ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
Signature ID: 35143
SQL Injection Attempt using MySQL Inline-Comments, Conditions and Integers Injection using char function
Threat Level: Severe
Signature Description: Attackers can inject MySQL comments to bypass security, cause the remaining part of the MySQL statement to be ignored at the server side, and inject their own MySQL statements. Attackers can add their own MySQL statements by passing tautological conditions to the server. This may allow remote attackers to gain admin access to the web server. Attackers can evade SQL Injection signatures by putting char functions in the conditions; for example, “char('A') = char ('A')” gives a tautological condition. In general, SQL Injection signatures look for patterns such as a character string equal to a character string, but the above-mentioned condition gives the same result, so SQL Injection signatures can be bypassed.
Signature ID: 35144
SQL Injection Using HAVING or IF SQL Conditions
Threat Level: Severe
Signature Description: Attackers pass SQL conditional statements that result in a tautology (always true). For example: '%20HAVING%201=1%20-- By this, attackers can bypass IPS signatures and can gain admin access to the targeted server. Or, with simple conditional statements like: IF (SELECT * FROM login) BENCHMARK(1000000,MD5(1)) attackers can gain access to the admin account on the target server.
Signature ID: 35145
Blind SQL Injection Attempt
Threat Level: Severe
Signature Description: Attackers use Blind SQL Injection tools to find SQL Injection vulnerabilities on the target system. If any attack succeeds, the attacker uses that technique to proceed further. This rule hits for blind SQL injection attempts. Most browsers accept patterns such as &gt as the corresponding symbols (> and so on). With Blind SQL Injection, the attacker sends patterns such as &gt. This rule detects all patterns of this kind.
Signature ID: 35146
Blind SQL Injection Attempt
Threat Level: Severe
Bugtraq: 29191,29574
Signature Description: When an attacker executes SQL Injection attacks, the server sometimes responds with error messages from the database server complaining that the SQL query's syntax is incorrect. Blind SQL injection is identical to normal SQL Injection except that, when an attacker attempts to exploit an application, rather than getting a useful error message they get a generic page specified by the developer instead. This makes exploiting a potential SQL Injection attack more difficult but not impossible. An attacker can still steal data by asking a series of True and False questions through SQL statements. Attackers use Blind SQL Injection tools to find SQL Injection vulnerabilities on the target system. If any attack succeeds, the attacker uses that technique to proceed further. This rule hits for blind SQL injection attempts.
Signature ID: 35147
SQL Injection Login Bypass Attempt
Threat Level: Severe
Signature Description: Remote attackers bypass the login page and get admin access by combining embedded tautology conditions like 1=1 with post data fields like admin, id. If the attack succeeds, the attacker gains admin access on the target system.
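The evasion described for Signature IDs 35143, 35144 and 35147 is countered on the detection side by comparing operands after normalization instead of matching one literal pattern. The following Python code is an added example, not the TMS zl module's signature logic; the function names and sample requests are constructed for illustration, and it assumes balanced literals and single-argument function calls.

```python
import re
from urllib.parse import unquote_plus

# A literal is a quoted string or a standalone integer.
_LIT = r"""(?:'[^']*'|"[^"]*"|\b\d+\b)"""
# An operand is a literal, optionally wrapped in one function call such as char('A').
_OPERAND = rf"(?:\w+\s*\(\s*{_LIT}\s*\)|{_LIT})"
_COMPARISON = re.compile(rf"({_OPERAND})\s*=\s*({_OPERAND})")
_INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.S)


def normalize(raw):
    """URL-decode, turn MySQL inline comments into spaces, collapse whitespace, lowercase."""
    text = unquote_plus(raw)
    text = _INLINE_COMMENT.sub(" ", text)
    return re.sub(r"\s+", " ", text).lower()


def _canon(operand):
    """Drop whitespace so char ('a') and char('a') compare equal."""
    return re.sub(r"\s+", "", operand)


def find_tautologies(raw):
    """Return every comparison whose two sides are identical after normalization."""
    return [m.group(0) for m in _COMPARISON.finditer(normalize(raw))
            if _canon(m.group(1)) == _canon(m.group(2))]


# Constructed sample inputs; the first two strings are quoted from the signature descriptions.
SAMPLES = [
    "char('A') = char ('A')",        # 35143: function-wrapped operands
    "'%20HAVING%201=1%20--",         # 35144: URL-encoded HAVING tautology
    "admin=x&id=1 or 1/**/=/**/1",   # 35147 with inline comments (constructed)
    "id=42&name=alice",              # benign (constructed)
    "char('a') = char('b')",         # not a tautology (constructed)
]

if __name__ == "__main__":
    for sample in SAMPLES:
        hits = find_tautologies(sample)
        print(f"{'ALERT' if hits else 'ok':5}  {sample!r}  {hits}")
```

A signature that matches only a quoted string equal to a quoted string would miss the first sample, while the normalized operand comparison flags it.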