SQL Injection. Sajjad Pourali sajjad@securation.com CERT of Ferdowsi University of Mashhad




SQL Injection
- Ability to inject SQL commands into the database engine
- Flaw in the web application, not the DB or web server
- Many programmers are not fully aware of this problem

SQL Injection Risk
- Almost all databases and programming languages are vulnerable (MS SQL Server, MySQL, Oracle, PostgreSQL, ...)
- The attacker is able to:
  - Add new data
  - Delete current data
  - Modify current data
- Can gain access to other parts of the server

How SQL Injection Works: Vulnerable Login Page

    uname = getrequeststring("username");
    upass = getrequeststring("userpass");
    sql = "SELECT * FROM Users WHERE Name ='" + uname + "' AND Pass ='" + upass + "'"

How SQL Injection Works: ' or '1'='1
Username: ' or '1'='1
Password: ' or '1'='1
The concatenated query becomes:

    sql = "SELECT * FROM Users WHERE Name ='' or '1'='1' AND Pass ='' or '1'='1'"

The "or '1'='1" conditions are always true, so the WHERE clause matches every row and the login succeeds without a valid password.

How SQL Injection Works: admin'--
Username: admin'--
Password: (anything; it is commented out)
The concatenated query becomes:

    sql = "SELECT * FROM Users WHERE Name ='admin'--' AND Pass =''"

The -- starts an SQL comment, so the password check is dropped and the query matches the admin row.
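The two login pages above, side by side, as an added example that is not part of the original slides: the same two inputs are run against the slide's concatenated query and against a prepared statement with bound parameters (the mitigation the deck recommends later). It assumes Python's sqlite3 module and a constructed in-memory Users table as a stand-in for the slide's database; the plaintext password comparison is kept only to mirror the slide.

```python
import sqlite3

def make_db():
    # Constructed in-memory stand-in for the slide's Users table (not real data).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Name TEXT, Pass TEXT)")
    conn.execute("INSERT INTO Users VALUES ('admin', 'secret'), ('bob', 'hunter2')")
    return conn

def vulnerable_login(conn, uname, upass):
    # The slide's pattern: request values are spliced into the SQL text, so a
    # quote or a "--" comment marker in the input becomes part of the syntax.
    sql = "SELECT * FROM Users WHERE Name ='" + uname + "' AND Pass ='" + upass + "'"
    return conn.execute(sql).fetchone() is not None

def safe_login(conn, uname, upass):
    # Prepared statement with bound parameters: the SQL structure is fixed and
    # the driver hands the values to the engine separately, never as syntax.
    sql = "SELECT * FROM Users WHERE Name = ? AND Pass = ?"
    return conn.execute(sql, (uname, upass)).fetchone() is not None

if __name__ == "__main__":
    db = make_db()
    for uname, upass in [("' or '1'='1", "' or '1'='1"), ("admin'--", ""), ("admin", "secret")]:
        print(repr(uname), "concatenated:", vulnerable_login(db, uname, upass),
              "parameterized:", safe_login(db, uname, upass))
```

Only the legitimate credentials log in through the parameterized version; both slide inputs are treated as literal (non-matching) user names.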

SQL Injection Testing Methodology
1) Input Validation
2) Info. Gathering
3) 1=1 Attacks
4) Extracting Data
5) OS Interaction
6) OS Cmd Prompt
7) Expand Influence

Step 1) Input Validation

Discovery of Vulnerabilities
Vulnerabilities can be anywhere (check all entry points):
- Fields in web forms
- Script parameters in URL query strings
- Values stored in cookies, headers or hidden fields
Generate and insert random strings through fuzzing:
- Character sequences: ' " ) # + >
- Delay query: and sleep(10)=1
Analyze the application's response
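The same probe strings seen from the defender's side, as an added example that is not part of the original slides: a small scanner over web server access log lines that URL-decodes each query parameter and flags the slide's character sequences and the sleep() delay probe. The log lines are constructed for the example (Apache common log format, not real traffic), and the check is a coarse signal for triage, not a substitute for fixing the queries.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Probe characters listed on the slide. Values are checked after URL decoding,
# so a "+" in the raw query becomes a space and only a literal plus (%2B) counts.
PROBE_CHARS = set("'\")#>+")
# The slide's time-delay probe: "and sleep(10)=1".
DELAY_RE = re.compile(r"\bsleep\s*\(", re.IGNORECASE)
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def inspect_value(value):
    """Return a reason string if the decoded parameter value looks like a probe, else None."""
    if DELAY_RE.search(value):
        return "time-delay probe"
    hits = sorted(PROBE_CHARS & set(value))
    if hits:
        return "probe characters " + "".join(hits)
    return None

def scan_log(lines):
    """Return (client, param, decoded_value, reason) for every suspicious parameter."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        client = line.split(" ", 1)[0]
        query = urlsplit(m.group(1)).query
        for param, value in parse_qsl(query, keep_blank_values=True):
            reason = inspect_value(value)
            if reason:
                findings.append((client, param, value, reason))
    return findings

# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /login.php?username=admin%27--&userpass=x HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /item.php?id=1+and+sleep(10)%3D1 HTTP/1.1" 200 88',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /search.php?q=hello+world&page=2 HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

POST bodies are not in the access log, so form fields (the first entry point on the slide) need application-level logging or a reverse proxy to be covered the same way.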

Step 2) Info. Gathering

Information Gathering
Our goal is to find out the following:
1. Output mechanism
2. Understand the query
3. Determine database type
4. Find out user privilege level
5. Determine OS interaction level

1) Exploring Output Mechanisms
- Using result sets in the web application
- Error messages: craft SQL queries that generate specific types of error messages with valuable information
- Blind SQL injection: use time delays or error signatures to extract information; much slower and more difficult

Extracting Information with Error Messages
- ExtractValue error (MySQL): and ExtractValue(1,Query)
  The result is an "unable to extract values from xml string" error
- Type mismatch (MS SQL): or 1=convert(int,Query)
  The error message shows the data that could not be converted

Blind SQL Injection
- We can use different known outcomes and conditions
- Or we can use if statements: ; select if((condition),sleep(10),1) --
- Can run all queries, but with no debugging information: only yes/no responses
- We can extract ASCII one bit at a time
- Very time consuming, but easier with automated tools like BBQ

2) Understanding the Query
The query can be:
- SELECT
- UPDATE
- INSERT
- Other
Knowing the context helps:
- What is the form / page trying to do with our input?
- What is the name of the field / parameter?

SELECT Statement
- Most injections will land in the middle of a SELECT statement
- In the SELECT, we almost always end up in the WHERE section:

    SELECT * FROM table WHERE x = 'normalinput' <Injection Data> -- GROUP BY x HAVING x = y ORDER BY x

UPDATE Statement
In a "change your password" section of an app we may have:

    UPDATE users SET password = 'new password' WHERE login = logged.user AND password = 'old password'

If you inject into the new password and comment out the rest, you end up changing every password in the table!

Determining a SELECT Query Structure
1. Try to replicate an error-free navigation
   - Could be as simple as ' and '1'='1
   - Or ' and '1'='2
2. Generate specific queries to determine table and column names, e.g.
   ' union select table_name from information_schema.tables

3) Determining Database Engine Type
- Most times the error messages will let us know which type of database engine we are working with
- In other cases:
  - We can make an educated guess based on the OS and web server
  - Or we can use DB-specific characters, commands or stored procedures
  - Manually request database information (blind SQL injection)

Some Differences (MS SQL / T-SQL, MySQL, Access, Oracle / PL/SQL, DB2, Postgres / PL/pgSQL)
- Concatenate strings: MS SQL ' '+' '; MySQL concat(" ", " "); Access " "&" "; Oracle ' '||' '; DB2 " "+" "; Postgres ' '||' '
- Null replace: MS SQL Isnull(); MySQL Ifnull(); Access IIf(IsNull()); Oracle Ifnull(); DB2 Ifnull(); Postgres COALESCE()
- Position: MS SQL CHARINDEX; MySQL LOCATE(); Access InStr(); Oracle InStr(); DB2 InStr(); Postgres TEXTPOS()
- OS interaction: MS SQL xp_cmdshell; MySQL select into outfile / dumpfile; Access #date#; Oracle utl_file; DB2 import from / export to; Postgres Call
- Cast: MS SQL Yes; MySQL No; Access No; Oracle No; DB2 Yes; Postgres Yes

Step 3) 1=1 Attacks

System Tables
- General: INFORMATION_SCHEMA (TABLES, COLUMNS)
- Oracle: SYS (USER_TABLES, USER_VIEWS, ALL_TABLES, USER_TAB_COLUMNS, USER_CATALOG)
- MySQL: mysql (user, host)
- MS SQL Server: master (sysobjects, syscolumns, systypes, sysdatabases)

Enumeration using Metadata
- Enumerating databases in MySQL:
    select schema_name from information_schema.schemata
- Enumerating tables in MySQL:
    select table_name from information_schema.tables where table_schema = 'dbname'
- Enumerating columns in MySQL:
    select column_name from information_schema.columns where table_name = 'tablename'

Mitigation Techniques
Primary defenses:
- Use of prepared statements (parameterized queries)
- Use of stored procedures
- Escaping all user-supplied input
Additional defenses:
- Also enforce: least privilege
- Also perform: white-list input validation
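White-list validation covers the part of a query that prepared statements cannot: identifiers such as the ORDER BY column mentioned in the SELECT slide. The following is an added example, not code from the slides, using a hypothetical product listing and Python's sqlite3 module: the sort column and direction must come from fixed allow-lists before they are placed in the SQL text, while the search term is always bound as a parameter.

```python
import sqlite3

# Hypothetical product listing used for this example (not from the slides).
# ORDER BY targets cannot be bound as parameters, so the sort column and
# direction are checked against allow-lists; the search value is bound.
ALLOWED_SORT_COLUMNS = {"name", "price", "created"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}

def build_listing_query(sort_column, direction, search_term):
    """Return (sql, params); raise ValueError for any identifier not on the allow-list."""
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("rejected sort column: %r" % sort_column)
    direction = direction.upper()
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError("rejected sort direction: %r" % direction)
    sql = ("SELECT name, price FROM products WHERE name LIKE ? "
           "ORDER BY %s %s" % (sort_column, direction))
    # Bound value: quotes in search_term stay data. LIKE wildcards (% and _)
    # are still interpreted, so escape them as well if that matters for the app.
    return sql, ("%" + search_term + "%",)

def is_rejected(sort_column, direction):
    """True if the allow-list check refuses these identifiers."""
    try:
        build_listing_query(sort_column, direction, "")
    except ValueError:
        return True
    return False

def make_db():
    # Constructed in-memory table with sample rows (not real data).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, price REAL, created TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [("apple", 1.5, "2023-01-01"), ("pear", 2.0, "2023-02-01"),
                      ("plum", 0.8, "2023-03-01")])
    return conn

def list_products(conn, sort_column, direction, search_term):
    """Run the validated query and return the matching product names in order."""
    sql, params = build_listing_query(sort_column, direction, search_term)
    return [row[0] for row in conn.execute(sql, params).fetchall()]

if __name__ == "__main__":
    db = make_db()
    print(list_products(db, "price", "asc", "p"))
    print(is_rejected("price; DROP TABLE products", "asc"))
```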

Questions?