Automated Estimation and Evaluation of SQL-injection Vulnerabilities
Jonas Persson, Group 30 - Language based security 2006
Contents
• The impact of SQL-injection
• Blindfolded SQL-injection
• What has been done before
• Automating the process
• Results
• Conclusions
Impact of SQL-injection
• Sysobjects – stores info on all tables in the database
• Sysdatabases – stores info on all databases on the server
• Xp_cmdshell – executes arbitrary commands
• Bcp – write to arbitrary file
• Openrowset – transfer data from/to remote SQL-server
• Xp_regwrite – write arbitrary registry values
• Bulk insert – insert from arbitrary file
Blindfolded SQL-injection
• Should not rely on contents of error messages
• The only relevant question is – did the query execute or not?
• Procedure:
  • Determine errors
  • Find format and query structure
  • Exploit
What has been done before
• Automated datamining using blindfolded SQL-injection (Absinthe by Cameron Hotchkies)
• Vulnerability scanning tools with support for finding SQL-injections
Limitations
• Absinthe only mines for data from existing injections, it does not find the vulnerabilities
• All vulnerability scanning tools I have tested only append a single quote at the end of parameter values and report a vulnerability if the server returns a ”500 – internal server error”
Automating the process
• Determine errors
  • Appending ” AND ” should give an incorrect syntax error
  • Appending ” AND 1=0 ” should result in an error
  • Appending ” AND 1=1 ” should not result in an error
  • Comparing to these results will tell us whether appending ” AND (any sql) ” executed or not
Automating the process
• Finding format
  • Appending ” -- ” might remove necessary ending parentheses
  • Breaking out of parentheses by trying to end them one by one until the query executes
  • More advanced formats do not require this procedure
Automating the process
• Finding the query structure
  • How many columns does the query select? Try ordering! ” ORDER BY 1 -- ”
  • Which types do the selected columns have?
    • Three base types: strings, ints and dates
    • Append ” UNION ALL SELECT null -- ”
    • Append ” UNION ALL SELECT 1 -- ”
    • Append ” UNION ALL SELECT ’1’ -- ”
Automating the process
• Once you have found the format and structure, exploiting is easy! ” UNION ALL SELECT columns FROM table -- ”
Automating the process
• Checking the impact
  • Selecting from system tables
  • Running stored procedures
  • Connect to other servers through openrowset
  • Read files with bulk insert
  • Options are limitless!
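The execute-or-not oracle from the ”Determine errors” step, as an added example that is not part of the original slides or of the author's program: the three probes are run against a string-concatenated query and against a parameterized one over a constructed in-memory SQLite table, which shows the differential signal the blind procedure relies on and that the signal vanishes once the value is bound as a parameter. Table name, rows and the assumption of a string-typed parameter (so each probe is preceded by a closing quote) are constructed for the example.

```python
import sqlite3

def make_db():
    # Constructed sample catalogue for the example (not from the slides).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, category TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [("Compilers", "books"), ("Spoon", "kitchen")])
    return conn

def lookup_concat(conn, category):
    # Vulnerable form: the parameter value is spliced into the SQL text.
    sql = "SELECT name FROM products WHERE category = '" + category + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_param(conn, category):
    # Hardened form: the value is bound separately and never parsed as SQL.
    sql = "SELECT name FROM products WHERE category = ?"
    return [row[0] for row in conn.execute(sql, (category,))]

def outcome(lookup, conn, value):
    # Reduce a request to the only thing the blind procedure looks at:
    # did the query fail, return nothing, or return rows? The error
    # text itself is deliberately not inspected.
    try:
        return "rows" if lookup(conn, value) else "empty"
    except sqlite3.Error:
        return "error"

# The three probes from the "Determine errors" slide, each preceded by a
# closing quote so it lands in the WHERE clause of the concatenated query.
PROBES = {
    "and":   "' AND ",
    "false": "' AND 1=0 -- ",
    "true":  "' AND 1=1 -- ",
}

def blind_signal(lookup, conn, base="books"):
    # Map each probe to its outcome. An injectable parameter yields three
    # distinct outcomes (error / empty / rows); with a bound parameter every
    # probe is just an unknown category and all three outcomes coincide.
    return {name: outcome(lookup, conn, base + p) for name, p in PROBES.items()}

def looks_injectable(lookup, conn):
    # Decision rule: flag only when the bare AND breaks the query and the
    # true/false probes are distinguishable from each other.
    sig = blind_signal(lookup, conn)
    return sig["and"] == "error" and sig["true"] != sig["false"]
```

Calling `blind_signal(lookup_concat, make_db())` gives the error/empty/rows triple; the parameterized lookup gives `empty` for all three probes.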
Results
• A program that
  • Evaluates a parameter and returns how likely it is that the parameter is vulnerable and exploitable
  • Finds format and query structure
  • Estimates how vulnerable the parameter is on a scale from 1 to 10
  • Reports its findings to the user, detailing the vulnerability and its impact
Conclusions
• As we have just seen, it is indeed possible to automate the search for and exploitation of SQL-injection vulnerabilities
• The example can be extended in many different ways to create either a versatile audit tool or a powerful hacking tool