Tag Archives: Database

SQL injection against services fingerprinting and informations gathering

Various, ,
After the discovery of a new car license plate type, created to fight, with SQL injection method, the unpopular fixed radar system, mikkohypponen a security specialist has report a funny method to SQL inject services fingerprinting.
The concerned service is the HTTP service of www.reddit.com website. Normally the HTTP service should return things like “Apache” or “ISS”, but here you can find a dedicated fingerprint.
SQL injection against fixed radar systems
SQL injection against fixed radar systems
SQL injection against services fingerprinting
SQL injection against services fingerprinting
Most of time, fingerprinting method are done with nmap like tools, and the results could be stored into a database. ERIPP is also well know to create a database of 4 Billion routable IP addresses with the associated most common services fingerprints. SHODAN is also a similar database type than ERIPP, how is a computer search engine permitting to find computers running certain software (HTTP, FTP, etc). Imagine that the crawler code has some sql injection flaw… oups your database has gone cause the fingerprint contains some sql injection code 🙂
For Reddit, we have search the “CREATE TABLE servertypes” on Google, and find one services fingerprinting crawler using a database called “servertypes” and targeting Reddit 🙂
banthar gist HTTP service fingerprinting crawler
banthar gist HTTP service fingerprinting crawler
Is Reddit protecting him self against information gathering or just an sysadmin funny joke.

SUC012 : Chinese Blind SQL Injection – hn.kd.ny.adsl

Opportunists, Use Cases, , ,
  • Use Case Reference : SUC012
  • Use Case Title : Chinese Blind SQL Injection
  • Use Case Detection : IDS / HTTP logs / SQL logs
  • Attacker Class : Opportunists
  • Attack Sophistication : Unsophisticated
  • Identified tool(s) : No
  • Source IP(s) : Most of 115.48.0.0/12 and ChinaNet
  • Source Countries : China
  • Source Port(s) : Random, but static source port when scan is initiated
  • Destination Port(s) : 80/TCP
Possible(s) correlation(s) :
  • Random SQL Injection Tool with some Google dorking capabilities

Source(s) :

We have some targeted Blind SQL Injection focusing on some randoms URLs, and all the time the same three parameters. We have actually make a list of different IP addresses, all located in China (hn.kd.ny.adsl), and more particular from the Henan province. All theses source IP addresses generating 30 distinct events. The 22/04/2010 events are not related with this Use Case.

1 month SID 2011040 IDS Events
1 month SID 2011040 IDS Events
One month SID 2006446 activity
One month SID 2006446 activity

Theses Blind SQL Injection scans are detected by Emerging Threats Snort rules, more precisely the 2011040WEB_SERVER Possible Usage of MYSQL Comments in URI for SQL Injection“, and also by the rule 2006446ET WEB_SERVER Possible SQL Injection Attempt UNION SELECT“.

1 Month TOP 10 source IPs for SID 2011040
1 Month TOP 10 source IPs for SID 2011040
1 Month TOP 10 source IPs for SID 2006446
1 Month TOP 10 source IPs for SID 2006446
TOP 20 source countries for SID 2011040
TOP 20 source countries for SID 2011040
TOP 20 source countries for SID 2006446
TOP 20 source countries for SID 2006446

When starting the Blind SQL Injection scan, the source port stay static during 26 of 30 events and the last 4 events are have also a static source port, but different from the initial 26 events. We have also seen that some source IP only test doing 10 events, all these teen events with the same static source port.

For examples :

115.52.225.227 – hn.kd.ny.adsl – Beijing – China – User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

  • source port : 60865 (26 events)
  • source port : 61446 (4 events)
1 week 115.52.225.227 SIG 2011040 events
1 week 115.52.225.227 SIG 2011040 events

123.161.77.52 – Beijing – China – User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

  • source port : 21703 (26 events)
  • source port : 22035 (4 events)
1 week 123.161.77.52 SIG 2011040 events
1 week 123.161.77.52 SIG 2011040 events

115.52.227.129 – hn.kd.ny.adsl – Beijing – China – User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

  • source port : 24431 (26 events)
  • source port : 25206 (4 events)
1 month 115.52.227.129 SIG 2011040 events
1 month 115.52.227.129 SIG 2011040 events

hn.kd.ny.adsl is well know on Internet for malware, spam, etc. activities.

The 3 source IP addresses replay exactly the same HTTP Blind SQL Injection sequences, you can find them here under. This Blind SQL Injection Tool has maybe an Google Dorking capability.

/forum/index.php?autocom=blog&blogid=1&showentry=46/**/aND/**/8%3D8
/forum/index.php?autocom=blog&blogid=1&showentry=46/**/aND/**/8%3D3
/forum/index.php?autocom=blog&blogid=1&showentry=46%27/**/aND/**/%278%27%3D%278
/forum/index.php?autocom=blog&blogid=1&showentry=46%27/**/aND/**/%278%27%3D%273
/forum/index.php?autocom=blog&blogid=1&showentry=46%25%27/**/aND/**/%278%27%3D%278
/forum/index.php?autocom=blog&blogid=1&showentry=46%25%27/**/aND/**/%278%25%27%3D%273
/forum/index.php?autocom=blog&blogid=1&showentry=46/**/XoR/**/8%3D3
/forum/index.php?autocom=blog&blogid=1&showentry=46/**/XoR/**/8%3D8
/forum/index.php?autocom=blog&blogid=1&showentry=46%27/**/XoR/**/%278%27%3D%273
/forum/index.php?autocom=blog&blogid=1&showentry=46%27/**/XoR/**/%278%27%3D%278

/forum/index.php?showentry=46&autocom=blog&blogid=1/**/aND/**/8%3D8
/forum/index.php?showentry=46&autocom=blog&blogid=1/**/aND/**/8%3D3
/forum/index.php?showentry=46&autocom=blog&blogid=1%27/**/aND/**/%278%27%3D%278
/forum/index.php?showentry=46&autocom=blog&blogid=1%27/**/aND/**/%278%27%3D%273
/forum/index.php?showentry=46&autocom=blog&blogid=1%25%27/**/aND/**/%278%27%3D%278
/forum/index.php?showentry=46&autocom=blog&blogid=1%25%27/**/aND/**/%278%25%27%3D%273
/forum/index.php?showentry=46&autocom=blog&blogid=1/**/XoR/**/8%3D3
/forum/index.php?showentry=46&autocom=blog&blogid=1/**/XoR/**/8%3D8
/forum/index.php?showentry=46&autocom=blog&blogid=1%27/**/XoR/**/%278%27%3D%273
/forum/index.php?showentry=46&autocom=blog&blogid=1%27/**/XoR/**/%278%27%3D%278

/forum/index.php?blogid=1&showentry=46&autocom=blog/**/aND/**/8%3D8
/forum/index.php?blogid=1&showentry=46&autocom=blog/**/aND/**/8%3D3
/forum/index.php?blogid=1&showentry=46&autocom=blog%27/**/aND/**/%278%27%3D%278
/forum/index.php?blogid=1&showentry=46&autocom=blog%27/**/aND/**/%278%27%3D%273
/forum/index.php?blogid=1&showentry=46&autocom=blog%25%27/**/aND/**/%278%27%3D%278
/forum/index.php?blogid=1&showentry=46&autocom=blog%25%27/**/aND/**/%278%25%27%3D%273
/forum/index.php?blogid=1&showentry=46&autocom=blog/**/XoR/**/8%3D3
/forum/index.php?blogid=1&showentry=46&autocom=blog/**/XoR/**/8%3D8
/forum/index.php?blogid=1&showentry=46&autocom=blog%27/**/XoR/**/%278%27%3D%273
/forum/index.php?blogid=1&showentry=46&autocom=blog%27/**/XoR/**/%278%27%3D%278

Other SQL injection fingerprints

'%20and%205=6%20union%20select%200x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E%20--%20And%20'6'='6

If you have any informations around theses SQL injections and more in particular the used tool, please contact me on Twitter or comment this post.

SUC004 : phpMyAdmin User-Agent Revolt Scanner

Opportunists, Use Cases, , , , ,
  • Use Case Reference : SUC004
  • Use Case Title : phpMyAdmin User-Agent Revolt Scanner
  • Use Case Detection : HTTP Logs / IDS
  • Attacker Class : Opportunists
  • Attack Sophistication : Unsophisticated
  • Identified tool(s) : Revolt Scanner
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random port, but static source port when scan is initiated
  • Destination Port(s) : 80/TCP, 443/TCP
Possible(s) correlation(s) :
  • phpMyAdmin scanner

Source(s) :

Surely during your daily HTTP log check, you have detect theses kind of patterns.

...
209.200.33.196 - - [23/Apr/2010:11:39:54 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/mysql/sqlmanager/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:54 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/mysql/mysqlmanager/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:54 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/phpmyadmin/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:54 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/phpMyadmin/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:54 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/phpMyAdmin/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:54 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/phpmyAdmin/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:54 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/phpmyadmin2/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:55 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/2phpmyadmin/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:55 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/phpmy/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:55 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/phppma/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:55 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/myadmin/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:55 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/MyAdmin/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:55 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/program/ HTTP/1.1" 301 - "-" "revolt"
...

Theses patterns are related to Revolt Scanner, an Web scanner specialized in phpMyAdmin installation discovery. When the scanner is started the source port will stay static during the complete web directory discovery brute forcing. Also, this scanner is only targeting the IN A IP address of the domain he is asking.

Theses scans are detected by Emerging Threats Snort rules, more precisely the 2009288WEB_SERVER Attack Tool Revolt Scanner“.

You can find here, the typical list of directories how are scanned by revolt.

Here under you can find the latest statistics for Revolt Agent activities.

1 Month SIG 2009288 events activities
1 Month SIG 2009288 events activities
One year SIG 2009288 events activities
One year SIG 2009288 events activities
1 Month TOP 10 source IPs for SIG 2009288
1 Month TOP 10 source IPs for SIG 2009288
TOP 20 source countries for SIG 2009288
TOP 20 source countries for SIG 2009288

Activité croissante de Revolt Scanner

Various, ,

Depuis environ 1 mois, l’on peut observer une activitĂ© croissante du scanner Revolt, spĂ©cialisĂ© dans la dĂ©couverte des installations de phpMyAdmin. L’annĂ©e dernière cette mĂŞme croissance d’activitĂ© avait prĂ©cĂ©der la mise sur Internet d’un exploit pour phpMyAdmin, qui d’ailleurs est aussi activement utilisĂ© comme vecteur d’attaque. Une nouvelle vulnĂ©rabilitĂ© non encore publiĂ©e pour phpMyAdmin serait-elle en cours d’exploitation ?