48

Looking through error logs I found lots of requests to a web-app where the URL contains:

`/if(now()=sysdate(),sleep(10),0)/*'XOR(if(now()=sysdate(),sleep(10),0))OR'"XOR(if(now()=sysdate(),sleep(10),0))OR"*/`

I read that this could be part of an attack on websites developed in PHP, which we don't use. Also, we're using an ORM to query our databases.

So is this an SQL injection attempt?

Jens Erat
Tony
  • Not an answer to your question as such but PHP does not have sysdate() or now() functions so it could not be that. – Roy Aug 04 '15 at 14:49
  • @Roy: That is not true. Bad PHP code is the vulnerable mechanism, but the payload ultimately goes to (say) MySQL in order to enact the exploit, and MySQL certainly has both functions. – Lightness Races in Orbit Aug 05 '15 at 11:22
  • @LightnessRacesinOrbit That's not limited to PHP though, any language capable of interacting with MySQL is vulnerable. There's no reason to finger PHP specifically in this case. – Roy Aug 05 '15 at 12:01
  • @Roy: Indeed; however, SQL injection bugs in crappy PHP code are overwhelmingly more common than in other software, so attacks (at least in my experience) overwhelmingly target PHP scripts. The OP seems to think PHP is to blame: I will join you in suggesting that this is, however, a leap. – Lightness Races in Orbit Aug 05 '15 at 13:09
  • `if(now()=sysdate(),sleep(10),0)/*'XOR(if(now()=sysdate(),sleep(10),0))OR'"XOR(if(now()=sysdate(),sleep(10),0))OR"*/` I found something similar in my db after a huge attack that virtually destroyed my website. Things are fixed now but the damage was big. Security is a priority for us now. – Regis Jul 20 '16 at 20:25

2 Answers

62

This is most likely a blind SQL injection, testing whether you're vulnerable to SQL Injection by checking whether your server takes the specified time or more to reply to the request. This is not actually doing any data edit nor exposing anything; it's just checking whether you're vulnerable.

It's also worth noting that this specifically targets MySQL databases, as the `if` and `sleep` syntaxes are the ones of that db engine.

If the attack is isolated, you were probably "probed" by an automated vulnerability scanner that is preparing a large-scale attack, so if your webapp is not vulnerable you have nothing to worry about.

However, if you receive more weird requests with different attack patterns, you could be the specific target of those attackers, and should take actions to prevent all attacks that may succeed.

See Time-Based Blind SQL Injection Attacks for more information.

TRiG
BgrWorker
10

The data you've posted there appears to be similar to what an attacker might use for finding blind SQL Injection issues.

A common technique for finding these issues is to have a conditional test which, if true, causes a timeout or sleep function to run. That way the attacker can tell whether it was successful by observing how long it takes the site to respond (although it's worth noting that this technique can be a bit error prone if the site either doesn't respond at all or responds slowly for another, unrelated, reason).

The code you've mentioned seems to be doing that kind of logical test followed by a sleep statement, so it could well be an attempt to exploit SQL Injection. Some types of attacker will blast these out widely looking for hits so it may not be a very targeted attack and hence not likely to work on your site.

Rory McCune
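An added example, not part of the question or of either answer: a log triage check built on the timing signal both answers describe. It finds requests carrying a `sleep(N)` probe and compares the recorded response time with N. The log format (nginx-style, with the request duration in seconds as the last field), the sample lines and the function name `classify` are assumptions made for this illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (not from the post). Assumed format: nginx-style
# access log with the request duration in seconds as the last field.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Aug/2015:14:01:10 +0000] "GET /items/42 HTTP/1.1" 200 512 0.041
203.0.113.7 - - [04/Aug/2015:14:01:12 +0000] "GET /items/if(now()=sysdate(),sleep(10),0)/*'XOR(if(now()=sysdate(),sleep(10),0))OR'%22XOR(if(now()=sysdate(),sleep(10),0))OR%22*/ HTTP/1.1" 404 162 0.038
198.51.100.23 - - [04/Aug/2015:14:03:40 +0000] "GET /search?q=1'XOR(if(now()=sysdate(),sleep%2810%29,0))OR' HTTP/1.1" 200 1024 10.212
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) .*?"\S+ (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ (?P<secs>[\d.]+)$')
SLEEP_RE = re.compile(r"sleep\s*\(\s*(\d+(?:\.\d+)?)\s*\)", re.IGNORECASE)


def classify(log_text):
    """Return (ip, status, requested_delay, duration, verdict) per sleep() probe."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Decode twice so percent-encoded and double-encoded parentheses match.
        url = unquote(unquote(m["url"]))
        delays = [float(d) for d in SLEEP_RE.findall(url)]
        if not delays:
            continue
        delay, took = min(delays), float(m["secs"])
        # A reply that took at least the requested delay suggests the sleep()
        # may have reached the database. A server that is slow for unrelated
        # reasons gives the same signal, so this is a lead, not proof.
        verdict = "investigate" if took >= delay else "probe-only"
        findings.append((m["ip"], m["status"], delay, took, verdict))
    return findings


if __name__ == "__main__":
    for finding in classify(SAMPLE_LOG):
        print(finding)
```

Requests marked `investigate` are the ones to trace through the application and database logs; `probe-only` entries returned quickly, which is what a site that is not vulnerable to this probe would show.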