BLIND SQL INJECTION (UBC)



Similar documents
Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

If you know the enemy and know yourself, you need not fear the result of a hundred battles.

EC-Council CAST CENTER FOR ADVANCED SECURITY TRAINING. CAST 619 Advanced SQLi Attacks and Countermeasures. Make The Difference CAST.

Application Security Testing. Erez Metula (CISSP), Founder Application Security Expert

Security and Control Issues within Relational Databases

Using Free Tools To Test Web Application Security

Manipulating Microsoft SQL Server Using SQL Injection

Recon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins

Penetration Testing with Kali Linux

Internal Penetration Test

Attack and Penetration Testing 101

Ficha técnica de curso Código: IFCPR140c. SQL Injection Attacks and Defense

Testing Web Applications for SQL Injection Sam Shober

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Vulnerability Assessment and Penetration Testing

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

Web Application Penetration Testing

Guarding Against SQL Server Attacks: Hacking, cracking, and protection techniques.

Automating SQL Injection Exploits

How I hacked PacketStorm ( )

Hosts HARDENING WINDOWS NETWORKS TRAINING

The Top Web Application Attacks: Are you vulnerable?

CYBERTRON NETWORK SOLUTIONS

MatriXay Database Vulnerability Scanner V3.0

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH January 17, Mega Conference

Penetration: from Application down to OS

Thick Client Application Security

Integrigy Corporate Overview

MySQL Security: Best Practices

Passing PCI Compliance How to Address the Application Security Mandates

Lotus Domino Security

Web Application Security

Top 10 Database. Misconfigurations.

Analysis of SQL injection prevention using a proxy server

Blind SQL Injection Are your web applications vulnerable?

COURSE NAME: INFORMATION SECURITY INTERNSHIP PROGRAM

Understanding Security Testing

Security Awareness For Server Administrators. State of Illinois Central Management Services Security and Compliance Solutions

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Webapps Vulnerability Report

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

SQL Injection January 23, 2013

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

ABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST

Check list for web developers

Data Breaches and Web Servers: The Giant Sucking Sound

Agenda. SQL Injection Impact in the Real World Attack Scenario (1) CHAPTER 8 SQL Injection

Start Secure. Stay Secure. Blind SQL Injection. Are your web applications vulnerable? By Kevin Spett

Why The Security You Bought Yesterday, Won t Save You Today

Common Criteria Web Application Security Scoring CCWAPSS

SQL Injection 2.0: Bigger, Badder, Faster and More Dangerous Than Ever. Dana Tamir, Product Marketing Manager, Imperva

Deciphering The Prominent Security Tools Ofkali Linux

Conducting Web Application Pentests. From Scoping to Report For Education Purposes Only

CRYPTUS DIPLOMA IN IT SECURITY

What is Web Security? Motivation

ITEC441- IS Security. Chapter 15 Performing a Penetration Test

ASL IT SECURITY BEGINNERS WEB HACKING AND EXPLOITATION

Understanding Web Application Security Issues

Penetration Testing - a way for improving our cyber security

Penetration Test Report

Hack Your SQL Server Database Before the Hackers Do

Ethical Hacking and Information Security. Foundation of Information Security. Detailed Module. Duration. Lecture with Hands On Session: 90 Hours

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

How to Audit the Top Ten E-Business Suite Security Risks

Professional Penetration Testing Techniques and Vulnerability Assessment ...

Evaluation of Penetration Testing Software. Research

STOPPING LAYER 7 ATTACKS with F5 ASM. Sven Müller Security Solution Architect

MatriXay WEB Application Vulnerability Scanner V Overview. (DAS- WEBScan ) The best WEB application assessment tool

WEB SECURITY. Oriana Kondakciu Software Engineering 4C03 Project

GFI White Paper PCI-DSS compliance and GFI Software products

(WAPT) Web Application Penetration Testing

Database Security Guide

Database Auditing: Best Practices. Rob Barnes, CISA Director of Security, Risk and Compliance Operations

Why Web Applications are making a hackers life easy. Presented by Jon Grew BT SBS

Web Applications Security: SQL Injection Attack

Five Steps to Improve Internal Network Security. Chattanooga Information security Professionals

Penetration Testing //Vulnerability Assessment //Remedy

Improved Penetration Testing of Web Apps and Databases with MatriXay

Web Engineering Web Application Security Issues

WHITEPAPER. Nessus Exploit Integration

Certified Ethical Hacker (CEH) Ethical Hacking & Counter Measures Course 9962; 5 Days, Instructor-Led

Certified Ethical Hacker Exam Version Comparison. Version Comparison

Why Should You Care About Security Issues? SySmox WEB security Top seven ColdFusion Security Issues

1. What is SQL Injection?

IT HEALTHCHECK TOP TIPS WHITEPAPER

Building a Robust Web Application Security Plan

SQL Injection. By Artem Kazanstev, ITSO and Alex Beutel, Student

SANDCAT THE WEB APPLICATION SECURITY ASSESSMENT SUITE WHAT IS SANDCAT? MAIN COMPONENTS. Web Application Security

Threat Modelling for Web Application Deployment. Ivan Ristic (Thinking Stone)

Time-Based Blind SQL Injection using Heavy Queries A practical approach for MS SQL Server, MS Access, Oracle and MySQL databases and Marathon Tool

Oracle Security Auditing

Oracle Security Auditing

Transcription:

WaveFront Consulting Group BLIND SQL INJECTION (UBC) Rui Pereira,B.Sc.(Hons),CISSP,CIPS ISP,CISA,CWNA,CPTS/CPTE WaveFront Consulting Group Ltd ruiper@wavefrontcg.com www.wavefrontcg.com 1 This material is Copyrighted by the WaveFront Consulting Group Ltd, and must not be used, copied or otherwise distributed, in whole or in part, without the express written permission of the author(s). Please contact ruiper@wavefrontcg.com if you have any doubts about the copyright restrictions applicable to this publication. 2

WHO AM I Rui (Roy) Pereira Over 25 years in Information Technology industry Last 13 years specializing in Information Security and Audit CISSP and CISA certified, CIPS ISP, CWNA, CPTS/CPTE Independent consultant Specializing in Threat-Risk Assessments, Investigations, DRP/BCP Penetration Testing and Vulnerability Assessments Policy Development, Security Awareness and Education Applications Security, PCI/SOX Compliance Security Architecture Design and Implementation Wireless and Telecommunications Security Customers include BC and Alberta Governments, E- Comm, ICBC, LDB, Citadel Commerce, Top Producer, etc. Teach various courses at BCIT and UBC, including Intro to Computer Crime and Wireless Network Security 3 AGENDA Database Attacks Verbose SQL Injection Blind SQL Injection An Example Finding Blind SQL Injection W3AF, Samurai, SQLMap Fixing SQL Injection 4

DATABASE ATTACKS Listed as one of SANS Top 20 Security Risks for 2007 http://www.sans.org/top20/#s7 Indirect Attacks Attack the application which uses the database SQL Injection (Verbose and Blind) Direct Attacks Exploit vulnerabilities in database system and underlying OS Buffer overflows, weak passwords or access control, lack of auditing, vulnerable services, etc. Includes password guessing, cracking, stealing Includes bypassing database and accessing underlying disk file/storage structures 5 DIRECT DATABASE ATTACKS SQL Slammer/Saphire Worm hit in January 2003 Exploited a buffer overflow vulnerability in Microsoft's SQL Server and MSDE 2000 Infected more than 90% of vulnerable hosts in 10 mins www.caida.org/publications/papers/2003/sapphire/sapphire.html www.microsoft.com/technet/security/bulletin/ms02-039.mspx Exploit in Metasploit Framework 3 exploits/windows/ mssql/ms02_039_slammer.rb (also is MSF2) Other exploits exist in MSF2&3, and elsewhere SQL 2K HELO Overflow, www.securityfocus.com/bid/5411 SQL 2K5 sqldmo.dll ActiveX Buffer Overflow, http://www.securityfocus.com/bid/25594 6

SQL SERVER If trusted connections are used, then OS access may be sufficient for database access Trusted connections use Windows accounts to access the database Blank sa admin accounts are a problem With Oracle problem is huge number of seeded accounts If xp_cmdshell and similar procedures are available, can access OS functionality Even if xp_cmdshell is not available, can be re-enabled with sp_configure Can enter multiple SQL commands together on same line 7 DATABASE COUNTERMEASURES Enforce strong password policies Change default account passwords Oracle has over 600 of these, SQL Server has sa Patch database and underlying OS Setup ongoing patch management process Harden (secure) database and OS installs Remove dangerous xp_ and sp_ procedures, or restrict access to them (SQL Server) Code applications securely to reduce risk of SQL Injection Architect web applications to reduce risk of compromise, impact should compromise occur Restrict access to database ports via internal and external network and host-based firewalls 8

SQL INJECTION Attacking the application which uses the database Attacker includes SQL statements or fragments as input to the application Application accepts this input and passes it, as is, to the backend database for processing Application does not validate client input Allows authentication bypass, unauthorized access to data (crud), access to OS system commands Example: http://www.testfire.net/bank/login.aspx Finding potentially vulnerable sites using Google inurl:"id=10 (Michael Sutton s Blog) 9 SQL INJECTION Normal Query SELECT COUNT (*) FROM User.tbl WHERE UserName= Rui AND Password= IamaWalrus Malicious Query SELECT COUNT (*) FROM User.tbl WHERE UserName= OR 1=1-- AND Password= OR 1=1" is always true, matches every record in table "--" comments out rest of query 10

WHAT CAN AN ATTACKER DO? Bypass authentication and access controls Determine structure of backend database Database enumeration Unauthorized access to data Including passwords and credit card numbers if stored in plaintext Unauthorized changes to data Including deletion of records and tables, insertion of records Able to run Operating System commands 11 SQL INJECTION Verbose (Normal) SQL Injection Attacker relies on SQL error messages to piece together the SQL code being executed, enumerate backend database tables, columns, etc. Blind SQL Injection Application does not return SQL error messages Its behavior when subjected to erroneous input is used to detect SQL Injection possibilities We ask the server a series of true/false questions and build up our results from the answers 12

VERBOSE SQL INJECTION Error message The close brackets ) were provided on input Microsoft OLE DB Provider for ODBC Drivers error 80040e14 ([Microsoft][ODBC Microsoft Access Driver] Extra ) In query expression Username= AND Password = /_employees/login3.asp, line 49 13 BLIND SQL INJECTION These statements don t generate errors, give same result: http://www.acme.com/pressrels.jsp?pressrelid=5 AND 1=1 http://www.acme.com/pressrels.jsp?pressrelid=4+1 These don t generate errors (or return nothing): http://www.acme.com/pressrels.jsp?pressrelid=5 AND 1=2 http://www.acme.com/pressrels.jsp?pressrelid=5 AND USER_NAME() = dbo But this statement returns press release #5: http://www.acme.com/pressrels.jsp?pressrelid=5 AND USER_NAME() = sa So we know the current user name is sa! 14

BLIND SQL INJECTION In practice tests are done character by character A binary search is used to speed things up http://.../...jsp?pressrelid=5 AND ascii(lower( substring((select TOP 1 name FROM sysobjects WHERE xtype='u'), 1, 1))) > 109 If the fifth press release is returned, then first letter comes after m http://.../...jsp?pressrelid=5 AND ascii(lower( substring((select TOP 1 name FROM sysobjects WHERE xtype='u'), 1, 1))) > 116 If the fifth press release is not returned, then letter is greater than ASCII 109 ( n ) and less than 116 ( t ) And so on... 15 BLIND SQL INJECTION A secure application would reject such requests because it treats the user s input as a value The value 5 AND 1=2 would cause a type mismatch error (if passed to a stored procedure) The server would not display a press release (may display generic or custom error message) Simply disabling the display of database error messages does not offer sufficient protection against SQL injection attacks 16

TYPES OF BLIND SQL INJECTION Conditional Response SELECT field FROM table WHERE otherfield= value AND 1=1 produces normal page SELECT field FROM table WHERE otherfield= value' AND 1=2 produces different page Conditional Error SELECT 1/0 FROM table WHERE field= value will generate error if field= value Time Delays SQL engine executes a long running query or a time delay statement depending on the logic injected Attacker can measure how long page takes to load to see if injected statement is true 17 BLIND SQL EXAMPLE WordPress is Open Source Blogging software Blind SQL Injection in WordPress 2.1.3 Advisory at http://www.waraxe.us/advisory-50.html Exploit at http://www.waraxe.us/ftopict-1776.html Uses time delays to get hash of WordPress password one character at a time Can then brute force hash (no salt), or create valid session cookie from hash 18

FINDING SQL INJECTION Manual Tests Automated Scanners HP WebInspect IBM Rational Appscan Cenzic Hailstorm Syhunt Sandcat Paros Proxy W3AF etc... SQL Injection Tools SQLMap SQL Ninja (SQL Server) SQLIx etc 19 FIXING SQL INJECTION Validate all user input to ensure it is appropriate for the particular information the field represents User names do not usually contain semicolons (;), tildes (~) or ampersands (&) May contain single quotes though (O Brien) In general, limit all client-supplied data to alpha-numeric characters whenever possible Filter out potentially dangerous characters Major culprits are the single quote ( ), double dash (--), and semicolon (;) Remove these entirely Replace them with safe equivalents Use HTML encoding like &code; or &#number; Other characters that can be used for SQL Injection include ", / \ * & ( ) $ % ^ @ ~? 20

FIXING SQL INJECTION Filtering and validation should be part of a global facility called when any page is loaded / submitted It should be done on all pages and fields But see subsequent section on data validation and on black vs. white listing Use language platform tools to handle potentially dangerous characters Such as cfqueryparam in ColdFusion Do not create dynamic SQL queries using simple string concatenation Replace individual single quotes in string data with two single quotes Ensure numeric variables contain numeric data 21 FIXING SQL INJECTION Run the database and web server under low privilege accounts Do not access database from Web server using dba or database owner accounts Do not run database under privileged system account Do not run Web Server as root or administrator Do not allow database server to initiate outbound access (use internal firewalls) This does not prevent SQL Injection, but reduces the impact of such attacks 22

FIXING SQL INJECTION Use parameterized queries (.NET), prepared statements (Java) Use strongly typed parameters Use stored procedures to abstract data access, so users do not directly access tables and views Access control can then be applied to stored procedures instead of the underlying tables and views NEVER take input from client and add it verbatim to SQL statements Do not pass SQL statements, or fragments of SQL statements, as parameters to stored procedures Stored procedures (should) prevent attacker from providing SQL code to be executed Parameters are treated as literal values, not as executable code 23 FIXING SQL INJECTION Turn off verbose SQL error messages Can still use Blind SQL Injection Improve application level filters to better detect these kinds of attacks mod_security on Linux Apache Web Servers Can be deployed as a separate server for Windows IIS shops Use web application firewalls and Intrusion Detection / Prevention Systems (IDS/IPS) 24

WEB APPLICATION ARCHITECTURE Graphic Microsoft, with additions 25 DATABASE SCANNERS Work with various database systems Oracle, SQL Server, MySQL, DB2, Sybase Look for configuration issues, as well as vulnerabilities AppDetectivePro www.appsecinc.com/products/appdetective Audit and pen-test components Integrigy AppSentry www.integrigy.com/products/appsentry Tests Oracle e-business Suite, Web Application Server SCUBA (free) www.imperva.com/products/scuba.html More of an audit tool Nessus has several Oracle and SQL Server checks 26

SQL INJECTION REFERENCES Advanced SQL Injection in SQL Server Applications, http://www.nextgenss.com/papers/advanced_sql_injection.pdf More Advanced SQL Injection, http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf SQL Injection Walkthrough, http://www.securiteam.com/securityreviews/5dp0n1p76e.html SQL Injection Attacks by Example, http://www.unixwiz.net/techtips/sql-injection.html SQL Injection Whitepaper, http://www.spidynamics.com/papers/sqlinjectionwhitepaper.pdf SQL Injection: Finding and Fixing It, http://www.acunetix.com/websitesecurity/sql-injection.htm Blind SQL Injection, http://www.spidynamics.com/whitepapers/ Blind_SQLInjection.pdf and www.imperva.com/resources/adc/blind_sql_server_injection.html SQL Security Website, http://www.sqlsecurity.com/ 27 SQL INJECTION REFERENCES The Database Hacker's Handbook: Defending Database Servers, David Litchfield / Chris Anley / John Heasman / Bill Grindlay, Wiley, 2005 How Prevalent Are SQL Injection Vulnerabilities?, http://portal.spidynamics.com/blogs/msutton/archive/2006/09/26/h ow-prevalent-are-sql-injection-vulnerabilities_3f00_.aspx SQL Injection Cheat Sheet, http://ferruh.mavituna.com/makale/sqlinjection-cheatsheet/ MS-SQL Injection Cheat Sheet (and others), http://pentestmonkey.net/blog/mssql-sql-injection-cheat-sheet/ 28

Thank You Rui Pereira,B.Sc.(Hons),CISSP,CIPS ISP,CISA,CWNA,CPTS/CPTE WaveFront Consulting Group Ltd 604 961 0701 ruiper@wavefrontcg.com www.wavefrontcg.com 29

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information