Tags: security, sql-injection, code-injection

What kind of SQL injection is this?


I've found that someone is trying to attack our company's website via the password restore form. The attack is either a SQL or code injection. It looks like this:

'; if (db_name()))<48) waitfor delay \\\'00:00:04\\\'--'

there are several variations of the statement above, e.g.

'; if (Len((db_name()))=62) waitfor delay \\\'00:00:04\\\'--'
'; if (system_user))<48) waitfor delay \\\'00:00:04\\\'--'
'; if (Len((system_user))=63) waitfor delay \\\'00:00:04\\\'--'

Couldn't google anything related to this attack.

Hopefully, somebody knows what kind of attack this is and what the attacker is trying to do here?


Solution

  • This is a time-based SQL injection attack.

    The attacker knows whether the query is true or not by how fast the page loads with waitfor delay. If true then there will be a 4 second delay.

    Next the attacker could use substring to slowly extract data from any column in your database that the current database user has permissions to.

    example:

    first character = a?

     if(ASCII(SUBSTRING((SELECT password FROM admin), 1, 1))=97) waitfor delay ...

    second character = b?

    if(ASCII(SUBSTRING((SELECT password FROM admin), 2, 1))=98) waitfor delay ...

    if the first letter of column password is 'a' (ASCII('a') === 97), the page will delay. By iterating over each character using substring, they could slowly extract your data.
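A log-side check for the probes described in this answer, as an added example that is not part of the original post: it URL-decodes the form parameter from constructed sample access-log lines (the log format, field order and response-time column are assumptions) and flags requests that carry a time-delay primitive and either took about as long as the injected delay or compare a metadata function such as db_name() or system_user.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (not from the original post). Assumed format:
# client - [timestamp] "METHOD PATH?QUERY" STATUS RESPONSE_TIME_MS
SAMPLE_LOG = """\
10.0.0.5 - [12/Mar/2024:10:01:02] "POST /restore?email=alice%40example.com" 200 120
10.0.0.9 - [12/Mar/2024:10:01:07] "POST /restore?email=%27%3B+if+%28db_name%28%29%29%29%3C48+waitfor+delay+%2700%3A00%3A04%27--" 200 4120
10.0.0.9 - [12/Mar/2024:10:01:12] "POST /restore?email=%27%3B+if+%28Len%28%28system_user%29%29%3D63%29+waitfor+delay+%2700%3A00%3A04%27--" 200 4090
10.0.0.7 - [12/Mar/2024:10:01:20] "POST /restore?email=bob%40example.com" 200 95
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) - \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)" (?P<status>\d+) (?P<ms>\d+)$'
)
# Delay primitives used by time-based blind injection on common engines
# (SQL Server waitfor delay, MySQL sleep/benchmark, PostgreSQL pg_sleep, Oracle dbms_lock.sleep).
DELAY_RE = re.compile(r"waitfor\s+delay|\bsleep\s*\(|\bbenchmark\s*\(|pg_sleep\s*\(|dbms_lock\.sleep", re.I)
# Metadata functions compared against a value, as in the payloads from the question.
# system_user is niladic in T-SQL, so no parentheses are required after the name.
PROBE_RE = re.compile(r"\b(db_name|system_user|user_name)\b.*?[<>=]", re.I)


def classify(line, delay_threshold_ms=3000):
    """Return a verdict dict for one log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    params = unquote_plus(m.group("path").partition("?")[2])  # decode the query string
    delay_kw = bool(DELAY_RE.search(params))
    probe = bool(PROBE_RE.search(params))
    slow = int(m.group("ms")) >= delay_threshold_ms  # response took roughly the injected delay
    if delay_kw and (slow or probe):
        verdict = "time-based-sqli"
    elif delay_kw or probe:
        verdict = "suspicious"
    else:
        verdict = "ok"
    return {"ip": m.group("ip"), "ts": m.group("ts"), "delay_keyword": delay_kw,
            "probe": probe, "slow": slow, "verdict": verdict}


def scan(log_text, delay_threshold_ms=3000):
    """Classify every parseable line of a log and return the verdicts in order."""
    return [r for r in (classify(l, delay_threshold_ms) for l in log_text.splitlines()) if r]


if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        print(r["ip"], r["verdict"])
```

Lowering the response-time threshold is only meaningful if the target's normal latency is well below the delay the attacker injects; the keyword and probe signals work regardless of timing.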