6/21/2013
Agenda
Disclaimer
What are SQL Injections
Intro to SQL
Attack Vectors
Bypassing Filters
Demos
Countermeasures
Questions
Disclaimer
All code shown today is for educational and research purposes only.
In many countries it is illegal to use this type of attack.
The owners of the websites demonstrated have been notified of the problem.
SQL Injections
SQL injection is a code injection technique that exploits a security vulnerability in an application; it occurs at the database layer of the application.
SQL - Structured Query Language
Used to communicate with the database
ANSI-compliant SQL
SQL Injections - Impact
Authentication bypass
Information disclosure
Compromised data integrity
Compromised availability of data
Remote command execution
Basic SQL
Select
Insert
Update
Delete
Union
SQL statement breakdown
SQL - Select
1. Select information from a table
SELECT * FROM table WHERE field=1
SQL - Insert
1. Add new records to the database
INSERT INTO tablename (id, name) VALUES (10, 'Greg')
SQL - Update
1. Update existing records
UPDATE table SET fieldA=123 WHERE somefield=2323
SQL - Delete
1. Delete records
DELETE FROM tableA WHERE somefield=1221
SQL - Union
1. Combine the results of two or more SELECT statements
SELECT column_name(s) FROM table_name1 UNION SELECT column_name(s) FROM table_name2
Terminators
; (semicolon) ends the current SQL query and starts a new one (stacked query):
SELECT * FROM users; DROP TABLE users
-- (double dash) makes the database ignore the remainder of the query string:
SELECT * FROM users -- limit 10
The two can be used in conjunction:
SELECT * FROM users WHERE id=''; DROP TABLE users; -- ' AND password=''
Attack Vectors
Executed via the front end of the web application.
GET URL parameters:
http://host.com/item.php?cat=1&id=11
Form POST fields:
<form action=some.php method=post>
  <input name='name'/>
  <input type='password' name='passwd'/>
</form>
Techniques
Normal SQL Injections
Errors and exceptions returned by the application
Unexpected output
A single quote is the classic probe: O'Reilly != O\'Reilly (unescaped vs. escaped)
Blind SQL Injections
No errors are returned
A lot of guesswork
Introduction of a delay as part of a malicious SQL statement, so the response time reveals the result
Toolbox
SQLIer
SQLbftools
SQLibf
SQLBrute
BobCat
SQLMap
Absinthe
SQL Injection Pen-testing Tool
SQID
SQLNinja
FJ-Injector Framework
Automagic SQL Injector
NGSS SQL Injector
Bypassing Filters
Escaping entities
%26%23039 == &#039; == ' (single quote)
%26 == &
%23 == #
039 == the HTML entity number of the single quote
SELECT * FROM users WHERE username=secret%26%23039 OR %26%23039X%26%23039=%26%23039X
Evaluated as:
SELECT * FROM users WHERE username='secret' OR 'X'='X'
This evaluates to always true; a filter that only strips literal quotes never sees one, but the entity is decoded before the query is built.
Char function
CHAR(83,101,108,101,99,116,32,42,32,102,114,111,109,32,117,115,101,114,115) == Select * from users
Concat and Hex functions
CONCAT('0x', HEX('/var/log/messages')) == 0x2F7661722F6C6F672F6D65737361676573
Bypassing Filters
Injecting:
AND 1=(SELECT LOAD_FILE('var/log/messages'))
MySQL Error:
'\'var/log/messages\') ) limit 5 = 1 order by average desc limit 10' at line 1)
Bypassing Filters
1=(SELECT LOAD_FILE('var/log/messages'))
MySQL Error: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'var/log/messages\') ) limit 5 -- = 1 order by average desc limit 10' at line 1)
The application escapes the single quotes (\'), so the quoted path breaks the query instead of being read.
Char / Hex: a hex literal needs no quotes, so the escaping does not apply:
1=(SELECT LOAD_FILE(0x2F7661722F6C6F672F6D65737361676573))
Bypassing Blacklists
What are blacklists: input is rejected if it contains a listed keyword, e.g. Blacklist (DELETE, EXEC)
Inline comments split the keyword so the blacklist no longer matches it, while the database strips the comments and executes it:
DEL/**/ETE
/**/
D/**EVIL**/ELE/**/TE
Escape Characters
%26%23039 OR %26%23039X%26%23039=%26%23039X
decodes to:
' OR 'X'='X
Demos
Prerecorded demos
Countermeasures
System Administrators
Whitelist / blacklist input validation
Least privileges
Application firewalls
Developer
Stored procedures
Parameterized queries
Exception handling
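The developer countermeasures in one runnable comparison. This is an added example, not code from the deck: it builds a constructed in-memory SQLite "users" table (the table name is assumed from the slides), runs the slides' always-true payload and the O'Reilly quote through a concatenated query and through a parameterized one, adds a whitelist check for a numeric id parameter, and shows where exception handling belongs. All function names are this example's own.

```python
import re
import sqlite3


# Constructed demo database (assumption: a "users" table shaped like the one
# on the slides, holding one account). Not part of the original deck.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (id, username, password) VALUES (1, 'secret', 'hunter2')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The 'before': user input is pasted into the SQL text, so a quote in the
    input changes the query itself. Returns the matched user id, or None."""
    query = ("SELECT id FROM users WHERE username='" + username
             + "' AND password='" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """The fix: placeholders keep the SQL text fixed and the values are bound
    separately, so a quote (or OR, or --) in the input is only ever data."""
    row = conn.execute(
        "SELECT id FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Whitelist validation for a numeric parameter such as id=11 in the GET
# example: accept only 1-9 digits and reject everything else before it
# gets anywhere near SQL.
_ID_RE = re.compile(r"[0-9]{1,9}")


def item_by_id(conn, raw_id):
    if not _ID_RE.fullmatch(raw_id):
        raise ValueError("id must be 1-9 digits")
    row = conn.execute("SELECT username FROM users WHERE id=?", (int(raw_id),)).fetchone()
    return row[0] if row else None


def demo():
    """Run the same inputs through both versions and report what each returns."""
    conn = make_db()
    always_true = "' OR 'X'='X"  # the slides' always-true payload
    results = {
        "vuln_normal": login_vulnerable(conn, "secret", "hunter2"),
        # WHERE username='' OR 'X'='X' AND password='' OR 'X'='X' -> true
        "vuln_bypass": login_vulnerable(conn, always_true, always_true),
        "param_normal": login_parameterized(conn, "secret", "hunter2"),
        # the whole payload is compared as a username string -> no match
        "param_bypass": login_parameterized(conn, always_true, always_true),
    }
    # Exception handling: a stray quote (O'Reilly) breaks the concatenated
    # query. Catch database errors and never return the raw message to the
    # client; that message is what the "Normal SQL Injections" technique uses.
    try:
        login_vulnerable(conn, "O'Reilly", "x")
        results["vuln_quote"] = "no error"
    except sqlite3.Error:
        results["vuln_quote"] = "error"
    results["param_quote"] = login_parameterized(conn, "O'Reilly", "x")
    try:
        item_by_id(conn, "11 OR 1=1")
        results["id_check"] = "accepted"
    except ValueError:
        results["id_check"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:13} -> {value}")
```

The point of the side-by-side is that the parameterized version needs no blacklist and no escaping logic at all: the database never parses the input as SQL, so the entity, CHAR and inline-comment tricks from the earlier slides have nothing to bypass. The whitelist on the id parameter is the cheap extra layer for values that are never supposed to be free text.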
SNORT
Create a rule to check for SQL attacks. Snort content strings use | to delimit hex bytes, so the ".php / .aspx / .asp" check is written as a pcre against the URI; the second pcre fires on any quote, --, or #, so expect noise on legitimate input such as O'Reilly.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL Injection"; flow:to_server,established; pcre:"/\.(php|aspx?)/Ui"; pcre:"/(\%27)|(\')|(\-\-)|(%23)|(#)/i"; classtype:web-application-attack; sid:9099; rev:5;)
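To see what that rule does and does not catch, here is the same matching logic applied to a handful of request lines. This is an added example, not part of the deck: the request lines are constructed (the URIs reuse the deck's item.php and payloads), the two regular expressions mirror the rule's extension gate and its marker alternation on the raw URI, and the function names are this example's own.

```python
import re

# Constructed HTTP request lines (assumption: what the sensor sees on the
# wire). The URIs reuse the item.php example and payloads from the slides.
SAMPLE_REQUESTS = [
    "GET /item.php?cat=1&id=11 HTTP/1.1",
    "GET /item.php?cat=1&id=11'%20OR%20'X'='X HTTP/1.1",
    "GET /item.php?id=11%27%20OR%201=1 HTTP/1.1",
    "GET /item.php?id=1;DROP%20TABLE%20users;-- HTTP/1.1",
    "GET /search.php?author=O'Reilly HTTP/1.1",
    "GET /item.php?id=1%20AND%201=(SELECT%20LOAD_FILE(0x2F7661722F6C6F672F6D65737361676573)) HTTP/1.1",
    "GET /static/logo.png?v=3#top HTTP/1.1",
]

# Same alternation as the rule's pcre option, matched case-insensitively
# against the raw (not URL-decoded) request URI.
SQLI_MARKERS = re.compile(r"(%27)|(')|(--)|(%23)|(#)", re.IGNORECASE)
# The rule's ".php / .aspx / .asp" gate on the requested script.
SCRIPT_EXT = re.compile(r"\.(php|aspx?)(\?|/|$)", re.IGNORECASE)


def inspect_request_line(line):
    """Return 'alert' if the request URI would trip the rule, 'pass' if it
    would not, or 'skip' for something that is not an HTTP request line."""
    parts = line.split(" ")
    if len(parts) != 3:
        return "skip"
    uri = parts[1]
    if not SCRIPT_EXT.search(uri):
        return "pass"  # rule only looks at .php/.asp/.aspx requests
    return "alert" if SQLI_MARKERS.search(uri) else "pass"


def triage(lines):
    """Pair each request line with its verdict."""
    return [(line, inspect_request_line(line)) for line in lines]


if __name__ == "__main__":
    for line, verdict in triage(SAMPLE_REQUESTS):
        print(f"{verdict:5}  {line}")
```

Two of the verdicts are the ones worth discussing when tuning: the O'Reilly search is a false positive, because the rule keys on the quote character rather than on SQL structure, and the hex LOAD_FILE request from the Bypassing Filters slides is a miss, because it contains no quote, comment or hash at all. The rule also only inspects the URI, so the form POST fields from the Attack Vectors slide are not covered by it.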
Least Privileges
Enforce least privileges: the database account used by the application should not hold rights it does not need, such as CREATE / DELETE.
This limits the damage of a successful injection but does not guarantee security.
Application Firewalls
Software
Easy to install and maintain
Hardware
Expensive, plug and play
Examples:
dotDefender
webApp.SECURE
SonicWALL
WatchGuard