Skip to content
Advertisement

Decoding T-SQL CAST in C#/VB.NET

Recently our site has been deluged with the resurgence of the Asprox botnet SQL injection attack. Without going into details, the attack attempts to execute SQL code by encoding the T-SQL commands in an ASCII encoded BINARY string. It looks something like this:

DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x44004500...06F007200%20AS%20NVARCHAR(4000));EXEC(@S);--

I was able to decode this in SQL, but I was a little wary of doing this since I didn’t know exactly what was happening at the time.

I tried to write a simple decode tool, so I could decode this type of text without even touching SQL  Server. The main part I need to be decoded is:

CAST(0x44004500...06F007200 AS
NVARCHAR(4000))

I’ve tried all of the following commands with no luck:

txtDecodedText.Text =
    System.Web.HttpUtility.UrlDecode(txtURLText.Text);
txtDecodedText.Text =
    Encoding.ASCII.GetString(Encoding.ASCII.GetBytes(txtURLText.Text));
txtDecodedText.Text =
    Encoding.Unicode.GetString(Encoding.Unicode.GetBytes(txtURLText.Text));
txtDecodedText.Text =
    Encoding.ASCII.GetString(Encoding.Unicode.GetBytes(txtURLText.Text));
txtDecodedText.Text =
    Encoding.Unicode.GetString(Convert.FromBase64String(txtURLText.Text));

What is the proper way to translate this encoding without using SQL Server? Is it possible? I’ll take VB.NET code since I’m familiar with that too.


Okay, I’m sure I’m missing something here, so here’s where I’m at.

Since my input is a basic string, I started with just a snippet of the encoded portion – 4445434C41 (which translates to DECLA) – and the first attempt was to do this…

txtDecodedText.Text = Encoding.UTF8.GetString(Encoding.UTF8.GetBytes(txtURL.Text));

…and all it did was return the exact same thing that I put in since it converted each character into is a byte.

I realized that I need to parse every two characters into a byte manually since I don’t know of any methods yet that will do that, so now my little decoder looks something like this:

while (!boolIsDone)
{
    bytURLChar = byte.Parse(txtURLText.Text.Substring(intParseIndex, 2));
    bytURL[intURLIndex] = bytURLChar;
    intParseIndex += 2;
    intURLIndex++;

    if (txtURLText.Text.Length - intParseIndex < 2)
    {
        boolIsDone = true;
    }
}

txtDecodedText.Text = Encoding.UTF8.GetString(bytURL);

Things look good for the first couple of pairs, but then the loop balks when it gets to the “4C” pair and says that the string is in the incorrect format.

Interestingly enough, when I step through the debugger and to the GetString method on the byte array that I was able to parse up to that point, I get “,-+” as the result.

How do I figure out what I’m missing – do I need to do a “direct cast” for each byte instead of attempting to parse it?

Advertisement

Answer

I went back to Michael’s post, did some more poking and realized that I did need to do a double conversion, and eventually worked out this little nugget:

Convert.ToString(Convert.ToChar(Int32.Parse(EncodedString.Substring(intParseIndex, 2), System.Globalization.NumberStyles.HexNumber)));

From there I simply made a loop to go through all the characters 2 by 2 and get them “hexified” and then translated to a string.

To Nick, and anybody else interested, I went ahead and posted my little application over in CodePlex. Feel free to use/modify as you need.

User contributions licensed under: CC BY-SA
4 People found this is helpful
Advertisement