Threat Level: green Handler on Duty: Manuel Pelaez

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

The Havij SQL Injection Tool

Published: 2011-06-06
Last Updated: 2011-06-07 12:23:01 UTC
by Johannes Ullrich (Version: 1)
2 comment(s)

 

Many of the recent high profile attacks follow a similar pattern. First, a web application is compromissed using SQL injection. Next, the attacker dumps the database using the SQL injection vulnerability.

Once the attacker has a hold of the database, the attacker will search it for passwords. In some cases, the password was not hashed, and in other cases, the hash was brute forced. The attacker then used the password to try and breach other accounts.

I will try to write up a few diaries discussing steps to defend against the basic weaknesses exploited by these attacks:

  • SQL Injection
  • Unhashed or weak passwords
  • Password reuse.

In this first pst, we will take a look at SQL injection.

The Tool: Havij

A few times before, I showed some of the attacks we see agains the ISC website. One notable change over the last couple years is an increase in SQL injection attacks. In the past, remote file inclusion attacks dominated. But now, SQL injection attacks have increased substantially, in particular attacks using the attack tool "Havij".

Havij is a simple Windows GUI tool to automate SQL injection attacks. Its capabilities are similar to tools like Absinthe and sqlmap. Personally, I think sqlmap is a more capable tool but it is not as easy to use as a click-kiddie friendly tool like Havij. Havij is distributed by itsecteam, an Iranian security company. The word "Havij" translates to "carrot" and indeed, Havij uses a carrot as icon. Havij works ok with simple GET requests. It does support POST but in my limited testing appears to be less reliable. In its default setting, Havij is easily identified by its user agent:

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) Havij 

The attack method is pretty straight forward. Havij injects a "SELECT UNION" statement and keeps adding additional fields to the union query to work out how many columns are required. Each statement selects static "random" hex strings to make it easy to identify them in the response.

GET /diary.html?storyid=999999.9+UNION+ALL+SELECT+
  0x31303235343830303536%2C0x31303235343830303536--

Again a technique used by other tools as well.

Defense

Of course the best defense is to avoid SQL injection vulnerabilities in the first place. Did I mention yet that you should use prepared statements whenever possible? That and decent input validation will pretty much eliminate the problem.  

Now I also know, that you probably got plenty of legacy applications and applications you didn't code. In these cases, you need a "quick fix". You could for example block the Havij user agent at your Intrustion Protection System or your web application firewall. A little mod_rewrite rule may work too. I find another decent string to detect the tool (and other SQL injection tools) is "%27+UNION+ALL+SELECT" . This string shouldn't have a huge false positive rate. 

We covered SQL Injection a few times before:

http://isc.sans.org/tag.html?tag=SQL%20Injection
 

Update: Thanks to a reader for pointing out that Havij means carrot and that itsecteam is Iranian.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: Havij SQL Injection
2 comment(s)

Phishing: Same goal, same techniques and people still falling for such scams

Published: 2011-06-06
Last Updated: 2011-06-07 03:59:08 UTC
by Manuel Humberto Santander Pelaez (Version: 1)
1 comment(s)

I live in a country where theft by electronic means are at fairly high levels. There are criminal organizations that are responsible for using various techniques to steal users and passwords for online banking web pages, doubling the bank web pages on sites that have security problems by allowing upload files and are used by attackers to mount them.

I want to discuss in this diary a very commonly used technique, which corresponds to spoof a URL in the status bar of browsers and links sent by e-mail. At the end of this text will find the Spanish version, which is a translation of this text in English.

For demonstration purposes, we will use the following URL: http://xeyeteam.appspot.com/media/agh4ZXlldGVhbXINCxIFTWVkaWEY-cIwDA/spoof_StatusBar.html. When passing the mouse over the URL, you can see the website www.google.com. If you click it, it leads to a different place. If you see the source code, the browser is fist recognized using javascript. After that, the status bar is modified using javascript that writes information using the properties in the style sheet customized for each browser:

Spoofed URL

 

Let's see another example. If you use http://handlers.dshield.org/msantand/spoofexample.html, you will get a link pointing to youtube. If clicked, it will get you to SANS Institute website. If you see the source code, when the mouse is not over the link the URL is modified using the href property of the element:

Spoofed bar example 

Unfortunately, at this time the code used on both examples are legitimate to browsers and they are executed as any other code. The only solution is to enforce user awareness and make them keep in they mind that they won't be asked by legitimate companies or people for personal information by e-mail or websites and that they should not click any link sent by e-mail.

------------------------------------------------START OF SPANISH VERSION------------------------------------------------

Vivo en un país en donde los robos utilizando medios electrónicos se encuentran en niveles bastante altos. Existen organizaciones criminales que se encargan de robar mediante diversas técnicas los usuarios y las claves de acceso de las sucursales bancarias en línea, duplicando las páginas web de los bancos en sitios web que poseen problemas de seguridad permitiendo subir archivos y son utilizados por los atacantes para montar estas fachadas fraudulentas.

Quiero discutir en este diario una técnica que es comunmente utilizada, la cual corresponde a falsificar un URL en la barra de estado de los navegadores o de los enlaces enviados por correo electrónico. Utilicemos el siguiente URL de demostración: http://xeyeteam.appspot.com/media/agh4ZXlldGVhbXINCxIFTWVkaWEY-cIwDA/spoof_StatusBar.html. Al pasar el mouse sobre el URL, aparece el sitio web www.google.com. Si usted da click, lo lleva a otro sitio distinto:

URL suplantado

Observemos otro ejemplo. Si usted accede la página http://handlers.dshield.org/msantand/spoofexample.html, encontrará un enlace apuntando al sitio web de youtube. Si le da click, lo llevará al sitio web de SANS Institute. Si usted observa el código fuente, cuando el mouse no se encuentra sobre el enlace, este último es modificado utilizando la propiedad href del elemento

Ejemplo de suplantación de barra de estado 

Desafortunadamente el código mostrado para ambos ejemplos es legítimo para los navegadores y por esto se ejecutan como cualquier otro código. La única solución para este problema es reforzar la concienciación y sensibilización al usuario, haciendo que siempre tenga claro en su mente que nadie legítimo le va a solicitar datos personales por correo o sitios web y que no deben hacer click en ningún enlace que reciban por correo electrónico. 

------------------------------------------------END OF SPANISH VERSION------------------------------------------------

-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org

1 comment(s)
Adobe releases Flash Player patch on a Sunday to combat latest 0day http://www.adobe.com/support/security/bulletins/apsb11-13.html
Diary Archives