Justin (et al)

When I unpack this I get

999999.99 /*!3000 union all select   0x313032...   etc     */ --

Doesn't the /* */ force the whole string into a comment? Hard to see how
that would succeed.

-Mark



-----Original Message-----
From: Justin Scott [mailto:leviat...@darktech.org] 
Sent: Monday, July 22, 2013 11:19 AM
To: cf-talk
Subject: Re: Hack Attempt on our database last night


In this particular case it's not generating SQL but just filling in
space to match the number of columns with the original query.
Basically once it executes without an error it allows the attacker to
see how many columns the original query is selecting.  It's part of an
automated attack tool.

-Justin

On Mon, Jul 22, 2013 at 5:08 AM, Russ Michaels <r...@michaels.me.uk> wrote:
>
> You can run cast function on the hex string to see the actual sql it
> generates, which I thought was required anyway so not sure that query would
> even execute otherwise.
>
> Russ Michaels
> www.michaels.me.uk
> cfmldeveloper.com
> cflive.net
> cfsearch.com
> On 22 Jul 2013 04:45, "Justin Scott" <leviat...@darktech.org> wrote:
>
>>
>> There was some discussion about a very similar injection on Stack
>> Overflow which may be useful:
>>
>>
>>
>> http://stackoverflow.com/questions/4600954/site-has-been-hacked-via-sql-injection
>>
>>
>> -Justin
>>
>>
>>
>> On Sun, Jul 21, 2013 at 1:33 PM, Dave  Hatz <daveh...@hatzventures.org>
>> wrote:
>> >
>> > We had someone trying to hack our system last night and I would like to
>> know what he was trying to get.  Seems one of our new Junior programmers
>> didn't use CFQUERYPARAM and allowed this param into the query string.
>>  Needless to say, I will be having a nice long chat with him when he gets
>> into the office tomorrow.
>> >
>> > How do I decode what this is?  Is there a tool or site that will convert
>> this for me?
>> >
>> > 999999.9 /*!30000union all select
>> > 0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536*/--
>> >
>> >
>>
>>
>
> 
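Editor's note, added to this archived thread and not written by any of the participants: the small decoder below answers Dave's "is there a tool that will convert this for me?" for the hex literals in the payload he quoted, and pairs it with a log-side check a defender can run. Two documented MySQL behaviours it relies on: a `0x...` literal is a binary string, so each `0x31303235343830303536` is the marker `1025480056` rather than a number; and `/*!30000 ... */` is a version-conditional comment whose body MySQL executes when the server is at least version 3.0.0, which is why the text inside the comment markers still runs against MySQL. The `SAMPLE_PARAM` value is constructed from the quoted payload, cut down to three of its 26 identical literals. The fix the thread already names, `cfqueryparam`, binds the value as a parameter instead of concatenating it, so none of this would ever reach the SQL parser.

```python
import re

# Constructed test input: the parameter quoted in the thread, shortened to
# three of its 26 identical hex literals so it fits on one line.
SAMPLE_PARAM = ("999999.9 /*!30000union all select "
                "0x31303235343830303536,0x31303235343830303536,0x31303235343830303536*/--")

HEX_LITERAL = re.compile(r"0x([0-9A-Fa-f]+)")
# MySQL version-conditional comment: /*!NNNNN ... */ executes its body when the
# server version is >= NNNNN (30000 = 3.0.0), so it is not an ordinary comment.
CONDITIONAL_COMMENT = re.compile(r"/\*!(\d{5,6})?(.*?)\*/", re.S)
UNION_SELECT = re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)


def decode_hex_literals(text):
    """Decode every 0x... literal in text as MySQL treats it: a byte string."""
    decoded = []
    for m in HEX_LITERAL.finditer(text):
        digits = m.group(1)
        if len(digits) % 2:          # MySQL pads an odd-length literal with a leading 0
            digits = "0" + digits
        decoded.append(bytes.fromhex(digits).decode("utf-8", errors="replace"))
    return decoded


def analyse_parameter(param):
    """Summarise what an unparameterised MySQL query would do with this value."""
    report = {"min_version": None, "executes_in_mysql": False,
              "union_select": False, "columns": 0,
              "decoded": decode_hex_literals(param)}
    body = param
    m = CONDITIONAL_COMMENT.search(param)
    if m:
        report["executes_in_mysql"] = True
        report["min_version"] = m.group(1)
        body = m.group(2)            # the part MySQL would actually run
    u = UNION_SELECT.search(body)
    if u:
        report["union_select"] = True
        select_list = body[u.end():]
        # Number of injected columns: the UNION only succeeds when this equals
        # the column count of the original query, which is what the probe learns.
        report["columns"] = len([c for c in select_list.split(",") if c.strip()])
    return report


def is_suspicious(param):
    """Cheap rule for a request-log or WAF filter: conditional comment or UNION SELECT."""
    return bool(CONDITIONAL_COMMENT.search(param) or UNION_SELECT.search(param))


if __name__ == "__main__":
    r = analyse_parameter(SAMPLE_PARAM)
    print("decoded literals:", sorted(set(r["decoded"])))
    print("columns probed:", r["columns"], "min MySQL version:", r["min_version"])
    print("suspicious:", is_suspicious(SAMPLE_PARAM))
```

Run against the full 26-literal payload, `columns` comes back as 26, and every literal decodes to the same marker string, which is consistent with Justin's reading that the tool is matching the original query's column count rather than pulling data at this stage. The `is_suspicious` rule is deliberately narrow (it keys on the `/*!` form and on UNION SELECT) so it can be applied to stored request logs without a flood of false positives on ordinary apostrophes or numbers.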



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356268