SQL Injection Attacks and Defense - 2009

Recommendations

Info

Contents xi LAPSE. .................................................. 127 Security Compass Web Application Analysis Tool (SWAAT).. . . . . . . . . . . . 128 Microsoft Source Code Analyzer for SQL Injection................... 128 Microsoft Code Analysis Tool .NET (CAT.NET)..................... 129 Commercial Source Code Review Tools.. . . . . . . . . . . . . . . . . . . . . . . . . . 129 Ounce.................................................... 131 Source Code Analysis.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131 CodeSecure.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132 Summary. ................................................... 133 Solutions Fast Track.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133 Frequently Asked Questions.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135 Chapter 4 Exploiting SQL Injection .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137 Introduction .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138 Understanding Common Exploit Techniques. ......................... 139 Using Stacked Queries.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141 Identifying the Database.......................................... 142 Non-Blind Fingerprint........................................ 142 Banner Grabbing.......................................... 144 Blind Fingerprint............................................ 146 Extracting Data through UNION Statements.. . . . . . . . . . . . . . . . . . . . . . . . . 148 Matching Columns. ......................................... 149 Matching Data Types .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151 Using Conditional Statements. .................................... 156 Approach 1: Time-based....................................... 157 Approach 2: Error-based....................................... 159 Approach 3: Content-based. ................................... 161 Working with Strings......................................... 161 Extending the Attack .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163 Using Errors for SQL Injection. ................................ 164 Error Messages in Oracle .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167 Enumerating the Database Schema.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170 SQL Server .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171 MySQL................................................... 177 Oracle.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180 Escalating Privileges............................................. 183 SQL Server .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184 Privilege Escalation on Unpatched Servers.. . . . . . . . . . . . . . . . . . . . . . 189 Oracle.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
xii Contents Stealing the Password Hashes .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192 SQL Server .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192 MySQL................................................... 194 Oracle.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194 Oracle Components. ...................................... 196 APEX. .............................................. 196 Oracle Internet Directory .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197 Out-of-Band Communication .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198 E-mail.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199 Microsoft SQL Server .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199 Oracle.................................................. 202 HTTP/DNS .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203 File System. ............................................... 203 SQL Server.............................................. 204 MySQL. ............................................... 207 Oracle.................................................. 208 Automating SQL Injection Exploitation.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208 Sqlmap. .................................................. 208 Sqlmap Example .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209 Bobcat.................................................... 211 BSQL .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212 Other Tools .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214 Summary. ................................................... 215 Solutions Fast Track.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215 Frequently Asked Questions.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218 Chapter 5 Blind SQL Injection Exploitation......................... 219 Introduction .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220 Finding and Confirming Blind SQL Injection. ........................ 221 Forcing Generic Errors........................................ 221 Injecting Queries with Side Effects............................... 222 Spitting and Balancing .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222 Common Blind SQL Injection Scenarios .. . . . . . . . . . . . . . . . . . . . . . . . . 225 Blind SQL Injection Techniques.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225 Inference Techniques.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226 Increasing the Complexity of Inference Techniques............... 230 Alternative Channel Techniques.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234 Using Time-Based Techniques. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235 Delaying Database Queries..................................... 235 MySQL Delays .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Page 2 and 3: Justin Clarke Lead Author and Techn
Page 4 and 5: Lead Author and Technical Editor Ju
Page 6 and 7: exploiting, and correcting software
Page 8 and 9: Dafydd Stuttard is the author of th
Page 10 and 11: Contents Chapter 1 What Is SQL Inje
Page 14 and 15: Contents xiii Generic MySQL Binary
Page 16 and 17: Contents xv Chapter 8 Code-Level De
Page 18 and 19: Contents xvii Increase the Verbosit
Page 20 and 21: Contents xix Ingres Cheat Sheet....
Page 22 and 23: Chapter 1 What Is SQL Injection? So
Page 24 and 25: What Is SQL Injection? • Chapter
Page 30 and 31: execute the query against the datab
Page 38 and 39: Incorrectly Handled Query Assembly
Page 40 and 41: } } reader = cmd.ExecuteReader(); r
Page 50 and 51: Chapter 2 Testing for SQL Injection
Page 52 and 53: Testing for SQL Injection • Chapt
Page 62 and 63:
Testing for SQL Injection • Chapt
Page 64 and 65:
SELECT * FROM products WHERE idprod
Page 66 and 67:
Page 68 and 69:
Page 70 and 71:
Page 72 and 73:
Page 74 and 75:
Page 76 and 77:
Page 78 and 79:
Page 80 and 81:
Page 82 and 83:
Page 84 and 85:
Page 86 and 87:
Page 88 and 89:
Page 90 and 91:
Page 92 and 93:
Figure 2.15 Exploitation Terminatin
Page 94 and 95:
Page 96 and 97:
Page 98 and 99:
Page 100 and 101:
Time Delays Testing for SQL Injecti
Page 102 and 103:
Page 104 and 105:
Page 106 and 107:
Page 108 and 109:
Page 110 and 111:
Page 112 and 113:
Summary Testing for SQL Injection
Page 114 and 115:
Page 116 and 117:
Chapter 3 Reviewing Code for SQL In
Page 118 and 119:
Reviewing Code for SQL Injection
Page 120 and 121:
Page 122 and 123:
Page 124 and 125:
Page 126 and 127:
Page 128 and 129:
mssql_bind() − adds a parameter t
Page 130 and 131:
OdbcCommand() − used to construct
Page 132 and 133:
Page 134 and 135:
Page 136 and 137:
Page 138 and 139:
Reviewing PL/SQL and T-SQL Code Rev
Page 140 and 141:
Page 142 and 143:
Page 144 and 145:
Page 146 and 147:
Page 148 and 149:
■■ ■■ ■■ ■■ URL: ht
Page 150 and 151:
■■ ■■ Platform: Windows Pri
Page 152 and 153:
Page 154 and 155:
Summary Reviewing Code for SQL Inje
Page 156 and 157:
Frequently Asked Questions Reviewin
Page 158 and 159:
Chapter 4 Exploiting SQL Injection
Page 160 and 161:
Exploiting SQL Injection • Chapte
Page 162 and 163:
Page 164 and 165:
Page 166 and 167:
Page 168 and 169:
Page 170 and 171:
Page 172 and 173:
Page 174 and 175:
Page 176 and 177:
Page 178 and 179:
Page 180 and 181:
Page 182 and 183:
Approach 3: Content-based Exploitin
Page 184 and 185:
Page 186 and 187:
Page 188 and 189:
Error Messages in Oracle Exploiting
Page 190 and 191:
Page 192 and 193:
Page 194 and 195:
Page 196 and 197:
Page 198 and 199:
MySQL Exploiting SQL Injection •
Page 200 and 201:
Such a query will return output sim
Page 202 and 203:
Page 204 and 205:
SELECT name,spare4 FROM sys.user$ w
Page 206 and 207:
Page 208 and 209:
[+] Bruteforcing the sa password. T
Page 210 and 211:
Page 212 and 213:
Page 214 and 215:
Page 216 and 217:
Page 218 and 219:
select user_name,web_password_raw f
Page 220 and 221:
Page 222 and 223:
Page 224 and 225:
HTTP/DNS Exploiting SQL Injection
Page 226 and 227:
Page 228 and 229:
Page 230 and 231:
Page 232 and 233:
Page 234 and 235:
Page 236 and 237:
Summary Exploiting SQL Injection
Page 238 and 239:
Escalating Privileges Exploiting SQ
Page 240 and 241:
Chapter 5 Blind SQL Injection Explo
Page 242 and 243:
Blind SQL Injection Exploitation
Page 244 and 245:
Page 246 and 247:
Common Blind SQL Injection Scenario
Page 248 and 249:
Page 250 and 251:
Page 252 and 253:
1. Is the byte greater than 127? No
Page 254 and 255:
Page 256 and 257:
Using Time-Based Techniques Blind S
Page 258 and 259:
Page 260 and 261:
Page 262 and 263:
Page 264 and 265:
Page 266 and 267:
Page 268 and 269:
Page 270 and 271:
Page 272 and 273:
Page 274 and 275:
Page 276 and 277:
Page 278 and 279:
SELECT * FROM unknowntable UNION SE
Page 280 and 281:
Page 282 and 283:
Page 284 and 285:
Figure 5.13 Extracting Database Log
Page 286 and 287:
Page 288 and 289:
Summary Blind SQL Injection Exploit
Page 290 and 291:
Page 292 and 293:
Chapter 6 Exploiting the Operating
Page 294 and 295:
Exploiting the Operating System •
Page 296 and 297:
Page 298 and 299:
Page 300 and 301:
Page 302 and 303:
Page 304 and 305:
Page 306 and 307:
[operating systems] multi(0)disk(0)
Page 308 and 309:
Figure 6.13 Enabling CLR Integratio
Page 310 and 311:
Oracle Exploiting the Operating Sys
Page 312 and 313:
) c / ) ) ), bfilename('GETPWDIR',
Page 314 and 315:
As expected, this creates sp.txt fi
Page 316 and 317:
Page 318 and 319:
Page 320 and 321:
2 443 [+] Calling msfpayload3 to c
Page 322 and 323:
DBMS_ADVISOR is probably the shorte
Page 324 and 325:
EXECUTE IMMEDIATE q'!drop directory
Page 326 and 327:
Microsoft SQL Server Exploiting the
Page 328 and 329:
Page 330 and 331:
Figure 6.22 Creating an UNSAFE Bina
Page 332 and 333:
Page 334 and 335:
Executing Operating System Commands
Page 336 and 337:
Endnotes Exploiting the Operating S
Page 338 and 339:
Chapter 7 Advanced Topics Solutions
Page 340 and 341:
Using Case Variation Advanced Topic
Page 342 and 343:
4. The application URL decodes the
Page 344 and 345:
Advanced Topics • Chapter 7 323 D
Page 346 and 347:
Advanced Topics • Chapter 7 325 I
Page 348 and 349:
Advanced Topics • Chapter 7 327 w
Page 350 and 351:
Advanced Topics • Chapter 7 329 N
Page 352 and 353:
Advanced Topics • Chapter 7 331 m
Page 354 and 355:
Advanced Topics • Chapter 7 333 1
Page 356 and 357:
Using Hybrid Attacks Advanced Topic
Page 358 and 359:
Exploiting Authenticated Vulnerabil
Page 360 and 361:
Advanced Topics • Chapter 7 339
Page 362 and 363:
Chapter 8 Code-Level Defenses Solut
Page 364 and 365:
Code-Level Defenses • Chapter 8 3
Page 366 and 367:
Page 368 and 369:
Page 370 and 371:
END; Execute immediate 'SELECT coun
Page 372 and 373:
Page 374 and 375:
Validating Input in Java Code-Level
Page 376 and 377:
Page 378 and 379:
Page 380 and 381:
Page 382 and 383:
Page 384 and 385:
Page 386 and 387:
Page 388 and 389:
Page 390 and 391:
Page 392 and 393:
UTL_SMTP.HELO(v_connection,'mailhos
Page 394 and 395:
Summary Code-Level Defenses • Cha
Page 396 and 397:
Page 398 and 399:
Chapter 9 Platform-Level Defenses S
Page 400 and 401:
Platform-Level Defenses • Chapter
Page 402 and 403:
Page 404 and 405:
Figure 9.3 Whitelist Rule to Patch
Page 406 and 407:
Page 408 and 409:
Page 410 and 411:
Application Filters Platform-Level
Page 412 and 413:
Page 414 and 415:
Page 416 and 417:
Page 418 and 419:
Use Strong Cryptography to Protect
Page 420 and 421:
Page 422 and 423:
Page 424 and 425:
Page 426 and 427:
Page 428 and 429:
Page 430 and 431:
Page 432 and 433:
Additional Deployment Consideration
Page 434 and 435:
Page 436 and 437:
Chapter 10 References Solutions in
Page 438 and 439:
References • Chapter 10 417 For t
Page 440 and 441:
References • Chapter 10 419 It is
Page 442 and 443:
GROUP BY Statement References • C
Page 444 and 445:
References • Chapter 10 423 you a
Page 446 and 447:
References • Chapter 10 425 Table
Page 448 and 449:
Blind SQL Injection Functions: Micr
Page 450 and 451:
References • Chapter 10 429 the S
Page 452 and 453:
Microsoft SQL Server 2005 Hashes Re
Page 454 and 455:
Page 456 and 457:
References • Chapter 10 435 If MA
Page 458 and 459:
Page 460 and 461:
TYPE oracle_loader DEFAULT DIRECTOR
Page 462 and 463:
References • Chapter 10 441 When
Page 464 and 465:
Page 466 and 467:
Table 10.20 Continued. Troubleshoot
Page 468 and 469:
Enumerating Database Configuration
Page 470 and 471:
Local File Access References • Ch
Page 472 and 473:
References • Chapter 10 451 Infor
Page 474 and 475:
Page 476 and 477:
■■ ■■ ■■ ■■ Referen
Page 478 and 479:
Troubleshooting SQL Injection Attac
Page 480 and 481:
A abstract syntax tree (AST), 125 a
Page 482 and 483:
Index 461 confirming and terminatin
Page 484 and 485:
Index 463 errors application error,
Page 486 and 487:
Index 465 intercepting filters appl
Page 488 and 489:
Index 467 APEX, 196-197 Oracle inte
Page 490 and 491:
Index 469 mysql_query( ) function,
Page 492 and 493:
Index 471 blind SQL injection funct
Page 494:
Index 473 transformation functions,
show all

SQL Injection Attacks and Defense - 2009

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?