November 27, 2014

Ruby on Rails SQL Injection Vulnerability Found

(LiveHacking.Com) – A SQL injection vulnerability has been found in the Active Record component of Ruby on Rails. Active Record connects classes to relational database tables, giving applications a persistence layer.

According to the security advisory a vulnerability has been found in the way Active Record handles nested query parameters. An attacker can use a specially crafted request to inject some forms of SQL into an application’s SQL queries. For an application to be vulnerable it needs to directly pass request parameters to the `where` method of an ActiveRecord class like this: Post.where(:id => params[:id]).all

To exploit this weakness, an attacker needs to make a request that causes `params[:id]` (see above) to return a specially crafted hash. This will cause the WHERE clause of the SQL statement to query an arbitrary table with some value.

Workaround
There is a workaround where vulnerable code needs to be changed so that the parameter is cast to the expected value. For example:

Post.where(:id => params[:id]).all

is changed to this:

Post.where(:id => params[:id].to_s).all

The Ruby on Rails team has released new versions to fix the problem. Affected versions are 3.0.0 and all later versions; 2.3.14 is not affected. The fixed versions are 3.2.4, 3.1.5 and 3.0.13. The latest versions can be downloaded from here.

All users running an affected release should upgrade immediately.
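To make the advisory's description concrete, here is an added example (not code from the advisory or from Rails itself). It is a deliberately simplified model of how an Active Record-style predicate builder of that era expanded a `where` hash into SQL: a Hash value is treated as a reference to another table and recursed into. Rails' nested parameter syntax turns a bracketed query-string key into exactly such a Hash, which is why passing `params[:id]` straight to `where` lets the request pick the table and column. The table and column names below are constructed placeholders, and `strict_lookup` is a stricter variant added here, not part of the advisory.

```ruby
# Added example, not code from the advisory or from Rails: a simplified model
# of how an Active Record-style predicate builder of that era expanded a
# `where` hash into SQL. It exists only to show why a Hash-shaped request
# parameter changes which table the WHERE clause targets, and why casting the
# parameter to the expected type (the advisory's workaround) closes the gap.
# Table and column names below are constructed placeholders.

def sql_literal(value)
  value.is_a?(Integer) ? value.to_s : "'#{value.to_s.gsub("'", "''")}'"
end

# Model of the pre-fix behaviour: a Hash value is interpreted as a reference
# to another table and the builder recurses into it, so the predicate it
# emits no longer mentions the default table at all.
def build_where(attributes, default_table)
  attributes.flat_map do |column, value|
    if value.is_a?(Hash)
      build_where(value, column.to_s)
    else
      ["#{default_table}.#{column} = #{sql_literal(value)}"]
    end
  end
end

def posts_query(conditions)
  "SELECT * FROM posts WHERE " + build_where(conditions, "posts").join(" AND ")
end

# Vulnerable pattern from the advisory: the raw parameter goes straight in.
def vulnerable_lookup(param)
  posts_query("id" => param)
end

# The advisory's workaround: cast to a string before it reaches the builder,
# so a Hash becomes one harmless string literal compared against posts.id.
def workaround_lookup(param)
  posts_query("id" => param.to_s)
end

# Stricter variant (added here, not from the advisory): an id column holds an
# integer, so reject anything that is not one instead of querying at all.
def strict_lookup(param)
  return nil unless param.is_a?(String) && param.match?(/\A\d+\z/)
  posts_query("id" => Integer(param, 10))
end

# Rails/Rack parse a query string such as ?id[other_table][flag]=x into this
# nested Hash; the names are constructed placeholders.
CRAFTED_PARAM = { "other_table" => { "flag" => "x" } }.freeze

if __FILE__ == $PROGRAM_NAME
  puts vulnerable_lookup("42")          # posts.id = '42'
  puts vulnerable_lookup(CRAFTED_PARAM) # other_table.flag = 'x' -- wrong table
  puts workaround_lookup(CRAFTED_PARAM) # posts.id = '{...}'    -- harmless
  p strict_lookup(CRAFTED_PARAM)        # nil -- rejected outright
end
```

Run with `ruby` to see the three shapes side by side. The workaround in the advisory is enough to stop the table switch, but casting to the column's real type (the `strict_lookup` variant) is the more general habit: request parameters should reach a query builder only after they have been coerced to the type the column expects.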

SQL injection Attack Hits Over 1 Million ASP.NET Pages (and Counting)

(LiveHacking.Com) – An SQL injection attack that infects web pages and causes drive-by downloads of malware is spreading rampantly. Reported last week by Armorize, the SQL injection attack, which targets ASP.NET sites, had infected some 180,000 pages. The Register reported on Friday that this number had grown to over 600,000. Now, according to Google search, the number of infected web pages is over 1,000,000.

Infected sites carry invisible links to sites including jjghui.com and nbnjkl.com. These sites in turn redirect to several other websites, including www3.strongdefenseiz.in and www2.safetosecurity.rr.nu, that include hidden code to exploit known vulnerabilities in Adobe PDF, Adobe Flash or Java. Any PC with unpatched versions of these programs will most likely become infected with malware. Servers used in the attack have IP addresses based in the US and Russia.

This current round of SQL injection attacks seems to be similar to the LizaMoon attacks which appeared in March and April of this year. The security company Sucuri has noted that the registration information for the domains used in this attack is the same as that used for the earlier LizaMoon domains:

Technical Contact:
James Northone jamesnorthone@hotmailbox.com
+1.5168222749 fax: +1.5168222749
128 Lynn Court
Plainview NY 11803
us

One thing worth noting is that at the time of the LizaMoon attacks Google mentioned that:

“Google Search results aren’t always great indicators of how prevalent or widespread an attack is as it counts each unique URL or page, not domain or site, but it does give some indication of the scope of the problem if you look at how the numbers go up or down over time.”

Sites can be scanned to make sure they are clean (or not) at http://sitecheck.sucuri.net
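Because a mass SQL injection of this kind plants the markup in database columns that are later rendered into pages, a site owner can check both rendered HTML and dumped text columns for the references named above. The following is an added example, not part of the original report or of any scanner mentioned in it: a small Ruby check that pulls every URL out of a blob of text and reports any that point at the domains the report names. The sample HTML is constructed.

```ruby
# Added example, not part of the original report: scan a page's HTML (or a
# text column dumped from the database) for references to the domains the
# report names as carrying the injected links or the follow-on redirects.
require 'uri'

# Domains taken from the report above.
INDICATOR_DOMAINS = %w[
  jjghui.com nbnjkl.com www3.strongdefenseiz.in www2.safetosecurity.rr.nu
].freeze

# Pull the host out of every http(s) URL in the text, wherever it sits
# (<script src>, <a href>, <iframe>, or raw inside a stored column).
def extract_hosts(text)
  text.scan(%r{https?://[^\s"'<>]+}i).filter_map do |url|
    URI.parse(url).host&.downcase
  rescue URI::InvalidURIError
    nil
  end.uniq
end

# Indicator domains referenced by the text, matching the host exactly or as
# a subdomain of one; an empty array means nothing from the list was found.
def injected_references(text)
  extract_hosts(text).select do |host|
    INDICATOR_DOMAINS.any? { |d| host == d || host.end_with?(".#{d}") }
  end
end

# Constructed samples: a clean page and one mimicking the hidden-link pattern
# (the injected path name is a placeholder, not one seen in the attack).
SAMPLE_CLEAN = '<html><body><a href="https://example.org/about">About</a></body></html>'
SAMPLE_INFECTED = <<~HTML
  <html><body>
  <p>Welcome</p>
  <div style="display:none"><a href="http://jjghui.com/placeholder.js">x</a></div>
  </body></html>
HTML

if __FILE__ == $PROGRAM_NAME
  p injected_references(SAMPLE_CLEAN)     # []
  p injected_references(SAMPLE_INFECTED)  # ["jjghui.com"]
end
```

Run it against the HTML returned by the site, not only the templates on disk: the injected markup lives in the data, so a clean source tree proves nothing. The same function applied to a database dump will show which rows carry the payload and therefore which columns need cleaning.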

LizaMoon SQL-injection Attack Not as Large as First Thought

Over the last few days, the Internet has been throbbing with news of an SQL-injection attack dubbed LizaMoon which was reported to have infected hundreds of thousands of web pages including iTunes. However these numbers were calculated using Google’s search engine and the number of results available for web pages with the relevant terms in them. Now PCPro has been speaking to a Google engineer and it seems the damage might not be as bad as first thought.

Niels Provos, a principal engineer at Google, has counted the sites with a functioning reference, leaving out those that had the code but didn’t actually redirect users. What he found is that the Lizamoon attack actually peaked in October with 5,600 infected sites, but is currently “undergoing a revival”.

On 29th March 2011 Websense reported that, according to a Google search, over 226,000 URLs had been compromised. This included several iTunes URLs. On 31st March they reported that a search on Google returned more than 1,500,000 results that have a link with the same URL structure as the initial attack.

However they did mention that “Google Search results aren’t always great indicators of how prevalent or widespread an attack is as it counts each unique URL or page, not domain or site, but it does give some indication of the scope of the problem if you look at how the numbers go up or down over time.”

Using the same search today Google reported 4,670,000 results!

The attack is named LizaMoon after one of the URLs that are injected into web sites. These rogue URLs redirect users to scareware sites which generate messages warning the user that their computer is infected with viruses, and offers to sell them antivirus software.

Sqlninja 0.2.5 Released

Sqlninja 0.2.5 has been released. Sqlninja is a tool for exploiting SQL injection vulnerabilities in web applications that use Microsoft SQL Server as their back end. According to its project website, its main goal is to provide remote access to the vulnerable DB server, even in a very hostile environment. It is intended for penetration testers, to help automate the process of taking over a DB server once a SQL injection vulnerability has been discovered.

Sqlninja Features:

  • Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, DB authentication mode)
  • Bruteforce of ‘sa’ password (in 2 flavors: dictionary-based and incremental)
  • Privilege escalation to sysadmin group if ‘sa’ password has been found
  • Creation of a custom xp_cmdshell if the original one has been removed
  • Upload of netcat (or any other executable) using only normal HTTP requests (no FTP/TFTP needed)
  • TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
  • Direct and reverse bindshell, both TCP and UDP
  • DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames (check the documentation for details about how this works)
  • Evasion techniques to confuse a few IDS/IPS/WAF
  • Integration with Metasploit3, to obtain a graphical access to the remote DB server through a VNC server injection
  • Integration with churrasco.exe, to escalate privileges to SYSTEM on w2k3 via token kidnapping

Requirements:

In order to use sqlninja, the following Perl modules need to be present:

  • NetPacket
  • Net-Pcap
  • Net-DNS
  • Net-RawIP
  • IO-Socket-SSL

You will also need the Metasploit Framework 3 on your box to use the Metasploit attack mode, and a VNC client if you use the VNC payload.

More Information & download links:

  1. Demo Video
  2. Project Documentation
  3. Download Page

Source: http://sqlninja.sourceforge.net/