SQL injection attacks, in which malicious SQL statements are inserted into an entry field for execution, are one of the most common attack vectors across the globe. SQL injections exploit security vulnerabilities in an application’s software and can be used to attack any type of SQL database.
In the past year, Check Point has created several adjusted SQL injection protections for our IPS software blade. By analyzing the traffic that triggered these protections in networks monitored by Check Point’s Managed Security Service, we can see the current trends and patterns in SQL injection attack attempts.
SQL injection through advertisements
This attack vector forces the attacked server to host advertisements, according to reddit.com. The Check Point IPS protection “SQL Servers MySQL Vendor-specific SQL Injection” found HTTP requests in detected traffic that contained the string “where can you buy the abortion pill.” One report implied that this campaign is not new, and was already active as a spam campaign around July 2014 (per inman.com).
This is the entire resource:
Joint detections of multiple protections
One attack attempt was detected by two SQL injection protections: “SQL Servers MySQL Vendor-specific SQL Injection” and “SQL Servers SQL Injection Evasion Techniques.”
Both of these protections were triggered by connections that contained the same HTTP request as displayed below:
These protections were triggered one after another and from the same source IP addresses. This is not the only occurrence of more than one protection detecting attempts to exploit SQL vulnerabilities. Analysis of several attack attempts detected in the monitored networks shows that the attacker tries to exploit several SQL vulnerabilities at a time.
These are some of the protections that were triggered together, at least four at a time:
- SQL Servers Blind SQL Injection
- SQL Servers MySQL Vendor-specific SQL Injection
- SQL Servers SQL Injection Evasion Techniques
- SQL Servers UNION Query-based SQL Injection
- SQL Servers Oracle Vendor-specific SQL Injection
- SQL Servers Unauthorized Commands SQL Injection
- SQL Servers Time-based SQL Injection
- SQL Servers Stack Query SQL Injection
Havij tool detected by more than one SQL injection protection
In a few attacks detected by the protection “SQL Servers UNION Query-based SQL Injection”, the same hexadecimal string appeared repeatedly in the HTTP requests: ‘31303235343830303536’ (which decodes to 1025480056). This string is identified as related to the Havij SQL injection tool (stackexchange.com, isc.sans.edu). Additionally, this protection was triggered at the same time that traffic from the Havij automated SQL injection tool was detected. The Havij tool is widely used in the course of SQL injection attacks, so any detection of its activity is another step in recognizing and handling an SQL injection attack.
SQL injection – latest patterns in the wild
The following is an analysis of known attack methods used in the latest attack attempts:
- Information schema method – a method in which the attacker queries the part of the database that holds information about the other parts of the database (its databases, tables and columns). Through this metadata, the attacker gains access to more confidential information.
In Example No. 1, although it is easy to see that the vector contains a complex SQL query attempt, the most suspicious element is the request for “information_schema.”
“INFORMATION_SCHEMA” is the information database: the place that stores information about all the other databases that the MySQL server maintains. In addition, the attacker tries to access its COLUMNS table, which provides information about the columns of every table. Therefore, this query can also act on information found in the database without guessing the table names.
Example No. 1:
- Multiple methods in one request – combinations of multiple methods of SQL injection in one attempt, to increase the chances that one of them will succeed.
In examples No. 2 and No. 3, we find various suspicious patterns:
- %2f**%2f – the URL-encoded form of /**/, a multi-line comment used as a separator. It bypasses a defense technique that detects and removes all spaces from user input, or truncates the value at the first space.
- information_schema – as explained above.
- 0x696e666f726d6174696f6e5f736368656d61, 0x6d7973716c, 0x256d61696c25 – hex obfuscation of information_schema, mysql and %mail%. There are also many mixed-case manipulations of the keywords, making this traffic even more suspicious.
Example No. 2
Example No. 3
- Multiline Comments – special character sequences that can be used in SQL injection to bypass certain defense mechanisms.
- “Always True” Vector – a pattern (vector) that takes advantage of SQL semantics, used to extract a lot of information from part of the database.
In Example No. 4, there are a few common SQL injection characteristics:
- WHERE ’1’=’1’ – a WHERE clause of the form where ”=” (or any where <x>=<x>) always evaluates to true. It is used frequently in this type of attack to try to retrieve all rows of the table.
- /**/ – multiline comments. One defense technique detects and removes all spaces, or truncates the value at the first space of the user entry. Multiline comments can be used to bypass such restrictions.
- The comment sequence itself can be obfuscated, as in this attack:
ua00rhsatp01:80/search.phpp?words=%'/%2A%2A/UNION/%2A%2A/SELECT/%2A%2A/1%2CCONCAT%28'%3C1%3E'%2Cname%2C'%3A'%2Cpassword%2C'%3C2%3E'%29%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10/%2A%2A/FROM/%2A%2A/site_administrators/%2A%2A/%2
- (2A is the hex value of *, so %2A%2A encodes **; this hex obfuscation is common within SQL injection vectors.)
- (user,0x3a,password) – the attacker is trying to obtain user account information (user names and passwords).
Example No. 4
- Always True Variant #2
An HTTP request ending in “1=@@version--” or “<x>=<x>” is another pattern that always returns true, meaning the query will supply the information the attacker asked to export from the site. In Example No. 5, the attacker tried to hide “1=1” by using “1=@@version”, which is equivalent to 1.
Example No. 5
/ÿÿÿ-ÿÿÿÿÿ/**/or/**/1=@@version--
- SQL UNION Operator – combines the result sets of two or more SELECT statements, so that an injected SELECT can run against a particular part of the database.
One of the commonly used SQL commands is “UNION.” For a command such as “UNION ALL SELECT 1,2,3,4…” to work properly, the SQL UNION operator has the following requirements:
- The two queries must return exactly the same number of columns.
- The data in the corresponding columns of the two SELECT statements must be of the same (or at least compatible) types.
- To satisfy the first requirement, the attacker injects the second query repeatedly, increasing the number of columns each time until the query executes without error.
Example No. 6
66.63.65.137:80/ask/forum_answer.php?que_id=-1/**/UNION/**/ALL/**/SELECT/**/1,2,3,4,0x4f70656e5641532d53514c2d496e6a656374696f6e2d54657374,6,7,8,9,10/**/FROM/**/expert/*
- Obfuscation Techniques – obfuscate part of the injection attempt to hide it from the defense mechanism.
The attacker may obfuscate, or hide, the use of a tool for automated SQL injection or vulnerability scanning. In Example No. 6 (above), the hex value decodes to the ASCII string “OpenVAS-SQL-Injection-Test”. This obfuscation is intended to hide the activity of OpenVAS, a well-known vulnerability scanner.
- Time Based Attacks – SQL queries that make the database pause for a chosen interval, taking advantage of the fact that the SQL server cannot ignore such time-related queries.
Time delays are a very powerful technique: the web server can hide errors or data, but it cannot avoid waiting for the database to return a result. The delay therefore confirms the existence of SQL injection.
Example No. 7
associazioneprimonebiolo.org/pagina.aspx?ID=182%3B if %281%3D1%29 waitfor delay '00%3A00%3A02'--
- Stack Queries – a sequence of multiple queries executed in a single connection on the database.
One element that has a considerable impact on the ability to exploit an SQL Injection vulnerability is whether stacked queries are allowed. Example No. 8 presents this attack vector.
Example No. 8
http:// (*targeted_site*) /search/(*targeted_site*).idq?CiMaxRecordsPerPage= 10&CiScope=%2F&TemplateName=(*targeted_site*)&CiSort=rank%5Bd%5D&HTMLQueryForm=%2Fsearch.htm&MyQuery=new&GO=GO%27%3B%20if%20%281%3D1%29%20waitfor%20delay%20%2700%3A00%3A06%27--
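As an added illustration (example code written for this page, not Check Point's IPS logic or any project's code), the following Python normalizer applies the decoding steps walked through above (URL decoding, stripping /**/ comments, decoding hex literals such as the Havij marker and the OpenVAS string) to constructed request lines modelled on Examples 4 to 8, then checks the normalized text for the patterns described: information_schema access, always-true conditions, UNION SELECT, waitfor delay and stacked queries. The rule names and sample paths are assumptions, and the samples are constructed rather than logged traffic.

```python
import re
from urllib.parse import unquote

# Constructed request lines modelled on the post's Examples 4 to 8 and the Havij
# marker; hosts are dropped and paths/values are placeholders, not logged data.
SAMPLES = {
    "admins": "/search.php?words=%'/%2A%2A/UNION/%2A%2A/SELECT/%2A%2A/1%2CCONCAT%28name%2C0x3a%2Cpassword%29%2C3/%2A%2A/FROM/%2A%2A/site_administrators/%2A%2A/%2",
    "union_hex": "/ask/forum_answer.php?que_id=-1/**/UNION/**/ALL/**/SELECT/**/1,2,3,4,0x4f70656e5641532d53514c2d496e6a656374696f6e2d54657374,6,7,8,9,10/**/FROM/**/expert/*",
    "time_based": "/pagina.aspx?ID=182%3B if %281%3D1%29 waitfor delay '00%3A00%3A02'--",
    "schema": "/item.php?id=1%2f**%2funion%2f**%2fselect%2f**%2f1%2f**%2ffrom%2f**%2finformation_schema.columns%2f**%2fwhere%2f**%2ftable_name=0x7573657273",
    "havij": "/news.php?id=-1 union select 0x31303235343830303536,2,3",
    "benign": "/search.php?words=union+jack+flag&go=go",
}
HEX_LITERAL = re.compile(r"0x([0-9a-f]{2,})", re.I)
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)
RULES = {  # matched against the normalized (decoded, comment-stripped, lowercased) request
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "information_schema": re.compile(r"\binformation_schema\."),
    "tautology": re.compile(r"\b(?:or|and|where|if)\b\s*\(?\s*(['\"]?)(\w+)\1\s*=\s*\1\2\1"),
    "time_delay": re.compile(r"\bwaitfor\s+delay\b|\b(?:sleep|benchmark)\s*\("),
    "stacked_query": re.compile(r";\s*(?:if|select|insert|update|delete|drop|exec|waitfor)\b"),
    "credential_columns": re.compile(r"\b(?:user|name|username)\s*,\s*(?:'[^']*'\s*,\s*)?password\b"),
}

def decode_hex_literals(text):
    """Replace 0x... literals that encode printable ASCII with the quoted string they hide."""
    found = []
    def repl(match):
        digits = match.group(1)
        raw = bytes.fromhex(digits) if len(digits) % 2 == 0 else b"\xff"  # odd length: not text
        if not all(32 <= b < 127 for b in raw):
            return match.group(0)  # binary data, leave untouched
        found.append(raw.decode("ascii"))
        return "'" + found[-1] + "'"
    return HEX_LITERAL.sub(repl, text), found

def normalize(request_line):
    """URL-decode twice (catches double encoding), drop /**/ comments, decode hex, lowercase."""
    text = unquote(unquote(request_line))
    comments = len(BLOCK_COMMENT.findall(text))
    text, hex_strings = decode_hex_literals(BLOCK_COMMENT.sub(" ", text))
    return text.lower(), comments, hex_strings

def analyze(request_line):
    """Return the rule names that fire plus any decoded hex strings, for triage."""
    normalized, comments, hex_strings = normalize(request_line)
    hits = [name for name, rule in RULES.items() if rule.search(normalized)]
    hits += ["comment_obfuscation"] * bool(comments) + ["hex_obfuscation"] * bool(hex_strings)
    return {"hits": hits, "decoded_hex": hex_strings, "normalized": normalized}
```

Running analyze over the "benign" sample shows why the tautology rule is anchored to or/and/where/if: the parameter go=go in Example No. 8 would otherwise match on its own.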
Statistics
Ratio of SQL injection logs from one monitored network in the past 60 days (over 8000 events):
Identification of the attacking sources in the TP events
Distribution by country of the attacking sources in the TP events