Translating T-SQL CAST in C#/ VB.NET

Lately our website has actually been drenched with the rebirth of the Asprox botnet SQL injection strike. Without explaining, the strike tries to execute SQL code by inscribing the T-SQL regulates in an ASCII inscribed BINARY string. It looks something similar to this:

DECLARE%[email protected]%20NVARCHAR(4000);SET%[email protected]=CAST(0x44004500...06F007200%20AS%20NVARCHAR(4000));EXEC(@S);--

I had the ability to translate this in SQL, yet I was a little skeptical of doing this given that I really did not recognize specifically what was taking place at the time.

I attempted to write a straightforward decode device, so I can translate this sort of message without also touching SQL  Server. The almost all I require to be translated is:

CAST(0x44004500...06F007200 AS
NVARCHAR(4000))

I've attempted every one of the adhering to commands without good luck:

txtDecodedText.Text =
    System.Web.HttpUtility.UrlDecode(txtURLText.Text);
txtDecodedText.Text =
    Encoding.ASCII.GetString(Encoding.ASCII.GetBytes(txtURLText.Text));
txtDecodedText.Text =
    Encoding.Unicode.GetString(Encoding.Unicode.GetBytes(txtURLText.Text));
txtDecodedText.Text =
    Encoding.ASCII.GetString(Encoding.Unicode.GetBytes(txtURLText.Text));
txtDecodedText.Text =
    Encoding.Unicode.GetString(Convert.FromBase64String(txtURLText.Text));

What is the correct means to convert this inscribing without making use of SQL Server? Is it feasible? I'll take VB.NET code given that I'm acquainted with that said also.


Okay, I'm certain I'm missing out on something below, so below's where I'm at.

Given that my input is a standard string, I began with simply a fragment of the inscribed section - 4445434C41 (which converts to DECLA) - and also the first effort was to do this ...

txtDecodedText.Text = Encoding.UTF8.GetString(Encoding.UTF8.GetBytes(txtURL.Text));

... and also all it did was return the specific very same point that I place in given that it transformed each personality right into is a byte.

I understood that I require to parse every 2 personalities right into a byte by hand given that I do not recognize of any kind of approaches yet that will certainly do that, so currently my little decoder looks something similar to this:

while (!boolIsDone)
{
    bytURLChar = byte.Parse(txtURLText.Text.Substring(intParseIndex, 2));
    bytURL[intURLIndex] = bytURLChar;
    intParseIndex += 2;
    intURLIndex++;

    if (txtURLText.Text.Length - intParseIndex < 2)
    {
        boolIsDone = true;
    }
}

txtDecodedText.Text = Encoding.UTF8.GetString(bytURL);

Points look helpful for the first number of sets, yet after that the loop stops when it reaches the "4C" set and also claims that the string remains in the wrong layout.

Surprisingly sufficient, when I tip via the debugger and also to the GetString method on the byte array that I had the ability to parse approximately that factor, I get ",-+" as the outcome.

Just how do I identify what I'm missing out on - do I require to do a "straight actors" for each and every byte as opposed to trying to parse it?

0
2019-05-06 23:30:21
Source Share
Answers: 2

I returned to Michael's blog post, did some even more jabbing and also understood that I did require to do a double conversion, and also at some point exercised this little nugget:

Convert.ToString(Convert.ToChar(Int32.Parse(EncodedString.Substring(intParseIndex, 2), System.Globalization.NumberStyles.HexNumber)));

From there I merely made a loop to experience all the personalities 2 by 2 and also get them "hexified" and afterwards converted to a string.

To Nick, and also any person else interested, I proceeded and also posted my little application over in CodePlex. Do not hesitate to use/modify as you require.

0
2019-05-11 18:17:46
Source

Try getting rid of the 0x first and afterwards call Encoding.UTF8.GetString. I assume that might function.

Basically : 0x44004500

Remove the 0x, and afterwards constantly 2 bytes are one personality :

44 00 = D

45 00 = E

6F 00 = o

72 00 = r

So it's most definitely a Unicode/UTF layout with 2 bytes/character.

0
2019-05-07 17:03:54
Source