Attacking Data Stores


Attacking Data Stores
Brad Stancel
CSCE 813 Presentation
11/12/2012
Sources Consulted
• Stuttard, D. and Pinto, M., The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws, 2nd Edition, 2011, Wiley Publishing
Importance of Data Stores
• Almost every web app uses data stores
• Used to hold information vital to the application
• Often hold information crucial to the application logic (access control, etc.)
Important Notes about Data Stores
• Application interacts with the data store at a specified security level
• Common data stores are databases that use SQL (Structured Query Language) to interact with & manipulate the database
• Other non-SQL type databases are becoming more popular (e.g. NoSQL)
• Some data stores specifically revolve around access control (e.g. LDAP)
Interpreted vs. Compiled Languages
• Injection attacks can happen on either type of language
• Interpreted languages make injection attacks easier (e.g. code can be typed in directly)
• Compiled language injection attacks generally use machine code
SQL Injection
• Type of code injection common in interpreted languages that use SQL data stores
• A lot of similarities across databases, but each vendor's database may be a bit different
• Our focus today is on: MS-SQL, Oracle and MySQL data stores
Fingerprinting the Database
• Extract version string
  o MySQL: /*!32302 and 1=0*/
• Look at Concatenation of Strings
  o Oracle: 'serv'||'ices'
  o MS-SQL: 'serv'+'ices'
  o MySQL: 'serv' 'ices'
• Look at how Numeric Data is handled
  o Oracle: BITAND(1,1)-BITAND(1,1)
  o MS-SQL: @@PACK_RECEIVED-@@PACK_RECEIVED
  o MySQL: CONNECTION_ID()-CONNECTION_ID()
Testing for Injection Bugs
General Algorithm:
• Supply unexpected data and syntax
• Identify any anomalies
• Observe and examine any error messages
• Systematically modify input to confirm or disprove vulnerability existence
• Construct a proof-of-concept that causes a safe command to execute in a verifiable way to prove the flaw exists
• Exploit the vulnerability by leveraging functionality and knowledge of the target language and/or its components
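The fingerprinting probes on the previous slide and the testing algorithm above are also what a defender can look for in web server logs. The following is an added example, not code from the presentation or from the handbook it cites: it parses constructed access-log lines, URL-decodes each query parameter, and flags values containing the dialect-specific markers listed on the fingerprinting slide (/*!, ||, BITAND(, @@PACK_RECEIVED, CONNECTION_ID() or the vendor-neutral ones from the testing slides (--, UNION SELECT, ASCII(, OR x=y). A lone apostrophe is treated as weak evidence unless the server answered with a 5xx status, which is the "observe error messages" step seen from the server side. The log format, client addresses and paths are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Dialect-specific probe markers taken from the fingerprinting slide.
VENDOR_MARKERS = {
    "MySQL": [r"/\*!\d+", r"\bCONNECTION_ID\s*\("],
    "Oracle": [r"\|\|", r"\bBITAND\s*\("],
    "MS-SQL": [r"@@PACK_RECEIVED"],
}
# Vendor-neutral markers from the string/numeric/UNION testing slides.
GENERIC_MARKERS = [r"--", r"\bUNION\s+SELECT\b", r"\bASCII\s*\(",
                   r"\bOR\b\s+[^=\s]+\s*=\s*\S+"]

# Common-log-format request line: client, timestamp, request target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample log lines (hypothetical hosts and paths, not from the slides).
LOG_LINES = [
    '203.0.113.5 - - [12/Nov/2012:10:00:01 -0500] "GET /books?publisher=Wiley HTTP/1.1" 200 512',
    '203.0.113.5 - - [12/Nov/2012:10:00:07 -0500] "GET /books?publisher=Wiley%27 HTTP/1.1" 500 88',
    '203.0.113.5 - - [12/Nov/2012:10:00:12 -0500] "GET /books?publisher=Wiley%27%7C%7C%27 HTTP/1.1" 200 512',
    '203.0.113.5 - - [12/Nov/2012:10:00:20 -0500] "GET /books?publisher=Wiley%27+UNION+SELECT+username,password,uid+FROM+users-- HTTP/1.1" 200 2048',
    '198.51.100.9 - - [12/Nov/2012:10:01:00 -0500] "GET /books?year=67-ASCII(%27A%27) HTTP/1.1" 200 512',
    '198.51.100.9 - - [12/Nov/2012:10:01:05 -0500] "GET /books?year=1%20/*!32302%20and%201=0*/ HTTP/1.1" 200 0',
    '192.0.2.44 - - [12/Nov/2012:10:02:00 -0500] "GET /books?publisher=O%27Reilly HTTP/1.1" 200 300',
    '203.0.113.5 - - [12/Nov/2012:10:03:00 -0500] "GET /books?publisher=Wiley%27+OR+1%3D1-- HTTP/1.1" 200 4096',
]


def parse_line(line):
    """Split one log line into (client ip, decoded query parameters, status)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, target, status = m.groups()
    # parse_qsl percent-decodes and turns '+' into a space, as the server would.
    params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    return ip, params, int(status)


def classify_value(value):
    """Return (suggested vendors, matched marker patterns) for one parameter value."""
    vendors, markers = [], []
    for vendor, patterns in VENDOR_MARKERS.items():
        for p in patterns:
            if re.search(p, value, re.IGNORECASE):
                vendors.append(vendor)
                markers.append(p)
    for p in GENERIC_MARKERS:
        if re.search(p, value, re.IGNORECASE):
            markers.append(p)
    return vendors, markers


def scan_log(lines):
    """Flag parameter values that look like the probes described on the slides."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, params, status = parsed
        for name, value in params:
            vendors, markers = classify_value(value)
            has_quote = "'" in value
            if not markers and not has_quote:
                continue
            # An apostrophe alone is weak evidence (names like O'Reilly); it becomes
            # strong when it coincides with a server error, which is exactly the
            # error-message observation step of the testing algorithm.
            severity = "strong" if markers or (has_quote and status >= 500) else "weak"
            findings.append({"ip": ip, "param": name, "value": value, "status": status,
                             "vendors": sorted(set(vendors)), "severity": severity})
    return findings


def strong_sources(lines):
    """Client addresses with at least one strong finding, for follow-up."""
    return sorted({f["ip"] for f in scan_log(lines) if f["severity"] == "strong"})


if __name__ == "__main__":
    for f in scan_log(LOG_LINES):
        print(f)
    print("follow up on:", strong_sources(LOG_LINES))
```

The MS-SQL concatenation probe 'serv'+'ices' cannot be recognised this way because + decodes to a space before the application sees it, so a rule on the decoded value would need the raw query string; the error-status rule is what catches the single-quote test on the second sample line.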
Testing for SQL Injection Bugs
Three Main Methods:
• Injecting into String Data
• Injecting into Numeric Data
• Injecting into Query Structure
Injecting Into String Data
• String data is encapsulated in single quotation marks
• Need to break out of these quotation marks
  o ex. Wiley' OR 'a'='a
• Preliminary Steps to Test:
  o Submit a single quotation mark to see if an error occurs
  o Submit two quotation marks (escape sequence) and look for an error or odd behavior
  o Try the SQL concatenation techniques discussed earlier; if no different behavior is detected, the input is possibly vulnerable
Injecting Into Numeric Data
• Query may use numbers as strings, so try the string data methods first
• Remember to encode certain characters
• Steps to Test:
  o Supply a mathematical expression equivalent to the number (responds the same way = possibly vulnerable)
  o Use more complicated expressions that use SQL keywords
  o ASCII functions are useful for testing:
      67-ASCII('A')
      51-ASCII(1)
Injecting Into Query Structure
• Determine the Type of Statement
  o SELECT Statements
  o INSERT Statements
  o UPDATE Statements
  o DELETE Statements
  o UNION Operator (more of a technique)
SELECT Statements
• Frequently used when returning data based on the user's actions
• Attack entry point is usually the statement's WHERE clause
• Correct Example:
  o SELECT author,title,year FROM books WHERE publisher = 'Wiley'
• Malicious Example:
  o Input into web form: Wiley' OR 1=1--
  o SELECT author,title,year FROM books WHERE publisher = 'Wiley' OR 1=1--
INSERT Statements
• Used to create a new row of data in a table
• Example: Web app that allows users to self register
• Correct Example:
  o INSERT INTO users (username, password, privs) VALUES ('daf','secret',1)
• Malicious Example:
  o Input into web form: foo','bar',0)--
  o INSERT INTO users (username, password, privs) VALUES ('foo','bar',0)--
  o MUST contain the correct number of data types!
UPDATE Statements
• Used to modify one or more rows of existing data in a table
• Correct Example:
  o UPDATE users SET password='newsecret' WHERE user='brad' and password='secret'
• Malicious Example:
  o Input into web form: admin'--
  o UPDATE users SET password='newsecret' WHERE user='admin'--
• This example bypasses the password check & changes the admin password!
DELETE Statements
• Used to delete one or more rows of data in a table
• Can corrupt the entire table or database
• Correct Example:
  o DELETE from users WHERE uid='brad'
• Malicious Example:
  o Input into web form: ' OR ' '='
  o DELETE from users WHERE uid=' ' OR ' '=' '
• This example deletes all user IDs in the users table!
UNION Operator
• Used to combine the results of two or more SELECT statements into a single result set
• Supported by all major DBMS products
• Fastest way to retrieve arbitrary information when query results are returned
• Point of attack is usually the WHERE clause of a SELECT statement
• Additional SELECT statement must contain the correct number of data types
UNION Operator cont.
• Example SELECT statement before:
  o SELECT author,title,year FROM books WHERE publisher ='Wiley' (where Wiley was submitted)
• Input into web form:
  o Wiley' UNION SELECT username,password,uid FROM users--
• Returns a dataset containing both the authors,titles,years and the usernames,passwords,uids in one table
• This example only works if the users table has three columns
Advanced Techniques
• Out-of-Band Communication
• Bypassing Filters
• Using Comments & Circumventing Validation
• Second Order SQL Injection
• Retrieving Data as Numbers
Escalating Attacks
• Most applications employ one account for database access
• Rely on application-layer controls to enforce segregation of access
• Already have the data, why escalate?
  o Gain access to other hosted application data
  o Compromise the OS of the database server
  o Gain network access to reach other systems
  o Establish a network connection to the attacker's own system for faster data retrieval
  o Include own functions to enhance DB capabilities
Some Tools Used in SQL Exploitation
• Absinthe - Automated Blind SQL Injection Tool
• SQLMap - Automatic SQL Injection Tool
Preventing SQL Injection
• Validate input!
• Escape certain characters and words
• Use Stored Procedures to help
  o This does not completely solve the problem
• Parameterized Queries
  o AKA: prepared statements
  o Application specifies the query's structure
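To make the prevention bullets concrete, here is an added example (not code from the presentation or from the handbook) using Python's sqlite3 module with a constructed books/users schema modelled on the slides' examples. It builds the SELECT and UPDATE statements from the slides three ways: by string concatenation (the vulnerable form), with quote-escaping, and as a parameterized query, and runs the slides' own inputs Wiley' OR 1=1-- and admin'-- through each. The numeric case shows why escaping alone is not enough: year = 2011 OR 1=1 contains no quote to escape, so only validation plus binding stops it. The function names and sample rows are assumptions made for this example.

```python
import sqlite3

# Constructed sample data modelled on the slides' books/users examples
# (not a dataset from the presentation).
SCHEMA = """
CREATE TABLE books (author TEXT, title TEXT, year INTEGER, publisher TEXT);
INSERT INTO books VALUES ('Stuttard', 'Web Application Hacker''s Handbook', 2011, 'Wiley');
INSERT INTO books VALUES ('Doe', 'Some Other Book', 2009, 'OtherPress');
CREATE TABLE users (username TEXT, password TEXT, privs INTEGER);
INSERT INTO users VALUES ('admin', 'secret', 0);
INSERT INTO users VALUES ('brad', 'secret', 1);
"""


def fresh_db():
    """In-memory database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


# --- string context ---------------------------------------------------------
def books_concat(conn, publisher):
    # Vulnerable: the input is spliced into the SQL text, so a quote ends the
    # literal and the rest of the input becomes query structure.
    sql = "SELECT author,title,year FROM books WHERE publisher = '" + publisher + "'"
    return conn.execute(sql).fetchall()


def books_escaped(conn, publisher):
    # Escaping: doubling quotes keeps the input inside the literal. It works in
    # this string context, but only if applied correctly at every call site.
    safe = publisher.replace("'", "''")
    sql = "SELECT author,title,year FROM books WHERE publisher = '" + safe + "'"
    return conn.execute(sql).fetchall()


def books_param(conn, publisher):
    # Parameterized (prepared) query: the application fixes the structure and the
    # driver binds the input purely as data.
    sql = "SELECT author,title,year FROM books WHERE publisher = ?"
    return conn.execute(sql, (publisher,)).fetchall()


# --- numeric context --------------------------------------------------------
def books_by_year_concat(conn, year):
    # Vulnerable, and quote-escaping cannot help: a numeric literal is unquoted.
    return conn.execute("SELECT author,title,year FROM books WHERE year = " + year).fetchall()


def books_by_year_param(conn, year):
    # Validate (digits only) and bind as an integer; anything else is rejected.
    if not year.strip().isdigit():
        return []
    sql = "SELECT author,title,year FROM books WHERE year = ?"
    return conn.execute(sql, (int(year),)).fetchall()


# --- UPDATE (the slides' password-change example) ---------------------------
def change_password_concat(conn, username, old, new):
    # Vulnerable: username admin'-- comments out the password check.
    sql = ("UPDATE users SET password='" + new + "' WHERE username='" + username
           + "' AND password='" + old + "'")
    return conn.execute(sql).rowcount


def change_password_param(conn, username, old, new):
    # Bound values cannot alter the WHERE clause, so the old password is enforced.
    sql = "UPDATE users SET password=? WHERE username=? AND password=?"
    return conn.execute(sql, (new, username, old)).rowcount


def stored_password(conn, username):
    return conn.execute("SELECT password FROM users WHERE username=?", (username,)).fetchone()[0]


if __name__ == "__main__":
    db = fresh_db()
    print("concat  :", books_concat(db, "Wiley' OR 1=1--"))
    print("escaped :", books_escaped(db, "Wiley' OR 1=1--"))
    print("param   :", books_param(db, "Wiley' OR 1=1--"))
    print("numeric :", books_by_year_concat(db, "2011 OR 1=1"))
    print("rows changed by admin'-- :", change_password_concat(db, "admin'--", "", "pwned"))
```

Binding protects values only; table and column names cannot be bound, so any query whose structure depends on input still needs the structure chosen from a fixed allow-list. SQLite's quoting and -- comment handling behave as the slides describe for these inputs, which is why the concatenated forms reproduce the slides' results.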
Summary, Comments and Questions
• Attacking Data Stores can be done in a variety of ways
• Protecting Data Stores is of utmost importance
• Understanding how these attacks take place enables one to better protect against them
• Questions and Comments.........