SQL Injection Attacks and Defense

Transcription

1 SQL Injection Attacks and Defense Justin Clarke Lead Author and Technical Editor Rodrigo Marcos Alvarez Dave Hartley Joseph Hemler Alexander Kornbrust Haroon Meer Gary O'Leary-Steele Alberto Revelli Marco Slaviero Dafydd Stuttard

2 Chapter 1 What Is SQL Injection? 1 Introduction 2 Understanding How Web Applications Work 2 A Simple Application Architecture 4 A More Complex Architecture 5 Understanding SQL Injection 6 High-Profile Examples 10 Understanding How It Happens 13 Dynamic String Building 13 Incorrectly Handled Escape Characters 14 Incorrectly Handled Types 15 Incorrectly Handled Query Assembly 17 Incorrectly Handled Errors 18 Incorrectly Handled Multiple Submissions 19 Insecure Database Configuration 21 Summary 24 Solutions Fast Track 24 Frequently Asked Questions 26 Chapter 2 Testing for SQL Injection 29 Introduction ~ 30 Finding SQL Injection 30 Testing by Inference 31 Identifying Data Entry 31 GET Requests 31 POST Requests 32 Other Injectable Data 35 Manipulating Parameters 36 Information Workflow 39 Database Errors 40 Commonly Displayed SQL Errors 41 Microsoft SQL Server Errors 41 MySQL Errors 46 Oracle Errors 49 ix

3 Application Response 51 Generic Errors 51 HTTP Code Errors 54 Different Response Sizes 55 Blind Injection Detection 56 Confirming SQL Injection 60 Differentiating Numbers and Strings 61 Inline SQL Injection 62 Injecting Strings Inline 62 Injecting Numeric Values Inline 65 Terminating SQL Injection 68 Database Comment Syntax 69 Using Comments 70 Executing Multiple Statements 74 Time Delays 79 Automating SQL Injection Discovery 80 Tools for Automatically Finding SQL Injection 81 HP Weblnspect 81 IBM Rational AppScan 83 HP Scrawlr 85 SQLiX 87 Paros Proxy 88 Summary 91 Solutions Fast Track 91 Frequently Asked Questions 93 Chapter 3 Reviewing Code for SQL Injection 95 Introduction 96 Reviewing Source Code for SQL Injection 96 Dangerous Coding Behaviors 98 Dangerous Functions 105 Following the Data 109 Following Data in PHP 110 Following Data in Java 114 Following Data in C# 115 Reviewing PL/SQL andt-sql Code 117 Automated Source Code Review 124 Yet Another Source Code Analyzer (YASCA) 125 Pixy 126 AppCodeScan 127

4 xi LAPSE 127 Security Compass Web Application Analysis Tool (SWAAT) 128 Microsoft Source Code Analyzer for SQL Injection 128 Microsoft Code Analysis Tool.NET (CAT.NET) 129 Commercial Source Code Review Tools 129 Ounce 131 Source Code Analysis 131 CodeSecure 132 Summary 133 Solutions Fast Track 133 Frequently Asked Questions 135 Chapter 4 Exploiting SQL Injection 137 Introduction 138 Understanding Common Exploit Techniques 139 Using Stacked Queries 141 Identifying the Database 142 Non-Blind Fingerprint 142 Banner Grabbing 144 Blind Fingerprint 146 Extracting Data through UNION Statements 148 Matching Columns 149 Matching Data Types 151 Using Conditional Statements 156 Approach 1: Time-based 157 Approach 2: Error-based 159 Approach 3: Content-based 161 Working with Strings Extending the Attack 163 Using Errors for SQL Injection 164 Error Messages in Oracle 167 Enumerating the Database Schema 170 SQL Server 171 MySQL 177 Oracle 180 Escalating Privileges 183 SQL Server 184 Privilege Escalation on Unpatched Servers 189 Oracle 190

5 xii Stealing the Password Hashes 192 SQL Server 192 MySQL 194 Oracle 194 Oracle Components 196 APEX 196 Oracle Internet Directory 197 Out-of-Band Communication Microsoft SQL Server 199 Oracle 202 HTTP/DNS 203 File System 203 SQL Server ' 204 MySQL 207 Oracle 208 Automating SQL Injection Exploitation 208 Sqlmap 208 Sqlmap Example 209 Bobcat 211 BSQL 212 Other Tools 214 Summary 215 Solutions Fast Track 215 Frequently Asked Questions 218 Chapter 5 Blind SQL Injection Exploitation 219 Introduction 220 Finding and Confirming Blind SQL Injection 221 Forcing Generic Errors 221 Injecting Queries with Side Effects 222 Spitting and Balancing 222 Common Blind SQL Injection Scenarios 225 Blind SQL Injection Techniques 225 Inference Techniques 226 Increasing the Complexity of Inference Techniques 230 Alternative Channel Techniques 234 Using Time-Based Techniques 235 Delaying Database Queries 235 MySQL Delays 235

6 xiii Generic MySQL Binary Search Inference Exploits 237 Generic MySQL Bit-by-Bit Inference Exploits 237 SQL Server Delays 238 Generic SQL Server Binary Search Inference Exploits 240 Generic SQL Server Bit-by-Bit Inference Exploits 240 Oracle Delays 240 Time-Based Inference Considerations 241 Using Response-Based Techniques 242 MySQL Response Techniques 242 SQL Server Response Techniques 244 Oracle Response Techniques 246 Returning More Than One Bit of Information 247 Using Alternative Channels 249 Database Connections 250 DNS Exfiltration 251 Exfiltration 255 HTTP Exfiltration 256 Automating Blind SQL Injection Exploitation 258 Absinthe 258 BSQL Hacker 260 SQLBrute 263 Sqlninja 264 Squeeza 265 Summary 267 Solutions Fast Track 267 Frequently Asked Questions 270 Chapter б Exploiting the Operating System 271 Introduction 272 Accessing the File System 273 Reading Files 273 MySQL 274 Microsoft SQL Server 280 Oracle 289 Writing Files 291 MySQL 292 Microsoft SQL Server 295 Oracle 300 Executing Operating System Commands 301 Direct Execution 301

7 xiv Oracle 301 DBMS_SCHEDULER 302 PL/SQL Native 302 Other Possibilities 303 Alter System Set Events 303 PL/SQL Native 9i 303 Buffer Overflows 304 Custom Application Code 304 MySQL 304 Microsoft SQL Server 305 Consolidating Access 309 Summary 312 Solutions Fast Track : 312 Frequently Asked Questions 314 Endnotes 315 Chapter 7 Advanced Topics 317 Introduction 318 Evading Input Filters 318 Using Case Variation 319 Using SQL Comments 319 Using URL Encoding 320 Using Dynamic Query Execution 322 Using Null Bytes 323 Nesting Stripped Expressions 324 Exploiting Truncation 324 Bypassing Custom Filters 326 Using Non-Standard Entry Points 327 Exploiting Second-Order SQL Injection 329 Finding Second-Order Vulnerabilities 332 Using Hybrid Attacks 335 Leveraging Captured Data 335 Creating Cross-Site Scripting 335 Running Operating System Commands on Oracle 336 Exploiting Authenticated Vulnerabilities 337 Summary 338 Solutions Fast Track 338 Frequently Asked Questions 340

8 xv Chapter 8 Code-Level Defenses 341 Introduction 342 Using Parameterized Statements 342 Parameterized Statements in Java 344 Parameterized Statements in.net (C#) 345 Parameterized Statements in PHP 347 Parameterized Statements in PL/SQL 348 Validating Input 349 Whitelisting 349 Blacklisting 351 Validating Input in Java 353 Validating Input in.net 354 Validating Input in PHP 354 Encoding Output 355 Encoding to the Database 355 Encoding for Oracle 356 Oracle dbms_assert 357 Encoding for Microsoft SQL Server 359 Encoding for MySQL 360 Canonicalization 362 Canonicalization Approaches 363 Working with Unicode 364 Designing to Avoid the Dangers of SQL Injection 365 Using Stored Procedures 366 Using Abstraction Layers 367 Handling Sensitive Data 368 Avoiding Obvious Object Names 369 Setting Up Database Honeypots 370 Additional Secure Development Resources 371 Summary 373 Solutions Fast Track 373 Frequently Asked Questions 375 Chapter 9 Platform-Level Defenses 377 Introduction 378 Using Runtime Protection 378 Web Application Firewalls 379 Using ModSecurity 380 Configurable Rule Set 380 Request Coverage 383

9 Request Normalization 383 Response Analysis 384 Intrusion Detection Capabilities 385 Intercepting Filters 386 Web Server Filters 386 Application Filters 389 Implementing the Filter Pattern in Scripted Languages 390 Filtering Web Service Messages 391 Non-Editable versus Editable Input Protection 391 URL/Page-Level Strategies 392 Page Overriding 392 URL Rewriting 393 Resource Proxying/Wrapping 393 Aspect-Oriented Programming (AOP) 393 Application Intrusion Detection Systems (IDSs) 394 Database Firewall 394 Securing the Database 395 Locking Down the Application Data 395 Use the Least-Privileged Database Login 395 Revoke PUBLIC Permissions 396 Use Stored Procedures 396 Use Strong Cryptography to Protect Stored Sensitive Data 397 Maintaining an Audit Trail 398 Oracle Error Triggers 398 Locking Down the Database Server 400 Additional Lockdown of System Objects 400 Restrict Ad Hoc Querying 401 Strengthen Controls Surrounding Authentication 401 Run in the Context of the Least-Privileged Operating System Account 401 Ensure That the Database Server Software Is Patched 402 Additional Deployment Considerations 403 Minimize Unnecessary Information Leakage 403 Suppress Error Messages 403 Use an Empty Default Web Site 406 Use Dummy Host Names for Reverse DNS Lookups 406 Use Wildcard SSL Certificates 407 Limit Discovery via Search Engine Hacking 407 Disable Web Services Description Language (WSDL) Information 408

10 xvii Increase the Verbosity of Web Server Logs 409 Deploy the Web and Database Servers on Separate Hosts 409 Configure Network Access Control 409 Summary 410 Solutions Fast Track 410 Frequently Asked Questions 412 Chapter 10 References 415 Introduction 416 Structured Query Language (SQL) Primer 416 SQL Queries 416 SELECT Statement 417 UNION Operator 417 INSERT Statement 418 UPDATE Statement 418 DELETE Statement 418 DROP Statement 420 CREATE TABLE Statement 420 ALTER TABLE Statement 420 GROUP BY Statement 421 ORDER BY Clause 421 Limiting the Result Set 421 SQL Injection Quick Reference 422 Identifying the Database Platform 422 Identifying the Database Platform via Time Delay Inference 423 Identifying the Database Platform via SQL Dialect Inference 423 Combining Multiple Rows into a Single Row 424 Microsoft SQL Server Cheat Sheet 425 Enumerating Database Configuration Information and Schema 425 Blind SQL Injection Functions: Microsoft SQL Server 427 Microsoft SQL Server Privilege Escalation 427 OPENROWSET Reauthentication Attack 428 Attacking the Database Server: Microsoft SQL Server 429 System Command Execution via xp_cmdshell 429 xp_cmdshell Alternative 430 Cracking Database Passwords 430 Microsoft SQL Server 2005 Hashes 431 File Read/Write 431

11 xviii MySQL Cheat Sheet 431 Enumerating Database Configuration Information and Schema 431 Blind SQL Injection Functions: MySQL 432 Attacking the Database Server: MySQL 433 System Command Execution 433 Cracking Database Passwords 434 Attacking the Database Directly 434 File Read/Write 434 Oracle Cheat Sheet 435 Enumerating Database Configuration Information and Schema 435 Blind SQL Injection Functions: Oracle Attacking the Database Server: Oracle 437 Command Execution 437 Reading Local Files 437 Reading Local Files (PL/SQL Injection Only) 438 Writing Local Files (PL/SQL Injection Only) 439 Cracking Database Passwords 440 Bypassing Input Validation Filters 440 Quote Filters 440 HTTP Encoding 442 Troubleshooting SQL Injection Attacks 443 SQL Injection on Other Platforms 446 PostgreSQL Cheat Sheet 446 Enumerating Database Configuration Information and Schema 447 Blind SQL Injection Functions: PostgreSQL 448 Attacking the Database Server: PostgreSQL 448 System Command Execution 448 Local File Access 449 Cracking Database Passwords 449 DB2 Cheat Sheet 449 Enumerating Database Configuration Information and Schema 449 Blind SQL Injection Functions: DB2 450 Informix Cheat Sheet 451 Enumerating Database Configuration Information and Schema 451 Blind SQL Injection Functions: Informix 452

12 xix Ingres Cheat Sheet 452 Enumerating Database Configuration Information and Schema 452 Blind SQL Injection Functions: Ingres 453 Microsoft Access 453 Resources 453 SQL Injection White Papers 453 SQL Injection Cheat Sheets 454 SQL Injection Exploit Tools 454 Password Cracking Tools 455 Solutions Fast Track 456 Index 459