SpiderLabs Blog

WASC Distributed Open Proxy Honeypot: Blind SQL Injection Attempt (Update)

Written by SpiderLabs Anterior | Nov 6, 2007 8:23:00 AM

As some of you may know, I am heading up the WASC Distributed Open Proxy Honeypot Project. The project architecture includes having participants deploy VMware images of a specially configured Apache server (functioning as an open proxy) along with ModSecurity. When the honeypot identifies an attack, it blocks it and then sends back the attack data to a central log server. This gives us a pretty unique view of the types of attacks that are happening out on the web, as most bad guys are using these types of open proxies to funnel their attacks through to try and hide their true origins.

We recently (Oct 2007) deployed phase II of the project and now have many more sensors online. As you might expect, we are getting some interesting traffic :) With this in mind, I am going to be periodically posting attack data that we identify with the honeypots and provide a sort of web attack "Chalk Talk" breakdown of what is happening. For those of you who aren't familiar with the "Chalk Talk" term, it is commonly used by sports commentators in the United States when discussing American Football. The sports analysts break down the schemes used by offenses and defenses to show spectators the details of what is happening.

With this in mind, here is the 1st installment - Blind SQL Injection.

A client sent the following request (bolded portions are of interest):

GET http://www.mehdiplugins.com/misc/phpbbjoomhack.htm?textfield=Your%20site%20was%20so%20interesting %20and%20informative%20I%20had%20to%20call%20a%20friend%20to%20tell%20her%20about%20it%2E%20Great %20work%0D%0A%20%3Ca%20href%3Dhttp%3A%2F%2Fnwhjl%2Efree%2Dsite%2Dhost%2Ecom%2Fmap4%2Ehtml%20%3E%20 My%20Best%20Links%20%3C%2Fa%3E%20%20%3Ca%20href%3Dhttp%3A%2F%2Fnwhjl%2Efree%2Dsite%2Dhost%2Ecom%2F map2%2Ehtml%20%3E%20top%20links%20%3C%2Fa%3E%20%20%3Ca%20href%3Dhttp%3A%2F%2Fahsjh%2Efreephpwebhosting %2Enet%2Fmap8%2Ehtml%20%3E%20favourite%20links%20%3C%2Fa%3E%20%20%3Ca%20href%3Dhttp%3A%2F%2Fahsjh %2Efreephpwebhosting%2Enet%2Fmap7%2Ehtml%20%3E%20Links%20%3C%2Fa%3E%20%0D%0A%20%5Burl%3Dhttp%3A%2F %2Fmembers%2Elycos%2Eco%2Euk%2Fdfska%2Fmap3%2Ehtml%5D%20top%20links%20%5B%2Furl%5D%20%20%5Burl%3D http%3A%2F%2Fkersnm%2Eawesomewebspace%2Ecom%2Fmap3%2Ehtml%5D%20best%20links%20%5B%2Furl%5D%20%20%5B url%3Dhttp%3A%2F%2Fnwhjl%2Efree%2Dsite%2Dhost%2Ecom%2Fmap5%2Ehtml%5D%20My%20Links%20%5B%2Furl%5D%20 %20%5Burl%3Dhttp%3A%2F%2Fnwhjl%2Efree%2Dsite%2Dhost%2Ecom%2Fmap1%2Ehtml%5D%20my%20favourite%20links %20%5B%2Furl%5D%20%20%5Burl%3Dhttp%3A%2F%2Fkersnm%2Eawesomewebspace%2Ecom%2Fmap6%2Ehtml%5D%20Links %20%5B%2Furl%5D%20&textfield2=Michalis&textfield3=if%28%20md5%28%24password%29%20%3D%3D%20 %24row%5B%27user%5Fpassword%27%5D%20%26%26%20%24row%5B%27user%5Factive%27%5D%20%29&textfield4 =Your%20site%20was%20so%20interesting%20and%20informative%20I%20had%20to%20call%20a%20friend%20to%20 tell%20her%20about%20it%2E%20Great%20work%0D%0A%20%3Ca%20href%3Dhttp%3A%2F%2Fnwhjl%2Efree%2Dsite%2D host%2Ecom%2Fmap4%2Ehtml%20%3E%20My%20Best%20Links%20%3C%2Fa%3E%20%20%3Ca%20href%3Dhttp%3A%2F%2Fnwhjl %2Efree%2Dsite%2Dhost%2Ecom%2Fmap2%2Ehtml%20%3E%20top%20links%20%3C%2Fa%3E%20%20%3Ca%20href%3Dhttp %3A%2F%2Fahsjh%2Efreephpwebhosting%2Enet%2Fmap8%2Ehtml%20%3E%20favourite%20links%20%3C%2Fa%3E%20%20 %3Ca%20href%3Dhttp%3A%2F%2Fahsjh%2Efreephpwebhosting%2Enet%2Fmap7%2Ehtml%20%3E%20Links%20%3C%2Fa%3E 
%20%0D%0A%20%5Burl%3Dhttp%3A%2F%2Fmembers%2Elycos%2Eco%2Euk%2Fdfska%2Fmap3%2Ehtml%5D%20top%20links %20%5B%2Furl%5D%20%20%5Burl%3Dhttp%3A%2F%2Fkersnm%2Eawesomewebspace%2Ecom%2Fmap3%2Ehtml%5D%20best%20 links%20%5B%2Furl%5D%20%20%5Burl%3Dhttp%3A%2F%2Fnwhjl%2Efree%2Dsite%2Dhost%2Ecom%2Fmap5%2Ehtml%5D%20 My%20Links%20%5B%2Furl%5D%20%20%5Burl%3Dhttp%3A%2F%2Fnwhjl%2Efree%2Dsite%2Dhost%2Ecom%2Fmap1%2Ehtml %5D%20my%20favourite%20links%20%5B%2Furl%5D%20%20%5Burl%3Dhttp%3A%2F%2Fkersnm%2Eawesomewebspace%2Ecom %2Fmap6%2Ehtml%5D%20Links%20%5B%2Furl%5D%20&textfield32=if%28%20md5%28%24password%29%20%3D %3D%20%24row%5B%27user%5Fpassword%27%5D%20%26%26%20%24row%5B%27user%5Factive%27%5D%20%29 &textfield5=Namibia%2C%20Guangzhou&textfield6=http%3A%2F%2Fahsjh%2Efreephpwebhosting%2Enet%2Fmap8%2E html&textfield22=http%3A%2F%2Fahsjh%2Efreephpwebhosting%2Enet%2Fmap8%2Ehtml HTTP/1.0 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */* Accept-Language: en Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Referer: http://www.mehdiplugins.com/misc/phpbbjoomhack.htm Host: www.mehdiplugins.com 

If you URL Decode this text, you will get the following:

GET http://www.mehdiplugins.com/misc/phpbbjoomhack.htm?textfield=Your site was so interesting and informative I had to call a friend to tell her about it. Great work  <a href=http://nwhjl.free-site-host.com/map4.html > My Best Links   <a href=http://nwhjl.free-site-host.com/map2.html > top links   <a href=http://ahsjh.freephpwebhosting.net/map8.html > favourite links   <a href=http://ahsjh.freephpwebhosting.net/map7.html > Links    [url=http://members.lycos.co.uk/dfska/map3.html] top links [/url]  [url=http://kersnm.awesomewebspace.com/map3.html] best links [/url]  [url=http://nwhjl.free-site-host.com/map5.html] My Links [/url]  [url=http://nwhjl.free-site-host.com/map1.html] my favourite links [/url]  [url=http://kersnm.awesomewebspace.com/map6.html] Links [/url] &textfield2=Michalis&textfield3=if( md5($password) == $row['user_password'] && $row['user_active'] )&textfield4=Your site was so interesting and informative I had to call a friend to tell her about it. Great work  <a href=http://nwhjl.free-site-host.com/map4.html > My Best Links   <a href=http://nwhjl.free-site-host.com/map2.html > top links   <a href=http://ahsjh.freephpwebhosting.net/map8.html > favourite links   <a href=http://ahsjh.freephpwebhosting.net/map7.html > Links    [url=http://members.lycos.co.uk/dfska/map3.html] top links [/url]  [url=http://kersnm.awesomewebspace.com/map3.html] best links [/url]  [url=http://nwhjl.free-site-host.com/map5.html] My Links [/url]  [url=http://nwhjl.free-site-host.com/map1.html] my favourite links [/url]  [url=http://kersnm.awesomewebspace.com/map6.html] Links [/url] &textfield32=if( md5($password) == $row['user_password'] && $row['user_active'] )&textfield5=Namibia, Guangzhou&textfield6=http://ahsjh.freephpwebhosting.net/map8.html&textfield22= http://ahsjh.freephpwebhosting.net/map8.html HTTP/1.0 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */* Accept-Language: en Accept-Encoding: gzip, deflate User-Agent: 
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Referer: http://www.mehdiplugins.com/misc/phpbbjoomhack.htm Host: www.mehdiplugins.com 

The URL-decoded data makes it much easier to visually identify what the client was trying to do. This appears to be a SPAMMER who is sending their data to this destination in the hopes that it will be posted to the comment site where users will see it.

The bolded portion of the data triggered a ModSecurity Core Rule for Blind SQL Injection and generated this alert message:

Message: Access denied with code 200 (phase 2). Pattern match "\\b(?:(?:s(?:ys(?:(?:(?:process|tabl)e|filegroup|object)s|c (?:o(?:nstraint|lumn)s|at)|dba|ibm)|ubstr (?:ing)?)|user_(?:(?:(?:constrain|objec)t|tab(?:_column|le)| ind_column|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects) |object_(?:(?:nam|typ)e|id) ..." at ARGS:textfield3. [id "950904"] [msg "Blind SQL Injection Attack. Matched signature <user_password>"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/4.5"] [tag "OWASP/A6"] [tag "PCI/6.5.6"] 

So, the matched portion of the text was this:

if( md5($password) == $row['user_password'] && $row['user_active'] ) 

What is this attempting to do? It appears that the SPAMMER is attempting to Bypass Authentication for the PHPBB form page. This actually makes sense when you think about it from a spammer's perspective. What is easier and less resource intensive? To either actually register for accounts on these sites to then allow them to post or to include this Blind SQL Injection Authentication Bypass string and not have to worry about authenticating at all? The latter, it seems, is the case.

Update

We had more time to review this specific transaction and it appears to be a False Positive. It is not that the rule triggered on something that it shouldn't have, but rather that this was not an actual Blind SQL Injection attack.

The string that was matched is actually a PHP code snippet that was present in the page. It seems that the SPAMMER's script automatically included all of the hidden arguments in their request. I guess that instead of taking the time to code in the proper intelligence as to what fields are required for their request, it is just easier to "throw the kitchen sink" at it and include everything. Most web apps will not error out with extra parameters; however, they will if you are missing required elements.
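The validation step described in this update, as an added example (not code from the original post or from the honeypot project): it URL-decodes the request, applies an excerpt of the signature printed in the alert, and checks whether the flagged value is identical to a default that the page's own form served. The form HTML, the shortened request and the names `FormDefaults` and `triage` are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Excerpt of the pattern printed in the alert (the alert truncates the rest);
# the trailing word boundary is an assumption of this example.
SIG = re.compile(r"\buser_(?:(?:(?:constrain|objec)t|tab(?:_column|le)"
                 r"|ind_column|user)s|password|group)\b", re.I)

# Constructed stand-in for the target page's form; the real HTML is not shown.
FORM_HTML = """<form action="phpbbjoomhack.htm" method="get">
<input type="hidden" name="textfield3"
 value="if( md5($password) == $row['user_password'] &amp;&amp; $row['user_active'] )">
</form>"""

# Constructed request: the captured one with the spam link list cut down.
REQUEST_URL = ("http://www.mehdiplugins.com/misc/phpbbjoomhack.htm"
               "?textfield=Great%20work%20%3Ca%20href%3Dhttp%3A%2F%2Fexample"
               "%2Einvalid%2Fmap4%2Ehtml%20%3E%20Links%20%3C%2Fa%3E"
               "&textfield2=Michalis&textfield3=if%28%20md5%28%24password%29"
               "%20%3D%3D%20%24row%5B%27user%5Fpassword%27%5D%20%26%26%20%24row"
               "%5B%27user%5Factive%27%5D%20%29&textfield5=Namibia%2C%20Guangzhou")

class FormDefaults(HTMLParser):
    """Collect the default value of every <input> in the served page."""
    def __init__(self):
        super().__init__()
        self.defaults = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and "name" in a:
            self.defaults[a["name"]] = a.get("value") or ""

def triage(url, form_html):
    """Return (param, matched_token, verdict) for each signature hit."""
    parser = FormDefaults()
    parser.feed(form_html)
    hits = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        m = SIG.search(value)
        if m:
            # A value identical to the form's own default was echoed back by
            # the client, not crafted by it: a candidate false positive.
            echoed = parser.defaults.get(name) == value
            hits.append((name, m.group(0), "echoed" if echoed else "review"))
    return hits

print(triage(REQUEST_URL, FORM_HTML))
```

A hit marked `review` still needs an analyst; `echoed` only says the client returned what the page handed it.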

As a side note, at the same time we were conducting this internal analysis, we did receive some feedback from the public re-affirming this theory (thanks kuza55 by way of Jeremiah Grossman's Blog). This does raise an important issue - we need help with data analysis! If you are interested in participating in the WASC honeypot project (even if you don't want to deploy an actual honeypot) then please let me know and we will get you signed up for the project mail-list. This way, we can get more eyes on these alerts for validation.