SQL injection attacks and defense - GBV

SQL Injection Attacks and Defense

Second Edition

Justin Clarke

ELSEVIER

AMSTERDAM • BOSTON • HEIDELBERG • LONDON

NEW YORK • OXFORD • PARIS • SAN DIEGO

SAN FRANCISCO • SINGAPORE • SYDNEY • TOKYO

Syngress is an Imprint of Elsevier

Contents

Acknowledgements v

Dedication vii

Contributing Authors ix

Lead Author and Technical Editor xiii

Introduction xxvii

CHAPTER 1 What Is SQL Injection? 1

Introduction 1

Understanding How Web Applications Work 2

A Simple Application Architecture 3

A More Complex Architecture 4

Understanding SQL Injection 6

High-Profile Examples 9

Understanding How It Happens 13

Dynamic String Building 13

Incorrectly Handled Escape Characters 14

Incorrectly Handled Types 15

Incorrectly Handled Query Assembly 17

Incorrectly Handled Errors 18

Incorrectly Handled Multiple Submissions 19

Insecure Database Configuration 21

Summary 23

Solutions Fast Track 24

Frequently Asked Questions 25

CHAPTER 2 Testing for SQL Injection 27

Introduction 27

Finding SQL Injection 27

Testing by Inference 28

Identifying Data Entry 28

Manipulating Parameters 32

Information Workflow 35

Database Errors 36

Commonly Displayed SQL Errors 37

Application Response 49

Generic Errors 49

HTTP Code Errors 52

Different Response Sizes 53


Blind Injection Detection 54

Confirming SQL Injection 58

Differentiating Numbers and Strings 58

Inline SQL Injection 59

Injecting Strings Inline 59

Injecting Numeric Values Inline 63

Terminating SQL Injection 65

Database Comment Syntax 65

Using Comments 67

Executing Multiple Statements 70

Time Delays 74

Automating SQL Injection Discovery 76

Tools for Automatically Finding SQL Injection 77

HP WebInspect 77

IBM Rational AppScan 79

HP Scrawlr 80

SQLiX 82

Paros Proxy/Zed Attack Proxy 83

Summary 85

Solutions Fast Track 85

Frequently Asked Questions 87

CHAPTER 3 Reviewing Code for SQL Injection 89

Introduction 89

Reviewing Source Code for SQL Injection 89

Dangerous Coding Behaviors 92

Dangerous Functions 99

Following the Data 104

Following Data in PHP 104

Following Data in Java 109

Following Data in C# 110

Reviewing Android Application Code 111

Reviewing PL/SQL and T-SQL Code 118

Automated Source Code Review 126

Graudit 128

Yet Another Source Code Analyzer (YASCA) 129

Pixy 129

AppCodeScan 130

OWASP LAPSE+ Project 130

Microsoft Source Code Analyzer for SQL Injection 131

Microsoft Code Analysis Tool .NET (CAT.NET) 131


RIPS—A Static Source Code Analyzer for Vulnerabilities in PHP Scripts 132

CodeProAnalytiX 132

Teachable Static Analysis Workbench 132

Commercial Source Code Review Tools 133

Fortify Source Code Analyzer 134

Rational AppScan Source Edition 135

CodeSecure 135

Klocwork Solo 135

Summary 136

Solutions Fast Track 136

Frequently Asked Questions 137

CHAPTER 4 Exploiting SQL Injection 139

Introduction 139

Understanding Common Exploit Techniques 140

Using Stacked Queries 142

Exploiting Oracle from Web Applications 142

Identifying the Database 143

Non-Blind Fingerprint 144

Banner Grabbing 146

Blind Fingerprint 149

Extracting Data Through UNION Statements 150

Matching Columns 151

Matching Data Types 153

Using Conditional Statements 158

Approach 1: Time-Based 159

Approach 2: Error-Based 163

Approach 3: Content-Based 165

Working with Strings 165

Extending the Attack 167

Using Errors for SQL Injection 168

Error Messages in Oracle 170

Enumerating the Database Schema 174

SQL Server 175

MySQL 178

PostgreSQL 183

Oracle 184

Injecting into "INSERT" Queries 188

First Scenario: Inserting User Determined Data 188

Second Scenario: Generating INSERT Errors 191


Other Scenarios 193

Escalating Privileges 194

SQL Server 194

Privilege Escalation on Unpatched Servers 199

Oracle 200

SYS.LT 201

SYS.DBMS_CDC_PUBLISH 202

Getting Past the CREATE PROCEDURE Privilege 202

Cursor Injection 202

SYS.KUPPSPROC 203

Weak Permissions 203

Stealing the Password Hashes 204

SQL Server 204

MySQL 206

PostgreSQL 206

Oracle 207

Oracle Components 209

Out-of-Band Communication 211

E-mail 211

Microsoft SQL Server 211

Oracle 214

HTTP/DNS 215

File System 215

SQL Server 216

MySQL 218

Oracle 219

SQL Injection on Mobile Devices 219

Automating SQL Injection Exploitation 223

sqlmap 224

Bobcat 225

BSQL 226

Other Tools 227

Summary 228

Solutions Fast Track 229

Frequently Asked Questions 231

CHAPTER 5 Blind SQL Injection Exploitation 233

Introduction 233

Finding and Confirming Blind SQL Injection 234

Forcing Generic Errors 235

Injecting Queries with Side Effects 235


Splitting and Balancing 235

Common Blind SQL Injection Scenarios 237

Blind SQL Injection Techniques 239

Inference Techniques 239

Increasing the Complexity of Inference Techniques 243

Alternative Channel Techniques 249

Using Time-Based Techniques 249

Delaying Database Queries 249

MySQL Delays 250

PostgreSQL Delays 252

SQL Server Delays 254

Oracle Delays 257

Time-Based Inference Considerations 257

Using Response-Based Techniques 258

MySQL Response Techniques 259

PostgreSQL Response Techniques 260

SQL Server Response Techniques 261

Oracle Response Techniques 263

Returning More Than 1 bit of Information 264

Using Alternative Channels 267

Database Connections 267

DNS Exfiltration 269

Email Exfiltration 273

HTTP Exfiltration 273

ICMP Exfiltration 276

Automating Blind SQL Injection Exploitation 276

Absinthe 276

BSQL Hacker 278

SQLBrute 280

Sqlmap 282

Sqlninja 283

Squeeza 284

Summary 286

Solutions Fast Track 286

Frequently Asked Questions 288

CHAPTER 6 Exploiting the Operating System 289

Introduction 289

Accessing the File System 290

Reading Files 290

MySQL 291


Microsoft SQL Server 296

Oracle 304

PostgreSQL 306

Writing Files 306

MySQL 307

Microsoft SQL Server 310

Oracle 315

PostgreSQL 316

Executing Operating System Commands 317

MySQL 318

WAMP Environments 318

Microsoft SQL Server 318

Oracle 322

Privilege Escalation 322

Code Execution Via Direct Access 325

Executing Code as SYSDBA 330

PostgreSQL 330

Consolidating Access 333

Summary 335

Solutions Fast Track 335

Frequently Asked Questions 337

CHAPTER 7 Advanced Topics 339

Introduction 339

Evading Input Filters 339

Using Case Variation 340

Using SQL Comments 340

Using URL Encoding 341

Using Dynamic Query Execution 342

Using Null Bytes 345

Nesting Stripped Expressions 345

Exploiting Truncation 346

Bypassing Custom Filters 347

Using Non-Standard Entry Points 348

Exploiting Second-Order SQL Injection 350

Finding Second-Order Vulnerabilities 352

Exploiting Client-Side SQL Injection 355

Accessing Local Databases 355

Attacking Client-Side Databases 356

Using Hybrid Attacks 358

Leveraging Captured Data 358


Creating Cross-Site Scripting 358

Running Operating System Commands on Oracle 359

Exploiting Authenticated Vulnerabilities 360

Summary 361

Solutions Fast Track 362

Frequently Asked Questions 363

CHAPTER 8 Code-Level Defenses 365

Introduction 365

Domain Driven Security 366

Using Parameterized Statements 371

Parameterized Statements in Java 372

Parameterized Statements in .NET (C#) 373

Parameterized Statements in PHP 376

Parameterized Statements in PL/SQL 377

Parameterized Statements in mobile apps 377

Parameterized Statements in iOS Applications 377

Parameterized Statements in Android Applications 378

Parameterized Statements in HTML5 Browser Storage 378

Validating Input 379

Whitelisting 379

Known Value Validation 380

Blacklisting 383

Validating Input in Java 384

Validating Input in .NET 386

Validating Input in PHP 386

Validating Input in Mobile Applications 387

Validating Input in HTML5 387

Encoding Output 387

Encoding to the Database 388

Encoding for Oracle 388

Encoding for Microsoft SQL Server 390

Encoding for MySQL 393

Encoding for PostgreSQL 394

Avoiding NoSQL injection 395

Canonicalization 396

Canonicalization Approaches 397

Working with Unicode 397

Design Techniques to Avoid the Dangers of SQL Injection 399

Using Stored Procedures 399

Using Abstraction Layers 400


Handling Sensitive Data 401

Avoiding Obvious Object Names 403

Setting up Database Honeypots 404

Additional Secure Development Resources 404

Summary 405

Solutions Fast Track 406

Frequently Asked Questions 407

CHAPTER 9 Platform Level Defenses 409

Introduction 409

Using Runtime Protection 410

Web Application Firewalls 411

Using ModSecurity 411

Intercepting Filters 417

Web Server Filters 417

Application Filters 420

Implementing the Filter Pattern in Scripted Languages 421

Filtering Web Service Messages 422

Non-Editable Versus Editable Input Protection 422

URL/Page-Level Strategies 422

Page Overriding 423

URL Rewriting 423

Resource Proxying/Wrapping 424

Aspect-Oriented Programming (AOP) 424

Application Intrusion Detection Systems (IDSs) 424

Database Firewall 425

Securing the Database 425

Locking Down the Application Data 426

Use the Least-Privileged Database Login 426

Segregated Database Logins 426

Revoke PUBLIC Permissions 427

Use Stored Procedures 427

Use Strong Cryptography to Protect Stored Sensitive Data 427

Maintaining an Audit Trail 428

Locking Down the Database Server 431

Additional Lockdown of System Objects 431

Restrict Ad Hoc Querying 432

Strengthen Controls Surrounding Authentication 432

Run in the Context of a Least-Privileged Operating System Account 433

Ensure That the Database Server Software is Patched 433

Additional Deployment Considerations 434

Minimize Unnecessary Information Leakage 434

Suppress Error Messages 434

Use an Empty Default Web Site 436

Use Dummy Host Names for Reverse DNS Lookups 436

Use Wildcard SSL Certificates 437

Limit Discovery Via Search Engine Hacking 437

Disable Web Services Description Language (WSDL) Information 438

Increase the Verbosity of Web Server Logs 438

Deploy the Web and Database Servers on Separate Hosts 439

Configure Network Access Control 439

Summary 439

Solutions Fast Track 440

Frequently Asked Questions 441

CHAPTER 10 Confirming and Recovering from SQL Injection Attacks 443

Introduction 443

Investigating a Suspected SQL Injection Attack 443

Following Forensically Sound Practices 444

Analyzing Digital Artifacts 446

Web Server Log Files 446

Database Execution Plans 452

Transaction Log 462

Database Object Time Stamps 468

So, You're a Victim—Now What? 472

Containing the Incident 472

Assessing the Data Involved 473

Notifying the Appropriate Individuals 474

Determining What Actions the Attacker Performed on the System 474

Recovering from a SQL Injection Attack 475

Determining the Payload of an Attack 476

Recovering from Attacks Carrying Static Payloads 477

Recovering from Attacks Carrying Dynamic Payloads 479

Summary 481

Solutions Fast Track 481

Frequently Asked Questions 483


CHAPTER 11 References 485

Introduction 485

Structured Query Language (SQL) Primer 486

SQL Queries 486

SELECT Statement 486

UNION Operator 487

INSERT Statement 487

UPDATE Statement 488

DELETE Statement 488

DROP Statement 488

CREATE TABLE Statement 488

ALTER TABLE Statement 490

GROUP BY Statement 490

ORDER BY Clause 490

Limiting the Result Set 491

SQL Injection Quick Reference 492

Identifying SQL Injection Vulnerabilities 492

Identifying the Database Platform 495

Identifying the Database Platform Via Time Delay Inference 496

Identifying the Database Platform Via SQL Dialect Inference 497

Combining Multiple Rows into a Single Row 498

Microsoft SQL Server Cheat Sheet 498

Enumerating Database Configuration Information and Schema 500

Blind SQL Injection Functions: Microsoft SQL Server 500

Microsoft SQL Server Privilege Escalation 500

Attacking the Database Server: Microsoft SQL Server 506

MySQL Cheat Sheet 508

Enumerating Database Configuration Information and Schema 508

Blind SQL Injection Functions: MySQL 509

Attacking the Database Server: MySQL 509

Oracle Cheat Sheet 511

Enumerating Database Configuration Information and Schema 511

Blind SQL Injection Functions: Oracle 511

Attacking the Database Server: Oracle 511


PostgreSQL Cheat Sheet 517

Enumerating Database Configuration Information and Schema 517

Blind SQL Injection Functions: PostgreSQL 518

Attacking the Database Server: PostgreSQL 518

Bypassing Input Validation Filters 520

Quote Filters 520

HTTP Encoding 521

Troubleshooting SQL Injection Attacks 521

SQL Injection on Other Platforms 525

DB2 Cheatsheet 526

Enumerating Database Configuration Information and Schema 526

Blind SQL Injection Functions: DB2 526

Informix Cheat Sheet 526

Enumerating Database Configuration Information and Schema 527

Blind SQL Injection Functions: Informix 527

Ingres Cheat Sheet 528

Enumerating Database Configuration Information and Schema 528

Blind SQL Injection Functions: Ingres 528

Sybase Cheatsheet 529

Enumerating Database Configuration Information and Schema 529

Blind SQL Injection Functions: Sybase 530

Microsoft Access 530

Resources 531

SQL Injection White Papers 531

SQL Injection Cheat Sheets 531

SQL Injection Exploit Tools 531

Password Cracking Tools 532

Solutions Fast Track 532

Index 535