
Website Technology Issues Forum

    
Requests of URLs appended with '%22
What are they trying to do?
woop01




msg:4057976
 11:46 pm on Jan 10, 2010 (gmt 0)

In one of the seemingly endless waves of attempts at messing with our query strings, I started seeing '%22 appended to the end of the URLs today.

What exactly are they trying to exploit?

 

encyclo




msg:4058019
 1:29 am on Jan 11, 2010 (gmt 0)

%22 is an URL-encoded quote mark (") - this is usually due to a malformed link.

For a list of URL-encoded characters, see here:

[w3schools.com...]

woop01




msg:4058072
 2:57 am on Jan 11, 2010 (gmt 0)

It's not just a malformed link when it's a bot appending it to over 1,000 different pages.

encyclo




msg:4058350
 3:41 pm on Jan 11, 2010 (gmt 0)

In that case, it's just bad programming by the bot owner (not a surprise, they are spammers after all!) - their list of URLs was either parsed with the end quote (from reading <a href="[b]/my-page.html"[/b]>), or they have generated a list of URLs but their regex is defective.
rocknbil




msg:4058677
 10:33 pm on Jan 11, 2010 (gmt 0)

One second .... is there any other data with this query string?

Reason I ask is if you have a query like this

select * from table where field like "%$term"

A quote can do some serious damage.

$term = 'blah%22%20or%201=1%22';

Add those two together,

select * from table where field like "%blah" or 1=1"

And you have a basic MySQL injection that displays all records from a given table.

woop01




msg:4058774
 2:03 am on Jan 12, 2010 (gmt 0)

While we've certainly been the victim of SQL injection attacks, this time they only appended those characters to the URL.

chasehx




msg:4073941
 11:43 pm on Feb 3, 2010 (gmt 0)

It may be sending the quote to just test your server responses... See if it is exploitable further.

KenB




msg:4073950
 12:02 am on Feb 4, 2010 (gmt 0)

Encyclo's and Rocknbil's explanations are the most probable causes. If it is only the %22, then it is Encyclo's explanation; if there is a lot of other squirrelly stuff, then it is more likely to be Rocknbil's explanation.

chasehx




msg:4118377
 8:28 pm on Apr 19, 2010 (gmt 0)

Adding a quick single or double quote to the end of a dynamic URL is the most basic way to test for SQL injection. A page like:

mysite.com/news.php?story=23

will throw an error if the URL loaded is as follows (if there is not sufficient input validation):

mysite.com/news.php?story=23'

They are scanning your site for weaknesses, my friend. Keep a close eye on it would be my recommendation, and as always, fully sanitize user input.
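
Added example, not part of any post in this thread: a Python sketch of the log triage the replies suggest, separating requests that carry only a trailing quote from those with SQL after the quote, and listing quote requests the server answered with a 5xx. The Apache-style log format, the IP addresses, the paths and the function names are assumptions made for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines in Apache combined-log style (not from the thread).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2010:23:40:01 +0000] "GET /widgets.html%22 HTTP/1.1" 404 512
203.0.113.5 - - [10/Jan/2010:23:40:02 +0000] "GET /about.html%22 HTTP/1.1" 404 512
203.0.113.5 - - [10/Jan/2010:23:40:03 +0000] "GET /news.php?story=23%22 HTTP/1.1" 200 4096
198.51.100.9 - - [10/Jan/2010:23:41:10 +0000] "GET /search.php?term=blah%22%20or%201=1%22 HTTP/1.1" 200 9000
198.51.100.9 - - [10/Jan/2010:23:41:12 +0000] "GET /news.php?story=23' HTTP/1.1" 500 300
192.0.2.44 - - [10/Jan/2010:23:42:00 +0000] "GET /news.php?story=23 HTTP/1.1" 200 4096
"""

REQUEST = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3})')
# A quote followed by an SQL keyword is more than a stray quote from a bad link.
SQL_AFTER_QUOTE = re.compile(r"""['"]\s*(?:or|and|union|select)\b""", re.I)

def classify(target):
    """Return None, 'trailing-quote' or 'sql-payload' for one request target."""
    decoded = unquote(target)  # %22 -> ", %27 -> '
    if SQL_AFTER_QUOTE.search(decoded):
        return "sql-payload"
    if decoded.endswith(("'", '"')):
        return "trailing-quote"
    return None  # no quote, or quotes this sketch does not cover

def triage(log_text):
    """Group quote-bearing requests by client: counts, distinct paths, 5xx hits."""
    report = defaultdict(lambda: {"trailing-quote": 0, "sql-payload": 0,
                                  "paths": set(), "errors": []})
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        kind = classify(target)
        if kind is None:
            continue
        entry = report[client]
        entry[kind] += 1
        entry["paths"].add(unquote(target).split("?")[0].rstrip("'\""))
        if status.startswith("5"):  # the page errored on a quote: review its input handling
            entry["errors"].append(target)
    return dict(report)

if __name__ == "__main__":
    for client, entry in triage(SAMPLE_LOG).items():
        print(client, entry)
```

Any URL that shows up under `errors` is a page where a bare quote reached code that could not handle it, so that is where input handling should be reviewed first.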
