sans @night talk: sql injection exploited

SQL Injection Exploited - Micah Hoffman

Upload: micah-hoffman

Post on 28-Nov-2014


Category: Technology


DESCRIPTION

This presentation was given at the SANS Rocky Mountain Conference in Denver, CO, June 2014. The presentation had a rather large portion that was demo. That is not captured here. Sorry.

TRANSCRIPT

Page 1: SANS @Night Talk: SQL Injection Exploited


SQL Injection Exploited - Micah Hoffman

Page 2: SANS @Night Talk: SQL Injection Exploited

SQL INJECTION EXPLOITED - MICAH HOFFMAN - @WEBBREACHER 2

SQL Injection in the News

Page 3: SANS @Night Talk: SQL Injection Exploited


Who am I?
◦ Infosec Engineer / Pentester
◦ NoVA Hacker
◦ PwnWiki.io Curator
◦ Recon-ng module Writer
◦ SANS Instructor (SEC542)
◦ Hiker / Backpacker

Novahackers.com

Page 4: SANS @Night Talk: SQL Injection Exploited


Great Expectations
◦ What is SQL Injection (SQLi)?
◦ What can an attacker exploiting SQLi do?
◦ Tools to exploit SQLi
◦ Appropriate places to practice SQLi exploitation
◦ Demo of SQLi exploitation
◦ How do you prevent SQLi?

Page 5: SANS @Night Talk: SQL Injection Exploited


What is SQL Injection (SQLi)?
◦ Web application vulnerability
◦ Attacker runs commands on the database server through the vulnerable web app

(Diagram labels: "SQLi here" on the web application, "Gets an attacker in here" on the database server)

Page 6: SANS @Night Talk: SQL Injection Exploited


This is SQL Injection

Normal URL
◦ http://example.com/user.php?name=admin&password=a
◦ Web application sends the following SQL to the database:
◦ SELECT * FROM accounts WHERE user='admin' AND password='a'
◦ Returns 1 record

SQL Injection Example URL
◦ http://example.com/user.php?name=admin' or 1=1 -- &password=a
◦ SELECT * FROM accounts WHERE user='admin' or 1=1 -- ' AND password='a'
◦ Returns all records because 1 always equals 1, and the -- comments out the rest of the WHERE clause, including the password check

Page 7: SANS @Night Talk: SQL Injection Exploited


Would SQLi Exploitation in License Plates Actually Work?

Page 8: SANS @Night Talk: SQL Injection Exploited


What can an attacker do?

Not all SQL injection is the same – some allow greater access

Things an attacker can do by exploiting SQLi
◦ Inside the database server
  ◦ Read records in databases / Steal records (Confidentiality/Authorization)
  ◦ Write to records in databases (Integrity)
  ◦ Delete records in databases (Availability)
  ◦ Circumvent authentication (if SQLi is found in the authentication mechanism)
◦ On the database server's underlying system
  ◦ Read/Write files to/from the server file system
  ◦ Execute commands on the server operating system
  ◦ Compromise the server
  ◦ Pivot into internal network and attack other systems

Page 9: SANS @Night Talk: SQL Injection Exploited


SQLi Discovery and Exploitation Tools

COTS
◦ App Scanners - Acunetix / Netsparker / NTO Spider
◦ Vuln Scanners - Nessus / Nexpose / Qualys / Metasploit / Core Impact

Free
◦ Sqlmap
◦ Sqlninja
◦ BBQSQL

Page 10: SANS @Night Talk: SQL Injection Exploited


"Safe" Testing Targets

Samurai Web Testing Framework (SamuraiWTF) - FREE
◦ http://www.samurai-wtf.org/
◦ VMWare image and ISO
◦ Attack tools and many web application victim targets
◦ Has SamuraiWTF "Course" PDF
◦ Used by SANS Web App Hacking (SEC542) course

Individual Vulnerable Apps
◦ WebGoat
◦ Mutillidae
◦ Gruyere
◦ McAfee HacMe

Page 11: SANS @Night Talk: SQL Injection Exploited


Demo using SamuraiWTF

Page 12: SANS @Night Talk: SQL Injection Exploited


Preventing SQLi through Education

System Administrator
◦ Ensure database is running as a user/service account with least privilege
◦ Ensure operating system and applications are patched and hardened

Database Administrator
◦ Ensure each application has its own account in the database
◦ Ensure each account has the explicit permissions required for the app
◦ Ensure the server is hardened and risky options are disabled

Application Developer
◦ Sanitize, filter and validate all data before sending to database
◦ Use SQLi-prevention mechanisms (parameterized queries, stored procedures) correctly

Testing
◦ Perform security assessments, penetration testing, against your systems

SANS Administrator:
◦ SEC464 – Security Baseline

SANS Developer:
◦ DEV522 – Defending Web Apps
◦ DEV536 – Secure Coding

SANS Defender:
◦ SEC434 – Log Management
◦ SEC440 – Crit. Sec. Controls
◦ SEC502 – Perimeter Protection

SANS Attacker:
◦ SEC504 – Hacker Techniques
◦ SEC542 – Web App Pentest
◦ SEC560 – Net Pentest
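An added example (not from the talk) tying the "This is SQL Injection" slide to the developer advice above: the same accounts lookup built by string concatenation, as the slide's user.php does, next to the parameterized form. The accounts table, its rows and the helper names are constructed for this example; the injected input is the slide's own `admin' or 1=1 --`.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the slide's "accounts" table (in-memory SQLite).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (user TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("admin", "a"), ("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def lookup_vulnerable(conn, name, password):
    # Builds the query text the way the slide describes: user input pasted
    # straight into the SQL string, so a quote in the input becomes SQL syntax.
    sql = f"SELECT * FROM accounts WHERE user='{name}' AND password='{password}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name, password):
    # Placeholders ship the values separately from the query text; the database
    # never parses the input, so "' or 1=1 --" is just an unusual user name.
    sql = "SELECT * FROM accounts WHERE user=? AND password=?"
    return conn.execute(sql, (name, password)).fetchall()


def demo():
    conn = make_db()
    payload = "admin' or 1=1 -- "
    normal = lookup_vulnerable(conn, "admin", "a")        # the slide's normal URL
    injected = lookup_vulnerable(conn, payload, "a")      # the slide's injected URL
    safe = lookup_parameterized(conn, payload, "a")       # same input, parameterized
    # Returns (1, 3, 0): one record, every record, no record.
    return len(normal), len(injected), len(safe)


if __name__ == "__main__":
    print(demo())
```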

Page 13: SANS @Night Talk: SQL Injection Exploited


Questions?

Resources
◦ Information about web app vulnerabilities, how to test and remediate - OWASP – http://owasp.org
◦ SQL Injection Cheat Sheet - http://websec.ca/kb/sql_injection

Key Testing Tools
◦ Sqlmap - sqlmap.org
  ◦ Docs are on the http://github.com/sqlmapproject/sqlmap/wiki page
◦ SamuraiWTF
  ◦ http://www.samurai-wtf.org and http://sourceforge.net/projects/samurai/files/

My Blog: http://webbreacher.blogspot.com