Saturday 31 August 2013

WTF, an SQL injection payload as part of a URL (on IIS.NET), it must be a honeypot

Update: I wrote the original post in March 2013, and after a couple of days I was contacted by the admin asking me to remove it (which I did). Since it has now been fixed, here is the original post (I'm now assuming the vuln was real, but I still have no idea how it got there).

NOTE: I used the 'contact us' form at to ask for a direct email to send the info below, and they said to 'post it on the support forum' (see the screenshot of the email I sent to IIS.NET at the end of this blog entry).

Btw, since the issue is still there (a week later), I think this is a honeypot.

Here is the blog entry I was writing when I found this (saved as a draft since then).

This is either a funny joke, or an attack gone wrong.

When I was adding some references to my "What happens when Asp.Net not installed on Windows 8 server" post, I noticed something weird with one of the URLs used as a reference:

'%20or%20'82'='82/iis-80-using-aspnet-35-and-aspnet-45

Can you spot the issue?

What about like this:

'%20or%20'82'='82/iis-80-using-aspnet-35-and-aspnet-45

Just to confirm that nothing had gone wrong with my copy and paste, I went to the browser and confirmed that it was the correct URL.


Note how these variations of the original URL don't work:



BUT, these work:

'%20or%20'83'='83/iis-80-using-aspnet-35-and-aspnet-45

'%20or%20'8'='8/iis-80-using-aspnet-35-and-aspnet-45


The last ones seem to imply that there is an SQL injection here.
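To show why a URL like that would "work" while other variations would not, here is an added example (not code from the original post, and not IIS.NET's code, whose backend is unknown). It models a hypothetical page lookup in Python over an in-memory SQLite table, where the two last path segments are treated as a category and a slug and concatenated straight into the query; the table, column names, the `/learn/...` path prefix and the "broken" variation `'82'='83` are all constructed for the demo. The parameterized version beside it shows the fix.

```python
import sqlite3
from urllib.parse import unquote

# Constructed sample data: a tiny "pages" table standing in for whatever
# the real site's backing store looks like (hypothetical, not IIS.NET's schema).
PAGES = [
    ("get-started", "iis-80-using-aspnet-35-and-aspnet-45"),
    ("get-started", "whats-new-in-iis-8"),
    ("manage", "configuring-logging"),
]


def make_db():
    """Build the throwaway SQLite database with the sample pages."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (category TEXT, slug TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)", PAGES)
    return conn


def split_path(path):
    """Take the last two URL path segments as (category, slug), percent-decoded."""
    segs = [unquote(s) for s in path.strip("/").split("/")]
    return segs[-2], segs[-1]


def lookup_vulnerable(conn, path):
    """Hypothetical vulnerable pattern: path segments concatenated into SQL."""
    category, slug = split_path(path)
    sql = ("SELECT category, slug FROM pages "
           "WHERE category = '%s' AND slug = '%s'" % (category, slug))
    # With category = "' or '82'='82" the WHERE clause becomes
    #   category = '' or '82'='82' AND slug = '<slug>'
    # and since AND binds tighter than OR, it still matches the requested slug.
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, path):
    """Hardened version: the segments are bound as values, never parsed as SQL."""
    category, slug = split_path(path)
    sql = "SELECT category, slug FROM pages WHERE category = ? AND slug = ?"
    return conn.execute(sql, (category, slug)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Constructed URLs: the first three mirror the payload shapes seen in the post,
    # the fourth is a made-up variation whose injected comparison is false,
    # the last is a clean URL for comparison.
    samples = [
        "/learn/get-started/'%20or%20'82'='82/iis-80-using-aspnet-35-and-aspnet-45",
        "/learn/get-started/'%20or%20'83'='83/iis-80-using-aspnet-35-and-aspnet-45",
        "/learn/get-started/'%20or%20'8'='8/iis-80-using-aspnet-35-and-aspnet-45",
        "/learn/get-started/'%20or%20'82'='83/iis-80-using-aspnet-35-and-aspnet-45",
        "/learn/get-started/iis-80-using-aspnet-35-and-aspnet-45",
    ]
    for url in samples:
        print(url)
        print("  concatenated:  ", lookup_vulnerable(db, url))
        print("  parameterized: ", lookup_parameterized(db, url))
```

In the concatenated version every payload whose injected comparison is true (`'82'='82'`, `'83'='83'`, `'8'='8'`) resolves to the same page as the clean URL, because the slug condition is still evaluated on the right of the `AND`; a payload whose comparison is false returns nothing, which is exactly the "these work, these don't" pattern that points at an injection rather than at sloppy routing. The parameterized lookup treats `' or '82'='82` as a literal category name and returns no rows for any of the payload URLs.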

Now the question is: where do the links with the SQL injection payload come from?

Weirdly, it looks like they come directly from their own website!

A search for:


shows the SQL injection payload in there:


Same thing in Google (note the full URL in the address bar):


And sure enough, there are more cases:




Hmm, this is a bit weird, since it looks like an SQL injection, but somehow I think this is a honeypot.

But since Google doesn't return any decent hits on that


And since I'm not authorized to run any 'SQL injection' tests on this site, I'm going to contact the website owners and see what they say about it.

Note: Email sent to the IIS.NET support team (note how they never replied to my 2nd email).