Many of the recent high-profile attacks follow a similar pattern. First, a web application is compromised using SQL injection. Next, the attacker dumps the database through the same SQL injection vulnerability.
Once the attacker has a copy of the database, the attacker searches it for passwords. In some cases, the passwords were not hashed; in other cases, the hashes were brute forced. The attacker then uses the recovered passwords to try to breach other accounts.
I will try to write up a few diaries discussing steps to defend against the basic weaknesses exploited by these attacks:
Unhashed or weak passwords
In this first post, we will take a look at SQL injection.
The Tool: Havij
A few times before, I showed some of the attacks we see against the ISC website. One notable change over the last couple of years is an increase in SQL injection attacks. In the past, remote file inclusion attacks dominated. Now, SQL injection attacks have increased substantially, in particular attacks using the attack tool Havij, which identifies itself in its user agent string (the fragment seen: ".NET CLR 2.0.50727) Havij").
The attack method is pretty straightforward. Havij injects a UNION SELECT statement and keeps adding fields to the union query until it works out how many columns the original query returns. Each statement selects static random hex strings, which makes the injected values easy to identify in the response. Again, this is a technique used by other tools as well.
Of course, the best defense is to avoid SQL injection vulnerabilities in the first place. Did I mention yet that you should use prepared statements whenever possible? That, plus decent input validation, will pretty much eliminate the problem.
Now I also know that you probably have plenty of legacy applications and applications you didn't code. In these cases, you need a quick fix. You could, for example, block the Havij user agent at your intrusion prevention system or your web application firewall. A little mod_rewrite rule may work too. I find another decent string to detect the tool (and other SQL injection tools) is "%27+UNION+ALL+SELECT". This string shouldn't have a huge false positive rate.
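As an added example (not code from the diary or from Havij), here is a small Python check that applies the two indicators just described to Apache combined-format log lines. It URL-decodes the request path first, so the match goes beyond the literal "%27+UNION+ALL+SELECT" string to its "%20" and lower-case variants while still requiring the leading quote that keeps false positives down. The log lines and user agent strings are constructed samples, not real ISC log data.

```python
import re
from urllib.parse import unquote_plus

# Apache "combined" log format:
#   ip - - [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# The diary's marker string, matched on the URL-decoded path so that case
# changes and alternate encodings ("%20" instead of "+") do not evade it.
UNION_RE = re.compile(r"'\s+UNION\s+ALL\s+SELECT\b", re.IGNORECASE)

def classify(line):
    """Return the list of indicators that fire for one log line (empty if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []  # not a parsable combined-format line
    hits = []
    if "havij" in m.group("ua").lower():
        hits.append("havij-user-agent")
    if UNION_RE.search(unquote_plus(m.group("path"))):
        hits.append("union-all-select")
    return hits

def scan(lines):
    """Map each client IP with suspicious requests to the set of indicators seen."""
    findings = {}
    for line in lines:
        hits = classify(line)
        if hits:
            findings.setdefault(line.split(" ", 1)[0], set()).update(hits)
    return findings

# Constructed sample lines (documentation IP ranges, placeholder user agents).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2011:13:55:36 +0000] "GET /diary.html?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux) Firefox/7.0"',
    '198.51.100.9 - - [10/Oct/2011:13:55:40 +0000] "GET /diary.html?id=1%27+UNION+ALL+SELECT+0x31303235,0x31303235 HTTP/1.1" 500 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; .NET CLR 2.0.50727) Havij"',
    '198.51.100.9 - - [10/Oct/2011:13:55:41 +0000] "GET /diary.html?id=1%27%20union%20all%20select%200x31,0x32,0x33 HTTP/1.1" 500 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; .NET CLR 2.0.50727) Havij"',
    '192.0.2.77 - - [10/Oct/2011:13:56:02 +0000] "GET /search?q=union+all+select HTTP/1.1" 200 300 "-" "curl/7.21"',
]

if __name__ == "__main__":
    for ip, hits in scan(SAMPLE_LOG).items():
        print(ip, sorted(hits))
```

The last sample line contains the words "union all select" without the preceding quote and is deliberately not flagged, which is the false positive the "%27" prefix in the diary's string avoids.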
We covered SQL Injection a few times before:
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.