Welcome to WebmasterWorld Guest from 54.234.114.182

Forum Moderators: phranque

Message Too Old, No Replies

Requests of URLs appended with '%22

What are they trying to do?

     
11:46 pm on Jan 10, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Feb 25, 2003
posts:972
votes: 0


In one of the seemingly endless waves of attempts at messing with our query strings, I started seeing '%22 appended to the end of the URLs today.

What exactly are they trying to exploit?

1:29 am on Jan 11, 2010 (gmt 0)

Senior Member from CA 

WebmasterWorld Senior Member encyclo is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Aug 31, 2003
posts:9068
votes: 4


%22
is an URL-encoded quote mark (") - this is usually due to a malformed link.

For a list of URL-encoded characters, see here:

[w3schools.com...]

2:57 am on Jan 11, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Feb 25, 2003
posts:972
votes: 0


It's not just a malformed link when it's a bot appending it to over 1,000 different pages.
3:41 pm on Jan 11, 2010 (gmt 0)

Senior Member from CA 

WebmasterWorld Senior Member encyclo is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Aug 31, 2003
posts:9068
votes: 4


In that case, it's just bad programming by the bot owner (not a surprise, they are spammers after all!) - their list of URLs was either parsed eith the end quote (from reading
<a href="[b]/my-page.html"[/b]>
), or they have generated a list of URLs but their regex is defective.
10:33 pm on Jan 11, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member rocknbil is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Nov 28, 2004
posts:7999
votes: 0


One second .... is there any other data with this query string?

Reason I ask is if you have a query like this

select * from table where field like "%$term"

A quote can do some serious damage.

$term = 'blah%22%20or%201=1%22';

Add those two together,

select * from table where field like "%blah" or 1=1"

And you have a basic mysql injection that displays all records from a given table.

2:03 am on Jan 12, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Feb 25, 2003
posts:972
votes: 0


While we've certainly been the vicitm of SQL injection attacks, this time they only appended those characters to the URL.
11:43 pm on Feb 3, 2010 (gmt 0)

Junior Member

5+ Year Member

joined:Nov 17, 2009
posts:41
votes: 0


it may be sending the quote to just test your server responses... See if it is exploitable further..
12:02 am on Feb 4, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Nov 24, 2003
posts:729
votes: 0


Encyclo's and Rocknbil's explanations are the most probable causes. If it is only the %22, then it is Encyclo's explanation if there is a lot of other squirrelly stuff then it is more likely to be Rocknbil's explanation
8:28 pm on Apr 19, 2010 (gmt 0)

Junior Member

5+ Year Member

joined:Nov 17, 2009
posts:41
votes: 0


Adding a quick single or double quote to the end of a dynamic URL is the most basic way to test for SQL injection. A page like:

mysite.com/news.php?story=23

will throw an error if the url loaded is as follows(if there is not sufficient input validation):

mysite.com/news.php?story=23'

They are scanning your site for weaknesses my friend. Keep a close eye on it would be my recommendation, and as always, fully sanitize user input.
 

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week

Featured Threads

Free SEO Tools

Hire Expert Members