SQL Injection Attacks and Defense

Transcription

1 SQL Injection Attacks and Defense

2

3 SQL Injection Attacks and Defense Second Edition Justin Clarke AMSTERDAM BOSTON HEIDELBERG LONDON NEW YORK OXFORD PARIS SAN DIEGO SAN FRANCISCO SINGAPORE SYDNEY TOKYO Syngress is an Imprint of Elsevier

4 Acquiring Editor: Development Editor: Project Manager: Designer: Chris Katsaropolous Heather Scherer Jessica Vaughan Russell Purdy Syngress is an imprint of Elsevier 225 Wyman Street, Waltham, MA 02451, USA 2012 Elsevier, Inc. All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher s permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein). Notices Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods or professional practices, may become necessary. Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information or methods described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility. To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein. Library of Congress Cataloging-in-Publication Data Application submitted British Library Cataloguing-in-Publication Data A catalogue record for this book is available from the British Library. ISBN: Printed in the United States of America For information on all Syngress publications visit our website at

5 Acknowledgements Justin would like to thank the Syngress editing team (and especially Chris Katsaropoulos and Heather Scherer) for once again being willing to take on a book which (in the publishing industry) has a ridiculous number of authors involved. He d also like to thank, in his role as chief cat-herder, the author team for all pulling together to get this project completed.

6

7 Justin would like to dedicate this book to his daughter Adena for being a continual delight to him. Dave would like to express heartfelt thanks to his extremely beautiful wife Nicole and daughter Isla Rose, who continuously support and inspire him in all endeavors. Sumit sid Siddharth would like to thank his beautiful wife Supriya and his gorgeous daughter Shriya for their support. He would also like to thank his pentest team at 7Safe for putting up with him. Alberto would like to dedicate this book to all the hackers worldwide who have researched the material and written the tools described in this book. I would also like to dedicate it to Franziskaner Weissbier Brewery, Munich, without which my contribution would not have been possible.

8

9 Contributing Authors Rodrigo Marcos Alvarez (CREST consultant, MSc, BSc, CISSP, CNNA, OPST, MCP) is the technical director of SECFORCE, a leading penetration testing consultancy. When not leading the technical team, Rodrigo still enjoys getting actively involved in the delivery of security assessments and getting his hands dirty writing tools and working on interesting new hacking techniques. Rodrigo is a contributor to the OWASP project and a security researcher. He is particularly interested in network protocol analysis via fuzzing testing. Among other projects, he has released TAOF, a protocol agnostic GUI fuzzer, and proxyfuzz, a TCP/UDP proxy which fuzzes network traffic on the fly. Rodrigo has also contributed to the web security field by releasing bsishell, a python interacting blind SQL injection shell and developing TCP socket reusing attacking techniques. Kevvie Fowler (GCFA Gold, CISSP, MCTS, MCDBA, MCSD, MCSE) leads the TELUS Security Intelligence Analysis practice where he delivers advanced event analysis and proactive intelligence to protect customers against present and emerging threats. He is also the founder and principal consultant of Ringzero, a security research and forensic services company. Kevvie s recent research has focused on database forensics, rootkits and native encryption flaws which he has presented at industry conferences including Black Hat, SecTor and OWASP AppSec Asia. Kevvie is author of SQL Server Forensic Analysis and contributing author to several information security and forensics books. As a recognized SANS forensicator and GIAC Advisory Board member he helps guide the direction of emerging security and forensic research. Kevvie serves as a trusted advisor to public and private sector clients and his thought leadership has been featured within Information Security Magazine, Dark Reading and Kaspersky Threatpost. Dave Hartley is a Principal Security Consultant for MWR InfoSecurity operating as a CHECK and CREST Certified Consultant (Application and Infrastructure). MWR InfoSecurity supply services which support their clients in identifying, managing and mitigating their Information Security risks. Dave has performed a wide range of security assessments and provided a myriad of consultancy services for clients in a number of different sectors, including financial institutions, entertainment, media, telecommunications, and software development companies and government organizations worldwide. Dave also sits on the CREST assessors and NBISE advisory panels, where he invigilates examinations and collaboratively develops new CREST examination modules. CREST is a standards-based organization for penetration test suppliers incorporating a best practice technical certification program for individual consultants. Dave has also been actively engaged in creating a US centric examination process in conjunction with NBISE. ix

10 x Contributing Authors Dave has been working in the IT Industry since 1998 and his experience includes a range of IT Security fields and disciplines. Dave is a published author and regular contributor to many information security periodicals and is also the author of the Bobcat SQL injection exploitation tool. Alexander Kornbrust is the founder of Red-Database-Security, a company specializing in database security. He provides database security audits, security training and consulting to customers worldwide. Alexander is also involved with designing and developing the McAfee Security Scanner for Databases, the leading tool for database security. Alexander has worked with Oracle products since 1992 and his specialties are the security of Oracle databases and architectures. He has reported more than 1200 security bugs to Oracle and holds a masters degree (Diplom-Informatiker) in computer science from the University of Passau. Erlend Oftedal works as a consultant at Bekk Consulting AS in Oslo in Norway and has been head of Bekk s security competency group for several years. He spends his days as a security adviser and developer for Bekk s clients, and he also does code reviews and security testing. He has done talks on web application security at both software development and security conferences like Javazone and OWASP AppSec Europe, and at user groups and universities in Norway and abroad. He is a security researcher and is very involved in the OWASP Norway chapter. He is also a member of the Norwegian Honeynet Project. Erlend holds a masters degree in computer science from the Norwegian University of Science and Technology (NTNU). Gary O Leary-Steele (CREST Consultant) is the Technical Director of Sec-1 Ltd, based in the UK. He currently provides senior-level penetration testing and security consultancy for a variety of clients, including a number of large online retailers and financial sector organizations. His specialties include web application security assessment, network penetration testing and vulnerability research. Gary is also the lead author and trainer for the Sec-1 Certified Network Security Professional (CNSP) training program that has seen more than 3000 attendees since its launch. Gary is credited by Microsoft, RSA, GFI, Splunk, IBM and Marshal Software for the discovery of security flaws within their commercial applications. Alberto Revelli is a security researcher and the author of sqlninja, an open source toolkit that has become a weapon of choice when exploiting SQL Injection vulnerabilities on web applications based on Microsoft SQL Server. As for his day job, he works for a major commodities trading company, mostly breaking and then fixing anything that happens to tickle his curiosity. During his career he has assisted a multitude of companies including major financial institutions, telecom operators, media and manufacturing companies. He