Tuesday, March 3, 2009

Odd SQL Injection Attack

Updated 3/9/09.

Last night, from 21:21 EST to 21:41 EST a website I help run received over 1300 SQL injection attempts from less than a dozen IP addresses. This is a pretty popular site so its not uncommon for us to get hit with injection attacks, but its rare for us to get this hard.

Normally I would brush it off as an unsuccessful botnet attack, but the SQL injection is bugging me as I can't figure out what the purpose is. The query we recieved was as follows:

/modules.php?name=news&new_topic=9\' and 1=2 union select
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c) and \'1\'=\'1
The user-agent was "NV32ts".

This is an attack on PostNuke, which the site does run. However, the number of CONCAT's are what I'm stumped on (as well as some others I've asked).

The CONCAT(0x27,0x7c,0x5f,0x7c) statement decodes to:
'|_|
When you combine them all together, you get the following statement:
/modules.php?name=news&new_topic=9\' and 1=2 union select
'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,
'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,
'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,
'|_| and \'1\'=\'1
The underscore in MySQL can be used as a single-character wildcard, which could further decode the injection to:
/modules.php?name=news&new_topic=9\' and 1=2 union select
'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,
'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,
'||,'||,'||,'||,'||,'||,'|| and \'1\'=\'1
In reading that, its potentially a bunch of logical OR statements (the double pipes) with some single quotes. But to me it still looks like it will generate at error.

I've googled the CONCAT statement and the user-agent and there are a bunch of hits, but nothing which gives me any information. In fact, it looks like there have been a number of attacks using this string. But, that doesn't give me the purpose of the injection string above. This is what I (and some others) have come up with:
  1. This was meant to generate a SQL error to see if a site is vulnerable. If thats the case, why so many hits in such a short period of time?
  2. The attacker was trying to evade IDS/IPS/protections, but made a mistake.
  3. The attacker just doesn't know what they are doing at all.
I'm open to any ideas.

UPDATE

I received alot of responses on my previous SQL Injection. Thanks to everyone who did. For the most part, most came to the same conclusion as I did that the injection was either to generate an error or it was a mistake on the attacker's part.

As for the user agent, NV32ts, I've confirmed that it is a known signature of a botnet. I am currently trying to dig up any samples on it.

4 comments:

iamnowonmai said...

My guess - messed up code injection.

Frederik said...
This comment has been removed by the author.
Frederik said...

We get this one on all of our asp.net sites.

NV32ts

/pages/news/detail.aspx?id=286'%20And%20char(124)%2b(Select%20Cast(Count(1)%20as%20varchar(8000))%2Bchar(124)%20From%20[sysobjects]%20Where%201=1)>0%20and%20''='

Alec Waters said...

I've managed to compile a bit more on this:

http://wirewatcher.wordpress.com/2009/11/13/cz32ts-evil-twin-of-nv32ts/

http://wirewatcher.wordpress.com/2009/11/13/cz32ts-an-interesting-banana/

alec