1

I recently started receiving some really strange http traffic, and I'd like to understand what it's trying to do. Some of it seems like sql injection attempts, but the strings are appearing in the referrer URL and in the user-agent as well as in the form parameters, which is confusing to me. Please can you explain what vulnerabilities these are trying to attack, and whether I should be concerned about them?

weird maths:

-1' OR 2+502-502-1=0+0+0+1 --
-1\x22 OR 2+613-613-1=0+0+0+1 --
" AND 2*3*8=6*8 AND "K9Ap"="K9Ap

trying to wait for 15 seconds:

<alphanumerics>'; waitfor delay '0:0:15' --
<alphanumerics>' OR 857=(SELECT 857 FROM PG_SLEEP(15))--
if(now()=sysdate(),sleep(15),0)
1 waitfor delay '0:0:15' --
(select(0)from(select(sleep(3)))v)/*'+(select(0)from(select(sleep(3)))v)+'\x22+(select(0)from(select(sleep(3)))v)+\x22*/
0'XOR(if(now()=sysdate(),sleep(15),0))XOR'Z

something with Postgres?

||DBMS_PIPE.RECEIVE_MESSAGE(CHR(98)||CHR(98)||CHR(98),6)||

javascript and sql and /etc/passwd?

?<alphanumerics>=7995 AND 1<1 UNION ALL SELECT 1,NULL,'<script>alert("XSS")</script>',table_name FROM information_schema.tables WHERE 2>1--/**/; EXEC xp_cmdshell('cat ../../../etc/passwd')#

Just to put these in context, this is a low-traffic website, no logins, no password fields, no user data to steal, no apparent target. So could this just be a "scattergun" approach to spray requests around randomly and see what bounces back?

I just can't imagine what useful information could bounce back when stuff like this is put in the user agent or the referrer url - what is the sender trying to achieve? Or could it just be a harmless misconfigured script?

ConfusedHost
  • 9
  • 1
  • These are probes hoping to find a vulnerability on your site. – schroeder Jan 25 '23 at 20:50
  • Any idea what the sender is targeting - what kind of software are they hoping will take the agent/referrer and expose some vulnerability from these strings? are they hoping for a crash or a sleep somewhere? – ConfusedHost Jan 25 '23 at 22:11
  • Any idea what the sender is targeting .. the answer is "anything" and it doesn't stop - consider blocking ip's from a naughty-list viz. https://security.stackexchange.com/a/240358/ (.. and there does seem to a be a high correlation between spammers' ip's and the botwits: anecdotally, i regularly have http requests being blocked due to membership on a spammer list) – brynk Jan 25 '23 at 22:18
  • These are not targetted - they are trying a broad spectrum to see what works. – schroeder Jan 25 '23 at 22:41

1 Answers1

-1

The best answer I've found so far is a comment by "Jeff" on this question: someone is trying to SQL injection me.. what are they trying to do? : "The exploiter will watch if those three characters end up in the resulting HTML page and know there is a vulnerability."

So I'm guessing that this is the reason for at least some of them, like the weird maths. They just want to know if something will take the user agent or the referrer URL and insert that content into the response, I guess. I really don't get why these sums all evaluate to 1==1, or why there are thousands of them, all slightly different, but there you go.

I still don't get the sleep stuff, whether they're hoping for a sleep during the request processing (but what on earth would be processing the user agent and sleeping because of that?) or sometime later. Or why they're doing the same thing over and over again, thousands of times over several hours.

And the DBMS_PIPE, who knows.

Thanks for the comments.

ConfusedHost
  • 9
  • 1
  • 1
    This is not an answer. Please add this to the question and delete the answer. – mentallurg Jan 27 '23 at 20:37
  • sorry, it seems I'm not allowed to delete the answer, I don't get a delete button. Can't delete the question either :/ – ConfusedHost Jan 28 '23 at 07:12
  • Edit your question and add the contents from the question. Remove the contents from the question. Then the moderator will delete the empty answer. – mentallurg Jan 28 '23 at 09:29