Site has been hacked via SQL Injection

Front-end · Unresolved · 7 · 1235
难免孤独 2020-12-04 18:09

Recently my site was hacked via SQL injection. The hacker used the following query to get my DB name. I cannot understand this query they wrote.

Query:
7 replies

臣服心动 2020-12-04 18:41

    First off, the query looks like it's HTML encoded. Replace the %20s with spaces and it will become a little more readable. Also they are converting part of the query into a hex representation of something. Try hexadecimal decoding that part of the statement as well.

    A SQL injection risk is created when you try to create SQL dynamically as a string, and then send it to the DBMS. Imagine a string like this stored in your system for use in a search bar, etc:

    SELECT * FROM SOME_TABLE WHERE SOME_COLUMN=

    To complete the query and let the attack in, they would need to make their input like this:

    'x' or 1=1

    In that instance the query will become:

    SELECT * FROM SOME_TABLE WHERE SOME_COLUMN='x' or 1=1

    SOME_COLUMN could be any variable, it doesn't matter where it fails, the thing that matters is that 1=1 is ALWAYS true, thereby potentially giving the attacker access to every row in that table.

    Now that you know about it, go through your code and replace every dynamically created query with Prepared Statements. The OWASP site has a lot of resources for defensive coding as well:

    www.owasp.org
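As an added example (not part of the original reply, and not the asker's code), the following Python script shows both points the reply makes: first a small decoder for reading a percent-encoded query with a hex literal out of a web log, then the string-concatenation bug from the reply's `SOME_COLUMN=` example next to its parameterised replacement, using SQLite from the standard library. The table, its rows and the sample encoded string are all constructed for illustration, and the helper names (`decode_logged_query`, `search_vulnerable`, `search_parameterised`) are hypothetical.

```python
"""Added example: decoding a logged query, and concatenated SQL beside its
parameterised fix. Uses only the Python standard library (sqlite3)."""
import re
import sqlite3
from urllib.parse import unquote

# Constructed sample of how an injected input can appear in an access log:
# percent-encoded, with the string 'x' written as the hex literal 0x78.
SAMPLE_LOGGED_QUERY = "some_column%3D0x78%20or%201%3D1"


def decode_logged_query(raw: str) -> str:
    """Undo percent-encoding (the %20s etc.), then render MySQL-style 0x...
    hex string literals as readable 'text' so the statement can be reviewed."""
    decoded = unquote(raw)

    def hex_to_text(match: re.Match) -> str:
        return "'" + bytes.fromhex(match.group(1)).decode("utf-8", "replace") + "'"

    # A SQL hex literal is 0x followed by an even number of hex digits.
    return re.sub(r"0x((?:[0-9a-fA-F]{2})+)", hex_to_text, decoded)


def make_db() -> sqlite3.Connection:
    """In-memory table with a few constructed rows (hypothetical data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE some_table (id INTEGER, some_column TEXT)")
    conn.executemany(
        "INSERT INTO some_table VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "carol")],
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, user_input: str) -> list:
    """The bug described in the reply: user text is pasted straight into the
    SQL string, so the input becomes part of the statement's syntax."""
    sql = "SELECT * FROM some_table WHERE some_column=" + user_input
    return conn.execute(sql).fetchall()


def search_parameterised(conn: sqlite3.Connection, user_input: str) -> list:
    """The fix: the statement is fixed text with a placeholder, and the driver
    sends the input as a value, never as SQL syntax."""
    sql = "SELECT * FROM some_table WHERE some_column=?"
    return conn.execute(sql, (user_input,)).fetchall()


if __name__ == "__main__":
    print(decode_logged_query(SAMPLE_LOGGED_QUERY))
    db = make_db()
    attack = "'x' or 1=1"
    print("vulnerable:", search_vulnerable(db, attack))        # every row
    print("parameterised:", search_parameterised(db, attack))  # no rows
```

With the input `'x' or 1=1` from the reply, `search_vulnerable` returns every row because `1=1` is always true, while `search_parameterised` searches for that literal text as a value and returns nothing. The decoder is for reading what was logged; it does not need to run anything against the database.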
