libinjection: a C library for SQLi detection, from Black Hat USA 2012

libinjection
a C library for SQLi detection and generation
through lexical analysis of real world attacks
Nick Galbreath @ngalbreath nickg@client9.com

Wednesday July 25, 2012 2:45PM
Augustus I+II, Caesar's Palace, Las Vegas

The latest version of this presentation:

http://
www.client9.com/

20120725/
2

whoami
‣ Director of Engineering @ Etsy
‣ Enterprise, Fraud, Security, Email, Fun
‣ Know a little bit about c, e.g. stringencoders:

‣ C library for string processing

‣ used by every ad server in the world

‣ used in Chrome browser

‣ http://code.google.com/p/stringencoders

Nick Galbreath @ngalbreath

The Next 14 Minutes

‣ Why is detecting SQLi hard
‣ The algorithm behind libinjection
‣ The results
‣ Next Steps


Detecting SQLi
from User Input
is a Hard Problem

It's Easy to Get Started
with Regular Expressions!
s/UNIONs+(ALL)?/i
‣ At least two open source WAF use regular
expressions.
‣ Failure cases in closed-source WAFs also
indicate regexp.


SQL IS HUGE
‣ Turing Complete! (sorta)
‣ 1992 SQL Spec: bit.ly/10fmhZ
‣ 625 pages of plain text
‣ 2003 SQL Spec: bit.ly/OB5vfW
‣ 128 pages of pure BNF
‣ No one implements exactly
‣ Everyone has extensions, exceptions, bugs


It's more complicated
than you think.
‣ Recursive commenting rules
‣ A single number can't be done in a single
regexp.
‣ Really Loosely Typed
‣ String rules - OMFG. You think you know but
you have no idea.
‣ Come see my talk at DEFCON this Friday at...
4:20 pm


RegExp Soup
(?:)s*whens*d+s*then)|(?:"s*(?:#|--|{))|(?:/*!s?d+)|(?:ch(?:a)?rs*(s*d)|(?:(?:(n?and|x?or|not)s+||||&&)s*w+()
(?:[s()]cases*()|(?:)s*likes*()|(?:havings*[^s]+s*[^ws])|(?:ifs?([dw]s*[=<>~])
(?:"s*ors*"?d)|(?:x(?:23|27|3d))|(?:^.?"$)|(?:(?:^["]*(?:[d"]+|[^"]+"))+s*(?:n?and|x?or|not||||&&)s*[w"[+&!@(),.-])|(?:[^ws]w+s*[|-]
s*"s*w)|(?:@w+s+(and|or)s*["d]+)|(?:@[w-]+s(and|or)s*[^ws])|(?:[^ws:]s*dW+[^ws]s*".)|(?:Winformation_schema|table_nameW)
(?:"s**.+(?:or|id)W*"d)|(?:^")|(?:^[ws"-]+(?<=ands)(?<=ors)(?<=xors)(?<=nands)(?<=nots)(?<=||)(?<=&&)w+()|(?:"[sd]*[^ws]+W*d
W*.*["d])|(?:"s*[^ws?]+s*[^ws]+s*")|(?:"s*[^ws]+s*[Wd].*(?:#|--))|(?:".**s*d)|(?:"s*ors[^d]+[w-]+.*d)|(?:[()*<>%+-][w-]+[^ws]
+"[^,])
(?:d"s+"s+d)|(?:^admins*"|(/*)+"+s?(?:--|#|/*|{)?)|(?:"s*or[ws-]+s*[+<>=(),-]s*[d"])|(?:"s*[^ws]?=s*")|(?:"W*[+=]+W*")|(?:"s*[!=|]
[ds!=+-]+.*["(].*$)|(?:"s*[!=|][ds!=]+.*d+$)|(?:"s*likeW+[w"(])|(?:siss*0W)|(?:wheres[sw.,-]+s=)|(?:"[<>~]+")
(?:unions*(?:all|distinct|[(!@]*)?s*[([]*s*select)|(?:w+s+likes+")|(?:likes*"%)|(?:"s*likeW*["d])|(?:"s*(?:n?and|x?or|not ||||&&)s+[s
w]+=s*w+s*having)|(?:"s**s*w+W+")|(?:"s*[^?ws=.,;)(]+s*[(@"]*s*w+W+w)|(?:selects*[[]()sw.,"-]+from)|(?:find_in_sets*()
(?:ins*(+s*select)|(?:(?:n?and|x?or|not ||||&&)s+[sw+]+(?:regexps*(|soundss+likes*"|[=d]+x))|("s*ds*(?:--|#))|(?:"[%&<>^=]+ds*(=|
or))|(?:"W+[w+-]+s*=s*dW+")|(?:"s*iss*d.+"?w)|(?:"|?[w-]{3,}[^ws.,]+")|(?:"s*iss*[d.]+s*W.*")
(?:[dW]s+ass*["w]+s*from)|(?:^[Wd]+s*(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|
truncate|load|alter|delete|update|insert|desc)s+(?:(?:group_)concat|char|load_file)s?(?)|(?:ends*);)|("s+regexpW)|(?:[s(]load_files*()
(?:@.+=s*(s*select)|(?:d+s*ors*d+s*[-+])|(?:/w+;?s+(?:having|and|or|select)W)|(?:ds+groups+by.+()|(?:(?:;|#|--)s*(?:drop|alter))|(?:
(?:;|#|--)s*(?:update|insert)s*w{2,})|(?:[^w]SETs*@w+)|(?:(?:n?and|x?or|not ||||&&)[s(]+w+[s)]*[!=+]+[sd]*["=()])
(?:"s+ands*=W)|(?:(s*selects*w+s*()|(?:*/from)|(?:+s*d+s*+s*@)|(?:w"s*(?:[-+=|@]+s*)+[d(])|(?:coalesces*(|@@w+s*[^ws])|(?:W!
+"w)|(?:";s*(?:if|while|begin))|(?:"[sd]+=s*d)|(?:orders+bys+ifw*s*()|(?:[s(]+cased*W.+[tw]hen[s(])
(?:(select|;)s+(?:benchmark|if|sleep)s*?(s*(?s*w+)
(?:creates+functions+w+s+returns)|(?:;s*(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)s*[[(]?w{2,})
(?:alters*w+.*characters+sets+w+)|(";s*waitfors+times+")|(?:";.*:s*goto)
(?:procedures+analyses*()|(?:;s*(declare|open)s+[w-]+)|(?:creates+(procedure|function)s*w+s*(s*)s*-)|(?:declare[^w]+[@#]s*w+)|(execs*
(s*@)
(?:selects*pg_sleep)|(?:waitfors*delays?"+s?d)|(?:;s*shutdowns*(?:;|--|#|/*|{))
(?:sexecs+xp_cmdshell)|(?:"s*!s*["w])|(?:fromW+information_schemaW)|(?:(?:(?:current_)?user|database|schema|connection_id)s*([^)]*)|(?:";?
s*(?:select|union|having)s*[^s])|(?:wiifs*()|(?:execs+master.)|(?:union select @)|(?:union[w(s]*select)|(?:select.*w?user()|(?:into[s+]+
(?:dump|out)files*")
(?:merge.*usings*()|(executes*immediates*")|(?:W+d*s*havings*[^s-])|(?:matchs*[w(),+-]+s*againsts*()
(?:,.*[)da-f"]"(?:".*"|Z|[^"]+))|(?:Wselect.+W*from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)s*(s*spaces*()
(?:[$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|or)])
(?:(sleep((s*)(d*)(s*))|benchmark((.*),(.*))))
(?:(union(.*)select(.*)from))
(?:^(-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|2.2250738585072007e-308|1e309)$)


Guns and Butter
‣ In 2005, right here at Black Hat, Hanson and
Patterson presented:
Guns and Butter: Towards Formal Axioms of
Validation (http://bit.ly/OBe7mJ)
‣ …formally proved that for any regex validator, we
could construct either a safe query which would be
ﬂagged as dangerous, or a dangerous query which
would be ﬂagged as correct.
‣ (summary from libdejector documentation)


Existing WAFs

‣ Visual inspection shows bugs
‣ Don't see very much in testing
‣ Don't see much or any false positive testing
‣ Closed source WAF have zero accountability
(e.g. there is no formal disclosure of what they
detect or not, and how they do it)


CAN WE DO BETTER?


Key Insight

‣ A SQLi attack must be parsed as SQL with
the original query.
‣ "Is it a SQLi attack?" becomes
"Could it be a SQL snippet?"
‣ "does this input start as a sql snippet"


Only 3 Contexts
User input is only "injected" into SQL in three
ways:
‣ As-Is
‣ Inside a single quoted string
‣ Inside a double quoted string
(I suppose another would be inside a comment,
but we can't do everything)


Identiﬁcation of SQL
snippets without context
is hard
‣ 1-917-660-3400 my phone number or an
arithmetic expression?
‣ @ngalbreath my twitter account or a SQL
variable?


Existing SQL Parsers

‣ Only parse their ﬂavor of SQL
‣ Not well designed to handle snippets
‣ Hard to extend
‣ Worried about correctness
... so I wrote my own!


Tokenization

‣ Converts input into a stream of tokens
‣ Uses "master list" of keywords and functions
across all databases.
‣ Handles comments, string, literals, weirdos.


5000224' UNION USER_ID>0--

[ ('...500224', string),
('UNION', union operator),
('USER_ID', name),
('>', operator),
('0', number),
('--.....', comment) ]


Meet the Tokens
‣ none/name ‣ group-like operation
‣ variable ‣ union-like operator
‣ string ‣ logical operator
‣ regular operator ‣ function
‣ unknown ‣ comma
‣ number ‣ semi-colon
‣ comment ‣ left parens
‣ keyword ‣ right parens


Merging,
Specialization,
Disambiguation
‣ "IS", "NOT" ==> "IS NOT" (single op)
‣ "NATURAL", "JOIN" => "NATURAL JOIN"
‣ ("+", operator) -> ("+", "unary operator")
‣ (COS, function), (1, number) ==>
(COS, name), (1, number) functions are
followed with a parenthesis.


Folding

‣ This step actually isn't needed to detect, but
is needed to reduce false positives.
‣ Converts simple arithmetic expressions into a
single value (don't try to evaluate them).
‣ 1-917-660-3400 -> "1"


Knows nothing about SQLi

‣ So far this is purely a parsing problem.
‣ Knows nothing about SQLi (which is evolving)
‣ Can be 100% tested against any SQL input
(not SQLi) for correctness.


Fingerprints
‣ The token types of a user input form a hash or
a ﬁngerprint.
‣ -6270" UNION ALL SELECT 5594, 5594, 5594, 5594, 5594, 5594,
5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594,
5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594,
5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594, 5594,
5594, 5594, 5594, 5594, 5594# AND "JWWQ"="JWWQ

‣ becomes "sUk1,1,1,1,1,1,1,1,&"

‣ Now let's generate ﬁngerprints from Real
World Data.
‣ Can we distinguish between SQLi and benign
input?

Training on SQLi

‣ Parse known SQLi attacks from
‣ SQLi vulnerability scanners
‣ Published reports
‣ SQLI How-Tos
‣ > 32,000 total


Training on real Input
‣ 100s of Millions of user inputs from Etsy's log
were also parsed.
‣ Large enough to get a good sample (Top 50
USA site)
‣ Old enough to have lots of odd ways of query
string formatting.
‣ Full text search with an diverse subject
domain


How many tokens are
needed to determine if a
user input
is SQLi or not?

5
No matter long the input is.

480 out of 1,048,576 are SQLi
n,(k( 1))Un n)ok( s)Unk 1)o1B n,(k1 s&n&s k(vv) sosos 1oks, sk)&1 1)o1f 1)o1k n);k& 1&1Bf 1)o1o s&os n,(kf s;k; n&1o1
1o(f( f(k,( 1ok1 1oksc so1f( sk)&f soso( 1),(1 s))&( s))&1 &f()o nok(1 k1,1k 1&f(n soko1 1Unk1 1ok(1 n))kk 1Unk( soko(
1)o(1 s)ok1 sov&s n;kn( nok(k s))&f sovso 1)ok1 s))&o 1)ok( s&sos n&k(1 s&vso so1c sUk(k k1,1, 1)o(n 1)o(k 1Bf(1 1kf(1
s&ko1 s&k(o 1)k1 sk);k 1&f(1 1Unkf s)k1 sos&( 1&(k1 1))on s&kc nUk(o 1;ko( 1)B1 sokc n)o1& no1oo 1&(kn s&1oo so1o1
s)o1f 1&(kf s)o1k s)o1o f(1)o n&1o( s)o1B 1okv, sk)&( 1;kok sok1 f(k() 1Ukv, s&1of 1&1oo n&1f( 1))); 1)))& 1&1of sovo1
s&1ov s)&1o sono1 1o((f 1)))) 1o(s) s)&1f 1&1ov 1Uk1k n))ok k()ok nkksc 1Uk1c n))of s&(k1 s)&1B n;kks n)o(k kf(n, f(f(1
sovov s&1o( sovos s&1o1 vok1, sovok sUk1 1o((( 1)))k 1&1o1 f(f() 1)))o n))o( 1)))U k1k(k 1Uk1, 1&1f( so(s) 1)))B f(n()
n))o1 s)&(1 1)of( 1,(k1 sk)B1 f(1,f 1,(k( 1Bk(1 1onos 1o1f( 1,f(1 1B1c s&okc s;ko( sk1os s&oko 1ono1 1,(kf sB1 1));k
s;kf( n)kks s;kok sk1o1 s;k(( 1o((1 1o1Bf so(f( n;kf( s&k(1 1&1o( nof(1 s);kk sk1c 1))o( s);ko s);kn sok1, s;k(1 1)kks
s);kf so(os so1ov s;k1, 1))Uk soknk s))k1 1)B1o 1)B1c n);k( n;kok s;k(o s);k( sok1o sok1c sf(n, s);k& sB1&s s;k1o sUno1
s))kk n);kf 1&so1 sokn, n;ko( n);kk n);kn n);ko s&1on sof(k n;k&k k1o(s sonos sk1&1 sof(f 1oso1 1;knc sUknk f()of n&(1)
s&ko( sof() ok1o1 n,f(1 1o(1) s;kkn s;kks 1o(kn sof(1 sUkn, s)k1c 1;kn( s)k1o s;k&k skks s;n:k no(o1 s))o( k(ok( so(ks
so(kk so(kn so(ko s))o1 n)&(k o1kf( s))ok ;kknc skksc so(k1 n;k(( s&o(1 s))of so(k) n;k(1 n&(o1 s&kok sov:o s)of( sU(kk
sU(kn f(v,1 sk)of 1)&f( sk)ok no1f( sU(ks oUk1, 1ok1c s&(1) s&kos 1ok1k sUnk1 1)ono 1of(1 so1o( s;knn s;knk 1of() vUk1,
no1of 1&no1 sk)o1 s)B1 1)&o( sUk1& s&(k) 1o1)o f()&f sk)o( n&f(1 so1of 1)on& 1)B1& so1oo no1o1 so1ok 1ok1, 1of(n no1o(
so1os s;kn( 1of(f sUnkf 1o(n) s&1os no(k1 n)))o n)))k 1kk(1 1;k(o 1)()s s&k1o s)B1& n)&1f n))&( sUk1, n)&1o no1&1 n)));
sf(1) 1;k(1 n)))& sokf( 1;k(( ook1, n)of( sUk1c s)B1c n&(k1 sUk1o s)B1o 1Ukf( okkkn s&vos s)o(k 1)&1f 1Uk1 1))&o 1))&f
1)&1B 1)&(k s,1), f(1o1 s)&f( s)o(1 sUkf( s&k&s 1okf( 1)&(1 1))&1 1;kf( 1))&( sokos 1))ok 1o1of 1o(1o 1kksc 1o1oo 1Uk(k
1))of 1o1ov Ukkkn 1,(f( 1ok(k so1Uk s&1f( sokok of(1) 1;k&k kf(1) sk)k1 s&v:o sok&s n)o1o n)o1f sUn(k 1o1o( 1o1o1 1))o1
sov&1 n));k n))&f sk)kk s)&(k 1)Unk n))&1 sU((k 1)k1o 1);kk s;kvc 1);ko 1);kn 1)k1c s;kvk 1);kf 1Uks, s&o(k 1);k& s)&o(
s&(1o s&f() 1,1), 1);k( sk)Un sk)Uk s&f(1 1)&1o 1Uksc nUnk( so((k 1o1kf s&1Bf 1))kk kvk(1 n&o1o f(1)& &f(1) 1))k1 so(((
s))Un s))Uk n,(f( 1)Uk1 s),(1 s&knk 1))B1 s)kks 1Uk no(1) n)&f( s)ok( s))B1 sos 1&(1o s)Uk1 s));k so(1) 1&o(1 sok(1
nUk(k n&1of 1B1 sB1c n&1oo so(1o 1k1c sok(s sok(o sok(k so((s so1kf 1;kks s)))B sf(s) 1&o1o n)k1o s)))U sonk1 kf(1,
1o(kf 1,s), s)))k so1&1 s)))o s&nos s&1Uk s&o1o 1o(k1 so1Bf s;k[k sB1os of()o s;k[n s)))& s&(f( so1&s s&no1 so1&o s)));

Possible that more token types will be added to help
reduce false positives.


The Library
‣ > 100k query strings can be checked per
second
‣ C, logic is under 1000 LOC
‣ No memory allocation
‣ Fixed, stable memory usage (~500 on stack)
‣ No threads
‣ Could go even faster


Sample Usage

sfilter sf; // on stack, ~500 bytes
const char* ucg = "my user input";
bool issqli = is_sqli(&sf,
ucg, strlen(ucg));
// tada

metadata on input is in struct sﬁlter;
(names subject to change, cleanup)


Test Cases

‣ All input test cases available
‣ Including false positives found along the way
‣ Code coverage reports


Python Prototype

‣ Algorithm in python as well
‣ Not as up-to-date as the C version
‣ Working on it
‣ Runs under PyPy (and quite fast)


Make Existing Systems
Work Better
‣ The Tokenizer could be ripped out, to make a
"SQL normalizer/simplifier"
‣ all white space normalized

‣ all comments removed

‣ all numbers in various flavors converted to "1"

‣ all strings converted to a fixed value "foo"

‣ Makes existing regular expressions work
better and detect more.


Great for Fuzzers

‣ The SQLi ﬁngerprints are actually a great
source of templates for fuzzers and SQLi
generators
‣ Take ﬁngerprint and turn it back into SQL


Available Now
http://www.client9.com/libinjection/
‣ source code on github
‣ BSD License
(only to track how this gets used)
‣ Due to high commercial demand, I'm switching
to GPL. This is only to force discussions with
third-parties on integration, etc. My goal is to
get this used, so if this is barrier let me know!


Help!
‣ More SQLi test cases!
‣ More real-world test cases
‣ Missing some PGSQL / Oracle string insanity
‣ Need better understanding of non-ASCII
usage
‣ Porting to other languages
(it's not that hard).


More Analysis at DEFCON 20

New Techniques in SQLi Obfuscation
SQL never before used in SQLi

http://www.client9.com/20120727/
July 27, 2012 Friday, 4:20pm at the Rio


Slides and Source Code:
http://www.client9.com/libinjection/

Contact: Nick Galbreath
@ngalbreath
nickg@client9.com nickg@etsy.com

and... join my mailing list for updates
and early access to slides, code
Thanks for coming by!

Photos courtesy Ken Lee @kennysan http://ﬂic.kr/s/
aHsjBbEnz1

40

libinjection: a C library for SQLi detection, from Black Hat USA 2012

More Related Content

Viewers also liked (12)

Similar to libinjection: a C library for SQLi detection, from Black Hat USA 2012 (20)

More from Nick Galbreath (12)

Recently uploaded (20)

libinjection: a C library for SQLi detection, from Black Hat USA 2012

Editor's Notes