
SQL injection?


Seen a few exceptions with this kind of param in the request over the weekend. 

?q=die('z!a'.'x');&w=die('z!a'.'x');&e=die('z!a'.'x');&r=die('z!a'.'x');&t=die('z!a'.'x');&y=die('z!a'.'x');&u=die('z!a'.'x');&i=die('z!a'.'x');&o=die('z!a'.'x');&p=die('z!a'.'x');&a=die('z!a'.'x');&s=die('z!a'.'x');&d=die('z!a'.'x');&f=die('z!a'.'x');&g=die('z!a'.'x');&h=die('z!a'.'x');&j=die('z!a'.'x');&k=die('z!a'.'x');&l=die('z!a'.'x');&z=die('z!a'.'x');&x=die('z!a'.'x');&c=die('z!a'.'x');&v=die('z!a'.'x');&b=die('z!a'.'x');&n=die('z!a'.'x');&m=die('z!a'.'x');&eval=die('z!a'.'x');&enter=die('z!a'.'x');

Looks like a SQL injection? But why is he trying to insert a die statement? What could it do for him?

3 REPLIES

Re: SQL injection?

We received a similar request a few days ago in our .NET app. This question is one of the two results on Google for this possible attack. From what we can determine, it's not really worth worrying about, especially if your server is configured properly and your application is hardened against XSS and SQL attacks.

 

Re: SQL injection?

This request was made to my site (non-Magento) as well...

I do not think that this is an SQL-based attack. Rather, I think it is an XSS JavaScript-based attack. The request is minified JS which unminifies to:

die('z!a'.
    'x'); & w = die('z!a'.
    'x'); & e = die('z!a'.
    'x'); & r = die('z!a'.
    'x'); & t = die('z!a'.
    'x'); & y = die('z!a'.
    'x'); & u = die('z!a'.
    'x'); & i = die('z!a'.
    'x'); & o = die('z!a'.
    'x'); & p = die('z!a'.
    'x'); & a = die('z!a'.
    'x'); & s = die('z!a'.
    'x'); & d = die('z!a'.
    'x'); & f = die('z!a'.
    'x'); & g = die('z!a'.
    'x'); & h = die('z!a'.
    'x'); & j = die('z!a'.
    'x'); & k = die('z!a'.
    'x'); & l = die('z!a'.
    'x'); & z = die('z!a'.
    'x'); & x = die('z!a'.
    'x'); & c = die('z!a'.
    'x'); & v = die('z!a'.
    'x'); & b = die('z!a'.
    'x'); & n = die('z!a'.
    'x'); & m = die('z!a'.
    'x'); & eval = die('z!a'.
    'x'); & enter = die('z!a'.
    'x');

I think that "die" is a variable of a malicious JS file which it hopes to interact with.

Just a thought.

Re: SQL injection?

https://www.w3schools.com/php/func_misc_die.asp

 

I have received this as well over HTTP
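
Added example, not part of any post in this thread: `die()` is the PHP function linked in the last reply and `.` is PHP string concatenation, so the value is PHP code sent under 28 different parameter names. The Python sketch below flags that pattern in request URLs pulled from an access log; the function names, the threshold, the keyword list and the path `/` are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Value that is nothing but a PHP-style call, e.g. die('z!a'.'x');
# The function names listed are an assumed sample, not a complete list.
PHP_CALL = re.compile(
    r"^\s*(die|exit|eval|assert|system|phpinfo)\s*\(.*\)\s*;?\s*$", re.I | re.S)
MIN_PARAMS = 5  # assumed threshold: same value under this many names

def find_param_spray(url):
    """Return {'value', 'params'} if one code-like value is repeated
    under many parameter names in the query string, else None."""
    query = urlsplit(url).query
    # Split on '&' only, so the ';' ending each value stays in the value.
    pairs = parse_qsl(query, keep_blank_values=True, separator="&")
    names_by_value = defaultdict(list)
    for name, value in pairs:
        names_by_value[value].append(name)
    for value, names in names_by_value.items():
        if len(names) >= MIN_PARAMS and PHP_CALL.match(value):
            return {"value": value, "params": names}
    return None

# Constructed sample input: the request from the question rebuilt under an
# assumed path "/", plus two ordinary requests for contrast.
NAMES = list("qwertyuiopasdfghjklzxcvbnm") + ["eval", "enter"]
PROBE = "/?" + "&".join(f"{n}=die('z!a'.'x');" for n in NAMES)
SAMPLES = [
    PROBE,
    "/search?q=die+cast+model",       # the word "die" in a normal search
    "/list?a=1&b=1&c=1&d=1&e=1&f=1",  # repeated value, but not code
]

def scan(urls):
    """Return (url, params) for every URL that matches the pattern."""
    hits = []
    for url in urls:
        finding = find_param_spray(url)
        if finding:
            hits.append((url, finding["params"]))
    return hits

if __name__ == "__main__":
    for url, params in scan(SAMPLES):
        print(f"{len(params)} parameters share one code-like value: {url[:50]}...")
```
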