CNIT 129S: Securing Web Applications
Ch 9: Attacking Data Stores
Part 2 of 2
Bypassing Filters

Avoiding Blocked Characters
• App removes or encodes some characters
• Single quotation mark is not needed for injection into a numerical field
• You can also use string functions to dynamically construct a string containing filtered characters

CHR or CHAR Function
• These queries work on Oracle and MS-SQL, respectively
Comment Symbol Blocked
• Code is

SELECT * from users WHERE name='uname'

• Try injecting this value for name:

' or 1=1 --

• To create

SELECT * from users WHERE name='' or 1=1 --'

• But the "--" is blocked

Correct Syntax Without Comment
• Injecting this value for name:

' or 'a'='a

• To create

SELECT * from users WHERE name='' or 'a'='a'
Circumventing Simple Validation
• If "SELECT" is blocked, try these bypasses:

Using SQL Comments
• If spaces are blocked, use comments instead
• MySQL allows comments within keywords
Second-Order SQL Injection
• Many applications handle data safely when it is first entered into the database
• But it may later be processed in unsafe ways

App Adds a Second Quote
• Register an account with this name:

foo'

• The correct way to insert that value is by adding a second quote (link Ch 2a)

INSERT INTO users (username, password, ID, privs) VALUES ('foo''', 'secret', 2248, 1)

Password Change
• Requires user to input old password, and compares it to the password retrieved with:

SELECT password FROM users WHERE username = 'foo''

• This is a syntax error.

Exploit
• Register a new user with this name:

' or 1 in (SELECT password FROM users WHERE username = 'admin')--

• Perform a password change, and MS-SQL will return this error, exposing the administrator password
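The second-order sequence above, reproduced end to end as an added example (not code from the slides or from the book they follow): registration doubles the quote so the INSERT is valid, the stored value is the original `foo'`, and the later password-change lookup that concatenates the stored name fails with the syntax error the slide describes, while a bound parameter handles the same stored value correctly. The in-memory SQLite table and its rows are constructed for the demo.

```python
import sqlite3


def make_db():
    """Constructed demo table (not from any real application)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, password TEXT, ID INTEGER, privs INTEGER)"
    )
    conn.execute("INSERT INTO users VALUES ('admin', 'topsecret', 1, 0)")
    return conn


def register_by_doubling(conn, username, password, uid):
    """Registration as the slide shows it: the quote is neutralised for THIS
    statement by doubling it, so the value stored in the table is the
    original, single-quoted string (foo')."""
    u = username.replace("'", "''")
    p = password.replace("'", "''")
    conn.execute(
        f"INSERT INTO users (username, password, ID, privs) "
        f"VALUES ('{u}', '{p}', {int(uid)}, 1)"
    )


def fetch_password_concat(conn, username):
    """Second-order flaw: the username comes back out of the database and is
    treated as trusted, so the stored quote re-enters the SQL grammar."""
    return conn.execute(
        f"SELECT password FROM users WHERE username = '{username}'"
    ).fetchone()


def fetch_password_param(conn, username):
    """Fix: a bound parameter is never parsed as SQL, however it was stored."""
    return conn.execute(
        "SELECT password FROM users WHERE username = ?", (username,)
    ).fetchone()


def demo():
    conn = make_db()
    register_by_doubling(conn, "foo'", "secret", 2248)
    # The password-change step later reads the stored name back out.
    stored = conn.execute(
        "SELECT username FROM users WHERE ID = 2248"
    ).fetchone()[0]
    try:
        fetch_password_concat(conn, stored)
        concat_ok = True
    except sqlite3.OperationalError:
        # ... WHERE username = 'foo''  -> unterminated string, a syntax error
        concat_ok = False
    return stored, concat_ok, fetch_password_param(conn, stored)[0]


if __name__ == "__main__":
    print(demo())
```

The lesson for defenders is that escaping is a property of one statement, not of the data: the value that was made safe on the way in is plain `foo'` again on the way out, and every later query that touches it must bind it as a parameter.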
Advanced Exploitation
• The previous attacks had a ready means of exposing data
• Adding UNION to a query that returns the results
• Returning data in an error message

Denial of Service
• Turn off an MS-SQL database

' shutdown--

• Drop table

' drop table users--
Retrieving Data as Numbers
• No string fields may be vulnerable, because single quotes are filtered
• Numeric fields are vulnerable, but only allow you to retrieve numerical values
• Use functions to convert characters to numbers
Using an Out-of-Band Channel
• You can inject a query but you can't see the results
• Some databases allow you to make a network connection inside the query language

MS-SQL 2000 and Earlier

Oracle
• UTL_HTTP makes an HTTP request
• Attacker can use a netcat listener

Oracle
• DNS request is even less likely to be blocked

MySQL
• To retrieve the file, set up an SMB share on your server
• Allowing anonymous write access
Leveraging the Operating System
• Sometimes you can get the ability to execute shell commands
• Such as by using a PHP shell
• Then you can use built-in commands like
• tftp, mail, telnet
• Or copy data into a file in the Web root so you can retrieve it with a browser
Conditional Responses: "Blind SQL Injection"
• Suppose your query doesn't return any data you can see, and
• You can't use an out-of-band channel
• You can still get data, if there's any detectable behavior by the database that depends on your query

Example
• Put in this text for username, and anything for password

admin' --

• You'll be logged in as admin

True or False?
• This username will log in as admin:

admin' AND 1=1--

• This one will not log in

admin' AND 1=2--

Finding One Letter
• This username will log in as admin:
• This one will not log in

Inducing Conditional Errors
• On an Oracle database, this query will produce an error if the account "DBSNMP" exists
• If it doesn't, the "1/0" will never be evaluated and it won't cause an error

Does User "AAAAA" Exist?

Using Time Delays
• MS-SQL has a built-in WAITFOR command
• This query waits for 5 seconds if the current database user is 'sa'

Conditional Delays
• You can ask a yes/no question and get the answer from the delay

Testing Single Bits
• Using bitwise AND operator &
• And the POWER command

MySQL Delays
• Current versions have a sleep function
• For older versions (prior to 5.0.12), use benchmark to repeat a calculation many times

Oracle
• No function to cause a delay, but you can use UTL_HTTP to connect to a non-existent server
• Causes a delay until the request times out

Oracle
• This query causes a timeout if the default Oracle account "DBSNMP" exists
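Blind injection is noisy from the defender's side: the true/false probes, WAITFOR, sleep/benchmark and UTL_HTTP constructs named on the preceding slides all travel in the request and land in the web server's access log. The following detection pass is an added example (not part of the slides): it URL-decodes each request line, matches the signatures for the techniques above, and reports clients that send repeated probes. The log lines, addresses, timestamps and the `listener.example` host name are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (Apache combined style, simplified). Every IP,
# path and timestamp below is made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /login?username=alice&password=x HTTP/1.1" 200 512
10.0.0.9 - - [12/Mar/2024:10:01:07 +0000] "GET /login?username=admin%27+AND+1%3D1--&password=x HTTP/1.1" 200 512
10.0.0.9 - - [12/Mar/2024:10:01:09 +0000] "GET /login?username=admin%27+AND+1%3D2--&password=x HTTP/1.1" 200 431
10.0.0.9 - - [12/Mar/2024:10:01:15 +0000] "GET /item?id=1%3B+WAITFOR+DELAY+%270%3A0%3A5%27-- HTTP/1.1" 200 120
10.0.0.9 - - [12/Mar/2024:10:01:21 +0000] "GET /item?id=1+AND+SLEEP%285%29 HTTP/1.1" 200 120
10.0.0.9 - - [12/Mar/2024:10:01:27 +0000] "GET /item?id=1+AND+BENCHMARK%285000000%2CMD5%281%29%29 HTTP/1.1" 200 120
10.0.0.9 - - [12/Mar/2024:10:01:33 +0000] "GET /search?q=%27%7C%7CUTL_HTTP.REQUEST%28%27http%3A%2F%2Flistener.example%2F%27%29%7C%7C%27 HTTP/1.1" 500 88
10.0.0.7 - - [12/Mar/2024:10:02:00 +0000] "GET /item?id=42 HTTP/1.1" 200 2048
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<req>\S+) HTTP/[\d.]+"'
)

# One signature per technique discussed on the slides. Matching is done on the
# decoded request so %-encoding and '+' spaces do not hide the keywords.
SIGNATURES = {
    "boolean-probe": re.compile(r"\b(AND|OR)\s+\d+\s*=\s*\d+\s*(--|#|/\*)?", re.I),
    "mssql-time-delay": re.compile(r"\bWAITFOR\s+DELAY\b", re.I),
    "mysql-time-delay": re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I),
    "oracle-oob-delay": re.compile(r"\bUTL_HTTP\b", re.I),
}


def scan_log(text):
    """Return one record per request that matches any blind-SQLi signature."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        decoded = unquote_plus(m.group("req"))
        tags = sorted(tag for tag, rx in SIGNATURES.items() if rx.search(decoded))
        if tags:
            findings.append({"ip": m.group("ip"), "request": decoded, "tags": tags})
    return findings


def suspicious_clients(findings, min_hits=2):
    """Blind extraction needs many requests, so a burst of hits from one
    address is far stronger evidence than a single match."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= min_hits)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(h["ip"], h["tags"], h["request"])
    print("clients to review:", suspicious_clients(hits))
```

The boolean-probe signature is deliberately the weakest of the four, which is why the client-level count matters: a paired `1=1` / `1=2` request from the same address within seconds, with different response sizes, is the behaviour the "True or False?" slide describes, and the time-delay keywords have almost no legitimate reason to appear in a query string at all.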
Beyond SQL Injection: Escalating the Database Attack

Further Attacks
• SQL injection lets you get the data in the database, but you can go further
• If database is shared by other applications, you may be able to access other applications' data
• Compromise the OS of the database server
• Pivot: use the DB server to attack other servers from inside the network

Further Attacks
• Make network connections back out to your own computer, to exfiltrate data and evade IDS systems
• Extend database functionality by creating user-defined functions
• You can reintroduce functionality that has been removed or disabled
• Possible if you get database administrator privileges
MS-SQL
• xp_cmdshell stored procedure
• Included by default
• Allows DBA (Database Administrator) to execute shell commands

MS-SQL
• Other stored procedures also allow powerful attacks
• xp_regread & xp_regwrite

Dealing with Default Lockdowns
• MS-SQL 2005 and later disable xp_cmdshell by default, but you can just enable it if you are DBA

MySQL
• load_file allows attacker to read a file
• "into outfile" allows attacker to write to a file
SQL Exploitation Tools
Algorithm
SQLMAP
Preventing SQL Injection

Blocking Apostrophes
• Won't stop injection into numerical fields
• If you allow apostrophes into data fields by doubling them, you can have second-order SQL injection vulnerabilities

Stored Procedures
• Developer defines a procedure
• Attacker can still inject with this password
• Resulting query

Parameterized Queries

Vulnerable Code
• User input inserted into a command, which is parsed later to match quotes

Parameterized Version
• User input replaces placeholder "?"
• No parsing required, not vulnerable to SQLi

Provisos
• Use parameterized queries for EVERY query
• Not just the ones that are obviously user-controllable
• Every item of data should be parameterized
• Be careful if user data changes table or column names
• Allow only values from a whitelist of known safe values
• You cannot use parameter placeholders for other parts of the query, such as SORT BY ASC or SORT BY DESC
• If they must be adjusted, use whitelisting
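The three points from "Blocking Apostrophes" and "Provisos" in working code, as an added example (not code from the slides): a numeric field where quote-blocking buys nothing, the same lookup with a `?` placeholder, and a sort clause (the slide's SORT BY, written as SQL's ORDER BY here) where no placeholder is possible and a whitelist of column names and directions takes its place. The SQLite table and product rows are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed demo table; the products and prices are made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "widget", 9.5), (2, "gadget", 19.0), (3, "gizmo", 4.25)],
    )
    return conn


def find_product_vulnerable(conn, product_id):
    """Numeric field built by concatenation: no apostrophe is needed to
    change the WHERE clause, so an apostrophe filter does not help."""
    return conn.execute(
        f"SELECT id, name FROM products WHERE id = {product_id}"
    ).fetchall()


def find_product_safe(conn, product_id):
    """Bound parameter: the driver passes the value separately and it is
    never parsed as SQL. Converting to int first rejects anything that
    is not a number at all, before it reaches the database."""
    return conn.execute(
        "SELECT id, name FROM products WHERE id = ?", (int(product_id),)
    ).fetchall()


# Identifiers and keywords cannot be bound, so they come from fixed sets.
ALLOWED_SORT_COLUMNS = {"id", "name", "price"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def list_products_sorted(conn, column, direction):
    """ORDER BY takes no placeholder: validate against the whitelist and
    splice in only the literal token that passed, never the raw input."""
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"sort column not allowed: {column!r}")
    direction = direction.upper()
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"sort direction not allowed: {direction!r}")
    rows = conn.execute(
        f"SELECT name FROM products ORDER BY {column} {direction}"
    ).fetchall()
    return [r[0] for r in rows]


def _raises_value_error(fn, *args):
    try:
        fn(*args)
    except ValueError:
        return True
    return False


def demo():
    conn = make_db()
    return {
        # "1 OR 1=1" contains no quote yet returns every row
        "vulnerable_rows": len(find_product_vulnerable(conn, "1 OR 1=1")),
        "safe_rows": len(find_product_safe(conn, "2")),
        "safe_rejects_tampered_id": _raises_value_error(find_product_safe, conn, "1 OR 1=1"),
        "sorted_by_price": list_products_sorted(conn, "price", "asc"),
        "rejects_unlisted_column": _raises_value_error(list_products_sorted, conn, "rowid", "ASC"),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the whitelist check compares the whole input against a fixed set rather than stripping characters from it: there is no character filter that makes an arbitrary string a safe column name, but there is a short list of column names the application actually sorts by.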
Defense in Depth
• Application should use low privileges when accessing the database, not DBA
• Remove or disable unnecessary functions of DB
• Apply vendor patches
• Subscribe to vulnerability notification services to work around new, unpatchable vulnerabilities
Injecting into NoSQL

NoSQL
• Doesn't require structured data like SQL, where fields must be defined in a Schema, as Text, Number, etc.
• Keys and values can be arbitrarily defined
• A new and less mature technology than SQL
Injecting into MongoDB
• Example Login Code

Injection
• Log in with this username, and any password

Marcus'//

• JavaScript function becomes this:

Another Injection
• Log in with this username, and any password
• This is always true (link Ch 9b)
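The login code on the slide is an image that did not survive extraction; the example below is added here and is not the slide's code. It assumes the usual shape of such code, a `$where` clause whose JavaScript is built by string concatenation, shows how the `Marcus'//` username from the slide turns the password check into a comment, and sets a hardened version beside it that issues no JavaScript at all: the filter is a plain document, and both fields must be strings, so quotes and `//` are just characters and a structured value smuggled through JSON is rejected before it reaches the query. No MongoDB driver is needed to run it.

```python
import json


def vulnerable_where_clause(username, password):
    """Assumed shape of the slide's login code: user input is concatenated
    into a JavaScript expression for MongoDB's $where operator. The
    returned string is what the database would evaluate."""
    return (
        "this.username == '" + username + "' && this.password == '" + password + "'"
    )


def safe_login_filter(username, password):
    """Hardened form: a query document instead of JavaScript. Only str is
    accepted for each field, so a JSON body that sends an object or list
    where a string belongs is refused before any query is built."""
    for name, value in (("username", username), ("password", password)):
        if not isinstance(value, str):
            raise TypeError(f"{name} must be a string, got {type(value).__name__}")
    return {"username": username, "password": password}


def parse_login_body(raw_json):
    """Parse a login request body and build the filter from it."""
    body = json.loads(raw_json)
    return safe_login_filter(body.get("username"), body.get("password"))


def accepts_body(raw_json):
    """True if the body yields a usable filter, False if it is rejected."""
    try:
        parse_login_body(raw_json)
    except (TypeError, ValueError):
        return False
    return True


if __name__ == "__main__":
    # '//' starts a JavaScript comment, so everything after the username
    # check, including "&& this.password == ...", is ignored.
    print(vulnerable_where_clause("Marcus'//", "anything"))
    print(safe_login_filter("Marcus'//", "anything"))
```

In the hardened version the password comparison should of course be done against a stored hash in application code rather than as an equality match in the query; the point here is only that the query itself carries no executable text.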


Injecting into XPATH
• XML Data Store

Injection
• This query retrieves a stored credit card number from a username and password
• This injection:

Finding XPATH Injection Flaws
• These strings usually break the syntax
• These strings change behavior without breaking syntax

Preventing XPATH Injection
• Filter inputs with a whitelist
• Remove these characters
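Added example of the whitelist defense for the credit-card lookup described above (not code from the slides): XPath 1.0 has no parameter binding and no escape sequence for a quote inside a string literal, so the only reliable control is to refuse any value outside a small allowed alphabet before the expression is assembled. The XML store, account names, passwords and card numbers are constructed for the example; the lookup uses the limited XPath that Python's `xml.etree.ElementTree` supports.

```python
import re
import xml.etree.ElementTree as ET

# Constructed XML data store; names, passwords and card numbers are made up.
STORE = ET.fromstring("""
<addressBook>
  <address>
    <username>alice</username><password>alicepw</password>
    <ccard>0000-0000-0000-1111</ccard>
  </address>
  <address>
    <username>bob</username><password>bobpw</password>
    <ccard>0000-0000-0000-2222</ccard>
  </address>
</addressBook>
""")

# Allowed alphabet for login fields: letters, digits and a few punctuation
# marks. It deliberately excludes ' " / ( ) [ ] = and whitespace, which is
# everything that could change the meaning of the XPath expression.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_.@-]{1,64}")


def card_lookup_safe(username, password):
    """Validate first, build the expression second. Rejecting rather than
    stripping keeps the stored value and the queried value identical."""
    for name, value in (("username", username), ("password", password)):
        if not isinstance(value, str) or not SAFE_VALUE.fullmatch(value):
            raise ValueError(f"{name} contains characters not allowed in this field")
    path = f".//address[username='{username}'][password='{password}']/ccard"
    return [e.text for e in STORE.findall(path)]


def is_rejected(username, password):
    """True if the whitelist refuses the pair before any query runs."""
    try:
        card_lookup_safe(username, password)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(card_lookup_safe("alice", "alicepw"))  # the matching card
    print(card_lookup_safe("alice", "wrong"))    # []
    print(is_rejected("alice'", "x"))            # True
```

The same rule applies to the strings on the "Finding XPATH Injection Flaws" slide: a value that would either break the syntax or change the behaviour of the expression necessarily contains a character outside this alphabet, so both classes of probe are stopped at the same check.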


LDAP
• Lightweight Directory Access Protocol (LDAP)
• Used to store names, phone numbers, email addresses, etc.
• Used in Microsoft Active Directory
• Also in OpenLDAP

LDAP Queries
• Match a username
• Match any one of these conditions
• Match all of these conditions

LDAP Injection Limitations
• Possible, but less exploitable because
• Logical operators come before user-supplied data, so attacker can't form "or 1=1"
• Directory attributes to be returned are hard-coded and can't usually be manipulated
• Applications rarely return informative error messages, so exploitation is "blind"
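The three filter shapes from "LDAP Queries" built safely, as an added example (not code from the slides): the operator structure (`&` for all, `|` for any) is fixed by the code, attribute names come from a whitelist, and every user-supplied value is escaped per RFC 4515 section 3 so that `*`, `(`, `)`, `\` and NUL cannot alter the filter grammar. The attribute names and sample values are constructed for the example and do not come from any particular directory.

```python
# RFC 4515 section 3: these characters must be replaced by a backslash
# followed by their two-digit hex code inside an assertion value. The
# backslash is handled first so the replacements it produces are not
# escaped a second time.
_ESCAPES = [
    ("\\", r"\5c"),
    ("*", r"\2a"),
    ("(", r"\28"),
    (")", r"\29"),
    ("\x00", r"\00"),
]

# Attributes the application is allowed to match on (constructed whitelist).
ALLOWED_ATTRIBUTES = {"uid", "cn", "mail", "telephoneNumber"}


def escape_ldap_filter_value(value):
    """Escape a value for use inside an LDAP search filter."""
    if not isinstance(value, str):
        raise TypeError("filter values must be strings")
    for raw, esc in _ESCAPES:
        value = value.replace(raw, esc)
    return value


def _check_attribute(attribute):
    if attribute not in ALLOWED_ATTRIBUTES:
        raise ValueError(f"attribute not allowed in filters: {attribute!r}")


def match_username(username):
    """'Match a username': one fixed equality assertion."""
    return f"(uid={escape_ldap_filter_value(username)})"


def match_any(attribute, values):
    """'Match any one of these conditions': (|(a=v1)(a=v2)...)."""
    _check_attribute(attribute)
    clauses = "".join(f"({attribute}={escape_ldap_filter_value(v)})" for v in values)
    return f"(|{clauses})"


def match_all(conditions):
    """'Match all of these conditions': (&(a1=v1)(a2=v2)...), where
    conditions is a list of (attribute, value) pairs."""
    clauses = []
    for attribute, value in conditions:
        _check_attribute(attribute)
        clauses.append(f"({attribute}={escape_ldap_filter_value(value)})")
    return f"(&{''.join(clauses)})"


if __name__ == "__main__":
    print(match_username("jsmith"))
    print(match_any("mail", ["a@x.example", "b@x.example"]))
    # A legitimate value with parentheses stays a plain string value.
    print(match_all([("cn", "Smith (Jr.)"), ("telephoneNumber", "555-0100")]))
```

This is also why the slide can call LDAP injection "less exploitable": the user never gets to write the operator, and once the assertion value is escaped the closing parenthesis that would let it break out of its own clause is no longer a parenthesis to the parser.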
