Decoding SQL injection attempts

October 10, 2011


SQL Server's CAST function can convert a hex-encoded array of character codes (a 0x... literal) into text. Attackers use it to obfuscate a SQL injection payload so that it slips past filters that block SQL keywords or hazardous characters.
Here is an example of an attack that uses this technique:

SET @S=CAST(0x<The ASCII Code Array> AS CHAR(4000));

The first step is to declare a variable that will hold the attack payload.
The second step sets the variable to the payload, which is hex-encoded and decoded with the CAST function.
In the third step, the payload is executed.

Sample Exploit

The following payload shuts down the database server by executing the command "exec master..xp_cmdshell 'shutdown -f'":


Affected Products
MS SQL-based web applications.

Let's start decoding SQL injection attempts



To decode (on Linux)

# echo "0x650078006500630020006D00610073007400650072002E002E00780070005F0063006D0064007300680065006C006C0020002700730068007500740064006F0077006E0020002D0066002700" | xxd -r -p

This yields our payload. Note that the bytes are UTF-16LE, so every letter is followed by a 0x00 byte that xxd writes out but the terminal does not display; strip the 0x prefix and the NULs before feeding the text to any other tool:

exec master..xp_cmdshell 'shutdown -f'
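The same decoding step, automated over a web-server log line, as an added example that is not part of the original post. It finds CAST(0x... AS ...CHAR) literals in a request, decodes them (handling the UTF-16LE NUL padding seen above as well as plain single-byte hex), and flags payloads that contain dangerous keywords. The request path and keyword list are assumptions; the hex is the page's own payload.

```python
import re
from urllib.parse import unquote

# CAST(0x<hex> AS [N][VAR]CHAR ...) as used by the obfuscated payloads described above.
CAST_HEX_RE = re.compile(
    r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+N?(?:VAR)?CHAR", re.IGNORECASE
)

# Constructed sample request line (hypothetical host/path); the hex is the page's payload.
SAMPLE_LOG = (
    "GET /item.asp?id=1;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST("
    "0x650078006500630020006D00610073007400650072002E002E00780070005F0063006D00"
    "64007300680065006C006C0020002700730068007500740064006F0077006E0020002D00"
    "66002700%20AS%20CHAR(4000));EXEC(@S);-- HTTP/1.1"
)

def decode_hex_payload(hex_digits):
    """Turn the digits of a 0x... literal back into text.

    These payloads are normally UTF-16LE (every second byte is 0x00), which is
    why xxd emits invisible NULs between the letters. If the NULs are absent,
    fall back to treating each byte as one character."""
    if len(hex_digits) % 2:
        hex_digits = "0" + hex_digits          # tolerate a truncated odd digit count
    raw = bytes.fromhex(hex_digits)
    if len(raw) >= 2 and len(raw) % 2 == 0 and not any(raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("latin-1")

def extract_cast_payloads(line):
    """Decode every CAST(0x... AS ...CHAR) literal found in one log line."""
    decoded_line = unquote(line)                # requests arrive URL-encoded
    return [decode_hex_payload(m.group(1)) for m in CAST_HEX_RE.finditer(decoded_line)]

# Assumed keyword list; extend it to match what your own environment should never see.
SUSPICIOUS = ("xp_cmdshell", "exec ", "shutdown", "declare ", "cursor")

def flag_line(line):
    """Return the decoded payloads that contain a dangerous keyword (empty if clean)."""
    return [p for p in extract_cast_payloads(line)
            if any(k in p.lower() for k in SUSPICIOUS)]

if __name__ == "__main__":
    for payload in flag_line(SAMPLE_LOG):
        print("decoded payload:", payload)
```

Run it over a whole access log one line at a time; any non-empty result from flag_line is a request worth investigating.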