Monday, July 23, 2007

Decoding encoded IIS logs

When doing intrusion investigations, I have run across IIS web logs that have encoded entries that were the product of a SQL injection attack. Many times the attacker will encode the web request that is sent to the webserver, and then subsequently to the SQL server, by substituting ASCII values or hex values for the characters. There are several reasons for doing this, and there are several automated tools that an attacker can use that will automatically encode the string he/she wishes to send.

For example, imagine the attacker wants to send an HTTP GET request containing:
"id=999999 or select * from cctable"

You obviously cannot send spaces in a URL, so it would be rewritten as:
"id=999999%20or%20select%20*%20from cctable"

Special characters are also usually not sent literally, so they too can be replaced by an ASCII representation or hex value, such as:
"id=999999%20or%20select%20char(42)%20from cctable"

This type of encoding makes it very difficult to read and understand what SQL commands the attacker is sending. So I wrote an EnScript that does a simple search and replace for several types of encoding in order to make it easier to understand what the attacker was doing. This can also help with keyword searching: if the word you were searching for was encoded, it obviously would not be found in its encoded form.

The following is an example of a real encoded IIS weblog entry:
pageid=830%20And%20(Select%20Top%201%20char(124)%2Bname%2Bchar(124)%20From%20(Select%20Top%201%20[name]%20From%20[syscolumns]%20where%20(id%20=%20(SELECT%20TOP%201%20id%20FROM%20[sysobjects]%20WHERE%20name%20=%20char(112)%2Bchar(97)%2Bchar(103)%2Bchar(101)%2Bchar(99)%2Bchar(111)%2Bchar(110)%2Bchar(116)%2Bchar(101)%2Bchar(110)%2Bchar(116)%2Bchar(115)))%20Order%20by%20[name])%20T%20Order%20by%20[name]%20desc)>0%20--

The decoded entry looks like this:
pageid=830 And (Select Top 1 +name+ From (Select Top 1 [name] From [syscolumns] where (id = (SELECT TOP 1 id FROM [sysobjects] WHERE name = p+a+g+e+c+o+n+t+e+n+t+s)) Order by [name]) T Order by [name] desc)>0 --
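The following Python script is an added example of the same search-and-replace idea, written for this page; it is not the author's EnScript, which is not reproduced here. It percent-decodes the request, collapses runs of T-SQL char(N)+char(N) calls into a quoted string, and expands 0x hex string literals. The hex-literal handling and the repeated decoding loop for double-encoded requests are assumptions about encodings the post mentions only in general terms; the sample input is the encoded log entry quoted above.

```python
import re
from urllib.parse import unquote

# Constructed sample input: the encoded IIS log entry quoted in the post above.
ENCODED_ENTRY = (
    "pageid=830%20And%20(Select%20Top%201%20char(124)%2Bname%2Bchar(124)%20From%20"
    "(Select%20Top%201%20[name]%20From%20[syscolumns]%20where%20(id%20=%20"
    "(SELECT%20TOP%201%20id%20FROM%20[sysobjects]%20WHERE%20name%20=%20"
    "char(112)%2Bchar(97)%2Bchar(103)%2Bchar(101)%2Bchar(99)%2Bchar(111)%2B"
    "char(110)%2Bchar(116)%2Bchar(101)%2Bchar(110)%2Bchar(116)%2Bchar(115)))"
    "%20Order%20by%20[name])%20T%20Order%20by%20[name]%20desc)>0%20--"
)

# A single T-SQL char(N) call, N being a decimal ASCII value.
CHAR_CALL = re.compile(r"char\((\d{1,3})\)", re.IGNORECASE)
# Two or more char(N) calls joined with '+' (T-SQL string concatenation).
CHAR_CONCAT = re.compile(r"char\(\d{1,3}\)(?:\s*\+\s*char\(\d{1,3}\))+", re.IGNORECASE)
# A 0x... literal with an even number of hex digits (assumed encoding, not from the post).
HEX_LITERAL = re.compile(r"\b0x((?:[0-9a-fA-F]{2})+)\b")


def decode_char_calls(s):
    """Replace char(N) calls with the characters they stand for."""
    def concat_repl(m):
        # Collapse char(a)+char(b)+... into one quoted string, so the reader
        # sees 'pagecontents' rather than p+a+g+e+c+o+n+t+e+n+t+s.
        codes = [int(c) for c in CHAR_CALL.findall(m.group(0))]
        return "'" + "".join(chr(c) for c in codes) + "'"

    s = CHAR_CONCAT.sub(concat_repl, s)
    # Any remaining stand-alone char(N) becomes the literal character.
    return CHAR_CALL.sub(lambda m: chr(int(m.group(1))), s)


def decode_hex_literals(s):
    """Replace 0x... literals with a quoted string when they decode to printable text."""
    def hex_repl(m):
        text = bytes.fromhex(m.group(1)).decode("latin-1")
        return "'" + text + "'" if text.isprintable() else m.group(0)

    return HEX_LITERAL.sub(hex_repl, s)


def decode_entry(line, max_rounds=3):
    """Percent-decode a log entry (repeatedly, for double encoding), then expand char()/0x."""
    cur = line
    for _ in range(max_rounds):
        nxt = unquote(cur)      # %20 -> space, %2B -> '+', %3D -> '='
        if nxt == cur:          # nothing left to decode
            break
        cur = nxt
    cur = decode_char_calls(cur)
    return decode_hex_literals(cur)


def decode_log(lines):
    """Return (original, decoded) pairs for every log line the decoding changed."""
    out = []
    for line in lines:
        line = line.rstrip("\n")
        if not line or line.startswith("#"):   # skip W3C header lines
            continue
        decoded = decode_entry(line)
        if decoded != line:
            out.append((line, decoded))
    return out


if __name__ == "__main__":
    print(decode_entry(ENCODED_ENTRY))
```

Note that char(124) is the pipe character, so the decoded clause around `name` reads `|+name+|`; the decoder keeps the `+` operators so that the SQL remains readable as the query the attacker actually sent. Lines that decode differently from their original are the ones worth reviewing first, and the decoded text is also what should be fed to keyword searches.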

To use it within EnCase, select (blue check) the IIS log, run the EnScript, and check the console for results.

Download Here
(tested in v6.5)
