How cz32ts determines if your site is vulnerable to SQL Injection
Thanks to the following site for the information: http://wirewatcher.wordpress.com/2009/11/17/how-cz32ts-determines-if-your-site-is-vulnerable-to-sql-injection/
cz32ts appends some SQL to a URL handed to it by its C&C server at 220.127.116.11, fetches the result, and then phones home what it found in an exchange like this:
C&C: +OK LINK-SERVER READY
cz32ts: CMD PUTLINK http://some.victim.url?sql=goes&after=this InjectAsp:YES
It is the InjectAsp:YES that marks a successful SQL injection check. Given the appended SQL described in that post, cz32ts is looking simply for the pattern |number| (a run of digits between two pipe characters) in the page handed back by the server under test. If that pattern appears anywhere in the page, it reports InjectAsp:YES to the C&C server. Even a database error page is sufficient, because an error that echoes the |number| value shows that the injected SQL reached the database and was executed, and therefore that the server is ripe for exploitation:
[Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed when converting the varchar value ‘|98|’ to data type int.
If you have been paid a visit by cz32ts, replay its requests (reconstruct them from the query strings in your web server's log files) and check the responses for the pattern |number|. If it is there, you have a vulnerability that needs addressing, and one the bad guys already know about. Bear in mind that this check only mirrors the bot's own heuristic: a response without the pattern (for example a custom error page that swallows the database message) does not prove the parameter is safe, so any probe that produced a database error or a 500 still deserves a look, and the fix in every case is parameterised queries rather than hiding the error text.
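The replay-and-check procedure above, as an added Python example; this is not code from the wirewatcher post, from SECNAP, or from cz32ts itself. It parses constructed web server log lines, picks out the probe request, re-issues it through a fetch function, and applies the bot's own success test (a |number| match) to the response. Because this page does not show the SQL cz32ts appends, the probe payload in the sample log is a constructed error-based T-SQL probe, the marker list used to spot probe lines is a heuristic assumption, and the canned responses (built around the error text quoted above) stand in for a live fetch.

```python
import re
from typing import Callable, Dict, List
from urllib.parse import unquote_plus, urlsplit

# The bot's success test as the post describes it: a run of digits between
# two pipe characters anywhere in the response body.
INJECTASP_PATTERN = re.compile(r"\|\d+\|")

# Markers used to pick probe requests out of the log. Assumption: this page
# does not show the SQL cz32ts appends, so these are generic fragments of an
# error-based T-SQL probe, not the bot's real payload.
PROBE_MARKERS = ("convert(int", "'|'", "@@version", "declare ", "sysobjects")

# Combined-log-format line: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed probe (not the bot's real payload). Decoded, the parameter reads:
#   12' and 1=convert(int,'|'+cast((select count(*) from sysobjects) as varchar)+'|')--
# On SQL Server the varchar-to-int conversion fails and the error echoes the
# value between the pipes.
PROBE_PATH = (
    "/products.asp?id=12%27%20and%201%3Dconvert%28int%2C%27%7C%27%2Bcast%28%28"
    "select%20count%28*%29%20from%20sysobjects%29%20as%20varchar%29%2B%27%7C%27%29--"
)

# Constructed sample log lines; not real traffic.
SAMPLE_LOG = (
    '203.0.113.7 - - [17/Nov/2009:10:01:02 +0000] "GET /products.asp?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"\n'
    f'203.0.113.7 - - [17/Nov/2009:10:01:05 +0000] "GET {PROBE_PATH} HTTP/1.1" 500 812 "-" "Mozilla/4.0"\n'
    '198.51.100.4 - - [17/Nov/2009:10:02:17 +0000] "GET /about.asp HTTP/1.1" 200 2310 "-" "Mozilla/5.0"\n'
)

# Canned responses standing in for a live replay. The error text is the one
# quoted in the post; the surrounding markup is constructed.
CANNED_RESPONSES: Dict[str, str] = {
    "/products.asp?id=12": "<html><body>Widget 12 - $9.99</body></html>",
    PROBE_PATH: (
        "<html><body>[Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed "
        "when converting the varchar value '|98|' to data type int.</body></html>"
    ),
}


def parse_log(text: str) -> List[dict]:
    """Return one dict per parseable log line; lines that do not match are skipped."""
    return [m.groupdict() for m in (LOG_RE.match(line) for line in text.splitlines()) if m]


def decoded_query(path: str) -> str:
    """The query string as the ASP page would see it, with percent-decoding applied."""
    return unquote_plus(urlsplit(path).query)


def looks_like_probe(path: str) -> bool:
    """Heuristic: does the decoded query string contain any probe marker?"""
    q = decoded_query(path).lower()
    return any(marker in q for marker in PROBE_MARKERS)


def injectasp(body: str) -> bool:
    """The bot's verdict: True (InjectAsp:YES) if |digits| occurs anywhere in the body.

    False-positive caveat: a legitimate page that prints |12| as a column separator
    would also match, so a hit is worth confirming against the actual error text.
    """
    return INJECTASP_PATTERN.search(body) is not None


def replay(entries: List[dict], fetch: Callable[[str], str]) -> List[dict]:
    """Re-issue each probe request through `fetch` and apply the bot's test.

    Absence of the pattern does not prove the parameter is safe (a custom error
    page can swallow the database message), so the logged status code is kept
    alongside the verdict so that 500s on probe lines can be reviewed as well.
    """
    results = []
    for e in entries:
        if not looks_like_probe(e["path"]):
            continue
        hit = injectasp(fetch(e["path"]))
        results.append({
            "path": e["path"],
            "status": int(e["status"]),
            "injectasp": hit,
            # The report line the post shows the bot sending to its C&C on success.
            "report": f"CMD PUTLINK {e['path']} InjectAsp:YES" if hit else None,
        })
    return results


def canned_fetch(path: str) -> str:
    """Offline stand-in for an HTTP GET against the site under test."""
    return CANNED_RESPONSES.get(path, "<html><body>Not found</body></html>")


if __name__ == "__main__":
    for r in replay(parse_log(SAMPLE_LOG), canned_fetch):
        print(r["status"], "InjectAsp:YES" if r["injectasp"] else "no match", r["path"])
```

To run this against a real site, replace canned_fetch with a function that issues the GET (with the original percent-encoded query string, not the decoded one) and returns the body; keep the replay to a test system or a maintenance window, since a successful probe is, by definition, executing SQL you did not write.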
writt3n by: Jared Braverman
SECNAP Network Security Corp.