Recently our site has been deluged with the resurgence of the Asprox botnet SQL injection attack. Without going into details, the attack attempts to execute SQL code by encoding the T-SQL commands in an ASCII encoded BINARY string. It looks something like this:

DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x44004500...06F007200%20AS%20NVARCHAR(4000));EXEC(@S);--

I was able to decode this in SQL, but I was a little wary of doing this since I didn't know exactly what was happening at the time.

I tried to write a simple decode tool, so I could decode this type of text without even touching SQL Server. The main part I need to be decoded is:

CAST(0x44004500...06F007200 AS
NVARCHAR(4000))

I've tried all of the following commands with no luck:

txtDecodedText.Text =
    System.Web.HttpUtility.UrlDecode(txtURLText.Text);
txtDecodedText.Text =
    Encoding.ASCII.GetString(Encoding.ASCII.GetBytes(txtURLText.Text));
txtDecodedText.Text =
    Encoding.Unicode.GetString(Encoding.Unicode.GetBytes(txtURLText.Text));
txtDecodedText.Text =
    Encoding.ASCII.GetString(Encoding.Unicode.GetBytes(txtURLText.Text));
txtDecodedText.Text =
    Encoding.Unicode.GetString(Convert.FromBase64String(txtURLText.Text));

What is the proper way to translate this encoding without using SQL Server? Is it possible? I'll take VB.NET code since I'm familiar with that too.


Okay, I'm sure I'm missing something here, so here's where I'm at.

Since my input is a basic string, I started with just a snippet of the encoded portion - 4445434C41 (which translates to DECLA) - and the first attempt was to do this...

txtDecodedText.Text = Encoding.UTF8.GetString(Encoding.UTF8.GetBytes(txtURL.Text));

...and all it did was return the exact same thing that I put in, since it converted each character into a byte.

I realized that I need to parse every two characters into a byte manually since I don't know of any methods yet that will do that, so now my little decoder looks something like this:

// Declarations implied by the snippet: one output byte per pair of input characters.
byte[] bytURL = new byte[txtURLText.Text.Length / 2];
byte bytURLChar;
int intParseIndex = 0;
int intURLIndex = 0;
bool boolIsDone = false;

while (!boolIsDone)
{
    // byte.Parse uses NumberStyles.Integer (decimal digits only) by default,
    // so a pair such as "4C" throws a FormatException, as described below.
    bytURLChar = byte.Parse(txtURLText.Text.Substring(intParseIndex, 2));
    bytURL[intURLIndex] = bytURLChar;
    intParseIndex += 2;
    intURLIndex++;

    if (txtURLText.Text.Length - intParseIndex < 2)
    {
        boolIsDone = true;
    }
}

txtDecodedText.Text = Encoding.UTF8.GetString(bytURL);

Things look good for the first couple of pairs, but then the loop balks when it gets to the "4C" pair and says that the string is in the incorrect format.

Interestingly enough, when I step through the debugger and to the GetString method on the byte array that I was able to parse up to that point, I get ",-+" as the result.

How do I figure out what I'm missing - do I need to do a "direct cast" for each byte instead of attempting to parse it?

  • Yeah, I would definitely start by using SQL parameters, if you aren't already. Commented Aug 2, 2008 at 1:33
  • See my answer here: http://stackoverflow.com/questions/32412/whats-the-best-way-of-cleaning-up-after-a-sql-injection#32422 Commented Sep 10, 2008 at 18:07
  • I did my best to try and sort some of the 'answers' out; however, most of them simply aren't answers. Hence, converting other non-answers to comments on non-answers wasn't possible, so those were converted to comments. If I got anything incorrect, please let me know. Commented Aug 10, 2011 at 6:21

2 Answers

I went back to Michael's post, did some more poking and realized that I did need to do a double conversion, and eventually worked out this little nugget:

Convert.ToString(Convert.ToChar(Int32.Parse(EncodedString.Substring(intParseIndex, 2), System.Globalization.NumberStyles.HexNumber)));

From there I simply made a loop to go through all the characters 2 by 2 and get them "hexified" and then translated to a string.

To Nick, and anybody else interested, I went ahead and posted my little application over in CodePlex. Feel free to use/modify as you need.

Try removing the 0x first and then call Encoding.UTF8.GetString. I think that may work.

Essentially: 0x44004500

Remove the 0x, and then always two bytes are one character:

44 00 = D

45 00 = E

6F 00 = o

72 00 = r

So it's definitely a Unicode/UTF format with two bytes/character.
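The following is an added example, not code from the question or from either answer, that puts the two answers together into one decoder: it URL-decodes the request fragment shown in the question, extracts the hex literal from CAST(0x... AS NVARCHAR(...)), parses each pair of hex digits as a byte (which is where the asker's byte.Parse loop failed, since byte.Parse only accepts decimal digits), and decodes the bytes as UTF-16LE, the encoding SQL Server uses for NVARCHAR and which .NET exposes as Encoding.Unicode. The class and method names are my own, and the sample payload is constructed: a short hex run spelling "DECLARE" in place of the several-thousand-digit literal a real request carries.

```csharp
using System;
using System.Text;
using System.Text.RegularExpressions;

// Hypothetical helper for analysing captured requests offline; not part of the page's code.
public static class AsproxPayloadDecoder
{
    // Matches the hex literal inside CAST(0x... AS NVARCHAR(...)) after URL decoding.
    private static readonly Regex CastHex = new Regex(
        @"CAST\s*\(\s*0x(?<hex>[0-9A-Fa-f]+)\s+AS\s+NVARCHAR",
        RegexOptions.IgnoreCase);

    // Turns "44004500" into { 0x44, 0x00, 0x45, 0x00 }.
    // Convert.ToByte(s, 16) parses the pair as hexadecimal, so "4C" is accepted.
    public static byte[] HexToBytes(string hex)
    {
        if (hex.Length % 2 != 0)
            throw new FormatException("Hex literal must have an even number of digits.");

        var bytes = new byte[hex.Length / 2];
        for (int i = 0; i < bytes.Length; i++)
            bytes[i] = Convert.ToByte(hex.Substring(i * 2, 2), 16);
        return bytes;
    }

    // NVARCHAR is UTF-16LE, i.e. Encoding.Unicode. Encoding.UTF8 would instead
    // turn every 0x00 high byte into a NUL character between the letters.
    public static string DecodeHexLiteral(string hex) =>
        Encoding.Unicode.GetString(HexToBytes(hex));

    // Takes the raw query-string fragment (still %20-encoded), URL-decodes it,
    // locates the hex literal and returns the T-SQL it hides.
    public static string DecodeRequest(string rawQueryString)
    {
        string decoded = Uri.UnescapeDataString(rawQueryString);
        Match m = CastHex.Match(decoded);
        if (!m.Success)
            throw new FormatException("No CAST(0x... AS NVARCHAR) literal found.");
        return DecodeHexLiteral(m.Groups["hex"].Value);
    }

    public static void Main()
    {
        // Constructed sample: the UTF-16LE bytes of "DECLARE", wrapped the way the
        // request in the question wraps its literal.
        const string hexForDeclare = "4400450043004C00410052004500";
        string request = "DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x" + hexForDeclare +
                         "%20AS%20NVARCHAR(4000));EXEC(@S);--";

        Console.WriteLine(DecodeRequest(request));
        Console.WriteLine(DecodeHexLiteral("44004500"));
    }
}
```

DecodeHexLiteral is the piece that answers the question as asked (the bare CAST fragment with 0x stripped), while DecodeRequest handles the whole URL-encoded statement as it appears in a web server log, which is the more useful form when reviewing what a blocked request would have executed.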
