SQL Injection Attacks and Defense - 2009

Recommendations

Info

Contents xvii Increase the Verbosity of Web Server Logs.. . . . . . . . . . . . . . . . . . . . . . . . . 409 Deploy the Web and Database Servers on Separate Hosts.. . . . . . . . . . . . . . 409 Configure Network Access Control. ............................. 409 Summary. ................................................... 410 Solutions Fast Track.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410 Frequently Asked Questions.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412 Chapter 10 References. ........................................ 415 Introduction .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416 Structured Query Language (SQL) Primer.. . . . . . . . . . . . . . . . . . . . . . . . . . . 416 SQL Queries.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416 SELECT Statement........................................ 417 UNION Operator. ....................................... 417 INSERT Statement.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418 UPDATE Statement. ...................................... 418 DELETE Statement........................................ 418 DROP Statement .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420 CREATE TABLE Statement .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420 ALTER TABLE Statement................................... 420 GROUP BY Statement..................................... 421 ORDER BY Clause.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421 Limiting the Result Set.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421 SQL Injection Quick Reference. .................................. 422 Identifying the Database Platform.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422 Identifying the Database Platform via Time Delay Inference .. . . . . . . . . 423 Identifying the Database Platform via SQL Dialect Inference.......... 423 Combining Multiple Rows into a Single Row.. . . . . . . . . . . . . . . . . . . 424 Microsoft SQL Server Cheat Sheet.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425 Enumerating Database Configuration Information and Schema.................................. 425 Blind SQL Injection Functions: Microsoft SQL Server .. . . . . . . . . . . . . 427 Microsoft SQL Server Privilege Escalation .. . . . . . . . . . . . . . . . . . . . . . 427 OPENROWSET Reauthentication Attack..................... 428 Attacking the Database Server: Microsoft SQL Server.. . . . . . . . . . . . . . 429 System Command Execution via xp_cmdshell .. . . . . . . . . . . . . . . . . 429 xp_cmdshell Alternative. ................................. 430 Cracking Database Passwords............................... 430 Microsoft SQL Server 2005 Hashes .. . . . . . . . . . . . . . . . . . . . . . . . . 431 File Read/Write........................................ 431
xviii Contents MySQL Cheat Sheet .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431 Enumerating Database Configuration Information and Schema .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431 Blind SQL Injection Functions: MySQL. ....................... 432 Attacking the Database Server: MySQL .. . . . . . . . . . . . . . . . . . . . . . . . 433 System Command Execution............................... 433 Cracking Database Passwords............................... 434 Attacking the Database Directly............................. 434 File Read/Write........................................ 434 Oracle Cheat Sheet .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435 Enumerating Database Configuration Information and Schema .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435 Blind SQL Injection Functions: Oracle.......................... 436 Attacking the Database Server: Oracle. ......................... 437 Command Execution .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437 Reading Local Files...................................... 437 Reading Local Files (PL/SQL Injection Only) .. . . . . . . . . . . . . . . . . 438 Writing Local Files (PL/SQL Injection Only). ................. 439 Cracking Database Passwords............................... 440 Bypassing Input Validation Filters .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440 Quote Filters.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440 HTTP Encoding .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442 Troubleshooting SQL Injection Attacks. ............................. 443 SQL Injection on Other Platforms.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446 PostgreSQL Cheat Sheet. ..................................... 446 Enumerating Database Configuration Information and Schema .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447 Blind SQL Injection Functions: PostgreSQL...................... 448 Attacking the Database Server: PostgreSQL. ..................... 448 System Command Execution............................... 448 Local File Access........................................ 449 Cracking Database Passwords............................... 449 DB2 Cheat Sheet............................................ 449 Enumerating Database Configuration Information and Schema .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449 Blind SQL Injection Functions: DB2 .. . . . . . . . . . . . . . . . . . . . . . . . . . 450 Informix Cheat Sheet......................................... 451 Enumerating Database Configuration Information and Schema .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451 Blind SQL Injection Functions: Informix.. . . . . . . . . . . . . . . . . . . . . . . 452
Page 2 and 3: Justin Clarke Lead Author and Techn
Page 4 and 5: Lead Author and Technical Editor Ju
Page 6 and 7: exploiting, and correcting software
Page 8 and 9: Dafydd Stuttard is the author of th
Page 10 and 11: Contents Chapter 1 What Is SQL Inje
Page 12 and 13: Contents xi LAPSE. ................
Page 14 and 15: Contents xiii Generic MySQL Binary
Page 16 and 17: Contents xv Chapter 8 Code-Level De
Page 20 and 21: Contents xix Ingres Cheat Sheet....
Page 22 and 23: Chapter 1 What Is SQL Injection? So
Page 24 and 25: What Is SQL Injection? • Chapter
Page 30 and 31: execute the query against the datab
Page 38 and 39: Incorrectly Handled Query Assembly
Page 40 and 41: } } reader = cmd.ExecuteReader(); r
Page 50 and 51: Chapter 2 Testing for SQL Injection
Page 52 and 53: Testing for SQL Injection • Chapt
Page 64 and 65: SELECT * FROM products WHERE idprod
Page 68 and 69:
Testing for SQL Injection • Chapt
Page 70 and 71:
Page 72 and 73:
Page 74 and 75:
Page 76 and 77:
Page 78 and 79:
Page 80 and 81:
Page 82 and 83:
Page 84 and 85:
Page 86 and 87:
Page 88 and 89:
Page 90 and 91:
Page 92 and 93:
Figure 2.15 Exploitation Terminatin
Page 94 and 95:
Page 96 and 97:
Page 98 and 99:
Page 100 and 101:
Time Delays Testing for SQL Injecti
Page 102 and 103:
Page 104 and 105:
Page 106 and 107:
Page 108 and 109:
Page 110 and 111:
Page 112 and 113:
Summary Testing for SQL Injection
Page 114 and 115:
Page 116 and 117:
Chapter 3 Reviewing Code for SQL In
Page 118 and 119:
Reviewing Code for SQL Injection
Page 120 and 121:
Page 122 and 123:
Page 124 and 125:
Page 126 and 127:
Page 128 and 129:
mssql_bind() − adds a parameter t
Page 130 and 131:
OdbcCommand() − used to construct
Page 132 and 133:
Page 134 and 135:
Page 136 and 137:
Page 138 and 139:
Reviewing PL/SQL and T-SQL Code Rev
Page 140 and 141:
Page 142 and 143:
Page 144 and 145:
Page 146 and 147:
Page 148 and 149:
■■ ■■ ■■ ■■ URL: ht
Page 150 and 151:
■■ ■■ Platform: Windows Pri
Page 152 and 153:
Page 154 and 155:
Summary Reviewing Code for SQL Inje
Page 156 and 157:
Frequently Asked Questions Reviewin
Page 158 and 159:
Chapter 4 Exploiting SQL Injection
Page 160 and 161:
Exploiting SQL Injection • Chapte
Page 162 and 163:
Page 164 and 165:
Page 166 and 167:
Page 168 and 169:
Page 170 and 171:
Page 172 and 173:
Page 174 and 175:
Page 176 and 177:
Page 178 and 179:
Page 180 and 181:
Page 182 and 183:
Approach 3: Content-based Exploitin
Page 184 and 185:
Page 186 and 187:
Page 188 and 189:
Error Messages in Oracle Exploiting
Page 190 and 191:
Page 192 and 193:
Page 194 and 195:
Page 196 and 197:
Page 198 and 199:
MySQL Exploiting SQL Injection •
Page 200 and 201:
Such a query will return output sim
Page 202 and 203:
Page 204 and 205:
SELECT name,spare4 FROM sys.user$ w
Page 206 and 207:
Page 208 and 209:
[+] Bruteforcing the sa password. T
Page 210 and 211:
Page 212 and 213:
Page 214 and 215:
Page 216 and 217:
Page 218 and 219:
select user_name,web_password_raw f
Page 220 and 221:
Page 222 and 223:
Page 224 and 225:
HTTP/DNS Exploiting SQL Injection
Page 226 and 227:
Page 228 and 229:
Page 230 and 231:
Page 232 and 233:
Page 234 and 235:
Page 236 and 237:
Summary Exploiting SQL Injection
Page 238 and 239:
Escalating Privileges Exploiting SQ
Page 240 and 241:
Chapter 5 Blind SQL Injection Explo
Page 242 and 243:
Blind SQL Injection Exploitation
Page 244 and 245:
Page 246 and 247:
Common Blind SQL Injection Scenario
Page 248 and 249:
Page 250 and 251:
Page 252 and 253:
1. Is the byte greater than 127? No
Page 254 and 255:
Page 256 and 257:
Using Time-Based Techniques Blind S
Page 258 and 259:
Page 260 and 261:
Page 262 and 263:
Page 264 and 265:
Page 266 and 267:
Page 268 and 269:
Page 270 and 271:
Page 272 and 273:
Page 274 and 275:
Page 276 and 277:
Page 278 and 279:
SELECT * FROM unknowntable UNION SE
Page 280 and 281:
Page 282 and 283:
Page 284 and 285:
Figure 5.13 Extracting Database Log
Page 286 and 287:
Page 288 and 289:
Summary Blind SQL Injection Exploit
Page 290 and 291:
Page 292 and 293:
Chapter 6 Exploiting the Operating
Page 294 and 295:
Exploiting the Operating System •
Page 296 and 297:
Page 298 and 299:
Page 300 and 301:
Page 302 and 303:
Page 304 and 305:
Page 306 and 307:
[operating systems] multi(0)disk(0)
Page 308 and 309:
Figure 6.13 Enabling CLR Integratio
Page 310 and 311:
Oracle Exploiting the Operating Sys
Page 312 and 313:
) c / ) ) ), bfilename('GETPWDIR',
Page 314 and 315:
As expected, this creates sp.txt fi
Page 316 and 317:
Page 318 and 319:
Page 320 and 321:
2 443 [+] Calling msfpayload3 to c
Page 322 and 323:
DBMS_ADVISOR is probably the shorte
Page 324 and 325:
EXECUTE IMMEDIATE q'!drop directory
Page 326 and 327:
Microsoft SQL Server Exploiting the
Page 328 and 329:
Page 330 and 331:
Figure 6.22 Creating an UNSAFE Bina
Page 332 and 333:
Page 334 and 335:
Executing Operating System Commands
Page 336 and 337:
Endnotes Exploiting the Operating S
Page 338 and 339:
Chapter 7 Advanced Topics Solutions
Page 340 and 341:
Using Case Variation Advanced Topic
Page 342 and 343:
4. The application URL decodes the
Page 344 and 345:
Advanced Topics • Chapter 7 323 D
Page 346 and 347:
Advanced Topics • Chapter 7 325 I
Page 348 and 349:
Advanced Topics • Chapter 7 327 w
Page 350 and 351:
Advanced Topics • Chapter 7 329 N
Page 352 and 353:
Advanced Topics • Chapter 7 331 m
Page 354 and 355:
Advanced Topics • Chapter 7 333 1
Page 356 and 357:
Using Hybrid Attacks Advanced Topic
Page 358 and 359:
Exploiting Authenticated Vulnerabil
Page 360 and 361:
Advanced Topics • Chapter 7 339
Page 362 and 363:
Chapter 8 Code-Level Defenses Solut
Page 364 and 365:
Code-Level Defenses • Chapter 8 3
Page 366 and 367:
Page 368 and 369:
Page 370 and 371:
END; Execute immediate 'SELECT coun
Page 372 and 373:
Page 374 and 375:
Validating Input in Java Code-Level
Page 376 and 377:
Page 378 and 379:
Page 380 and 381:
Page 382 and 383:
Page 384 and 385:
Page 386 and 387:
Page 388 and 389:
Page 390 and 391:
Page 392 and 393:
UTL_SMTP.HELO(v_connection,'mailhos
Page 394 and 395:
Summary Code-Level Defenses • Cha
Page 396 and 397:
Page 398 and 399:
Chapter 9 Platform-Level Defenses S
Page 400 and 401:
Platform-Level Defenses • Chapter
Page 402 and 403:
Page 404 and 405:
Figure 9.3 Whitelist Rule to Patch
Page 406 and 407:
Page 408 and 409:
Page 410 and 411:
Application Filters Platform-Level
Page 412 and 413:
Page 414 and 415:
Page 416 and 417:
Page 418 and 419:
Use Strong Cryptography to Protect
Page 420 and 421:
Page 422 and 423:
Page 424 and 425:
Page 426 and 427:
Page 428 and 429:
Page 430 and 431:
Page 432 and 433:
Additional Deployment Consideration
Page 434 and 435:
Page 436 and 437:
Chapter 10 References Solutions in
Page 438 and 439:
References • Chapter 10 417 For t
Page 440 and 441:
References • Chapter 10 419 It is
Page 442 and 443:
GROUP BY Statement References • C
Page 444 and 445:
References • Chapter 10 423 you a
Page 446 and 447:
References • Chapter 10 425 Table
Page 448 and 449:
Blind SQL Injection Functions: Micr
Page 450 and 451:
References • Chapter 10 429 the S
Page 452 and 453:
Microsoft SQL Server 2005 Hashes Re
Page 454 and 455:
Page 456 and 457:
References • Chapter 10 435 If MA
Page 458 and 459:
Page 460 and 461:
TYPE oracle_loader DEFAULT DIRECTOR
Page 462 and 463:
References • Chapter 10 441 When
Page 464 and 465:
Page 466 and 467:
Table 10.20 Continued. Troubleshoot
Page 468 and 469:
Enumerating Database Configuration
Page 470 and 471:
Local File Access References • Ch
Page 472 and 473:
References • Chapter 10 451 Infor
Page 474 and 475:
Page 476 and 477:
■■ ■■ ■■ ■■ Referen
Page 478 and 479:
Troubleshooting SQL Injection Attac
Page 480 and 481:
A abstract syntax tree (AST), 125 a
Page 482 and 483:
Index 461 confirming and terminatin
Page 484 and 485:
Index 463 errors application error,
Page 486 and 487:
Index 465 intercepting filters appl
Page 488 and 489:
Index 467 APEX, 196-197 Oracle inte
Page 490 and 491:
Index 469 mysql_query( ) function,
Page 492 and 493:
Index 471 blind SQL injection funct
Page 494:
Index 473 transformation functions,
show all

SQL Injection Attacks and Defense - 2009

Create successful ePaper yourself

Delete template?

Save as template?