What is the SQL value of 0xForceB7D7E?

Question

What is the SQL value of 0xForceB7D7E?

Looking through several apache logs, I ran the following pattern several times (URL decryption):

GET /foo.php?id=1 and union select 0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,... --

Obviously, this is an attempt at SQL injection. But why is the constant shown above? I do not see how this can be particularly significant, although it seems that it appears quite often.

For what it's worth, the above constant displays the following ASCII characters: " ^[}~ " or " ~}[^ " if you reverse the byte order. The value in decimal value is 1,583,054,206 , in octal 013626676576 - 013626676576 . The code does not seem to match the useful x86 instruction sequence.

A Google search simply shows the remnants of attempts to use the same SQL injection attack on other sites - no information about the attack itself.

Does anyone have an understanding?

+7

security sql sql-injection

tylerl Oct 20 '10 at 2:17

source share

1 answer

rook · Accepted Answer · 2010-10-20T04:21:51+0000

This value is a unique identifier. If the value " ^[}~ " appears on the page, the bot knows that you are vulnerable to SQL injection, where, as if the value " 0x5E5B7D7 " appeared, it was not interpreted by your SQL server. This SQL injection test probably starts with only one 0xForceB7D7E, and then continues to a predetermined number of them. This is due to the fact that when choosing union, the union must return the same number of columns as when choosing which it joins, and the bot must reset this value.

Note that this test will not work with blind sql processing, because the value " ^[}~ " will not be visible. A blind sql injection test for mysql will enter a call to sleep(30) or BENCHMARK(5000000,md5(1337)) . This will make the page load for a few seconds, which means that this sql code is executing.

What is the SQL value of 0xForceB7D7E?

More articles: