According to the Stack Overflow comments 0x313032 ...etc is the "calling
card" of Havij, an automated injection tool.  The commenter said "somewhat
of a necro" - which I have no idea what that means... he's either
disparaging a race of intergalactic conquerors or misspelling macro.

-----Original Message-----
From: Byron Mann [mailto:byronos...@gmail.com] 
Sent: Monday, July 22, 2013 11:49 AM
To: cf-talk
Subject: RE: Hack Attempt on our database last night


That makes sense to me, looks more like an attempt to see if an injection
would work.

Byron Mann
Lead Engineer & Architect
HostMySite.com
On Jul 22, 2013 12:46 PM, "Mark A Kruger" <mkru...@cfwebtools.com> wrote:

>
> Justin (et al)
>
> When I unpack this I get
>
> 999999.99 /*!3000 union all select   0x313032...   etc     */ --
>
> Doesn't the /* */ force the whole string into a comment? Hard to see how
> that would succeed.
>
> -Mark
>
>
>
> -----Original Message-----
> From: Justin Scott [mailto:leviat...@darktech.org]
> Sent: Monday, July 22, 2013 11:19 AM
> To: cf-talk
> Subject: Re: Hack Attempt on our database last night
>
>
> In this particular case it's not generating SQL but just filling in
> space to match the number of columns with the original query.
> Basically once it executes without an error it allows the attacker to
> see how many columns the original query is selecting.  It's part of an
> automated attack tool.
>
> -Justin
>
> On Mon, Jul 22, 2013 at 5:08 AM, Russ Michaels <r...@michaels.me.uk>
> wrote:
> >
> > You can run cast function on the hex string to see the actual sql it
> > generates, which I thought was required anyway so not sure that query
> > would even execute otherwise.
> >
> > Russ Michaels
> > www.michaels.me.uk
> > cfmldeveloper.com
> > cflive.net
> > cfsearch.com
> > On 22 Jul 2013 04:45, "Justin Scott" <leviat...@darktech.org> wrote:
> >
> >>
> >> There was some discussion about a very similar injection on Stack
> >> Overflow which may be useful:
> >>
> >> http://stackoverflow.com/questions/4600954/site-has-been-hacked-via-sql-injection
> >>
> >>
> >> -Justin
> >>
> >>
> >>
> >> On Sun, Jul 21, 2013 at 1:33 PM, Dave  Hatz <daveh...@hatzventures.org>
> >> wrote:
> >> >
> >> > We had someone trying to hack our system last night and I would like
> >> > to know what he was trying to get.  Seems one of our new Junior
> >> > programmers didn't use CFQUERYPARAM and allowed this param into the
> >> > query string.  Needless to say, I will be having a nice long chat with
> >> > him when he gets into the office tomorrow.
> >> >
> >> > How do I decode what this is?  Is there a tool or site that will
> >> > convert this for me?
> >> >
> >> > 999999.9 /*!30000union all select
> >> > 0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,
> >> > 0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,
> >> > 0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,
> >> > 0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,
> >> > 0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,
> >> > 0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,
> >> > 0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,
> >> > 0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,
> >> > 0x31303235343830303536,0x31303235343830303536*/--
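A small decoder for the probe quoted in this thread, added here as an example and not code from any of the posters: it decodes the 0x... literals the way MySQL's CAST would, counts them (the number of columns the tool guessed), and recognizes the /*!NNNNN ... */ form, which is MySQL's conditional comment rather than a plain comment. The payload string is re-typed from the thread; the function and pattern names are my own.

```python
import re

# The probe from the thread, reconstructed inline (26 identical hex literals).
PAYLOAD = ("999999.9 /*!30000union all select "
           + ",".join(["0x31303235343830303536"] * 26) + "*/--")

HEX_LITERAL = re.compile(r"0x([0-9A-Fa-f]+)")
# /*!NNNNN ... */ is MySQL's conditional comment: MySQL executes the body when
# its version is >= NNNNN (30000 = 3.00.00); other databases see a plain comment,
# which is why the string does not simply comment itself out on MySQL.
CONDITIONAL = re.compile(r"/\*!(\d+)(.*?)\*/", re.S)


def decode_hex_literals(sql):
    """Decode every 0x... literal to the string MySQL would substitute for it."""
    return [bytes.fromhex(h).decode("latin-1") for h in HEX_LITERAL.findall(sql)]


def analyze_probe(sql):
    """Describe a UNION column-count probe: what it needs to run and what it reads."""
    m = CONDITIONAL.search(sql)
    if m is None:
        return {"conditional_comment": False}
    body = m.group(2)
    values = decode_hex_literals(body)
    return {
        "conditional_comment": True,
        "min_mysql_version": m.group(1),
        "union": "union" in body.lower(),
        "columns": len(values),            # columns the tool guessed the query has
        "marker": values[0] if values else None,
        "uniform": len(set(values)) == 1,  # identical filler => nothing is read yet
    }


def looks_like_column_probe(sql, min_columns=5):
    """Log-review heuristic: conditional comment + UNION + a run of identical filler."""
    r = analyze_probe(sql)
    return (r["conditional_comment"] and r["union"] and r["uniform"]
            and r["columns"] >= min_columns)


if __name__ == "__main__":
    print(analyze_probe(PAYLOAD))
```

Run against the quoted payload it reports 26 columns, all filled with the same decoded marker "1025480056", which is what Justin describes: a count-the-columns probe, not a query that reads data.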
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356270