SlideShare une entreprise Scribd logo

It all starts with the ' (SQL injection from attacker's point of view)

Miroslav Stampar
Miroslav Stampar

These are the slides from a talk "It all starts with the ' (SQL injection from attacker's point of view)" held at FSec 2011 conference (Croatia / Varazdin 22nd September 2011) by Miroslav Stampar

TechnologieVoyages
1  sur  25
Télécharger pour lire hors ligne
It all starts with the ' (SQL injection from attacker's point of view) Miroslav Štampar (dev@sqlmap.org)
What is SQL injection? “SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of DBMS server for parsing and execution” (source: msdn.microsoft.com) FSec – FOI 2011, Varaždin (Croatia) September 23, 2011 2
What is SQL injection? (2)  In plain speak, SQL injection is (mostly) about the unauthorized DBMS data access  Just in special cases, it's about the data modification together with system takeover  “Hello World” vulnerable code example (PHP/MySQL):  $sql = "SELECT * FROM table_name WHERE id =  " . $_GET["id"];  $result = mysql_query($sql) FSec – FOI 2011, Varaždin (Croatia) September 23, 2011 3
Well known cases  In period 2005 till 2007 Albert Gonzalez has stolen 130 million credit card numbers  June 2007 – Microsoft U.K. Website defaced  December 2009 – RockYou (32 million credentials stolen)  December 2009 – NASA  July 2010 – The Pirate Bay FSec – FOI 2011, Varaždin (Croatia) September 23, 2011 4
Well known cases (2)  February 2011 – HBGary (Anonymous)  March 2011 – MySQL  March & May 2011 – Comodo (certificate reseller)  June 2011 – Sony, PBS (@LulzSec)  August 2011 – Nokia  September 2011 – NetNames DNS records (Betfair, The Telegraph, The Register, The National Geographic, UPS, Vodafone...) FSec – FOI 2011, Varaždin (Croatia) September 23, 2011 5
Attackers' motivation number of vulnerable sites collected x  time spent on each site = const. time spent on particular target /  motivation = const. (target = multiple (co)sites) FSec – FOI 2011, Varaždin (Croatia) September 23, 2011 6
Attackers' profiles 1) Targeting easy targets, unfocused, fast pace, predictable behavior, blabbering, don't really care about the target (“script kiddies”) 2) Persistent, focused, slow motion, covert, silent, higher than average technical skills, highly motivated (money, extortion, fame) (“black hats”/“crackers”/”bad guys”) 3) For fun and knowledge, could warn you about the problem found, don't want to cause any damage (”gray hats”/”hackers”/”good guys”) FSec – FOI 2011, Varaždin (Croatia) September 23, 2011 7
SQL injection techniques  Boolean/Blind – AND 1=1, slow, 1 bit per request, page differentiation based, low difference ratio represents True response, False otherwise (in most common cases)  Error-based – CONVERT(INT,(<subquery>)), fast, 1 (sub)query result per request, based on inclusion of subquery result(s) inside DBMS error message  Union/Inband – UNION ALL SELECT NULL,...,  (<subquery>),NULL,NULL,..., fastest, in FULL variant whole table dump per request, in PARTIAL variant 1 query result per request FSec – FOI 2011, Varaždin (Croatia) September 23, 2011 8
SQL injection techniques (2)  Time-based – AND 1=IF(2>1,  BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,1 12))),0), slowest, 1 bit per request, delay represents True response, False otherwise  Stacked – ;INSERT INTO users VALUES (10,  'test', 'testpass'), affecting mainly Microsoft SQL and PostgreSQL platforms, required for data modification, system access (e.g. xp_cmdshell), UDF injection, there are also time and error-based variants for data retrieval  Other (DNS exfiltration, “Lateral”, Second order attacks, etc.) FSec – FOI 2011, Varaždin (Croatia) September 23, 2011 9
Attacking phases  Most SQL injection attacks can be dissected into following phases: 1) Searching for a vulnerable parameter (aka. “Injection point”) 2) Fingerprinting backend DBMS (for usage of proper payloads – e.g. error-based) 3) Finding a fastest applicable technique (U>E>B>T=S) 4) Enumeration (retrieving data of interest – e.g. usernames and passwords) 5) Eventual post-exploatation (underlying OS access, data modification, web server takeover) FSec – FOI 2011, Varaždin (Croatia) September 23, 2011 10
Attacking workflow (1)  Finding a potential target – underground forums (e.g. antichat.ru), IRC channels, Google (e.g. dorks), domain scanning (e.g. nmap ­p 80), SHODAN (specialized Computer Search Engine), “drive-by” (e.g. proxying of all casual everyday traffic), “hit-list”, etc.  Manual web-browser based GET/POST parameter tampering with “poisonous” SQL characters (e.g. appending character ' to the end of the original parameter value) FSec – FOI 2011, Varaždin (Croatia) September 23, 2011 11
Attacking workflow (2)  In case of a contained DBMS error attacker immediately proceeds with the “proper” (DBMS dependent) error-based payloads   FSec – FOI 2011, Varaždin (Croatia) September 23, 2011 12
Attacking workflow (3)  Otherwise, following step is the usage of common boolean based payloads (e.g. AND  1=1­­%20, OR 1=1­­%20, etc.)   FSec – FOI 2011, Varaždin (Croatia) September 23, 2011 13
Attacking workflow (4)  Along the attacking line, proper SQL injection prefix/suffix combination has to be “guessed”  For example, different payloads are needed in cases: ”SELECT * WHERE id='.$_GET[“id”] and ”SELECT * WHERE id=('.$_GET[“id”]')”  Adds one more dimension to the problem (more combinations)  Most common prefixes are: <blank>, ', “, '), “)  Problem of suffix finding can be most often circumvented by the usage of generic comment form: ­­%20 FSec – FOI 2011, Varaždin (Croatia) September 23, 2011 14
Attacking workflow (5)  In case that boolean/blind injection worked, there is a great possibility for union/inband  Brute-force search for proper column number  ORDER BY fast column number finding technique  Looking if it's a partial or full inband case  Finding usable (presented) column FSec – FOI 2011, Varaždin (Croatia) September 23, 2011 15
Attacking workflow (6)  If everything fails attacker could proceed (high motivation required) with common time-based payloads and/or stacked queries  Most commonly, this happens in INSERT/UPDATE/DELETE SQL injection cases (and DBMS error messages are suppressed)  Common payloads are: AND  1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(97))),0), ;IF(2>1) WAITFOR DELAY '0:0:5', ;SELECT COUNT(*)  FROM GENERATE_SERIES(1,5000000), etc. FSec – FOI 2011, Varaždin (Croatia) September 23, 2011 16
Attacking workflow (7)  Enumeration phase consists of retrieving (”stealing”) data of interest:  Database and table names  Table dumps (e.g. users, admin,...)  System stored usernames and password hashes  User privileges and roles  Highly DBMS dependent (system database and table names, common function names, etc.)  Usage of automated tools is highly preferable in boolean/blind and time-based techniques FSec – FOI 2011, Varaždin (Croatia) September 23, 2011 17
Attacking workflow (8)  Eventual post-exploitation is highly bounded by the applicable SQL injection technique(s) and current user privileges  Best/worst case scenario is the availability of stacked technique along with the “admin” privileges  UDF injection (e.g. functions for OS command execution), web shell (e.g. union/inband MySQL INTO OUTFILE), Metasploit payload upload and execution (e.g. stacked Microsoft SQL xp_cmdshell()), etc. FSec – FOI 2011, Varaždin (Croatia) September 23, 2011 18
Process automation 1) Web Application Assessment Proxy (optional) – BURP, WebScarab 2) Automatic SQL injection detection and exploitation tool – sqlmap, Havij, sqlninja 3) Second order exploitation framework – Metasploit (optional) FSec – FOI 2011, Varaždin (Croatia) September 23, 2011 19
Introducing sqlmap  “sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database server(s)”  Unofficially, sqlmap is AIO (All-In-One) SQL injection tool  Over 10,000 repository updates and/or checkouts on a monthly basis  Part of most popular security distributions: Backtrack, Backbox, Web Security Dojo, OWASP Web Testing,... FSec – FOI 2011, Varaždin (Croatia) September 23, 2011 20
sqlmap capabilities  Fully supported backend DBMSes (and growing): MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, SQLite, Firebird, Sybase and SAP MaxDB  Fully supported SQL injection techniques: Boolean/Blind, Error-based, Union/Inband (partial & full), Timed-based, Stacked  Enumeration of: database users, users' password hashes, users' privileges, users' roles, databases, tables and columns, etc. FSec – FOI 2011, Varaždin (Croatia) September 23, 2011 21
sqlmap capabilities (2)  Automatic recognition and cracking of password hashes  Support for IDS/WAF evasion in form of “tampering” scripts  Web server file upload/download  Arbitrary OS command execution and retrieval of standard console output  Establishment of an out-of-band TCP/UDP connection between the attacker's machine and the database server (Metasploit, ICMPsh) FSec – FOI 2011, Varaždin (Croatia) September 23, 2011 22
Closing words (for attackers)  Learn SQL more than "well" – “SQL injection is 100% SQL. The rest is injection”  Setup (virtual) vulnerable environment entirely by yourself – for gaining better mindset and possessing LEGAL assessment testing machine  Mimic with comprehension what other “attackers” do – including automated tools (e.g. sqlmap)  Research defensive mechanisms – for advanced comprehension of the topic FSec – FOI 2011, Varaždin (Croatia) September 23, 2011 23
Closing words (for defenders)  Use (only) prepared SQL statements (bullet- proof against SQL injection attacks)  Self-filtering procedures are prone to common “programmer's” mistakes (e.g. forgetting to hard type-cast the integer parameter value)  Turn-off error (DBMS) reports  Use least privileged run (non-admin “query” user)  Always expect worst scenario and setup accordingly (e.g. use GRANT/REVOKE mechanism accordingly) FSec – FOI 2011, Varaždin (Croatia) September 23, 2011 24
Questions? FSec – FOI 2011, Varaždin (Croatia) September 23, 2011 25

Recommandé

sqlmap - why (not how) it works?
sqlmap - why (not how) it works?sqlmap - why (not how) it works?
sqlmap - why (not how) it works?
Miroslav Stampar
 
sqlmap internals
sqlmap internalssqlmap internals
sqlmap internals
Miroslav Stampar
 
Advanced SQL injection to operating system full control (slides)
Advanced SQL injection to operating system full control (slides)Advanced SQL injection to operating system full control (slides)
Advanced SQL injection to operating system full control (slides)
Bernardo Damele A. G.
 
SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)
Bernardo Damele A. G.
 
sqlmap - Under the Hood
sqlmap - Under the Hoodsqlmap - Under the Hood
sqlmap - Under the Hood
Miroslav Stampar
 
Heuristic methods used in sqlmap
Heuristic methods used in sqlmapHeuristic methods used in sqlmap
Heuristic methods used in sqlmap
Miroslav Stampar
 
sqlmap - security development in Python
sqlmap - security development in Pythonsqlmap - security development in Python
sqlmap - security development in Python
Miroslav Stampar
 
Ppt on sql injection
Ppt on sql injectionPpt on sql injection
Ppt on sql injection
ashish20012
 

Recommandé

sqlmap - why (not how) it works?
sqlmap - why (not how) it works?sqlmap - why (not how) it works?
sqlmap - why (not how) it works?
Miroslav Stampar
 
sqlmap internals
sqlmap internalssqlmap internals
sqlmap internals
Miroslav Stampar
 
Advanced SQL injection to operating system full control (slides)
Advanced SQL injection to operating system full control (slides)Advanced SQL injection to operating system full control (slides)
Advanced SQL injection to operating system full control (slides)
Bernardo Damele A. G.
 
SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)
Bernardo Damele A. G.
 
sqlmap - Under the Hood
sqlmap - Under the Hoodsqlmap - Under the Hood
sqlmap - Under the Hood
Miroslav Stampar
 
Heuristic methods used in sqlmap
Heuristic methods used in sqlmapHeuristic methods used in sqlmap
Heuristic methods used in sqlmap
Miroslav Stampar
 
sqlmap - security development in Python
sqlmap - security development in Pythonsqlmap - security development in Python
sqlmap - security development in Python
Miroslav Stampar
 
Ppt on sql injection
Ppt on sql injectionPpt on sql injection
Ppt on sql injection
ashish20012
 
DNS exfiltration using sqlmap
DNS exfiltration using sqlmapDNS exfiltration using sqlmap
DNS exfiltration using sqlmap
Miroslav Stampar
 
Sql injection with sqlmap
Sql injection with sqlmapSql injection with sqlmap
Sql injection with sqlmap
Herman Duarte
 
Got database access? Own the network!
Got database access? Own the network!Got database access? Own the network!
Got database access? Own the network!
Bernardo Damele A. G.
 
SQL Injection
SQL Injection SQL Injection
SQL Injection
Adhoura Academy
 
Data Retrieval over DNS in SQL Injection Attacks
Data Retrieval over DNS in SQL Injection AttacksData Retrieval over DNS in SQL Injection Attacks
Data Retrieval over DNS in SQL Injection Attacks
Miroslav Stampar
 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
Sayed Ahmad Naweed
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
Mentorcs
 
Expanding the control over the operating system from the database
Expanding the control over the operating system from the databaseExpanding the control over the operating system from the database
Expanding the control over the operating system from the database
Bernardo Damele A. G.
 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
Asish Kumar Rath
 
Advanced SQL injection to operating system full control (whitepaper)
Advanced SQL injection to operating system full control (whitepaper)Advanced SQL injection to operating system full control (whitepaper)
Advanced SQL injection to operating system full control (whitepaper)
Bernardo Damele A. G.
 
Sql Injection attacks and prevention
Sql Injection attacks and preventionSql Injection attacks and prevention
Sql Injection attacks and prevention
helloanand
 
A Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionA Brief Introduction in SQL Injection
A Brief Introduction in SQL Injection
Sina Manavi
 
Sql injection in cybersecurity
Sql injection in cybersecuritySql injection in cybersecurity
Sql injection in cybersecurity
Sanad Bhowmik
 
Sqlmap
SqlmapSqlmap
Sqlmap
shamshad9
 
Sql injection
Sql injectionSql injection
Sql injection
Hemendra Kumar
 
SQL injection prevention techniques
SQL injection prevention techniquesSQL injection prevention techniques
SQL injection prevention techniques
SongchaiDuangpan
 
Sql injection
Sql injectionSql injection
Sql injection
Zidh
 
Sql injection
Sql injectionSql injection
Sql injection
Nitish Kumar
 
SQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationSQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint Presentation
Rapid Purple
 
How to identify and prevent SQL injection
How to identify and prevent SQL injection How to identify and prevent SQL injection
How to identify and prevent SQL injection
Eguardian Global Services
 
Smashing the Buffer
Smashing the BufferSmashing the Buffer
Smashing the Buffer
Miroslav Stampar
 
Curious Case of SQLi
Curious Case of SQLiCurious Case of SQLi
Curious Case of SQLi
Miroslav Stampar
 

Contenu connexe

Tendances

Advanced SQL injection to operating system full control (whitepaper)
Advanced SQL injection to operating system full control (whitepaper)Advanced SQL injection to operating system full control (whitepaper)
Advanced SQL injection to operating system full control (whitepaper)
Bernardo Damele A. G.
 
A Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionA Brief Introduction in SQL Injection
A Brief Introduction in SQL Injection
Sina Manavi
 

Tendances (20)

DNS exfiltration using sqlmap
DNS exfiltration using sqlmapDNS exfiltration using sqlmap
DNS exfiltration using sqlmap
 
Sql injection with sqlmap
Sql injection with sqlmapSql injection with sqlmap
Sql injection with sqlmap
 
Got database access? Own the network!
Got database access? Own the network!Got database access? Own the network!
Got database access? Own the network!
 
SQL Injection
SQL Injection SQL Injection
SQL Injection
 
Data Retrieval over DNS in SQL Injection Attacks
Data Retrieval over DNS in SQL Injection AttacksData Retrieval over DNS in SQL Injection Attacks
Data Retrieval over DNS in SQL Injection Attacks
 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
 
Expanding the control over the operating system from the database
Expanding the control over the operating system from the databaseExpanding the control over the operating system from the database
Expanding the control over the operating system from the database
 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
 
Advanced SQL injection to operating system full control (whitepaper)
Advanced SQL injection to operating system full control (whitepaper)Advanced SQL injection to operating system full control (whitepaper)
Advanced SQL injection to operating system full control (whitepaper)
 
Sql Injection attacks and prevention
Sql Injection attacks and preventionSql Injection attacks and prevention
Sql Injection attacks and prevention
 
A Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionA Brief Introduction in SQL Injection
A Brief Introduction in SQL Injection
 
Sql injection in cybersecurity
Sql injection in cybersecuritySql injection in cybersecurity
Sql injection in cybersecurity
 
Sqlmap
SqlmapSqlmap
Sqlmap
 
Sql injection
Sql injectionSql injection
Sql injection
 
SQL injection prevention techniques
SQL injection prevention techniquesSQL injection prevention techniques
SQL injection prevention techniques
 
Sql injection
Sql injectionSql injection
Sql injection
 
Sql injection
Sql injectionSql injection
Sql injection
 
SQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationSQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint Presentation
 
How to identify and prevent SQL injection
How to identify and prevent SQL injection How to identify and prevent SQL injection
How to identify and prevent SQL injection
 

En vedette

Advanced sql injection
Advanced sql injectionAdvanced sql injection
Advanced sql injection
badhanbd
 
MySQL Connector/J における SQL インジェクションの脆弱性
MySQL Connector/J における SQL インジェクションの脆弱性MySQL Connector/J における SQL インジェクションの脆弱性
MySQL Connector/J における SQL インジェクションの脆弱性
JPCERT Coordination Center
 
Spacewalkにおけるクロスサイト リクエストフォージェリ(CSRF)の脆弱性
Spacewalkにおけるクロスサイト リクエストフォージェリ(CSRF)の脆弱性Spacewalkにおけるクロスサイト リクエストフォージェリ(CSRF)の脆弱性
Spacewalkにおけるクロスサイト リクエストフォージェリ(CSRF)の脆弱性
JPCERT Coordination Center
 
Apache Tomcat における クロスサイトリクエストフォージェリ (CSRF) 保護メカニズム回避の脆弱性
Apache Tomcat における クロスサイトリクエストフォージェリ (CSRF) 保護メカニズム回避の脆弱性Apache Tomcat における クロスサイトリクエストフォージェリ (CSRF) 保護メカニズム回避の脆弱性
Apache Tomcat における クロスサイトリクエストフォージェリ (CSRF) 保護メカニズム回避の脆弱性
JPCERT Coordination Center
 
Blojsom におけるクロスサイトスクリプティングの脆弱性
Blojsom におけるクロスサイトスクリプティングの脆弱性Blojsom におけるクロスサイトスクリプティングの脆弱性
Blojsom におけるクロスサイトスクリプティングの脆弱性
JPCERT Coordination Center
 
Psychological science and beliefs
Psychological science and beliefsPsychological science and beliefs
Psychological science and beliefs
Lance Jones
 
Pelancaran bulan kecergasan 6 Julai 2013
Pelancaran bulan kecergasan 6 Julai 2013Pelancaran bulan kecergasan 6 Julai 2013
Pelancaran bulan kecergasan 6 Julai 2013
Laila Mustafa
 

En vedette (20)

Smashing the Buffer
Smashing the BufferSmashing the Buffer
Smashing the Buffer
 
Curious Case of SQLi
Curious Case of SQLiCurious Case of SQLi
Curious Case of SQLi
 
Riding the Overflow - Then and Now
Riding the Overflow - Then and NowRiding the Overflow - Then and Now
Riding the Overflow - Then and Now
 
2014 – Year of Broken Name Generator(s)
2014 – Year of Broken Name Generator(s)2014 – Year of Broken Name Generator(s)
2014 – Year of Broken Name Generator(s)
 
Hash DoS Attack
Hash DoS AttackHash DoS Attack
Hash DoS Attack
 
Analysis of mass SQL injection attacks
Analysis of mass SQL injection attacksAnalysis of mass SQL injection attacks
Analysis of mass SQL injection attacks
 
Spot the Web Vulnerability
Spot the Web VulnerabilitySpot the Web Vulnerability
Spot the Web Vulnerability
 
Advanced SQL Injection Attack & Defenses
Advanced SQL Injection Attack & DefensesAdvanced SQL Injection Attack & Defenses
Advanced SQL Injection Attack & Defenses
 
Advanced sql injection
Advanced sql injectionAdvanced sql injection
Advanced sql injection
 
Riding the Overflow - Then and Now
Riding the Overflow - Then and NowRiding the Overflow - Then and Now
Riding the Overflow - Then and Now
 
MySQL Connector/J における SQL インジェクションの脆弱性
MySQL Connector/J における SQL インジェクションの脆弱性MySQL Connector/J における SQL インジェクションの脆弱性
MySQL Connector/J における SQL インジェクションの脆弱性
 
Spacewalkにおけるクロスサイト リクエストフォージェリ(CSRF)の脆弱性
Spacewalkにおけるクロスサイト リクエストフォージェリ(CSRF)の脆弱性Spacewalkにおけるクロスサイト リクエストフォージェリ(CSRF)の脆弱性
Spacewalkにおけるクロスサイト リクエストフォージェリ(CSRF)の脆弱性
 
Apache Tomcat における クロスサイトリクエストフォージェリ (CSRF) 保護メカニズム回避の脆弱性
Apache Tomcat における クロスサイトリクエストフォージェリ (CSRF) 保護メカニズム回避の脆弱性Apache Tomcat における クロスサイトリクエストフォージェリ (CSRF) 保護メカニズム回避の脆弱性
Apache Tomcat における クロスサイトリクエストフォージェリ (CSRF) 保護メカニズム回避の脆弱性
 
Blojsom におけるクロスサイトスクリプティングの脆弱性
Blojsom におけるクロスサイトスクリプティングの脆弱性Blojsom におけるクロスサイトスクリプティングの脆弱性
Blojsom におけるクロスサイトスクリプティングの脆弱性
 
SQL injection exploitation internals
SQL injection exploitation internalsSQL injection exploitation internals
SQL injection exploitation internals
 
SQLMAP Tool Usage - A Heads Up
SQLMAP Tool Usage - A Heads UpSQLMAP Tool Usage - A Heads Up
SQLMAP Tool Usage - A Heads Up
 
Psychological science and beliefs
Psychological science and beliefsPsychological science and beliefs
Psychological science and beliefs
 
Pelancaran bulan kecergasan 6 Julai 2013
Pelancaran bulan kecergasan 6 Julai 2013Pelancaran bulan kecergasan 6 Julai 2013
Pelancaran bulan kecergasan 6 Julai 2013
 
CHS Reunion Slide Show 2001
CHS Reunion Slide Show 2001CHS Reunion Slide Show 2001
CHS Reunion Slide Show 2001
 
Pertandingan kawad kaki peringkat daerah seremban 1
Pertandingan kawad kaki peringkat daerah seremban 1Pertandingan kawad kaki peringkat daerah seremban 1
Pertandingan kawad kaki peringkat daerah seremban 1
 

Similaire à It all starts with the ' (SQL injection from attacker's point of view)

Scalable Web Solutions - Use Case: Regulatory Reform In Vietnam On eZ Publish...
Scalable Web Solutions - Use Case: Regulatory Reform In Vietnam On eZ Publish...Scalable Web Solutions - Use Case: Regulatory Reform In Vietnam On eZ Publish...
Scalable Web Solutions - Use Case: Regulatory Reform In Vietnam On eZ Publish...
Ivo Lukač
 
Methods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall EngMethods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall Eng
Dmitry Evteev
 
OWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesOWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root Causes
Marco Morana
 
Sql injection manish file
Sql injection manish fileSql injection manish file
Sql injection manish file
yukta888
 
SQL Server Security - Attack
SQL Server Security - Attack SQL Server Security - Attack
SQL Server Security - Attack
webhostingguy
 
6.Resource Exhaustion
6.Resource Exhaustion6.Resource Exhaustion
6.Resource Exhaustion
phanleson
 

Similaire à It all starts with the ' (SQL injection from attacker's point of view) (20)

Scalable Web Solutions - Use Case: Regulatory Reform In Vietnam On eZ Publish...
Scalable Web Solutions - Use Case: Regulatory Reform In Vietnam On eZ Publish...Scalable Web Solutions - Use Case: Regulatory Reform In Vietnam On eZ Publish...
Scalable Web Solutions - Use Case: Regulatory Reform In Vietnam On eZ Publish...
 
Methods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall EngMethods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall Eng
 
Detection of webshells in compromised perimeter assets using ML algorithms
Detection of webshells in compromised perimeter assets using ML algorithms Detection of webshells in compromised perimeter assets using ML algorithms
Detection of webshells in compromised perimeter assets using ML algorithms
 
4MMSR-3 web vulnerabilities-lecturer
4MMSR-3 web vulnerabilities-lecturer4MMSR-3 web vulnerabilities-lecturer
4MMSR-3 web vulnerabilities-lecturer
 
OWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesOWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root Causes
 
Real web-attack-scenario
Real web-attack-scenarioReal web-attack-scenario
Real web-attack-scenario
 
Top Security Threats for .NET Developers
Top Security Threats for .NET DevelopersTop Security Threats for .NET Developers
Top Security Threats for .NET Developers
 
zkStudyClub: Zero-Knowledge Proofs Security, in Practice [JP Aumasson, Taurus]
zkStudyClub: Zero-Knowledge Proofs Security, in Practice [JP Aumasson, Taurus]zkStudyClub: Zero-Knowledge Proofs Security, in Practice [JP Aumasson, Taurus]
zkStudyClub: Zero-Knowledge Proofs Security, in Practice [JP Aumasson, Taurus]
 
DNS Exfiltration Using sqlmap
DNS Exfiltration Using sqlmapDNS Exfiltration Using sqlmap
DNS Exfiltration Using sqlmap
 
HTML5 hacking
HTML5 hackingHTML5 hacking
HTML5 hacking
 
Sql injection manish file
Sql injection manish fileSql injection manish file
Sql injection manish file
 
Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?
 
SQL/JavaScript Hybrid Worms As Two-stage Quines
SQL/JavaScript Hybrid Worms As Two-stage Quines SQL/JavaScript Hybrid Worms As Two-stage Quines
SQL/JavaScript Hybrid Worms As Two-stage Quines
 
SQL Server Security - Attack
SQL Server Security - Attack SQL Server Security - Attack
SQL Server Security - Attack
 
QA Automation Extended Star
QA Automation Extended StarQA Automation Extended Star
QA Automation Extended Star
 
6.Resource Exhaustion
6.Resource Exhaustion6.Resource Exhaustion
6.Resource Exhaustion
 
Network Security Data Visualization
Network Security Data VisualizationNetwork Security Data Visualization
Network Security Data Visualization
 
HTML5 storage and communication - Zohar Arad
HTML5 storage and communication - Zohar AradHTML5 storage and communication - Zohar Arad
HTML5 storage and communication - Zohar Arad
 
Cross Domain Access Policy solution using Cross Origin Resource sharing
Cross Domain Access Policy solution using Cross Origin Resource sharingCross Domain Access Policy solution using Cross Origin Resource sharing
Cross Domain Access Policy solution using Cross Origin Resource sharing
 
Enabling Worm and Malware Investigation Using Virtualization
Enabling Worm and Malware Investigation Using VirtualizationEnabling Worm and Malware Investigation Using Virtualization
Enabling Worm and Malware Investigation Using Virtualization
 

Plus de Miroslav Stampar

Plus de Miroslav Stampar (8)

sqlmap - "One Tiny Step At a Time"
sqlmap - "One Tiny Step At a Time"sqlmap - "One Tiny Step At a Time"
sqlmap - "One Tiny Step At a Time"
 
Blind WAF identification
Blind WAF identificationBlind WAF identification
Blind WAF identification
 
sqlmap internals
sqlmap internalssqlmap internals
sqlmap internals
 
Why everybody should do CTF / Wargames?
Why everybody should do CTF / Wargames?Why everybody should do CTF / Wargames?
Why everybody should do CTF / Wargames?
 
Improving Network Intrusion Detection with Traffic Denoise
Improving Network Intrusion Detection with Traffic DenoiseImproving Network Intrusion Detection with Traffic Denoise
Improving Network Intrusion Detection with Traffic Denoise
 
APT Attacks on Critical Infrastructure
APT Attacks on Critical InfrastructureAPT Attacks on Critical Infrastructure
APT Attacks on Critical Infrastructure
 
WARNING: Do Not Feed the Bears
WARNING: Do Not Feed the BearsWARNING: Do Not Feed the Bears
WARNING: Do Not Feed the Bears
 
Non-Esoteric XSS Tips & Tricks
Non-Esoteric XSS Tips & TricksNon-Esoteric XSS Tips & Tricks
Non-Esoteric XSS Tips & Tricks
 

Dernier

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Principled Technologies
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 

Dernier (20)

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 

It all starts with the ' (SQL injection from attacker's point of view)

  • 1. It all starts with the ' (SQL injection from attacker's point of view) Miroslav Štampar (dev@sqlmap.org)
  • 2. What is SQL injection? “SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of DBMS server for parsing and execution” (source: msdn.microsoft.com) FSec – FOI 2011, Varaždin (Croatia) September 23, 2011 2
  • 3. What is SQL injection? (2)  In plain speak, SQL injection is (mostly) about the unauthorized DBMS data access  Just in special cases, it's about the data modification together with system takeover  “Hello World” vulnerable code example (PHP/MySQL):  $sql = "SELECT * FROM table_name WHERE id =  " . $_GET["id"];  $result = mysql_query($sql) FSec – FOI 2011, Varaždin (Croatia) September 23, 2011 3
  • 4. Well known cases  In period 2005 till 2007 Albert Gonzalez has stolen 130 million credit card numbers  June 2007 – Microsoft U.K. Website defaced  December 2009 – RockYou (32 million credentials stolen)  December 2009 – NASA  July 2010 – The Pirate Bay FSec – FOI 2011, Varaždin (Croatia) September 23, 2011 4
  • 5. Well known cases (2)  February 2011 – HBGary (Anonymous)  March 2011 – MySQL  March & May 2011 – Comodo (certificate reseller)  June 2011 – Sony, PBS (@LulzSec)  August 2011 – Nokia  September 2011 – NetNames DNS records (Betfair, The Telegraph, The Register, The National Geographic, UPS, Vodafone...) FSec – FOI 2011, Varaždin (Croatia) September 23, 2011 5
  • 6. Attackers' motivation number of vulnerable sites collected x  time spent on each site = const. time spent on particular target /  motivation = const. (target = multiple (co)sites) FSec – FOI 2011, Varaždin (Croatia) September 23, 2011 6
  • 7. Attackers' profiles 1) Targeting easy targets, unfocused, fast pace, predictable behavior, blabbering, don't really care about the target (“script kiddies”) 2) Persistent, focused, slow motion, covert, silent, higher than average technical skills, highly motivated (money, extortion, fame) (“black hats”/“crackers”/”bad guys”) 3) For fun and knowledge, could warn you about the problem found, don't want to cause any damage (”gray hats”/”hackers”/”good guys”) FSec – FOI 2011, Varaždin (Croatia) September 23, 2011 7
  • 8. SQL injection techniques  Boolean/Blind – AND 1=1, slow, 1 bit per request, page differentiation based, low difference ratio represents True response, False otherwise (in most common cases)  Error-based – CONVERT(INT,(<subquery>)), fast, 1 (sub)query result per request, based on inclusion of subquery result(s) inside DBMS error message  Union/Inband – UNION ALL SELECT NULL,...,  (<subquery>),NULL,NULL,..., fastest, in FULL variant whole table dump per request, in PARTIAL variant 1 query result per request FSec – FOI 2011, Varaždin (Croatia) September 23, 2011 8
  • 9. SQL injection techniques (2)  Time-based – AND 1=IF(2>1,  BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,1 12))),0), slowest, 1 bit per request, delay represents True response, False otherwise  Stacked – ;INSERT INTO users VALUES (10,  'test', 'testpass'), affecting mainly Microsoft SQL and PostgreSQL platforms, required for data modification, system access (e.g. xp_cmdshell), UDF injection, there are also time and error-based variants for data retrieval  Other (DNS exfiltration, “Lateral”, Second order attacks, etc.) FSec – FOI 2011, Varaždin (Croatia) September 23, 2011 9
  • 10. Attacking phases  Most SQL injection attacks can be dissected into following phases: 1) Searching for a vulnerable parameter (aka. “Injection point”) 2) Fingerprinting backend DBMS (for usage of proper payloads – e.g. error-based) 3) Finding a fastest applicable technique (U>E>B>T=S) 4) Enumeration (retrieving data of interest – e.g. usernames and passwords) 5) Eventual post-exploatation (underlying OS access, data modification, web server takeover) FSec – FOI 2011, Varaždin (Croatia) September 23, 2011 10
  • 11. Attacking workflow (1)  Finding a potential target – underground forums (e.g. antichat.ru), IRC channels, Google (e.g. dorks), domain scanning (e.g. nmap ­p 80), SHODAN (specialized Computer Search Engine), “drive-by” (e.g. proxying of all casual everyday traffic), “hit-list”, etc.  Manual web-browser based GET/POST parameter tampering with “poisonous” SQL characters (e.g. appending character ' to the end of the original parameter value) FSec – FOI 2011, Varaždin (Croatia) September 23, 2011 11
  • 12. Attacking workflow (2)  In case of a contained DBMS error attacker immediately proceeds with the “proper” (DBMS dependent) error-based payloads   FSec – FOI 2011, Varaždin (Croatia) September 23, 2011 12
  • 13. Attacking workflow (3)  Otherwise, following step is the usage of common boolean based payloads (e.g. AND  1=1­­%20, OR 1=1­­%20, etc.)   FSec – FOI 2011, Varaždin (Croatia) September 23, 2011 13
  • 14. Attacking workflow (4)  Along the attacking line, proper SQL injection prefix/suffix combination has to be “guessed”  For example, different payloads are needed in cases: ”SELECT * WHERE id='.$_GET[“id”] and ”SELECT * WHERE id=('.$_GET[“id”]')”  Adds one more dimension to the problem (more combinations)  Most common prefixes are: <blank>, ', “, '), “)  Problem of suffix finding can be most often circumvented by the usage of generic comment form: ­­%20 FSec – FOI 2011, Varaždin (Croatia) September 23, 2011 14
  • 15. Attacking workflow (5)  In case that boolean/blind injection worked, there is a great possibility for union/inband  Brute-force search for proper column number  ORDER BY fast column number finding technique  Looking if it's a partial or full inband case  Finding usable (presented) column FSec – FOI 2011, Varaždin (Croatia) September 23, 2011 15
  • 16. Attacking workflow (6)  If everything fails attacker could proceed (high motivation required) with common time-based payloads and/or stacked queries  Most commonly, this happens in INSERT/UPDATE/DELETE SQL injection cases (and DBMS error messages are suppressed)  Common payloads are: AND  1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(97))),0), ;IF(2>1) WAITFOR DELAY '0:0:5', ;SELECT COUNT(*)  FROM GENERATE_SERIES(1,5000000), etc. FSec – FOI 2011, Varaždin (Croatia) September 23, 2011 16
  • 17. Attacking workflow (7)  Enumeration phase consists of retrieving (”stealing”) data of interest:  Database and table names  Table dumps (e.g. users, admin,...)  System stored usernames and password hashes  User privileges and roles  Highly DBMS dependent (system database and table names, common function names, etc.)  Usage of automated tools is highly preferable in boolean/blind and time-based techniques FSec – FOI 2011, Varaždin (Croatia) September 23, 2011 17
  • 18. Attacking workflow (8)  Eventual post-exploitation is highly bounded by the applicable SQL injection technique(s) and current user privileges  Best/worst case scenario is the availability of stacked technique along with the “admin” privileges  UDF injection (e.g. functions for OS command execution), web shell (e.g. union/inband MySQL INTO OUTFILE), Metasploit payload upload and execution (e.g. stacked Microsoft SQL xp_cmdshell()), etc. FSec – FOI 2011, Varaždin (Croatia) September 23, 2011 18
  • 19. Process automation 1) Web Application Assessment Proxy (optional) – BURP, WebScarab 2) Automatic SQL injection detection and exploitation tool – sqlmap, Havij, sqlninja 3) Second order exploitation framework – Metasploit (optional) FSec – FOI 2011, Varaždin (Croatia) September 23, 2011 19
  • 20. Introducing sqlmap  “sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database server(s)”  Unofficially, sqlmap is AIO (All-In-One) SQL injection tool  Over 10,000 repository updates and/or checkouts on a monthly basis  Part of most popular security distributions: Backtrack, Backbox, Web Security Dojo, OWASP Web Testing,... FSec – FOI 2011, Varaždin (Croatia) September 23, 2011 20
  • 21. sqlmap capabilities  Fully supported backend DBMSes (and growing): MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, SQLite, Firebird, Sybase and SAP MaxDB  Fully supported SQL injection techniques: Boolean/Blind, Error-based, Union/Inband (partial & full), Timed-based, Stacked  Enumeration of: database users, users' password hashes, users' privileges, users' roles, databases, tables and columns, etc. FSec – FOI 2011, Varaždin (Croatia) September 23, 2011 21
  • 22. sqlmap capabilities (2)  Automatic recognition and cracking of password hashes  Support for IDS/WAF evasion in form of “tampering” scripts  Web server file upload/download  Arbitrary OS command execution and retrieval of standard console output  Establishment of an out-of-band TCP/UDP connection between the attacker's machine and the database server (Metasploit, ICMPsh) FSec – FOI 2011, Varaždin (Croatia) September 23, 2011 22
  • 23. Closing words (for attackers)  Learn SQL more than "well" – “SQL injection is 100% SQL. The rest is injection”  Setup (virtual) vulnerable environment entirely by yourself – for gaining better mindset and possessing LEGAL assessment testing machine  Mimic with comprehension what other “attackers” do – including automated tools (e.g. sqlmap)  Research defensive mechanisms – for advanced comprehension of the topic FSec – FOI 2011, Varaždin (Croatia) September 23, 2011 23
  • 24. Closing words (for defenders)  Use (only) prepared SQL statements (bullet- proof against SQL injection attacks)  Self-filtering procedures are prone to common “programmer's” mistakes (e.g. forgetting to hard type-cast the integer parameter value)  Turn-off error (DBMS) reports  Use least privileged run (non-admin “query” user)  Always expect worst scenario and setup accordingly (e.g. use GRANT/REVOKE mechanism accordingly) FSec – FOI 2011, Varaždin (Croatia) September 23, 2011 24
  • 25. Questions? FSec – FOI 2011, Varaždin (Croatia) September 23, 2011 25