make sure you are safe from SQL injection vulnerabilities.

Community
Bill Karwin
0

Well, I have been through penetration testing and testing these kinds of attacks. This query is generated by SQLMap, a penetration testing tool (written in Python), to check whether the link is vulnerable to SQL injection or not. But make sure it is only testing, meaning you are conducting this yourself. If he managed to access your database, he can even compromise the server. You can check more on SQLMap here:

Project Sql Map

rummykhan
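
To read what the logged request in the question contains, the following added example (not code from any of the posts above) URL-decodes the `member_id` parameter, shows the `0x..` literals as the characters they encode, and lists the columns, tables and row offset named in the injected text. The function names and indicator names are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request copied from the question; DatabaseName.TableName is the asker's placeholder.
LOGGED_URL = (
    "photo.php?member_id=11616%27+AND+(SELECT+7509+FROM(SELECT+COUNT(*),"
    "CONCAT(0x7e,0x7e,0x7e,0x27,(SELECT+CONCAT(MID((IFNULL(CAST(member_id+AS+CHAR),"
    "0x20)),1,50),0x3A,MID((IFNULL(CAST(email_address+AS+CHAR),0x20)),1,50),0x3A,"
    "MID((IFNULL(CAST(password+AS+CHAR),0x20)),1,50))+FROM+DatabaseName.TableName"
    "+ORDER+BY+member_id+LIMIT+81947,1),0x27,0x7e,FLOOR(RAND(0)*2))x+FROM+"
    "INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)+AND+%27FtCw%27=%27FtCw"
    "&name=1392855.jpg"
)
HEX_LITERAL = re.compile(r"\b0x((?:[0-9a-f]{2})+)\b", re.I)
# Hypothetical indicator names chosen for this example.
SIGNS = {
    "quote_breakout": re.compile(r"^\d+'"),
    "information_schema": re.compile(r"\binformation_schema\.", re.I),
    "rand_group_by_error": re.compile(r"floor\(rand\(0\)\*2\).*group\s+by", re.I | re.S),
    "tautology_tail": re.compile(r"and\s+'(\w+)'='\1$", re.I),
}

def injected_value(url, param):
    """URL-decode one query parameter the way the web server hands it to the script."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get(param, [""])
    return values[0]

def readable(sql):
    """Show MySQL 0x.. literals as the characters they encode, e.g. 0x7e as '~'."""
    return HEX_LITERAL.sub(lambda m: repr(bytes.fromhex(m.group(1)).decode("latin-1")), sql)

def analyse(url, param="member_id"):
    """Summarise what a logged request named, for triage of the access log."""
    value = injected_value(url, param)
    offset = re.search(r"\bLIMIT\s+(\d+)\s*,\s*1\b", value, re.I)
    return {
        "decoded": readable(value),
        "signs": sorted(name for name, rx in SIGNS.items() if rx.search(value)),
        "columns": re.findall(r"CAST\((\w+)\s+AS\s+CHAR\)", value, re.I),
        "tables": re.findall(r"\bFROM\s+([\w.]+)", value, re.I),
        "row_offset": int(offset.group(1)) if offset else None,
    }

if __name__ == "__main__":
    for key, val in analyse(LOGGED_URL).items():
        print(f"{key}: {val}")
```

Run over every matching line of an access log, the `columns`, `tables` and `row_offset` fields show which fields and row positions the requests named.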