Time-Based Blind SQL Injection using Heavy Queries

7,843 views
7,525 views

Published on

This presentation was delivered in Defcon 16 held in Las Vegas in 2008. It´s about Blind SQL Injection Techniques.

Published in: Technology
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
7,843
On SlideShare
0
From Embeds
0
Number of Embeds
2,318
Actions
Shares
0
Downloads
222
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

Time-Based Blind SQL Injection using Heavy Queries

  1. 1. Speakers: Chema Alonso José Parada Informática64 Microsoft MS MVP Windows Security IT Pro Evangelist [email_address] [email_address]
  2. 2. Agenda <ul><li>Code Injections </li></ul><ul><ul><li>What are Blind Attacks? </li></ul></ul><ul><ul><li>Blind SQL Injection Attacks </li></ul></ul><ul><ul><li>Time-Based Blind SQL Injection </li></ul></ul><ul><li>Time-Based Blind SQL Injection using heavy queries </li></ul><ul><ul><li>Heavy Queries </li></ul></ul><ul><ul><li>Optimization processes </li></ul></ul><ul><ul><ul><li>Demos with MS SQL Server, Oracle, Acess </li></ul></ul></ul><ul><ul><li>Marathon Tool </li></ul></ul><ul><ul><ul><li>Demo </li></ul></ul></ul><ul><ul><li>Conclusions </li></ul></ul>
  3. 3. Code Injection Attacks <ul><li>(Lazy) Developers use input parameters directly in queries without sanitizing them previously. </li></ul><ul><ul><li>Command Injection </li></ul></ul><ul><ul><li>SQL Injection </li></ul></ul><ul><ul><li>LDAP Injection </li></ul></ul><ul><ul><li>Xpath Injection </li></ul></ul>
  4. 4. Blind Attacks <ul><li>Attacker injects code but can´t access directly to the data. </li></ul><ul><li>However this injection changes the behavior of the web application. </li></ul><ul><li>Then the attacker looks for differences between true code injections (1=1) and false code injections (1=2) in the response pages to extract data. </li></ul><ul><ul><li>Blind SQL Injection </li></ul></ul><ul><ul><li>Biind Xpath Injection </li></ul></ul><ul><ul><li>Blind LDAP Injection </li></ul></ul>
  5. 5. Blind SQL Injection Attacks <ul><li>Attacker injects: </li></ul><ul><ul><li>“ True where clauses” </li></ul></ul><ul><ul><li>“ False where clauses“ </li></ul></ul><ul><ul><li>Ex: </li></ul></ul><ul><ul><ul><li>Program.php?id=1 and 1=1 </li></ul></ul></ul><ul><ul><ul><li>Program.php?id=1 and 1=2 </li></ul></ul></ul><ul><li>Program doesn’t return any visible data from database or data in error messages. </li></ul><ul><li>The attacker can´t see any data extracted from the database. </li></ul>
  6. 6. Blind SQL Injection Attacks <ul><li>Attacker analyzes the response pages looking for differences between “True-Answer Page” and “False-Answer Page”: </li></ul><ul><ul><li>Different hashes </li></ul></ul><ul><ul><li>Different html structure </li></ul></ul><ul><ul><li>Different patterns (keywords) </li></ul></ul><ul><ul><li>Different linear ASCII sums </li></ul></ul><ul><ul><li>“ Different behavior” </li></ul></ul><ul><ul><ul><li>By example: Response Time </li></ul></ul></ul>
  7. 7. Blind SQL Injection Attacks <ul><li>If any difference exists, then: </li></ul><ul><ul><li>Attacker can extract all information from database </li></ul></ul><ul><ul><li>How? Using “booleanization” </li></ul></ul><ul><ul><ul><li>MySQL: </li></ul></ul></ul><ul><ul><ul><ul><li>Program.php?id=1 and 100>(ASCII(Substring(user(),1,1))) </li></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>“ True-Answer Page” or “False-Answer Page”? </li></ul></ul></ul></ul></ul><ul><ul><ul><li>MSSQL: </li></ul></ul></ul><ul><ul><ul><ul><li>Program.php?id=1 and 100>(Select top 1 ASCII(Substring(name,1,1))) from sysusers) </li></ul></ul></ul></ul><ul><ul><ul><li>Oracle: </li></ul></ul></ul><ul><ul><ul><ul><li>Program.php?id=1 and 100>(Select ASCII(Substr(username,1,1))) from all_users where rownum<=1) </li></ul></ul></ul></ul>
  8. 8. Blind SQL Injection Attacks: Tools <ul><ul><li>SQLbfTools: Extract all information from MySQL databases using patterns </li></ul></ul>
  9. 9. Blind SQL Injection Attacks: Tools <ul><li>Absinthe: Extract all information from MSSQL, PostgreSQL, Sybase and Oracle Databases using Linear sum of ASCII values. </li></ul>
  10. 10. Blind SQL Injection Attacks: Tools <ul><li>Absinthe: Extract all information from MSSQL, PostgreSQL, Sybase and Oracle Databases using Linear sum of ASCII values. </li></ul>
  11. 11. Time-Based Blind SQL Injection <ul><li>In scenarios with no differences between “True-Answer Page” and “False-Answer Page”, time delays could be use. </li></ul><ul><li>Injection forces a delay in the response page when the condition injected is True. </li></ul><ul><ul><li>- Delay functions: </li></ul></ul><ul><ul><ul><li>SQL Server: waitfor </li></ul></ul></ul><ul><ul><ul><li>Oracle: dbms_lock.sleep </li></ul></ul></ul><ul><ul><ul><li>MySQL: sleep or Benchmark Function </li></ul></ul></ul><ul><ul><li>Ex: </li></ul></ul><ul><ul><ul><li>; if (exists(select * from users)) waitfor delay '0:0:5’ </li></ul></ul></ul>
  12. 12. Exploit for Solar Empire Web Game
  13. 13. Time-Based Blind SQL Injection: Tools <ul><li>SQL Ninja: Use exploitation of “Waitfor” method in MSSQL Databases </li></ul>
  14. 14. Time-Based Blind SQL Injection <ul><li>And in these scenarios with no differences between “true-answer page” and “false-answer page”… </li></ul><ul><li>What about databases engines without delay functions, i.e., MS Access, Oracle connection without PL/SQL support, DB2, etc…? </li></ul><ul><li>Is possible to perform an exploitation of Time-Based Blind SQL Injection Attacks? </li></ul>
  15. 15. “ Where-Clause” execution order <ul><li>Select “whatever “ </li></ul><ul><li>From whatever </li></ul><ul><li>Where condition1 and condition2 </li></ul><ul><li>- Condition1 lasts 10 seconds </li></ul><ul><li>- Condition2 lasts 100 seconds </li></ul><ul><li>Which condition should be executed first? </li></ul>
  16. 16. The heavy condition first Condition2 (100 sec) Condition1 (10 sec) Condition2 & condition1 Response Time TRUE FALSE FALSE 110 sec TRUE TRUE TRUE 110 sec FALSE Not evaluated FALSE 100 sec
  17. 17. The light condition first Condition1 (10 sec) Condition2 (100 sec) Condition1 & condition2 Response Time TRUE FALSE FALSE 110 sec TRUE TRUE TRUE 110 sec FALSE Not evaluated FALSE 10 sec
  18. 18. Time-Based Blind SQL Injection using Heavy Queries <ul><li>Attacker can perform an exploitation delaying the “True-answer page” using a heavy query. </li></ul><ul><li>It depends on how the database engine evaluates the where clauses in the query. </li></ul><ul><li>There are two types of database engines: </li></ul><ul><ul><li>Databases without optimization process </li></ul></ul><ul><ul><li>Databases with optimization process </li></ul></ul>
  19. 19. Databases without optimization process <ul><ul><li>The engine evaluates the condition in the where-clause from left to right or from right to left depending on the database engine </li></ul></ul><ul><ul><ul><li>Select items from table where codition1 and condition2. </li></ul></ul></ul><ul><ul><li>It is a developer task to evaluate the lighter condition in first place for better performance. </li></ul></ul><ul><ul><li>Examples: </li></ul></ul><ul><ul><ul><li>Oracle (without statistics or poor tuned): Right to Left </li></ul></ul></ul><ul><ul><ul><li>Access: Right to Left </li></ul></ul></ul>
  20. 20. Databases with optimization process <ul><li>The engine estimates the cost of the condition evaluations in the where clause and executes the lighter first. No matter where it is. </li></ul><ul><ul><ul><li>Select items from table where codition1 and condition2. </li></ul></ul></ul><ul><ul><li>It is a database engine task to improve the performance of the query. </li></ul></ul><ul><li>Examples </li></ul><ul><ul><li>MS SQL Server </li></ul></ul><ul><ul><li>Oracle (statistics ON and well tuned) </li></ul></ul><ul><li>An Attacker could exploit a Blind SQL Injection attack using heavy queries to obtain a delay in the “True-answer page” in both cases. </li></ul>
  21. 21. Time-Based Blind SQL Injection using Heavy Queries <ul><li>Attacker could inject a heavy Cross-Join condition for delaying the response page in True-Injections. </li></ul><ul><li>The Cross-join injection must be heavier than the other condition. </li></ul><ul><li>Attacker only have to know or to guess the name of a table with select permission in the database. </li></ul><ul><li>Example in MSSQL: </li></ul><ul><ul><li>Program.php?id=1 and (SELECT count(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7, sysusers AS sys8)>0 and 300>(select top 1 ascii(substring(name,1,1)) from sysusers) </li></ul></ul>
  22. 22. “ Default” tables to construct a heavy queries <ul><ul><li>Microsoft SQL Server </li></ul></ul><ul><ul><ul><li>sysusers </li></ul></ul></ul><ul><ul><li>Oracle </li></ul></ul><ul><ul><ul><li>all_users </li></ul></ul></ul><ul><ul><li>MySQL (versión 5) </li></ul></ul><ul><ul><ul><li>information_schema.columns </li></ul></ul></ul><ul><ul><li>Microsoft Access </li></ul></ul><ul><ul><ul><li>MSysAccessObjects (97 & 2000 version) </li></ul></ul></ul><ul><ul><ul><li>MSysAccessStorage (2003 & 2007) </li></ul></ul></ul>
  23. 23. “ Default” tables to construct a heavy queries <ul><li>… or whatever you can guess </li></ul><ul><ul><li>Clients </li></ul></ul><ul><ul><li>Customers </li></ul></ul><ul><ul><li>News </li></ul></ul><ul><ul><li>Logins </li></ul></ul><ul><ul><li>Users </li></ul></ul><ul><ul><li>Providers </li></ul></ul><ul><ul><li>… .Use your imagination… </li></ul></ul>
  24. 24. Demo 1: MS SQL Server <ul><li>Query lasts 14 seconds -> True-Answer </li></ul>
  25. 25. Demo 1: MS SQL Server <ul><li>Query lasts 1 second -> False-Answer </li></ul>
  26. 26. Demo 2: Oracle <ul><li>Query Lasts 22 seconds –> True-Answer </li></ul>
  27. 27. Demo 2: Oracle <ul><li>Query Lasts 1 second –> False-Answer </li></ul>
  28. 28. Demo 3: Access 2000 <ul><li>Query Lasts 6 seconds –> True-Answer </li></ul>
  29. 29. Demo 3: Access 2000 <ul><li>Query Lasts 1 second –> False-Answer </li></ul>
  30. 30. Demo 4: Access 2007 <ul><li>Query Lasts 39 seconds –> True-Answer </li></ul>
  31. 31. Demo 4: Access 2007 <ul><li>Query Lasts 1 second –> False-Answer </li></ul>
  32. 32. Marathon Tool <ul><li>Automates Time-Based Blind SQL Injection Attacks using Heavy Queries in SQL Server, MySQL, MS Access and Oracle Databases. </li></ul><ul><li>Schema Extraction from known databases </li></ul><ul><li>Extract data using heavy queries not matter in which database engine (without schema) </li></ul><ul><li>Developed in .NET </li></ul><ul><li>Source code available </li></ul>
  33. 34. Conclusions <ul><li>Time-Based Blind SQL Injection using Heavy Queries works with any database. </li></ul><ul><li>The delay generated with a heavy query depends on the environment of the database and the network connection. </li></ul><ul><li>It is possible to extract all the information stored in the database using this method. </li></ul><ul><li>It is another bullet…. </li></ul>
  34. 35. Questions?
  35. 36. <ul><li>Speakers: </li></ul><ul><ul><li>Chema Alonso </li></ul></ul><ul><ul><ul><li>[email_address] </li></ul></ul></ul><ul><ul><ul><li>Microsoft MVP Windows Security </li></ul></ul></ul><ul><ul><ul><li>Security Consultant </li></ul></ul></ul><ul><ul><ul><li>Informática64 </li></ul></ul></ul><ul><ul><li>José Parada </li></ul></ul><ul><ul><ul><li>[email_address] </li></ul></ul></ul><ul><ul><ul><li>Microsoft IT Pro Evangelist </li></ul></ul></ul><ul><ul><ul><li>Microsoft </li></ul></ul></ul><ul><li>Authors: </li></ul><ul><ul><li>Chema Alonso ( [email_address] ) </li></ul></ul><ul><ul><li>Daniel Kachakil ( [email_address] ) </li></ul></ul><ul><ul><li>Rodolfo Bordón ( [email_address] ) </li></ul></ul><ul><ul><li>Antonio Guzmán ( [email_address] ) </li></ul></ul><ul><ul><li>Marta Beltrán ( [email_address] ) </li></ul></ul>

×