The Havij SQL Injection Tool

Published: 2011-06-06
Last Updated: 2011-06-07 12:23:01 UTC
by Johannes Ullrich (Version: 1)
2 comment(s)

 

Many of the recent high profile attacks follow a similar pattern. First, a web application is compromissed using SQL injection. Next, the attacker dumps the database using the SQL injection vulnerability.

Once the attacker has a hold of the database, the attacker will search it for passwords. In some cases, the password was not hashed, and in other cases, the hash was brute forced. The attacker then used the password to try and breach other accounts.

I will try to write up a few diaries discussing steps to defend against the basic weaknesses exploited by these attacks:

  • SQL Injection
  • Unhashed or weak passwords
  • Password reuse.

In this first pst, we will take a look at SQL injection.

The Tool: Havij

A few times before, I showed some of the attacks we see agains the ISC website. One notable change over the last couple years is an increase in SQL injection attacks. In the past, remote file inclusion attacks dominated. But now, SQL injection attacks have increased substantially, in particular attacks using the attack tool "Havij".

Havij is a simple Windows GUI tool to automate SQL injection attacks. Its capabilities are similar to tools like Absinthe and sqlmap. Personally, I think sqlmap is a more capable tool but it is not as easy to use as a click-kiddie friendly tool like Havij. Havij is distributed by itsecteam, an Iranian security company. The word "Havij" translates to "carrot" and indeed, Havij uses a carrot as icon. Havij works ok with simple GET requests. It does support POST but in my limited testing appears to be less reliable. In its default setting, Havij is easily identified by its user agent:

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) Havij 

The attack method is pretty straight forward. Havij injects a "SELECT UNION" statement and keeps adding additional fields to the union query to work out how many columns are required. Each statement selects static "random" hex strings to make it easy to identify them in the response.

GET /diary.html?storyid=999999.9+UNION+ALL+SELECT+
  0x31303235343830303536%2C0x31303235343830303536--

Again a technique used by other tools as well.

Defense

Of course the best defense is to avoid SQL injection vulnerabilities in the first place. Did I mention yet that you should use prepared statements whenever possible? That and decent input validation will pretty much eliminate the problem.  

Now I also know, that you probably got plenty of legacy applications and applications you didn't code. In these cases, you need a "quick fix". You could for example block the Havij user agent at your Intrustion Protection System or your web application firewall. A little mod_rewrite rule may work too. I find another decent string to detect the tool (and other SQL injection tools) is "%27+UNION+ALL+SELECT" . This string shouldn't have a huge false positive rate. 

We covered SQL Injection a few times before:

http://isc.sans.org/tag.html?tag=SQL%20Injection
 

Update: Thanks to a reader for pointing out that Havij means carrot and that itsecteam is Iranian.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: Havij SQL Injection
2 comment(s)

Phishing: Same goal, same techniques and people still falling for such scams

Published: 2011-06-06
Last Updated: 2011-06-07 03:59:08 UTC
by Manuel Humberto Santander Pelaez (Version: 1)
1 comment(s)

I live in a country where theft by electronic means are at fairly high levels. There are criminal organizations that are responsible for using various techniques to steal users and passwords for online banking web pages, doubling the bank web pages on sites that have security problems by allowing upload files and are used by attackers to mount them.

I want to discuss in this diary a very commonly used technique, which corresponds to spoof a URL in the status bar of browsers and links sent by e-mail. At the end of this text will find the Spanish version, which is a translation of this text in English.

For demonstration purposes, we will use the following URL: http://xeyeteam.appspot.com/media/agh4ZXlldGVhbXINCxIFTWVkaWEY-cIwDA/spoof_StatusBar.html. When passing the mouse over the URL, you can see the website www.google.com. If you click it, it leads to a different place. If you see the source code, the browser is fist recognized using javascript. After that, the status bar is modified using javascript that writes information using the properties in the style sheet customized for each browser:

Spoofed URL

 

Let's see another example. If you use http://handlers.dshield.org/msantand/spoofexample.html, you will get a link pointing to youtube. If clicked, it will get you to SANS Institute website. If you see the source code, when the mouse is not over the link the URL is modified using the href property of the element:

Spoofed bar example 

Unfortunately, at this time the code used on both examples are legitimate to browsers and they are executed as any other code. The only solution is to enforce user awareness and make them keep in they mind that they won't be asked by legitimate companies or people for personal information by e-mail or websites and that they should not click any link sent by e-mail.

------------------------------------------------START OF SPANISH VERSION------------------------------------------------

Vivo en un país en donde los robos utilizando medios electrónicos se encuentran en niveles bastante altos. Existen organizaciones criminales que se encargan de robar mediante diversas técnicas los usuarios y las claves de acceso de las sucursales bancarias en línea, duplicando las páginas web de los bancos en sitios web que poseen problemas de seguridad permitiendo subir archivos y son utilizados por los atacantes para montar estas fachadas fraudulentas.

Quiero discutir en este diario una técnica que es comunmente utilizada, la cual corresponde a falsificar un URL en la barra de estado de los navegadores o de los enlaces enviados por correo electrónico. Utilicemos el siguiente URL de demostración: http://xeyeteam.appspot.com/media/agh4ZXlldGVhbXINCxIFTWVkaWEY-cIwDA/spoof_StatusBar.html. Al pasar el mouse sobre el URL, aparece el sitio web www.google.com. Si usted da click, lo lleva a otro sitio distinto:

URL suplantado

Observemos otro ejemplo. Si usted accede la página http://handlers.dshield.org/msantand/spoofexample.html, encontrará un enlace apuntando al sitio web de youtube. Si le da click, lo llevará al sitio web de SANS Institute. Si usted observa el código fuente, cuando el mouse no se encuentra sobre el enlace, este último es modificado utilizando la propiedad href del elemento

Ejemplo de suplantación de barra de estado 

Desafortunadamente el código mostrado para ambos ejemplos es legítimo para los navegadores y por esto se ejecutan como cualquier otro código. La única solución para este problema es reforzar la concienciación y sensibilización al usuario, haciendo que siempre tenga claro en su mente que nadie legítimo le va a solicitar datos personales por correo o sitios web y que no deben hacer click en ningún enlace que reciban por correo electrónico. 

------------------------------------------------END OF SPANISH VERSION------------------------------------------------

-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org

1 comment(s)
Adobe releases Flash Player patch on a Sunday to combat latest 0day http://www.adobe.com/support/security/bulletins/apsb11-13.html

Comments

What's this all about ..?
password reveal .
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
https://thehomestore.com.pk/
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
https://defineprogramming.com/
https://defineprogramming.com/
Enter comment here... a fake TeamViewer page, and that page led to a different type of malware. This week's infection involved a downloaded JavaScript (.js) file that led to Microsoft Installer packages (.msi files) containing other script that used free or open source programs.
distribute malware. Even if the URL listed on the ad shows a legitimate website, subsequent ad traffic can easily lead to a fake page. Different types of malware are distributed in this manner. I've seen IcedID (Bokbot), Gozi/ISFB, and various information stealers distributed through fake software websites that were provided through Google ad traffic. I submitted malicious files from this example to VirusTotal and found a low rate of detection, with some files not showing as malware at all. Additionally, domains associated with this infection frequently change. That might make it hard to detect.
https://clickercounter.org/
Enter corthrthmment here...

Diary Archives