Posts tagged: 'sqli'


“Reverse” SQL Injection Using HTTP Headers

I’ve been doing a good deal of research on HTTP Headers recently and was intrigued when I saw the following tweet last week.

The link takes you to a list of hosts that respond with the value “DROP TABLE” somewhere within the server’s HTTP headers.

In case you aren’t already familiar with the HTTP protocol, when you make a request to a web site, let’s say logrhythm.com, something like this is going on in the background.

In this case, we place a GET request for logrhythm.com, and everything after the “HTTP/1.1 200 OK” status line is the set of HTTP header fields that the remote server sent back to us. As we can see above, the server claims to be IIS/6.0. Based on other returned header data, “X-powered-By:PleskWin, ASP.NET” for example, it’s probably a safe bet that it’s a Windows server. Back to the point though: in the case of Mikko’s example, the servers listed don’t respond with a known server type, but instead with the following text:

Server: '; DROP TABLE servertypes; --

Clearly, this is not an actual server type, but a SQL injection payload.

Why would someone configure a server to respond this way?

Well, if we read the SQL it’s pretty simple. It’s telling the database to delete/remove the table servertypes. So who would be inserting HTTP response header values into a DB and would have a table named servertypes? Spiders, bots and crawlers, of course! Well, I’m guessing that’s the idea anyway.

So a bot hits your site, parses your header responses and tries to insert the value from “Server:” into a DB. If it happens to have a table named servertypes and the SQL statements aren’t being prepared or sanitized properly, then the table gets dropped.
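To make the crawler-side risk concrete, here is an added example (not code from the original post or from LogRhythm) in Python. It parses a constructed HTTP response whose Server header carries the string above, then looks that value up in a `servertypes` table the way a naive crawler might. The table name comes from the post; the lookup query, the `example.invalid` host and the sample response are assumptions. The string-built query loses the table; the parameterised query treats the same value as plain data.

```python
import sqlite3

# Constructed sample response (not captured traffic), modelled on the post's
# description of a host that answers with an injection string as its Server value.
RAW_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: '; DROP TABLE servertypes; --\r\n"
    b"X-Powered-By: PleskWin, ASP.NET\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html></html>"
)


def parse_headers(raw: bytes) -> dict:
    """Split a raw HTTP response into {lower-cased header name: value}."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:  # lines[0] is the status line, not a header
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def new_db() -> sqlite3.Connection:
    """Hypothetical crawler schema: a lookup table of known server types."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE servertypes (id INTEGER PRIMARY KEY, name TEXT UNIQUE)")
    conn.execute("INSERT INTO servertypes (name) VALUES ('Microsoft-IIS/6.0')")
    conn.commit()
    return conn


def servertypes_table_exists(conn: sqlite3.Connection) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'servertypes'"
    ).fetchone()
    return row is not None


def lookup_unsafe(conn: sqlite3.Connection, server_value: str) -> None:
    """The bug the post describes: the header value is spliced into the SQL
    text, and executescript() runs every statement it finds, so a value that
    closes the quote and carries its own ';' appends commands of its own."""
    conn.executescript("SELECT id FROM servertypes WHERE name = '%s';" % server_value)


def lookup_safe(conn: sqlite3.Connection, server_value: str):
    """Bound parameter: the value is data, never SQL. The injection string is
    simply an unknown server type (no row) and the table survives."""
    row = conn.execute(
        "SELECT id FROM servertypes WHERE name = ?", (server_value,)
    ).fetchone()
    return row[0] if row else None


def crawl_one(conn: sqlite3.Connection, lookup):
    """Simulate one crawler visit: parse the response, look up its Server value."""
    headers = parse_headers(RAW_RESPONSE)
    return lookup(conn, headers.get("server", ""))


if __name__ == "__main__":
    safe = new_db()
    crawl_one(safe, lookup_safe)
    print("parameterised query, table still present:", servertypes_table_exists(safe))
    unsafe = new_db()
    crawl_one(unsafe, lookup_unsafe)
    print("string-built query, table still present:", servertypes_table_exists(unsafe))
```

The unsafe variant has to use `executescript()` because the `sqlite3` module's `execute()` refuses a string containing more than one statement, which is itself a useful guard; other database drivers are not so strict, and the fix that holds everywhere is binding the header value as a parameter rather than splicing it into the query text.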

Ultimately, it’s probably a joke more than anything, but it’s interesting to think about. This assessment seems to be pretty accurate based on a Reddit mod’s explanation of why Reddit does it here. At this point I will also have to admit that this is not really “reverse” SQLi, because that doesn’t really add up technically.

In the event that you would like to configure your servers to reply with different responses, check out the following links:

Apache: http://httpd.apache.org/docs/2.0/mod/mod_headers.html

IIS7: http://technet.microsoft.com/en-us/library/cc753133(v=ws.10).aspx

NginX: http://blog.secaserver.com/2012/03/customize-server-header-nginx/

Also, I like this site for viewing HTTP headers where standard proxy means are not ideal. http://pgl.yoyo.org/http/server-headers.php


Finding Security Issues in the HTTP Request Headers, and the Mac OSX Flashback Botnet

LogRhythm Labs has recently initiated a research project into HTTP Request Header analysis, to include User Agent strings, both in proxy logs as well as web server logs.  A few recent events have validated our interest in this topic.

The recently identified botnet targeting Mac OSX machines, reportedly with more than 600,000 hosts compromised (Conficker-sized!), uses the bot’s MAC address as the User Agent when phoning home to C&C. Hosts infected with the Backdoor.Flashback.39 trojan can be identified with a simple regex looking for MAC address patterns in an organization’s proxy logs (see below for example regexes).

We’ve also gotten our hands on some IIS log data from a recent high-profile breach.  What we found was very interesting.  The attackers didn’t bother to change the User Agent for the SQLi tools that were used.  Both Havij and sqlmap were identified.  Some simple whitelisting or blacklisting against the UA in the IIS logs would have easily caught these low-hanging fruit.

Stay tuned for more in-depth analysis of User Agent strings and HTTP Request Headers, as well as out-of-the-box content to help secure web applications using SIEM.

Example MAC Address Regexes:

No dashes, colons, or spaces: [a-fA-F0-9]{12}

With dashes, colons, or spaces: ([a-fA-F0-9]{2}(:|-|\s)){5}[a-fA-F0-9]{2}

UPDATE:

Kaspersky Labs gives an example User Agent string for the Flashback malware.  Here’s a regex that will match it in proxy logs: id:[a-fA-F0-9]{8}-\w{4}-[a-fA-F0-9]{4}-\w{4}-[a-fA-F0-9]{12}
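As an added example (not from the original post or LogRhythm’s own content), the following Python runs the three patterns above (the separator form with its last octet completed to two hex digits) plus a simple User Agent match for the sqlmap and Havij tool names mentioned earlier over a few constructed proxy log lines. The log line layout, client addresses and User Agent strings are all constructed; the Flashback-style `id:` value is just a string shaped to fit the regex, not a real sample.

```python
import re

# Detection rules: the three regexes from the post plus a User-Agent blacklist
# for the SQLi tools named in the IIS-log finding. Names are used in the report.
RULES = {
    "mac_no_separators": re.compile(r"[a-fA-F0-9]{12}"),
    "mac_with_separators": re.compile(r"([a-fA-F0-9]{2}(:|-|\s)){5}[a-fA-F0-9]{2}"),
    "flashback_ua_id": re.compile(
        r"id:[a-fA-F0-9]{8}-\w{4}-[a-fA-F0-9]{4}-\w{4}-[a-fA-F0-9]{12}"
    ),
    "sqli_tool_ua": re.compile(r"sqlmap|havij", re.IGNORECASE),
}

# Constructed proxy log lines (not real traffic): timestamp, client, method, URL,
# quoted User-Agent. One clean browser, one MAC-as-UA, one UUID-shaped id:, one tool.
SAMPLE_LOG = [
    '2012-04-12T10:00:01Z 10.0.0.5 GET http://example.invalid/ '
    '"Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0"',
    '2012-04-12T10:00:02Z 10.0.0.6 POST http://example.invalid/ "00:1c:b3:09:85:15"',
    '2012-04-12T10:00:03Z 10.0.0.7 GET http://example.invalid/ '
    '"Mozilla/5.0 (id:0a1b2c3d-e4f5-6789-abcd-0a1b2c3d4e5f)"',
    '2012-04-12T10:00:04Z 10.0.0.8 GET http://example.invalid/?id=1 '
    '"sqlmap/1.0-dev (http://sqlmap.org)"',
]

# Assumed (hypothetical) line format: five space-separated fields, UA in quotes.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$'
)


def parse_line(line: str):
    """Return the line's fields as a dict, or None if it does not fit the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify_user_agent(ua: str) -> list:
    """Names of every rule that fires on this User-Agent, in sorted order."""
    return sorted(name for name, rx in RULES.items() if rx.search(ua))


def scan_log(lines) -> list:
    """Return (client, user_agent, [rule names]) for each line with at least one hit.
    Rules are applied to the extracted User-Agent only, not to the whole line."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        names = classify_user_agent(rec["ua"])
        if names:
            hits.append((rec["client"], rec["ua"], names))
    return hits


if __name__ == "__main__":
    for client, ua, names in scan_log(SAMPLE_LOG):
        print(f"{client}: {', '.join(names)}  <- {ua}")
```

Matching against the extracted User Agent field rather than the whole line keeps timestamps, URLs and session identifiers from tripping the 12-hex-digit pattern. That pattern still fires on the last group of the UUID-shaped Flashback id, which is why the scanner reports every rule that hit rather than stopping at the first; when tuning this in a SIEM, anchoring the bare pattern with `\b` or requiring the whole UA to be a MAC address cuts the noise further.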
