Nemoden

Reputation: 9056

What kind of SQL injection is this?

I've found that someone is trying to attack our company's website via password restore form. The attack is either a SQL or code injection. It looks like this:

'; if (db_name()))<48) waitfor delay \\\'00:00:04\\\'--'

there are several variations of the statement above, e.g.

'; if (Len((db_name()))=62) waitfor delay \\\'00:00:04\\\'--'
'; if (system_user))<48) waitfor delay \\\'00:00:04\\\'--'
'; if (Len((system_user))=63) waitfor delay \\\'00:00:04\\\'--'

Couldn't google anything related to this attack.

Hopefully, somebody knows what kind of attack this is and what the attacker is trying to do here?

Upvotes: 3

Views: 329

Answers (2)

user1403947


This is a time-based SQL injection attack.

The attacker knows whether the query is true or not by how fast the page loads with waitfor delay. If true then there will be a 4 second delay.

Next the attacker could use substring to slowly extract data from any column in your database that the current database user has permissions to.

example:

first character = a?

if(ASCII(SUBSTRING((SELECT password FROM admin), 1, 1))=97) waitfor delay ...

second character = b?

if(ASCII(SUBSTRING((SELECT password FROM admin), 2, 1))=98) waitfor delay ...

If the first letter of column password is 'a' (ASCII('a') === 97), the page will delay. By iterating over each character using substring, they could slowly extract your data.

Upvotes: 6
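As an added defensive example (not part of the question or either answer), the Python below flags form inputs that carry the shape of the probes quoted in the question, an IF condition on a metadata function wrapped in a stacked statement that ends in a time delay, and contrasts the string-concatenated query that makes such probes work with a parameterised lookup that binds the value as data. The input list, the in-memory users table, and the function names are constructed for this illustration; the patterns go beyond the page's SQL Server case by also covering the sleep primitives of MySQL, PostgreSQL and Oracle.

```python
import re
import sqlite3

# Constructed sample inputs: the four probes quoted in the question (raw strings keep the
# backslash escaping exactly as it was logged) plus two benign values a real user might type.
SAMPLE_INPUTS = [
    r"'; if (db_name()))<48) waitfor delay \\\'00:00:04\\\'--'",
    r"'; if (Len((db_name()))=62) waitfor delay \\\'00:00:04\\\'--'",
    r"'; if (system_user))<48) waitfor delay \\\'00:00:04\\\'--'",
    r"'; if (Len((system_user))=63) waitfor delay \\\'00:00:04\\\'--'",
    "alice@example.com",
    "O'Brien",
]

# Time-delay primitives a blind probe leans on. Names are constructed labels for reporting.
TIME_DELAY_PATTERNS = [
    ("mssql_waitfor", re.compile(r"waitfor\s+delay", re.I)),
    ("mysql_sleep", re.compile(r"\bsleep\s*\(", re.I)),
    ("mysql_benchmark", re.compile(r"\bbenchmark\s*\(", re.I)),
    ("postgres_pg_sleep", re.compile(r"\bpg_sleep\s*\(", re.I)),
    ("oracle_dbms_lock", re.compile(r"dbms_lock\.sleep", re.I)),
]

# Boolean-probe shapes: an IF condition over a metadata function, or the character
# extraction helpers the first answer describes.
PROBE_PATTERNS = [
    ("if_on_metadata", re.compile(r"\bif\s*\(.*?(db_name|system_user|user_name|@@version)", re.I | re.S)),
    ("char_extraction", re.compile(r"\b(ascii|len|substring)\s*\(", re.I)),
]

# Statement terminator followed by more SQL and a trailing comment marker: the envelope
# that lets the injected statement run after the application's own query.
STACKED_ENVELOPE = re.compile(r";\s*\S.*--", re.S)


def classify(value: str) -> dict:
    """Report which indicators fire for one form input."""
    delay = [name for name, rx in TIME_DELAY_PATTERNS if rx.search(value)]
    probe = [name for name, rx in PROBE_PATTERNS if rx.search(value)]
    stacked = bool(STACKED_ENVELOPE.search(value))
    # A delay primitive alone is enough; a probe shape counts only inside a stacked envelope,
    # so a surname like O'Brien or a word like "substring" in free text does not fire.
    suspicious = bool(delay) or (stacked and bool(probe))
    return {"time_delay": delay, "probe": probe, "stacked_query": stacked, "suspicious": suspicious}


def flag_suspicious(values):
    """Return the subset of inputs that should be logged and blocked before reaching SQL."""
    return [v for v in values if classify(v)["suspicious"]]


def render_unsafe_sql(email: str) -> str:
    """The concatenation shape that makes the probes work. Shown only to contrast; never executed here."""
    return "SELECT id, email FROM users WHERE email = '" + email + "'"


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the site's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE)")
    conn.executemany("INSERT INTO users (id, email) VALUES (?, ?)",
                     [(1, "alice@example.com"), (2, "bob@example.com")])
    conn.commit()
    return conn


def lookup_user_safe(conn: sqlite3.Connection, email: str):
    """Parameterised lookup: the whole input is bound as one string value, so a probe
    simply matches no row instead of becoming part of the statement."""
    return conn.execute("SELECT id, email FROM users WHERE email = ?", (email,)).fetchall()


if __name__ == "__main__":
    for value in SAMPLE_INPUTS:
        print(classify(value)["suspicious"], value)
    conn = build_demo_db()
    print(lookup_user_safe(conn, "alice@example.com"))   # [(1, 'alice@example.com')]
    print(lookup_user_safe(conn, SAMPLE_INPUTS[0]))      # []
```

In practice the classifier belongs at the logging or WAF layer, as an alert source, while the parameterised query is the actual fix: once every query binds its inputs, the delay probes above return no rows and no timing signal, whatever the classifier misses.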

Kenny Thompson

Reputation: 1492

It looks like they are trying to find out information about your DB.

I found information about this type of attack on this site: http://searchsqlserver.techtarget.com/feature/Time-delay-SQL-injections

Upvotes: 1
