What is this hacker trying to do?

security windows sql-injection sql-server tsql

If you do a search for:

http://www.google.co.uk/search?q=0x57414954464F522044454C4159202730303A30303A313527&hl=en&start=30&sa=N

you will see a lot of examples of an attempted hack along the lines of:

1) declare @q varchar(8000) select @q = 0x57414954464F522044454C4159202730303A30303A313527 exec(@q) --

What is exactly is it trying to do? Which db is it trying to work on? Do you know of any advisories about this?


He is testing your server for SQL Injection, specifically this is a robust test that will work even if its Blind SQL Injection. Blind SQL Injection is when an attacker is able to execute SQL however, there isn't a viewable response. If the http request takes at least 15 seconds the attacker will know that he can execute SQL, and that your running MS-SQL. After this attack he will follow it up with a xp_cmpdshell() to infect your server.


According to http://bytes.com/topic/mysql/answers/888849-hacker-attempt it looks like it's trying to run:

WAITFOR DELAY '00:00:15'

As others have pointed out it's not a DOS attack (as I originally stated) but merely a way to easily determine if the SQL Server is vulnerable and can be added to a list of hosts to perhaps further hack away at later on.


In simpler terms he/she/it is very slick. Using the "WAITFOR DELAY..." strategy allows he/she/it to see if the server is vulnerable without logging anything. The check is being done to see what access the connectionstring user has in the db. And like @Rook said, thT WOULD LEAD TO XP_CMDSHELL() which can give the intruder access to the server and even your network.


That is a hex string. When you translate it, it translates into: "WAITFOR DELAY '00:00:15'"


WAITFOR could be used for time-based SQL Injection attack.

Time-Based Blind SQL Injection Attacks

Time-based techniques are often used to achieve tests when there is no other way to retrieve information from the database server. This kind of attack injects a SQL segment which contains specific DBMS function or heavy query that generates a time delay. Depending on the time it takes to get the server response, it is possible to deduct some information. As you can guess, this type of inference approach is particularly useful for blind and deep blind SQL injection attacks.

Time-Based Attacks Pros and Cons

One main advantage of this technique is to have little to no impact on logs, especially when compared to error-based attacks. However, in situations where heavy queries or CPU intensive functions like MySQL's BENCHMARK() must be used, chances are good that system administrators realize something is going on.

This vulnerability could be mitigated with new SQL Server 2019/SQL Azure Database feature:

Feature Restrictions(discountinued)

One common source of SQL Server attacks is through web applications that access the database where various forms of SQL injection attacks are used to glean information about the database. Ideally, application code is developed so it does not allow for SQL injection. However, in large code-bases that include legacy and external code, one can never be sure that all cases have been addressed, so SQL injections are a fact of life that we have to protect against. The goal of feature restrictions is to prevent some forms of SQL injection from leaking information about the database, even when the SQL injection is successful.

EXEC sp_add_feature_restriction <feature>, <object_class>, <object_name>

WAITFOR Feature Restriction

A Blind SQL Injection is when an application does not provides an attacker with the results of the injected SQL or with an error message, but the attacker can infer information from the database by constructing a conditional query in which the two conditional branches take a different amount of time to execute. By comparing the response time, the attacker can know which branch was executed, and thereby learn information about the system. The simplest variant of this attack is using the WAITFOR statement to introduce the delay.

EXEC sp_add_feature_restriction N'Waitfor', N'User', N'MyUserName'

Related

How to scroll to element in UWP
Remove line if field is duplicate
"193: %1 is not a valid Win32 application" bug with a new Rails Application
How can I mount a windows drive in Java?
What is the difference between importing a function expression or a function declaration from a ES6 module?
How do I implement JDatePicker
Android Save images to SQLite or SDCard or memory
Print html document from Windows Service without print dialog
iOS: frame.size.width/2 doesn't produce a circle on every device
Bitmask in PHP for settings?
Can I use array_push on a SESSION array in php?
property type or class using reflection