Threat Level: green Handler on Duty: Manuel Pelaez

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

The Havij SQL Injection Tool

Published: 2011-06-06
Last Updated: 2011-06-07 12:23:01 UTC
by Johannes Ullrich (Version: 1)
2 comment(s)

 

Many of the recent high profile attacks follow a similar pattern. First, a web application is compromissed using SQL injection. Next, the attacker dumps the database using the SQL injection vulnerability.

Once the attacker has a hold of the database, the attacker will search it for passwords. In some cases, the password was not hashed, and in other cases, the hash was brute forced. The attacker then used the password to try and breach other accounts.

I will try to write up a few diaries discussing steps to defend against the basic weaknesses exploited by these attacks:

  • SQL Injection
  • Unhashed or weak passwords
  • Password reuse.

In this first pst, we will take a look at SQL injection.

The Tool: Havij

A few times before, I showed some of the attacks we see agains the ISC website. One notable change over the last couple years is an increase in SQL injection attacks. In the past, remote file inclusion attacks dominated. But now, SQL injection attacks have increased substantially, in particular attacks using the attack tool "Havij".

Havij is a simple Windows GUI tool to automate SQL injection attacks. Its capabilities are similar to tools like Absinthe and sqlmap. Personally, I think sqlmap is a more capable tool but it is not as easy to use as a click-kiddie friendly tool like Havij. Havij is distributed by itsecteam, an Iranian security company. The word "Havij" translates to "carrot" and indeed, Havij uses a carrot as icon. Havij works ok with simple GET requests. It does support POST but in my limited testing appears to be less reliable. In its default setting, Havij is easily identified by its user agent:

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) Havij 

The attack method is pretty straight forward. Havij injects a "SELECT UNION" statement and keeps adding additional fields to the union query to work out how many columns are required. Each statement selects static "random" hex strings to make it easy to identify them in the response.

GET /diary.html?storyid=999999.9+UNION+ALL+SELECT+
  0x31303235343830303536%2C0x31303235343830303536--

Again a technique used by other tools as well.

Defense

Of course the best defense is to avoid SQL injection vulnerabilities in the first place. Did I mention yet that you should use prepared statements whenever possible? That and decent input validation will pretty much eliminate the problem.  

Now I also know, that you probably got plenty of legacy applications and applications you didn't code. In these cases, you need a "quick fix". You could for example block the Havij user agent at your Intrustion Protection System or your web application firewall. A little mod_rewrite rule may work too. I find another decent string to detect the tool (and other SQL injection tools) is "%27+UNION+ALL+SELECT" . This string shouldn't have a huge false positive rate. 

We covered SQL Injection a few times before:

http://isc.sans.org/tag.html?tag=SQL%20Injection
 

Update: Thanks to a reader for pointing out that Havij means carrot and that itsecteam is Iranian.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: Havij SQL Injection
2 comment(s)
Diary Archives