Inside Cyber Warfare - Jeffrey Carr [85]
database with no indication as to whether the injected query actually succeeded or failed.

Hackers turned to the BENCHMARK stored procedure (for SQL injection against MySQL databases) to get some indication as to whether their injected SQL query succeeded or failed. By including a Boolean clause (true or false) in the blind SQL injection, the hacker can craft a SQL injection in such a fashion so that if the query is successful (and only if it is successful), the database runs the BENCHMARK query.

The BENCHMARK queries chosen by the hacker are CPU-intensive, typically crypto functions run thousands of times. Since these CPU-intensive BENCHMARK queries take time to complete, the backend becomes “stalled” until the BENCHMARK is completed. If the hacker launches the blind SQL injection with a CPU-intensive BENCHMARK and the application “stalls” for a few seconds before displaying the page, the hacker knows the SQL injection was successful. Conversely, if the attacker launches the blind SQL injection with a CPU-intensive BENCHMARK and the application immediately displays the page, the hacker knows the SQL injection was not successful.

Visit http://www.milw0rm.com/papers/149 for more information about using the BENCHMARK stored procedure for blind SQL injection. It’s interesting to note that the hacker who wrote the tutorial is trying to reduce the CPU load involved with BENCHMARK usage in order to avoid detection/server-performance issues.

Now, the specific techniques suggested in the StopGeorgia.ru forum were a new twist on those for typical SQL injection vulnerability exploitation. Some posters to the forum suggested using the BENCHMARK stored procedure to consume massive amounts of CPU cycles on the backend database. BENCHMARK has been a popular technique for blind SQL injection, but using it to intentionally cause a DoS is rare.

The forum suggested that attackers use SQL injection vulnerabilities to call a CPU-intensive task (built-in crypto functions) for the backend database to execute hundreds of thousands of times. One post suggested that nested BENCHMARKs be used, each running 100,000 times (that equates to 100,000 × 100,000, or about 10,000,000,000 times)! These queries would simply consume the CPU for the system hosting the database (often it’s the same machine as the web server).

By using BENCHMARK, a single web request can cause a significant load on the database server, and in most cases a single machine can render the database server inoperative. Specific SQL injection points were identified on the forums, as well as observed in collected web server logs. SQL injection was undoubtedly used in attacks against Georgia servers.
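The two uses of BENCHMARK described above (a small, time-based probe versus a nested call large enough to exhaust the database server) leave the same kind of trace in web server logs. The following is an added example, not code from the book, showing how a defender can scan access log lines for BENCHMARK() calls, estimate the iteration count the injected call would force on the database, and separate probes from DoS attempts. The log lines, the `DOS_THRESHOLD` value and the `/news.php` path are constructed for the example.

```python
"""Flag BENCHMARK()-based SQL injection attempts in web server access logs.

Added illustration (not code from the book): scans Apache/NGINX-style
"combined" log lines for BENCHMARK( in the request target, estimates how
many iterations the injected call would force the database to perform, and
separates small time-based probes from nested calls large enough to act as
a denial of service. All log lines below are constructed samples.
"""
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample lines, not taken from any real server or from the book.
SAMPLE_LOG = """\
203.0.113.10 - - [09/Aug/2008:12:00:01 +0000] "GET /news.php?id=5 HTTP/1.1" 200 4321
203.0.113.11 - - [09/Aug/2008:12:00:02 +0000] "GET /news.php?id=5+AND+BENCHMARK(5000,MD5(1)) HTTP/1.1" 200 4321
203.0.113.12 - - [09/Aug/2008:12:00:03 +0000] "GET /news.php?id=5+AND+BENCHMARK(100000,BENCHMARK(100000,MD5(1))) HTTP/1.1" 200 4321
"""

# Iteration count above which a request is reported as a DoS attempt rather
# than a time-based probe. The value is an assumption for this example.
DOS_THRESHOLD = 1_000_000

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
BENCH_RE = re.compile(r'BENCHMARK\s*\(\s*(\d+)', re.IGNORECASE)


def benchmark_iterations(sql_fragment: str) -> int:
    """Upper-bound estimate of iterations forced by BENCHMARK() calls.

    Nested calls multiply: BENCHMARK(a, BENCHMARK(b, expr)) evaluates expr
    a*b times. Sibling calls only add, so multiplying every count found
    over-estimates in that case; for an alert the upper bound is the
    conservative choice.
    """
    counts = [int(c) for c in BENCH_RE.findall(sql_fragment)]
    if not counts:
        return 0
    total = 1
    for c in counts:
        total *= c
    return total


def classify(iterations: int) -> str:
    """Map an iteration estimate to a verdict string."""
    if iterations == 0:
        return "clean"
    if iterations < DOS_THRESHOLD:
        return "blind-probe"
    return "dos-candidate"


def analyze_line(line: str):
    """Parse one combined-format log line; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode %xx escapes and '+' so a BENCHMARK hidden behind URL encoding
    # is still matched.
    decoded = unquote_plus(m.group("target"))
    iterations = benchmark_iterations(decoded)
    return {
        "ip": m.group("ip"),
        "path": urlsplit(decoded).path,
        "iterations": iterations,
        "verdict": classify(iterations),
    }


def analyze_log(text: str):
    """Analyze every parseable line of a log and return the findings."""
    return [r for r in (analyze_line(ln) for ln in text.splitlines()) if r]


if __name__ == "__main__":
    for r in analyze_log(SAMPLE_LOG):
        print(f'{r["ip"]:<15} {r["path"]:<12} '
              f'iterations={r["iterations"]:<14} {r["verdict"]}')
```

Run as a script it prints one verdict per line; the third constructed line reproduces the nested 100,000 × 100,000 case the forum posts described and is reported as a DoS candidate, while the single small call is reported as a blind probe. Matching on the decoded request target matters because the same payload can arrive URL-encoded.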

NOTE

The BENCHMARK stored procedure is specific to MySQL databases, but other popular databases have similar functionality. Other specific techniques mentioned in both forums for bringing down or gaining illicit access to machines included:

Regularly checking the status of a host through ping -t -i

Using SQL injection through an improperly sanitized query string

Brute-force attacks

Social engineering to gain passwords
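The "improperly sanitized query string" in the list above is the root cause that makes every BENCHMARK trick possible: the value a client sends is pasted into the SQL text. The following is an added example, not from the book, that puts the vulnerable lookup beside its hardened form. It uses an in-memory SQLite table (constructed for the example, with a hypothetical `news` table) so it runs offline; the hardened version validates the type of the value and binds it as a parameter, so the value can only ever be compared against the id column, never executed as SQL.

```python
"""Unsanitized query string vs. validated, parameterized query.

Added illustration (not code from the book). The table, rows and the
`news` lookup are constructed for the example.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a small in-memory table standing in for a news site's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO news VALUES (?, ?)",
        [(1, "first"), (2, "second"), (3, "third")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, raw_id: str) -> list:
    """Concatenates the query-string value straight into the statement.

    Whatever the client sends becomes part of the SQL, which is exactly
    what the forum's BENCHMARK()-laden requests relied on.
    """
    sql = "SELECT title FROM news WHERE id = " + raw_id
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn: sqlite3.Connection, raw_id: str) -> list:
    """Validates the value as an integer, then binds it as a parameter.

    The database receives the statement shape and the value separately,
    so the value is data, never SQL. The int() check additionally rejects
    anything that is not a plain id before it reaches the database.
    """
    try:
        news_id = int(raw_id)
    except ValueError:
        return []
    return [row[0] for row in conn.execute(
        "SELECT title FROM news WHERE id = ?", (news_id,))]


if __name__ == "__main__":
    db = make_db()
    for raw in ("2", "2 OR 1=1"):
        print(f"{raw!r:12} vulnerable={lookup_vulnerable(db, raw)} "
              f"hardened={lookup_hardened(db, raw)}")
```

With a plain id both functions return the same single row. With a tampered value the concatenated version returns the whole table (the statement's WHERE clause has been rewritten by the client), while the hardened version returns nothing because the value never reaches the SQL parser. On MySQL the same parameter binding is what stops a BENCHMARK() expression in the query string from being evaluated at all.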

Twitter as DDoS Command Post against Iran


The mid-June 2009 Iranian elections were so flawed that opposition protests, fueled by harsh Iranian government treatment against protesters, overflowed onto the Internet, creating a wave of instant support for the protesters and fury against the Iranian government after Iranian president Mahmoud Ahmadinejad defeated rival Mir Hussein Moussavi in a contested election.

Official Iranian filtering targeted news media of all types, so Iranian dissidents turned to posting photos and videos on Internet sites such as YouTube and various blogging platforms. Protests, when interrupted by Iranian police, turned violent, and within a few days eight fatalities were reported.

The coordinating medium for this outrage was none other than Twitter, the microblogging service that has defied attempts by journalists, politicians, and comedians to categorize it as a tool of the self-absorbed.

In fact, Twitter
