SecureState Blog

Read SecureState's award winning blog.

Many of my clients look to me and my team of penetration testers for input on the latest and greatest attacks since we are down in the trenches performing the work and clean-up of real-world attacks.With that being said, a member of the Northeast Ohio INFOSEC forum recently sent out a request for more information regarding over 1,000 recently blocked requests against a website he runs.The attack came from less than 12 IP addresses with a user-agent of “NV32ts“, so it *may* be a fair assumption that it came from a bot net.

The attack looked like this:

/modules.php?name=news&new_topic=9′ and 1=2 union select CONCAT(0×27,0x7c,0x5f,0x7c),CONCAT(0×27,0x7c,0x5f,0x7c),
CONCAT(0×27,0x7c,0x5f,0x7c),CONCAT(0×27,0x7c,0x5f,0x7c),
CONCAT(0×27,0x7c,0x5f,0x7c),CONCAT(0×27,0x7c,0x5f,0x7c),
CONCAT(0×27,0x7c,0x5f,0x7c),CONCAT(0×27,0x7c,0x5f,0x7c),
CONCAT(0×27,0x7c,0x5f,0x7c),CONCAT(0×27,0x7c,0x5f,0x7c),
CONCAT(0×27,0x7c,0x5f,0x7c),CONCAT(0×27,0x7c,0x5f,0x7c),
CONCAT(0×27,0x7c,0x5f,0x7c),CONCAT(0×27,0x7c,0x5f,0x7c),
CONCAT(0×27,0x7c,0x5f,0x7c),CONCAT(0×27,0x7c,0x5f,0x7c),
CONCAT(0×27,0x7c,0x5f,0x7c),CONCAT(0×27,0x7c,0x5f,0x7c),
CONCAT(0×27,0x7c,0x5f,0x7c),CONCAT(0×27,0x7c,0x5f,0x7c),
CONCAT(0×27,0x7c,0x5f,0x7c) and ’1′=’1

Just from looking at it, I observe a few things:

  • <!–[if !supportLists]–><!–[endif]–>It is a clearly a SQL injection attempt
  • <!–[endif]–>It utilizes hex
  • <!–[endif]–>I assume the escaped quotes are because of PHP’s magic quotes being enabled
  • <!–[endif]–>Its syntax shows an attempt to inject into a string literal
  • <!–[endif]–>It attempts to append data to a record set with UNION SELECT
  • <!–[endif]–>The UNION SELECT has 21 values with each being CONCAT(0×27,0x7c,0x5f,0x7c)
  • <!–[endif]–>The injection is meant to be in the same query as the page’s query since it doesn’t utilize comments (MS SQL allows for “piggybacking” of queries, others like Oracle and MySQL do not)

Let’s break it down into something we can read:

/modules.php?name=news&new_topic=9′ and 1=2 union select ‘|_|, ‘|_|, ‘|_|, ‘|_|, ‘|_|, ‘|_|, ‘|_|, ‘|_|, ‘|_|, ‘|_|, ‘|_|, ‘|_|, ‘|_|, ‘|_|, ‘|_|, ‘|_|, ‘|_|, ‘|_|, ‘|_|, ‘|_|, ‘|_| and ’1′=’1

More observations:

  • <!–[if !supportLists]–>An underscore (“_”) in MySQL is a wildcard for a single character
  • Two vertical bars in Oracle and other databases is equivalent to “OR” as most people know it
  • <!–[endif]–>‘|_| would be the same as ‘|*| for those of you that are familiar with an asterisk wildcard, or ‘|?| for those of you that like MSDOS and renaming other things… (for example, to rename test_1.txt to test-1.txt you would use rename test?*.txt test-*.jpg)

What doesn’t make sense:

  • <!–[endif]–>‘|_| would leave an unclosed quotation mark…so there are syntax errors for every value, and the number of values being odd, so let’s say they are careless and they get lucky for single quotes to close each other out, at best, we *may* be able to get 10 values, but we still have one oddball that will cause an error…you would have a string literal of “|_|, “ followed by a |_|, which does not follow logically…The UNION SELECT portion makes no sense to me whatsoever…perhaps me not knowing much about MySQL is an issue, or the attack was by a script kiddy.
  • If you search “0×27,0x7c,0x5f,0x7c” in Google there are 3,450 hits.There is somewhat widespread exposure out there with this…
  • If it is specifically aiming at 21 values in the UNION SELECT, maybe it is targeting a specific 3rd party application?
  • <!–[endif]–>The logic is AND UNION SELECT <21> AND

<!–[if !supportLists]–>o<!–[endif]–> AND will always be false

<!–[if !supportLists]–>o<!–[endif]–>UNION SELECT <21> will always fail with syntax errors

<!–[if !supportLists]–>o<!–[endif]–>AND will be true only if injecting into a string literal

  • <!–[if !supportLists]–>From the previous bullet point, whatever the page is that will be loading will NEVER return a record…

After my analysis and trying to think outside of the box, with so many things to go wrong with this attack, I have led myself to believe that the one and only goal of this is to cause deliberate errors.There is the opportunity for unclosed quotations, different numbers of values in the UNION and page, and who knows how many others I missed…

Part of my due diligence as a pen tester is to always be on top of things, and provided the latest and greatest to everyone, and aiding other information security professionals with my knowledge.For those of you that may have been lost through all of that, I chose to post this blog to give some insight as to some of the challenges we face in this world of cyber criminals.Not only do I break into stuff regularly, I also try to decipher the bad guys’ attacks as well.As the saying goes, you have to know how to be a hacker to defend against one.

If anyone has any information as to what this may be or has seen it before, I would love to hear your thoughts so not only I can hear, but I can forward them on to others if someone has a better explanation that I do!