SQL Injection ~ Finding SQL Injection problems in 34 minutes Daniel Uriah Clemens


Page 1: SQL Injection

SQL Injection ~ Finding SQL Injection problems in 34 minutes

Daniel Uriah Clemens

Page 2: SQL Injection

SQL Injection ~ Big Ideas

These four attitudes will help us on our journey:

1. Courage – Be a hunter for information!

2. Humility – Remember you too must ask questions!

3. Faith – The vulnerabilities exist; you must discover them!

4. Perseverance – Running a race takes endurance, and so does exploiting vulnerabilities.

Page 3: SQL Injection

SQL Injection ~ Goals for this talk

1. Overview of SQL Injection (what is SQL Injection?)

2. How to identify SQL Injection problems

3. Impacts from SQL Injection

4. Attack patterns

5. Conclusion and demo (if time permits)

Page 4: SQL Injection

SQL Injection ~ Overview - What is SQL Injection? Where does it take place?

SQL Injection takes place in a few places:

1) Input accepted from a website and passed to a backend database.

2) Stored procedures within a database.
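As an added illustration of the first injection point above (example code written for this page, not the talk's own): a login check that concatenates web input into its query, beside the same check using bind parameters. It assumes an in-memory SQLite database and a constructed `users` table; the probe string is the one the deck uses later.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample data (assumption): one user whose password is not guessable."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('joe', 'not-guessable')")
    conn.commit()
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Web input is concatenated into the SQL text, so a quote in the input
    # ends the string literal and the rest of the input is parsed as SQL.
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None

def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Placeholders fix the query shape; the driver passes the input as data,
    # so a quote in the username is just a character to compare against.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None

def demo() -> dict:
    """Run both checks with a real login and with the deck's probe string."""
    conn = make_db()
    # The quote closes the literal, OR 1 = 1 matches every row, and the
    # trailing -- comments out the password comparison.
    probe = "joe' OR 1 = 1 --"
    return {
        "legit_vulnerable": login_vulnerable(conn, "joe", "not-guessable"),
        "probe_vulnerable": login_vulnerable(conn, probe, "wrong"),
        "legit_parameterized": login_parameterized(conn, "joe", "not-guessable"),
        "probe_parameterized": login_parameterized(conn, probe, "wrong"),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'logged in' if ok else 'rejected'}")
```

The parameterized version still accepts the legitimate login; only the probe stops working, because its quote never reaches the SQL parser as syntax.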

Page 5: SQL Injection

SQL Injection ~

Daniel Uriah Clemens, PacketNinjas L.L.C.

Page 6: SQL Injection

SQL Injection ~ How to identify injection points?

Methodology

1) Identify how the web application works.

   1) Does it solely operate on POSTs from the client?

   2) Does it operate on server-side dynamic content creation?

   3) Remember: asking the correct questions gets you the prize!

   4) Are any parameters within the website manipulatable?

Page 7: SQL Injection

SQL Injection ~ Generic Checklist

1) Mirror website – Identify all comments in code (HTML or JavaScript). Learn how things work.

2) Identify web application platform.

3) Identify how the web application works.

4) GET(s)

   1) Identify variables passed to application server or database.

5) POST(s)

   1) Track down every input passed to the server within a POST.

   2) Map out the desired input types you want to look at.

6) Start fuzzing the input with the power of " ' "

Page 8: SQL Injection

SQL Injection ~ Tools to aid you

1) Brain

2) HTTP reference guide

3) HTTRACK

4) SQL query analyzers

5) Web proxies

   1) AtStake WebProxy

   2) ImmunitySec – Spike

   3) WebScarab

   4) ParosProxy

Page 9: SQL Injection

SQL Injection ~ Example Server side input

Page 10: SQL Injection

SQL Injection ~ Response

Map out responses. If there aren't any responses, don't give up!

1) Look for client-side input validation. If it exists, edit it out of the equation with an HTML editor, a hex editor, or a proxy server.

2) If there were no responses, do things blindly with waitfor statements to see if SQL syntax is getting executed: 'OR 1 = 1 '+' waitfor delay '0:0:03' --

3) 'SELECT * '||' waitfor delay '0:0:03' --

Page 11: SQL Injection

SQL Injection ~ Finding SQL injection

Once you have found places that are processing or pulling data from a database...

1) You want to test injection on the back-end database.

- Straightforward injection – Enter your ' characters and look for exceptions.

  user = joe ' OR 1 = 1 -- sp_passwd pass = whateveriwan

- Blind injection – Enter your ' characters with SQL delays.

  ';waitfor delay '0:0:10' --

Page 12: SQL Injection

SQL Injection ~ Exploiting SQL Injection

• The goal is to find out where you have landed in your SQL statement.

• Usually this is a SELECT statement... how do you find out where you are in the SQL statement?

• What can you do with this once you have found where you land in an SQL statement?

Page 13: SQL Injection

SQL Injection ~ What can we do with this?


Page 14: SQL Injection

SQL Injection ~ Example Server Side Injection


Page 15: SQL Injection

SQL Injection ~ Recon.. (Microsoft)

1) Identify server patch level: @@version (remember this is probably SELECT @@version -- ). Variants include (blind):

2) ); @@version "||" select user waitfor delay '0:0:10'--

• (OUTPUT) Microsoft SQL Server 2000 - 8.00.194 (Intel X86) Aug 6 2000 00:57:48 Copyright (c) 1988-2000 Microsoft Corporation Standard Edition on Windows NT 5.0 (Build 2195: Service Pack 4)

Page 16: SQL Injection

SQL Injection ~ Escalation Step 2 (Identify db user) (remember the key is where you land in the select statement)

user - - (no spaces, but put them in to show the need)

if user ='dbo' SELECT @@version '+' select user --

'+' select user -- (concatenate your request)

If everything went well and our desired result was 'dbo', then we can expand our privileges to doing anything we want!

Page 17: SQL Injection

SQL Injection ~ Basic System Compromise

1) Execute stored procedures to download a file from your hostile server, OR

2) If you are firewalled.......

• Stored procedures include xp_cmdshell

Page 18: SQL Injection

SQL Injection ~ Upload a binary into a table, then have it flushed to disk and then start netcat...

• This is tricky because you have to break your binary into parts, since one table can only hold 8000 chars.

Page 19: SQL Injection

SQL Injection ~ System compromise

Question – What if we turned off stored procedures?

A) It doesn't matter: if I am dbo, I can turn them on again.

• exec sp_addextendedproc N'xp_cmdshell', N'xplog70.dll' (this will turn our stored procedure back on)... we could also be sneaky and load any DLL we want into the database and have it work as a trojan or something... hrm....

Page 20: SQL Injection

SQL Injection ~ Other thoughts

1) Most publicly accessible databases are clustered, so you just rooted tons of boxes.

2) If the database isn't Microsoft and it's Oracle... well, it gets even better.

Page 21: SQL Injection

SQL Injection ~ ORACLE Injection

Follow our methodology:

1) Find insertion points

2) Figure out where we land in the select statement

3) Verify database type

4) Utilize stored procedures... (Oracle has millions of stored procedures (I think above 900)), OR use JAVA.io, OR overflow a stored procedure in Oracle, OR SQL inject within a stored procedure in Oracle.

Page 22: SQL Injection

SQL Injection ~ Other Attack patterns

• Watch weblogs for large amounts of small requests.

• Watch weblogs for any strange HTTP error codes, anything other than a 200 success response:

  – 302s or 500 error codes

  – Persistent connections to a web application

  – End users spidering the website

  – Database crashes
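An added example (not from the talk) of the weblog checks listed above, run over a few constructed Apache common-log lines: it flags clients sending bursts of small requests, non-200 status codes such as 302 and 500, and request strings carrying the quote, comment and waitfor probes the deck fuzzes with. The thresholds and sample lines are assumptions chosen for this example.

```python
# Thresholds and sample lines are assumptions constructed for this example.
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote_plus

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')
# The probe characters the deck fuzzes with: quotes, comment markers, delays.
PROBE_RE = re.compile(r"'|--|waitfor\s+delay|\bor\s+1\s*=\s*1", re.IGNORECASE)

def parse(line):
    """Return one record (ip, time, decoded path, status, bytes) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path, status, size = m.groups()
    return {"ip": ip, "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "path": unquote_plus(path), "status": int(status),
            "size": 0 if size == "-" else int(size)}

def analyze(lines, burst_n=5, burst_secs=10, small_bytes=512):
    """Findings per client IP: non-200 codes, probe strings, bursts of small hits."""
    findings, per_ip = defaultdict(set), defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        per_ip[rec["ip"]].append(rec)
        if rec["status"] != 200:
            findings[rec["ip"]].add(f"non-200 status {rec['status']}")
        if PROBE_RE.search(rec["path"]):
            findings[rec["ip"]].add("sql probe in request")
    for ip, recs in per_ip.items():
        small = sorted(r["time"] for r in recs if r["size"] <= small_bytes)
        # Sliding window: burst_n small responses inside burst_secs seconds.
        if any((small[i + burst_n - 1] - small[i]).total_seconds() <= burst_secs
               for i in range(len(small) - burst_n + 1)):
            findings[ip].add("burst of small requests")
    return {ip: sorted(f) for ip, f in findings.items()}

SAMPLE = [  # constructed lines, not real traffic
    '10.0.0.5 - - [10/Oct/2004:13:55:36 -0500] "GET /index.html HTTP/1.0" 200 4523',
    '192.0.2.10 - - [10/Oct/2004:13:56:01 -0500] "GET /login.asp?user=joe%27 HTTP/1.0" 500 310',
    '192.0.2.10 - - [10/Oct/2004:13:56:02 -0500] "GET /login.asp?user=joe%27+OR+1%3D1+-- HTTP/1.0" 302 0',
    '192.0.2.10 - - [10/Oct/2004:13:56:03 -0500] "GET /login.asp?user=%27%3Bwaitfor+delay+%270:0:10%27-- HTTP/1.0" 200 310',
    '192.0.2.10 - - [10/Oct/2004:13:56:04 -0500] "GET /login.asp?user=a HTTP/1.0" 200 310',
    '192.0.2.10 - - [10/Oct/2004:13:56:05 -0500] "GET /login.asp?user=b HTTP/1.0" 200 310',
]

if __name__ == "__main__":
    for ip, hits in analyze(SAMPLE).items():
        print(ip, hits)
```

The blind waitfor probe on the third attacker line returns a 200, which is exactly why the deck says a quiet log is not proof of safety; the decoded request string and the burst pattern still give it away.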

Page 23: SQL Injection

SQL Injection ~ Conclusion

We have scratched the surface with the basics of SQL injection. Next time we can talk about other things:

1) Generating a web application assessment program

2) Advanced exploitation techniques and tricks

Page 24: SQL Injection

SQL Injection ~ Thank you!

- Special thanks to God for life, joy, strength and hope!

- Everyone at work that puts up with me!

- Infragard members that let me share ideas!