Weird attack
Claude_Schnéegans, 11/18/11 11:57 AM:

Hi,

For a few days now, all my sites have been receiving requests in which a string like "/**/or/**/1=@@version)--" is added to the URL.

Has someone any idea what this guy is actually trying to do?

Phillip Vector, 11/18/11 12:02 PM:

I've gotten those as well. It appears he's using a proxy or it's a worm, as it's traced to Germany and PA in the States. No clue as to what it's trying to accomplish.

Wil Genovese, 11/18/11 12:03 PM:

No clue what they are after, but I have been seeing that in my error notification alerts this week. Good old cfqueryparam has been working like a charm!

Wil Genovese
Sr. Web Application Developer / Systems Administrator
CF Webtools
www.cfwebtools.com
wilgeno@trunkful.com
www.trunkful.com

On Nov 18, 2011, at 10:57 AM, Claude Schnéegans wrote:
----- Excess quoted text cut - see Original Post for more -----

Phillip Vector, 11/18/11 12:05 PM:

Well, if it wasn't cfqueryparam, I don't see any issues in the SQL that would cause ... anything. Am I missing something here? If it wasn't scrubbed, what would it do?

Aaron, 11/18/11 12:06 PM:

That is an attempted SQL Injection. @@VERSION returns all the goodies you would expect, and offers information an attacker might be able to use to better exploit.

MS SQL Server @@VERSION: http://msdn.microsoft.com/en-US/library/ms177512(v=SQL.90).aspx

Phillip Vector, 11/18/11 12:09 PM:

Ah.. Thank you.

Dave Watts, 11/18/11 12:09 PM:

> Since a few days, I have all my sites receiving requests in which a string like "/**/or/**/1=@@version)--" is added in the URL.

I would guess it's targeting MS SQL Server (@@VERSION). Beyond that, I'd guess it's intended to identify vulnerable web apps using SQL Server and perhaps measure timings.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Russ Michaels, 11/18/11 12:15 PM:

This is SQL Injection. Most hackers will first use a simple URL hack like this to identify vulnerable websites; their bot will collect the response and flag the ones that gave back the required response.

If your site returned what they wanted, in this case SQL Server version information, then they will attack you with a whole bunch of other SQL injection scripts that are intended to insert phishing JavaScript calls into your database, which will then be output into your page content on your site, thus loading the phishing scripts into your unsuspecting visitors' browsers.

Leigh, 11/18/11 12:15 PM:

> MS SQL Server (@@VERSION).

Btw: MySQL supports @@VERSION too.

Wil Genovese, 11/18/11 12:23 PM:

select @@VERSION does not work with PostgreSQL. This is the DB I use for all my sites.

I scrub ALL data input; varchar fields get run through several scrubbers in my code. The ones I am seeing this on are integer fields, and I have cfqueryparam datatypes set. Thus integers are scrubbed without any other code. Lazy, yes, but it works and I have error handling to deal with it.

Wil Genovese
Sr. Web Application Developer / Systems Administrator
CF Webtools
www.cfwebtools.com
wilgeno@trunkful.com
www.trunkful.com

On Nov 18, 2011, at 11:15 AM, Leigh wrote:
>>> MS SQL Server (@@VERSION).
>
> Btw: MySQL supports @@VERSION too.

Leigh:

I do not know about the whole expression. But a few references mentioned using 1=@@version) to trigger an error disclosing the database version. The @@version variable works in MySQL and MS SQL, maybe others.

-Leigh

Claude_Schnéegans, 11/18/11 12:29 PM:

>> Good old cfqueryparam has been working like a charm!

If your template is not using URL parameters in a query, cfqueryparam won't help. And if the parameter is text, the scrap will get into your database as well. Happily, my moron trap is more general. ;-)

Aaron, 11/18/11 12:32 PM:

SQL Injection attacks are usually just one little possibility an attacker tries, as fast and in as many places as they can, hoping one of them will give up the goods. That one in particular looks like they are banking on forcing their own parameterized query input comparison. If they can break your query's parsing logic and declare their own parameter point (1), then they can supply a test-case version in, say, the form scope, which they may be thinking you are using directly in the code, and compare that to your database's @@version information. Probably the hope for the attacker is the query would run something like (the @@version output doesn't really look like my example, but the idea is the same):

    select * from table where ( ... "Microsoft SQL Server 2000 build 1234, Windows Server 2003 SP1"=@@version) -- and def = whatever)

At this point they know what you are running if the query successfully executed, and probably try some known exploits for that platform. Luckily this isn't something to worry about when you parameterize your queries, since that input will not be executable query constructs.

On Fri, Nov 18, 2011 at 11:05 AM, Phillip Vector <vector@mostdeadlygame.com> wrote:
----- Excess quoted text cut - see Original Post for more -----

Claude_Schnéegans, 11/18/11 12:33 PM:

>> If your site returned what they wanted, in this case SQL server version information

OK, I see. In my case, I doubt the 403 error they get in return will help them a lot ;-)

Aaron, 11/18/11 12:41 PM:

It is actually very difficult to change an application's rendered output, like in the case of obtaining version information. It is much easier to inject comparisons and see if the template continues to execute, and that would verify their inquiry. You are right, an attacker that is just blanket-attacking like that probably will see 403 errors and ignore it, but that is also why they hit a site everywhere they can, because that injection will only work in specific conditions they hope you might have somewhere in your application.

Justin Scott, 11/23/11 05:39 PM:

> If your template is not using URL parameters in a query,
> cfqueryparam won't help.

The cfqueryparam tag doesn't care where data comes from and works just as well on data imported from a CSV or XML file as it does on form, url, or cgi scope variables that the end-user can control. Aside from enforcing data types, it can also help with performance, as the database engine can reuse execution plans if all of the variables are passed into the query this way.

> And if the parameter is text, the scrap will get into your
> database as well. Happily, my moron trap is more general. ;-)

True, and I always recommend error checking before the data ever gets to the database query, but cfqueryparam is designed to stop arbitrary code from getting executed on the database engine and it does a fabulous job of that. It's up to the developer to decide what data they will allow to get that far, however.

-Justin

Claude_Schnéegans, 11/23/11 06:06 PM:

>> The cfqueryparam tag doesn't care where data comes from

What I mean is that cfqueryparam will not protect you against attacks; it will just prevent attacks from being successful. A better approach is to check for a couple of key words like user, declare, script, @@, exec, ... (provided you don't use them in your application) in the url and form variables and systematically ban the IP address. At the very first trial, generally in some parameter not even used in a query, you nip the attack in the bud. Otherwise, you may get hundreds of requests causing errors on your site. With only a cfqueryparam protection, the attack won't succeed, fine, but you may get many error reports.

Justin Scott, 11/23/11 08:48 PM:

> What I mean is that cfqueryparam will not protect you against
> attacks; it will just prevent attacks from being successful.

Well, that's mostly the point.

> A better approach is to check for a couple of key words like ...

In other words, deploy an IDS/IPS system in front of your web application to prevent those attacks from ever getting there. That still doesn't prevent you from being attacked; it just moves the detection and prevention out one more layer away from the database. Deploying multiple layers of security and having a "Defense in Depth" strategy is good practice. Many developers, unfortunately, don't have the resources available to do so. Using cfqueryparam may be the only line of defense in many cases.

> Otherwise, you may get hundreds of requests causing errors
> on your site. With only a cfqueryparam protection, the attack
> won't succeed, fine, but you may get many error reports.

That can generally be solved by a little bit of up-front data massaging. For example, if you know a value is supposed to be a positive integer (many primary keys, etc.)...

    <!--- Force a positive integer or zero. --->
    <cfset url.id = abs(val(trim(url.id))) />

If it's supposed to be a date:

    <cfif not isDate(url.somedate)>
        <cfset url.somedate = "" /> <!--- Or some other reasonable default. --->
    </cfif>

Simple approaches like this will prevent the flood of errors if you don't have the resources for an IDS/IPS system, and don't require you to chase keyword lists which can change over time or be incomplete. I wrote one of those keyword scrubbers a while back (2005!) when one of the major SQL injection attacks was making the rounds and lots of people weren't using cfqueryparam. That is still available at http://www.gravityfree.com/_sqlprev.cfm.txt for those who want that kind of protection in addition to cfqueryparam, though I'd recommend a more solid solution than using that in production.

-Justin

Aaron, 11/24/11 04:40 PM:

In addition to IDS/IPS one could consider an application firewall.

On Nov 23, 2011 7:48 PM, "Justin Scott" <leviathan@darktech.org> wrote:
----- Excess quoted text cut - see Original Post for more -----

Paul Stewart, 11/24/11 05:57 AM:

On 18/11/2011 16:57, Claude Schnéegans wrote:
> Hi,
>
> Since a few days, I have all my sites receiving requests in which a string like "/**/or/**/1=@@version)--" is added in the URL.
>
> Has someone any idea what this guy is actually trying to do ?

Russ Michaels, 11/24/11 06:11 AM:

or give Fuseguard a try
http://foundeo.com/security/

On Thu, Nov 24, 2011 at 10:56 AM, Paul Stewart <paul@whichfranchise.com> wrote:
----- Excess quoted text cut - see Original Post for more -----

Paul Stewart, 11/24/11 07:13 AM:

On 24/11/2011 11:10, Russ Michaels wrote:
----- Excess quoted text cut - see Original Post for more -----

Rick Sanders:

Looks to me as if someone is using a javascript in the url of your sites to generate their own url. Either that or you have a virus, malware, proxy redirection, or your DNS has been changed on your machine. It's worth it to do a scan at http://housecall.trendmicro.com even if you have an antivirus. Good luck.

Kind Regards,
Rick Sanders
Webenergy Software
902-401-7689
http://www.webenergy.ca

On 24/11/2011 11:10, Russ Michaels wrote:
----- Excess quoted text cut - see Original Post for more -----

Paul Stewart, 11/24/11 07:27 AM:

On 24/11/2011 12:21, Rick Sanders wrote:
----- Excess quoted text cut - see Original Post for more -----

Russ Michaels, 11/24/11 08:59 AM:

Fuseguard is nothing to do with me, Rick.

On Thu, Nov 24, 2011 at 12:26 PM, Paul Stewart <paul@whichfranchise.com> wrote:
----- Excess quoted text cut - see Original Post for more -----

Matt Blatchley, 11/24/11 09:41 AM:

I've never used Fuseguard before, looks pretty good though. Any experience with the customizations? It says fully customizable, but is it all done via code, or a GUI?

Russ Michaels, 11/24/11 09:58 AM:

It is all done via config files, but it's pretty straightforward.

On Thu, Nov 24, 2011 at 2:41 PM, Matt Blatchley <matt@bridgeleaf.com> wrote:
> I've never used Fuseguard before, looks pretty good though. Any
> experience with the customizations? It says fully customizable, but
> is it all done via code, or a GUI?

Matt Blatchley, 11/24/11 10:15 AM:

Found it, very cool. I've been using older anti-SQL Injection scripts and blocking IPs, which is a pain in the arse to manage over a long period of time. This should help save me time from having to worry too much about that now.

Pete Freitag, 11/29/11 01:38 PM:

On Thu, Nov 24, 2011 at 9:41 AM, Matt Blatchley <matt@bridgeleaf.com> wrote:
> I've never used Fuseguard before, looks pretty good though. Any
> experience with the customizations? It says fully customizable, but
> is it all done via code, or a GUI?

Hi Matt,

Just wanted to provide some more details on how to customize FuseGuard: it is customized in a CFC file called a Configurator. You can use one Configurator for all your sites, or create customized Configurators for each site / application. When you add FuseGuard to your Application.cfc/cfm you simply tell it which Configurator CFC to use for the given application.

The Configurator tells FuseGuard which filters (filters inspect the request and give it a threat level; they do not modify the input, as that can lead to hard-to-debug issues), loggers (log to db, email, files, etc.), and block listeners (API hook that runs if FuseGuard is configured to block a request, and a request is blocked) to run, along with a few other FuseGuard instance-specific settings.

You can find the Install / Config Docs here: http://foundeo.com/security/fuseguard/docs/2.0/
and the CFC API reference here: http://foundeo.com/security/fuseguard/docs/2.0/reference/
or, if you prefer, here's a 10 min video on installing / configuring FuseGuard: http://www.youtube.com/watch?v=ubESB87vl5U

Feel free to contact me directly if you want. Thanks.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secu

Matt Blatchley, 11/29/11 01:50 PM:

Thanks for the information Pete. I appreciate your response.

Matt
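A worked demonstration of what the probe in this thread does to a string-built query, and why a typed bind parameter (the cfqueryparam cfsqltype="cf_sql_integer" equivalent Wil relies on) stops it. This is an added example, not code from any poster. It uses Python and SQLite; because SQLite has no @@version, sqlite_version() stands in for it (an assumption marked in the code), and the page table and its two rows are constructed. On SQL Server the 1=@@version comparison fails with a conversion error that quotes the version string, which is the disclosure Leigh and Aaron describe; SQLite simply evaluates that comparison as false, so what this example makes visible is the other effect of the payload: the injected ")" and "--" close the WHERE clause early and comment out every condition that followed it.

```python
import sqlite3

# The string from the thread, as appended to an integer URL parameter.
THREAD_PAYLOAD = "/**/or/**/1=@@version)--"


def sqlite_probe(page_id):
    """The same probe aimed at SQLite.

    Assumption: sqlite_version() stands in for SQL Server's @@version,
    which SQLite does not have. The /**/ comments and the trailing )--
    are kept exactly as in the thread.
    """
    return str(page_id) + THREAD_PAYLOAD.replace("@@version", "sqlite_version()")


def make_db():
    """Constructed sample data: one published page and one unpublished draft."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE page (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO page VALUES (?, ?, ?)", [(1, "Home", 1), (2, "Draft", 0)]
    )
    return conn


def vulnerable_lookup(conn, url_id):
    """The pattern the probe is hunting for: url.id concatenated into the SQL.

    Returns the SQL actually sent to the engine alongside the rows, so the
    effect of the payload on the statement text is visible. With the probe,
    the engine sees 'WHERE (id = 2 or 1=sqlite_version())' and the
    'AND published = 1' test is gone, so the unpublished draft is returned.
    """
    sql = f"SELECT id, title FROM page WHERE (id = {url_id} AND published = 1)"
    return sql, conn.execute(sql).fetchall()


def bound_lookup(conn, url_id):
    """Bind parameter with no type enforcement (cfqueryparam without cfsqltype).

    The value is never parsed as SQL. SQLite compares the INTEGER column
    against the whole string, which cannot be converted to a number, so
    nothing matches: the payload reaches the engine but is inert.
    """
    sql = "SELECT id, title FROM page WHERE (id = ? AND published = 1)"
    return conn.execute(sql, (url_id,)).fetchall()


def typed_lookup(conn, url_id):
    """Typed bind parameter (cfqueryparam cfsqltype="cf_sql_integer").

    Non-integer input is rejected before any SQL exists, which is why Wil
    sees these probes as error notifications rather than as queries.
    """
    try:
        page_id = int(url_id)
    except ValueError:
        raise ValueError(f"rejected non-integer id: {url_id!r}") from None
    sql = "SELECT id, title FROM page WHERE (id = ? AND published = 1)"
    return conn.execute(sql, (page_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = sqlite_probe(2)
    sql, rows = vulnerable_lookup(db, probe)
    print("vulnerable SQL :", sql)
    print("vulnerable rows:", rows)
    print("bound rows     :", bound_lookup(db, probe))
    try:
        typed_lookup(db, probe)
    except ValueError as exc:
        print("typed lookup   :", exc)
```

The three lookups are the same query with three different handling strategies for url.id, so the difference between them is entirely in how the input reaches the engine: as statement text (vulnerable), as an untyped value (inert but still arriving at the database), or as a value that must already be an integer (rejected at the application boundary, which is also what produces the error notifications Wil and Claude talk about).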
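Claude's keyword-and-ban rule and Justin's up-front coercion, side by side, as an added example (not code from either poster, and not FuseGuard). It uses Python, a constructed four-line access log with documentation-range IP addresses, and the keyword list Claude gave (user, declare, script, @@, exec); the word-boundary regex, the stripping of the /**/ comments the probe uses in place of spaces, and the one-strike ban counter are this example's additions. The last log line is a legitimate search for the word "script", included to show the false positive behind Justin's warning about chasing keyword lists.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Keyword list as proposed in the thread. The word-boundary regex, the
# comment stripping and the ban counter are this example's additions.
KEYWORDS = ("user", "declare", "script", "exec")
KEYWORD_RE = re.compile(
    r"(?<![a-z0-9_])(?:" + "|".join(KEYWORDS) + r")(?![a-z0-9_])|@@", re.IGNORECASE
)
BLOCK_COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)


def normalise(value):
    """Collapse the /**/ comments the probe uses in place of spaces, so a
    keyword check sees 'or 1=@@version' rather than 'or/**/1=@@version'."""
    return BLOCK_COMMENT_RE.sub(" ", value)


def suspicious_params(url):
    """Return (name, normalised value) for each query parameter that trips
    the keyword list. parse_qsl percent-decodes, so an encoded copy of the
    probe is caught as well."""
    query = urlsplit(url).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        value = normalise(value)
        if KEYWORD_RE.search(value):
            hits.append((name, value))
    return hits


class BanList:
    """Claude's rule: ban the source address at the very first trial."""

    def __init__(self, threshold=1):
        self.threshold = threshold
        self.strikes = defaultdict(int)
        self.banned = set()

    def record(self, ip, url):
        hits = suspicious_params(url)
        if hits:
            self.strikes[ip] += 1
            if self.strikes[ip] >= self.threshold:
                self.banned.add(ip)
        return hits


def coerce_positive_int(raw, default=0):
    """Justin's abs(val(trim(url.id))). ColdFusion's val() returns the
    leading number of a string (or 0), so the probe collapses to its
    integer prefix and the page is served with no error at all."""
    m = re.match(r"[-+]?\d+", raw.strip())
    return abs(int(m.group())) if m else default


# Constructed access-log lines (documentation-range IPs). The second line is
# the first probe percent-encoded; the last is a legitimate search that
# happens to contain the word 'script'.
SAMPLE_LOG = [
    ("203.0.113.7", "/news.cfm?id=2/**/or/**/1=@@version)--"),
    ("203.0.113.7", "/news.cfm?id=2%2F%2A%2A%2For%2F%2A%2A%2F1%3D%40%40version%29--"),
    ("198.51.100.4", "/news.cfm?id=17&page=2"),
    ("198.51.100.9", "/search.cfm?q=script+kiddie"),
]


def scan(log):
    """Run the ban rule over the log; returns the banned set and a per-line
    verdict so the false positive on the last line is visible."""
    bans = BanList()
    verdicts = [(ip, bool(bans.record(ip, url))) for ip, url in log]
    return bans.banned, verdicts


if __name__ == "__main__":
    banned, verdicts = scan(SAMPLE_LOG)
    for ip, flagged in verdicts:
        print(f"{ip:14} {'FLAGGED' if flagged else 'ok'}")
    print("banned:", sorted(banned))
    print("coerced id:", coerce_positive_int("2/**/or/**/1=@@version)--"))
```

The two approaches trade off exactly as the thread describes. Coercion never errors and never notices: the probe becomes id=2 and the page is served, so the attacker's bot sees a normal response and moves on, but nothing is logged. The keyword ban notices at the first request (including the percent-encoded copy, because the check runs after decoding and comment stripping) and shuts the source out, but it flags the innocent search on the last line, which is why the list only works "provided you don't use them in your application". A word-boundary match is what keeps a parameter named "username" from tripping "user"; it does nothing about a legitimate value that contains the word itself.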
June 18, 2013