SQL injection? CHAR(45,120,49,45,81,45)

roo · Jul 3, 2013 · Viewed 18k times

I just saw this come up in our request logs. What were they trying to achieve?

The full request string is:

properties?page=2side1111111111111 UNION SELECT CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45),CHAR(45,120,52,45,81,45),CHAR(45,120,53,45,81,45),CHAR(45,120,54,45,81,45),CHAR(45,120,55,45,81,45),CHAR(45,120,56,45,81,45),CHAR(45,120,57,45,81,45),CHAR(45,120,49,48,45,81,45),CHAR(45,120,49,49,45,81,45),CHAR(45,120,49,50,45,81,45),CHAR(45,120,49,51,45,81,45),CHAR(45,120,49,52,45,81,45),CHAR(45,120,49,53,45,81,45),CHAR(45,120,49,54,45,81,45) -- /*

Edit: As a google search didn't return anything useful I wanted to ask the question for people who encounter the same thing.

Answer

Your Common Sense · Jul 3, 2013

This is just a test for injection. If an attacker can see xQs in the output then they'll know injection is possible.

There is no "risk" from this particular query.

A developer should pay no attention to whatever injection mechanisms, formats or meanings - these are none of his business.

There is only one cause for all the infinite number of injections - an improperly formatted query. As long as your queries are properly formatted then SQL injections are not possible. Focus on your queries rather than methods of SQL injection.
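To show how an analyst can read a log line like the one in the question, and why a properly parameterized query treats it as plain data, here is an added Python example (not code from the question or the answer; the log lines, the in-memory table and all function names are constructed for illustration, and the probe is shortened to three of its sixteen CHAR() calls):

```python
import re
import sqlite3
from typing import List, Tuple
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines: the first reproduces the probe from the
# question (shortened to three CHAR() calls), the second is an ordinary request.
LOG_LINES = [
    "GET /properties?page=2side1111111111111 UNION SELECT CHAR(45,120,49,45,81,45),"
    "CHAR(45,120,50,45,81,45),CHAR(45,120,49,54,45,81,45) -- /* HTTP/1.1",
    "GET /properties?page=3 HTTP/1.1",
]

CHAR_CALL = re.compile(r"CHAR\(([\d,\s]+)\)", re.IGNORECASE)
UNION_SELECT = re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.IGNORECASE)


def request_path(log_line: str) -> str:
    """Pull the request target out of a 'METHOD target HTTP/x.y' log line."""
    return log_line.split(" ", 1)[1].rsplit(" HTTP/", 1)[0]


def decode_char_calls(request: str) -> List[str]:
    """Turn every CHAR(n,n,...) call into the text it builds, so the analyst
    can see the column markers the probe expects the page to echo back."""
    return ["".join(chr(int(c)) for c in args.split(",") if c.strip())
            for args in CHAR_CALL.findall(request)]


def is_union_probe(request: str) -> bool:
    """Flag requests that splice a UNION SELECT into a query parameter."""
    return UNION_SELECT.search(request) is not None


def page_value(request: str) -> str:
    """Return the raw 'page' parameter exactly as the application receives it."""
    return parse_qs(urlsplit(request).query, keep_blank_values=True).get("page", [""])[0]


def lookup_by_page(page: str) -> List[Tuple[str]]:
    """Parameterized lookup against a constructed in-memory table: the bound
    value is data, never SQL, so the probe simply matches no row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE properties (page TEXT, title TEXT)")
    conn.executemany("INSERT INTO properties VALUES (?, ?)",
                     [("2", "Second page"), ("3", "Third page")])
    return conn.execute("SELECT title FROM properties WHERE page = ?", (page,)).fetchall()


if __name__ == "__main__":
    for line in LOG_LINES:
        req = request_path(line)
        print(is_union_probe(req), decode_char_calls(req), lookup_by_page(page_value(req)))
```

The decoded markers read -x1-Q-, -x2-Q- and so on, one per selected column, which is what the answer means by the attacker looking for "xQs" in the output.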