Requests of URLs appended with '%22 What are they trying to do? woop01
In one of the seemingly endless waves of attempts at messing with our query strings, I started seeing '%22 appended to the end of the URLs today.
What exactly are they trying to exploit?
%22 is a URL-encoded quote mark ( " ) - this is usually due to a malformed link.
For a list of URL-encoded characters, see here:
It's not just a malformed link when it's a bot appending it to over 1,000 different pages. encyclo
In that case, it's just bad programming by the bot owner (not a surprise, they are spammers after all!) - their list of URLs was either parsed with the end quote (from reading
), or they have generated a list of URLs but their regex is defective.
One second... is there any other data with this query string?
Reason I ask is if you have a query like this
select * from table where field like "%$term"
A quote can do some serious damage.
$term = 'blah%22%20or%201=1%22';
Add those two together,
select * from table where field like "%blah" or 1=1"
And you have a basic mysql injection that displays all records from a given table.
While we've certainly been the victim of SQL injection attacks, this time they only appended those characters to the URL. chasehx
It may be sending the quote to just test your server responses... See if it is exploitable further. KenB
Encyclo's and Rocknbil's explanations are the most probable causes. If it is only the %22, then it is Encyclo's explanation; if there is a lot of other squirrelly stuff, then it is more likely to be Rocknbil's explanation. chasehx
Adding a quick single or double quote to the end of a dynamic URL is the most basic way to test for SQL injection. A page like: mysite.com/news.php?story=23 will throw an error if the URL loaded is as follows (if there is not sufficient input validation): mysite.com/news.php?story=23' They are scanning your site for weaknesses, my friend. Keep a close eye on it would be my recommendation, and, as always, fully sanitize user input.