#1
    SQL Insertion Attempt, no harm, now what?


    Not sure if this is the best place for this. Please move/link if there's a more appropriate place.

    A site I manage received an unsuccessful SQL Insertion attack.

    100 attempts in 3 minutes. It is a generic series of common attempts, so I assume a bot found the page and was just fishing for vulnerability. It is a simple page which processes a GET through an ID.

    I don't believe the site is vulnerable to such an attack. (Though I'm motivated to double check.) These kinds of attacks are in my test plans.

    I trapped the attacks (gave a generic 'not found' error), logged them, the IP source, and sent myself an alert.

    I checked and can see no harm to the database or the site. I blocked the IPs from further contact with the site.

    Apparently, the IPs are for known compromised/intentionally malicious servers:
    96.47.226.20
    18.187.1.68

    Here are some sample attack attempts:
    Code:
    file.php?ID=99 and 1=1
    file.php?ID=99 and 1>1
    file.php?ID=99' and 'x'='x
    file.php?ID=999999.9 union all select 0x31303235343830303536--
    file.php?ID=99 union all select null,null--
    file.php?ID=99 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,database(),0x27,0x7e)) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and 1=1
    file.php?ID=99; if (1=1) waitfor delay '00:00:07'--
    file.php?ID=99' or 1=convert(int,(select cast(Char(114)+Char(51)+Char(100)+Char(109)+Char(48)+Char(118)+Char(51)+Char(95)+Char(104)+Char(118)+Char(106)+Char(95)+Char(105)+Char(110)+Char(106)+Char(101)+Char(99)+Char(116)+Char(105)+Char(111)+Char(110) as nvarchar(4000))))--

    Are there authorities to whom it would be worth reporting this event?
    Any other recommended actions?
    Is it valuable to anyone for me to post other examples? (They are pretty much variations on the above.)

    Otherwise, I'm just going to clean out my log.
  2. #2
    Are there authorities to whom it would be worth reporting this event?
    No. Assuming you're in the US, attacking a site like that is probably against some law, but the only organizations with the jurisdiction and resources to actually do something about it have far more important things to do with their resources (unless your site happens to be for a major financial or governmental organization).

    Any other recommended actions?
    If the site is already secured then no.

    Is it valuable to anyone for me to post other examples? (They are pretty much variations on the above.)
    Not that I can think of.
    PHP FAQ

    Originally Posted by Spad
    Ah USB, the only rectangular connector where you have to make 3 attempts before you get it the right way around
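
An added example, not code from either poster, of the trap-and-log approach the first post describes: the ID is accepted only if it matches an all-digit allowlist, every rejected request gets the same generic 404, and the rejected value is labelled by probe family for log review. The function names and family labels are assumptions of this example, and the request lines are the post's own samples plus one constructed valid request.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# Allowlist: the page only ever needs a short, ASCII all-digit ID.
VALID_ID = re.compile(r"[0-9]{1,10}")

# Probe families for log triage only. The allowlist above rejects the
# request; these patterns just label what was rejected.
FAMILIES = [
    ("time-based", re.compile(r"waitfor\s+delay", re.I)),
    ("error-based", re.compile(r"information_schema|convert\s*\(\s*int", re.I)),
    ("union-based", re.compile(r"union\s+(all\s+)?select", re.I)),
    ("boolean-based", re.compile(r"\b(and|or)\b.*[=<>]", re.I)),
]

def classify(request: str) -> str:
    """Label one logged request line: 'valid' or the reason it was trapped."""
    query = request.partition("?")[2]
    values = parse_qs(query, keep_blank_values=True, separator="&").get("ID", [])
    if len(values) != 1:
        return "missing-or-duplicate-id"
    if VALID_ID.fullmatch(values[0]):  # fullmatch: no trailing junk allowed
        return "valid"
    for family, pattern in FAMILIES:
        if pattern.search(values[0]):
            return family
    return "other-invalid"

def status_for(request: str) -> int:
    """Every rejected request gets the same generic 404, as in the post."""
    return 200 if classify(request) == "valid" else 404

# Request lines: the first is constructed, the rest are from the first
# post (the last one shortened).
SAMPLES = [
    "file.php?ID=99",
    "file.php?ID=99 and 1=1",
    "file.php?ID=99' and 'x'='x",
    "file.php?ID=99 union all select null,null--",
    "file.php?ID=99; if (1=1) waitfor delay '00:00:07'--",
    "file.php?ID=99' or 1=convert(int,(select cast(Char(114) as nvarchar(4000))))--",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(status_for(line), classify(line), line, sep="\t")
    print(Counter(classify(s) for s in SAMPLES))
```

Because the response is identical for every rejected value, the boolean pair `and 1=1` / `and 1>1` gives the prober nothing to compare.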
