Chapter 15: Databases and Storage Systems

A case study in hacking databases with Chip Andrews

The Situation

During a routine penetration test, Mr. Andrews performed the obligatory Google searches, domain name research, operating system fingerprinting, and port scans, but this particular website was locked down tight. Moving on to the web-based application running on the system, he was immediately confronted with a login page using SSL-encrypted forms authentication. By checking the source of the web page, he noticed that a hidden App_Name field was being passed to the application whenever a user attempted to log in to the site. Could it be that the developers might have failed to perform proper input validation on this innocent-looking parameter? The hunt was on.
The Outcome

First, it was time to assemble the toolkit. At the time of this penetration test, Mr. Andrews preferred to use the following: Paros Proxy, Absinthe, Cain & Abel, Data Thief, and Microsoft SQL Server Management Studio/SQL Server (Express Edition), all of which are available free. For starters, he used Paros Proxy to gain more control over, and visibility into, the web requests made to the web server. After spidering the site for available pages and performing a quick vulnerability check for SQL injection, it was confirmed that the App_Name parameter caused the application to throw an Error 500 exception, indicating an application failure. Penetration tests are one of the rare occasions when an application failure is a desirable outcome.
Because the application failure indicated that Mr. Andrews could inject unintended characters into the SQL code being sent from the application to the database, he could test whether it was an exploitable condition. A common test that works with Microsoft SQL Server databases is to inject a command, such as WAITFOR DELAY '00:00:10', which causes the database server to stall for 10 seconds. In an application that normally returns a page in one second or less, a consistent 10-second delay is a good indicator that you can inject commands into the SQL stream.
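The defect behind the Error 500 and the 10-second stall is a query assembled by string concatenation from the hidden App_Name field. The following is an added illustration, not code from the original page or from Mr. Andrews: the vulnerable lookup beside its parameterised and allow-listed form. sqlite3 stands in for Microsoft SQL Server so that the example runs offline; the apps table, its rows, and all function names are assumptions.

```python
import sqlite3

# Constructed stand-in for the application's database (assumption: the case
# study targets Microsoft SQL Server; sqlite3 is used only so this runs offline).
ALLOWED_APP_NAMES = frozenset({"portal", "billing"})


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE apps (app_name TEXT PRIMARY KEY, login_url TEXT)")
    conn.executemany(
        "INSERT INTO apps VALUES (?, ?)",
        [("portal", "/portal/login"), ("billing", "/billing/login")],
    )
    return conn


def lookup_app_vulnerable(conn: sqlite3.Connection, app_name: str) -> list:
    # The hidden App_Name value is concatenated straight into the statement,
    # so the client controls the query's structure, not just a compared value.
    sql = "SELECT app_name FROM apps WHERE app_name = '" + app_name + "'"
    return [row[0] for row in conn.execute(sql)]


def handle_login_vulnerable(conn: sqlite3.Connection, app_name: str) -> int:
    # HTTP status the vulnerable page would return: a malformed statement
    # raises inside the driver, which surfaces as the Error 500 that was the
    # case study's first signal that the parameter reached the database.
    try:
        lookup_app_vulnerable(conn, app_name)
        return 200
    except sqlite3.OperationalError:
        return 500


def lookup_app_safe(conn: sqlite3.Connection, app_name: str) -> list:
    # Parameterised query: the value travels separately from the SQL text, so
    # whatever the client puts in App_Name is compared as a literal string.
    sql = "SELECT app_name FROM apps WHERE app_name = ?"
    return [row[0] for row in conn.execute(sql, (app_name,))]


def validate_app_name(app_name: str) -> str:
    # Defence in depth: a hidden form field is still attacker-controlled input,
    # so reject anything outside the known set before it reaches the database.
    if app_name not in ALLOWED_APP_NAMES:
        raise ValueError("unknown App_Name")
    return app_name


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, bad quote :", handle_login_vulnerable(db, "portal'"))
    print("safe, same input      :", lookup_app_safe(db, "portal'"))
```

The two lookups behave identically for legitimate values; they diverge only on input that was never meant to be an application name, which is exactly the case a hidden field invites because the developer assumes nobody edits it.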
Next, Mr. Andrews attempted to use the Data Thief tool to attack the login page. This tool attempts to force the database to use an OPENROWSET command to copy data from the target database to Mr. Andrews’s database located on the Internet. This is usually a very efficient way to siphon large amounts of data from vulnerable databases, but in this case, his attack was foiled! The database administrator at the target had disabled the OPENROWSET functionality by properly configuring the Disable Adhoc Distributed Queries option.
With diligence as his watchword, Mr. Andrews persisted with the next tool — Absinthe. This tool uses a technique called blind SQL injection to make determinations about data using simple yes or no questions of the database. For example, the tool might ask the database whether the first letter of a table is less than “L.” If yes, the application might do nothing, but if no, the application might throw an exception. Using this simple binary logic, it is possible to use this technique to reveal the entire database structure and even the data stored inside — albeit very slowly. Using the tool, he identified a table of sensitive customer information and downloaded several hundred records to show the client.
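Both signals the case study relies on leave a trace in the web server's access log: the WAITFOR DELAY probe shows up as one request that takes roughly ten seconds against a sub-second baseline, and blind injection shows up as a run of near-identical requests from one client whose App_Name value varies only in a comparison and whose responses split between success and a 500. The following is an added example of detection logic over a constructed log excerpt; it is not from the original page or from any tool named there, and the log format, client addresses, timestamps, and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed access-log excerpt (assumption, not from the page). One record per
# line: timestamp client method path status latency_ms App_Name=<posted value>
SAMPLE_LOG = """\
2011-03-01T10:00:01 198.51.100.20 POST /login 200 110 App_Name=portal
2011-03-01T10:00:04 198.51.100.21 POST /login 200 95 App_Name=billing
2011-03-01T10:00:06 198.51.100.22 POST /login 200 120 App_Name=portal
2011-03-01T10:00:07 198.51.100.23 POST /login 200 98 App_Name=portla
2011-03-01T10:00:09 203.0.113.7 POST /login 200 10210 App_Name=portal';WAITFOR DELAY '00:00:10'--
2011-03-01T10:01:00 203.0.113.7 POST /login 500 101 App_Name=portal' AND 'T'<'L'--
2011-03-01T10:01:01 203.0.113.7 POST /login 200 99 App_Name=portal' AND 'T'<'U'--
2011-03-01T10:01:02 203.0.113.7 POST /login 500 103 App_Name=portal' AND 'T'<'F'--
2011-03-01T10:01:03 203.0.113.7 POST /login 200 97 App_Name=portal' AND 'T'<'Z'--
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<path>\S+) "
    r"(?P<status>\d{3}) (?P<latency>\d+) App_Name=(?P<app>.*)$"
)

# Values the application legitimately posts in the hidden field (assumption).
ALLOWED_APP_NAMES = frozenset({"portal", "billing"})


def parse_log(text: str) -> list:
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            rec["latency"] = int(rec["latency"])
            records.append(rec)
    return records


def find_time_based_probes(records: list, factor: int = 10) -> list:
    """Flag requests with an unexpected App_Name whose latency is far above the
    per-path baseline, or that carry a WAITFOR keyword outright.
    Returns (client, timestamp, latency_ms) tuples."""
    baseline = defaultdict(list)
    for r in records:
        if r["app"] in ALLOWED_APP_NAMES:  # baseline from legitimate traffic only
            baseline[r["path"]].append(r["latency"])
    hits = []
    for r in records:
        if r["app"] in ALLOWED_APP_NAMES:
            continue
        base = median(baseline[r["path"]]) if baseline[r["path"]] else None
        slow = base is not None and r["latency"] >= factor * base
        if slow or "waitfor" in r["app"].lower():
            hits.append((r["client"], r["ts"], r["latency"]))
    return hits


def find_boolean_probes(records: list, min_values: int = 4) -> list:
    """Flag (client, path) pairs that sent many distinct non-allow-listed values
    and received both 200 and 500 responses, the yes/no oracle pattern."""
    per_key = defaultdict(lambda: {"values": set(), "statuses": set()})
    for r in records:
        if r["app"] in ALLOWED_APP_NAMES:
            continue
        key = (r["client"], r["path"])
        per_key[key]["values"].add(r["app"])
        per_key[key]["statuses"].add(r["status"])
    return [key for key, v in per_key.items()
            if len(v["values"]) >= min_values and {200, 500} <= v["statuses"]]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("time-based probes:", find_time_based_probes(recs))
    print("boolean probes   :", find_boolean_probes(recs))
```

The single mistyped value from 198.51.100.23 is not flagged by either rule: one odd value with a normal latency is noise, whereas the oracle pattern needs both volume and a success/failure split. The 500s themselves are the cheapest thing to alert on, since a login page that throws on its own hidden field should never do so in production.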
(continued)
307