august 26th, 2009


8/14/2019 August 26th, 2009

Page 1 - CONFIDENTIAL -

SQL/JavaScript Hybrid Worms As Two-stage Quines
Workshop Seguridad Informática 2009, 38 JAIIO (MDQ)
Lic. José Orlicki (jorlicki@)

August 26th, 2009


    Page 2

    Not-So-Secret Agenda

Motivation
Hybrid Scenario
Features Discussion
Proof of Concept Highlights
Demo & Discussion!?

Abstract: a what-if worm scenario, based on real SQL/JS incidents and prototype code, leads to a proof of concept in the laboratory with widely deployed (unhardened) technologies. Helps anticipate future trends and protections.

    - DECLASSIFIED -


    Page 3 - CONFIDENTIAL -

    Attacks in the Wild! (2008)

[..] Anyone know about www.nihaorr1.com/1.js? The db that supports our company's ecommerce is filling up with this url [..]

[..] The script www.nihaorr1.com/1.js is getting inserted into every record of my organization's SQL db. I'm the accidental techie in my office, and I'm clueless [..]

"Huge Web Hack Attack Infects Many Pages", Gregg Keizer, Computerworld (nihaorr1 -> favorite search engine)


Page 4

Prototype of infected RFIDs! (2006)

"Is Your Cat Infected with a Computer Virus?", Melanie R. Rieback, Bruno Crispo, Andrew S. Tanenbaum
SQL virus prototype propagating via RFID tags. (Virus != Worm?)
Uses SQL quines, self-replicating statements.


    Page 6

    Basic Quines in T-SQL and Javascript

Version 1: classic quine techniques in T-SQL

    - NOT CONFIDENTIAL -

Page 7

    Basic Quines in T-SQL and Javascript

    Version 2: quine using native reflection hack in T-SQL

    - NOT CONFIDENTIAL -
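The classic T-SQL quine technique named on these two slides, as an added example that is not the slides' own code: a Node.js program assembles the T-SQL batch and then models the two string operations SQL Server performs when it runs it (REPLACE and string concatenation) to check that the batch prints exactly itself. CHAR(36) stands in for the placeholder character "$" inside the REPLACE call so that "$" occurs only once in @q, because T-SQL REPLACE replaces every occurrence; the slides' Version 2, which reads the running batch back through SQL Server's own reflective features, is not modelled here. The batch text the program prints can be pasted into a SQL Server query window as is.

```javascript
// Added example, not from the slides: the classic quine technique in T-SQL.
// The statement keeps its own text in @q with a single "$" placeholder where
// the literal belongs, then PRINTs @q with "$" replaced by a quoted copy of @q.
// CHAR(36) ('$') is used in the REPLACE call so that "$" itself occurs only
// once in @q; T-SQL REPLACE replaces every occurrence, not just the first.

// Text of the batch with the placeholder still unfilled.
const TSQL_BODY =
  "DECLARE @q VARCHAR(MAX) = $; " +
  "PRINT REPLACE(@q, CHAR(36), '''' + REPLACE(@q, '''', '''''') + '''')";

// A T-SQL single-quoted literal: wrap in quotes and double every quote inside.
function tsqlQuote(s) {
  return "'" + s.replace(/'/g, "''") + "'";
}

// The complete batch: the body with its placeholder replaced by the body as a literal.
function buildTsqlQuine() {
  return TSQL_BODY.replace("$", () => tsqlQuote(TSQL_BODY));
}

// Model of what SQL Server does when it runs the batch: recover @q from the
// literal (undoing quote doubling), then evaluate the PRINT expression, which
// is REPLACE(@q, '$', quoted @q) with T-SQL's replace-all semantics.
function modelTsqlPrint(batch) {
  const m = /^DECLARE @q VARCHAR\(MAX\) = '((?:[^']|'')*)'; PRINT /.exec(batch);
  if (m === null) throw new Error("batch does not have the expected shape");
  const q = m[1].replace(/''/g, "'");
  return q.replace(/\$/g, () => tsqlQuote(q));
}

// Number of placeholders in the body; the construction needs exactly one.
function placeholderCount() {
  return (TSQL_BODY.match(/\$/g) || []).length;
}

if (typeof require !== "undefined" && require.main === module) {
  const batch = buildTsqlQuine();
  console.log(batch);
  console.log("self-reproducing:", modelTsqlPrint(batch) === batch);
}
```

The same construction is what the worm egg has to carry: a literal that, once the quote doubling is undone, is the statement that re-emits it. Any quote-escaping scheme that is not an exact inverse of the one used to build the literal (a column collation that folds characters, a driver that re-escapes) breaks the quine, which is why the slides' proof of concept moved to hex encoding.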

Page 8

    Basic Quines in T-SQL and Javascript

Version 3 (fail!): classic quine and native getElementById() techniques in JavaScript
Similar to Version 1 but on the JS/client side
Similar to Version 2 but idem

    - NOT CONFIDENTIAL -
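The two JavaScript quine techniques this slide names, as an added example that is not the slides' code: a classic quine that carries its own text in a string and splices in a quoted copy, and a reflective quine that reads its own source back through Function.prototype.toString (the slide's browser variant reads the script element's text via getElementById; there is no DOM in Node.js, so a function is the reflected object here). Each program is checked by evaluating it and comparing the value it yields with its own source.

```javascript
// Added example, not from the slides: the two JavaScript quine techniques the
// slide names, each checked by evaluating the program and comparing the value
// it yields with its own source text.

// Classic technique: the program text lives in a string with a placeholder
// where that string itself must appear; the program splices in a quoted copy.
// "#" is the placeholder and a function replacer is passed to
// String.prototype.replace, so the "$"-patterns of replacement strings cannot
// corrupt the copy.
function buildClassicQuine() {
  const body = 'const s = #; s.replace("#", () => JSON.stringify(s))';
  return body.replace("#", () => JSON.stringify(body));
}

// Reflective technique: the program reads its own source back through
// Function.prototype.toString instead of carrying a copy of it. In a browser
// the slide's variant reads the <script> element's text via getElementById;
// here the function object is what is reflected on.
function buildReflectiveQuine() {
  function q() { return q.toString() + "\nq()"; }
  return q.toString() + "\nq()";
}

// A program is a quine when running it yields exactly its own source.
// Indirect eval runs the program in global scope; the value of the program is
// the value of its last expression statement.
function isQuine(program) {
  try {
    return (0, eval)(program) === program;
  } catch (e) {
    return false;
  }
}

if (typeof require !== "undefined" && require.main === module) {
  for (const p of [buildClassicQuine(), buildReflectiveQuine()]) {
    console.log(p);
    console.log("quine:", isQuine(p));
  }
}
```

The reflective form is the shorter one, and it is also the one that fails outside its environment: move the function text into a SQL column and back and toString no longer refers to anything, which is the boundary the slides' Version 3 ran into.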

Page 9 - CONFIDENTIAL -

    Proof of Concept

Lab:
1. CherryPy,
2. Two ad-hoc-vulnerable webapps in different domains,
3. MS-SQL,
4. Python SQL interface, no modifications.

Two-stage self-replication. Targets VARCHAR and TEXT db fields, ALL TABLES.

Version 1: MS-SQL quines, JavaScript regexes to extract new possible victim URLs, blind injection. (7359 bytes of SQLi egg)
Version 2: MS-SQL reflective features. (approx. 3000 bytes, idem)
Version 3 (fail!): JavaScript quines and reflection worked, the complete worm didn't. (estimated 1500 bytes)

Page 10

    Proof of Concept (cont.)

SQL hex and URL encoding: stealthiness and SQLi correctness. 4-variable (original, 1 variable, 2008) scattered egg:

http://192.168.1.105:8081/greetUser?numid=1%3BDECLARE+@S+VARCHAR(MAX),@S2+VARCHAR(MAX),@S3+VARCHAR(MAX),@S4+VARCHAR(MAX)%3BSET+@S=CAST(0x0d0a444398498468 ...

Regex matching for detecting possible new victim sites:

var regexp = new RegExp("[a-zA-Z0-9-.?_&=:\/]+\/[a-zA-Z0-9-\.?_&=]+=[0-9]+", "g");
var m = infected_html.match(regexp);

JavaScript blind XSS for propagation (very naive!)
document.write("
);

- NOT CONFIDENTIAL -
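The defender's side of this slide, as an added example that is not part of the presentation: a Node.js decoder that URL-decodes a request of the shape shown above, pulls every SET @x=CAST(0x... AS VARCHAR(MAX)) piece out of it, rejoins the pieces in the order the EXEC() names them, and reports the SQL the egg actually carries, so that an access-log hit can be read instead of just flagged. The request and log lines are constructed here, the egg they carry is a harmless PRINT rather than the worm, and the EXEC(@S+@S2+@S3+@S4) rejoin form is an assumption about how a four-variable egg is reassembled; the host and path are the slide's.

```javascript
// Added example, not from the slides: decoding a hex-encoded, variable-scattered
// T-SQL injection egg of the shape shown in the slide's URL, from the defender's
// side (web access logs). The request below is constructed here; its egg is a
// harmless PRINT, not the worm. The rejoin form EXEC(@S+@S2+@S3+@S4) is an
// assumption about how a 4-variable egg is reassembled.

// 0x... literal as accepted by CAST(0x.. AS VARCHAR(MAX)); VARCHAR is 8-bit,
// so latin1 is the byte encoding used.
function toHexLiteral(text) {
  return "0x" + Buffer.from(text, "latin1").toString("hex");
}

// Split the egg into n roughly equal pieces, one per variable.
function scatter(text, n) {
  const size = Math.ceil(text.length / n);
  const parts = [];
  for (let i = 0; i < text.length; i += size) parts.push(text.slice(i, i + size));
  return parts;
}

// Constructed sample request in the slide's shape: numid=1;DECLARE ...;SET ...;EXEC(...)
function buildSampleRequest(eggSql) {
  const names = ["@S", "@S2", "@S3", "@S4"];
  const parts = scatter(eggSql, names.length);
  const decl = "DECLARE " + names.map((n) => n + " VARCHAR(MAX)").join(",");
  const sets = names.map((n, i) => "SET " + n + "=CAST(" + toHexLiteral(parts[i]) + " AS VARCHAR(MAX))");
  const sql = [decl, ...sets, "EXEC(" + names.join("+") + ")"].join(";");
  // Form-style URL encoding with "+" for spaces, as in the slide's URL.
  const numid = encodeURIComponent("1;" + sql).replace(/%20/g, "+");
  return "http://192.168.1.105:8081/greetUser?numid=" + numid;
}

// Decode one URL. Returns null when there is no SET @x=CAST(0x.. AS VARCHAR)
// ... EXEC(...) pattern; otherwise the variable order and the rejoined egg.
function decodeEgg(url) {
  const qs = url.split("?")[1] || "";
  const sql = decodeURIComponent(qs.replace(/\+/g, " "));
  const pieces = {};
  const setRe = /SET\s+(@\w+)\s*=\s*CAST\(\s*0x([0-9a-f]+)\s+AS\s+(N?)VARCHAR/gi;
  let m;
  while ((m = setRe.exec(sql)) !== null) {
    // NVARCHAR hex is UTF-16LE; VARCHAR hex is single-byte.
    const enc = m[3].toUpperCase() === "N" ? "utf16le" : "latin1";
    pieces[m[1].toUpperCase()] = Buffer.from(m[2], "hex").toString(enc);
  }
  const exec = /EXEC\s*\(\s*([@\w+\s]+)\)/i.exec(sql);
  if (exec === null || Object.keys(pieces).length === 0) return null;
  const order = exec[1].split("+").map((s) => s.trim().toUpperCase());
  if (!order.every((n) => n in pieces)) return null;
  return { variables: order, egg: order.map((n) => pieces[n]).join("") };
}

// Constructed access-log lines in "METHOD URL STATUS" form. Line 2 carries the egg,
// which starts with CRLF like the slide's 0x0d0a... literal.
const SAMPLE_EGG = "\r\nPRINT 'constructed sample egg'";
const SAMPLE_LOG = [
  "GET http://192.168.1.105:8081/greetUser?numid=1 200",
  "GET " + buildSampleRequest(SAMPLE_EGG) + " 200",
  "GET http://192.168.1.105:8081/greetUser?numid=7 200",
];

// Scan log lines and report each decoded egg with its line number.
function scanLog(lines) {
  const hits = [];
  lines.forEach((line, i) => {
    const url = line.split(" ")[1];
    const r = url ? decodeEgg(url) : null;
    if (r !== null) hits.push({ line: i + 1, variables: r.variables, egg: r.egg });
  });
  return hits;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(scanLog(SAMPLE_LOG), null, 2));
}
```

The point of the hex literal on the attacker's side is that none of the egg's keywords (UPDATE, the script URL, the quine's own quotes) appear in the request, so keyword filters on the query string see only DECLARE/CAST/EXEC; a log rule should therefore key on that CAST(0x... AS VARCHAR) ... EXEC( shape and decode, rather than on the payload's words.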

Page 11 - CONFIDENTIAL -

    Hybrid Worms Discussion!

Billy Hoffman and John Terrill, "The Little Hybrid Web Worm that Could", Black Hat USA 2007. (they focus on JS obfuscation and Perl)

No choke point.
Stealthier infections.
More portability (interpreted lang?)
Target generic vulnerabilities (idem)
Easily obfuscated (idem)
Fewer crashes (idem)

    Data/Web 2.0/Cloud centric?

Page 12

Demonstration!?

    ...but I can only show you the door. You're the one that has to walkthrough it...

Acknowledgements:
- Core Security Team: support and creative environment.
- Sebastián Cufré: T-SQL tricks.
- Aureliano Calvo: JavaScript concepts.
- Pedro Varangot: suitable testing computer.

    - DECLASSIFIED -

Page 13 - CONFIDENTIAL -

    Questions?

Thanks!

Contact: