

Website Technology Issues Forum

Requests of URLs appended with '%22
What are they trying to do?

 11:46 pm on Jan 10, 2010 (gmt 0)

In one of the seemingly endless waves of attempts at messing with our query strings, I started seeing '%22 appended to the end of the URLs today.

What exactly are they trying to exploit?



 1:29 am on Jan 11, 2010 (gmt 0)

%22 is a URL-encoded quote mark (") - this is usually due to a malformed link.

For a list of URL-encoded characters, see here:



 2:57 am on Jan 11, 2010 (gmt 0)

It's not just a malformed link when it's a bot appending it to over 1,000 different pages.


 3:41 pm on Jan 11, 2010 (gmt 0)

In that case, it's just bad programming by the bot owner (not a surprise, they are spammers after all!) - their list of URLs was either parsed with the end quote (from reading
<a href="/my-page.html">), or they have generated a list of URLs but their regex is defective.

 10:33 pm on Jan 11, 2010 (gmt 0)

One second .... is there any other data with this query string?

Reason I ask is if you have a query like this

select * from table where field like "%$term"

A quote can do some serious damage.

$term = 'blah%22%20or%201=1%22';

Add those two together,

select * from table where field like "%blah" or 1=1"

And you have a basic mysql injection that displays all records from a given table.
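The concatenation pattern described in the post above, with a bound-parameter version beside it, as an added example that is not from the thread. It assumes a constructed in-memory SQLite table named `products` (the post's `table` and `field` are placeholders) and uses Python's `sqlite3` and `urllib.parse.unquote` to decode the query-string value the way a web server would before the application sees it; the unsafe query is only assembled as a string and never executed.

```python
import sqlite3
from urllib.parse import unquote

# Constructed sample data standing in for the post's "table" / "field".
SAMPLE_ROWS = [("blah",), ("safe blah",), ("other",)]


def make_db():
    """Build an in-memory SQLite table holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products (name) VALUES (?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def decode_term(raw):
    """Percent-decode the query-string value as the web server does
    before handing it to the script (%22 -> ", %20 -> space)."""
    return unquote(raw)


def build_query_unsafe(term):
    """The pattern from the post: the decoded term is spliced into the SQL
    text. Returned as a string only; deliberately never executed here."""
    return 'select * from products where name like "%' + term + '"'


def search_safe(conn, term):
    """Bound-parameter form: the term travels as data, so a quote inside
    it cannot close the string literal or add clauses to the statement."""
    return conn.execute(
        "SELECT name FROM products WHERE name LIKE ?", ("%" + term,)
    ).fetchall()


def demo():
    """Run the hostile value from the post through both code paths."""
    conn = make_db()
    hostile = decode_term("blah%22%20or%201=1%22")
    return {
        "decoded": hostile,
        "unsafe_sql": build_query_unsafe(hostile),
        "safe_hostile_rows": search_safe(conn, hostile),
        "safe_normal_rows": search_safe(conn, "blah"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)
```

With the parameterised query the hostile term simply becomes a LIKE pattern that matches nothing, while an ordinary term still finds its rows; the assembled unsafe string shows the quote closing the literal exactly as the post describes.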


 2:03 am on Jan 12, 2010 (gmt 0)

While we've certainly been the victim of SQL injection attacks, this time they only appended those characters to the URL.


 11:43 pm on Feb 3, 2010 (gmt 0)

It may be sending the quote just to test your server responses, to see if it is exploitable further.


 12:02 am on Feb 4, 2010 (gmt 0)

Encyclo's and Rocknbil's explanations are the most probable causes. If it is only the %22, then it is Encyclo's explanation; if there is a lot of other squirrelly stuff, then it is more likely to be Rocknbil's explanation.


 8:28 pm on Apr 19, 2010 (gmt 0)

Adding a quick single or double quote to the end of a dynamic URL is the most basic way to test for SQL injection. A page like:


will throw an error if the URL loaded is as follows (if there is not sufficient input validation):


They are scanning your site for weaknesses, my friend. Keeping a close eye on it would be my recommendation, and as always, fully sanitize user input.
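A defender-side check for the pattern the thread describes (one client appending an encoded quote to many different URLs), written here as an added example that is not from the thread. It runs a small Python scanner over constructed Apache-style access-log lines (RFC 5737 documentation addresses and invented paths), groups trailing-%22 / %27 requests by client IP, counts the distinct pages hit, and notes how many of those requests drew a 5xx, which is the response the post above says an unvalidated page would give.

```python
import re
from collections import defaultdict

# Constructed Apache combined-format lines; addresses are RFC 5737
# documentation ranges and the paths are invented for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Jan/2010:10:00:01 +0000] "GET /products.php?id=12%22 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [11/Jan/2010:10:00:02 +0000] "GET /about.html%22 HTTP/1.1" 404 210 "-" "Mozilla/4.0"
203.0.113.7 - - [11/Jan/2010:10:00:03 +0000] "GET /search.php?q=shoes%27 HTTP/1.1" 500 0 "-" "Mozilla/4.0"
198.51.100.4 - - [11/Jan/2010:10:01:00 +0000] "GET /products.php?id=12 HTTP/1.1" 200 5120 "http://example.com/" "Mozilla/5.0"
198.51.100.4 - - [11/Jan/2010:10:01:05 +0000] "GET /about.html HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

# client, timestamp, method, request target, status; the rest is ignored.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# A request target ending in an encoded double (%22) or single (%27) quote.
TRAILING_QUOTE_RE = re.compile(r"%(22|27)$", re.IGNORECASE)


def parse_line(line):
    """Return the fields we need from one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    return {"ip": ip, "time": ts, "method": method,
            "target": target, "status": int(status)}


def is_quote_probe(target):
    """True when the request target ends with an encoded quote character."""
    return TRAILING_QUOTE_RE.search(target) is not None


def summarize_probes(log_text):
    """Group trailing-quote requests by client: how many, how many distinct
    pages, and how many drew a 5xx. A server error on such a request is the
    case worth handing to the application owner for input-handling review."""
    by_ip = defaultdict(lambda: {"count": 0, "paths": set(), "server_errors": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_quote_probe(rec["target"]):
            continue
        entry = by_ip[rec["ip"]]
        entry["count"] += 1
        # Page identity: drop the query string and the trailing encoded quote.
        page = TRAILING_QUOTE_RE.sub("", rec["target"].split("?", 1)[0])
        entry["paths"].add(page)
        if 500 <= rec["status"] < 600:
            entry["server_errors"] += 1
    return {
        ip: {"count": e["count"],
             "distinct_paths": len(e["paths"]),
             "server_errors": e["server_errors"]}
        for ip, e in by_ip.items()
    }


if __name__ == "__main__":
    for ip, summary in summarize_probes(SAMPLE_LOG).items():
        print(ip, summary)
```

Feed it the real log instead of SAMPLE_LOG and the client that touched over a thousand pages stands out immediately; the server_errors column is the part to act on, since a 5xx on a quote-terminated request points at a page whose input handling needs the parameterised fix rather than just a firewall rule.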

© Webmaster World 1996-2014 all rights reserved