Question

I've found that someone is trying to attack our company's website via the password restore form. The attack is either a SQL or code injection. It looks like this:

'; if (db_name()))<48) waitfor delay \\\'00:00:04\\\'--'

there are several variations of the statement above, e.g.

'; if (Len((db_name()))=62) waitfor delay \\\'00:00:04\\\'--'
'; if (system_user))<48) waitfor delay \\\'00:00:04\\\'--'
'; if (Len((system_user))=63) waitfor delay \\\'00:00:04\\\'--'

Couldn't google anything related to this attack.

Hopefully, somebody knows what kind of attack this is and what the attacker is trying to do here?


Solution

This is a time-based SQL injection attack.

The attacker knows whether the query is true or not by how fast the page loads with waitfor delay. If true then there will be a 4 second delay.

Next the attacker could use substring to slowly extract data from any column in your database that the current database user has permissions to.

example:

first character = a?

if(ASCII(SUBSTRING((SELECT password FROM admin), 1, 1))=97) waitfor delay ...

second character = b?

if(ASCII(SUBSTRING((SELECT password FROM admin), 2, 1))=98) waitfor delay ...

if the first letter of column password is 'a' (ASCII('a') = 97), the page will delay. By iterating over each character using substring, they could slowly extract your data.
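As an added example (not part of the original question or answer), the following script shows the two things a defender would want after reading the answer above: spotting these probes in the application's own request log, and the query style that makes them harmless. The log rows are constructed for the example (the payload strings are the ones quoted in the question; the timestamps and client addresses are made up), and sqlite3 stands in for the real database, which the page never names; the assumption is that the site uses a driver that supports `?` placeholders in the same way.

```python
import re
import sqlite3

# Constructed sample of password-restore submissions as they might appear in an
# application log: (timestamp, client address, value of the submitted field).
# The payloads are the ones quoted in the question; everything else is made up.
SAMPLE_SUBMISSIONS = [
    ("2024-01-01T10:00:01Z", "203.0.113.7", "'; if (db_name()))<48) waitfor delay \\'00:00:04\\'--'"),
    ("2024-01-01T10:00:02Z", "203.0.113.7", "'; if (Len((db_name()))=62) waitfor delay \\'00:00:04\\'--'"),
    ("2024-01-01T10:00:03Z", "203.0.113.7", "'; if (system_user))<48) waitfor delay \\'00:00:04\\'--'"),
    ("2024-01-01T10:05:00Z", "198.51.100.4", "alice@example.com"),
    ("2024-01-01T10:06:00Z", "198.51.100.9", "o'connor@example.com"),
]

# Time-delay primitives of the common database engines. Matching on these is far
# more specific than matching on a lone quote, which legitimate input also contains.
TIME_DELAY_PATTERNS = [
    ("mssql_waitfor", re.compile(r"waitfor\s+delay", re.IGNORECASE)),
    ("mysql_sleep", re.compile(r"\bsleep\s*\(", re.IGNORECASE)),
    ("mysql_benchmark", re.compile(r"\bbenchmark\s*\(", re.IGNORECASE)),
    ("postgres_pg_sleep", re.compile(r"\bpg_sleep\s*\(", re.IGNORECASE)),
]
# Functions the question's payloads probe; their presence shows DB fingerprinting.
FINGERPRINT_PATTERN = re.compile(r"\b(db_name|system_user|@@version|user_name)\b", re.IGNORECASE)


def classify(value):
    """Return the indicator names found in one submitted value (empty list if clean)."""
    hits = [name for name, pat in TIME_DELAY_PATTERNS if pat.search(value)]
    if FINGERPRINT_PATTERN.search(value):
        hits.append("db_fingerprint")
    return hits


def scan(submissions):
    """Flag submissions carrying time-delay or fingerprinting indicators.

    Returns a list of (timestamp, client, indicators) for flagged rows only.
    """
    findings = []
    for ts, client, value in submissions:
        indicators = classify(value)
        if indicators:
            findings.append((ts, client, indicators))
    return findings


def clients_with_repeated_probes(findings, threshold=2):
    """Clients that sent at least `threshold` flagged requests.

    Blind time-based extraction needs one request per guessed character, so the
    same client showing up repeatedly is the signal worth alerting on.
    """
    counts = {}
    for _, client, _ in findings:
        counts[client] = counts.get(client, 0) + 1
    return sorted(c for c, n in counts.items() if n >= threshold)


def lookup_user_parameterized(value):
    """The mitigation: a parameterized query binds the payload as data, not SQL.

    sqlite3 is an assumption standing in for the site's real database; the same
    '?' placeholder style is what a SQL Server driver such as pyodbc uses.
    Returns the number of matching user rows.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT)")
    conn.execute("INSERT INTO users VALUES (?)", ("alice@example.com",))
    # The whole string is bound as one value; no part of it is parsed as SQL,
    # so neither the quote nor the WAITFOR clause has any effect.
    row = conn.execute("SELECT COUNT(*) FROM users WHERE email = ?", (value,)).fetchone()
    conn.close()
    return row[0]


if __name__ == "__main__":
    findings = scan(SAMPLE_SUBMISSIONS)
    for ts, client, indicators in findings:
        print(f"{ts} {client} {','.join(indicators)}")
    print("clients with repeated probes:", clients_with_repeated_probes(findings))
    print("rows matched by the first payload:", lookup_user_parameterized(SAMPLE_SUBMISSIONS[0][2]))
```

The detector keys on the delay primitives rather than on quote characters, so an address like o'connor@example.com is not flagged; the repeated-probe count is the useful alert threshold, because a single flagged request tells you little while dozens from one client in a few minutes is exactly the pattern the answer describes. The parameterized lookup is the fix for the form itself: once the value is bound as a parameter, the page's response time no longer depends on the input.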

OTHER TIPS

It looks like they are trying to find out information about your DB.

I found information about this type of attack on this site: http://searchsqlserver.techtarget.com/feature/Time-delay-SQL-injections

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow