Looks like an SQL injection attempt.

...

Details and description of operation here [webmasterworld.com].

Jim

SQL Injection. I've getting 500-1200 new ones of these a day plus hundreds of hits on blocked IPs.

Easiest way to block them is on length of QueryString - they tend to be approx 1200 bytes so kill anything over, say, 800 bytes - fewer if possible. There are also a couple of recognisable UAs associated with the hits - MSIE-based, obviously - which can be used to pre-empt them.

Many thanks to all.

I don't use SQL or ASP.
Nor do my sites utilize and scripts or Java.

In some instances (IP Allowed) these requests are getting 200 responses and I'm not sure why?

Shouldn't the SQL injection requests result in a 404?

The 200/404 is surely under your control.

Unless you trap the QueryString and return an error code you will probably get a 200, even if the page is expecting a QueryString - unless you parse the string and return an error code on a bad string.

A page will only use the QueryString if it's expecting it - ie it's expecting parameters such as product ID or page ID and knows what to do with them when they arrive. If the page is not expecting a QueryString the unexpected parameters will be ignored, hence the 200.

If the page is not expecting a QueryString the unexpected parameters will be ignored, hence the 200.

Many thanks.

I've seen a mere four of these between two sites within the past 24 hours, with each request being duplicated.

Two ate 403's due to IP's, the other two resulted in 200's.

If you have dynamic pages (eg php, asp) then trap them - they might be able to cause a problem. I can't see it affecting plain html pages.

Trap on QueryString length, as I suggested, or on the SQL keywords DECLARE%20@S, VARCHAR, SET%20@S, =CAST(, EXEC(@S) (add in RegEx escapes for parentheses etc if needed). That will not necessarily stop all accesses from the IP, which requires UA/header traps, but it will stop the code. And obviously, if you do use a SQL database ensure the passed parameters are what you expect.

I have also recently seen allied code that's aimed at php sites and may be more dangerous, and since the QueryString is quite short it has to be detected on words. I've had a dozen of them this week (mainly ASP sites but some PHP). Keywords are DOCUMENT_ROOT (on its own) and _SERVER[DOCUMENT_ROOT] as used in php's _SERVER["DOCUMENT_ROOT"] but without the quotes shown in phpinfo (not sure how this works as I don't use php very much).

Another snippet that cropped up yesterday, and which is puzzling, is "prefix=http://" (with full url) added to the QueryString. I suspect this may be targetting some known kind of CMS.

Also, and this is also puzzling, %20%61%6E%64%20%31%3D%31 and its semi-decoded version '%20and%201=1%20and%20''=' - whether this is a broken sequence I'm not sure; doesn't make sense if it's not.