Welcome to WebmasterWorld Guest from 54.145.4.19

Forum Moderators: phranque

Message Too Old, No Replies

Requests of URLs appended with '%22

What are they trying to do?

     

woop01

11:46 pm on Jan 10, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



In one of the seemingly endless waves of attempts at messing with our query strings, I started seeing '%22 appended to the end of the URLs today.

What exactly are they trying to exploit?

encyclo

1:29 am on Jan 11, 2010 (gmt 0)

WebmasterWorld Senior Member encyclo is a WebmasterWorld Top Contributor of All Time 10+ Year Member



%22
is an URL-encoded quote mark (") - this is usually due to a malformed link.

For a list of URL-encoded characters, see here:

[w3schools.com...]

woop01

2:57 am on Jan 11, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



It's not just a malformed link when it's a bot appending it to over 1,000 different pages.

encyclo

3:41 pm on Jan 11, 2010 (gmt 0)

WebmasterWorld Senior Member encyclo is a WebmasterWorld Top Contributor of All Time 10+ Year Member



In that case, it's just bad programming by the bot owner (not a surprise, they are spammers after all!) - their list of URLs was either parsed eith the end quote (from reading
<a href="[b]/my-page.html"[/b]>
), or they have generated a list of URLs but their regex is defective.

rocknbil

10:33 pm on Jan 11, 2010 (gmt 0)

WebmasterWorld Senior Member rocknbil is a WebmasterWorld Top Contributor of All Time 10+ Year Member



One second .... is there any other data with this query string?

Reason I ask is if you have a query like this

select * from table where field like "%$term"

A quote can do some serious damage.

$term = 'blah%22%20or%201=1%22';

Add those two together,

select * from table where field like "%blah" or 1=1"

And you have a basic mysql injection that displays all records from a given table.

woop01

2:03 am on Jan 12, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



While we've certainly been the vicitm of SQL injection attacks, this time they only appended those characters to the URL.

chasehx

11:43 pm on Feb 3, 2010 (gmt 0)

5+ Year Member



it may be sending the quote to just test your server responses... See if it is exploitable further..

KenB

12:02 am on Feb 4, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Encyclo's and Rocknbil's explanations are the most probable causes. If it is only the %22, then it is Encyclo's explanation if there is a lot of other squirrelly stuff then it is more likely to be Rocknbil's explanation

chasehx

8:28 pm on Apr 19, 2010 (gmt 0)

5+ Year Member



Adding a quick single or double quote to the end of a dynamic URL is the most basic way to test for SQL injection. A page like:

mysite.com/news.php?story=23

will throw an error if the url loaded is as follows(if there is not sufficient input validation):

mysite.com/news.php?story=23'

They are scanning your site for weaknesses my friend. Keep a close eye on it would be my recommendation, and as always, fully sanitize user input.
 

Featured Threads

Hot Threads This Week

Hot Threads This Month