SQL-Injection - "ASCII Encoded/Binary String Automated SQL Injection Attack" - i'm saimatkong
Follow saimatkong @ twitter

SQL-Injection – "ASCII Encoded/Binary String Automated SQL Injection Attack"

Written on July 21, 2008 – 6:05 pm | by Saimatkong Tian Leong | 48,989 views

What is SQL Injection?

SQL injection is a technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.

Source : WikiPedia

Is your website hack proof or affected by SQL Injection? You might want to check your site now and make sure that your site is not affected by SQL Injection. Today itself, I just found out that my client website was hacked by this SQL-Injection with the script “ngg.js” which created much trouble. (as you could see from the image below with this “script src=http://www.keje.ru/ngg.js /script”)

SQL Injection

There seems to be a new wave of sql injections ending with ngg.js, it’s a kind of script that will run maybe to harm your pc recently?

The following table lists the references to malicious scripts detected and reported to date:

Date Monitored | Script Reference
7/20/2008 http://www.o1o2qq.cn/ri.js
7/20/2008 http://www.5kc3.ru/ngg.js
7/20/2008 http://www.sslwer.ru/ngg.js
7/20/2008 http://www.gb53.ru/ngg.js
7/20/2008 http://www.vcre.ru/ngg.js
7/20/2008 http://www.4cnw.ru/ngg.js
7/20/2008 http://www.sdkj.ru/ngg.js
7/20/2008 http://www.lkc2.ru/ngg.js
7/20/2008 http://www.kc43.ru/ngg.js
7/20/2008 http://www.bnrc.ru/ngg.js
7/20/2008 http://www.adwr.ru/ngg.js
7/20/2008 http://www.jvke.ru/ngg.js
7/20/2008 http://www.h23f.ru/ngg.js
7/20/2008 http://www.90mc.ru/ngg.js
7/20/2008 http://www.keec.ru/ngg.js
7/20/2008 http://www.jex5.ru/ngg.js
7/20/2008 http://www.rrcs.ru/ngg.js
7/20/2008 http://www.iogp.ru/ngg.js
7/20/2008 http://www.nudk.ru/ngg.js
7/20/2008 http://www.lodse.ru/ngg.js
7/20/2008 http://www.adwbn.ru/ngg.js
7/20/2008 http://www.ecx2.ru/ngg.js
7/20/2008 http://www.d5sg.ru/ngg.js
7/20/2008 http://www.keje.ru/ngg.js
7/19/2008 http://www.wowofmusiopl.com.cn/456.js
7/19/2008 http://www.btoperc.ru/ngg.js
7/19/2008 http://www.gbradde.tk/ngg.js
7/19/2008 http://www.korfd.ru/ngg.js
7/19/2008 http://www.movaddw.com/ngg.js
7/19/2008 http://www.usabnr.com/ngg.js
7/19/2008 http://www.ausbnr.com/ngg.js
7/19/2008 http://www.adwnetw.com/ngg.js
7/19/2008 http://www.grtsel.ru/ngg.js
7/19/2008 http://www.cdrpoex.com/ngg.js
7/19/2008 http://www.tctcow.com/ngg.js
7/19/2008 http://www.adpzo.com/ngg.js
7/19/2008 http://www.brcporb.ru/ngg.js
7/18/2008 http://www.hiwowpp.cn/ri.js
7/17/2008 http://www.rcdplc.ru/ngg.js
7/17/2008 http://www.maigol.cn/ri.js
7/17/2008 http://www.j8heisi.cn/ri.js
7/16/2008 http://www.cdport.eu/ngg.js
7/16/2008 http://www.bkpadd.mobi/ngg.js
7/16/2008 http://www.pyttco.com/ngg.js
7/16/2008 http://www.butdrv.com/ngg.js
7/16/2008 http://www.gitporg.com/ngg.js
7/16/2008 http://www.cliprts.com/ngg.js
7/16/2008 http://www.nopcls.com/ngg.js
7/16/2008 http://www.loopadd.com/ngg.js
7/16/2008 http://www.tertad.mobi/ngg.js
7/16/2008 http://www.destad.mobi/ngg.js
7/15/2008 http://www.porttw.mobi/ngg.js
7/15/2008 http://www.bnsdrv.com/ngg.js
7/15/2008 http://www.hdrcom.com/ngg.js
7/15/2008 http://www.addrl.com/ngg.js
7/14/2008 http://www.usaadp.com/ngg.js
7/14/2008 http://www.gbradp.com/ngg.js
7/14/2008 http://www.gbradw.com/ngg.js
7/14/2008 http://www.drvadw.com/ngg.js
7/14/2008 http://www.crtbond.com/ngg.js
7/14/2008 http://www.usaadw.com/ngg.js
7/11/2008 http://www.destbnp.com/ngg.js
7/10/2008 http://www.ausadd.com/ngg.js
7/9/2008 http://www.attadd.com/ngg.js
7/8/2008 http://www.allocbn.mobi/ngg.js
7/8/2008 http://www.catdbw.mobi/ngg.js
7/8/2008 http://www.asslad.com/ngg.js
7/8/2008 http://www.browsad.com/ngg.js
7/8/2008 http://www.bnrbase.com/ngg.js
7/8/2008 http://www.brsadd.com/ngg.js
7/8/2008 http://www.bnrbtch.com/ngg.js
7/8/2008 http://www.loctenv.com/ngg.js
7/8/2008 http://www.appdad.com/ngg.js
7/8/2008 http://www.apidad.com/ngg.js
7/8/2008 http://www.asodbr.com/ngg.js
7/8/2008 http://www.bnradd.mobi/ngg.js
7/8/2008 http://www.dbgbron.com/ngg.js
7/8/2008 http://www.adwadb.mobi/ngg.js
7/8/2008 http://www.blcadw.com/ngg.js
7/8/2008 http://www.portadrd.com/ngg.js
7/8/2008 http://www.blockkd.com/ngg.js
7/8/2008 http://www.clrbbd.com/ngg.js
7/7/2008 http://www.adbtch.com/ngg.js
7/7/2008 http://www.lokriet.com/ngg.js
7/7/2008 http://www.ucomddv.com/ngg.js
7/7/2008 http://www.bnrbasead.com/ngg.js
7/7/2008 http://www.aladbnr.com/ngg.js
7/7/2008 http://www.hiwowpp.cn/k.js
7/7/2008 http://www.mainbvd.com/ngg.js
7/7/2008 http://www.mainadt.com/ngg.js
7/7/2008 http://www.stiwdd.com/ngg.js
7/7/2008 http://www.upcomd.com/ngg.js
7/7/2008 http://www.portwbr.com/ngg.js
7/7/2008 http://www.testwvr.com/ngg.js
7/7/2008 http://www.ktrcom.com/ngg.js
7/7/2008 http://www.canclvr.com/ngg.js
7/4/2008 http://www.loveqianlai.cn/ri.js
7/3/2008 http://www.maigol.cn/k.js
7/3/2008 http://www.qqcc123.cn/ri.js
7/2/2008 http://www.qqcc123.cn/k.js
7/2/2008 http://www.debug73.com/ngg.js
7/2/2008 http://www.cont67.com/ngg.js
7/2/2008 http://www.config73.com/ngg.js
7/2/2008 http://www.default37.com/ngg.js
7/2/2008 http://www.cntrl62.com/ngg.js
7/2/2008 http://www.config73.com/b.js
7/2/2008 http://www.default37.com/b.js
7/2/2008 http://www.csl24.com/b.js
7/2/2008 http://www.cont67.com/b.js
7/2/2008 http://www.cntrl62.com/b.js
7/2/2008 http://www.get49.net/b.js
7/2/2008 http://www.web923.com/b.js
7/2/2008 http://www.debug73.com/b.js
7/2/2008 http://www.pid76.net/b.js
7/2/2008 http://www.adwste.mobi/b.js
7/2/2008 http://www.pid72.com/b.js
7/2/2008 http://www.adupd.mobi/b.js
7/2/2008 http://www.bnrupdate.mobi/b.js
7/2/2008 http://www.qq117cc.cn/ri.js
7/2/2008 http://www.qq117cc.cn/k.js
7/1/2008 http://www.suppadw.com/b.js
7/1/2008 http://www.supbnr.com/b.js
7/1/2008 http://www.hdadwcd.com/b.js
7/1/2008 http://www.kadport.com/b.js
6/30/2008 http://www.adwsupp.com/b.js
6/28/2008 http://www.hlpgetw.com/b.js
6/28/2008 http://www.lang34.com/b.js
6/28/2008 http://www.dl251.com/b.js
6/28/2008 http://www.tid62.com/b.js
6/28/2008 http://www.rid34.com/b.js
6/27/2008 http://www.bin963.com/b.js
6/27/2008 http://www.base48.com/b.js
6/27/2008 http://www.appid37.com/b.js
6/27/2008 http://www.apps84.com/b.js
6/27/2008 http://www.aspx49.com/b.js
6/27/2008 http://www.app52.com/b.js
6/27/2008 http://www.aspssl63.com/b.js
6/27/2008 http://www.batch29.com/b.js
6/26/2008 http://www.j8j8hei.cn/k.js
6/26/2008 “http://www.heiheinn.cn/k.js”
6/26/2008 http://www.bios47.com/b.js
6/26/2008 http://www.asp707.com/b.js
6/26/2008 http://www.dbupdr.com/b.js
6/26/2008 http://www.cid26.com/b.js
6/26/2008 http://www.st212.com/b.js
6/26/2008 http://www.getbwd.com/b.js
6/25/2008 http://www.westpacsecuresite.com/b.js
6/25/2008 http://www.update34.com/b.js
6/25/2008 http://www.bnradw.com/b.js
6/25/2008 http://www.pingadw.com/b.js
6/25/2008 http://www.pingbnr.com/b.js
6/24/2008 http://www.coldwop.com/b.js
6/24/2008 http://www.alzhead.com/b.js
6/24/2008 http://www.chkbnr.com/b.js
6/24/2008 http://www.chinabnr.com/b.js
6/24/2008 http://www.adwbnr.com/b.js
6/24/2008 http://www.chkadw.com/b.js
6/22/2008 http://www.heiheinn.cn/k.js
6/16/2008 http://www.heihei117.cn/k.js
6/16/2008 http://www.heihei117.cn.js
6/13/2008 http://www.fengnima.cn/k.js
6/13/2008 http://www.killpp.cn/k.js
6/10/2008 http://www.fengnima.cn/m.js
6/7/2008 http://www.killpp.cn/m.js
6/7/2008 http://www.qiqicc.cn/m.js
6/6/2008 http://www.nihao112.com/m.js
6/5/2008 http://o7n9.cn/a.js
6/2/2008 http://www.dota11.cn/m.js
5/24/2008 http://9i5t.cn/a.js

Introduction
Research, as well as Google’s Cache, indicates that there is a significant number of websites that are still vulnerable to SQL Injection attacks. Despite the fact that input filtering techniques and other protective measures are widely known, it is understandable why this is still the case. Regardless of their underlying technology, it often would be almost impractical to review out dated and/or poorly written websites and eliminate all vulnerabilities in their code bases. Such websites typically use the dynamic construction of ad-hoc SQL queries at run-time quite extensively. Even if a given website is less vulnerable, unintentionally missing even a single security hole could be sufficient to permit a successful SQL Injection attack. Such holes can be easily found during the “study” phase of the site (for example, by crawling the site in question and looking for vulnerable web pages).

Regardless of the complexity and costs involved, a publisher has a responsibility to shield his website from the risk of infection and becoming a virus distributing agent. Publishers of any size must protect their sites’ visitors from exposure to malicious scripts at all times.

Financial benefits, such as click-fraud, ad revenue generating zombies, and virtual assets, are generally the driving force behind these types of attacks, as research suggests. However, this can be prevented by use of secure programming and best practices. Ongoing monitoring, detection, and pro-active defensive methods should be utilized within the various layers of any web application.

Attack Description
Recently, we came across a particularly interesting type of SQL Injection that, at times, can be quite difficult to clean, even with the most robust database backup and recovery scheme. This massive and ongoing attack is conducted with the help of an Internet robot—also known as malbot and botnet—which attacks its prospects daily. It is likely that such a botnet fires the series of injection attempts continuously and conditionally until the malicious script references are sensed on the targeted web pages and/or based on detected vulnerability indicators.

The botnet behind this attack, called ASProx, was previously associated with Phishing attacks, and is now indirectly pushing malware through websites that are vulnerable to SQL Injection. The attackers have designed the Asprox botnet to conduct, with the help of Google search engine, an initial research for web pages utilizing ASP (.asp), ASP.NET (.aspx), and PHP (.php) web technologies. The ASProx botnet also utilizes a DNS Fast-Fluxing technique to hide the actual malware delivery sites behind an ever-changing network of compromised hosts acting as proxies. The botnet’s infrastructure grows steadily, and our own attack sample indicates it exceeds 24,200 distinct and recurring IP addresses to date.

There is nothing new in the way that the following T-SQL is injected. Yet, the generic nature of the script is somewhat interesting to see.

Analyzing the pattern above, it is quite obvious this attack is carefully crafted and fully managed. New malware domains are introduced daily, while others are excluded, probably based on declining success metrics as anti-virus and related software and hardware vendors are updating their databases and blacklisting newly detected domains.

This T-SQL script—carried by a single malicious request to a website that is vulnerable to SQL Injection—results in content contamination of the entire site with Persistent/Type 2 Cross-Site Scripting (XSS) exploit. The injected Javascript dynamically writes an invisible IFRAME HTML tag to the involuntarily hosting page, pointing to the actual web page that contains different malicious content in an effort to exploit current software configuration vulnerabilities of the end-user’s machine (and to further empower the botnet). Ironically, the botnet masters explicitly express cyber-crime sympathy or sort of patriotism by excluding all end-users with the following language preferences set in their browser—Russian (RU), Chinese (ZH-CN, ZH-TW, ZH), Korean (KO), Hindi (HI), Thai (TH), and Vietnamese (VI)—as the ngg.js script suggests.

Solutions: How To Immune Your Web Application and Database From Such Automated SQL Injection Attacks

Our attack sample indicates that the botnet zombies cover the entire globe and therefore, an IP-based filtering solution that excludes certain regions will not suffice by itself. Still in the networking-layer, an Intrusion Prevention System (IPS), be it hardware or software based, can make access control decisions based on sensed content and drop the malicious request and other potential malicious activity before it is passed to the web server. A software-based IPS can, for example (but not limited to), provide protection via integration with the IIS platform as an ISAPI filter.

If the web application being attacked is templated, or the underlying web technology is configurable and/or extensible and allows participation in the page processing, it is possible to detect the injected malicious T-SQL script during early stages of the page processing and force an exception at that point. Because such a solution is centralized, it is manageable and will prevent the malicious T-SQL from being propagated to an ad-hoc SQL query down the queue of the page request processing. This effectively stops this attack vector “at the gate.” The following ASP 3.0/VB and ASP.NET/C# code snippets demonstrate this (imperfect)

Quick & Dirty approach:
<%
Dim strQuery

strQuery = Request.ServerVariables("QUERY_STRING")
strQuery = Replace(URLDecode(strQuery), " ", "")

If InStr(UCase$(strQuery),"EXEC(") > 0 OR Len(strQuery) > 500 Then
Response.Write 1/0
End If
%>

Or you may follow my own way to replace the single quote syntax which is the cause of the SQL-Injection by just calling this valid_sql function across all your program. You may save it into a file and then use include function to include the file which can be accessible by all the pages.

<%
Function valid_sql(s)

For i = 1 To Len(s)
If Mid(s, i, 1) = "'" Then
temp = temp + "'"
End If

temp = temp + Mid(s, i, 1)
Next

valid_sql=trim(temp)

End Function
%>

source : bloombit.com

Related Posts Plugin for WordPress, Blogger...

Tags: , , ,

Related Posts

  1. 2 Responses to “SQL-Injection – "ASCII Encoded/Binary String Automated SQL Injection Attack"”

  2. By sam on Jul 25, 2008 | Reply

    I thought this was omre of a case of Cross Site Scripting and not SQL injection based on the usage of .js file.

    http://en.wikipedia.org/wiki/Cross_site_scripting

    Please don’t quote wrongly, as I believe you are an IT student… dun memalukan sendiri leh…

  3. By saimatkong on Jul 25, 2008 | Reply

    hi sam, thank you for your comment but pls read carefully before commenting and refer to the source pls. and don’t know who malukan sendiri.

    http://www.bloombit.com/Articles/2008/05/ASCII-Encoded-Binary-String-Automated-SQL-Injection.aspx

    it’s automated sql injection and it inject the script. go to the site and find out more and you could google about it too.

    =)

Post a Comment

About Me

This blog is a platform for me to write and share my passions: food, travel, gadgets, photography and events.

Facebook | Twitter | +Google | Instagram

Read more...

Want to subscribe?

 Subscribe in a reader Or, subscribe via email:
Enter your email address:  
Google