
SQL Injection Attempt on My Site

Recently, it came to my attention that someone was attempting to perform a SQL injection on this blog. I figured I would write a post about SQL injections, and share with you the attempt on this site.

First off, SQL injection is a technique attackers use to get their own SQL commands executed by a website's database, which can lead to a compromised website and server. Most websites on the internet (including this one) use a SQL database to store information. What is stored in a SQL database varies from site to site: it may contain website content, user accounts, phone numbers, email addresses, and even credit card numbers. Therefore, keeping your server and SQL database secure is essential.
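To make the difference between a vulnerable query and a safe one concrete, here is an added example (my own illustration, not code from this blog or its software). It uses an in-memory SQLite table as a stand-in for a blog's posts table, which is an assumption since the post does not show the site's schema, and feeds both query styles the first probe quoted below. In the string-concatenated version the leading quote closes the SQL literal and the rest of the input reaches the SQL parser (the parser error is exactly the kind of reaction a scanner looks for); in the parameterized version the whole input is bound as a value and simply matches nothing.

```python
import sqlite3

# The first probe quoted in the post (hex literal left exactly as it was sent).
PROBE = ("' declare @q varchar(8000) select @q = "
         "0x57414954464F522044454C4159202730303A30303A313527 exec(@q)")


def make_db():
    """Constructed in-memory stand-in for a blog's posts table (the real schema is unknown)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO posts (title) VALUES (?)",
        [("SQL Injection Attempt on My Site",), ("Hello world",)],
    )
    return conn


def unsafe_search(conn, user_input):
    """Vulnerable form: the visitor's input is spliced into the SQL text.

    Returns (rows, error). A non-None error means the input was interpreted
    as SQL rather than as a value, i.e. the injection point is live.
    """
    sql = "SELECT title FROM posts WHERE title = '" + user_input + "'"
    try:
        return [row[0] for row in conn.execute(sql)], None
    except sqlite3.Error as exc:
        # The leading quote in the input closed the literal early and the
        # remainder ("declare @q ...") was handed to the SQL parser.
        return [], str(exc)


def safe_search(conn, user_input):
    """Hardened form: the input is bound as a parameter and can only ever be a value."""
    rows = conn.execute("SELECT title FROM posts WHERE title = ?", (user_input,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print("unsafe, normal input :", unsafe_search(db, "Hello world"))
    print("unsafe, probe        :", unsafe_search(db, PROBE))
    print("safe, normal input   :", safe_search(db, "Hello world"))
    print("safe, probe          :", safe_search(db, PROBE))
```

The parameterized form is the fix: it does not matter what prefix a scanner tries (a quote, a digit, a closing parenthesis) because the database never sees the input as part of the statement.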

Now, let's look at the recent SQL injection attempts on my site:

There were 4 advanced SQL injection attempts coming from the same IP address. The IP address was traced to a server running Apache located in Kansas that was rented from a hosting company.

The first attempt was this SQL query:

' declare @q varchar(8000) select @q = 0x57414954464F522044454C4159202730303A30303A313527 exec(@q)

The long string of characters beginning with "0x" is a hexadecimal encoding which decodes to "WAITFOR DELAY '00:00:15'".

The second attempt:

1 declare @q varchar(8000) select @q = 0x57414954464F522044454C4159202730303A30303A313527 exec(@q)

Basically the same as the first except for the first character. The hex code is the same as in the first ("WAITFOR DELAY '00:00:15'").

The third attempt:

1) declare @q varchar(8000) select @q = 0x57414954464F522044454C4159202730303A30303A313527 exec(@q)

Notice the addition of the ")" at the beginning. The remainder of the query was the same, including the "WAITFOR DELAY '00:00:15'".

The final attempt:

') declare @q varchar(8000) select @q = 0x57414954464F522044454C4159202730303A30303A313527 exec(@q)

You can see that the first two characters are different in the final attempt. The remainder of the query was the same, including the "WAITFOR DELAY '00:00:15'".

Basically, the purpose of these 4 SQL injections was to measure the response times of my server/database: if the database had executed the payload, the page would have taken about 15 seconds longer to load, telling the attacker that a blind (time-based) SQL injection could be used to gain access. This was most likely done with an automatic vulnerability scanner.

In the end it failed.
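Probes like these are easy to spot in a web server's access log once the hex literal is decoded. The following is an added example (my own, not code from this blog) that scans Apache-style log lines for the pattern described above: a parameter value that starts with one of the four prefixes ('', 1, 1), ')), a declare/exec wrapper, and a hex literal that decodes to WAITFOR DELAY. The log lines, IP addresses and timestamps are constructed for the example; only the payload text comes from the post.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache-style access log lines (not this blog's real logs). The "p"
# parameter carries the four probe prefixes from the post, URL-encoded the way a
# scanner would send them; the last two lines are ordinary, benign requests.
PAYLOAD_TAIL = ("+declare+%40q+varchar%288000%29+select+%40q+%3D+"
                "0x57414954464F522044454C4159202730303A30303A313527+exec%28%40q%29")
LOG_LINES = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /?p=%27' + PAYLOAD_TAIL + ' HTTP/1.1" 200 5123',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /?p=1' + PAYLOAD_TAIL + ' HTTP/1.1" 200 5123',
    '203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /?p=1%29' + PAYLOAD_TAIL + ' HTTP/1.1" 200 5123',
    '203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "GET /?p=%27%29' + PAYLOAD_TAIL + ' HTTP/1.1" 200 5123',
    '198.51.100.7 - - [10/Oct/2023:14:02:11 +0000] "GET /?p=42 HTTP/1.1" 200 5123',
    '198.51.100.7 - - [10/Oct/2023:14:02:30 +0000] "GET /?s=sql+injection HTTP/1.1" 200 4870',
]

HEX_LITERAL = re.compile(r"0x([0-9A-Fa-f]+)")
REQUEST = re.compile(r'"(?:GET|POST) (\S+) ')
SOURCE_IP = re.compile(r"^(\S+) ")

# Indicators checked against each decoded parameter value.
INDICATORS = {
    # the decoded hex payload: a deliberate pause, used for timing-based probing
    "time_based_probe": re.compile(r"\bwaitfor\s+delay\b", re.I),
    # declare a variable, load it, hand it to exec(): the wrapper used in all four attempts
    "hex_exec": re.compile(r"\bdeclare\s+@\w+\s+varchar\b.*\bexec\s*\(", re.I),
    # value begins with ', 1, 1) or ') followed by a SQL keyword: breaking out of a literal
    "literal_breakout": re.compile(r"^\s*(?:'\)?|\d+\)?)\s+(?:declare|select|union|or|and)\b", re.I),
}


def decode_hex_literals(text):
    """Replace 0x.. literals with their ASCII decoding so a hex-hidden WAITFOR becomes visible."""
    def repl(match):
        try:
            return bytes.fromhex(match.group(1)).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            return match.group(0)  # not decodable as text: leave the literal as it is
    return HEX_LITERAL.sub(repl, text)


def analyze_line(line):
    """Return {'ip', 'findings'} for a log line whose query parameters look like SQLi, else None."""
    match = REQUEST.search(line)
    if not match:
        return None
    query = urlsplit(match.group(1)).query
    findings = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        decoded = decode_hex_literals(value)
        hits = [key for key, rx in INDICATORS.items() if rx.search(decoded)]
        if hits:
            findings.append({"param": name, "decoded": decoded, "indicators": hits})
    if not findings:
        return None
    return {"ip": SOURCE_IP.match(line).group(1), "findings": findings}


def probes_by_ip(lines):
    """Count flagged requests per source IP; a scanner's burst of variants shows up as one entry."""
    counts = {}
    for line in lines:
        result = analyze_line(line)
        if result:
            counts[result["ip"]] = counts.get(result["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for line in LOG_LINES:
        result = analyze_line(line)
        if result:
            first = result["findings"][0]
            print(result["ip"], first["indicators"], first["decoded"])
    print(probes_by_ip(LOG_LINES))
```

Running this over the constructed lines flags all four variants from the single scanning address and nothing from the benign requests; the decoded field shows the pause command in plain text, which is what makes the burst recognizable as a timing probe rather than random noise.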
