SQL Injection Attacks and Defense - 2009

Exploiting SQL Injection • Chapter 4 199
will be illustrated here, and some more in Chapter 5, when talking specifically about blind
SQL injection, but the examples cannot cover all possibilities. So, if you are not able to
extract data using a normal HTTP connection and the database user that is performing
the queries is powerful enough, use your creativity: An OOB communication can be the
fastest way to successfully exploit the vulnerable application.
E-mail
Databases are very often critical parts of any infrastructure, and as such it is of the utmost
importance that their administrators can quickly react to any problem that might arise. This is
why most modern DBMSs offer some kind of e-mail functionality that can be used to automatically
send and receive e-mail messages in response to certain situations. For instance,
if a new application user is added to a company’s profile the company administrator might be
notified by e-mail automatically as a security precaution. The configuration of how to send
the e-mail in this case is already completed; all an attacker needs to do is construct an exploit
that will extract interesting information, package the data in an e-mail, and queue the e-mail
using database-specific functions. The e-mail will then appear in the attacker’s mailbox.
Microsoft SQL Server
As is often the case, Microsoft SQL Server provides a nice built-in feature for sending
e-mails. Actually, depending on the SQL server version, there might be not one, but two
different e-mailing subsystems: SQL Mail (SQL Server 2000, 2005, and 2008) and Database
Mail (SQL Server 2005 and 2008).
SQL Mail was the original e-mailing system for SQL Server. Microsoft announced with
the release of SQL Server 2008 that this feature has been deprecated, and will be removed
in future versions. It uses the Messaging Application Programming Interface (MAPI), and
therefore it needs a MAPI messaging subsystem to be present on the SQL Server machine
(e.g., Microsoft Outlook, but not Outlook Express) to send e-mails. Moreover, the e-mail
client needs to be already configured with the Post Office Protocol 3/Simple Mail Transfer
Protocol (POP3/SMTP) or Exchange server to connect to, and with an account to use
when connected. If the server you are attacking has SQL Mail running and configured,
you only need to give a try to xp_startmail (to start the SQL Client and log on to the mail
server) and xp_sendmail (the extended procedure to send an e-mail message with SQL
Mail). xp_startmail optionally takes two parameters (@user and @password) to specify the
MAPI profile to use, but in a real exploitation scenario it’s quite unlikely that you have
this information, and in any case you might not need it at all: If such parameters are not
provided, xp_startmail tries to use the default account of Microsoft Outlook, which is what
is typically used when SQL Mail is configured to send e-mail messages in an automated way.
Regarding xp_sendmail, its syntax is as follows (only the most relevant options are shown):