[nsp-sec] Thoughts on the mass SQL injections

Smith, Donald Donald.Smith at qwest.com
Tue Jun 24 14:56:22 EDT 2008


Related, but slightly off topic: we have several diaries up on how to PREVENT SQL injection.
http://isc.sans.org/diary.html?storyid=4615
And 
http://isc.sans.org/diary.html?storyid=4610

It is a bit humorous that Jason and I both chose to write diaries about preventing SQL injections, and that we posted them so close together, even using some of the same inputs; but if you need to help your customers avoid getting injected, these articles and the tools they point to may assist you.

Security through obscurity WORKS against some worms and ssh attacks:)
Donald.Smith at qwest.com giac 

> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net 
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of 
> Yonglin ZHOU
> Sent: Monday, June 23, 2008 7:50 PM
> To: Seth Hall
> Cc: nsp-security NSP
> Subject: Re: [nsp-sec] Thoughts on the mass SQL injections
> 
> ----------- nsp-security Confidential --------
> 
> Hi Seth,
> 
> On 6/24/08, Seth Hall <hall.692 at osu.edu> wrote:
> > ----------- nsp-security Confidential --------
> >
> >
> > On Jun 23, 2008, at 11:58 AM, Chris Morrow wrote:
> >> I think, thought someone chunked the particular query type 2+ weeks
> >> ago so it'd return nothing or some interstitial page... if there's
> >> an example query I can take a poke around.
> >
> >
> > I don't really know what could be done to filter these results from
> > the search engine, but here's an example of what I'm 
> talking about...
> >    http://www.google.com/search?q=wow112
> 
> When I tried it I did get a great deal of results. But most of them are
> pages talking about the SQL injection attacks in articles.  I think
> this case is not a good choice for bad guys already.
> 
> Talking about filtering potentially dangerous queries, I think it is
> not fair to only ask Google to do that and not other search engine
> vendors. Anyway, they have competition.
> 
> Besides, maybe making a standard malicious-query blocklist for all
> the search engines is necessary. Then CSIRT teams could provide
> keywords in a uniform format for their easy use.
> 
> Just my 2 cents.
> 
> Yonglin.
> 
> >
> > It comes back with a lot of sites with definite SQL injection
> > vulnerabilities.  I checked the first site that showed up, and it
> > looks like they cleaned up the content on the page but they're still
> > vulnerable to SQL injection attacks.  Because all of these sites are
> > pretty certain to be MSSQL behind ASP and tools already exist for
> > dumping the database schema in this scenario (a tool named 
> HackomatiX,
> > but its site's down) it doesn't take too much of a stretch of the
> > imagination to foresee a malicious individual writing a script that
> > grabs all sorts of sensitive data from these sites.
> >
> > Doing a search for the second level domain of almost any of 
> the names
> > on http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080514
> > comes up with similar results.
> >
> >    .Seth
> >
> > ---
> > Seth Hall
> > Network Security - Office of the CIO
> > The Ohio State University
> > Phone: 614-292-9721
> >
> >
> >
> > _______________________________________________
> > nsp-security mailing list
> > nsp-security at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/nsp-security
> >
> > Please do not Forward, CC, or BCC this E-mail outside of 
> the nsp-security
> > community. Confidentiality is essential for effective 
> Internet security
> > counter-measures.
> > _______________________________________________
> >
> 
> 
> -- 
> -------[CNCERT/CC]-----------------------------------------------
> Zhou, Yonglin              【周勇林】
> CNCERT/CC, P.R.China       【国家计算机网络应急技术处理协调中心】
> Tel: +86 10 82990355  Fax: +86 10 82990399  Web: www.cert.org.cn
> Finger Print: 9AF3 E830 A350 218D BD2C  2B65 6F60 BEFB 3962 1C64
> -----------------------------------------------[CNCERT/CC]-------
> 
> 
> 
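As an added illustration of the two points raised in this thread (Seth's note that schema-dumping tools exist for the vulnerable MSSQL/ASP sites, and Donald's pointers to prevention), here is a small self-contained example that is not part of the original messages or the ISC diaries. It uses SQLite in place of MSSQL and a Python handler in place of ASP (an assumption: the string-concatenation flaw and the parameterized fix are the same in both stacks; SQLite's sqlite_master stands in for MSSQL's system catalog). The table and row contents are constructed for the demo.

```python
"""Schema-dumping SQL injection beside its parameterized fix.

Added example; assumes SQLite as a stand-in for MSSQL and a plain Python
function as a stand-in for an ASP search page. All data is constructed.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database with a product catalogue and a
    'sensitive' customer table that the search page was never meant to expose."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, descr TEXT);
        CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT);
        INSERT INTO products (name, descr)
            VALUES ('widget', 'a small widget'), ('gadget', 'a big gadget');
        INSERT INTO customers (email, card_last4)
            VALUES ('alice@example.com', '1234');
        """
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, q: str) -> list:
    """The classic ASP-era pattern: user input is glued into the SQL text,
    so a quote in `q` ends the string literal and the rest becomes SQL."""
    sql = "SELECT name, descr FROM products WHERE name LIKE '%" + q + "%'"
    return conn.execute(sql).fetchall()


def search_safe(conn: sqlite3.Connection, q: str) -> list:
    """The fix: a parameterized query. The driver sends `q` as data, never as
    SQL text, so quotes, UNION and comment markers in it are inert."""
    sql = "SELECT name, descr FROM products WHERE name LIKE ?"
    return conn.execute(sql, ("%" + q + "%",)).fetchall()


# Payload of the kind a schema-dumping tool would send: close the LIKE
# literal, UNION in the catalogue, and comment out the trailing "%'".
# (sqlite_master here; on MSSQL the equivalent targets sysobjects/syscolumns.)
SCHEMA_DUMP = "' UNION SELECT name, sql FROM sqlite_master WHERE type='table'--"


def dump_schema_via_injection(conn: sqlite3.Connection) -> dict:
    """Run the payload through the vulnerable handler and pull out the
    CREATE TABLE statements it leaks, keyed by table name."""
    rows = search_vulnerable(conn, SCHEMA_DUMP)
    return {name: ddl for name, ddl in rows
            if isinstance(ddl, str) and ddl.upper().startswith("CREATE TABLE")}


if __name__ == "__main__":
    db = make_db()
    print("normal search:", search_safe(db, "wid"))
    print("leaked schema via vulnerable handler:")
    for name, ddl in dump_schema_via_injection(db).items():
        print("  ", name, "->", ddl)
    print("same payload against safe handler:", search_safe(db, SCHEMA_DUMP))
```

The vulnerable handler hands back the full DDL of every table, including the customer table the search page never references; the parameterized handler treats the same payload as a product name that matches nothing. That difference, not input filtering, is what the prevention diaries above are pointing at.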

