SQL injections going mad

Dominic White

 

SQL injections going mad

So, the SQL injections of last month are still going and on the increase. At last check (11am SAST) Google's index had 1 070 000 infected pages. Not all of these are from the same source, or load the same malware. However, they have the same basic principle:

generic SQL injection -> Javascript -> infect visitors

Several of the sites in South Africa I've been watching have been re-infected. I spoke to several of the admins, but it seems they are just restoring from backup and not fixing the root cause. The domains currently being injected and containing the malicious Javascript are:

  • nihaorr1.com
  • 2117966.net
  • aspder.com
  • haoliuliang.net
  • nmidahena.com
  • free.hostpinoy.info
  • xprmn4u.info
  • winzipices.cn
  • wowgm1.cn
  • killwow1.cn
  • wowyeye.cn

Although, new ones are coming to my attention fairly quickly at the moment. For example, wowgm1.cn was re-injected over winzipices.cn on a few pages. The 'wow' range seem to be related, as they are re-infecting pages with a new URL. On the point of re-injections, it seems some are overwriting each other in funny ways, for example, the following was found on one page (*'s added):

<script src=http://www.2<script src=h**p://www.2117966.net/f*ckjp.js></script>

It bother's me that the security industry (particularly in SA) doesn't seem to have cottoned on to this as a widespread pervasive attack. Shadowserver (one, two) seems to be the only ones getting close to the problem, but even SANS is treating these as seperate events. There is only basic protection at the moment, if you click through from some of these sites (10%?) in Google, you will get a Malware warning. Continuing to the site anyway prevents me due to Firefox's security setting (which shares the same list from Google, i.e. stopbadware.org).

Given how successfull the exploitation of such an 'old' vulnerability, it is likely we are only going to see more (and better executed) versions of this in the next few months (years?). Hitting over a million pages with a pretty lame attack, that only targets Microsoft SQL is fairly impressive. If they just modified their SQL to work on MySQL or Postgres I'm sure we would seem more than a million more hit. It is interesting to note that it has taken this long from someone to try and 'monetise' SQL injections, as it has been around for a while (8 years?). My guess is that it will take less time for bad guys to do the same with XSS & CSRF, but that Microsoft's default request validation will save some of us, but not because dev's have cottoned on.


Monday, May 12. 2008
Posted by Dominic White in Security
Comments (2) | Trackbacks (0)

 

Trackbacks
Trackback specific URI for this entry

No Trackbacks

Comments
Display comments as (Linear | Threaded)

#1 Philip wrote (Link) (Reply)
Posted on Monday, May 12. 2008
This happened to our site... but I thought SQL injection only works on pages with forms ? This happened to database tables that are only read to display content ?
 
#1.1 Dominic White wrote (Link) (Reply)
Posted on Tuesday, May 13. 2008
Hi Philip, There only needs to be one injection point, and that can be on *any* page displaying forms, or accepting GET/POST variables, or even WebServices. Once they have an injection point, and if your DB isn't sufficiently secured, they can write to any content table the user in the connection string has access to write to. The current round seems to try and write to all of them. Parameterise and pre-compile your SQL, then remove as many rights from the user you use to connect to the DB to solve this.
 

Add Comment