Site has been hacked via SQL Injection
It looks like an overflow attack. They UNION-ed with your existing query. replacing all your %20 with (space) since its url-encoded yields:
=-999.9 UNION ALL SELECT CONCAT(0x7e,0x27,Hex(cast(database() as char)),0x27,0x7e),0x31303235343830303536,0x31303235343830303536,0x31303235343830303536-break it down:
- the
=-999.9is just ending your current query 0x31303235343830303536isNULL- they are just matching the number of columns in your existing query. If you hadSELECT * FROM usersandusershad 4 columns, theUNIONmust also have 4 columns. As a result, they just used `NULL values to populate those columns.- the real confusion is in the
CONCAT(). They are combining 126, 39, database name as hex value, 39, and 126 --is a mysql comment - it ignores the rest of your query after
Judging from this attack, i suspect that you are not wrapping input in mysql_real_escape_string(), which allowed to attacked to jump out of your query and execute their own.
See owasp.org for more information.
This is not the complete query, actually the person entered this string in your web app.
Now, first replace %20 with blank space in the union part, you get:
SELECT concat(0x7e,0x27,Hex(cast(database() as char)),0x27,0x7e),0x31303235343830303536,0x31303235343830303536,0x31303235343830303536--Seems like the user put the string in some place where you were expecting an number. So, you see that first there is a number (999.9) to complete the original condition of the query. Then, an UNION part is added.Finally, after the UNION part, the comment characters are added (-- ) so that, the rest of the query (which might be being added by your system) is bypassed.
We can format the code for better understanding:
SELECT concat ( 0x7e, 0x27, Hex(cast(database() as char)), 0x27, 0x7e ), 0x31303235343830303536, 0x31303235343830303536, 0x31303235343830303536Now, substring of the first column of the result will contain the hex encoded form of your datbase name. Actually, it should be surrounded by single quotes (0x27), then again surrounded by ~ (0x7e)
The query returned the Database name using DATABASE() , it then converted this to a hex value using HEx() function.
Once they had this they could use UNHEX function
Have a look at the UNHEX examples
mysql> SELECT UNHEX('4D7953514C'); -> 'MySQL'mysql> SELECT 0x4D7953514C; -> 'MySQL'mysql> SELECT UNHEX(HEX('string')); -> 'string'mysql> SELECT HEX(UNHEX('1267')); -> '1267'It is good to know how they got in, but all in all, you need to fix up your code to avoid SQL Injection.