homepage Welcome to WebmasterWorld Guest from 54.224.75.101
register, login, search, subscribe, help, library, PubCon, announcements, recent posts, open posts,
Subscribe to WebmasterWorld
Visit PubCon.com
Home / Forums Index / Hardware and OS Related Technologies / Website Technology Issues
Forum Library : Charter : Moderators: phranque

Website Technology Issues Forum

    
Requests of URLs appended with '%22
What are they trying to do?
woop01




msg:4057976		 11:46 pm on Jan 10, 2010 (gmt 0)

In one of the seemingly endless waves of attempts at messing with our query strings, I started seeing '%22 appended to the end of the URLs today.

What exactly are they trying to exploit?

 

encyclo




msg:4058019		 1:29 am on Jan 11, 2010 (gmt 0)

%22 is an URL-encoded quote mark (") - this is usually due to a malformed link.

For a list of URL-encoded characters, see here:

[w3schools.com...]

woop01




msg:4058072		 2:57 am on Jan 11, 2010 (gmt 0)

It's not just a malformed link when it's a bot appending it to over 1,000 different pages.
encyclo




msg:4058350		 3:41 pm on Jan 11, 2010 (gmt 0)

In that case, it's just bad programming by the bot owner (not a surprise, they are spammers after all!) - their list of URLs was either parsed eith the end quote (from reading <a href="[b]/my-page.html"[/b]>), or they have generated a list of URLs but their regex is defective.
rocknbil




msg:4058677		 10:33 pm on Jan 11, 2010 (gmt 0)

One second .... is there any other data with this query string?

Reason I ask is if you have a query like this

select * from table where field like "%$term"

A quote can do some serious damage.

$term = 'blah%22%20or%201=1%22';

Add those two together,

select * from table where field like "%blah" or 1=1"

And you have a basic mysql injection that displays all records from a given table.

woop01




msg:4058774		 2:03 am on Jan 12, 2010 (gmt 0)

While we've certainly been the vicitm of SQL injection attacks, this time they only appended those characters to the URL.
chasehx




msg:4073941		 11:43 pm on Feb 3, 2010 (gmt 0)

it may be sending the quote to just test your server responses... See if it is exploitable further..
KenB




msg:4073950		 12:02 am on Feb 4, 2010 (gmt 0)

Encyclo's and Rocknbil's explanations are the most probable causes. If it is only the %22, then it is Encyclo's explanation if there is a lot of other squirrelly stuff then it is more likely to be Rocknbil's explanation
chasehx




msg:4118377		 8:28 pm on Apr 19, 2010 (gmt 0)

Adding a quick single or double quote to the end of a dynamic URL is the most basic way to test for SQL injection. A page like:

mysite.com/news.php?story=23

will throw an error if the url loaded is as follows(if there is not sufficient input validation):

mysite.com/news.php?story=23'

They are scanning your site for weaknesses my friend. Keep a close eye on it would be my recommendation, and as always, fully sanitize user input.
Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Hardware and OS Related Technologies / Website Technology Issues
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About
WebmasterWorld ® and PubCon ® are a Registered Trademarks of Pubcon Inc.
© Pubcon Inc. 1996-2012 all rights reserved