
SQL Injections Intro.

Greg Bugaj, SCJP ISSA DC 405

6/21/2013

Agenda
- Disclaimer
- What are SQL injections
- Intro to SQL
- Attack vectors
- Bypassing filters
- Demos
- Countermeasures
- Questions

Disclaimer

- All code shown today is for educational and research purposes only.
- In many countries it is illegal to use this type of attack.
- Owners of the demonstrated websites have been notified of the problem.

SQL Injections
SQL injection is a code injection technique that exploits a security vulnerability in an application. The vulnerability lies at the database layer of the application.

SQL (Structured Query Language) is the language used to communicate with the database; the examples here use ANSI-compliant SQL.

SQL Injections
Possible impact:
- Authentication bypass
- Information disclosure
- Compromised data integrity
- Compromised availability of data
- Remote command execution

Basic SQL
- SELECT
- INSERT
- UPDATE
- DELETE
- UNION
- SQL statement breakdown

SQL - Select
1. Select information from a table

    SELECT * FROM table WHERE field=1

SQL - Insert
1. Add new records to the database (string values must be quoted)

    INSERT INTO tablename (id, name) VALUES (10, 'Greg')

SQL - Update
1. Update existing records

    UPDATE table SET fieldA=123 WHERE somefield=2323

Without a WHERE clause every row in the table is updated:

    UPDATE table SET fieldB='Greg'

SQL - Delete
1. Delete records

    DELETE FROM tableA WHERE somefield=1221

Without a WHERE clause every row in the table is deleted:

    DELETE FROM tableA

SQL - Union
1. Combine the results of two or more SELECT statements

    SELECT column_name(s) FROM table_name1
    UNION
    SELECT column_name(s) FROM table_name2

Terminators

; (semicolon) ends the current SQL query and starts a new one (stacked query):

    SELECT * FROM users ; DROP TABLE users

-- (double dash) ignores the remainder of the query string:

    Select * FROM users -- limit 10

The two can be used in conjunction; the injected value closes the string, stacks a second statement and comments out the rest of the original query:

    SELECT * FROM users WHERE id=''; DROP TABLE users; -- ' AND password=''

Where Clause Pruning

A powerful SQL trick for allowing one query to return either the full set or a specified subset. Since 1=1 is always TRUE, an OR branch that is always true removes the restriction imposed by the WHERE clause:

    SELECT * FROM users WHERE (id = :id) OR (-1 = :id)

With :id = -1 every row is returned; with any other value only the matching row.

SQL Injection Cause

Executed via the front end of the web application.

GET URL parameters:

    http://host.com/item.php?cat=1&id=11

Form POST fields:

    <form action=some.php method=post>
      <input name='name'/>
      <input type='password' name='passwd'/>
    </form>

Techniques

Normal SQL injections
- Errors and exceptions
- Unexpected output
- O'Reilly != O\'Reilly (unescaped vs. escaped quote)

Blind SQL injections
- No errors
- A lot of guesswork
- Introduction of a delay as part of a malicious SQL statement

SQL Injection Types

Passive
- Exposing database information
- Information retrieval

Active
- Altering database information
- Insertion
- Deletion

Testing for Vulnerability

- Manual: time consuming
- Automated: SQL injection scanners only scan for known vulnerabilities
- Google: search for leaked error strings such as "Incorrect syntax near"

Toolbox

- SQLIer
- SQLbftools
- SQLibf
- SQLBrute
- BobCat
- SQLMap
- Absinthe
- SQL Injection Pen-testing Tool
- SQID
- SQLNinja
- FJ-Injector Framework
- Automagic SQL Injector
- NGSS SQL Injector

Identifying Vulnerable Site

Given unexpected input the site behaves oddly. Probe values:
- '   (single quote)
- "   (double quote)
- 1'  (one, single quote)
- a'  (a, single quote)
- ;'  (semicolon, single quote)

Input: Satan's little minion

Output:

    Nothing found for Satan\s little minion
    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'

Identifying Vulnerable Site

Typical probe strings:
- ' or 1=1--
- " or 1=1--
- or 1=1--
- ' or 'a'='a
- " or "a"="a
- ') or ('a'='a

Bypassing Filters

Escaping entities:
- %26%23039 == &#039 == ' (single quote)
- %26 == &
- %23 == #
- 039 is the entity number

    Select * FROM users WHERE username=secret%26%23039 OR %26%23039X%26%23039=%26%23039X

Evaluated as:

    Select * FROM users WHERE username=secret OR X = X

This evaluates to always true.

CHAR function:

    Char(83,101,108,101,99,116,32,42,32,102,114,111,109,32,117,115,101,114,115)

decodes to

    Select * from users

CONCAT and HEX functions:

    CONCAT('0x', HEX('/var/log/messages'))

gives

    0x2F7661722F6C6F672F6D65737361676573

Bypassing Filters

Injecting a quoted file name:

    AND 1=(SELECT LOAD_FILE('var/log/messages') )

MySQL error:

    '\'var/log/messages\') ) limit 5 = 1 order by average desc limit 10' at line 1)

Bypassing Filters

    1=(SELECT LOAD_FILE('var/log/messages') )

MySQL Error 1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'var/log/messages\') ) limit 5 -- = 1 order by average desc limit 10' at line 1

The application escapes the quotes (note the \' in the error), so the quoted form breaks. The hex form from the previous slide needs no quotes:

    1=(SELECT LOAD_FILE(0x2F7661722F6C6F672F6D65737361676573))

Bypassing Blacklists
What are blacklists? A list of forbidden keywords, e.g. blacklist (DELETE, EXEC).
Inline comments split the keyword so the blacklist no longer matches it:

    DEL/**/ETE
    D/**EVIL**/ELE/**/TE

Escape Characters

    %26%23039 OR %26%23039X%26%23039=%26%23039X

decodes to

    ' OR 'X'='X

Demos
Prerecorded demos


Countermeasures
System administrators
- Whitelist / blacklist input validation
- Least privileges
- Application firewalls

Developer
- Stored procedures
- Parameterized queries
- Exception handling
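As an added example (not from the deck), the authentication query built by string concatenation beside its parameterized form, run against a constructed in-memory SQLite users table, plus the deck's where-clause-pruning query with a bound named parameter. The ' or 'a'='a payload from the Identifying Vulnerable Site slide logs in through the concatenated query and is treated as a plain string by the parameterized one.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the deck's users table (assumption: plaintext
    passwords, to keep the focus on how the query is built)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "s3cret"), (2, "greg", "hunter2")])
    return conn


def login_concat(conn, username: str, password: str) -> bool:
    """Vulnerable form: input is pasted into the SQL text, so a quote in the
    input ends the string literal and the rest is parsed as SQL."""
    sql = ("SELECT * FROM users WHERE username='" + username +
           "' AND password='" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_param(conn, username: str, password: str) -> bool:
    """Parameterized form: the driver binds placeholders as data, so the same
    input is compared as a string and never parsed as SQL."""
    sql = "SELECT * FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def users_by_id(conn, id_value: int) -> list:
    """Where-clause pruning with a bound named parameter: -1 returns every
    row, any other value returns only the matching row."""
    sql = "SELECT id FROM users WHERE (id = :id) OR (-1 = :id) ORDER BY id"
    return [row[0] for row in conn.execute(sql, {"id": id_value})]


if __name__ == "__main__":
    db = make_db()
    bypass = "' or 'a'='a"  # payload from the Identifying Vulnerable Site slide
    print("concat  :", login_concat(db, "admin", bypass))  # True: bypassed
    print("param   :", login_param(db, "admin", bypass))   # False: literal
    print("O'Reilly:", login_param(db, "O'Reilly", "x"))   # False, no error
    print("pruning :", users_by_id(db, -1), users_by_id(db, 2))
```

With the concatenated query the O'Reilly username raises a syntax error, which is the error-based signal the Techniques slide describes; the parameterized query simply returns no row.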

Whitelist Input Validation

UrlScan v3.0
Restricts the types of HTTP requests that IIS will process; a rule section denying common SQL keywords:

    [SQL Injection Headers]
    AppliesTo=.asp,.aspx
    [SQL Injection Headers Strings]
    --
    @ ; also catches @@
    alter
    delete
    drop
    exec
    insert

SNORT
Create a rule to check for SQL attacks:

    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL Injection"; flow:to_server,established; uricontent:".php | .aspx | .asp"; pcre:"/(\%27)|(\')|(\-\-)|(%23)|(#)/i"; classtype:web-application-attack; sid:9099; rev:5;)
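As an added example (not from the deck), the rule's pcre run over a few constructed request URIs in Python, to show what the signature flags and what it does not: the legitimate apostrophe in O'Reilly from the Techniques slide fires as well, and the entity-encoded request from the Bypassing Filters slide matches only because %23 happens to be a substring of the encoding. The sample URIs are constructed, not captured traffic.

```python
import html
import re
from urllib.parse import unquote

# The pcre from the Snort rule above, compiled as a Python regex
# (same alternatives, case-insensitive): %27, ', --, %23 and #.
SNORT_SQLI_RE = re.compile(r"(\%27)|(\')|(\-\-)|(%23)|(#)", re.IGNORECASE)

# Constructed sample request URIs.
SAMPLE_URIS = [
    "/item.php?cat=1&id=11",                                  # benign
    "/item.php?cat=1&id=11%27%20or%201=1--",                  # ' or 1=1--
    "/login.asp?name=admin&passwd=%27%20or%20%27a%27=%27a",   # ' or 'a'='a
    "/search.php?q=O%27Reilly",                               # legitimate apostrophe
    # entity-encoded quote; fires only because "%23" (meant for '#') is a substring
    "/item.php?id=11%26%23039%20OR%20%26%23039X%26%23039=%26%23039X",
]


def matches_rule(uri: str) -> bool:
    """True when the rule's pcre would fire on this request URI."""
    return SNORT_SQLI_RE.search(uri) is not None


def flag_requests(uris):
    """Return the URIs the rule would alert on, in input order."""
    return [u for u in uris if matches_rule(u)]


def decode_request(uri: str) -> str:
    """What the application sees after URL decoding and HTML-entity decoding
    (the %26%23039 -> &#039 -> single quote chain from the deck)."""
    return html.unescape(unquote(uri))


if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        verdict = "ALERT" if matches_rule(uri) else "pass "
        print(verdict, uri, "->", decode_request(uri))
```

The rule uses uricontent, so it inspects the URI only; the POST form fields from the SQL Injection Cause slide are not covered by it.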


Least Privileges
- Enforce least privileges (e.g. on CREATE / DELETE)
- Does not guarantee security on its own
- Give access to only a portion of the data: create views

Application Firewalls
Software
- Easy to install and maintain

Hardware
- Expensive
- Plug and play

Examples: dotDefender, webApp.SECURE, SonicWALL, WatchGuard

References

- http://www.owasp.org/index.php/OWASP_Testing_Guide_Appendix_C:_Fuzz_Vectors#Passive_SQL_Injection_.28SQP.29
- http://upload.wikimedia.org/wikipedia/en/a/aa/SQL_ANATOMY_wiki.svg
- http://www.cisco.com/web/about/security/intelligence/sql_injection.html
