SQL-Injection


by Fabienne Neveu -

Salut,

please excuse my bad English…

In short, we have a Moodle server which was attacked. I think it was an SQL injection.

In early December the following users were created in the Moodle database:

xxxxxxxxxxx

gui74f5qd
http://some-inexistent-website.acu/some ... _name?.jpg
'"
set|set&set
;print(md5(security_test));
index.php
)
1some_inexistent_file_with_long_name%00.jpg
'fvb588hk9
http://testasp.vulnweb.com/t/fit.txt
<!--
http://testasp.vulnweb.com/t/fit.txt%3f.jpg
';print(md5(security_test));$a='
../../../../../../../../../../etc/passwd
testasp.vulnweb.com
'set|set&set'
!(()&&!|*|*|
"zq86m240n
";print(md5(security_test));$a="
../../../../../../../../../../../../../../../proc/version
"set|set&set"
${@print(md5(security_test))}
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd%00.jpg
^(#$!@#$)(()))******
../../../../../../../../../../etc/passwd%00.jpg
${@print(md5(security_test))}\
`set|set&set`
;set|set&set;

xxxxxxxxxxx


What you see are simply entries in the field "username" of the table "mdl_user".

Normally we have the setting that forbids creating a user without authentication. However, somebody managed to create users, and I think it was an SQL injection.

We update our Debian on a regular basis, and we ran Moodle 2.9.1. In early December, as I remember, I updated to Moodle 2.9.2 for a couple of days and then (a week later) to Moodle 2.9.8.

What would you recommend here? Is this a known bug which can be found on moodle.org? So one can only fix it by updating to Moodle 3.0? At the moment we can't update to Moodle 3.0 because of plugins. Alternatives?

My aim is to find out whether there is damage in the existing Moodle systems. A diagnosis, so to speak...

Of course I want to secure our server in order to prevent SQL injections and other assaults.

Can you get me started here? That would be nice. We are just collecting any useful information. Are there useful feeds/links to keep us up to date?

Thanks a lot.

Kind regards,

Fabienne


In reply to Fabienne Neveu

Re: SQL-Injection

by Howard Miller -

My immediate reaction is that these entries look to be related to a web vulnerability scan. (This one... http://www.acunetix.com/vulnerability-scanner/).

At the very least, make sure you are running the *latest* version of 2.9.  2.9.9 is over a year newer than 2.9.1!!

I would start by reviewing https://moodle.org/security/

In reply to Howard Miller

Re: SQL-Injection

by Fabienne Neveu -

Hi...

cool... thanks for your fast answer!

I will update to 2.9.9.

Hard to assess the aim of the attacker... just demonstrating what is possible or trying to cause severe damage.

In any event... thanks!

Regards,

Fabienne



In reply to Howard Miller

Re: SQL-Injection

by James McLean -

This doesn't appear to be typical SQL injection. Most of that data is consistent with fuzzing, specifically looking for Local File Inclusion vulnerabilities, and trying to bypass file upload restrictions which check for file extensions etc. Note the use of null bytes (%00), this is consistent with LFI vulnerability exploitation.

I'd agree with Howard and say it's likely a vulnerability scanner, Acunetix does appear to be well used among script kiddies. It appears it simply hit a registration page filled in all the fields, and submitted it automatically.

I personally believe Moodle has excellent SQLi protections, so without further evidence (such as WAF logs, or web server logs) I would find it hard to instantly attribute this data to an SQL injection directly.

In reply to James McLean

Re: SQL-Injection

by Fabienne Neveu -
Hi,

and many thanks for your assessments. That is helpful…

So a local file inclusion is more likely than an SQL injection. But what does that mean exactly? Is it useful to monitor the uploads more diligently? If so, there must be, from my naive point of view, a registration/signup page or whatever that would allow a non-user to upload something. I don't see that, not even in a plain Moodle release.

If you talk about upload restrictions / file extension checks... do you mean internal Moodle settings? Where can I configure that? What are recommended settings? Can I disallow the use of null bytes (%00)? What is LFI vulnerability exploitation?

Sorry for the questions… Maybe you can provide some additional info… Thanks a lot!

Kind regards,
Fabienne

In reply to Fabienne Neveu

Re: SQL-Injection

by James McLean -
Those are all common vulnerabilities in web-applications, and the scanning tool was looking for those by entering strings that exploit the vulnerability, if it exists. If the application is vulnerable the results will include the contents of the file, rather than the request itself (as in the result above).


The output above implies that the site is NOT vulnerable, at least in the page and fields that were checked, nothing further needs to be done. Except perhaps disable external user registrations - as that's how I believe that data would have made it into the system.
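An added example, not code from this thread or from Moodle, that turns James's two points above into a triage check: it sorts stored values into the probe families he names (path traversal, %00 null-byte truncation, PHP eval probes, command-injection probes, scanner fixture URLs) and flags any value that looks like probe output rather than the probe itself, which is what a successful probe would leave behind. It assumes the mdl_user usernames have been exported to a Python list; the sample list is constructed from the families seen in the thread, not a dump of a real table.

```python
import hashlib
import re
from urllib.parse import unquote

# Constructed sample of stored usernames (same families as in the thread).
SAMPLE_USERNAMES = [
    "../../../../../../../../../../etc/passwd",
    "..%2f..%2f..%2f..%2f..%2fetc%2fpasswd%00.jpg",
    "1some_inexistent_file_with_long_name%00.jpg",
    "';print(md5(security_test));$a='",
    "${@print(md5(security_test))}",
    "set|set&set",
    "http://testasp.vulnweb.com/t/fit.txt",
    "alice.smith",
]

# If the PHP snippet had actually been evaluated, the page or a stored field
# would contain md5("security_test") instead of the literal probe text.
EXEC_MARKER = hashlib.md5(b"security_test").hexdigest()

PROBE_FAMILIES = {
    "path_traversal": re.compile(r"(\.\./){2,}|/etc/passwd|/proc/version"),
    "null_byte_truncation": re.compile(r"\x00|%00", re.I),
    "php_eval_probe": re.compile(r"print\(md5\(security_test\)\)"),
    "command_injection_probe": re.compile(r"set\|set&set"),
    "scanner_fixture_url": re.compile(r"vulnweb\.com|some-inexistent-website", re.I),
}

def classify(value):
    """Return the probe families a stored value matches (empty = looks benign)."""
    decoded = unquote(value)  # %2f -> '/', %00 -> NUL, so encoded variants match too
    return sorted(name for name, rx in PROBE_FAMILIES.items()
                  if rx.search(value) or rx.search(decoded))

def shows_execution(value):
    """True if a value looks like probe OUTPUT, i.e. evidence the probe worked."""
    return (EXEC_MARKER in value
            or "root:x:0:0:" in value                 # /etc/passwd contents
            or value.startswith("Linux version "))    # /proc/version contents

def triage(values):
    """Count probe families and separate executed-probe evidence from benign names."""
    report = {"families": {}, "executed": [], "benign": []}
    for v in values:
        fams = classify(v)
        if shows_execution(v):
            report["executed"].append(v)
        elif not fams:
            report["benign"].append(v)
        for f in fams:
            report["families"][f] = report["families"].get(f, 0) + 1
    return report
```

An empty "executed" list with non-empty family counts is the situation described above: the probes were stored verbatim, not evaluated.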

In reply to Fabienne Neveu

Re: SQL-Injection

by kim Rechter -

I agree with James that Moodle has excellent SQLi protections.

There are different types of threats which can be used to take advantage of your network security vulnerability. 

Besides SQL Injection there are threats like unauthorized data access, penetration testing and many more. 

My advice would be to perform network security testing to validate that your network is secure. 

You can do it with a tool like BreakingPoint. It simulates your environments and injects security attacks and malware into the simulated traffic to test the resiliency of your network security.