How to view encoded string as text

toubept · Jul 25, 2023, 4:42 PM

My server log is showing a large number of entries like this

%27%29%29%2F%2A%2A%2FaNd%2F%2A%2A%2F6302%3DCONcat%28CHar%28113%29%2BCHar%28106%29%2BCHar%2898%29%2BCHar%2898%29%2BCHar%28113

If I run the mime tool to url decode it, it shows as

'))/**/aNd/**/6302=CONcat(CHar(113)+CHar(106)+CHar(98)+CHar(98)+CHar(113

Is there a way to convert it to plain text?

Alan Kilborn · Jul 25, 2023, 4:58 PM

@toubept

Hmm, what kind of “plain text” are you looking for?
Meaning, if you had what you want, what would your sample appear like?

toubept · Jul 25, 2023, 5:38 PM

@Alan-Kilborn I was hoping for something more human-readable where I don’t have to look up what the codes mean. So instead of CHR(113) it would show q.

rdipardo · Jul 25, 2023, 8:04 PM

@toubept,

'))/**/aNd/**/6302=CONcat(CHar(113)+CHar(106)+CHar(98)+CHar(98)+CHar(113

Your server is logging Transact-SQL queries . mimeTools would have to extract and evaluate those by sending them to a live RDBMS.

Embedding SQL in a query string is a textbook example of SQL injection , so perhaps mimeTools isn’t your biggest problem right not.

mkupper · Jul 26, 2023, 7:05 PM

@toubept I would agree with what @rdipardo wrote.

It appears that your server is either under attack or is the victim of a successful attack. If it’s a public facing server under attack then the front end needs to be locked down more to prevent the attacks from getting to the server. If it’s the victim of a successful attack then you have a large problem.

Attackers generate hard to decipher strings to prevent or slow you from understanding better what is happening.

If I wanted to decode lots of text that looked like CHar(113)+CHar(106)+CHar(98)+CHar(98)+CHar(113 then I’d use something other than Notepad++ simply because I don’t know how to do it directly in Notepad++ without lots of thinking and looking things up to see if it’s possible or practical. As I know ASCII I mentally decoded it as qjbbq which seems random and would be further evidence that you are likely dealing with an attacker or have been attacked.

It is also possible that there is no attacker. Some commercial packages generate hard to decode and understand code snippets to slow down attempts to reverse engineer how those packages work and/or to slow down or prevent attempts to perform automated data scraping of information that is being presented.

toubept · Jul 31, 2023, 6:59 PM

@mkupper Thank you for your thoughts on this. The strings are from hackers. They aren’t getting in. I wanted to have an automatic script to block them when they try since they try over and over. I know I can use regex to do that but I also wanted to see what they were looking for to see if it is something that might need tightening up. I would have a report that said something like, “10 attempts to access example.php”. But that seems not to be a simple thing so I will just block them with regex and leave it at that. Thanks, again.