SQL injection hacks

josephium · ‎09-01-2008

Hi,

i am a bit disappointed by the ability of cisco IPS to block sql injections, even with the new added generic sql injection signatures not long ago, still websites hosted with us are being hacked.

i know its vulnerabilities in the sites, but the command update is a lot used to hack sites, i have created a custom signature that catches "update" in small and caps, but i was surprised yesterday that the hacker used "u%pdate" and it bypassed the sensor !!

any thoughts on the subject

thanks

mhellman · ‎09-02-2008

Interesting. I'm so not a SQL expert, but I don't see how "u%pdate" is valid SQL. Why would the database interpret "u%pdate" as valid SQL? Is the application cleaning up the input before passing to the db?

IMHO, if your customers have vulnerable apps, then they need to fix them. A network based IDS simply isn't going to be the best at detecting every possible variation of injection (or anything else imo, but that's a whole different soap box). It just doesn't have the required context. Throw TLS into the mix, and most of the time coverage drops to zero.

josephium · ‎09-02-2008

well we are still investigating how "u%pdate" was interpreted to be a valid SQL statement, but i have to emphasize again that the cisco IPS is quite behind in signatures regarding sql injection, i was just checking Tippingpoint yesterday and it has more than 25 signatures on sql injection, it has a signature for each sql command, update, select ...

the cisco IPS engineers should really know this don't you think ?

mhellman · ‎09-03-2008

I agree. now they do;-)