Sam Bowne, profile picture
Uploaded bySam Bowne
973 views

CNIT 129S: 9: Attacking Data Stores (Part 2 of 2)

The document provides an in-depth guide on various SQL injection techniques used to exploit vulnerabilities in web applications, particularly focusing on bypassing filters, second-order SQL injection, conditional responses, and advanced exploitation methods. It discusses how to manipulate and retrieve data using different database commands and techniques across various database systems like MS-SQL and MySQL. Additionally, it highlights prevention strategies such as using parameterized queries, implementing proper access controls, and securing against NoSQL and LDAP injections.

Embed presentation

Downloaded 42 times
CNIT 129S: Securing Web Applications Ch 9: Attacking Data Stores Part 2 of 2
Bypassing Filters
Avoiding Blocked Characters • App removes or encodes some characters • Single quotation mark is not needed for injection into a numerical field • You can also use string functions to dynamically construct a string containing filtered characters
CHR or CHAR Function • These queries work on Oracle and MS-SQL, respectively
Comment Symbol Blocked • Code is SELECT * from users WHERE name='uname' • Try injecting this value for name: ' or 1=1 -- • To create SELECT * from users WHERE name='' or 1=1 --' • But the "--' is blocked
Correct Syntax Without Comment • Injecting this value for name: ' or 'a'='a • To create SELECT * from users WHERE name='' or 'a'='a'
Circumventing Simple Validation • If "SELECT" is blocked, try these bypasses:
Using SQL Comments • If spaces are blocked, use comments instead • MySQL allows comments within keywords
Second-Order SQL Injection • Many applications handle data safely when it is first entered into the database • But it may later be processed in unsafe ways
App Adds a Second Quote • Register an account with this name: foo' • The correct way to insert that value is by adding a second quote (link Ch 2a) INSERT INTO users (username, password, ID, privs) VALUES ('foo''', 'secret', 2248, 1)
Password Change • Requires user to input old password, and compares it to the password retrieved with: SELECT password FROM users WHERE username = 'foo'' • This is a syntax error.
Exploit • Register a new user with this name: ' or 1 in (SELECT password FROM users WHERE username = 'admin')-- • Perform a password change, and MS-SQL will return this error, exposing the administrator password
Advanced Exploitation • The previous attacks had a ready means of exposing data • Adding UNION to a query that returns the results • Returning data in an error message
Denial of Service • Turn off an MS-SQL database ' shutdown-- • Drop table ' drop table users--
Retrieving Data as Numbers • No strings fields may be vulnerable, because single quotes are filtered • Numeric fields are vulnerable, but only allow you to retrieve numerical values • Use functions to convert characters tonumbers
Using an Out-of-Band Channel • You can inject a query but you can't see the results • Some databases allow you to make a network connection inside the query language
MS-SQL 2000 and Earlier
Oracle • UTL_HTTP makes an HTTP request • Attacker can use a netcat listener
Oracle • DNS request is even less likely to be blocked
MySQL • To retrieve the file, set up an SMB share on your server • Alowing anonymous write access
Leveraging the Operating System • Sometimes you can get the ability to execute shell commands • Such as by using a PHP shell • Then you can use built-in commands like • tftp, mail, telnet • Or copy data into a file in the Web root so you can retrive it with a browser
Conditional Responses: "Blind SQL Injection" • Suppose your query doesn't return any data you can see, and • You can't use an out-of-band channel • You can still get data, if there's any detectable behavior by the database that depends on your query
Example • Put in this text for username, and anything for password admin' -- • You'll be logged in as admin
True or False? • This username will log in as admin: admin' AND 1=1-- • This one will not log in admin' AND 1=2--
Finding One Letter • This username will log in as admin: • This one will not log in
Inducing Conditional Errors • On an Oracle database, this query will produce an error if the account "DBSNMP" exists • If it doesn't, the "1/0" will never be evaluated and it won't cause an error
Does User "AAAAA" Exist?
Using Time Delays • MS-SQL has a built-in WAITFOR command • This query waits for 5 seconds if the current database user is 'sa'
Conditional Delays • You can ask a yes/no question and get the answer from the delay
Testing Single Bits • Using bitwise AND operator & • And the POWER command
MySQL Delays • Current versions have a sleep function • For older versions (prior to 5.0.12), use benchmark to repeat a calculation many times
Oracle • No function to cause a delay, but you can use URL_HTTP to connect to a non-existent server • Causes a delay until the request times out
Oracle • This query causes a timeout if the default Oracle account "DBSNMP" exists
Beyond SQL Injection: Escalating the Database Attack
Further Attacks • SQL injection lets you get the data in the database, but you can go further • If database is shared by other applications, you may be able to access other application's data • Compromise the OS of the database server • Pivot: use the DB server to attack other servers from inside the network
Further Attacks • Make network connections back out to your own computer, to exfiltrate data and evade IDS systems • Extend database functionality by creating user-defined functions • You can reintroduce functionality that has been removed or disabled • Possible if you get database administrator privileges
MS-SQL • xp_cmdshell stored procedure • Included by default • Allows DBA (Database Administrator) to execute shell commands
MS-SQL • Other stored procedures also allow powerful attacks • xp_regread & xp_regwrite
Dealing with Default Lockdowns • MS-SQL 2005 and later disable xp_cmdshell by default, but you can just enable it if you are DBA
MySQL • load_file allows attacker to read a file • "into outfile" allows attacker to write to a file
SQL Exploitation Tools
Algorithm
SQLMAP
Preventing SQL Injection
Blocking Apostrophes • Won't stop injection into numerical fields • If you allow apostrophes into data fields by doubling them, you can have second-order SQL injection vulnerabilities
Stored Procedures • Developer defines a procedure • Attacker can still inject with this password • Resulting query
Parameterized Queries
Vulnerable Code • User input inserted into a command, which is parsed later to match quotes
Parameterized Version • User input replaces placeholder "?" • No parsing required, not vulnerable to SQLi
Provisos • Use parameterized queries for EVERY query • Not just the ones that are obviously user- controllable • Every item of data should be parameterized • Be careful if user data changes table or column names • Allow only values from a whitelist of known safe values • You cannot use parameter placeholders for other parts of the query, such as SORT BY ASC or SORT BY DESC • If they must be adjusted, use whitelisting
Defense in Depth • Application should use low privileges when accessing the database, not DBA • Remove or disable unnecessary functions of DB • Apply vendor patches • Subscribe to vulnerability notification services to work around new, unpatchable vulnerabilities
Injecting into NoSQL
NoSQL • Doesn't require structured data like SQL • Fields must be defined in a Schema, as Text, Number, etc. • Keys and values can be arbitrarily defined • A new and less mature technology than SQL
Injecting into MongoDB • Example Login Code
Injection • Log in with this username, and any password Marcus'// • Javascript function becomes this:
Another Injection • Log in with this username, and any password • This is always true (link Ch 9b)
Injecting into XPATH • XML Data 
 Store
Injection • This query retrieves a stored credit card number from a username and password • This injection:
Finding XPATH Injection Flaws • These strings usually break the syntax • These strings change behavior without breaking syntax
Preventing XPATH Injection • Filter inputs with a whitelist • Remove these characters
LDAP • Lightweight Directory Access Protocol (LDAP) • Used to store names, phone numbers, email addresses, etc. • Used in Microsoft Active Directory • Also in OpenLDAP
LDAP Queries • Match a username • Match any one of these conditions • Match all of these conditions
LDAP Injection Limitations • Possible, but less exploitable because • Logical operators come before user-supplied data, so attacker can't form "or 1=1" • Directory attributes to be returned are hard- coded and can't usually be manipulated • Applications rarely return informative error messages, so exploitation is "blind"

More Related Content

PDF
CNIT 129S: 10: Attacking Back-End Components
bySam Bowne
 
PDF
CNIT 129S: 9: Attacking Data Stores (Part 1 of 2)
bySam Bowne
 
PDF
Ch 9 Attacking Data Stores (Part 2)
bySam Bowne
 
PDF
Ch 10: Attacking Back-End Components
bySam Bowne
 
PDF
CNIT 129S: 11: Attacking Application Logic
bySam Bowne
 
PPTX
Sqlmap
byRushikesh Kulkarni
 
PPTX
SQL injection prevention techniques
bySongchaiDuangpan
 
PDF
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 2 of 3)
bySam Bowne
 
CNIT 129S: 10: Attacking Back-End Components
bySam Bowne
 
CNIT 129S: 9: Attacking Data Stores (Part 1 of 2)
bySam Bowne
 
Ch 9 Attacking Data Stores (Part 2)
bySam Bowne
 
Ch 10: Attacking Back-End Components
bySam Bowne
 
CNIT 129S: 11: Attacking Application Logic
bySam Bowne
 
Sqlmap
byRushikesh Kulkarni
 
SQL injection prevention techniques
bySongchaiDuangpan
 
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 2 of 3)
bySam Bowne
 

What's hot

PDF
Thick Client Penetration Testing.pdf
bySouvikRoy114738
 
PPTX
Command injection
bypenetration Tester
 
PPT
Sql injection attack
byRajKumar Rampelli
 
PDF
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
byKathirvel Ayyaswamy
 
PDF
C programming for problem solving
byAnuradha Moti T
 
PPSX
Digital signature
byNisha Menon K
 
PPTX
Sql injection
byZidh
 
PPSX
How a Developer can Troubleshoot a SQL performing poorly on a Production DB
byCarlos Sierra
 
PPTX
DEF CON 23 - Hacking Web Apps @brentwdesign
bybrentwdesign
 
PPTX
Ppt on sql injection
byashish20012
 
PDF
Secure coding guidelines
byZakaria SMAHI
 
PPTX
SQL Injections (Part 1)
byn|u - The Open Security Community
 
PDF
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
bySam Bowne
 
PPT
Sql injection
byNitish Kumar
 
PPTX
Cross Site Scripting: Prevention and Detection(XSS)
byAman Singh
 
PPTX
Sql injection
byHemendra Kumar
 
PDF
Sql Injection - Vulnerability and Security
bySandip Chaudhari
 
PDF
Domain Driven Design com Python
byFrederico Cabral
 
PPTX
Server-side template injection- Slides
byAmit Dubey
 
PPTX
Sqlmap
byInstitute of Information Security (IIS)
 
Thick Client Penetration Testing.pdf
bySouvikRoy114738
 
Command injection
bypenetration Tester
 
Sql injection attack
byRajKumar Rampelli
 
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
byKathirvel Ayyaswamy
 
C programming for problem solving
byAnuradha Moti T
 
Digital signature
byNisha Menon K
 
Sql injection
byZidh
 
How a Developer can Troubleshoot a SQL performing poorly on a Production DB
byCarlos Sierra
 
DEF CON 23 - Hacking Web Apps @brentwdesign
bybrentwdesign
 
Ppt on sql injection
byashish20012
 
Secure coding guidelines
byZakaria SMAHI
 
SQL Injections (Part 1)
byn|u - The Open Security Community
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
bySam Bowne
 
Sql injection
byNitish Kumar
 
Cross Site Scripting: Prevention and Detection(XSS)
byAman Singh
 
Sql injection
byHemendra Kumar
 
Sql Injection - Vulnerability and Security
bySandip Chaudhari
 
Domain Driven Design com Python
byFrederico Cabral
 
Server-side template injection- Slides
byAmit Dubey
 
Sqlmap
byInstitute of Information Security (IIS)
 

Viewers also liked

PDF
CNIT 121: 14 Investigating Applications
bySam Bowne
 
PDF
CNIT 121: 9 Network Evidence
bySam Bowne
 
PDF
CNIT 121: 17 Remediation Introduction (Part 1)
bySam Bowne
 
PDF
iOS Threats - Malicious Configuration Profiles, Threat, Detection & Mitigation
byLacoon Mobile Security
 
PDF
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)
bySam Bowne
 
PDF
Ch 4: Footprinting and Social Engineering
bySam Bowne
 
PDF
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
bySam Bowne
 
PDF
CNIT 121: 10 Enterprise Services
bySam Bowne
 
PDF
Practical Malware Analysis: Ch 8: Debugging
bySam Bowne
 
PDF
CNIT 127 Ch 6: The Wild World of Windows
bySam Bowne
 
PDF
CNIT 40: 6: DNSSEC and beyond
bySam Bowne
 
PDF
CNIT 129S: Ch 6: Attacking Authentication
bySam Bowne
 
PDF
CNIT 121: 11 Analysis Methodology
bySam Bowne
 
PDF
CNIT 129S: Ch 3: Web Application Technologies
bySam Bowne
 
PDF
CNIT 129S: 8: Attacking Access Controls
bySam Bowne
 
PDF
CNIT 121: 2 IR Management Handbook
bySam Bowne
 
PDF
CNIT 129S: Securing Web Applications Ch 1-2
bySam Bowne
 
PDF
CNIT 129S: Ch 4: Mapping the Application
bySam Bowne
 
PDF
CNIT 121: 12 Investigating Windows Systems (Part 3)
bySam Bowne
 
PDF
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...
bySam Bowne
 
CNIT 121: 14 Investigating Applications
bySam Bowne
 
CNIT 121: 9 Network Evidence
bySam Bowne
 
CNIT 121: 17 Remediation Introduction (Part 1)
bySam Bowne
 
iOS Threats - Malicious Configuration Profiles, Threat, Detection & Mitigation
byLacoon Mobile Security
 
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)
bySam Bowne
 
Ch 4: Footprinting and Social Engineering
bySam Bowne
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
bySam Bowne
 
CNIT 121: 10 Enterprise Services
bySam Bowne
 
Practical Malware Analysis: Ch 8: Debugging
bySam Bowne
 
CNIT 127 Ch 6: The Wild World of Windows
bySam Bowne
 
CNIT 40: 6: DNSSEC and beyond
bySam Bowne
 
CNIT 129S: Ch 6: Attacking Authentication
bySam Bowne
 
CNIT 121: 11 Analysis Methodology
bySam Bowne
 
CNIT 129S: Ch 3: Web Application Technologies
bySam Bowne
 
CNIT 129S: 8: Attacking Access Controls
bySam Bowne
 
CNIT 121: 2 IR Management Handbook
bySam Bowne
 
CNIT 129S: Securing Web Applications Ch 1-2
bySam Bowne
 
CNIT 129S: Ch 4: Mapping the Application
bySam Bowne
 
CNIT 121: 12 Investigating Windows Systems (Part 3)
bySam Bowne
 
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...
bySam Bowne
 

Similar to CNIT 129S: 9: Attacking Data Stores (Part 2 of 2)

PDF
CNIT 129S Ch 9: Attacking Data Stores (Part 2 of 2)
bySam Bowne
 
PDF
Chapter 14 sql injection
bynewbie2019
 
PPT
PHP - Introduction to Advanced SQL
byVibrant Technologies & Computers
 
PPT
Sql Injection Adv Owasp
byAung Khant
 
PPT
Advanced SQL Injection
byamiable_indian
 
PDF
Sq linjection
byMahesh Gupta (DBATAG) - SQL Server Consultant
 
PPTX
Sql injection
byNuruzzaman Milon
 
PDF
sql-inj_attack.pdf
byssuser07cf8b
 
PPT
Sql injection
byNikunj Dhameliya
 
PDF
SQL Injection
byAbhinav Nair
 
PDF
Think Like a Hacker - Database Attack Vectors
byMark Ginnebaugh
 
PPT
A Brief Introduction in SQL Injection
bySina Manavi
 
PPTX
Sql injection
byMehul Boghra
 
PPT
SQLSecurity.ppt
byLokeshK66
 
PPT
SQLSecurity.ppt
byCNSHacking
 
PPTX
SQL Injection Stegnography in Pen Testing
by191013607gouthamsric
 
PPTX
SQL Injection Sql Injection Typesagdsgdsgdsgbdshfdshbfdshbfdshbfdhsh
byRAKIBULISLAM529074
 
PPTX
References - sql injection
byMohammed
 
PPTX
References
byMohammed
 
PPT
Sql security
bySafwan Hashmi
 
CNIT 129S Ch 9: Attacking Data Stores (Part 2 of 2)
bySam Bowne
 
Chapter 14 sql injection
bynewbie2019
 
PHP - Introduction to Advanced SQL
byVibrant Technologies & Computers
 
Sql Injection Adv Owasp
byAung Khant
 
Advanced SQL Injection
byamiable_indian
 
Sq linjection
byMahesh Gupta (DBATAG) - SQL Server Consultant
 
Sql injection
byNuruzzaman Milon
 
sql-inj_attack.pdf
byssuser07cf8b
 
Sql injection
byNikunj Dhameliya
 
SQL Injection
byAbhinav Nair
 
Think Like a Hacker - Database Attack Vectors
byMark Ginnebaugh
 
A Brief Introduction in SQL Injection
bySina Manavi
 
Sql injection
byMehul Boghra
 
SQLSecurity.ppt
byLokeshK66
 
SQLSecurity.ppt
byCNSHacking
 
SQL Injection Stegnography in Pen Testing
by191013607gouthamsric
 
SQL Injection Sql Injection Typesagdsgdsgdsgbdshfdshbfdshbfdshbfdhsh
byRAKIBULISLAM529074
 
References - sql injection
byMohammed
 
References
byMohammed
 
Sql security
bySafwan Hashmi
 

More from Sam Bowne

PDF
Introduction to the Class & CISSP Certification
bySam Bowne
 
PDF
Cyberwar
bySam Bowne
 
PDF
3: DNS vulnerabilities
bySam Bowne
 
PDF
8. Software Development Security
bySam Bowne
 
PDF
4 Mapping the Application
bySam Bowne
 
PDF
3. Attacking iOS Applications (Part 2)
bySam Bowne
 
PDF
12 Elliptic Curves
bySam Bowne
 
PDF
11. Diffie-Hellman
bySam Bowne
 
PDF
2a Analyzing iOS Apps Part 1
bySam Bowne
 
PDF
9 Writing Secure Android Applications
bySam Bowne
 
PDF
12 Investigating Windows Systems (Part 2 of 3)
bySam Bowne
 
PDF
10 RSA
bySam Bowne
 
PDF
12 Investigating Windows Systems (Part 1 of 3
bySam Bowne
 
PDF
9. Hard Problems
bySam Bowne
 
PDF
8 Android Implementation Issues (Part 1)
bySam Bowne
 
PDF
11 Analysis Methodology
bySam Bowne
 
PDF
8. Authenticated Encryption
bySam Bowne
 
PDF
7. Attacking Android Applications (Part 2)
bySam Bowne
 
PDF
7. Attacking Android Applications (Part 1)
bySam Bowne
 
PDF
5. Stream Ciphers
bySam Bowne
 
Introduction to the Class & CISSP Certification
bySam Bowne
 
Cyberwar
bySam Bowne
 
3: DNS vulnerabilities
bySam Bowne
 
8. Software Development Security
bySam Bowne
 
4 Mapping the Application
bySam Bowne
 
3. Attacking iOS Applications (Part 2)
bySam Bowne
 
12 Elliptic Curves
bySam Bowne
 
11. Diffie-Hellman
bySam Bowne
 
2a Analyzing iOS Apps Part 1
bySam Bowne
 
9 Writing Secure Android Applications
bySam Bowne
 
12 Investigating Windows Systems (Part 2 of 3)
bySam Bowne
 
10 RSA
bySam Bowne
 
12 Investigating Windows Systems (Part 1 of 3
bySam Bowne
 
9. Hard Problems
bySam Bowne
 
8 Android Implementation Issues (Part 1)
bySam Bowne
 
11 Analysis Methodology
bySam Bowne
 
8. Authenticated Encryption
bySam Bowne
 
7. Attacking Android Applications (Part 2)
bySam Bowne
 
7. Attacking Android Applications (Part 1)
bySam Bowne
 
5. Stream Ciphers
bySam Bowne
 

Recently uploaded

PDF
The Tale of Melon City poem ppt by Sahasra
bybitrasahasra
 
PPTX
4 G8_Q3_L4 (Evaluating opinion editorials for textual evidence and quality).pptx
byNorafeSahagun
 
PPTX
Accounting Skills Paper-II (Registers of PACs and Credit Co-operative Societies)
byDr. Sushil Bansode
 
PDF
Analyzing the data of your initial survey
byThelma Villaflores
 
PPTX
Planning Assessment for Outcome-based Education
byAdri Jovin
 
PPTX
Overview of how to Create a Model in Odoo 18
byCeline George
 
PDF
Biology Practical Class 12th 2025 PDF(2)-2-52.pdf
bySCPRPWomenCollegeChi
 
PPTX
Partial Correlation - Values of r₁₂.₃, r₂₃.₁ & r₁₃.₂ r₁₂, r₁₃ and r₂₃
bySundar B N
 
PDF
Most Imp Chapters & Weightage for Boards 2025.pdf
byTamannaSagar
 
PPTX
Details of Epithelial and Connective Tissue.pptx
byAshish Umale
 
PPTX
How to Configure Push & Pull Rule in Odoo 18 Inventory
byCeline George
 
PPTX
Repeat Orders_ Use Odoo Blanket Agreement
byCeline George
 
PPTX
Basics in Phytochemistry, Extraction, Isolation methods, Characterisation etc.
byD. Y. Patil College of Pharmacy, Kolhapur.
 
PPTX
The Cell & Cell Cycle-detailed structure and function of organelles.pptx
byAshish Umale
 
PPTX
Partial Correlation of Coefficient - Values of r₁₂.₃, r₂₃.₁ & r₁₃.₂
bySundar B N
 
PPTX
PARENTAL ROUTES OF DRUGS ADMINISTRATION .pptx
byAneetaSharma15
 
PPTX
Expected Revenue Report In Odoo 18 CRM
byCeline George
 
PPTX
UNIT 1: COMMUNICATION SKILLS, BARRIERS TO COMMUNICATION, PERSPECTIVES IN COMM...
byPOOJA KARVANDE
 
PDF
Micro Economics for class 12 and class 11
bysurajbajaj4116
 
PDF
Multiple Myeloma , definition, etiology, PP, CM , DE and management
byNisha Borsa
 
The Tale of Melon City poem ppt by Sahasra
bybitrasahasra
 
4 G8_Q3_L4 (Evaluating opinion editorials for textual evidence and quality).pptx
byNorafeSahagun
 
Accounting Skills Paper-II (Registers of PACs and Credit Co-operative Societies)
byDr. Sushil Bansode
 
Analyzing the data of your initial survey
byThelma Villaflores
 
Planning Assessment for Outcome-based Education
byAdri Jovin
 
Overview of how to Create a Model in Odoo 18
byCeline George
 
Biology Practical Class 12th 2025 PDF(2)-2-52.pdf
bySCPRPWomenCollegeChi
 
Partial Correlation - Values of r₁₂.₃, r₂₃.₁ & r₁₃.₂ r₁₂, r₁₃ and r₂₃
bySundar B N
 
Most Imp Chapters & Weightage for Boards 2025.pdf
byTamannaSagar
 
Details of Epithelial and Connective Tissue.pptx
byAshish Umale
 
How to Configure Push & Pull Rule in Odoo 18 Inventory
byCeline George
 
Repeat Orders_ Use Odoo Blanket Agreement
byCeline George
 
Basics in Phytochemistry, Extraction, Isolation methods, Characterisation etc.
byD. Y. Patil College of Pharmacy, Kolhapur.
 
The Cell & Cell Cycle-detailed structure and function of organelles.pptx
byAshish Umale
 
Partial Correlation of Coefficient - Values of r₁₂.₃, r₂₃.₁ & r₁₃.₂
bySundar B N
 
PARENTAL ROUTES OF DRUGS ADMINISTRATION .pptx
byAneetaSharma15
 
Expected Revenue Report In Odoo 18 CRM
byCeline George
 
UNIT 1: COMMUNICATION SKILLS, BARRIERS TO COMMUNICATION, PERSPECTIVES IN COMM...
byPOOJA KARVANDE
 
Micro Economics for class 12 and class 11
bysurajbajaj4116
 
Multiple Myeloma , definition, etiology, PP, CM , DE and management
byNisha Borsa
 
In this document
Powered by AI

Introduction to securing web applications by addressing SQL injection and how filters can be bypassed.

Methods to bypass blocked characters in SQL injection, including dynamic string construction and comment symbol usage.

Alternative injection techniques when facing comment blocks by using correct syntax and registered user scenarios.

Demonstrates exploiting second-order SQL injection vulnerabilities during password change processes.

Further exploits including advanced data retrieval through UNION queries and Denial of Service attacks.

Explains how numeric and character conversion can aid in SQL injection and the use of functions for exploitation.

Utilizing the underlying operating system to execute shell commands or cause conditional responses based on database reactions.

Methods to conduct blind SQL injection through conditional responses and using time delays to infer database behavior.

Exploring further vulnerabilities and escalation techniques leveraging SQL injections for broader system access.

SQL injection risks associated with stored procedures and how default security settings can be manipulated by DBAs.

Prevention methods including use of parameterized queries and the importance of applying defense in depth.

Introduction to NoSQL databases, their structure, and basic injection vulnerabilities for authentication processes.

Techniques for injecting into XML data stores and LDAP queries, highlighting limitations and preventive measures against such attacks.

CNIT 129S: 9: Attacking Data Stores (Part 2 of 2)

  • 1.
    CNIT 129S: Securing WebApplications Ch 9: Attacking Data Stores Part 2 of 2
  • 2.
  • 3.
    Avoiding Blocked Characters • Appremoves or encodes some characters • Single quotation mark is not needed for injection into a numerical field • You can also use string functions to dynamically construct a string containing filtered characters
  • 4.
    CHR or CHARFunction • These queries work on Oracle and MS-SQL, respectively
  • 5.
    Comment Symbol Blocked •Code is SELECT * from users WHERE name='uname' • Try injecting this value for name: ' or 1=1 -- • To create SELECT * from users WHERE name='' or 1=1 --' • But the "--' is blocked
  • 6.
    Correct Syntax Without Comment •Injecting this value for name: ' or 'a'='a • To create SELECT * from users WHERE name='' or 'a'='a'
  • 7.
    Circumventing Simple Validation • If"SELECT" is blocked, try these bypasses:
  • 8.
    Using SQL Comments •If spaces are blocked, use comments instead • MySQL allows comments within keywords
  • 9.
    Second-Order SQL Injection •Many applications handle data safely when it is first entered into the database • But it may later be processed in unsafe ways
  • 10.
    App Adds aSecond Quote • Register an account with this name: foo' • The correct way to insert that value is by adding a second quote (link Ch 2a) INSERT INTO users (username, password, ID, privs) VALUES ('foo''', 'secret', 2248, 1)
  • 11.
    Password Change • Requiresuser to input old password, and compares it to the password retrieved with: SELECT password FROM users WHERE username = 'foo'' • This is a syntax error.
  • 12.
    Exploit • Register anew user with this name: ' or 1 in (SELECT password FROM users WHERE username = 'admin')-- • Perform a password change, and MS-SQL will return this error, exposing the administrator password
  • 13.
    Advanced Exploitation • Theprevious attacks had a ready means of exposing data • Adding UNION to a query that returns the results • Returning data in an error message
  • 14.
    Denial of Service •Turn off an MS-SQL database ' shutdown-- • Drop table ' drop table users--
  • 15.
    Retrieving Data asNumbers • No strings fields may be vulnerable, because single quotes are filtered • Numeric fields are vulnerable, but only allow you to retrieve numerical values • Use functions to convert characters tonumbers
  • 17.
    Using an Out-of-Band Channel •You can inject a query but you can't see the results • Some databases allow you to make a network connection inside the query language
  • 18.
  • 19.
    Oracle • UTL_HTTP makesan HTTP request • Attacker can use a netcat listener
  • 20.
    Oracle • DNS requestis even less likely to be blocked
  • 21.
    MySQL • To retrievethe file, set up an SMB share on your server • Alowing anonymous write access
  • 22.
    Leveraging the Operating System •Sometimes you can get the ability to execute shell commands • Such as by using a PHP shell • Then you can use built-in commands like • tftp, mail, telnet • Or copy data into a file in the Web root so you can retrive it with a browser
  • 23.
    Conditional Responses: "Blind SQLInjection" • Suppose your query doesn't return any data you can see, and • You can't use an out-of-band channel • You can still get data, if there's any detectable behavior by the database that depends on your query
  • 24.
    Example • Put inthis text for username, and anything for password admin' -- • You'll be logged in as admin
  • 25.
    True or False? •This username will log in as admin: admin' AND 1=1-- • This one will not log in admin' AND 1=2--
  • 26.
    Finding One Letter •This username will log in as admin: • This one will not log in
  • 27.
    Inducing Conditional Errors •On an Oracle database, this query will produce an error if the account "DBSNMP" exists • If it doesn't, the "1/0" will never be evaluated and it won't cause an error
  • 28.
  • 29.
    Using Time Delays •MS-SQL has a built-in WAITFOR command • This query waits for 5 seconds if the current database user is 'sa'
  • 30.
    Conditional Delays • Youcan ask a yes/no question and get the answer from the delay
  • 31.
    Testing Single Bits •Using bitwise AND operator & • And the POWER command
  • 32.
    MySQL Delays • Currentversions have a sleep function • For older versions (prior to 5.0.12), use benchmark to repeat a calculation many times
  • 33.
    Oracle • No functionto cause a delay, but you can use URL_HTTP to connect to a non-existent server • Causes a delay until the request times out
  • 34.
    Oracle • This querycauses a timeout if the default Oracle account "DBSNMP" exists
  • 35.
  • 36.
    Further Attacks • SQLinjection lets you get the data in the database, but you can go further • If database is shared by other applications, you may be able to access other application's data • Compromise the OS of the database server • Pivot: use the DB server to attack other servers from inside the network
  • 37.
    Further Attacks • Makenetwork connections back out to your own computer, to exfiltrate data and evade IDS systems • Extend database functionality by creating user-defined functions • You can reintroduce functionality that has been removed or disabled • Possible if you get database administrator privileges
  • 38.
    MS-SQL • xp_cmdshell storedprocedure • Included by default • Allows DBA (Database Administrator) to execute shell commands
  • 39.
    MS-SQL • Other storedprocedures also allow powerful attacks • xp_regread & xp_regwrite
  • 40.
    Dealing with Default Lockdowns •MS-SQL 2005 and later disable xp_cmdshell by default, but you can just enable it if you are DBA
  • 41.
    MySQL • load_file allowsattacker to read a file • "into outfile" allows attacker to write to a file
  • 42.
  • 43.
  • 44.
  • 45.
  • 46.
    Blocking Apostrophes • Won'tstop injection into numerical fields • If you allow apostrophes into data fields by doubling them, you can have second-order SQL injection vulnerabilities
  • 47.
    Stored Procedures • Developerdefines a procedure • Attacker can still inject with this password • Resulting query
  • 48.
  • 49.
    Vulnerable Code • Userinput inserted into a command, which is parsed later to match quotes
  • 50.
    Parameterized Version • Userinput replaces placeholder "?" • No parsing required, not vulnerable to SQLi
  • 51.
    Provisos • Use parameterizedqueries for EVERY query • Not just the ones that are obviously user- controllable • Every item of data should be parameterized • Be careful if user data changes table or column names • Allow only values from a whitelist of known safe values • You cannot use parameter placeholders for other parts of the query, such as SORT BY ASC or SORT BY DESC • If they must be adjusted, use whitelisting
  • 52.
    Defense in Depth •Application should use low privileges when accessing the database, not DBA • Remove or disable unnecessary functions of DB • Apply vendor patches • Subscribe to vulnerability notification services to work around new, unpatchable vulnerabilities
  • 53.
  • 54.
    NoSQL • Doesn't requirestructured data like SQL • Fields must be defined in a Schema, as Text, Number, etc. • Keys and values can be arbitrarily defined • A new and less mature technology than SQL
  • 56.
    Injecting into MongoDB •Example Login Code
  • 57.
    Injection • Log inwith this username, and any password Marcus'// • Javascript function becomes this:
  • 58.
    Another Injection • Login with this username, and any password • This is always true (link Ch 9b)
  • 59.
    Injecting into XPATH •XML Data 
 Store
  • 61.
    Injection • This queryretrieves a stored credit card number from a username and password • This injection:
  • 62.
    Finding XPATH Injection Flaws •These strings usually break the syntax • These strings change behavior without breaking syntax
  • 63.
    Preventing XPATH Injection •Filter inputs with a whitelist • Remove these characters
  • 64.
    LDAP • Lightweight DirectoryAccess Protocol (LDAP) • Used to store names, phone numbers, email addresses, etc. • Used in Microsoft Active Directory • Also in OpenLDAP
  • 65.
    LDAP Queries • Matcha username • Match any one of these conditions • Match all of these conditions
  • 66.
    LDAP Injection Limitations •Possible, but less exploitable because • Logical operators come before user-supplied data, so attacker can't form "or 1=1" • Directory attributes to be returned are hard- coded and can't usually be manipulated • Applications rarely return informative error messages, so exploitation is "blind"