Is this an SQL injection attack? +and+(5=5+xor+2=9)--+a

Is the following an SQL injection attack? While checking the log files today, I noticed a lot of entries like this:

lat=52.350&lon=4.917"+and+(5=5+xor+2=9)--+a
lat=52.350&lon=4.917"+and+(1=1+xor+2=2)--+a
lat=52.350&lon=4.917"+and+not+1=7--+a

There are more, but I only added the ones above. I'm not sure what they are trying to do.

Any insight would be helpful.

An example of a full URL is:

http://www.example.com/5-Day-Weather-Forcast-For-Amsterdam?lat=52.350&lon=4.917"+and+(5=5+xor+2=9)--+a

This is the error they are getting:

The value is 52.350 or 4.917" and (5=5 xor 2=9)-- a for your latitude, longitude is not in the correct format

+3




1 answer


Probably yes.

The standard testing approach for logical blind SQL injection is to try to identify a parameter that will accept additional clauses and produce significantly different responses when the clauses evaluate to true or false.



If adding "and 1=1" to the query produces the same results, but "and 1=2" gives an error or different results, then it is reasonable to conclude that the additional SQL is being parsed.

SQL injection and web application scanners typically try several variations of these logical test payloads, using different combinations of brackets and quotes to try to fit into the syntax of the vulnerable query. If you are interested in doing this, hook up a tool like sqlmap to run through a proxy and see how it tries to find the vulnerable parameter, as a masterclass in SQLi.

+3
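A log-triage sketch for the entries in the question, added here as an example (it is not code from the original post): it strictly validates the lat and lon parameters and, for values that fail, works out whether the injected condition evaluates true or false, which exposes the true/false pairing the answer describes. The function names and regular expressions are assumptions and cover only the probe shapes shown on this page.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Strict format for a coordinate: optional sign, digits, optional fraction.
COORD = re.compile(r"-?\d{1,3}(\.\d+)?")
# Probe shapes seen in the question: and [(][not] A=B [xor C=D]
PROBE = re.compile(r"\b(?:and|or)\b\s*\(?\s*(not\s+)?(\d+)\s*=\s*(\d+)"
                   r"(?:\s+xor\s+(\d+)\s*=\s*(\d+))?", re.I)

def probe_truth(value):
    """Truth value of the injected condition, or None if no probe is found."""
    m = PROBE.search(value)
    if not m:
        return None
    result = int(m.group(2)) == int(m.group(3))
    if m.group(4) is not None:                 # "A=B xor C=D"
        result ^= int(m.group(4)) == int(m.group(5))
    if m.group(1):                             # leading "not"
        result = not result
    return result

def inspect(url, params=("lat", "lon")):
    """Return one finding per coordinate value that fails strict validation."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    findings = []
    for name in params:
        for value in query.get(name, []):
            if not COORD.fullmatch(value):
                findings.append({"param": name, "value": value,
                                 "boolean_probe": probe_truth(value)})
    return findings

# Query strings from the question's log, plus one constructed clean request.
BASE = "http://www.example.com/5-Day-Weather-Forcast-For-Amsterdam?"
SAMPLES = [
    BASE + "lat=52.350&lon=4.917",
    BASE + 'lat=52.350&lon=4.917"+and+(5=5+xor+2=9)--+a',
    BASE + 'lat=52.350&lon=4.917"+and+(1=1+xor+2=2)--+a',
    BASE + 'lat=52.350&lon=4.917"+and+not+1=7--+a',
]

if __name__ == "__main__":
    for url in SAMPLES:
        for f in inspect(url):
            print(f["param"], repr(f["value"]), "condition is", f["boolean_probe"])
```

Requests from one client that send both a true-evaluating and a false-evaluating condition to the same parameter are the pattern worth alerting on.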

