
Another malware exfil attempt


So a client site was under attack. There were many, many attempts to inject SQL like the following into an otherwise innocuous statement:

(SELECT (CASE WHEN (ORD(MID((SELECT IFNULL(CAST(table_name AS NCHAR),0x20) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=0x616f6b6865616c7468 LIMIT 42,1),23,1))>114) THEN 1 ELSE (SELECT 3246 UNION SELECT 9107) END))

In essence it's for stepping through the tables of a target database, through their names one character at a time, finding the characters and outputting them as numbers for reassembly once exfiltrated. Laborious but effective if a SQLi vulnerability is found. Luckily it's also relatively slow and not subtle (depending on the database and server spec). This attempt had been noticed and interrupted before it got into table fields and data, in no small part because its operation caused noticeable degradation of the server.

Yes, this is prevented by parameterising queries and sanitising inputs, but it is also blocked easily enough by detecting never-innocent fragments of the query in any Form or Querystring input and banning the offending IP addresses. I could just temporarily ban the IPs, but in the wide world of IP addresses I figure the probability of the site missing traffic from these IPs is vanishingly small if they are banned permanently.
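As an added example (not code from the original post), here is what those two layers look like side by side in Python: a small inspector that scans every form or querystring value for never-innocent fragments and adds the source IP to a permanent ban list, plus a parameterised lookup that shows why the injected text does nothing when it is bound as a value instead of spliced into the SQL. The fragment list, the IP addresses, the products table and the function names (matched_fragments, BanList, lookup_by_name) are all constructed for this illustration; the only piece taken from the post is the injected statement itself, used as a test input.

```python
import re
import sqlite3
from collections import defaultdict

# The injected SQL quoted in the post, used here only as a test input.
PAYLOAD = ("(SELECT (CASE WHEN (ORD(MID((SELECT IFNULL(CAST(table_name AS NCHAR),0x20) "
           "FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=0x616f6b6865616c7468 LIMIT 42,1),23,1))>114) "
           "THEN 1 ELSE (SELECT 3246 UNION SELECT 9107) END))")

# Fragments that have no business appearing in ordinary form or querystring
# input on this kind of site (constructed list, tuned against the payload above).
# Case-insensitive and whitespace-tolerant; deliberately narrow so a user who
# types "select from the menu" is not banned.
NEVER_INNOCENT = [
    r"information_schema\.",
    r"\bord\s*\(\s*mid\s*\(",
    r"\bifnull\s*\(\s*cast\s*\(",
    r"\bunion\s+select\b",
    r"\bcase\s+when\b.*\bthen\b.*\belse\b.*\bend\b",
]
_PATTERNS = [re.compile(p, re.IGNORECASE | re.DOTALL) for p in NEVER_INNOCENT]


def matched_fragments(value: str) -> list:
    """Return the patterns that fire on a single request parameter value."""
    return [p.pattern for p in _PATTERNS if p.search(value)]


class BanList:
    """Permanent IP ban list fed by request inspection. In-memory stand-in for
    a firewall rule set or a database table."""

    def __init__(self):
        self.banned = set()
        self.hits = defaultdict(list)   # ip -> [(param name, fragments matched)]

    def inspect(self, ip: str, params: dict) -> bool:
        """Scan every form/querystring value; ban the source on the first hit."""
        for name, value in params.items():
            frags = matched_fragments(value)
            if frags:
                self.hits[ip].append((name, frags))
                self.banned.add(ip)
                return True
        return False

    def is_banned(self, ip: str) -> bool:
        return ip in self.banned


# --- the real fix: parameterised queries -----------------------------------

def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products (name) VALUES (?)", [("widget",), ("gadget",)])
    return conn


def lookup_by_name(conn: sqlite3.Connection, name: str) -> list:
    """Bound parameter: whatever the user typed is compared as a string value
    and never becomes part of the SQL text, so the payload matches no row."""
    return conn.execute("SELECT id FROM products WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    bans = BanList()
    # Constructed sample requests; IPs are from the RFC 5737 documentation ranges.
    requests = [
        ("203.0.113.7", {"search": PAYLOAD}),
        ("198.51.100.2", {"search": "red shoes size 9"}),
        ("203.0.113.7", {"search": "anything"}),   # already banned by now
    ]
    for ip, params in requests:
        if bans.is_banned(ip):
            print(f"{ip}: dropped (banned)")
        elif bans.inspect(ip, params):
            print(f"{ip}: banned, matched {bans.hits[ip][-1][1]}")
        else:
            print(f"{ip}: allowed")
    conn = demo_db()
    print(lookup_by_name(conn, "widget"), lookup_by_name(conn, PAYLOAD))
```

The fragment list is the part that needs care: it should be checked against real traffic before it is allowed to ban permanently, since a pattern as loose as `select ... from` would catch ordinary English. The bound-parameter lookup is the layer that removes the vulnerability; the inspector only removes the noise and the server load.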