SQL injection exploitation internals

SQL injection exploitation internals - Presentation Transcript

  1. SQL injection exploitation internals
     How do I exploit this web application injection point?
     Intercon III, London, January 9, 2009
     Bernardo Damele A. G., bernardo.damele@gmail.com
  2. About me
     Bernardo Damele A. G.
     ● Proud father
     ● Penetration Tester and Security Researcher
     ● Currently working at Portcullis Computer Security Ltd
     ● sqlmap lead developer
     Intercon III, London – January 9, 2009
  3. SQL... what? (1/2)
     From the OWASP Testing Guide:
     ● “SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands”
     ● There are plenty of resources on the Net about the SQL injection concept: it is a high-risk web application security flaw
     ● A long list of resources can be found on my delicious profile, http://delicious.com/inquis/sqlinjection
     ● I keep it updated with stuff I consider valuable
     ● A wise man once told me: “An image is worth a thousand words”
  4. SQL... what? (2/2)
     Source: http://xkcd.com/327/
  5. State of the art
     All right, tons of resources and I am still presenting about SQL injection, why? Because:
     ● New techniques have been released in the last year
     ● Some aspects have been overlooked in the past
     ● It is fun!
  6. How does it work?
     Basically the steps to go through are:
     ● Detection of a possible SQL injection flaw
     ● SQL query syntax detection
     ● Back-end database management system fingerprint
     Depending on the session user privileges, the back-end DBMS and some possible security settings in place server-side, a SQL injection issue leads on the DBMS server to:
     ● Unauthorized access to DBMS data
     ● File system read and write access
     ● Operating system command execution
  7. sqlmap
     sqlmap is an automatic SQL injection tool:
     ● Developed in Python. Started in July 2006 by Daniele Bellucci, then I took over in December 2006
     ● Licensed under the terms of GPLv2
     ● Detects and takes advantage of SQL injection vulnerabilities in web applications. The user can choose to:
       ● Perform an extensive back-end DBMS fingerprint
       ● Enumerate users, password hashes, privileges, databases, tables, columns and their datatypes
       ● Dump entire or user-specified database tables' entries
       ● Run custom SQL statements and more
  8. sqlmap features (1/2)
     sqlmap key features:
     ● Full support for MySQL, Oracle, PostgreSQL and Microsoft SQL Server back-end DBMS software
     ● Full support for three SQL injection techniques:
       ● Inferential blind SQL injection
       ● UNION query SQL injection
       ● Stacked queries (multiple statements) support
     ● Target acquisition: from the user, by parsing WebScarab/Burp proxies' request log files, by Google dorking
     ● Tests for injection flaws on GET and POST parameters, HTTP User-Agent header and Cookie values
  9. sqlmap features (2/2)
     More features:
     ● Silent to verbose output messages
     ● Granularity in the user's options
     ● Support for concurrent HTTP requests (multi-threading)
     ● Estimated time of arrival
     ● Session save and resume
     ● Options from command line and/or configuration file
     ● Integration with Metasploit and w3af
     ● File system read and write access and operating system command execution by providing your own queries, depending on the session user privileges and back-end DBMS
  10. Real world
     “Have you ever had a dream, Neo, that you were so sure was real? What if you were unable to wake from that dream? How would you know the difference between the dream world and the real world?”
     Morpheus, The Matrix
  11. Dealing with advertisements (1/3)
     In the real world web applications are often complex. Usually the page content changes at each refresh:
     ● They have inline counters, advertisement banners, clocks, etc.
     The inferential blind SQL injection algorithm is based on the concept that the HTTP responses differ depending on the SQL query
  12. Dealing with advertisements (2/3)
     Obstacle: if the page content does not depend only on the SQL statement and changes at each refresh, then the algorithm may not work
  13. Dealing with advertisements (3/3)
     The Python difflib library helped to solve this problem: for each HTTP response sqlmap calls a function that compares the returned page content with the untouched original page content:
     ● It returns a measure of the page contents' similarity as a float in the range [0, 1], a ratio rounded to 3 decimal places
     ● It works also when the original page is stable, but the page for the injected query with a valid condition (True) differs
     If the automatic comparison fails, the user can provide a string or a regular expression that must match on both the original and the True page contents and must not match on the False page contents
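As an added illustration of the comparison step described on slides 11 to 13 (not code from the presentation or from sqlmap itself), the following Python scores a response against the original page with difflib.SequenceMatcher and falls back to a user-supplied string or regular expression; the HTML pages, the threshold value and the function names are constructed for this example.

```python
import difflib
import re

# Constructed sample pages (not from the presentation): one template whose
# advertisement banner and hit counter change at every refresh.
ORIGINAL_PAGE = """<html><body>
<div class="ad">Banner #4821 - buy now!</div>
<p>Welcome back, alice</p>
<span class="counter">visits: 10932</span>
</body></html>"""

# Response to the injected query with a True condition: same data, new noise.
TRUE_PAGE = """<html><body>
<div class="ad">Banner #9017 - limited offer!</div>
<p>Welcome back, alice</p>
<span class="counter">visits: 10933</span>
</body></html>"""

# Response to a False condition: the query produced no row, so the body differs.
FALSE_PAGE = """<html><body>
<div class="ad">Banner #2210 - click here!</div>
<p>Sorry, no such user. Please check your input and try again.</p>
<span class="counter">visits: 10934</span>
</body></html>"""

# Regular expression a tester could supply when the automatic comparison fails.
USER_GREETING = re.compile(r"Welcome back, \w+")

def page_ratio(original, response):
    """Similarity of two page bodies as a float in [0, 1], rounded to 3 decimals.

    difflib.SequenceMatcher tolerates the per-refresh noise (banner id, counter
    value): it lowers the ratio slightly, while a genuinely different page body
    lowers it much more."""
    return round(difflib.SequenceMatcher(None, original, response).ratio(), 3)

def classify(original, response, threshold=0.98, match=None):
    """True if `response` is considered the same page as `original`.

    `match` is an optional string or compiled regular expression; when given it
    replaces the ratio test, as the manual override on slide 13 does.
    `threshold` (an assumed value) is the minimum ratio for the automatic test."""
    if match is not None:
        if isinstance(match, str):
            return match in response
        return match.search(response) is not None
    return page_ratio(original, response) >= threshold
```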
  14. To NULL or not to NULL (1/4)
     ● In the standard SQL language NULL is allowed as a value for a table column field
     ● In the inferential blind SQL injection technique usually a bisection algorithm is used to identify whether the ordinal value of the Nth query output character is higher than a certain ASCII table number: this causes the page content to be True or False
     ● The SQL statement used by sqlmap, depending on the back-end DBMS, is similar to:
       ASCII(SUBSTR((SQL query), Nth SQL query output char, 1)) > Bisection algorithm number
  15. To NULL or not to NULL (2/4)
     Obstacle: on some DBMS the substring function cannot be used on NULL
  16. To NULL or not to NULL (3/4)
     ● A possible solution for this problem consists of modifying all the SQL query's columns explicitly:
       ● Casting their output to a string
       ● Returning the value ' ' (space) if the casted value is still NULL
     ● Example on MySQL 5.0. The SQL query to enumerate the first entry of the column name is:
       SELECT name FROM test.users LIMIT 0, 1
     ● Casted SQL query:
       SELECT IFNULL(CAST(name AS CHAR(10000)), CHAR(32)) FROM test.users LIMIT 0, 1
  17. To NULL or not to NULL (4/4)
     The inferential blind SQL injected statement will then be:
       ORD(MID((SELECT IFNULL(CAST(name AS CHAR(10000)), CHAR(32)) FROM test.users LIMIT 0, 1), Nth SQL query output character, 1)) > Bisection algorithm number
     URL encoded:
       ORD%28MID%28%28SELECT%20IFNULL%28CAST%28name%20AS%20CHAR%2810000%29%29%2C%20CHAR%2832%29%29%20FROM%20test.users%20LIMIT%200%2C%201%29%2C%201%2C%201%29%29%20%3E%2063
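An added example, not from the presentation or from sqlmap, that shows on an in-memory SQLite table why a NULL column value defeats the character comparison of slides 14 to 17 and how the IFNULL(CAST(...)) wrapper restores a boolean result; SQLite's substr() and unicode() stand in for MySQL's MID() and ORD() (assumed equivalents), and the table contents are constructed.

```python
import sqlite3

def make_db():
    """In-memory SQLite table with constructed rows; the second name is NULL."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (id, name) VALUES (?, ?)",
                     [(1, "admin"), (2, None)])
    return conn

def _evaluate(conn, sql, params):
    # A SQL comparison yields 1, 0 or NULL; map that to True, False or None.
    (value,) = conn.execute(sql, params).fetchone()
    return None if value is None else bool(value)

def naive_condition(conn, row_offset, position, threshold):
    """ORD(MID((SELECT name ...), position, 1)) > threshold without NULL handling.

    With SQLite's substr()/unicode() standing in for MySQL's MID()/ORD(), a NULL
    name propagates through both functions and the comparison itself is NULL:
    the page would be neither True nor False, so a bisection cannot decide."""
    sql = ("SELECT unicode(substr((SELECT name FROM users ORDER BY id "
           "LIMIT 1 OFFSET ?), ?, 1)) > ?")
    return _evaluate(conn, sql, (row_offset, position, threshold))

def casted_condition(conn, row_offset, position, threshold):
    """Same comparison over IFNULL(CAST(name AS TEXT), ' '), the wrapper the
    slides apply on MySQL as IFNULL(CAST(name AS CHAR(10000)), CHAR(32)).

    A NULL name becomes a single space (code point 32), so the comparison is
    always a boolean and the inference keeps working."""
    sql = ("SELECT unicode(substr((SELECT ifnull(cast(name AS TEXT), ' ') "
           "FROM users ORDER BY id LIMIT 1 OFFSET ?), ?, 1)) > ?")
    return _evaluate(conn, sql, (row_offset, position, threshold))
```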
  18. SQL payload (1/3)
     You have got an injection point. The injection point is in a SQL statement as follows:
       SELECT * FROM users WHERE id LIKE ((('%" . $_GET['id'] . "%'))) LIMIT 0, 1
  19. SQL payload (2/3)
     Obstacle: the injection is after a LIKE clause, within three parentheses, and the statement terminates with a LIMIT clause
  20. SQL payload (3/3)
     In this example the SQL payload that sqlmap identifies is:
       id=1'))) AND ((('RaNd' LIKE 'RaNd
     In the inferential blind SQL injection algorithm it will be:
       id=1'))) AND ORD(MID((SQL query), Nth SQL query output character, 1)) > Bisection algorithm number AND ((('RaNd' LIKE 'RaNd
     In the UNION query SQL injection technique it will be:
       id=1'))) UNION ALL SELECT NULL, Concatenated SQL query, NULL# AND ((('RaNd' LIKE 'RaNd
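The vulnerable statement from slide 18 next to a parameterized version, as an added example that is not part of the original presentation: it runs the query against an in-memory SQLite table (constructed data) and shows that the slide 20 payload changes the query's logic only when the value is concatenated into the SQL text; the function names and the false-condition variant of the payload are assumptions made for this example.

```python
import sqlite3

def make_db():
    """In-memory SQLite table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (id, name) VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (10, "carol")])
    return conn

def render_vulnerable_sql(user_id):
    """The statement from slide 18, with $_GET['id'] glued into the SQL text."""
    return "SELECT * FROM users WHERE id LIKE ((('%" + user_id + "%'))) LIMIT 0, 1"

def lookup_vulnerable(conn, user_id):
    # Whatever the client sends becomes part of the SQL syntax.
    return conn.execute(render_vulnerable_sql(user_id)).fetchall()

def lookup_parameterized(conn, user_id):
    # Same query shape, but the value is bound: quotes and parentheses inside
    # it are data for the LIKE pattern, never SQL syntax.
    sql = "SELECT * FROM users WHERE id LIKE ((('%' || ? || '%'))) LIMIT 0, 1"
    return conn.execute(sql, (user_id,)).fetchall()

# The syntax probe from slide 20: closes the three parentheses and the quote,
# then re-opens them with an always-true LIKE so the statement stays valid.
PAYLOAD_TRUE = "1'))) AND ((('RaNd' LIKE 'RaNd"
# Constructed counterpart with an always-false comparison: the row disappears
# only when the input is interpreted as SQL, which is how a tester confirms
# that the parameter really is injectable.
PAYLOAD_FALSE = "1'))) AND ((('RaNd' LIKE 'RaNx"
```

The parameterized form returns no row for either payload because the whole string is treated as a LIKE pattern, which is the fix a defender applies.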
  21. First demo
     “I did every demo possible to see if the things would do what they were promising they would do”
     Doug Hall
  22. Bypass columns limitation (1/4)
     You have got an injection point. It is vulnerable to UNION query SQL injection:
     ● sqlmap detected it for you by NULL bruteforcing or by ORDER BY clause bruteforcing, depending on your options
  23. Bypass columns limitation (2/4)
     Obstacle: the number of columns in the web application SELECT statement is lower than the number of columns of your UNION ALL SELECT statement
  24. Bypass columns limitation (3/4)
     ● A possible solution consists of concatenating your SELECT statement columns into a single output by using the specific DBMS string concatenation operator or function
     ● Example on PostgreSQL 8.3 to retrieve users' privileges
     ● The SQL query to inject is:
       SELECT usename, usecreatedb, usesuper, usecatupd FROM pg_user
  25. Bypass columns limitation (4/4)
     The injection will be:
       UNION ALL SELECT NULL, CHR(83)||CHR(114)||CHR(108)||CHR(71)||CHR(86)||CHR(116)||COALESCE(CAST(usename AS CHARACTER(10000)), CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usecreatedb AS CHARACTER(10000)), CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usesuper AS CHARACTER(10000)), CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usecatupd AS CHARACTER(10000)), CHR(32))||CHR(75)||CHR(121)||CHR(80)||CHR(65)||CHR(68)||CHR(102), NULL FROM pg_user--
  26. Going partial.. UNION (1/3)
     Obstacle: you have got an injection point vulnerable to UNION query SQL injection, but only the query output's first entry or a range of entries is displayed in the page content
  27. Going partial.. UNION (2/3)
     sqlmap automates a known technique:
     ● Changes the parameter value to its negative value, causing the original query to produce no output
     ● Inspects and unpacks the provided SQL statement:
       ● Calculates its output number of entries
       ● Limits it after the UNION ALL SELECT to return one entry at a time
       ● Repeats the previous action N times, where N is equal to the number of entries
  28. Going partial.. UNION (3/3)
     ● Example on MySQL 4.1 to enumerate the list of databases
     ● The SQL query to inject is:
       SELECT db FROM mysql.db
     ● sqlmap identified the injection point as being a non-quoted parameter (integer) in the WHERE clause with the equal operator (simple scenario)
     ● The injection will be:
       id=-1 UNION ALL SELECT NULL, CONCAT(CHAR(100,84,71,69,87,98),IFNULL(CAST(db AS CHAR(10000)), CHAR(32)), CHAR(65,83,118,81,87,116)), NULL FROM mysql.db LIMIT 0, 1# AND 6972=6972
  29. DBMS fingerprint (1/4)
     ● Back-end DBMS fingerprinting is a mandatory step to go through to take full advantage of a SQL injection flaw
     ● There are a few well-known techniques and a few overlooked techniques
     ● sqlmap implements up to four techniques, three of which are in use by other tools:
       ● The user can force the back-end DBMS software value: no HTTP requests are sent to identify the software
       ● By default a basic DBMS fingerprint based on one or two techniques is done: only two HTTP requests are sent
       ● The user can choose to perform an extensive DBMS fingerprint based on four techniques: numerous (30+) HTTP requests are sent
  30. DBMS fingerprint (2/4)
     ● The techniques implemented to perform an extensive back-end DBMS fingerprint are:
       ● Inband error messages
       ● Banner parsing
       ● SQL dialect
       ● Specific functions static output comparison
     ● On a default installation all of them are reliable
     ● On a hardened installation the last two are reliable
  31. DBMS fingerprint (3/4)
     Example of basic back-end DBMS fingerprint on PostgreSQL 8.3
     ● The techniques in use are two
     ● The two SQL queries injected to identify it are:
       ● AND integer::int=integer (SQL dialect)
       ● AND COALESCE(integer, NULL)=integer (specific function static output comparison)
  32. DBMS fingerprint (4/4)
     Example of extensive back-end DBMS fingerprint on Microsoft SQL Server 2005
     ● The techniques in use are three
     ● The result is:
       active fingerprint: Microsoft SQL Server 2005
       banner parsing fingerprint: Microsoft SQL Server 2005 Service Pack 0 version 9.00.1399
       html error message fingerprint: Microsoft SQL Server
     ● Active fingerprint refers to SQL dialect and specific functions static output comparison
  33. More on fingerprint
     ● Fingerprinting is a key step in penetration testing
     ● It is not only about the back-end DBMS software
     ● There are techniques and tools to fingerprint the web server, the web application technology and their underlying system
     ● What about the back-end DBMS underlying system?
     ● sqlmap can fingerprint them without making extra requests:
       ● Web/application server and web application technology: by parsing the HTTP response headers (Server, X-AspNet-Version, X-Powered-By, etc.) – known technique
       ● Back-end DBMS operating system: by parsing the DBMS banner – overlooked technique
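An added example (not from the presentation or from sqlmap) of the banner-parsing technique of slides 30 to 33: one regular-expression parser extracts the DBMS, its version and the host operating system from a Microsoft SQL Server @@VERSION banner and a PostgreSQL version() banner. Both banner strings are constructed samples in the real format, and the build-to-service-pack map contains only the 9.00.1399 entry shown on slide 32.

```python
import re

# Constructed sample banners (not from the presentation), in the format
# returned by @@VERSION on Microsoft SQL Server and by version() on PostgreSQL.
MSSQL_BANNER = ("Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86) \n"
                "\tOct 14 2005 00:33:37 \n"
                "\tCopyright (c) 1988-2005 Microsoft Corporation\n"
                "\tStandard Edition on Windows NT 5.2 (Build 3790: Service Pack 1)\n")
PGSQL_BANNER = ("PostgreSQL 8.3.1 on i686-pc-linux-gnu, "
                "compiled by GCC gcc (GCC) 4.1.2 20070925 (Red Hat 4.1.2-33)")

# Build number to service pack; the only entry is the one slide 32 shows.
MSSQL_SP_BY_BUILD = {"9.00.1399": "Service Pack 0"}

def parse_banner(banner):
    """Parse a DBMS banner into dbms, release, version, service_pack and os.

    Returns None when the banner is not recognised. The host operating system
    is read from the same string as the version, so it costs no extra request."""
    m = re.match(r"Microsoft SQL Server (\d{4}) - (\d+\.\d+\.\d+)\.\d+", banner)
    if m:
        release, build = m.groups()
        os_m = re.search(r" on (Windows[^\n(]*)\(Build (\d+): ([^)]+)\)", banner)
        os_name = None
        if os_m:
            os_name = "%s(build %s, %s)" % os_m.groups()
        return {"dbms": "Microsoft SQL Server", "release": release,
                "version": build,
                "service_pack": MSSQL_SP_BY_BUILD.get(build, "unknown"),
                "os": os_name}
    m = re.match(r"PostgreSQL (\d+\.\d+(?:\.\d+)?) on ([^,]+),", banner)
    if m:
        version, target = m.groups()  # target is the build triplet, e.g. i686-pc-linux-gnu
        if "linux" in target:
            os_name = "Linux"
        elif "mingw" in target or "win32" in target:
            os_name = "Windows"
        else:
            os_name = target
        return {"dbms": "PostgreSQL", "release": ".".join(version.split(".")[:2]),
                "version": version, "service_pack": None, "os": os_name}
    return None

def fingerprint_line(banner):
    """Render the banner-parsing result in the form slide 32 prints it."""
    info = parse_banner(banner)
    if info is None:
        return "banner parsing fingerprint: unknown"
    parts = [info["dbms"], info["release"]]
    if info["service_pack"]:
        parts.append(info["service_pack"])
    parts += ["version", info["version"]]
    return "banner parsing fingerprint: " + " ".join(parts)
```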
  34. Second demo
     “A demo, as in "demolish", or "demonstration"?”
     Cyclops, X-Men: Evolution
  35. Give me a SQL shell!
     It might come in handy sometimes to be able to run your own SQL queries, mainly for file system read and write access and operating system command execution. The tool inspects the provided statement:
     ● If it is a SELECT statement, sqlmap uses, depending on the user's options, the inferential blind or the UNION query technique to retrieve its output
     ● If it is a data manipulation statement, a transaction statement or any other valid SQL statement, it uses stacked queries to run it, if the web application supports them
  36. Automation vs granularity (1/2)
     sqlmap has been developed to make it simple for a busy penetration tester to detect and exploit SQL injection vulnerabilities in web applications
     ● Providing it with a source of targets, it can automatically:
       ● Detect all possible SQL injections and confirm them
       ● Identify the SQL query syntax
       ● Fingerprint the back-end DBMS
     ● The user does not have to look on the Net for DBMS-specific queries and then manually inject them to enumerate users' password hashes, check if the session user is a DBA, enumerate table columns' datatypes, etc.
     ● There is an option to dump the whole back-end DBMS
  37. Automation vs granularity (2/2)
     ● The tester is a professional, he knows what he does and why
     ● There are options to specify:
       ● How to compare True and False HTTP responses
       ● One or more testable parameters
       ● The SQL payload prefix and postfix
       ● A single entry or a range of entries to dump from a table
       ● A single column or multiple columns to dump from a table
       ● Custom SQL statements to run
     ● Options can be specified from the command line and/or a configuration file
     ● Options are documented in the user's manual with examples
  38. Third demo
     “I get tons of uninteresting mail, and system announcements about babies born, etc. At least a demo MIGHT have been interesting”
     Richard Stallman
  39. Limitations
     Can sqlmap fail to detect or to exploit a SQL injection vulnerability?
     ● Yes, in some cases, mainly because it does not support:
       ● SQL injection on SQL clauses other than WHERE
       ● Time-based blind SQL injection technique
     ● ...but I am working on these and others!
  40. Want to contribute?
     I am always looking forward to code contributions. Try it, find bugs, send feature requests, review the code and the documentation, contribute on the mailing lists! I can provide you with:
     ● Details on code internals
     ● Write access to the Subversion repository
     ● Access to the development platform
     ● A beer if you are in the London area
  41. Links and contacts
     Homepage: http://sqlmap.sourceforge.net
     Documentation:
     ● http://sqlmap.sourceforge.net/dev/index.html
     ● http://sqlmap.sourceforge.net/doc/README.pdf
     Mailing lists:
     ● https://lists.sourceforge.net/lists/listinfo/sqlmap-users
     ● https://lists.sourceforge.net/lists/listinfo/sqlmap-devel
     Personal contacts:
     ● E-mail / Jabber: bernardo.damele@gmail.com
     ● Blog: http://bernardodamele.blogspot.com
  42. References
     ● OWASP Testing Guide, Open Web Application Security Project
     ● Exploit of a Mom, xkcd
     ● Deep Blind SQL Injection, Ferruh Mavituna (Portcullis Computer Security Ltd)
     ● Microsoft SQL Server sp_replwritetovarbin limited memory overwrite vulnerability, Bernhard Mueller (SEC Consult Vulnerability Lab)
     ● Metasploit Framework, H D Moore and the Metasploit development team
     ● w3af, Andres Riancho and the w3af development team
     ● Data-mining with SQL Injection and Inference, David Litchfield (NGS Software)
     ● Advanced SQL Injection, Victor Chapela (Sm4rt Security Services)
     ● Python difflib, Python Software Foundation
     ● NULL (SQL), Wikipedia
     ● Agent oriented SQL abuse, Fernando Russ and Diego Tiscornia (CORE Security)
     ● Insight on UNION query SQL injection, Bernardo Damele A. G.
     ● DBMS Fingerprint, Daniele Bellucci (OWASP Backend Security Project)
  43. Questions?
     Thanks for your attention

Bernardo Damele A. G., 10 months ago