[thelist] Website Hacked?
Chris Anderson
Chris at activeide.com
Sat May 24 18:01:26 CDT 2008
> The more sophisticated hackers will encode their SQL statements like
> this:
>
> Store.asp?id=300;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x444
> 5204054205641524348415228323535292C404320564152434841522832353529
> 204445434C415245205461626C655F437572736F7220435552534F5220464F522
> 2736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20
> VARCHAR(4000));EXEC(@S);
Some go further and URL-encode *every* character (so DECLARE becomes
%44%45%43%4C%41%52%45) to get around people checking for "SELECT",
"EXEC", etc.
However, if you pass the 300 using a parameter that's configured as an Int,
it should never hit the database anyway (so if you are using
parameterised queries, you probably need to look elsewhere).
Chris
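The two points in the reply above, the keyword check that the encoding defeats and the Int-typed parameter that stops the request before it reaches the database, as an added example that is not part of the original post. It is Python with an in-memory SQLite table standing in for the ASP/SQL Server stack the post is about; the payload is constructed here to mirror the quoted shape (everything percent-encoded, the real SQL hidden in a CAST(0x... AS VARCHAR) literal) and is not copied from a real attack log. The function names, the `products` table and the keyword list are assumptions made for the example.

```python
"""Decode the obfuscated payload style quoted in the post and show why a
typed parameter stops it.  Added example, not code from the original post;
the sample input below is constructed, not taken from a real attack."""
import re
import sqlite3
from urllib.parse import unquote

# Constructed sample: the SQL the attacker actually wants to run is hidden
# inside a CAST(0x... AS VARCHAR) so "DECLARE"/"EXEC" never appear literally,
# and then the whole query-string value is percent-encoded byte by byte.
INNER_SQL = "DECLARE @T VARCHAR(255);SET @T='x';EXEC(@T)"
HEX_BLOB = INNER_SQL.encode("ascii").hex().upper()
PAYLOAD = ("300;DECLARE @S VARCHAR(4000);SET @S=CAST(0x%s AS VARCHAR(4000));"
           "EXEC(@S);" % HEX_BLOB)
ENCODED_ID = "".join("%%%02X" % b for b in PAYLOAD.encode("ascii"))

HEX_LITERAL = re.compile(r"0x([0-9A-Fa-f]+)")

def normalise(value: str) -> str:
    """Percent-decode until the value stops changing, then replace every
    0x... literal with the text it encodes, so a keyword check sees what
    the database would see."""
    prev = None
    while prev != value:
        prev, value = value, unquote(value)

    def expand(match):
        try:
            return bytes.fromhex(match.group(1)).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            return match.group(0)  # odd length or non-text: leave as-is

    return HEX_LITERAL.sub(expand, value)

# Hypothetical keyword list for the naive blacklist the post describes.
SQL_KEYWORDS = ("DECLARE", "EXEC", "CAST", "CURSOR", "SELECT")

def suspicious_keywords(value: str) -> list:
    """Keywords that are only visible once the value has been normalised."""
    text = normalise(value).upper()
    return [k for k in SQL_KEYWORDS if k in text]

def parse_int_id(value: str):
    """What an Int-typed parameter enforces: a string of digits or nothing.
    The server percent-decodes the query string once before we see it."""
    decoded = unquote(value)
    if not re.fullmatch(r"-?\d+", decoded):
        return None
    return int(decoded)

def lookup_product(raw_id: str):
    """Parameterised lookup on an in-memory table (constructed data). The id
    is bound as a value, never concatenated into the SQL text, and anything
    that is not an integer is rejected before a query is even built."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO products VALUES (300, 'widget')")
    pid = parse_int_id(raw_id)
    if pid is None:
        return None
    row = conn.execute("SELECT name FROM products WHERE id = ?", (pid,)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    print("literal DECLARE present:", "DECLARE" in ENCODED_ID.upper())
    print("after normalising:", suspicious_keywords(ENCODED_ID))
    print("typed lookup of payload:", lookup_product(ENCODED_ID))
    print("typed lookup of 300:", lookup_product("300"))
```

Running it shows the literal keyword check finding nothing in the encoded value while `suspicious_keywords` reports DECLARE, EXEC and CAST after decoding both layers; `lookup_product` returns the row for `300` and rejects the payload without ever building a query, which is the "look elsewhere" point in the reply.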