Sql injection

Páginas: 8 (1988 palabras) Publicado: 29 de diciembre de 2010
Advanced SQL injection to operating system full control
Bernardo Damele Assumpção Guimarães

Black Hat Briefings Europe Amsterdam (NL) – April 16, 2009

Who I am
Bernardo Damele Assumpção Guimarães: • • • • Proud father IT security engineer sqlmap lead developer MySQL UDF repository developer

2

SQL injection definition
• SQL injection attacks are a type of injection attack, inwhich SQL commands are injected into data-plane input in order to affect the execution of predefined SQL statements • It is a common threat in web applications that lack of proper sanitization on usersupplied input used in SQL queries
3

SQL injection techniques
• Boolean based blind SQL injection:
par=1 AND ORD(MID((SQL query), Nth char, 1)) > Bisection num--

• UNION query (inband) SQLinjection:
par=1 UNION ALL SELECT query--

• Batched queries SQL injection:
par=1; SQL query;-4

How far can an attacker go by exploiting a SQL injection?

5

Scope of the analysis
• Three database software:
– MySQL on Windows – PostgreSQL on Windows and Linux – Microsoft SQL Server on Windows

• Three web application languages:
– ASP on Microsoft IIS, Windows – ASP.NET on MicrosoftIIS, Windows – PHP on Apache and Microsoft IIS
6

Batched queries
• In SQL, batched queries are multiple SQL statements, separated by a semicolon, and passed to the database • Example: SELECT col FROM table1 WHERE id=1; DROP table2;
7

Batched queries support

Programming languages and their DBMS connectors default support for batched queries
8

File system read access

9

Fileread access on MySQL
• LOAD_FILE() function can be used to read either a text or a binary file • Session user must have these privileges:
– FILE – CREATE TABLE for the support table

10

File read access on MySQL
Via batched queries SQL injection technique:
SELECT HEX(LOAD_FILE('C:/example.exe')) INTO DUMPFILE 'C:/WINDOWS/Temp/hexkflwl'; CREATE TABLE footable(data longtext); LOAD DATAINFILE 'C:/WINDOWS/Temp/hexkflwl' INTO TABLE footable FIELDS TERMINATED BY 'MFsIgeUPsa' (data);
11

File read access on MySQL
Via any SQL injection enumeration technique:
• Retrieve the length of the support table's field value • Dump the support table's field value in chunks of 1024 characters

On the attacker box:
• Assemble the chunks into a single string • Decode it from hex and write ona local file
12

File read access on PostgreSQL
• COPY statement can be used to read a text file
– User-defined function can be used to read a binary file

• Session user must be a super user to call this statement

13

File read access on PostgreSQL
Via batched queries SQL injection technique:
CREATE TABLE footable(data bytea); COPY footable(data) FROM '/etc/passwd';

14

Fileread access on PostgreSQL
Via any SQL injection enumeration technique:
• Count the number of entries in the support table • Dump the support table's field entries base64 encoded via ENCODE() function

On the attacker box:
• Assemble the entries into a single string • Decode it from base64 and write on a local file
15

File read access on MS SQL Server
• BULK INSERT statement can beabused to read either a text or a binary file and save its content on a table text field • Session user must have these privileges:
– INSERT – ADMINISTER BULK OPERATIONS – CREATE TABLE
16

File read access on MS SQL Server
Via batched queries SQL injection technique:
CREATE TABLE footable(data text); CREATE TABLE footablehex(id INT IDENTITY(1, 1) PRIMARY KEY, data VARCHAR(4096)); BULK INSERTfootable FROM 'C:/example.exe' WITH (CODEPAGE='RAW', FIELDTERMINATOR='QLKvIDMIjD', ROWTERMINATOR='dqIgILsFoi');
17

File read access on MS SQL Server
[…] WHILE (@counter > filepath')

• Session user must have CONTROL SERVER privilege • On the attacker box:
– Split the file in chunks of 64Kb – Convert each chunk to its plain text debug script format
27

File write access on MS SQL...
Leer documento completo

Regístrate para leer el documento completo.

Estos documentos también te pueden resultar útiles

  • Sql injection
  • Sql Injection
  • sql injection
  • SQL Injection
  • SQL Injection en SQL Server y función convert()
  • Sql injection
  • Sql injection
  • Sql injection

Conviértase en miembro formal de Buenas Tareas

INSCRÍBETE - ES GRATIS