SQL injections going mad

SA Security Bloggers

SensePost

Haroon Meer
link

Matt Erasmus
link

Andrew Mohawk

Junaid Loonat
link

Barry Irwin
link

Tom Wells

Allen Baranov
link

Jock Forrester
link

IT Security Pubcast
link

Telspace

ISGAfrica

Ralfe Poisson

How-To's
link Linux SSH Jail with pam_chroot
link Firefox Privacy & Security Extensions

Papers
link Managing Patching, my MSc Thesis
link Risk Analysis of Monthly Patch Schedules

Tools
link Automated Vodacom SMS (VodaSMS)
link RSS 2 SMS
link DShield Hack Detection

Neologisms
link Encryption principles
link Zoolander's Law

Syndicate This Blog

SSL

Certificate fingerprints:

SHA1: 61 13 45 4B 4C F9 89 9B B7 87 C8 78 F7 38 12 CB 07 E2 60 BF
MD5 : DA 53 7B 50 E4 3A 2C 6C A1 17 53 C1 A0 5E CB 89

HTTPS version.
You can find an explanation here.

License

Original content in this work is licensed under a Creative Commons License

Disclaimer

This blog and its contents are in no way affiliated with, or endorsed by my employer.

Random Entry: Sun Recommended Patch Management Policy
< Currently, potentially, Infected SA sites | Debian (and derivatives) OpenSSL-based keys vulnerability >

Monday, May 12. 2008

SQL injections going mad

So, the SQL injections of last month are still going and on the increase. At last check (11am SAST) Google's index had 1 070 000 infected pages. Not all of these are from the same source, or load the same malware. However, they have the same basic principle:

generic SQL injection -> Javascript -> infect visitors

Several of the sites in South Africa I've been watching have been re-infected. I spoke to several of the admins, but it seems they are just restoring from backup and not fixing the root cause. The domains currently being injected and containing the malicious Javascript are:

nihaorr1.com
2117966.net
aspder.com
haoliuliang.net
nmidahena.com
free.hostpinoy.info
xprmn4u.info
winzipices.cn
wowgm1.cn
killwow1.cn
wowyeye.cn

Although, new ones are coming to my attention fairly quickly at the moment. For example, wowgm1.cn was re-injected over winzipices.cn on a few pages. The 'wow' range seem to be related, as they are re-infecting pages with a new URL. On the point of re-injections, it seems some are overwriting each other in funny ways, for example, the following was found on one page (*'s added):

<script src=http://www.2<script src=h**p://www.2117966.net/f*ckjp.js></script>

It bother's me that the security industry (particularly in SA) doesn't seem to have cottoned on to this as a widespread pervasive attack. Shadowserver (one, two) seems to be the only ones getting close to the problem, but even SANS is treating these as seperate events. There is only basic protection at the moment, if you click through from some of these sites (10%?) in Google, you will get a Malware warning. Continuing to the site anyway prevents me due to Firefox's security setting (which shares the same list from Google, i.e. stopbadware.org).

Given how successfull the exploitation of such an 'old' vulnerability, it is likely we are only going to see more (and better executed) versions of this in the next few months (years?). Hitting over a million pages with a pretty lame attack, that only targets Microsoft SQL is fairly impressive. If they just modified their SQL to work on MySQL or Postgres I'm sure we would seem more than a million more hit. It is interesting to note that it has taken this long from someone to try and 'monetise' SQL injections, as it has been around for a while (8 years?). My guess is that it will take less time for bad guys to do the same with XSS & CSRF, but that Microsoft's default request validation will save some of us, but not because dev's have cottoned on.

Posted by Dominic White in Security at 10:32 | Comments (2) | Trackbacks (0)

Last modified on 2008-05-13 06:19

Trackbacks

Trackback specific URI for this entry

No Trackbacks

Comments

Display comments as (Linear | Threaded)

This happened to our site... but I thought SQL injection only works on pages with forms ? This happened to database tables that are only read to display content ?

#1 Philip (Homepage) on 2008-05-12 22:32 (Reply)

Hi Philip, There only needs to be one injection point, and that can be on *any* page displaying forms, or accepting GET/POST variables, or even WebServices. Once they have an injection point, and if your DB isn't sufficiently secured, they can write to any content table the user in the connection string has access to write to. The current round seems to try and write to all of them. Parameterise and pre-compile your SQL, then remove as many rights from the user you use to connect to the DB to solve this.

#1.1 Dominic White (Homepage) on 2008-05-13 06:19 (Reply)

Add Comment

Name
Email
Homepage
In reply to
Comment	E-Mail addresses will not be displayed and will only be used for E-Mail notifications. To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly. Enter the string from the spam-prevention image above:
	Remember Information? Subscribe to this entry