Thursday, January 7, 2010

How cz32ts determines if your site is vulnerable to SQL Injection

How cz32ts determines if your site is vulnerable to SQL Injection

Thanks to following site for info:

cz32ts will append some SQL to a URL given to it by its C&C server at, and will fetch the results. It then phones home the results of its mischief like this:

cz32ts: CMD PUTLINK http://some.victim.url?sql=goes&after=this InjectAsp:YES
C&C: Finished.

It’s the InjectAsp:YES that denotes a successful SQL Injection vulnerability assessment. Given the appended SQL described in this post, cz32ts is looking simply for:


…in the page handed back by the server under test. If this pattern appears anywhere on the page, it will report InjectAsp:YES to the C&C server. Even error reports are sufficient, because they indicate that the injected SQL was executed and that the server is ripe for exploitation:

[Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed when converting the varchar value ‘|98|’ to data type int.

If you’ve been paid a visit by cz32ts, it’s probably a good idea to replay its requests (based upon the parameter string in your web server’s logfiles) and check the responses for the pattern |number| – if it’s there, you’ve got a vulnerability that needs addressing. A vulnerability that the bad guys know about already!

writt3n by: Jared Braverman
SECNAP Network Security Corp.

1 comment:

  1. good, i drop by here through keyword "sql injection" via a service call "blogger auto follow" im following u.. hope to see u in my followers list soon and would love to share anything from internet, network and information security stuff.

    Hacking Expose! Team