Web Application Penetration Testing
In this example the tester is checking whether the MySQL version is 5.x or not, making the server delay the answer by 10 seconds. The tester can increase the delay time and monitor the responses. The tester also doesn't need to wait for the response: sometimes he can set a very high value (e.g. 100) and cancel the request after some seconds.
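The defender's counterpart to the time-based technique above, as an added example that is not part of the guide: a small Python scanner that reads constructed web-server access-log lines, decodes the request path, looks for the delay primitives of the common DBMSs (MySQL sleep() and benchmark(), PostgreSQL pg_sleep(), SQL Server WAITFOR DELAY) and compares the delay the payload asks for with the response time the server recorded. A recorded delay that matches the requested one is strong evidence the injection reached the database; a mismatch still records the attempt, because, as the text notes, the tester may cancel the request before the delay elapses. The log format with a trailing response-time field, the sample lines, the client addresses and the function names are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import unquote_plus

# Constructed access-log lines (not from the guide). Assumed format: Apache-style
# common log with one extra trailing field holding the response time in seconds.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512 0.021
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /item.php?id=1%20AND%20IF(version()%20like%20'5%25',sleep(10),0) HTTP/1.1" 200 512 10.034
203.0.113.7 - - [10/Oct/2023:13:55:58 +0000] "GET /item.php?id=1%20AND%20IF(version()%20like%20'4%25',sleep(10),0) HTTP/1.1" 200 512 0.019
198.51.100.2 - - [10/Oct/2023:13:56:02 +0000] "GET /item.php?id=1;%20WAITFOR%20DELAY%20'0:0:5'-- HTTP/1.1" 500 0 5.010
198.51.100.9 - - [10/Oct/2023:13:56:05 +0000] "GET /search.php?q=sleepy+cat HTTP/1.1" 200 2048 0.030
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) \S+" (\d{3}) \S+ ([\d.]+)$')

# (kind, pattern, function turning the match into the delay the payload requests;
#  None when the primitive has no fixed duration, e.g. benchmark())
TIME_PAYLOADS = [
    ("mysql-sleep", re.compile(r"\bsleep\s*\(\s*(\d+(?:\.\d+)?)", re.I),
     lambda m: float(m.group(1))),
    ("postgres-pg_sleep", re.compile(r"\bpg_sleep\s*\(\s*(\d+(?:\.\d+)?)", re.I),
     lambda m: float(m.group(1))),
    ("mssql-waitfor", re.compile(r"\bwaitfor\s+delay\s+'(\d+):(\d+):(\d+)", re.I),
     lambda m: int(m.group(1)) * 3600 + int(m.group(2)) * 60 + int(m.group(3))),
    ("mysql-benchmark", re.compile(r"\bbenchmark\s*\(\s*\d+\s*,", re.I),
     lambda m: None),
]


@dataclass
class Finding:
    client: str
    path: str                   # decoded request path
    kind: str                   # which delay primitive was seen
    expected: Optional[float]   # seconds the payload asks the DBMS to wait
    observed: float             # seconds the server actually took
    confirmed: bool             # observed delay matches the requested one


def classify_request(decoded_path: str) -> Optional[Tuple[str, Optional[float]]]:
    """Return (kind, requested delay) if the path carries a time-based payload."""
    for kind, pattern, delay_of in TIME_PAYLOADS:
        m = pattern.search(decoded_path)
        if m:
            return kind, delay_of(m)
    return None


def scan_log(text: str, tolerance: float = 0.9) -> List[Finding]:
    """Flag every request carrying a delay primitive; mark it confirmed when the
    server's response time reached at least `tolerance` of the requested delay."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, raw_path, _status, elapsed = m.groups()
        decoded = unquote_plus(raw_path)
        hit = classify_request(decoded)
        if hit is None:
            continue
        kind, expected = hit
        observed = float(elapsed)
        confirmed = expected is not None and observed >= expected * tolerance
        findings.append(Finding(client, decoded, kind, expected, observed, confirmed))
    return findings


def probing_clients(findings: List[Finding]) -> List[str]:
    """Distinct client addresses that sent at least one time-based payload."""
    return sorted({f.client for f in findings})


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.client} {f.kind} requested={f.expected} observed={f.observed} "
              f"confirmed={f.confirmed}")
    print("clients:", probing_clients(scan_log(SAMPLE_LOG)))
```

The word-boundary anchors matter: a search for "sleepy cat" is not flagged, while a sleep() inside an IF() expression is. A confirmed finding is the one to escalate first, since it shows the database executed attacker-controlled SQL; unconfirmed ones still identify the client and parameter being probed.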
Stored Procedure Injection
When using dynamic SQL within a stored procedure, the application must properly sanitize the user input to eliminate the risk of code injection. If not sanitized, the user could enter malicious SQL that will be executed within the stored procedure.
Consider the following SQL Server Stored Procedure:
Create procedure user_login @username varchar(20), @passwd varchar(20)
As
Declare @sqlstring varchar(250)
Set @sqlstring = ' Select 1 from users Where username = ' + @username + ' and passwd = ' + @passwd
exec(@sqlstring)
Go
User input: anyusername or 1=1' anypassword
This procedure does not sanitize the input, therefore allowing the return value to show an existing record with these parameters.
NOTE: This example may seem unlikely due to the use of dynamic SQL to log in a user, but consider a dynamic reporting query where the user selects the columns to view. The user could insert malicious code into this scenario and compromise the data.
Consider the following SQL Server Stored Procedure:
Create procedure get_report @columnamelist varchar(7900)
As
Declare @sqlstring varchar(8000)
Set @sqlstring = ' Select ' + @columnamelist + ' from ReportTable'
exec(@sqlstring)
Go
User input:
1 from users; update users set password = 'password'; select *
This will result in the report running and all users' passwords being updated.
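Both stored procedures above rebuilt in Python on an in-memory SQLite database, as an added example that is not from the guide, so the two failure modes (login bypass, stacked UPDATE through a column list) and their fixes can be run locally. The vulnerable functions splice user input into the statement text exactly as the procedures do; SQLite's executescript() stands in for SQL Server's exec() running the string as a batch. The hardened login binds the values as parameters, and the hardened report accepts column names only from an allowlist, because an identifier cannot be a bound parameter. The table layout, sample rows, payload strings and function names are constructed for this example.

```python
import sqlite3
from typing import Dict, List, Sequence, Tuple


# Constructed schema and rows; SQLite stands in for SQL Server here.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, passwd TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.execute("CREATE TABLE ReportTable (id INTEGER, amount INTEGER)")
    conn.execute("INSERT INTO ReportTable VALUES (1, 100)")
    return conn


# --- user_login: dynamic SQL built from the raw inputs, as in the guide's procedure ---
def user_login_dynamic(conn: sqlite3.Connection, username: str, passwd: str) -> bool:
    sql = ("SELECT 1 FROM users WHERE username = '" + username
           + "' AND passwd = '" + passwd + "'")
    return conn.execute(sql).fetchone() is not None


# Hardened form: the values travel as bound parameters, never as statement text,
# so a quote or comment sequence in the input stays data.
def user_login_safe(conn: sqlite3.Connection, username: str, passwd: str) -> bool:
    sql = "SELECT 1 FROM users WHERE username = ? AND passwd = ?"
    return conn.execute(sql, (username, passwd)).fetchone() is not None


# --- get_report: a column list cannot be a bound parameter, so it must be validated ---
REPORT_COLUMNS = {"id", "amount"}   # the only identifiers the report may select


def get_report_dynamic(conn: sqlite3.Connection, columnamelist: str) -> None:
    # SQL Server's exec(@sqlstring) runs the whole string as a batch, so stacked
    # statements in the input run too. sqlite3's execute() refuses more than one
    # statement; executescript() reproduces the batch behaviour for this demo.
    conn.executescript("SELECT " + columnamelist + " FROM ReportTable")


def get_report_safe(conn: sqlite3.Connection, columns: Sequence[str]) -> List[Tuple]:
    unknown = [c for c in columns if c not in REPORT_COLUMNS]
    if unknown:
        raise ValueError("unknown report column(s): %r" % unknown)
    # Every identifier now comes from the allowlist, so quoting and joining is safe.
    sql = "SELECT " + ", ".join('"%s"' % c for c in columns) + " FROM ReportTable"
    return conn.execute(sql).fetchall()


def run_demo() -> Dict[str, object]:
    """Exercise both procedures against a constructed bypass and a stacked statement."""
    conn = make_db()
    bypass = "x' OR 1=1--"                                             # constructed
    stacked = "1 FROM users; UPDATE users SET passwd = 'password'; SELECT *"  # constructed
    out: Dict[str, object] = {
        "dynamic_login_bypassed": user_login_dynamic(conn, bypass, "whatever"),
        "safe_login_bypassed": user_login_safe(conn, bypass, "whatever"),
        "safe_login_valid_user": user_login_safe(conn, "alice", "s3cret"),
        "safe_report_rows": get_report_safe(conn, ["id", "amount"]),
    }
    try:
        get_report_safe(conn, [stacked])
        out["safe_report_rejected"] = False
    except ValueError:
        out["safe_report_rejected"] = True
    get_report_dynamic(conn, stacked)   # the stacked UPDATE runs inside the batch
    out["passwords_after_dynamic_report"] = sorted(
        row[0] for row in conn.execute("SELECT passwd FROM users"))
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "=", value)
```

The report case is the instructive one: parameterisation alone does not help when the untrusted value is an identifier, so the fix is a closed allowlist checked before the statement is assembled. On SQL Server the same idea applies to the procedure itself: validate the column names against a known set and pass values through sp_executesql parameters rather than concatenation.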
Automated Exploitation
Most of the situations and techniques presented here can be performed in an automated way using tools. In this article the tester can find information on how to perform an automated audit using SQLMap:
https://www.owasp.org/index.php/Automated_Audit_using_SQLMap
Tools
• SQL Injection Fuzz Strings (from wfuzz tool) - https://wfuzz.googlecode.com/svn/trunk/wordlist/Injections/SQL.txt
• OWASP SQLiX
• Francois Larouche: Multiple DBMS SQL Injection tool - SQL Power Injector
• ilo--, Reversing.org - sqlbftools
• Bernardo Damele A. G.: sqlmap, automatic SQL injection tool - http://sqlmap.org/
• icesurfer: SQL Server Takeover Tool - sqlninja
• Pangolin: Automated SQL Injection Tool - Pangolin
• Muhaimin Dzulfakar: MySqloit, MySql Injection takeover tool - http://code.google.com/p/mysqloit/
• Antonio Parata: Dump Files by SQL inference on Mysql - SqlDumper
• bsqlbf, a blind SQL injection tool in Perl
References
• Top 10 2013-A1-Injection
• SQL Injection
Technology-specific Testing Guide pages have been created for the following DBMSs:
• Oracle
• MySQL
• SQL Server
Whitepapers
• Victor Chapela: “Advanced SQL Injection” - http://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt
• Chris Anley: “Advanced SQL Injection In SQL Server Applications” - https://sparrow.ece.cmu.edu/group/731-s11/readings/anley-sql-inj.pdf
• Chris Anley: “More Advanced SQL Injection” - http://www.encription.co.uk/downloads/more_advanced_sql_injection.pdf
• David Litchfield: “Data-mining with SQL Injection and Inference” - http://www.databasesecurity.com/webapps/sqlinference.pdf
• Imperva: “Blinded SQL Injection” - https://www.imperva.com/lg/lgw.asp?pid=369
• Ferruh Mavituna: “SQL Injection Cheat Sheet” - http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
• Kevin Spett from SPI Dynamics: “SQL Injection” - https://docs.google.com/file/d/0B5CQOTY4YRQCSWRHNkNaaFMyQTA/edit
• Kevin Spett from SPI Dynamics: “Blind SQL Injection” - http://www.net-security.org/dl/articles/Blind_SQLInjection.pdf
Testing for Oracle
Summary
Web based PL/SQL applications are enabled by the PL/SQL Gateway, which is the component that translates web requests into database queries. Oracle has developed a number of software implementations, ranging from the early web listener product to the Apache mod_plsql module to the XML Database (XDB) web server. All have their own quirks and issues, each of which will be thoroughly investigated in this chapter. Products that use the PL/SQL Gateway include, but are not limited to, the Oracle HTTP Server, eBusiness Suite, Portal, HTMLDB, WebDB and Oracle Application Server.
How to Test
How the PL/SQL Gateway works
Essentially the PL/SQL Gateway simply acts as a proxy server: it takes the user's web request and passes it on to the database server, where it is executed.
[1] The web server accepts a request from a web client and determines if it should be processed by the PL/SQL Gateway.
[2] The PL/SQL Gateway processes the request by extracting the requested package name, procedure, and variables.
[3] The requested package and procedure are wrapped in a block of anonymous PL/SQL, and sent to the database server.
[4] The database server executes the procedure and sends the results back to the Gateway as HTML.
[5] The gateway sends the response, via the web server, back to the client.
Understanding this point is important - the PL/SQL code does not exist on the web server but, rather, in the database server. This means that any weaknesses in the PL/SQL Gateway or any weaknesses in the PL/SQL application, when exploited, give an attacker direct access to the database server; no amount of firewalls will prevent this.
URLs for PL/SQL web applications are normally easily recognizable and generally start with the following (xyz can be any string and represents a Database Access Descriptor, which you will learn more about later):
http://www.example.com/pls/xyz
http://www.example.com/xyz/owa
http://www.example.com/xyz/plsql
While the second and third of these examples represent URLs from older versions of the PL/SQL Gateway, the first is from more recent versions running on Apache. In the plsql.conf Apache configuration file, /pls is the default, specified as a Location with the PLS module as the handler. The location need not be /pls, however. The absence of a file extension in a URL could indicate the presence of the Oracle PL/SQL Gateway. Consider the following URL:
http://www.server.com/aaa/bbb/xxxxx.yyyyy
If xxxxx.yyyyy were replaced with something along the lines of “ebank.home,” “store.welcome,” “auth.login,” or “books.search,” then there's a fairly strong chance that the PL/SQL Gateway is being used. It is also possible to precede the requested package and procedure with the name of the user that owns it - i.e. the schema - in this case the user is “webuser”:
http://www.server.com/pls/xyz/webuser.pkg.proc
In this URL, xyz is the Database Access Descriptor, or DAD. A DAD specifies information about the database server so that the PL/SQL Gateway can connect. It contains information such as the TNS connect string, the user ID and password, authentication methods, and so on. These DADs are specified in the dads.conf Apache configuration file in more recent versions or the wdbsvr.app file in older versions. Some default DADs include the following:
SIMPLEDAD
HTMLDB
ORASSO
SSODAD
PORTAL
PORTAL2
PORTAL30
PORTAL30_SSO
TEST
DAD
APP
ONLINE
DB
OWA
Determining if the PL/SQL Gateway is running
When performing an assessment against a server, it's important first to know what technology you're actually dealing with. If you don't already know, for example, in a black box assessment scenario, then the first thing you need to do is work this out. Recognizing a web based PL/SQL application is pretty easy. First, there is the format of the URL and what it looks like, discussed above. Beyond that there are a set of simple tests that can be performed to test for the existence of the PL/SQL Gateway.
Server response headers
The web server's response headers are a good indicator as to whether the server is running the PL/SQL Gateway. The table below lists some of the typical server response headers:
Oracle-Application-Server-10g
Oracle-Application-Server-10g/10.1.2.0.0 Oracle-HTTP-Server
Oracle-Application-Server-10g/9.0.4.1.0 Oracle-HTTP-Server
Oracle-Application-Server-10g OracleAS-Web-Cache-10g/9.0.4.2.0 (N)
Oracle-Application-Server-10g/9.0.4.0.0
Oracle HTTP Server Powered by Apache
Oracle HTTP Server Powered by Apache/1.3.19 (Unix) mod_plsql/3.0.9.8.3a
Oracle HTTP Server Powered by Apache/1.3.19 (Unix) mod_plsql/3.0.9.8.3d
Oracle HTTP Server Powered by Apache/1.3.12 (Unix) mod_plsql/3.0.9.8.5e
Oracle HTTP Server Powered by Apache/1.3.12 (Win32) mod_plsql/3.0.9.8.5e
Oracle HTTP Server Powered by Apache/1.3.19 (Win32) mod_plsql/3.0.9.8.3c
Oracle HTTP Server Powered by Apache/1.3.22 (Unix) mod_plsql/3.0.9.8.3b
Oracle HTTP Server Powered by Apache/1.3.22 (Unix) mod_plsql/9.0.2.0.0
Oracle_Web_Listener/4.0.7.1.0EnterpriseEdition
Oracle_Web_Listener/4.0.8.2EnterpriseEdition
Oracle_Web_Listener/4.0.8.1.0EnterpriseEdition
Oracle_Web_listener3.0.2.0.0/2.14FC1
Oracle9iAS/9.0.2 Oracle HTTP Server
Oracle9iAS/9.0.3.1 Oracle HTTP Server
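The recognition rules from this section (the three URL shapes, the package.procedure heuristic, the default DAD list and the Server header banners) turned into code, as an added Python example that is not part of the guide. It is written for a defender reviewing their own inventory: given the Server header a host returns and the paths seen in its logs, it reports whether the host identifies itself as a PL/SQL Gateway (and which component and version the banner leaks) and whether requests are being served under a DAD that ships with the product. The regular expressions, the "strong"/"likely"/"none" confidence labels and the file-extension list used to rule out ordinary files are assumptions made for this example.

```python
import re
from typing import Dict, Optional, Tuple

# Default DAD names from the guide's list; a gateway answering under one of
# these is exposing a descriptor that shipped with the product.
DEFAULT_DADS = {"SIMPLEDAD", "HTMLDB", "ORASSO", "SSODAD", "PORTAL", "PORTAL2",
                "PORTAL30", "PORTAL30_SSO", "TEST", "DAD", "APP", "ONLINE", "DB", "OWA"}

# Most specific signature first: a mod_plsql token is stronger evidence of the
# gateway than a bare Oracle HTTP Server banner. Patterns are assumptions
# derived from the banners listed in the guide.
HEADER_SIGNATURES = [
    ("mod_plsql", re.compile(r"mod_plsql/([\w.]+)", re.I)),
    ("Oracle_Web_Listener", re.compile(r"Oracle_Web_Listener/?([\d.]+)", re.I)),
    ("Oracle-Application-Server", re.compile(r"Oracle-Application-Server-10g(?:/([\d.]+))?", re.I)),
    ("Oracle9iAS", re.compile(r"Oracle9iAS/([\d.]+)", re.I)),
    ("Oracle HTTP Server", re.compile(r"Oracle HTTP Server", re.I)),
]

# Path shapes named in the guide: /pls/<dad>/... on recent Apache-based gateways,
# /<dad>/owa/... and /<dad>/plsql/... on older ones.
URL_PATTERNS = [
    re.compile(r"^/pls/(?P<dad>[^/?]+)(?:/(?P<target>[^/?]+))?"),
    re.compile(r"^/(?P<dad>[^/?]+)/(?:owa|plsql)(?:/(?P<target>[^/?]+))?"),
]
# [schema.]package.procedure
TARGET_RE = re.compile(
    r"^(?:(?P<schema>[A-Za-z_]\w*)\.)?(?P<package>[A-Za-z_]\w*)\.(?P<procedure>[A-Za-z_]\w*)$")
# Suffixes that make "name.suffix" an ordinary file rather than package.procedure
COMMON_EXTENSIONS = {"html", "htm", "php", "asp", "aspx", "jsp", "js", "css", "png",
                     "jpg", "jpeg", "gif", "ico", "xml", "json", "txt", "pdf"}


def fingerprint_server_header(value: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (product, version) when the Server header matches a known Oracle banner."""
    for product, pattern in HEADER_SIGNATURES:
        m = pattern.search(value)
        if m:
            version = m.group(1) if m.groups() else None
            return product, version
    return None


def classify_url(path: str) -> Dict[str, object]:
    """Decide whether a request path looks like a PL/SQL Gateway call."""
    path = path.split("?", 1)[0]
    result: Dict[str, object] = {"dad": None, "schema": None, "package": None,
                                 "procedure": None, "default_dad": False,
                                 "confidence": "none"}
    for pattern in URL_PATTERNS:
        m = pattern.match(path)
        if m:
            result["dad"] = m.group("dad")
            result["default_dad"] = m.group("dad").upper() in DEFAULT_DADS
            result["confidence"] = "strong"        # a gateway prefix is present
            t = TARGET_RE.match(m.group("target") or "")
            if t:
                result.update(t.groupdict())
            return result
    # No gateway prefix: the guide's weaker signal is a final path segment of the
    # form package.procedure that carries no recognisable file extension.
    last = path.rstrip("/").rsplit("/", 1)[-1]
    t = TARGET_RE.match(last)
    if t and t.group("procedure").lower() not in COMMON_EXTENSIONS:
        result.update(t.groupdict())
        result["confidence"] = "likely"
    return result


if __name__ == "__main__":
    # Constructed inventory entries for the demo.
    for banner in ("Oracle HTTP Server Powered by Apache/1.3.19 (Unix) mod_plsql/3.0.9.8.3a",
                   "Oracle_Web_listener3.0.2.0.0/2.14FC1", "Apache/2.4.41 (Ubuntu)"):
        print(banner, "->", fingerprint_server_header(banner))
    for p in ("/pls/portal/webuser.pkg.proc", "/xyz/owa/ebank.home",
              "/aaa/bbb/ebank.home", "/images/logo.png"):
        print(p, "->", classify_url(p))
```

Two follow-ups fall out of the results: a host whose banner carries a mod_plsql or listener version is disclosing more than it needs to and the Server header should be trimmed, and any "strong" hit with default_dad set should be checked against the dads.conf (or wdbsvr.app) entry it maps to, since those descriptors hold the database credentials the gateway connects with.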
The NULL test
In PL/SQL, “null” is a perfectly acceptable expression:
SQL> BEGIN
  2  NULL;
  3  END;
  4  /
PL/SQL procedure successfully completed.
We can use this to test if the server is running the PL/SQL Gateway. Simply take the DAD and append NULL, then append NOSUCHPROC: