sql injection finalv1 - virtual security operations center · 2014-08-25 · popular types of sql...
©Copyright IBM Corporation 2014. All rights reserved. IBM and the IBM logo are trademarks or registered trademarks of the IBM Corporation in the United States,
other countries or both. Other company, product or service names may be trademarks or service marks of others.
RESEARCH AND INTELLIGENCE REPORT
RELEASE DATE: AUGUST 25, 2014
BY: DAVID MCMILLEN, SENIOR THREAT RESEARCHER
IBM MSS SQL INJECTION – INPUT VALIDATION
TABLE OF CONTENTS
EXECUTIVE OVERVIEW/KEY FINDINGS
DISTRIBUTION OF ATTACK SOURCES
SQL INJECTION ATTACK METRICS
POPULAR TYPES OF SQL INJECTION ATTACKS
IBM’S SQL INJECTION DETECTION ENGINE
RECOMMENDATIONS/MITIGATION TECHNIQUES
IDPS SIGNATURES AND/OR SIEM RULES
    Proventia
    AirDefense
    Akamai
    Checkpoint
    Cisco IDS
    IBM
    Intrushield
    Nessus
    Netscreen
    Palo Alto
    Snort
    Sourcefire
    Tipping Point
ADDITIONAL RECOMMENDATIONS
REFERENCES
CONTRIBUTORS
DISCLAIMER
EXECUTIVE OVERVIEW/KEY FINDINGS
Data breaches seem to be everywhere these days. Every time a major security event makes the headlines,
there is usually one common denominator associated with it: weak SQL database security policy. Bad
actor groups make a living off it and have come to use this attack vector more than any other, largely
because they know that implementing the perfect database security solution requires much time,
strategy and money. Most enterprise database deployments are not going to be locked down very
securely. Although not the norm, off-the-shelf database deployments are out there, and they are ripe for
the picking. Even where the primary security concerns have been considered and mitigated,
there is almost always a lack of data validation. No matter how secure you think your databases are,
there is an attacker out there willing to prove you wrong and make you pay one way or another.
Whether through the loss of sensitive customer information, credit card data or intellectual capital, it is
just a matter of time before you are adversely affected if you don’t trap unexpected input. This paper
looks at this subject and provides some remediation tactics that you can use to strengthen your
database farm, protect your endpoints and safeguard your reputation.
DISTRIBUTION OF ATTACK SOURCES
According to IBM’s Managed Security Services data, the top attacking countries are allegedly the United
States and China. It is generally believed that the Chinese attackers for the most part are state
sponsored while American attackers are more aligned with hacktivist groups.
SQL INJECTION ATTACK METRICS
Although SQL injection volume has declined over the course of the year, it is still highly prevalent when
compared to all other attack types. The incidents illustrated above were tracked from actual security
incidents where SQL Injection activity was confirmed and customers were notified.
We see a plethora of different styles of SQL injection against a wide variety of entry types. PHP, ASP,
WordPress, URL, and Parallels Plesk are the most commonly attacked entry points. A fair number of the
attacks we track are focused solely on defacing web pages. The remainder usually target sensitive
data.
POPULAR TYPES OF SQL INJECTION ATTACKS
There are four main types of SQL injection:
1. First Order Attack - An attacker can enter a malicious string and cause the modified code to be
executed immediately.
2. Second Order Attack - An attacker injects into persistent storage (such as a table), which is normally
treated as a trusted source, and the attack is carried out by a second activity.
3. Lateral Injection - An attacker can manipulate the function To_Char() by changing environmental
variables.
4. Blind Injection - SQL injection attacks that don’t require error messages to be returned to the
attacker and are more focused on vulnerable applications.
Input fields on web applications are major injection entry points. Search fields are also used to send
injection attack strings. Expected characters need to be defined, and anything outside that range
rejected. These rules are called “check constraints”. Check constraints are rules that define acceptable
column values for row data within a table. These constraints can validate the integrity of one or multiple
columns. You can also use multiple constraints within a single column. If the data being inserted
or updated violates the check constraint, the database rejects the operation.
Complex applications can have a large number of entry points. This makes it extremely difficult for a
developer to enforce rules. All possible forms of input must be tested to check whether the application
sufficiently validates the data prior to using it. Input validation is useful as a defense-in-depth strategy.
Although input validation and check constraints are certainly extremely important, they are not infallible.
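The two layers described above, as an added example that is not part of the original report: an application-side allow-list plus database check constraints, with SQLite (through Python's sqlite3 module) standing in for the production database. The table, column and function names, the accepted ranges and the sample inputs are assumptions constructed for illustration.

```python
import re
import sqlite3

# Application-layer allow-list: the only characters and lengths a username may have.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,20}")

# Database-layer check constraints (SQLite syntax). The username column carries
# two constraints and age carries one, so a bad row is refused by the database
# even when an entry point forgets to validate.
SCHEMA = """
CREATE TABLE accounts (
    username TEXT NOT NULL UNIQUE
        CHECK (length(username) BETWEEN 3 AND 20)
        CHECK (username NOT GLOB '*[^A-Za-z0-9_]*'),
    age INTEGER NOT NULL
        CHECK (typeof(age) = 'integer' AND age BETWEEN 13 AND 120)
);
"""


def open_db():
    """Create the constructed in-memory demo database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def is_expected_username(value):
    """True only if value is a string made solely of expected characters."""
    return isinstance(value, str) and USERNAME_RE.fullmatch(value) is not None


def insert_row(conn, username, age):
    """Parameterized INSERT; the database enforces its check constraints."""
    try:
        with conn:  # commits on success, rolls back on error
            conn.execute(
                "INSERT INTO accounts (username, age) VALUES (?, ?)",
                (username, age),
            )
    except sqlite3.IntegrityError:
        return "rejected by database"
    return "stored"


def register(conn, username, age):
    """Entry point that validates input before it reaches the database."""
    if not is_expected_username(username):
        return "rejected by application"
    return insert_row(conn, username, age)


def legacy_import(conn, username, age):
    """Hypothetical second entry point whose developer skipped validation."""
    return insert_row(conn, username, age)


def find_account(conn, username):
    """Look up by name with a bound parameter, so the value is never parsed as SQL."""
    cur = conn.execute(
        "SELECT username, age FROM accounts WHERE username = ?", (username,)
    )
    return cur.fetchone()


# Constructed sample input: one expected value and three unexpected ones.
SAMPLES = [
    ("alice", 30),
    ("alice' --", 30),  # quote and comment sequence
    ("al", 30),         # shorter than the accepted length
    ("carol", 7),       # age outside the accepted range
]


def run_demo():
    """Return {sample: (result via register, result via legacy_import)}."""
    validated, unvalidated = open_db(), open_db()
    return {
        (u, a): (register(validated, u, a), legacy_import(unvalidated, u, a))
        for u, a in SAMPLES
    }


if __name__ == "__main__":
    for sample, outcome in run_demo().items():
        print(sample, outcome)
```

The unvalidated entry point shows why the constraint belongs in the schema: the database refuses the same rows the application check would have caught.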
The use of stored procedures is as important as data validation. A stored procedure is a group of SQL
statements that performs a particular task. The SQL code for a stored procedure is defined and stored in the
database itself, and then called from the application. The main benefits of using stored procedures are
performance gains from precompiled execution, reduced client/server traffic, and security controls:
users are granted permissions on the stored procedures instead of on database tables.
IBM’S SQL INJECTION DETECTION ENGINE
Relying on raw signature events to detect SQL Injection is hardly a perfect solution. IBM has developed a
very reliable and robust set of rules within its SIEM environment that allow us nearly a 100% accuracy rate
of detection. We see new attack strings on a daily basis, which we analyze and implement in the rule sets.
New strings are captured within a set of active lists and sent to analysts within minutes of their capture.
Once the offending strings are confirmed to be malicious, they are added to the production
detection rules. No one else in the industry has such a proactive solution.
If a SQL Injection attack is escalated to you, it is imperative that you take it seriously and inspect
the target server(s) immediately. Since a large majority of the attack strings are purposely meant to
exploit an application first, you MUST ensure your patch management solution is robust.
RECOMMENDATIONS/MITIGATION TECHNIQUES
As mentioned earlier, it is highly prudent to implement check constraints in order to prevent an attacker
from pushing an injection string through a data input field. Please check the following resource for more
information.
https://www.owasp.org/index.php/Data_Validation
Designing stored procedures is also key to good database security posture. More can be found at the
following link.
http://msdn.microsoft.com/en-us/library/cc505879.aspx
Where possible, we recommend that customers immediately enable the signatures listed below for
blocking and analyzing any events generated by them. In addition, ensure that any related security
patches and anti-virus solutions are up-to-date. These signatures may not be enabled by default.
Because of the wide scope of attack types that can affect SQL, the list of signatures is very large. It may
not be prudent for customers to turn on each and every SQL signature for their specific vendor. A large
majority of these signatures focus on specific applications, so best practice is to enable only the
signatures that cover your applications. IBM Proventia uses heuristics within its SQL injection
detection signature, which allows a single signature to cover all SQL attack types.
IDPS SIGNATURES AND/OR SIEM RULES
PROVENTIA
SQL_Injection
AIRDEFENSE
SSID SQL Injection Attack
AKAMAI
Basic MongoDB SQL Injection Attempts
Basic SQL Injection - Common Attack Payloads
Blind SQL Injection Attack
Chained SQL Injection Attempts 1/2
Chained SQL Injection Attempts 2/2
Classic SQL Injection Probes 1/2
Classic SQL Injection Probes 2/2
Concatenated Basic SQL Injection and SQLLFI Attempts
Conditional SQL Injection Attempts
Detects SQL Injections that Use Time Delays
SQL Injection (DROP Statement)
SQL Injection (String Termination and Comment Sequence)
SQL Injection Attack
SQL Injection Attack: Common DB Names Detected
SQL Injection Attack: Common Injection Testing Detected
SQL Injection Attack: SQL Operator Detected
SQL Injection Bypass/Probing
CHECKPOINT
ActiveCampaign 1-2-All Broadcast Email sername Parameter SQL Injection - Ver2
AdaptWeb Web Application SCADA SQL Injection
Adobe RoboHelp Server SQL Injection
Advantech WebAccess SQL Injection Information Disclosure
AJ Dating view_profile.php user_id Parameter SQL Injection - Ver2
Benders Calendar index.php this_day Parameter SQL Injection - Ver2
Bit 5 Blog processlogin.php username Parameter SQL Injection - Ver2
BSQL Automated SQL Injection tool
CA Total Defense Suite UNCWS exportReport SQL Injection
CA Total Defense Suite UNCWS Multiple Report Stored Procedure SQL Injections
Chimera Web Portal System linkcategory.php id Parameter SQL Injection - Ver2
Cisco Unified Communications Manager Multiple SQL Injections
Cybozu Garoon tid Parameter SQL Injection - Ver2
Dell SonicWALL Scrutinizer SQL Injection
Forum Livre info_user.asp user Parameter SQL Injection - Ver2
Fourtwosevenbb showthread.php ForumID Parameter SQL Injection - Ver2
GeoBlog viewcat.php cat Parameter SQL Injection - Ver2
GNUTurk mods.php t_id Parameter SQL Injection - Ver2
Havij Automated SQL Injection tool
HP Data Protector Multiple Products FinishedCopy SQL Injection
HP Data Protector Multiple Products GetPolicies SQL Injection
HP Data Protector Multiple Products LogClientInstallation SQL Injection
HP Data Protector Multiple Products RequestCopy SQL Injection
IBM Tivoli Provisioning Manager Express Asset.getMimeType SQL Injection
IBM Tivoli Provisioning Manager Express User.updateUserValue SQL Injection
InTouch index.php user Parameter SQL Injection - Ver2
Ipswitch WhatsUp Web Interface SQL Injection
Jive Software Openfire Jabber Server SQL Injection
Joomla! Jobline Component 'search' Parameter SQL Injection
Lighttpd Host Header mod_mysql_vhost SQL Injection
Lingxia ICE CMS media.cfm session.user_id Parameter SQL Injection - Ver2
McAfee ePolicy Orchestrator UID Multiple SQL Injection
MyPhPim calendar.php3 cal_id Parameter SQL Injection - Ver2
Nagios Core Config Manager tfPassword SQL Injection
Novell ZENworks Patch Management Multiple SQL Injection Vulnerabilities
Oracle Database DBMS_AQADM_SYS.GRANT_TYPE_ACCESS Procedure SQL Injection
Oracle Database Server CREATE_TABLES SQL Injection
Oracle Database Server DBMS_CDC_PUBLISH Multiple Procedure SQL Injection
Oracle Database Server DBMS_METADATA Package SQL Injection
Oracle Database Server LT.ROLLBACKWORKSPACE SQL Injection
Oracle Database Server MDSYS.SDO_LRS Package SQL Injection
Oracle Database Server Multiple Procedures SQL Injection
Oracle Database Server REPCAT_RPC.VALIDATE_REMOTE_RC SQL Injection
Oracle Database Server SQL Injection In Package SYS.KUPV
Oracle Database Server SYS.DBMS_METADATA_UTIL Package SQL Injection
Oracle Database Server SYS.LT.FINDRICSET Function SQL Injection
Oracle Database Server Workspace Manager Multiple SQL Injection
Oracle Database Server XDB PITRIG TRUNCATE and DROP SQL Injection
Oracle Database SUBSCRIPTION_NAME Parameter SQL Injection
Oracle Database SYS.KUPW-WORKER Package MAIN Procedure SQL Injection
Oracle Database SYS.LT.FINDRICSET SQL Injection
Oracle Database Trigger MDSYS.SDO_TOPO_DROP_FTBL SQL Injection
Oracle Warehouse Builder Stored Procedure SQL Injection
Oracle Warehouse Builder WB_OLAP_AW_REMOVE_SOLVE_ID SQL Injection
Oracle Warehouse Builder WB_RT_AUDIT_SHADOW_TABLE Multiple SQL Injections
Pangolin Automated SQL Injection tool
PHPenpals profile.php personalID Parameter SQL Injection - Ver2
PHPjournaler index.php readold Parameter SQL Injection - Ver2
PollMentor pollmentorres.asp id Parameter SQL Injection - Ver2
ProFTPD Server Username Handling SQL Injection
Red Hat CloudForms Management Engine SQL Injection
Ruby on Rails Hash SQL Injection
Saphplesson id Parameter SQL Injection - Ver2
ScozBook auth.php adminname Parameter SQL Injection - Ver2
SePortal staticpages SQL Injection
SQL Servers Blind SQL Injection
SQL Servers MSSQL Vendor-specific SQL Injection
SQL Servers MySQL Vendor-specific SQL Injection
SQL Servers Oracle Vendor-specific SQL Injection
SQL Servers SQL Injection Evasion Techniques
SQL Servers SQL Injection Evasion Techniques - ver 2
SQL Servers Stack Query SQL Injection
SQL Servers Time-based SQL Injection
SQL Servers Unauthorized Commands SQL Injection
SQL Servers Unauthorized SQL Injection Command Execution
SQL Servers UNION Query-based SQL Injection
Sqlmap Automated SQL Injection tool
Sqlninja Automated SQL Injection tool
Symantec IM Manager Administrator Interface SQL injection
Symantec IM Manager IMAdminReportTrendFormRun.asp SQL Injection
Symantec IM Manager IMAdminScheduleReport.asp SQL Injection
Symantec IM Manager LoggedInUsers.lgx Definition File Multiple SQL Injections
Symantec IM Manager LoggedInUsers.lgx Definition File SQL Injections
Symantec IM Manager rdpageimlogic.aspx Multiple SQL Injections
Symantec Web Gateway blocked.php Blind SQL Injection
Symantec Web Gateway blocked.php Blind SQL Injection - Ver2
Symantec Web Gateway ldap_latest.php Blind SQL Injection - Ver2
TheWebForum login.php username Parameter SQL Injection - Ver2
Trend Micro Control Manager ad hoc query Module SQL Injection
vBulletin Nodeid Parameter SQL Injection
VEGO Web Forum index.php theme_id Parameter SQL Injection - Ver2
VEGO Web Forum login.php username Parameter SQL Injection - Ver2
Venom Board post.php3 topic_id Parameter SQL Injection - Ver2
Wordcircle index.php password Parameter SQL Injection - Ver2
WordPress Plugin AdRotate SQL Injection
Xerox DocuShare ResultBackgroundJobMultiple SQL Injection
Zabbix Multiple SQL Injections Information Disclosure
CISCO IDS
5381 "VPASP SQL injection"
5480 "phpBB SQL injection"
5481 "VPASP SQL injection"
5483 "Cyberstrong eShop SQL Injection"
5803.0 Sygate Login Servlet SQL Injection
ActiveCampaign 1-2-All Control Panel Username SQL Injection Vulnerability
Adaptcms Config.Php Question Parameter SQL Injection Vulnerability
BlackNova Traders News.php SQL Injection Vulnerability
Boonex Dolphin Categories.php SQL Injection
Cinfores SQL injection Vulnerability
Cisco Call Manager SQL Injection
Cisco Network Admission Control Manager SQL Injection
ClipShare Gid Parameter SQL Injection
ClipShare Ugroup_videos.php SQL Injection Vulnerability
Computer Associates Total Defense Suite UNCWS SQL Injection
Cotonti SQL Injection Vulnerability
Cyberstrong eShop SQL Injection
Datalogicco CMS SQL Injection Vulnerability
DBlog CMS SQL Injection Vulnerability
Dir2web SQL Injection Vulnerability
DotNetNuke SQL Injection
EasyWebScripts EBay Clone Script Gallery.php Script SQL Injection
EasyWebScripts EBay Clone Script Product_desc.php Script SQL Injection
EasyWebScripts EBay Clone Script Showcategory.php Script SQL Injection
Elite Bulletin Board Groups.php SQL Injection
Elite Bulletin Board Index.php SQL Injection
Elite Bulletin Board Login.php SQL Injection Vulnerability
Elite Bulletin Board Register.php SQL Injection Vulnerability
Generic SQL Injection
GNUTurk mods.php t_id Parameter SQL Injection
HP Data Protector RequestCopy SQL Injection
HTTP Alibaba Clone SQL Injection
HTTP Free Hosting Manager viewaccount.php SQL Injection Vulnerability
IBM Rational ClearQuest Username Parameter SQL Injection
iisPROTECT Admin SQL Injection
IMP SQL Injection
Integrated CMS SQL Injection Vulnerability
inTouch index.php user Parameter SQL Injection
Joomla VirtueMart Component SQL Injection
Kwok SQL Injection Vulnerability
Lizamoon SQL Injection
Lizard Cart CMS id Parameter SQL Injection Vulnerability
MLM Auction SQL Injection Vulnerability
MLM Script Productview.Php SQL Injection
Monkeycms SQL Injection Vulnerability
Musicbox genre_albums.php id Parameter SQL Injection
Nagios XI SQL Injection
NConf Delete Attr Script SQL Injection Vulnerability
NConf Write2DB Script SQL Injection Vulnerability
Oracle Database Server DBMS_CDC_PUBLISH SQL Injection
Oracle Database Workspace Manager SQL Injection
OrangeHRM ViewCustomers SQL Injection
OrangeHRM ViewPayGrades SQL Injection Vulneraibility
OrangeHRM ViewSystemUsers SQL Injection
Ovidentia Item Parameter SQL Injection
Palms SQL Injection Vulnerability
Parallel Plesk Panel Remote SQL Injection
Parallels Plesk Panel Remote SQL Injection
PHP Address Book Admin Index SQL Injection
PHP Address Book Edit User Save SQL Injection
PHP Address Book Edit User SQL Injection
PHP Address Book Link Tick SQL Injection
PHP Address Book Password Reset Save SQL Injection
PHP Address Book Reset Password SQL Injection
PHP Address Book Username SQL Injection
PHP Address Traffic SQL Injection
PHP Labs Top Auction SQL Injection Vulnerability
PHP-Fusion Bbcodes.php Script SQL Injection Vulnerability
PHP-Fusion Messages.php SQL Injection
PHP-Fusion News.php SQL Injection
PHP-Fusion Postedit.php Script SQL Injection Vulnerability
PHP-Fusion Postnewthread.php Script SQL Injection Vulnerability
phpBB SQL injection
Phpfox SQL Injection Vulnerability
PhpMyRecipes Viewrecipe.php SQL Injection
PhpVibe blind SQL injection vulnerability
PK-CMS SQL Injection Vulnerability
Plogger plog-feedback.php SQL Injection Vulnerability
Process PHP login parameter SQL Injection Vulnerability
Psychostats SQL Injection Vulnerability
Rebus List List.Php SQL Injection Vulnerability.
Request Tracker ShowPending Parameter SQL Injection Vulnerability
Rlswordpresssearch Plugin For Wordpress Register.Php SQL Injection Vulnerability
Rsfiles Component For Joomla Cid Parameter SQL Injection Vulnerability
Ruby on Rails Where Hash SQL Injection
SalesLogix SQL Injection Vulnerability
Scripts Genie Domain Trader Script Catalog.php SQL Injection
Scripts Genie Gallery Personals gallery.php SQL Injection
Scripts Genie Games Site Script Index.php SQL Injection
Scripts Genie Pet Rate Pro Index.php SQL Injection
Scripts Genie Top Sites Script Out.php SQL Injection
SHOP CMS Listproduct.asp Script SQL Injection
SHOP CMS Productdetails.asp Script SQL Injection
Snitz Forums SQL injection
SonicWALL Aventail CategoryID Parameter SQL Injection
Sygate Login Servlet SQL Injection
Symphony CMS BluePRINTs URI SQL Injection
Symphony Sort Parameter SQL Injection
SynConnect SQL Injection Vulnerability
SYS.KUPW-WORKER Package MAIN Procedure SQL Injection Attempt
Telmanik CMS Press SQL Injection
TheWebForum Login.php Username Parameter SQL Injection
Vbbux And Vbplaza SQL Injection Vulnerability
VEGO Web Forum login.php username Parameter SQL Injection
Voila CMS SQL Injection
VPASP SQL injection
Web Cookbook Currid Parameter SQL Injection
Web Cookbook Searchrecipe.Php Script SQL Injection Vulnerability
Web Cookbook Showtext.Php Script SQL Injection Vulnerability
WHMCS Group Pay Plugin SQL Injection
Wordcircle index.php password Parameter SQL Injection
WordPress Ck-processkarma.php SQL Injection Vulnerability
WordPress Easy Webinar Plugin Wid Parameter SQL Injection
WordPress G-Lock Double Opt-In Manager Plugin SQL Injection
Wordpress HD Webplayer Plugin Config.php SQL Injection
Wordpress HD Webplayer Plugin Config.php SQL Injection Vulnerability
WordPress ProPlayer Plugin Id Parameter SQL Injection
WordPress Webplayer Plugin ID Parameter SQL Injection
WordPress Wp-ImageZoom Theme ID Parameter SQL Injection
WordPress Wysija Newsletters Plugin SQL Injection
Xoops WebChat SQL Injection
Xpede sprc.asp SQL Injection
Zenphoto Index.php SQL Injection Vulnerability
Zyxware SQL Injection Vulnerability
IBM
osTicket ajax.php SQL Injection
xbtit index.php SQL Injection
INTRUSHIELD
BOT: SQL Injection - Danmec Bot SQL Injection Attack Detected
BOT: SQL Injection - Danmec Bot SQL Injection Attack Detected II
DBMS_METADATA Package SQL Injection
FTP: ProFTPD Server Username Handling SQL Injection
HTTP: Ipswitch WhatsUp Web Interface SQL Injection
HTTP: ActiveCampaign 1-2-All main.php username Parameter SQL Injection
HTTP: Astium VoIP PBX SQL Injection Authentication Bypass
HTTP: Blind SQL Injection - Exploit
HTTP: Blind SQL Injection - Timing
HTTP: CA Total Defense Suite UNC Management Console Operations SQL Injection Remote Code Execution
HTTP: CA Total Defense Suite UNCWS exportReport SQL Injection
HTTP: Cisco Unified Communications Manager Multiple SQL Injection
HTTP: Coppermine Blind SQL Injection
HTTP: Cybozu tid Parameter SQL Injection
HTTP: Danmec Bot SQL Injection Attacks Detected
HTTP: Firefuzzer SQL Injection Scanning I
HTTP: Firefuzzer SQL Injection Scanning II
HTTP: Firefuzzer SQL Injection Scanning III
HTTP: Firefuzzer SQL Injection Scanning IV
HTTP: FlexBB Start PHP SQL Injection Vulnerability
HTTP: Forum Livre info_user.asp user Parameter SQL Injection
HTTP: FullASPSite ASP Hosting Windows ASP SQL Injection Vulnerability
HTTP: HP Data Protector Multiple Products FinishedCopy SQL Injection
HTTP: HP Data Protector Multiple Products GetPolicies SQL Injection
HTTP: HP Data Protector Multiple Products LogClientInstallation SQL Injection
HTTP: HP Data Protector Multiple Products RequestCopy SQL Injection
HTTP: IBM Tivoli Provisioning Manager Express User.updateUserValue SQL Injection
HTTP: MiniMySqlat0r SQL Injection Scanning I
HTTP: Netsparker SQL Injection Scanning I
HTTP: phpBB Search.php SQL Injection
HTTP: phpBB Search.php SQL Injection (0x40219400)
HTTP: Ruby on Rails Where Hash SQL Injection
HTTP: ScozNet ScozBook AdminName Variable SQL Injection Vulnerability
HTTP: SonicWALL Aventail SSL-VPN SQL Injection Information Disclosure
HTTP: SQL Injection - Adobe RoboHelp Server SQL Injection Vulnerability
HTTP: SQL Injection - Blind Injection Exploit II
HTTP: SQL Injection - Blind Injection Exploit III
HTTP: SQL Injection - Danmec Bot SQL Injection Attack Detected
HTTP: SQL Injection - Danmec Bot SQL Injection Attack Detected II
HTTP: SQL Injection - data MySQL
HTTP: SQL Injection - data Oracle
HTTP: SQL Injection - data Oracle II
HTTP: SQL Injection - database_crawler
HTTP: SQL Injection - database_crawler II
HTTP: SQL Injection - database_crawler III
HTTP: SQL Injection - database_crawler_MSSQL
HTTP: SQL Injection - detection
HTTP: SQL Injection - detection DB2
HTTP: SQL Injection - detection II
HTTP: SQL Injection - detection MySQL
HTTP: SQL Injection - directory_traversal
HTTP: SQL Injection - evasion
HTTP: SQL Injection - evasion II
HTTP: SQL Injection - evasion III
HTTP: SQL Injection - Exploit
HTTP: SQL Injection - Exploit II
HTTP: SQL Injection - Exploit III
HTTP: SQL Injection - Exploit IV
HTTP: SQL Injection - Exploit V
HTTP: SQL Injection - extension Oracle
HTTP: SQL Injection - file_download
HTTP: SQL Injection - http_request Oracle
HTTP: SQL Injection - OSCodeExecution Oracle
HTTP: SQL Injection - package Oracle
HTTP: SQL Injection - Phorum SQL read.php3 Attack
HTTP: SQL Injection - phpBB Search.php SQL Injection
HTTP: SQL Injection - PrivilegeEscalation Oracle
HTTP: SQL Injection - registry_reader
HTTP: SQL Injection - system_command_execution
HTTP: SQL Injection - union Oracle
HTTP: SQL Injection - writefile MySQL
HTTP: SQL Injection Exploit
HTTP: SQL Injection Exploit II
HTTP: SQL Injection Exploit III
HTTP: SqlMap SQL Injection - Scanning I
HTTP: SqlMap SQL Injection - Scanning II
HTTP: Stored Procedure Name Detected by SQL Injection Heuristic Engine
HTTP: Symantec IM Manager Administrative Interface IMAdminReportTrendFormRun SQL Injection
HTTP: Symantec IM Manager Administrative Interface IMAdminScheduleReport.asp SQL Injection
HTTP: Symantec IM Manager Administrator Interface SQL Injection
HTTP: Symantec Web Gateway Blind SQL Injection
HTTP: TheWebForum login php SQL Injection Vulnerability
HTTP: Trend Micro Control Manager AdHocQuery Module SQL Injection
HTTP: VEGO Links Builder Login Script SQL Injection Vulnerability
HTTP: Venom Board Post PHP3 Multiple SQL Injection Vulnerability
HTTP: Wordcircle index.php password Parameter SQL Injection Vulnerability
ORACLE: CTX_DOC SQL Injection Vulnerability
ORACLE: DBMS DataPump Metadata API SQL Injection Vulnerability
ORACLE: DBMS METADATA_UTIL Package SQL Injection Vulnerability
ORACLE: DBMS_CDC_UTILITY Multiple Procedure SQL Injection Vulnerability
ORACLE: DBMS_CDC_UTILITY Multiple Procedure SQL Injection Vulnerability (0x46c03a00)
Oracle: DBMS_METADATA Package SQL Injection
ORACLE: DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC Package SQL Injection
ORACLE: DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC Package SQL Injection II
ORACLE: Generic SQL Injection Detected
ORACLE: MDSYS.SDO_LRS Package SQL Injection Vulnerability
ORACLE: MDSYS.SDO_TOPO_MAP SQL Injection Vulnerability
ORACLE: Oracle Database CREATE_TABLES SQL Injection vulnerability
ORACLE: Oracle Database EXFSYS PLSQL Injection Vulnerability
ORACLE: Oracle Database LT.ROLLBACKWORKSPACE SQL Injection vulnerability
ORACLE: Oracle Database LT.ROLLBACKWORKSPACE SQL Injection Vulnerability II
ORACLE: Oracle Database Server Multiple SQL Injection Vulnerabilities
ORACLE: Oracle DBMS_AQADM_SYS Package GRANT_TYPE_ACCESS Procedure SQL Injection
Oracle: SQL Injection in package SYS.KUPW$WORKER
ORACLE: SQL Injection Vulnerability on Crafted Data Types
ORACLE: SYS KUPV Package Multiple Procedure SQL Injection Vulnerability
ORACLE: SYS KUPV Package Multiple Procedure SQL Injection Vulnerability (0x46c03b00)
ORACLE: SYS.DBMS_DEFER_SYS SQL Injection Vulnerability
Oracle: SYS.KUPV$FT.ATTACH_JOB Package SQL Injection
ORACLE: Workspace Manager SQL Injection Vulnerability
SYMANTEC: Symantec Altiris DS SQL Injection
NESSUS
ASP-Rider SQL Injection
aspWebAlbum SQL Injection
aspWebCalendar SQL Injection
b2Evolution title SQL Injection
BroadBoard SQL Injection
CactuShop XSS and SQL injection flaws
cfWebStore SQL injection
Comersus Login SQL injection
CoolForum XSS and SQL Injection Vulnerabilities
CubeCart SQL injection
FishCart SQL injections
IBProArcade index.php SQL Injection
INL ulog-php SQL injection
Invision Power Board Arcade SQL Injection Vulnerability
Invision Power Board Calendar SQL Injection Vulnerability:
Invision Power Board Post SQL Injection Vulnerability
Invision Power Board ssi.php SQL Injection Vulnerability
Invision Power Board st Parameter SQL Injection Vulnerability
Invision Power Top Site List SQL Injection:
Kayako eSupport SQL Injection and Cross-Site-Scripting
mod_survey ENV tags SQL injection
MyDMS SQL Injection and Directory Traversal
Nucleus CMS SQL Injection
Password Protect SQL Injection
PhotoPost showgallery.php SQL Injection
PHPCatalog SQL injection:
PHPMyWebHosting SQL Injection Vulnerability
PHPNews sendtofriend.php SQL injection
PlaySMS Cookie SQL Injection
Psychoblogger SQL Injection:
Serendipity SQL Injections
Snitz Forums 2000 SQL injection
SpiderSales Shopping Cart SQL injection
SQL injection in Antiboard
SQL injection in JPortal:
SQL injection in Photopost PHP Pro
SQL injection in phpBB (2):
SQL injection in phpBB (3)
SQL injection in ReviewPost PHP Pro:
SQL injection in XTreme ASP Photo Gallery
TorrentTrader SQL Injection
Tutos SQL injection and Cross Site Scripting Issues
vbulletin calendar SQL Injection Vulnerability
vBulletin SQL injection Issue
VP-ASP shopsearch SQL injection:
VP-ASP SQL Injection
NETSCREEN
HTTP: osCommerce products_id Parameter SQL Injection
PALO ALTO
ActiveCampaign 1-2-All Admin Panel Username Parameter SQL Injection
Adobe RoboHelp Server SQL Injection Vulnerability
Benders Calendar index.php this_day Parameter SQL Injection
Best Software SalesLogix SQL Injection Vulnerability
CA Total Defense UNCWS Web Service deleteReportFilter SQL Injection Vulnerability
CA Total Defense UNCWS Web Service exportReport SQL Injection Vulnerability
CA Total Defense UNCWS Web Service UnAssignAdminUsers SQL Injection Vulnerability
Coppermine Photo Gallery SQL Injection Vulnerability
Cyclope Employee Surveillance Solution v6 SQL Injection Vulnerability
DBMS_METADATA Package GET_GRANTED_XML Funtion SQL Injection
DBMS_METADATA Package GET_XML Funtion SQL Injection
DBMS_METADATA Package Open Function SQL Injection
Dell SonicWALL Plixer Scrutinizer SQL Injection Vulnerability
FlexBB index.php flexbb_lang_id Cookie SQL Injection
FullASPSite ASP Hosting Windows.ASP SQL Injection
HP Data Protector Multiple Products FinishedCopy SQL Injection Vulnerability
HP Data Protector Multiple Products GetPolicies SQL Injection Vulnerability
HP Data Protector Multiple Products LogClientInstallation SQL Injection Vulnerability
HTTP SQL Injection Attempt
IBM Rational ClearQuest Username Parameter SQL Injection Vulnerability
IBM Tivoli Provisioning Manager register.do SQL Injection Vulnerability
Ipswitch WhatsUp Professional LOGIN.ASP SQL Injection Vulnerability
Lyris ListManager Read Message Attachment SQL Injection Vulnerability
Malicious Websites Compromised by Massive SQL Injection Attacking
Microsoft BizTalk Server DTA Interface SQL Injection Vulnerability
Microsoft SQL Server 2000 sp_MScopyscript SQL Injection Vulnerability
Oracle Database CTX_DOC Package Markup Procedure SQL Injection Vulnerability
Oracle Database DBMS_AQADM_SYS Package SQL Injection
Oracle Database DBMS_DEFER_SYS Package SQL Injection Vulnerability
Oracle Database KUPM-MCP Package MAIN Procedure SQL Injection
Oracle Database Server CompressWorkspaceTree SQL Injection
Oracle Database Server CREATE_TABLES SQL Injection Vulnerability
Oracle Database Server Rollbackworkpsace SQL Injection
Oracle Database Server ROLLBACKWORKSPACE SQL Injection
Oracle Database Server SYS.KUPV Package SQL Injection
Oracle Database Server SYS.LT.FINDRICSET SQL Injection
Oracle Database Server XDB PITRIG TRUNCATE and DROP Procedures SQL Injection
Oracle Database SYS.DBMS_CDC_PUBLISH.DROP_CHANGE_SOURCE SQL Injection Vulnerability
Oracle Database VALIDATE_REMOTE_RC SQL Injection
Oracle DBMS_CDC_PUBLISH Package SQL Injection Vulnerability
Oracle DBMS_METADATA Package SQL Injection
Oracle Retail Central Office invoiceAdvSearchDone.do SQL Injection Vulnerability
Oracle SYS.DBMS_CDC_PUBLISH.DROP_CHANGE_SOURCE SQL Injection Vulnerability
Oracle SYS.LT.COMPRESSWORKSPACETREE SQL Injection Vulnerability
Oracle SYS.LT.MERGEWORKSPACE SQL Injection Exploit
Oracle SYS.LT.MERGEWORKSPACE SQL Injection Vulnerability
Oracle SYS.LT.REMOVEWORKSPACE SQL Injection Exploit
Oracle SYS.LT.REMOVEWORKSPACE SQL Injection Vulnerability
Oracle Warehouse Builder WB_OLAP_AW_REMOVE_SOLVE_ID SQL Injection Vulnerability
Oracle Warehouse Builder WB_RT_AUDIT_SHADOW_TABLE SQL Injection Vulnerability
Parallels Plesk Panel SQL Injection Vulnerability
Philboard philboard_forum.asp forumid Parameter SQL Injection
PHP Nuke HTTP Referer Header SQL Injection Vulnerability
phpnuke Search Module Query variable SQL Injection
PollMentor pollmentorres.asp id Parameter SQL Injection
ProFTPD Server Username Handling SQL Injection Vulnerability
Ruby on Rails Action Parameter Parsing SQL Injection Vulnerability
ScozBook auth.php adminname Parameter SQL Injection
Snitz Forums pop_profile id Parameter SQL Injection
Solarwinds Storage Manager SQL Injection Vulnerability
Symantec IM Manager Multiple SQL Injection Vulnerabilities
Symantec Sygate Management Server SMS Authentication Servlet SQL Injection
Symantec Web Gateway blocked.php SQL Injection Vulnerability
Trend Micro Control Manager id Parameter SQL injection Vulnerability
Wordpress FormCraft Plugin SQL Injection Vulnerability
SNORT
DELETED SERVER-WEBAPP Symantec Web Gateway blocked.php id parameter sql injection attempt
DELETED SPECIFIC-THREATS Adobe RoboHelp r0 SQL injection attempt
DELETED SQL Jive Software Openfire Jabber Server SQL injection attempt
INDICATOR-OBFUSCATION encoded union select function in POST - possible sql injection attempt
INDICATOR-OBFUSCATION encoded waitfor delay function in POST - possible sql injection attempt
INDICATOR-OBFUSCATION large number of calls to ascii function - possible sql injection obfuscation
INDICATOR-OBFUSCATION large number of calls to char function - possible sql injection obfuscation
INDICATOR-OBFUSCATION large number of calls to chr function - possible sql injection obfuscation
INDICATOR-OBFUSCATION large number of calls to concat function - possible sql injection obfuscation
INDICATOR-OBFUSCATION oversized cast statement - possible sql injection obfuscation
INDICATOR-OBFUSCATION oversized convert statement - possible sql injection obfuscation
INDICATOR-OBFUSCATION select concat statement - possible sql injection obfuscation
INDICATOR-SCAN sqlmap SQL injection scan attempt
MALWARE-CNC Lizamoon sql injection campaign phone-home
MALWARE-CNC Lizamoon sql injection campaign ur.php response detected
MALWARE-CNC Win.Trojan.Dexter CasinoLoader SQL injection
MALWARE-TOOLS Havij advanced SQL injection tool user-agent string
ORACLE Oracle XDB.XDB_PITRIG_PKG sql injection attempt
PROTOCOL-SCADA Sinapsi SQL injection attempt
SERVER-ORACLE DBMS_ASSERT.simple_sql_name double quote SQL injection attempt
SERVER-ORACLE DBMS_EXPORT_EXTENSION SQL injection attempt
SERVER-ORACLE Oracle XDB.XDB_PITRIG_PKG sql injection attempt
SERVER-ORACLE SYS.KUPW-WORKER sql injection attempt
SERVER-ORACLE Warehouse builder WE_OLAP_AW_REMOVE_SOLVE_ID SQL Injection attempt
SERVER-ORACLE Warehouse builder WE_OLAP_AW_SET_SOLVE_ID SQL Injection attempt
SERVER-OTHER CA Total Defense Suite UNCWS deleteReportFilter SQL injection attempt
SERVER-OTHER CA Total Defense Suite UNCWS DeleteReports stored procedure SQL injection
SERVER-OTHER CA Total Defense Suite UNCWS deleteReportTemplate SQL injection attempt
SERVER-OTHER CA Total Defense Suite UNCWS reGenerateReports/DeleteReports SQL injection attempt
SERVER-OTHER CA Total Defense Suite UNCWS ReportFilterID/reportTemplateID SQL injection attempt
SERVER-OTHER Nagios core config manager tfpassword sql injection attempt
SERVER-OTHER Ruby on Rails authlogic session cookie SQL injection attempt
SERVER-WEBAPP ADNForum SQL injection in index.php fid attempt
SERVER-WEBAPP Advantech WebAccess ChartThemeConfig SQL injection attempt
SERVER-WEBAPP ASPMForum SQL injection attempt
SERVER-WEBAPP Benders Calendar SQL injection in index.php this_day attempt
SERVER-WEBAPP Bit 5 Blog SQL injection in processlogin.php username via
SERVER-WEBAPP CA Total Defense Suite UNCWS UnassignFunctionalRoles stored procedure POST SQL injection attempt
SERVER-WEBAPP CA Total Defense Suite UNCWS UnassignFunctionalRoles stored procedure SQL injection attempt
SERVER-WEBAPP cacti graph_image SQL injection attempt
SERVER-WEBAPP Click N Print Coupons coupon_detail.asp SQL injection attempt
SERVER-WEBAPP Demarc SQL injection attempt
SERVER-WEBAPP Devellion CubeCart searchStr parameter SQL injection
SERVER-WEBAPP DuWare DuClassmate default.asp iCity sql injection attempt
SERVER-WEBAPP F5 Networks FirePass my.activation.php3 state parameter sql injection attempt
SERVER-WEBAPP geoBlog SQL injection in viewcat.php cat parameter attempt
SERVER-WEBAPP HP Data Protector LogClientInstallation SQL Injection attempt
SERVER-WEBAPP HP LoadRunner Virtual User Generator EmulationAdmin getReport SQL injection attempt
SERVER-WEBAPP IBM Tivoli Provisioning Manager Express asset.getmimetype sql injection attempt
SERVER-WEBAPP IBM Tivoli Provisioning Manager express user.updateUserValue sql injection attempt
SERVER-WEBAPP inTouch SQL injection in index.php user attempt
SERVER-WEBAPP Joomla weblinks-categories SQL injection attempt
SERVER-WEBAPP Kloxo webcommand.php SQL injection attempt
SERVER-WEBAPP Lizard Cart CMS SQL injection in detail.php id attempt
SERVER-WEBAPP Lizard Cart CMS SQL injection in pages.php id attempt
SERVER-WEBAPP McAfee ePO DisplayMSAPropsDetail.do sql injection attempt
SERVER-WEBAPP McAfee ePO showRegisteredTypeDetails.do sql injection attempt
SERVER-WEBAPP Neocrome Land Down Under profile.inc.php SQL injection attempt
SERVER-WEBAPP Novell ZENworks patch management SQL injection attempt
SERVER-WEBAPP Nucleus CMS action.php itemid SQL injection
SERVER-WEBAPP Outfront Spooky Login a_register.asp SQL injection attempt
SERVER-WEBAPP Outfront Spooky Login register.asp SQL injection attempt
SERVER-WEBAPP PHP-Nuke index.php SQL injection attempt
SERVER-WEBAPP phpBB mod shoutbox sql injection attempt
SERVER-WEBAPP phpBB mod tag board sql injection attempt
SERVER-WEBAPP Ruby on Rails SQL injection attempt
SERVER-WEBAPP ScozBook SQL injection in auth.php adminname attempt
SERVER-WEBAPP SePortal poll.php SQL injection attempt
SERVER-WEBAPP SePortal print.php SQL injection attempt
SERVER-WEBAPP SePortal staticpages.php SQL injection attempt
SERVER-WEBAPP Symantec IM Manager administrator interface SQL injection attempt
SERVER-WEBAPP Symantec IM manager IMAdminReportTrendFormRun.asp sql injection attempt
SERVER-WEBAPP Symantec IM Manager IMAdminScheduleReport.asp SQL injection attempt
SERVER-WEBAPP Symantec IM Manager LoggedInUsers.lgx definition file multiple SQL injections attempt
SERVER-WEBAPP Symantec Sygate Policy Manager SQL injection
SERVER-WEBAPP TankLogger SQL injection in showInfo.php livestock_id attempt
SERVER-WEBAPP TheWebForum SQL injection in login.php username attempt
SERVER-WEBAPP VEGO Web Forum SQL injection in login.php username attempt
SERVER-WEBAPP Venom Board SQL injection attempt
SERVER-WEBAPP Visuplay CMS news_article.php unspecified SQL injection attempt
SERVER-WEBAPP WHMCS SQL injection attempt
SERVER-WEBAPP Wordcircle SQL injection attempt
SERVER-WEBAPP Zabbix session id disclosure via sql injection attempt
SQL 1 = 0 - possible sql injection attempt
SQL 1 = 1 - possible sql injection attempt
SQL char and sysobjects - possible sql injection recon attempt
SQL declare varchar - possible SQL injection attempt
SQL IBM System Storage DS storage manager profiler sql injection attempt
SQL Jive Software Openfire Jabber Server sql injection attempt
SQL large number of calls to ascii function - possible sql injection obfuscation
SQL large number of calls to concat function - possible sql injection obfuscation
SQL McAfee ePolicy Orchestrator timing based SQL injection attempt
SQL or kic = kic - known SQL injection routine
SQL oversized cast statement - possible sql injection obfuscation
SQL oversized convert statement - possible sql injection obfuscation
SQL parameter ending in comment characters - possible sql injection attempt - POST
SQL parameter ending in encoded comment characters - possible sql injection attempt - POST
SQL PHPSESSID SQL injection attempt
SQL Ruby on rails SQL injection attempt
SQL union select - possible sql injection attempt - POST parameter
SQL use of concat function with select - likely SQL injection
SQL waitfor delay function - possible SQL injection attempt
SQL waitfor delay function in POST - possible sql injection attempt
WEB-MISC Adobe RoboHelp r0 SQL injection attempt
WEB-MISC Demarc SQL injection attempt
WEB-MISC Symantec Sygate Policy Manager SQL injection
WEB-PHP cacti graph_image SQL injection attempt
WEB-PHP phpBB mod shoutbox sql injection attempt
WEB-PHP phpBB mod tag board sql injection attempt
SOURCEFIRE
FTP ProFTPD username sql injection attempt
HTTP: SQL Injection Exploit (0x40216400)
ORACLE DBMS_EXPORT_EXTENSION SQL injection attempt
ORACLE DBMS_METADATA Package SQL Injection attempt
ORACLE Oracle Database DBMS_AQADM_SYS package GRANT_TYPE_ACCESS procedure SQL injection attempt
ORACLE Oracle Database REPCAT_RPC.VALIDATE_REMOTE_RC SQL injection attempt
ORACLE Oracle database server CompressWorkspaceTree SQL injection attempt
ORACLE Oracle database server CREATE_TABLES SQL injection attempt
ORACLE Oracle Database Server DBMS_CDC_PUBLISH.ALTER_CHANGE_SOURCE procedure SQL injection attempt
ORACLE Oracle Database Server DBMS_CDC_PUBLISH.DROP_CHANGE_SOURCE procedure SQL injection attempt
ORACLE Oracle database server MergeWorkspace SQL injection attempt
ORACLE Oracle database server RemoveWorkspace SQL injection attempt
ORACLE Oracle Database Server RollbackWorkspace SQL injection attempt
ORACLE Oracle database SYS.LT.FINDRICSET SQL injection attempt
ORACLE SYS.KUPW-WORKER sql injection attempt
PROTOCOL-FTP ProFTPD username sql injection attempt
SERVER-ORACLE Database REPCAT_RPC.VALIDATE_REMOTE_RC SQL injection attempt
SERVER-ORACLE DBMS_METADATA Package SQL Injection attempt
SERVER-ORACLE Oracle Database DBMS_AQADM_SYS package GRANT_TYPE_ACCESS procedure SQL injection attempt
SERVER-ORACLE Oracle database server CompressWorkspaceTree SQL injection attempt
SERVER-ORACLE Oracle database server CREATE_TABLES SQL injection attempt
SERVER-ORACLE Oracle Database Server DBMS_CDC_PUBLISH.ALTER_CHANGE_SOURCE procedure SQL injection attempt
SERVER-ORACLE Oracle Database Server DBMS_CDC_PUBLISH.DROP_CHANGE_SOURCE procedure SQL injection attempt
SERVER-ORACLE Oracle database server MergeWorkspace SQL injection attempt
SERVER-ORACLE Oracle database server RemoveWorkspace SQL injection attempt
SERVER-ORACLE Oracle Database Server RollbackWorkspace SQL injection attempt
SERVER-ORACLE Oracle database server Workspace Manager multiple SQL injection attempt
SERVER-ORACLE Oracle database SYS.LT.FINDRICSET SQL injection attempt
SERVER-OTHER HP DPNECentral RequestCopy type SQL injection attempt
SERVER-WEBAPP Adobe RoboHelp r0 SQL injection attempt
SERVER-WEBAPP Adobe RoboHelp rx SQL injection attempt
SERVER-WEBAPP CA Total Defense management.asmx sql injection attempt
SERVER-WEBAPP Cisco Unified Communications Manager sql injection attempt
SERVER-WEBAPP Gazi Download Portal down_indir.asp SQL injection attempt
SERVER-WEBAPP HP Data Protector FinishedCopy SQL Injection attempt
SERVER-WEBAPP HP Data Protector GetPolicies SQL Injection attempt
SERVER-WEBAPP Oracle Fusion Middleware WebCenter selectedLocale parameter sql injection attempt
SERVER-WEBAPP Symantec Web Gateway blocked.php blind sql injection attempt
SPECIFIC-THREATS Adobe RoboHelp r0 SQL injection attempt
SPECIFIC-THREATS Oracle database server Workspace Manager multiple SQL injection attempt
SQL large number of calls to char function - possible sql injection obfuscation
SQL union select - possible sql injection attempt - GET parameter
SQL url ending in comment characters - possible sql injection attempt
WEB-CGI Nucleus CMS action.php itemid SQL injection
WEB-CGI Symantec IM Manager LoggedInUsers.lgx definition file multiple SQL injections attempt
WEB-MISC Adobe RoboHelp rx SQL injection attempt
WEB-MISC Novell ZENworks patch management SQL injection attempt
WEB-MISC Symantec IM manager IMAdminReportTrendFormRun.asp sql injection attempt
WEB-MISC Symantec IM Manager IMAdminScheduleReport.asp SQL injection attempt
TIPPING POINT
10534: HTTP: Symantec IM Manager Administrative Interface SQL Injection Vulnerability (ZDI-10-225)
10607: HTTP: Symantec IM Manager sGetDefinition SQL Injection Vulnerability (ZDI-10-226)
10889: HTTP: Cisco Unified Call Manager SQL Injection Vulnerability (ZDI-11-143)
10895: HTTP: WordPress Plugin Comment Rating SQL Injection Vulnerability
11063: HTTP: Computer Associates Total Defense Suite SQL Injection Vulnerability (ZDI-11-134)
11064: HTTP: Computer Associates Total Defense Suite SQL Injection Vulnerability (ZDI-11-133)
11065: HTTP: Computer Associates Total Defense Suite SQL Injection Vulnerability (ZDI-11-132)
11066: HTTP: Computer Associates Total Defense Suite SQL Injection Vulnerability (ZDI-11-131)
11067: HTTP: Computer Associates Total Defense Suite SQL Injection Vulnerability (ZDI-11-130)
11068: HTTP: Computer Associates Total Defense Suite SQL Injection Vulnerability (ZDI-11-129)
11069: HTTP: Computer Associates Total Defense Suite SQL Injection Vulnerability (ZDI-11-128)
11162: HTTP: SQL Injection Attempt with Empty Quotes
11171: HTTP: SQL Injection (UNION)
11365: HTTP: Symantec Web Gateway SQL Injection Vulnerability (ZDI-11-233)
11447: HTTP: Computer Associates Total Defense Suite SQL Injection Vulnerability
11493: HTTP: Havij SQL Injection Tool Access
11632: Oracle: Oracle SQL Injection Near Vulnerable Package
11634: Oracle: Oracle SQL Injection Near Vulnerable Package
11722: Oracle: Oracle SQL Injection Near Vulnerable Package
11812: HTTP: HP Data Protector Notebook Extension Policy Server SQL Injection (ZDI-11-321)
11812: HTTP: HP Data Protector Notebook Extension Policy Server SQL Injection (ZDI-11-321-327)
11897: Oracle: SQL Function SQL Injection
11902: Oracle: SQL Function SQL Injection
11938: HTTP: SQL Injection (Boolean Identity)
12019: HTTP: Joomla XBall SQL Injection Vulnerability
12028: HTTP: Computer Associates Total Defense Suite SQL Injection Vulnerability (ZDI-12-022)
12030: HTTP: Computer Associates Total Defense Suite SQL Injection Vulnerability (ZDI-12-024)
12143: HTTP: Parallels Plesk Small Business Panel SQL Injection Vulnerability
12324: HTTP: Symantec IM Manager Administrative Interface SQL Injection Vulnerability
12497: TCP: HP Operations Orchestration RSScheduler Service SQL Injection Vulnerability (ZDI-12-172)
12523: HTTP: SQL Injection Percent Encoded (Boolean Identity)
12529: HTTP: SQL Injection Unsanitized Characters in Request
12580: HTTP: SQL Injection (Cookie Header)
12598: HTTP: IBM Tivoli Provisioning Manager SQL Injection Vulnerability (ZDI-12-040)
12638: HTTP:Trend Micro Control Manager SQL Injection
1897: HTTP: Snitz Forum SQL Injection
1922 HTTP: xp_cmdshell SQL Injection
1922: HTTP: xp_cmdshell SQL Injection
2033 HTTP: iisProtect SQL Injection / Cmd Exec
2033: HTTP: iisProtect SQL Injection / Cmd Exec
2128 HTTP: Xpressions.com authenticate.asp SQL Injection
2128: HTTP: Xpressions.com authenticate.asp SQL Injection
2131 HTTP: Xpressions.com login.asp SQL Injection
2131: HTTP: Xpressions.com login.asp SQL Injection
2229 HTTP: CyberStrong eShop SQL Injection
2229: HTTP: CyberStrong eShop SQL Injection
2236 HTTP: EarlyImpact ProductCart Login.asp SQL Injection
2236: HTTP: EarlyImpact ProductCart Login.asp SQL Injection
2240 HTTP: EarlyImpact ProductCart Custvb.asp SQL Injection
2240: HTTP: EarlyImpact ProductCart Custvb.asp SQL Injection
2244 HTTP: Virtual Programming VP-ASP Shopping Cart SQL Injection
2244: HTTP: Virtual Programming VP-ASP Shopping Cart SQL Injection
2258 HTTP: eStore SQL Injection
2258: HTTP: eStore login.php SQL Injection
2450 HTTP: DeskPro faq.php SQL Injection
2450: HTTP: DeskPro faq.php SQL Injection
2451 HTTP: DeskPro view.php SQL Injection
2451: HTTP: DeskPro view.php SQL Injection
2453 HTTP: DeskPro login.php SQL Injection
2453: HTTP: DeskPro login.php SQL Injection
2525: HTTP: phpBB search.php SQL Injection
2526: HTTP: VP-ASP shopdisplayproducts.asp SQL Injection
2527: HTTP: VP-ASP shopsearch.asp SQL Injection
3593: HTTP: SQL Injection (UNION)
3624: HTTP: SQL Injection (SELECT)
3625: HTTP: SQL Injection (OPENROWSET)
3626: HTTP: SQL Injection (WAITFOR)
3630: HTTP: SQL Injection (Boolean Identity)
3634: HTTP: Claroline Multiple SQL Injection
3798: HTTP: SQL Injection (Boolean Identity)
3799: HTTP: SQL Injection (Boolean Identity)
3800: HTTP: SQL Injection (Boolean Identity)
3801: HTTP: SQL Injection (EXECUTE)
3802: HTTP: SQL Injection (DROP/CREATE)
3803: HTTP: SQL Injection (INSERT)
3804: HTTP: SQL Injection (UPDATE)
3805: HTTP: SQL Injection (ALTER)
3806: HTTP: SQL Injection (DELETE)
3807: HTTP: SQL Injection Evasion Inline SQL Comment
3808: HTTP: SQL Injection Variable Declaration Evasion
3809: HTTP: SQL Injection Evasion SQL Comment Terminator
3810: HTTP: SQL Injection Evasion (System Variables)
3936: HTTP: SQL Injection Evasion (Oracle PL/SQL Block)
3940: HTTP: Oracle SQL Injection using Vulnerable Functions
3986: HTTP: SQL Injection (Oracle GRANT TO)
4001: HTTP: SQL Injection MySQL Show Function
4010: HTTP: Lyris Attachment SQL Injection
4098: Oracle: AUTH_ALTER_SESSION Sql Injection Attack
4115: HTTP: Oracle SQL Injection using Vulnerable Functions
4352: HTTP: Oracle SQL Injection Using Vulnerable Functions
4416: HTTP: Oracle SQL Injection Using Vulnerable Functions
4558: HTTP: Oracle SQL Injection Using Vulnerable Functions
4559: HTTP: Coppermine Photo Gallery SQL Injection
4636: HTTP: Symantec Sygate Management Server SQL Injection
4776: HTTP: Mambo Cookie SQL Injection
4804: HTTP: SQL Injection (Cookie Header)
4827: HTTP: Oracle SQL Injection Using Vulnerable Functions
4921: HTTP: Oracle E-Business Suite SQL Injection Vulnerability (ZDI-08-088)
4925 BRIGHTSTOR: Computer Associates Hierarchical Storage Manager SQL Injection (TPTI-07-017)
4925: BRIGHTSTOR: Computer Associates Hierarchical Storage Manager SQL Injection (TPTI-07-017)
4925: BRIGHTSTOR: Computer Associates Hierarchical Storage Manager SQL Injection (TPTI-07-17)
5063: HTTP: Cacti SQL injection Vulnerability
5064: HTTP: PAfileDB SQL Injection Vulnerability
5078: HTTP: Oracle SQL Injection Using Vulnerable Functions
5092: HTTP: Oracle E-Business Suite SQL Injection Vulnerability (ZDI-07-058)
5092: HTTP: Oracle E-Business Suite SQL Injection Vulnerability (ZDI-CAN-159)
5176: HTTP: SQL Injection Evasion (String Functions)
5178: Oracle: Oracle SQL Injection Using Vulnerable Functions
5237: Oracle: Oracle SQL Injection Using Vulnerable Functions
5265: Oracle: Oracle SQL Injection Using Vulnerable Functions
5270: Oracle: Oracle SQL Injection Using Vulnerable Functions
5296: HTTP: Wordpress XMLRPC SQL Injection
5302: HTTP: PunBB SQL Injection
5314: HTTP: Phorum SQL Injection Attack
5365: Oracle: Oracle SQL Injection Near Vulnerable Package
5368: HTTP: Oracle SQL Injection Using Vulnerable Functions
5375: Oracle: Oracle SQL Injection Near Vulnerable Package
5389: HTTP: SQL Injection Evasion (MySQL Functions)
5390: HTTP: SQL Injection Evasion Inline SQL Comment
5413: HTTP: WordPress SQL Injection Vulnerability
5421: HTTP: Wordpress XMLRPC SQL Injection
5450 HTTP: Advanced Guestbook SQL Injection Vulnerability
5450: HTTP: Advanced Guestbook SQL Injection Vulnerability
5468 HTTP: Buddy Zone SQL Injection Vulnerability
5468: HTTP: Buddy Zone SQL Injection Vulnerability
5528 HTTP: Firestorm Joomla com_gmaps SQL Injection
5528: HTTP: Firestorm Joomla com_gmaps SQL Injection
5572 Oracle: Oracle SQL Injection Using Vulnerable Functions
5572: Oracle: Oracle SQL Injection Using Vulnerable Functions
5591 HTTP: Oracle SQL Injection Using Vulnerable Functions
5591: HTTP: Oracle SQL Injection Using Vulnerable Functions
5617 HTTP: Plesk Cookie SQL Injection
5617: HTTP: Plesk Cookie SQL Injection
5618 HTTP: Plesk Cookie SQL Injection
5618: HTTP: Plesk Cookie SQL Injection
5669: HTTP: SQL Injection (UNION)
5670: HTTP: SQL Injection (SELECT)
5671: HTTP: SQL Injection (OPENROWSET)
5672: HTTP: SQL Injection (WAITFOR)
5673: HTTP: SQL Injection (Boolean Identity)
5674: HTTP: SQL Injection (Boolean Identity)
5675: HTTP: SQL Injection (Boolean Identity)
5719: HTTP: SQL Injection (CAST)
5772: HTTP: SQL Injection (Boolean Identity)
5773: HTTP: SQL Injection (EXECUTE)
5774: HTTP: SQL Injection (DROP/CREATE)
5775: HTTP: SQL Injection (INSERT)
5776: HTTP: SQL Injection (UPDATE)
5777: HTTP: SQL Injection (ALTER)
5778: HTTP: SQL Injection (DELETE)
5836 HTTP: PAfileDB SQL Injection Vulnerability
5836: HTTP: PAfileDB SQL Injection Vulnerability
5880: HTTP: PHP Real Estate SQL Injection Vulnerability
5935: ALTIRIS: Symantec Altiris Deployment Solution SQL Injection Vulnerability (ZDI-08-024)
6055: HTTP: SQL Injection (Content-Type Header)
6063: Oracle: Oracle SQL Injection Near Vulnerable Package
6066: HTTP: Oracle SQL Injection Using Vulnerable Functions
6103: HTTP: SQL Injection (RESTORE)
6115: HTTP: SQL Injection (CONVERT)
6116: HTTP: SQL Injection (CAST)
6127: HTTP: SQL Injection Worm Payload Download Request
6133: HTTP: SQL Injection Evasion
6134: HTTP: SQL Injection Variable Declaration Evasion
6135: HTTP: SQL Injection Evasion
6139: HTTP: 68 Classifieds SQL Injection Vulnerability
6226: HTTP: SQL Injection Tool with Asprox Botnet
6230: HTTP: SQL Injection Tool with Asprox Botnet
6236: HTTP: SQL Injection (RESTORE)
6264: Oracle: Oracle SQL Injection Near Vulnerable Package
6265: HTTP: Oracle SQL Injection Using Vulnerable Functions
6312: HTTP: Joomla Token SQL Injection Vulnerability
6321: HTTP: SQL Injection (CONVERT)
6388: HTTP: SQL Injection (Benchmark)
6392: HTTP: SQL Injection (Benchmark)
6454: HTTP: SQL Injection Tool with Asprox Botnet
6549: HTTP: Joomla Components SQL Injection Vulnerability
6568: HTTP: SQL Injection (CAST)
6639: HTTP: SQL Injection Asprox Botnet Variant
6641: HTTP: Joomla Live Chat SQL Injection Vulnerability
6740: Oracle: Oracle SQL Injection Near Vulnerable Package
6741: HTTP: Oracle SQL Injection Using Vulnerable Functions
6769: HTTP: SQL Injection MS-SQL Stored Procedure
8026: HTTP: Novell ZENworks SQL Injection Vulnerability (ZDI-10-003)
8054: Oracle: Oracle SQL Injection Near Vulnerable Package
8055: HTTP: Oracle SQL Injection Using Vulnerable Functions
8372: HTTP: SQL Injection Select Into Outfile
8373: HTTP: SQL Injection Select Load_file
8799: HTTP: Jive Software Openfire Jabber Server SQL Injection
8834: Oracle: Multiple SQL Function SQL Injection
8871: Oracle: SQL Function SQL Injection
8992: Oracle: Oracle SQL Injection Near Vulnerable Package
9072: ORACLE: Oracle DBMS_Assert SQL Injection
9074: ORACLE: Oracle Kupw-Worker SQL Injection
9166: HTTP: Ipswitch WhatsUp Web Interface SQL Injection
9412: Oracle: Oracle SQL Injection Near Vulnerable Package
9413: HTTP: Oracle SQL Injection Using Vulnerable Functions
9418: HTTP: Zen Cart SQL Injection Vulnerability
9497: Oracle: Oracle SQL Injection Near Vulnerable Package
9563: HTTP: Oracle Real User Experience Insight rsynclogdird SQL Injection Vulnerability (ZDI-11-016)
9696: HTTP: Symantec IM Manager SQL Injection Vulnerability (ZDI-10-220, ZDI-10-221, ZDI-10-222,223,224)
9740: HTTP: Joomla Multi-Venue RestaurantManager SQL Injection Vulnerability
9746: Oracle: Oracle SQL Injection Near Vulnerable Package
9762: Oracle: Oracle SQL Injection Near Vulnerable Package
9764: Oracle: Oracle SQL Injection Near Vulnerable Package
9765: Oracle: Oracle SQL Injection Near Vulnerable Package
9785: HTTP: SQL Injection (Referer Header)
9924: HTTP: Multiple Vendors SQL Injection Vulnerability
HTTP: Phorum SQL Injection Attack
HTTP: WordPress SQL Injection Vulnerability
HTTP: Wordpress XMLRPC SQL Injection
ADDITIONAL RECOMMENDATIONS
• Implement strong server-side validation for all user inputs, including cookie values
• Escape special characters in user inputs
• Avoid using the EXEC command in SQL Server
• Never use the sa account to connect to the database from applications
• Configure a generic error page for applications and do not display error messages to users
• Trap all possible exceptions and use a global exception handler
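The following added example (not part of the original report) shows three of the recommendations above working together in one request path: allow-list validation of a cookie and a query parameter, a global exception handler, and a generic error message for the user. The table, the cookie and parameter formats, and all function names are assumptions made for illustration, and the query uses bound parameters in place of hand-escaping special characters.

```python
import logging
import re
import sqlite3

log = logging.getLogger("app")
# Allow-list patterns (assumed formats): anything that does not match is rejected.
SESSION_RE = re.compile(r"[0-9a-f]{32}")
ORDER_ID_RE = re.compile(r"[0-9]{1,9}")
QUERY = "SELECT item FROM orders WHERE id = ? AND session = ?"


class ValidationError(Exception):
    """Raised when a request value fails its allow-list pattern."""


def make_db():
    """Constructed sample data in an in-memory SQLite database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER, session TEXT, item TEXT)")
    db.execute("INSERT INTO orders VALUES (7, ?, 'widget')", ("a" * 32,))
    return db


def validated(value, pattern, name):
    """Return value only if it is a string fully matching pattern."""
    if not isinstance(value, str) or not pattern.fullmatch(value):
        raise ValidationError(name)
    return value


def get_order(db, cookies, params):
    # Cookie values are attacker-controlled and validated like any parameter.
    session = validated(cookies.get("session"), SESSION_RE, "session cookie")
    order_id = int(validated(params.get("id"), ORDER_ID_RE, "id"))
    # Bound parameters keep the input out of the SQL text.
    row = db.execute(QUERY, (order_id, session)).fetchone()
    return (200, row[0]) if row else (404, "Not found")


def handle(db, cookies, params):
    """Global handler: details go to the server log, never to the user."""
    try:
        return get_order(db, cookies, params)
    except ValidationError as exc:
        log.warning("rejected input: %s", exc)
        return (400, "Invalid request")
    except Exception:
        log.exception("unhandled error")
        return (500, "An error occurred. Please try again later.")
```

The server log keeps the full exception and the name of the rejected field, which is what an analyst needs when correlating application events with the IDPS signatures listed above.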
REFERENCES
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
http://www.codeproject.com/Tips/706692/Preventing-SQL-Injection-Attacks
CONTRIBUTORS
Nick Bradley, Threat Research Practice Lead
DISCLAIMER
This document is intended to inform clients of IBM Security Services of a threat or discovery by IBM Managed
Security Services and measures undertaken or suggested by IBM Security Service Teams to remediate the threat.
The data contained herein describing tactics, techniques and procedures is classified Confidential for the
consumption of IBM MSS clients only.