Re: Hack Attempt on our database last night

2013-07-22 Thread Russ Michaels
You can run the cast function on the hex string to see the actual SQL it generates, which I thought was required anyway, so not sure that query would even execute otherwise. Russ Michaels www.michaels.me.uk cfmldeveloper.com cflive.net cfsearch.com On 22 Jul 2013 04:45, Justin Scott

Re: Hack Attempt on our database last night

2013-07-22 Thread Scott Stroz
Check out the 4th comment here - http://stackoverflow.com/questions/4600954/site-has-been-hacked-via-sql-injection Seems to be a similar attack. On Sun, Jul 21, 2013 at 1:33 PM, Dave Hatz daveh...@hatzventures.org wrote: We had someone trying to hack our system last night and I would like to

Re: Hack Attempt on our database last night

2013-07-22 Thread Justin Scott
In this particular case it's not generating SQL but just filling in space to match the number of columns with the original query. Basically, once it executes without an error it allows the attacker to see how many columns the original query is selecting. It's part of an automated attack tool.

RE: Hack Attempt on our database last night

2013-07-22 Thread Mark A Kruger
According to the Stack Overflow comments, 0x313032 ...etc is the calling card of Havij, an automated injection tool. The commenter said "somewhat of a necro" - which I have no idea what that means... he's either disparaging a race of intergalactic conquerors or misspelling macro. -Original

RE: Hack Attempt on our database last night

2013-07-22 Thread Byron Mann
That makes sense to me; looks more like an attempt to see if an injection would work. Byron Mann Lead Engineer Architect HostMySite.com On Jul 22, 2013 12:46 PM, Mark A Kruger mkru...@cfwebtools.com wrote: Justin (et al) When I unpack this I get 99.99 /*!3000 union all select

RE: Hack Attempt on our database last night

2013-07-22 Thread Mark A Kruger
Justin (et al) When I unpack this I get 99.99 /*!3000 union all select 0x313032... etc */ -- Doesn't the /* */ force the whole string into a comment? Hard to see how that would succeed. -Mark -Original Message- From: Justin Scott [mailto:leviat...@darktech.org] Sent:

Re: Hack Attempt on our database last night

2013-07-22 Thread Dave Hatz
Russ, The query never processed. The hacker was relentless though. For about 5 straight hours he kept trying. Which brings up another security question. How do other sites handle something like this automatically? I mean, if I see an attack from an IP address, is it even worth blocking

Re: Hack Attempt on our database last night

2013-07-22 Thread Dave Hatz
Justin, That is the same attack we had. He never made it through to our database to execute the query. I scanned the DB logs and it failed on him every time. Thanks for the link, it was helpful. Dave

Re: Hack Attempt on our database last night

2013-07-22 Thread Russ Michaels
With application firewalls, mostly. There are plenty of options out there, from hardware to software to web server plugins. For a CF-specific WAF, try FuseGuard. On Mon, Jul 22, 2013 at 7:28 PM, Dave Hatz daveh...@hatzventures.org wrote: Russ, The query never processed. The hacker was

Re: Hack Attempt on our database last night

2013-07-22 Thread Pete Freitag
On Mon, Jul 22, 2013 at 12:45 PM, Mark A Kruger mkru...@cfwebtools.com wrote: Doesn't the /* */ force the whole string into a comment? Hard to see how that would succeed. It is a MySQL version-specific comment, so if the MySQL version is greater than version 3.0, in this case, it would execute, all

RE: Hack Attempt on our database last night

2013-07-22 Thread Mark A Kruger
Ah, that is devilishly clever. -Original Message- From: Pete Freitag [mailto:p...@foundeo.com] Sent: Monday, July 22, 2013 2:23 PM To: cf-talk Subject: Re: Hack Attempt on our database last night On Mon, Jul 22, 2013 at 12:45 PM, Mark A Kruger mkru...@cfwebtools.com wrote: Doesn't

RE: Hack Attempt on our database last night

2013-07-22 Thread Mark A Kruger
Pete, So is that the purpose of the !3000 then? Got it! -Original Message- From: Pete Freitag [mailto:p...@foundeo.com] Sent: Monday, July 22, 2013 2:23 PM To: cf-talk Subject: Re: Hack Attempt on our database last night On Mon, Jul 22, 2013 at 12:45 PM, Mark A Kruger
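To make Mark's "unpacked" payload and Pete's explanation of the `/*!3000 ... */` comment concrete, here is an added example that is not from the thread or from any list member. It decodes a logged probe the way an analyst triaging web or database logs would: it expands MySQL version-conditional comments against an assumed server version (the digits after `/*!` are compared numerically with the server's version in MySQL's Mmmrr form, e.g. 5.7.44 is 50744), replaces `0x...` string literals with the text that `CAST(... AS CHAR)` would show, and counts the columns the UNION was padding out, which is Justin's point about column-count discovery. The sample parameter is constructed from the fragment quoted in the thread, and the "column probe" check is a heuristic, not a Havij signature.

```python
"""Decode a logged MySQL injection probe into the SQL the server would have run.
Added example for the cf-talk thread; the sample parameter is constructed."""
import re

# Constructed from the fragment quoted in the thread: a numeric parameter followed by
# a version-conditional comment wrapping a UNION probe, then `--` to comment out
# whatever followed the parameter in the original statement.
SAMPLE_PARAM = "99.99 /*!3000 union all select 0x313032,0x313032,0x313032 */ --"

# /*!NNNNN body */ : MySQL executes `body` when its own version number (Mmmrr form,
# e.g. 5.7.44 -> 50744) is >= NNNNN; any other database sees an ordinary comment.
COND_COMMENT = re.compile(r"/\*!(\d*)\s*(.*?)\*/", re.DOTALL)
# 0x... with an even number of digits is a string literal in MySQL; odd counts are numbers.
HEX_LITERAL = re.compile(r"\b0x([0-9A-Fa-f]+)\b")
UNION_SELECT = re.compile(
    r"\bunion\b(?:\s+all)?\s+select\s+(.*?)(?:\s+from\b|\s*--|$)",
    re.IGNORECASE | re.DOTALL,
)


def expand_conditional_comments(sql: str, server_version: int) -> str:
    """Keep the body of each /*!NNNNN ... */ that the given server version would execute,
    drop the others. Assumption: /*! ... */ with no digits always executes, as in MySQL."""
    def repl(m):
        required = int(m.group(1)) if m.group(1) else 0
        return m.group(2) if server_version >= required else ""
    return COND_COMMENT.sub(repl, sql)


def decode_hex_literals(sql: str) -> str:
    """Replace 0x... string literals with the quoted text CAST(0x... AS CHAR) would return."""
    def repl(m):
        digits = m.group(1)
        if len(digits) % 2:
            return m.group(0)  # odd digit count: numeric literal, leave it alone
        text = bytes.fromhex(digits).decode("utf-8", errors="replace")
        return "'" + text.replace("'", "''") + "'"
    return HEX_LITERAL.sub(repl, sql)


def decode_probe(param: str, server_version: int) -> str:
    """The statement text the database would actually see for this parameter value."""
    expanded = expand_conditional_comments(param, server_version)
    return " ".join(decode_hex_literals(expanded).split())


def union_columns(sql: str) -> list:
    """Select-list items of a UNION probe; their count is the column count being guessed."""
    m = UNION_SELECT.search(sql)
    if not m:
        return []
    return [c.strip() for c in m.group(1).split(",") if c.strip()]


def looks_like_column_probe(sql: str) -> bool:
    """Heuristic: a UNION whose select list is one filler value repeated is padding for
    column-count discovery rather than an attempt to pull data."""
    cols = union_columns(sql)
    return len(cols) > 0 and len(set(cols)) == 1


if __name__ == "__main__":
    for version in (50744, 1000):
        decoded = decode_probe(SAMPLE_PARAM, version)
        print(f"server {version}: {decoded}")
        print(f"  union columns: {len(union_columns(decoded))}, "
              f"column probe: {looks_like_column_probe(decoded)}")
```

Run against the sample, a modern MySQL version yields `99.99 union all select '102','102','102' --` with three identical filler columns, while a version below the threshold yields `99.99 --`, which is the "whole string is a comment" reading Mark started from.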

Re: Confused: java.lang.NullPointerException CF9

2013-07-22 Thread Mike K
It looks like this problem is solved, because while it's been intermittent, I haven't had the error for a couple of days. So that means the problem was the timezone.cfc CFC by Paul Hastings. It's an excellent component, but the version I had was old. It's been rock solid for years and years,

J2EE session expire coldfusion9

2013-07-22 Thread Ria Ragam
Hi All, I am trying to invalidate the session using getPageContext().getSession().invalidate(). The application runs on Unix, uses J2EE sessions, and all session data is stored in a structure. It looks like the session is only invalidated in the first request of the browser and after that it is not invalidated.

Re: Hack Attempt on our database last night

2013-07-22 Thread Justin Scott
Which brings up another security question. How do other sites handle something like this automatically? I mean, if I see an attack from an IP address, is it even worth blocking at the firewall? What I do is a combination of input sanitizing and using cfqueryparam to the point where it's
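Justin's combination of input validation and `cfqueryparam` can be demonstrated with any database driver that supports bound parameters. The example below is added here and is not from the thread; it uses Python's built-in sqlite3 module in place of ColdFusion and MySQL, so the probe carries the already-decoded strings rather than MySQL hex literals, and the product table and the probe value are constructed. It puts the spliced-in query beside the bound-parameter version and beside a typed lookup that, like `cfqueryparam` with `cfsqltype="cf_sql_integer"`, rejects a non-numeric value before any query runs.

```python
"""Spliced-in value versus bound parameter, shown with sqlite3.
Added example for the cf-talk thread; not ColdFusion, not MySQL."""
import sqlite3
from typing import List, Tuple

# Constructed probe: the thread's UNION payload with its hex literals already decoded.
# Three identical columns pad the select list to match the original query's column count.
PROBE = "1 union all select '102','102','102' --"


def setup() -> sqlite3.Connection:
    """Build a small constructed product table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table product(id integer primary key, name text, price real)")
    conn.executemany(
        "insert into product(id, name, price) values (?, ?, ?)",
        [(1, "widget", 9.99), (2, "gadget", 19.99)],
    )
    return conn


def lookup_concatenated(conn: sqlite3.Connection, product_id: str) -> List[Tuple]:
    """The pattern under attack: the request value is spliced into the SQL text, so a
    UNION inside the value changes the shape of the statement and adds rows."""
    sql = "select id, name, price from product where id = " + product_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, product_id) -> List[Tuple]:
    """cfqueryparam equivalent: the statement text is fixed and the value is bound, so the
    whole probe is compared against the id column as one opaque value and matches nothing."""
    sql = "select id, name, price from product where id = ?"
    return conn.execute(sql, (product_id,)).fetchall()


def lookup_typed(conn: sqlite3.Connection, product_id: str) -> List[Tuple]:
    """Validation layered on binding: coerce to int first (cfqueryparam with
    cfsqltype="cf_sql_integer" does the same), so junk is rejected before a query runs."""
    return lookup_parameterized(conn, int(product_id))


def typed_lookup_rejects(conn: sqlite3.Connection, value: str) -> bool:
    """True when the typed lookup refuses the value outright with a ValueError."""
    try:
        lookup_typed(conn, value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    conn = setup()
    print("concatenated :", lookup_concatenated(conn, PROBE))
    print("parameterized:", lookup_parameterized(conn, PROBE))
    print("typed rejects:", typed_lookup_rejects(conn, PROBE))
```

The concatenated form returns the real row plus a `('102', '102', '102')` row, which is exactly the "executes without an error" signal the automated tool was looking for; the bound form returns no rows and the typed form never reaches the database.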