How cz32ts determines if your site is vulnerable to SQL Injection

cz32ts will append some SQL to a URL given to it by its C&C server at 205.209.143.94, and will fetch the results. It then phones home the results of its mischief like this:

C&C: +OK LINK-SERVER READY
cz32ts: CMD PUTLINK http://some.victim.url?sql=goes&after=this InjectAsp:YES
C&C: Finished.

It’s the InjectAsp:YES that denotes a successful SQL Injection vulnerability assessment. Given the appended SQL described in this post, cz32ts is looking simply for:

|number|

…in the page handed back by the server under test. If this pattern appears anywhere on the page, it will report InjectAsp:YES to the C&C server. Even error reports are sufficient, because they indicate that the injected SQL was executed and that the server is ripe for exploitation:

[Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed when converting the varchar value ‘|98|’ to data type int.

If you’ve been paid a visit by cz32ts, it’s probably a good idea to replay its requests (based upon the parameter string in your web server’s logfiles) and check the responses for the pattern |number| – if it’s there, you’ve got a vulnerability that needs addressing. A vulnerability that the bad guys know about already!


Alec Waters is responsible for all things security at Dataline Software, and can be emailed at alec.waters(at)dataline.co.uk

Advertisements

One Response to “How cz32ts determines if your site is vulnerable to SQL Injection”

  1. Thanks for the info, I found this one in my log yesterday.
    Now I have to go test for responces.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: