[WEB SECURITY] Mass SQL Injection Bots Now Targeting PHP Sites
- From: "Ryan Barnett" <rcbarnett@xxxxxxxxx>
- Subject: [WEB SECURITY] Mass SQL Injection Bots Now Targeting PHP Sites
- Date: Thu, 28 Aug 2008 15:05:51 -0400
Greetings everyone,

I know that most of you have already heard about the mass SQL Injection bots that have been hammering IIS/ASP/MS-SQL sites; however, the theory is that the SQL injection code could be updated to compromise other platforms such as PHP/MySQL, etc... Well, I have been doing some research and I am finding evidence of PHP sites that have been infected. For example, if you do a google search looking for PHP sites that have the same javascript code (http://www.google.com/search?hl=en&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&q=%221000mg.cn%2Fcsrss%2Fw.js%22+inurl%3Aphp&btnG=Search) as some examples that ModSecurity users sent to me, you will see approximately 3,200 PHP sites are currently infected.

Technical Sidenote - what is interesting with these PHP sites is that even though their web applications are not properly filtering client input and their DB queries are not secure, they are actually able to prevent the goal of this particular attack since the PHP code is properly html encoding the output sent to the clients :) If you go to the sites, the javascript is actually displayed as text by the browser instead of being executed as a script. Hooray defense in depth!

What I am not sure of, however, is whether the attack code itself has indeed changed (to target other back-end DBs) or if the victim site is using a PHP front-end with a MS-SQL back-end... If you have any logs of these attacks where they are targeting PHP pages (instead of ASP/ASPX), please share them with me or post them here on my Blog -
http://tacticalwebappsec.blogspot.com/2008/08/are-mass-sql-injection-attacks-now.html

Thanks.
-- 
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
Tactical Web Application Security
http://tacticalwebappsec.blogspot.com/
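The "Technical Sidenote" above describes a site whose database rows have already been tainted with a script tag but whose templates HTML-encode output, so the browser shows the tag as text. The following is an added example, not code from Ryan Barnett's post or from any of the affected sites, that reproduces that situation in miniature: an in-memory SQLite table stands in for a defaced CMS content table (the tainted row and the script domain are constructed placeholders, not the one named in the post), one render path emits the row raw, the other encodes it the way PHP's htmlspecialchars() would, and a small sweep shows how a site owner can find which rows carry the injected reference.

```python
"""Added example (not from the post above): HTML-encoding output blunts the
mass SQL-injection payload even where the underlying queries are not secure.

Assumptions (constructed for this example): an SQLite table `news` whose
`body` column has had a <script> reference appended by a bot, mirroring the
infected pages the post describes. The domain below is a placeholder.
"""
import html
import re
import sqlite3

# Constructed sample data: one clean row and one row a bot has tainted.
INJECTED_TAG = '<script src="http://malicious.example/csrss/w.js"></script>'
SAMPLE_ROWS = [
    (1, "Store hours", "We are open 9-5 on weekdays."),
    (2, "New products", "See our autumn range." + INJECTED_TAG),
]

# Matches a real (unencoded) opening script tag; "&lt;script" will not match.
SCRIPT_TAG = re.compile(r"<script\b[^>]*>", re.IGNORECASE)


def build_db() -> sqlite3.Connection:
    """Create an in-memory table that mimics a defaced CMS content table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def _fetch(conn: sqlite3.Connection, article_id: int) -> tuple:
    # Parameterised lookup (the secure form); the stored content is still tainted.
    return conn.execute(
        "SELECT title, body FROM news WHERE id = ?", (article_id,)
    ).fetchone()


def render_unsafe(conn: sqlite3.Connection, article_id: int) -> str:
    """No output encoding: the injected tag reaches the browser as live markup."""
    title, body = _fetch(conn, article_id)
    return f"<h1>{title}</h1><p>{body}</p>"


def render_encoded(conn: sqlite3.Connection, article_id: int) -> str:
    """htmlspecialchars()-style encoding (html.escape): the tag becomes plain text."""
    title, body = _fetch(conn, article_id)
    return f"<h1>{html.escape(title)}</h1><p>{html.escape(body)}</p>"


def contains_live_script(page_html: str) -> bool:
    """True if the rendered page contains an unencoded <script ...> tag."""
    return SCRIPT_TAG.search(page_html) is not None


def find_tainted_rows(conn: sqlite3.Connection) -> list:
    """Detection sweep: ids of rows whose stored text carries a script tag."""
    return [
        row_id
        for row_id, title, body in conn.execute("SELECT id, title, body FROM news")
        if SCRIPT_TAG.search(title) or SCRIPT_TAG.search(body)
    ]


if __name__ == "__main__":
    db = build_db()
    print("unsafe  :", render_unsafe(db, 2))
    print("encoded :", render_encoded(db, 2))
    print("tainted rows:", find_tainted_rows(db))
```

The encoded render is the "defense in depth" the post cheers: the payload is still in the database, so the site is compromised and needs cleaning, but the browser never executes it. find_tainted_rows() is the kind of check to run across every text column once such a compromise is suspected, since the bot does not care which column it lands in.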
Brought to you by http://www.webappsec.org