Uploaded by: yahya-nursalim
Agenda
• What is SQL Injection?
• DEMO: Backdoor web server
• GreenSQL: Detailed Description
• DEMO: GreenSQL
• Other solutions
• Future plans
What is SQL Injection?
• Legitimate Query:
SELECT * from users where username = 'Alice' and password = '123456'
• Injected SQL code:
SELECT * from users where username = 'Alice' and password = '123456' or '1'='1'
SQL Attack Hazards
• Bypass Login page
• Read files
• Write files
• Dump sensitive information
• Execute system commands
• Create database back door
• New Attack: Distribution of Trojans
Demo: Attack
• MySQL commands
  – select "text" into outfile "file.txt"
• Find directory with write permissions
  – templates_c / templates / temp
  – images / files / cache
C99 Web shell
Simple Web Shells
• Execute system commands
• Simple Web shell:
<?php system($_GET['cmd']); ?>
  – system() function
  – $_GET['cmd']
  – $_POST['cmd']
  – $_REQUEST['cmd']
MySQL Attack DEMO
• More info here:
http://www.greensql.net/publications/backdoor-webserver-using-mysql-sql-injection
Demo
What is GreenSQL?
• GreenSQL is a database firewall solution
• Protects against SQL injection attacks
• Management console
• MySQL built in support
GreenSQL Diagram
GreenSQL Architecture
• Reverse Proxy
• Number of databases
• Number of backend DB servers
• Deployment options:
  – Can be installed together with the DB server
  – Can be installed on a specialized server
How Query is Blocked
• Empty result is sent back to application
• Application can continue gracefully
• No TCP reset is sent
• No errors are generated
GreenSQL Advantages
• Multiple modes
  – simulation / learning / active protection
• Easy Management
• Pattern Recognition (signatures)
• Heuristics (risk calculation)
• Open Source
GreenSQL Advantages 2
• Cross Platform
• Rapid Deployment
• Well established
• Web application independent
• The only free security solution for MySQL
• User Friendly WEB GUI/Management tool
Supported modes
• Simulation mode
• Block suspicious commands
  – Based on overall query risk
• Learning mode
  – Whitelist patterns of used SQL commands
• Block new commands
  – Queries missing from the whitelist will be blocked.
Easy Management
• Management GUI
• IT Orientation
• Automatic Configuration
  – Learning Mode
  – Blocking mode
Pattern Recognition
• Detects administrative commands like:
  – create table/database
  – drop table/database
  – alter table structure
• Detects information disclosure commands
  – version() / current_user() / show tables
• Detects privileged commands
  – kill() / create_user() / load_file()
Example
Heuristic Analysis
• Access to sensitive tables (users, accounts, credit information) increases the query risk
• SQL Comments
• Empty password string
• OR token
• UNION token
• SQL tautology (true statement)
  – or 1=1
Examples - Blocked
Whitelist
Positive & Negative Security
• Positive Security
  – Learning mode
  – Whitelist
• Negative Security
  – Pattern recognition
  – Heuristic Analysis
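A toy reconstruction of the controls described on these slides (risk heuristics, pattern recognition, learning-mode whitelist, and the empty-result block), added here as an illustration; it is not GreenSQL's code, and the scoring weights, the block threshold and the literal-normalization rule are assumptions:

```python
import re

# Constructed sample queries (not GreenSQL test data); the first two mirror the slides.
LEGIT = "SELECT * from users where username = 'Alice' and password = '123456'"
INJECTED = LEGIT + " or '1'='1'"
ADMIN = "select 'x' into outfile 'shell.php'"   # the file-write command from the demo slide
ADMIN_PATTERNS = [r"\b(create|drop)\s+(table|database)\b", r"\balter\s+table\b",   # from the slides' Pattern Recognition list
                  r"\b(version|current_user|load_file|kill)\s*\(", r"\bshow\s+tables\b", r"\binto\s+outfile\b"]
BLOCK_THRESHOLD = 30   # assumed; the slides list indicators but give no weights or threshold

def risk_score(sql):
    """Heuristic risk calculation using the indicators listed on the slide."""
    q, score = sql.lower(), 0
    if re.search(r"(--|#|/\*)", q):                            score += 10  # SQL comments
    if re.search(r"password\s*=\s*''", q):                     score += 10  # empty password string
    if re.search(r"\bor\b", q):                                score += 10  # OR token
    if re.search(r"\bunion\b", q):                             score += 15  # UNION token
    if re.search(r"\bor\s+(['\"]?)(\w+)\1\s*=\s*\1\2\1", q):   score += 20  # tautology, e.g. or 1=1
    if re.search(r"\bfrom\s+(users|accounts|credit\w*)\b", q): score += 5   # sensitive table
    return score

def normalize(sql):
    """Replace literals with '?' so queries differing only in values share one whitelist pattern."""
    q = re.sub(r"'(?:[^'\\]|\\.)*'", "?", sql)
    q = re.sub(r"\b\d+\b", "?", q)
    return re.sub(r"\s+", " ", q).strip().lower()

class MiniDbFirewall:
    def __init__(self, backend, mode="learning"):   # modes: learning / simulation / active
        self.backend, self.mode, self.whitelist, self.log = backend, mode, set(), []

    def handle(self, sql):
        pattern, score = normalize(sql), risk_score(sql)
        if self.mode == "learning":
            self.whitelist.add(pattern)             # positive security: learn the used pattern
            return self.backend(sql)
        suspicious = (any(re.search(p, sql.lower()) for p in ADMIN_PATTERNS)  # pattern recognition
                      or score >= BLOCK_THRESHOLD                             # heuristic risk
                      or pattern not in self.whitelist)                       # query never learned
        if suspicious:
            self.log.append((self.mode, score, sql))
            if self.mode == "active":
                return []   # empty result set: no TCP reset, no DB error, app continues gracefully
        return self.backend(sql)   # forward to the real database server

def demo():
    fw = MiniDbFirewall(backend=lambda sql: [("Alice", "123456")])
    fw.handle(LEGIT)       # learning mode whitelists the login query's pattern
    fw.mode = "active"
    return fw.handle(LEGIT), fw.handle(INJECTED), fw.handle(ADMIN), len(fw.log)
```

In simulation mode the same decisions are only logged, which is how the slides describe trying the firewall before switching on active protection.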
Multiplatform support
• Linux based:
  – CentOS / OpenSUSE / Fedora / Mandrake
  – Debian / Ubuntu
• BSD based
  – FreeBSD
• Windows (beta)
Rapid Deployment
• Pre-built packages for popular Linux distributions and for FreeBSD
• Simple installation and configuration scripts
• Two configuration files
  – General configuration / DB settings
  – MySQL patterns
Not only for Web Apps
• Defense in depth methodology
• IT oriented
• Supports legacy applications
• Does not require application configuration changes
• Can be configured to listen on the original DB socket while the database is moved to a different one.
Open Source
• Free
• Open Source
• GPL License
• MySQL support
Well established
• Hundreds of newsletter subscribers
• A bunch of security reviews and hundreds of bug fixes
• Active support forum
• Production version
• A bunch of blog reviews
• Sourceforge version for more than a year
• Featured by popular resources:
  – http://www.linux.com/
  – http://www.phpmagazine.net/
  – http://www.tecchannel.de/
Console - DEMO
• Demo version is available here:
• http://demo.greensql.net/
Related Open Source Solutions
• Snort IDS/Prelude
• ModSecurity
• PHPIDS
• MySQL built in security
• Kernel IDS solutions
Future Version
• DB User permissions
• Support for PostgreSQL
• Higher heuristic detection
• More reports
Google Database Firewall