SQL Injection ~ Finding SQL Injection problems in 34 minutes
Daniel Uriah Clemens
SQL Injection ~ Big Ideas
These four attitudes will help us on our journey –
1. Courage – Be a hunter for information!
2. Humility – Remember you too, must ask questions!
3. Faith – The vulnerabilities exist, you must discover them!
4. Perseverance – Running a race takes endurance, and so does exploiting vulnerabilities.
SQL Injection ~ Goals for this talk?
1. Overview of SQL Injection (what is SQL Injection?)
2. How to Identify SQL Injection Problems
3. Impacts from SQL Injection
4. Attack Patterns
5. Conclusion and Demo ( if time permits )
SQL Injection ~ Overview - What is SQL Injection? Where does it take place?
SQL Injection takes place in a few places.
1) Input accepted from a website passed to a backend database.
2) Stored procedures within a database
SQL Injection ~
Daniel Uriah Clemens, PacketNinjas L.L.C.
SQL Injection ~ How to identify injection points?
Methodology
1) Identify how the web application works.
   1) Does it solely operate on POSTs from the client?
   2) Does it operate on server side dynamic content creation?
   3) Remember asking the correct questions gets you the prize!
   4) Are any parameters within the website manipulatable?
SQL Injection ~ Generic Checklist
1) Mirror Website – Identify all comments in code (html or javascript). Learn how things work.
2) Identify web application platform.
3) Identify how the web application works.
4) GET(s)
   1) Identify variables passed to application server or database
5) POST(s)
   1) Track down every input passed to the server within a POST
   2) Map out the desired input types you want to look at.
6) Start fuzzing the input with the power of the single quote: '
SQL Injection ~ Tools to aid you
1) Brain
2) HTTP Reference Guide
3) HTTRACK
4) SQL Query Analyzers
5) WebProxys
   1) AtStake WebProxy
   2) ImmunitySec – Spike
   3) WebScarab
   4) ParosProxy
SQL Injection ~ Example Server side input
SQL Injection ~ Response
Map out responses. If there aren't any responses, don't give up!
1) Look for client side input validation. If it exists, edit it out of the equation with an html editor, a hex editor, or a proxy server.
2) If there were no responses, do things blindly with waitfor statements to see if SQL syntax is getting executed. ' OR 1 = 1 '+' waitfor delay '0:0:03' --
3) ' SELECT * '||' waitfor delay '0:0:03' --
SQL Injection ~ Finding SQL injection
Once you have found places that are processing or pulling data from a database…
1) You want to test injection on the back end database.
   - Straightforward Injection – Enter your quotes ( ' ) and look for exceptions
     user = joe ' OR 1 = 1 -- sp_passwd pass = whateveriwan
   - Blind Injection – Enter your quotes ( ' ) with SQL delays.
     '; waitfor delay '0:0:10' --
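As an added example, not code from the talk: a login lookup that concatenates form input into its SQL beside a parameterized version, run against a constructed in-memory SQLite table. The probe string is the one on the slide, and probe_raises_error is the "look for exceptions" step; table contents and function names are assumptions.

```python
import sqlite3

def make_db():
    # Constructed sample table standing in for the backend database the talk describes.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("joe", "s3cret"), ("admin", "hunter2")])
    return conn

def login_vulnerable(conn, user, pw):
    # Form input is pasted straight into the statement, so a quote in
    # the input becomes part of the SQL the server executes.
    sql = (f"SELECT username FROM users WHERE username = '{user}' "
           f"AND password = '{pw}'")
    return [row[0] for row in conn.execute(sql)]

def login_parameterized(conn, user, pw):
    # Placeholders bind the input as data; the quote and the -- comment
    # marker are compared as characters and never reach the SQL parser.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (user, pw))]

def probe_raises_error(conn, user):
    # The slide's "enter your quotes, look for exceptions" check: on the
    # concatenated version a stray quote yields a syntax error that an
    # unhandled-exception page would leak to the client.
    try:
        login_vulnerable(conn, user, "x")
        return False
    except sqlite3.OperationalError:
        return True

def demo():
    conn = make_db()
    payload = "joe ' OR 1 = 1 --"   # the username probe from the slide
    return {
        "legit_vulnerable": login_vulnerable(conn, "joe", "s3cret"),
        "legit_parameterized": login_parameterized(conn, "joe", "s3cret"),
        "payload_vulnerable": login_vulnerable(conn, payload, "whateveriwant"),
        "payload_parameterized": login_parameterized(conn, payload, "whateveriwant"),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The concatenated version returns every user for the probe, the parameterized one returns nothing, and only the concatenated one throws on a stray quote.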
SQL Injection ~ Exploiting SQL Injection
• The goal is to find out where you have landed in your sql statement.
• Usually this is a SELECT statement… how do you find out where you are in the SQL Statement?
• What can you do with this once you have found where you land in an SQL statement?
SQL Injection ~ What can we do with this?
SQL Injection ~ Example Server Side Injection
SQL Injection ~ Recon.. (Microsoft)
1) Identify Server patch level: @@version (remember this is probably SELECT @@version -- )
Variants include (blind):
2) ); @@version "||" select user waitfor delay '0:0:10'--
• ( OUTPUT ) Microsoft SQL Server 2000 - 8.00.194 (Intel X86) Aug 6 2000 00:57:48 Copyright (c) 1988-2000 Microsoft Corporation Standard Edition on Windows NT 5.0 (Build 2195: Service Pack 4)
SQL Injection ~ Escalation Step 2 ( Identify db user )
(remember the key is where you land in the select statement)
user - - (no spaces, but put them in to show the need)
if user = 'dbo' SELECT @@version '+' select user --
'+' select user -- (concatenate your request)
If everything went well and our desired result was 'dbo',
then we can expand our privileges to doing anything we want!
SQL Injection ~ Basic System Compromise
1) Execute stored procedures to download a file from your hostile server
OR
2) If you are firewalled…
• Stored procedures include xp_cmdshell
SQL Injection ~ Upload a binary into a table, then have it flushed to disk and then start netcat…
• This is tricky because you have to break your binary into parts, since one table can only hold 8000 chars.
SQL Injection ~ System compromise
Questions – What if we turned off stored procedures?
A) It doesn't matter; if I am dbo, I can turn them on again.
• exec sp_addextendedproc N'xp_cmdshell', N'xplog70.dll' (this will turn our stored procedure back on)… we could also be sneaky and load any dll we want into the database and have it work as a trojan or something… hrm….
SQL Injection ~ Other thoughts
1) Most publicly accessible databases are clustered, so you just rooted tons of boxes.
2) If the database isn't Microsoft and it's Oracle… well, it gets even better.
SQL Injection ~ ORACLE Injection
Follow our methodology:
1) Find insertion points
2) Figure out where we land in the select statement
3) Verify database type
4) Utilize stored procedures... (oracle has millions of stored procedures (I think above 900)). OR use JAVA.io OR overflow a stored procedure in oracle OR SQL inject within a stored procedure in ORACLE.
SQL Injection ~ Other Attack patterns
• Watch weblogs for large amounts of small requests.
• Watch weblogs for any strange HTTP error codes that would be anything other than a 200 accept.
  – 302's or 500 error codes
  – Persistent connections to a webapplication.
  – End users spidering website
  – Database crashes
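The weblog indicators above, as an added example that is not part of the talk: a small analyzer run over constructed Common Log Format lines that flags a source for a burst of requests, non-200 responses (302/500) and SQL metacharacters in URL-decoded parameters. The log lines, the thresholds and the function names are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2004:10:01:01 -0500] "GET /item.asp?id=7 HTTP/1.1" 200 512
10.0.0.5 - - [12/May/2004:10:01:02 -0500] "GET /item.asp?id=7%27 HTTP/1.1" 500 231
10.0.0.5 - - [12/May/2004:10:01:03 -0500] "GET /item.asp?id=7%27%20OR%201=1-- HTTP/1.1" 200 9811
10.0.0.5 - - [12/May/2004:10:01:09 -0500] "GET /item.asp?id=7;waitfor%20delay%20%270:0:3%27-- HTTP/1.1" 200 512
10.0.0.5 - - [12/May/2004:10:01:10 -0500] "GET /item.asp?id=8 HTTP/1.1" 302 0
192.168.1.9 - - [12/May/2004:10:02:00 -0500] "GET /index.asp HTTP/1.1" 200 4410
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')
# Metacharacters the talk fuzzes with, matched after URL decoding.
PROBE_RE = re.compile(r"'|--|\bwaitfor\b|\bdelay\b", re.IGNORECASE)

def parse(line):
    """Return ip, method, decoded path and status for one CLF line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, path, status = m.groups()
    return {"ip": ip, "method": method, "path": unquote(path), "status": int(status)}

def analyze(log_text, burst_threshold=4, error_threshold=2):
    """Flag sources showing the slide's indicators: a burst of requests, repeated
    non-200 responses (302/500) and SQL metacharacters. Thresholds are assumed."""
    per_ip = defaultdict(lambda: {"requests": 0, "non_200": 0, "probes": []})
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        stats = per_ip[rec["ip"]]
        stats["requests"] += 1
        if rec["status"] != 200:
            stats["non_200"] += 1
        if PROBE_RE.search(rec["path"]):
            stats["probes"].append(rec["path"])
    flagged = {}
    for ip, s in per_ip.items():
        reasons = [name for cond, name in (
            (s["requests"] >= burst_threshold, "request burst"),
            (s["non_200"] >= error_threshold, "non-200 responses"),
            (bool(s["probes"]), "sql metacharacters")) if cond]
        if reasons:
            flagged[ip] = {"reasons": reasons, "probes": s["probes"]}
    return flagged
```

On the sample, 10.0.0.5 is flagged on all three counts and the ordinary visitor is not; in practice the decoded probes are what you hand to whoever triages the alert.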
SQL Injection ~ Conclusion
We have scratched the surface with the basics of SQL injection. Next time we can talk about other things:
1) Generating a webapplication assessment program
2) Advanced exploitation techniques and tricks
SQL Injection ~ Thank you!
- Special thanks to God for life, joy, strength and hope!
- Everyone at work that puts up with me!
- Infragard members that let me share ideas!