Looks like Mysql is checking for valid hex pairs. In our case if we receive:

SELECT LOAD_FILE(0x633A5C626F6F742E696EZZ69)
decoded:
selectLOAD_FILEc:\\boot.inZZ69

0x41 0xZZ 0x42
decoded:
A 0xZZ B

Makes sense ?

On Thu, Oct 27, 2011 at 2:43 AM, Marc Stern <marc.stern@approach.be> wrote:
What about "0xZZ"?
Should we remove "0x" or not?
What do real SQL parsers?


On 26/10/2011 13:54, Breno Silva wrote:
> Can you give me an example ?
>
> Thanks
>
> On Tue, Oct 25, 2011 at 10:12 AM, Marc Stern <marc.stern@approach.be
> <mailto:marc.stern@approach.be>> wrote:
>
>     We may miss some attack patterns if we do not get the binary
>
>
>     -------- Original Message --------
>     Subject:        [mod-security-users] t:sqlHexDecode
>     Date:   Mon, 24 Oct 2011 09:18:07 -0500
>     From:   Breno Silva <breno.silva@gmail.com
>     <mailto:breno.silva@gmail.com>>
>     To:     Mod Security <mod-security-users@lists.sourceforge.net
>     <mailto:mod-security-users@lists.sourceforge.net>>
>
>
>
>     Hello all,
>
>     Want to get a feedback from you. I'm adding a new tfn called
>     sqlHexDecode that will decode 0x... data.
>     I was thinking about to not try to decode non-printable hex pairs,
>     thinking it should be easier for all of you write rules.
>
>     So, an input like:  0x4142431344 will be ABC13D. If i apply decode for
>     all pairs we will have ABC\x13D.
>
>     Appreciate any comments.
>
>     Thanks
>
>     Breno
>
>
>     ------------------------------------------------------------------------------
>     The demand for IT networking professionals continues to grow, and the
>     demand for specialized networking skills is growing even more rapidly.
>     Take a complimentary Learning@Cisco Self-Assessment and learn
>     about Cisco certifications, training, and career opportunities.
>     http://p.sf.net/sfu/cisco-dev2dev
>     _______________________________________________
>     mod-security-users mailing list
>     mod-security-users@lists.sourceforge.net
>     <mailto:mod-security-users@lists.sourceforge.net>
>     https://lists.sourceforge.net/lists/listinfo/mod-security-users
>     Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>     http://www.modsecurity.org/projects/commercial/rules/
>     http://www.modsecurity.org/projects/commercial/support/
>
>

------------------------------------------------------------------------------
The demand for IT networking professionals continues to grow, and the
demand for specialized networking skills is growing even more rapidly.
Take a complimentary Learning@Cisco Self-Assessment and learn
about Cisco certifications, training, and career opportunities.
http://p.sf.net/sfu/cisco-dev2dev
_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/