Posts tagged SQL injection

SUC021 : Havij SQL Injection Tool User-Agent Inbound

2 years ago

in Opportunists, Professional, Targeting Opportunists, Use Cases

Use Case Reference : SUC021
Use Case Title : Havij SQL Injection Tool User-Agent Inbound
Use Case Detection : IDS / HTTP / SQL logs
Attacker Class : Opportunists / Targeting Opportunists / Professional
Attack Sophistication : Unsophisticated / Low / Mid-High
Identified tool(s) : Havij Advanced SQL Injection
Source IP(s) : Random
Source Countries : Random
Source Port(s) : Random
Destination Port(s) : 80/TCP, 443/TCP

Possible(s) correlation(s) :

Havij Advanced SQL Injection free version
Havij Advanced SQL Injection commercial version

Source(s) :

Snort rule :

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ZATAZ SCAN Havij SQL Injection Tool User-Agent Inbound"; flow:established,to_server; content:"|0D 0A|User-Agent|3a| Havij"; nocase; http_header; reference:url,itsecteam.com/en/projects/project1.htm; threshold:type limit, count 1, seconds 30, track by_src; classtype:web-application-attack; priority:2; sid:1010051; rev:1;)

SIG 1010051 1 Week events activity

SIG 1010051 1 month events activity

Database Havij SQL injection

SUC016 : RCE & SQL injection attempts on xmlrpc.php

3 years ago

in Opportunists, Use Cases

Use Case Reference : SUC016
Use Case Title : RCE & SQL injection attempts on xmlrpc.php
Use Case Detection : IDS / Web logs
Attacker Class : Opportunists
Attack Sophistication : Unsophisticated
Identified tool(s) : No, but User-Agent Mozilla/5.0
Source IP(s) : Random
Source Countries : Random
Source Port(s) : Random
Destination Port(s) : 80/TCP

Possible(s) correlation(s) :

Joomla XML-RPC vulnerability
Multi functions Web scanner (RFI, LFI, XMLRPC, etc.)

Source(s) :

Emerging Threats SIG 2002158

Since one week, we have detect some increasing RCE (Remote Code Execution) and SQL injection attempts on xmlrpc.php. These attempts are detected by ET rule 2002158, with last modification on the rule the 2009-03-13.

You can find here under the payload how is called by the attempts.

test.method’,”));echo ‘XxXDIOCANEXxX’;exit;/*

Despite the source IPs are completely random, the User Agent is still Mozilla/5.0 and the payload is all the time the same. These attempts seems to be generated by a tool using some Google dorking capabilities. Also the source IPs are also involved in other exploits attempts, members of RFI or LFI botnets.

24 hours SIG 2002158 events activities

1 week SIG 2002158 events activities

1 Month SIG 2002158 events activities

One year SIG 2002158 events activities

1 Month TOP 10 source IPs for SIG 2002158

Botnet Database RCE SQL injection

SQL injection against services fingerprinting and informations gathering

3 years ago

in Various

After the discovery of a new car license plate type, created to fight, with SQL injection method, the unpopular fixed radar system, mikkohypponen a security specialist has report a funny method to SQL inject services fingerprinting.

The concerned service is the HTTP service of www.reddit.com website. Normally the HTTP service should return things like “Apache” or “ISS”, but here you can find a dedicated fingerprint.

SQL injection against fixed radar systems

SQL injection against services fingerprinting

Most of time, fingerprinting method are done with nmap like tools, and the results could be stored into a database. ERIPP is also well know to create a database of 4 Billion routable IP addresses with the associated most common services fingerprints. SHODAN is also a similar database type than ERIPP, how is a computer search engine permitting to find computers running certain software (HTTP, FTP, etc). Imagine that the crawler code has some sql injection flaw… oups your database has gone cause the fingerprint contains some sql injection code

For Reddit, we have search the “CREATE TABLE servertypes” on Google, and find one services fingerprinting crawler using a database called “servertypes” and targeting Reddit

banthar gist HTTP service fingerprinting crawler

Is Reddit protecting him self against information gathering or just an sysadmin funny joke.

Database Scanner SQL injection

SUC012 : Chinese Blind SQL Injection – hn.kd.ny.adsl

3 years ago

in Opportunists, Use Cases

Use Case Reference : SUC012
Use Case Title : Chinese Blind SQL Injection
Use Case Detection : IDS / HTTP logs / SQL logs
Attacker Class : Opportunists
Attack Sophistication : Unsophisticated
Identified tool(s) : No
Source IP(s) : Most of 115.48.0.0/12 and ChinaNet
Source Countries : China
Source Port(s) : Random, but static source port when scan is initiated
Destination Port(s) : 80/TCP

Possible(s) correlation(s) :

Random SQL Injection Tool with some Google dorking capabilities

Source(s) :

We have some targeted Blind SQL Injection focusing on some randoms URLs, and all the time the same three parameters. We have actually make a list of different IP addresses, all located in China (hn.kd.ny.adsl), and more particular from the Henan province. All theses source IP addresses generating 30 distinct events. The 22/04/2010 events are not related with this Use Case.

1 month SID 2011040 IDS Events

One month SID 2006446 activity

Theses Blind SQL Injection scans are detected by Emerging Threats Snort rules, more precisely the 2011040 “WEB_SERVER Possible Usage of MYSQL Comments in URI for SQL Injection“, and also by the rule 2006446 “ET WEB_SERVER Possible SQL Injection Attempt UNION SELECT“.

1 Month TOP 10 source IPs for SID 2011040

1 Month TOP 10 source IPs for SID 2006446

TOP 20 source countries for SID 2011040

TOP 20 source countries for SID 2006446

When starting the Blind SQL Injection scan, the source port stay static during 26 of 30 events and the last 4 events are have also a static source port, but different from the initial 26 events. We have also seen that some source IP only test doing 10 events, all these teen events with the same static source port.

For examples :

115.52.225.227 – hn.kd.ny.adsl – Beijing – China - User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

source port : 60865 (26 events)
source port : 61446 (4 events)

1 week 115.52.225.227 SIG 2011040 events

123.161.77.52 - Beijing – China - User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

source port : 21703 (26 events)
source port : 22035 (4 events)

1 week 123.161.77.52 SIG 2011040 events

115.52.227.129 – hn.kd.ny.adsl – Beijing – China - User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

source port : 24431 (26 events)
source port : 25206 (4 events)

1 month 115.52.227.129 SIG 2011040 events

hn.kd.ny.adsl is well know on Internet for malware, spam, etc. activities.

The 3 source IP addresses replay exactly the same HTTP Blind SQL Injection sequences, you can find them here under. This Blind SQL Injection Tool has maybe an Google Dorking capability.

/forum/index.php?autocom=blog&blogid=1&showentry=46/**/aND/**/8%3D8
/forum/index.php?autocom=blog&blogid=1&showentry=46/**/aND/**/8%3D3
/forum/index.php?autocom=blog&blogid=1&showentry=46%27/**/aND/**/%278%27%3D%278
/forum/index.php?autocom=blog&blogid=1&showentry=46%27/**/aND/**/%278%27%3D%273
/forum/index.php?autocom=blog&blogid=1&showentry=46%25%27/**/aND/**/%278%27%3D%278
/forum/index.php?autocom=blog&blogid=1&showentry=46%25%27/**/aND/**/%278%25%27%3D%273
/forum/index.php?autocom=blog&blogid=1&showentry=46/**/XoR/**/8%3D3
/forum/index.php?autocom=blog&blogid=1&showentry=46/**/XoR/**/8%3D8
/forum/index.php?autocom=blog&blogid=1&showentry=46%27/**/XoR/**/%278%27%3D%273
/forum/index.php?autocom=blog&blogid=1&showentry=46%27/**/XoR/**/%278%27%3D%278

/forum/index.php?showentry=46&autocom=blog&blogid=1/**/aND/**/8%3D8
/forum/index.php?showentry=46&autocom=blog&blogid=1/**/aND/**/8%3D3
/forum/index.php?showentry=46&autocom=blog&blogid=1%27/**/aND/**/%278%27%3D%278
/forum/index.php?showentry=46&autocom=blog&blogid=1%27/**/aND/**/%278%27%3D%273
/forum/index.php?showentry=46&autocom=blog&blogid=1%25%27/**/aND/**/%278%27%3D%278
/forum/index.php?showentry=46&autocom=blog&blogid=1%25%27/**/aND/**/%278%25%27%3D%273
/forum/index.php?showentry=46&autocom=blog&blogid=1/**/XoR/**/8%3D3
/forum/index.php?showentry=46&autocom=blog&blogid=1/**/XoR/**/8%3D8
/forum/index.php?showentry=46&autocom=blog&blogid=1%27/**/XoR/**/%278%27%3D%273
/forum/index.php?showentry=46&autocom=blog&blogid=1%27/**/XoR/**/%278%27%3D%278

/forum/index.php?blogid=1&showentry=46&autocom=blog/**/aND/**/8%3D8
/forum/index.php?blogid=1&showentry=46&autocom=blog/**/aND/**/8%3D3
/forum/index.php?blogid=1&showentry=46&autocom=blog%27/**/aND/**/%278%27%3D%278
/forum/index.php?blogid=1&showentry=46&autocom=blog%27/**/aND/**/%278%27%3D%273
/forum/index.php?blogid=1&showentry=46&autocom=blog%25%27/**/aND/**/%278%27%3D%278
/forum/index.php?blogid=1&showentry=46&autocom=blog%25%27/**/aND/**/%278%25%27%3D%273
/forum/index.php?blogid=1&showentry=46&autocom=blog/**/XoR/**/8%3D3
/forum/index.php?blogid=1&showentry=46&autocom=blog/**/XoR/**/8%3D8
/forum/index.php?blogid=1&showentry=46&autocom=blog%27/**/XoR/**/%278%27%3D%273
/forum/index.php?blogid=1&showentry=46&autocom=blog%27/**/XoR/**/%278%27%3D%278

Other SQL injection fingerprints

'%20and%205=6%20union%20select%200x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E%20--%20And%20'6'='6

If you have any informations around theses SQL injections and more in particular the used tool, please contact me on Twitter or comment this post.