Hello there folks!

I keep seeing this attempted exploit on my sites. I am just curious what the statement is trying to achieve. Any help deciphering it would be greatly appreciated!

(SELECT+8041+FROM(SELECT+COUNT(%2A),CONCAT(0x3a6f79753a,(SELECT+(CASE+WHEN+(8041%3D8041)+THEN+1+ELSE+0+END)),0x3a70687a3a,floor(rand(0)%2A2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)+AND+%27MEpR%27%3D%27MEpR

By itself, if it gets executed as a DB query, it looks like it would either return one result row with the value 8041, or else return nothing (or maybe throw an error/exception if it fails). Maybe it's an exploratory thing: if that 8041 shows up in some response, then they think they have found a SQL injection flaw and will try to exploit it further? 🤷‍♂️

Getting rid of the url-encoding and formatting it a bit:

(
  SELECT 8041 FROM(    -- all that actually gets returned by the query
    SELECT
      COUNT(*),
      CONCAT(
        0x3a6f79753a,
        (SELECT (CASE WHEN (8041=8041) THEN 1 ELSE 0 END)),
        0x3a70687a3a,
        floor(rand(0)*2)
      ) x
    FROM INFORMATION_SCHEMA.CHARACTER_SETS
    GROUP BY x
  ) a
) AND 'MEpR'='MEpR

But you're using PDO with prepared statements and bound parameters for all external values, so you don't have to worry, right? 😉
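Editor's note (an added example, not part of the thread): against MySQL the inner query is the well-known error-based probe rather than a true/false test. GROUP BY over an expression that contains FLOOR(RAND(0)*2) makes the server abort with "Duplicate entry ... for key 'group_key'", and the duplicated key is the CONCAT() value, so the CASE result (1 here, because 8041=8041) comes back inside the error text between the two markers 0x3a6f79753a = ':oyu:' and 0x3a70687a3a = ':phz:'. The outer SELECT 8041 FROM (...) a only wraps that subquery, and the trailing AND 'MEpR'='MEpR re-closes the quoted string the injection point sat in. The Python below reimplements RAND(seed) from MySQL's mysys/my_rnd.cc and models the two evaluations of the GROUP BY key; the row count of 40 and the exact wording of the error message are assumptions that mirror the server rather than reproduce it.

```python
"""
Model of the MySQL error-based injection probe quoted in the thread:

    SELECT COUNT(*), CONCAT(0x3a6f79753a, <cond>, 0x3a70687a3a, FLOOR(RAND(0)*2)) x
    FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x

Added example, not code from the post.  mysql_rand() reimplements the
RAND(seed) generator from MySQL's mysys/my_rnd.cc; the GROUP BY model and the
error text are an approximation of the server's behaviour, not a port of it.
"""

MAX_VALUE = 0x3FFFFFFF  # modulus of MySQL's my_rnd()


def mysql_rand(seed):
    """Yield the float sequence MySQL's RAND(seed) produces for a fixed seed."""
    seed1 = (seed * 0x10001 + 55555555) % MAX_VALUE
    seed2 = (seed * 0x10000001) % MAX_VALUE
    while True:
        seed1 = (seed1 * 3 + seed2) % MAX_VALUE
        seed2 = (seed1 + seed2 + 33) % MAX_VALUE
        yield seed1 / MAX_VALUE


def rand0_bits(n):
    """FLOOR(RAND(0)*2) for the first n evaluations: a fixed 0/1 pattern."""
    gen = mysql_rand(0)
    return [int(next(gen) * 2) for _ in range(n)]


def decode_hex_literal(literal):
    """MySQL 0x.. string literal to text: 0x3a6f79753a -> ':oyu:'."""
    return bytes.fromhex(literal[2:]).decode("ascii")


class DuplicateEntry(Exception):
    """Stand-in for MySQL error 1062 (ER_DUP_ENTRY) raised by the GROUP BY."""

    def __init__(self, key):
        super().__init__(f"Duplicate entry '{key}' for key 'group_key'")
        self.key = key


def error_based_group_by(condition, rows=40,
                         left="0x3a6f79753a", right="0x3a70687a3a"):
    """Run the GROUP BY the way MySQL does and return the groups, or raise.

    MySQL evaluates the GROUP BY key once to look it up in the temporary
    table and, when it is absent, again to insert the new group.  Because
    FLOOR(RAND(0)*2) is 0,1,1,0,1,1,... the lookup and the insert can see
    different keys, the insert hits a key that already exists, and the
    server aborts with error 1062 whose message quotes that key, i.e. the
    attacker-chosen CONCAT() string.  `rows` stands in for the size of
    INFORMATION_SCHEMA.CHARACTER_SETS (an assumption); three rows suffice.
    """
    bits = iter(rand0_bits(2 * rows))
    prefix = decode_hex_literal(left) + str(int(bool(condition))) + decode_hex_literal(right)
    groups = {}
    for _ in range(rows):
        key = prefix + str(next(bits))        # first evaluation: lookup
        if key in groups:
            groups[key] += 1                  # COUNT(*) for an existing group
            continue
        key = prefix + str(next(bits))        # second evaluation: insert
        if key in groups:
            raise DuplicateEntry(key)
        groups[key] = 1
    return groups


def leaked_value(condition):
    """What the scanner reads from the error page: markers around the CASE result.

    Returns None if the query happened to complete without a collision.
    """
    try:
        error_based_group_by(condition)
    except DuplicateEntry as err:
        return err.key
    return None


if __name__ == "__main__":
    print("FLOOR(RAND(0)*2):", rand0_bits(8))            # [0, 1, 1, 0, 1, 1, 0, 0]
    print("8041=8041 ->", leaked_value(8041 == 8041))    # :oyu:1:phz:1
    print("8041=8042 ->", leaked_value(8041 == 8042))    # :oyu:0:phz:1
```

What the scanner is looking for is therefore ':oyu:1:phz:' somewhere in the response: that tells it the parameter reaches a MySQL query and that database errors are reflected back to the client, and the follow-up payloads swap the CASE for subqueries that read real data out piece by piece. Bound as a PDO parameter the whole thing is just a literal string and none of it is evaluated.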

    Yeah, doing a search for "SELECT 8041" and similar turns up a bunch more attempts around the place. And, on my quick look, it looks like at least one site has since been pwned.

    Oh, hey, I think I remember hearing something about PunkSpider being relaunched. Coincidence?

      schwim If it's not already clear to you, these requests to your site hope to exploit carelessly written code in your system that takes user input (that query string in this case) and crams it without proper escaping into some SQL query. The PHP Manual describes SQL injection.

        Thank you all very much for your help! I was aware of it being an attempt at SQL injection but I just couldn't figure out what it expected as a result. It's a bot that hits the pages looking for variables in the URL then it starts trying some things with adding to the vars. For instance, it will first try /?action=about+and+1=1 then it will try /?action=about+and+1=2 trying what I posted right after.

        The bot tries about 700 URLs after but my site stops recording URLs after an automatic ban in an attempt to keep overhead down so I don't know what else it's trying. I think I'll change the way it handles it so I can see what's in the rest of the URLs. I think what it's going to be is just the same action on every GET var it finds at the site but we'll see.

        Thank you again for all your help!

          In the attacks I've seen, the incrementing of a value suggests a couple of scary possibilities:
          a) The attacker successfully found some SQL injection vulnerability and is incrementing some value to exfiltrate a data table, one record at a time.
          b) The attacker is attempting a buffer overflow exploit, and is trying to determine the right memory offset.

          Your posted query string examples look to me more like situation a. Situation b tends to increase the character length of the requested string.

          On the other hand, these attacks seem quite commonplace, so the presence of this incrementing behavior doesn't definitively mean there is any exploit in progress. Here are some entries from my apache log recently:

          170.106.99.215 - - [26/Aug/2021:11:54:59 +0000] "GET /community/home.php?p=1+%27-6863+union+all+select+1,1,CONCAT(0x3a6f79753a,0x4244764877697569706b,0x3a70687a3a)1,1,1%23 HTTP/1.0" 301 672 "-" "-"
          170.106.99.215 - - [26/Aug/2021:11:54:59 +0000] "GET /community/home.php?p=1+-6863+union+all+select+1,1,CONCAT(0x3a6f79753a,0x4244764877697569706b,0x3a70687a3a)1,1,1,1%23 HTTP/1.0" 301 670 "-" "-"
          170.106.99.215 - - [26/Aug/2021:11:55:00 +0000] "GET /community/home.php?p=1+-6863+union+all+select+1,1,CONCAT(0x3a6f79753a,0x4244764877697569706b,0x3a70687a3a)1,1,1,1,1%23 HTTP/1.0" 301 674 "-" "-"

          You might consider requesting one of these urls to see how your site responds.
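Editor's note (an added example, not code from the thread): decoded, the three requests above are a UNION column-count probe. The same payload is resent with one more ,1 in the SELECT list each time until the column count matches the original query, and CONCAT(0x3a6f79753a,0x4244764877697569706b,0x3a70687a3a), which decodes to ':oyu:BDvHwiuipk:phz:', is the string the scanner greps the response for; only the first variant also injects a quote to test a string context. As logged, the comma after CONCAT(...) is missing in all three lines, so the counter below treats CONCAT(...)1 as a single item. The Python below parses exactly those lines, URL-decodes the query string, decodes the hex literals and counts the UNION columns; the keyword list and the fields it reports are my own heuristics, not a standard signature set.

```python
"""
Triage of Apache access-log lines for the UNION column-count probe seen in
the thread.  Added example, not code from the post: the log lines are the
three quoted above and the keyword list is a heuristic of my own.
"""
import re
from urllib.parse import unquote_plus, urlsplit

# The three requests quoted in the post (copied from it, not constructed).
LOG_LINES = [
    '170.106.99.215 - - [26/Aug/2021:11:54:59 +0000] "GET /community/home.php?p=1+%27-6863+union+all+select+1,1,CONCAT(0x3a6f79753a,0x4244764877697569706b,0x3a70687a3a)1,1,1%23 HTTP/1.0" 301 672 "-" "-"',
    '170.106.99.215 - - [26/Aug/2021:11:54:59 +0000] "GET /community/home.php?p=1+-6863+union+all+select+1,1,CONCAT(0x3a6f79753a,0x4244764877697569706b,0x3a70687a3a)1,1,1,1%23 HTTP/1.0" 301 670 "-" "-"',
    '170.106.99.215 - - [26/Aug/2021:11:55:00 +0000] "GET /community/home.php?p=1+-6863+union+all+select+1,1,CONCAT(0x3a6f79753a,0x4244764877697569706b,0x3a70687a3a)1,1,1,1,1%23 HTTP/1.0" 301 674 "-" "-"',
]

# Apache combined-style line: ip ident user [time] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
HEX_LITERAL_RE = re.compile(r"0x(?:[0-9a-fA-F]{2})+")

# Substrings that rarely occur in legitimate query strings (heuristic, my own list).
SQLI_KEYWORDS = ("union all select", "union select", "information_schema",
                 "group by", "rand(", "concat(", "sleep(", "benchmark(")


def decode_hex_literals(text):
    """Turn MySQL 0x.. string literals back into text: 0x3a6f79753a -> ':oyu:'."""
    decoded = []
    for lit in HEX_LITERAL_RE.findall(text):
        try:
            decoded.append(bytes.fromhex(lit[2:]).decode("ascii"))
        except UnicodeDecodeError:
            decoded.append(lit)  # not printable text, keep the raw literal
    return decoded


def union_column_count(sql):
    """Number of top-level items in the SELECT list of a 'union ... select ...#'.

    Commas inside parentheses (CONCAT(a,b,c)) do not count; the list ends at
    the first '#' comment marker or at the end of the string.
    """
    low = sql.lower()
    pos = low.find("select")
    if pos < 0:
        return 0
    select_list = sql[pos + len("select"):].split("#", 1)[0]
    depth, items = 0, 1
    for ch in select_list:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == "," and depth == 0:
            items += 1
    return items


def analyse(line):
    """Return a finding dict for a log line carrying a SQLi probe, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = unquote_plus(urlsplit(m["target"]).query)   # %27 -> ', %23 -> #, + -> space
    low = query.lower()
    keywords = [k for k in SQLI_KEYWORDS if k in low]
    if not keywords:
        return None
    before_union = low.split("union", 1)[0]
    return {
        "ip": m["ip"],
        "time": m["time"],
        "status": int(m["status"]),
        "query": query,
        "keywords": keywords,
        "hex_strings": decode_hex_literals(query),
        "union_columns": union_column_count(query) if "union" in low else 0,
        "quote_injected": "'" in before_union,   # probing a string context?
    }


def column_progression(lines):
    """Per source IP, the UNION column counts in request order: the
    'one more ,1 each time' signature of a column-count probe."""
    seen = {}
    for line in lines:
        finding = analyse(line)
        if finding and finding["union_columns"]:
            seen.setdefault(finding["ip"], []).append(finding["union_columns"])
    return seen


if __name__ == "__main__":
    for line in LOG_LINES:
        f = analyse(line)
        print(f["ip"], f["status"], f["union_columns"], f["hex_strings"], f["quote_injected"])
    print(column_progression(LOG_LINES))   # {'170.106.99.215': [5, 6, 7]}
```

The status column is worth keeping in the output: all three requests above got a 301, i.e. a redirect, so whatever body the scanner received was not the output of home.php running that query. A progression like [5, 6, 7] from one IP inside a second or two is a cheap trigger for a block, and decoding the hex literals gives you the marker string to search your own responses for if you want to confirm nothing was reflected.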

          Thanks very much for your help, sneakyimp; running those three URLs just results in triggering my ban mechanism.

          I know it doesn't mean anything, but I've not seen any indication of a successful exploit. I do like to see the various methods they attempt, though; it's very handy for customizing the protective measures.

          5 days later

          schwim I'm curious what protective measures you are taking. I have had problems in the past when banning specific IP addresses. Some IP addresses are clearly bad, but others are a proxy for very large universities or perhaps a starbucks or other large organization. I've considered setting some kind of 'ban cookie' for users that attempt these hacks.

          Also, recognizing these hack attempts seems like it might be a good application of machine learning.

            8 days later

            So out of curiosity I happened to google the funky looking encoded values, and came across this vulnerability scanner that uses this exact query: PHPmvs

            From their readme it seems like it was a weekend/side project for a "down and dirty" method to scan for vulnerabilities. From a cursory look at the original script, it doesn't do anything except report the vulnerability. It's entirely possible someone has copied the script and modified it to automatically infect a server (or create a backdoor).

              Or they might automate a spam operation to try and drum up some development work for the sites that exhibit the vulnerability.
