Attacking Data Stores
Brad StancelCSCE 813 Presentation11/12/2012
Stuttard, D. and Pinto, M.,The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws 2nd Edition, 2011, Wiley Publishing
Importance of Data Stores
Almost every web app uses data storesUsed to hold information vital to the applicationOften hold information crucial to the application logic (access control, etc.)
Important Notes about Data Stores
Application interacts with the data store at a specified security levelCommon data stores are databases that use SQL (Structure Query Language) to interact & manipulate databaseOther non-SQL type databases are becoming more popular (i.e. NoSQL)Some data stores specifically revolve around access control (i.e. LDAP)
Interpreted vs. Compiled Languages
Injection Attacks can happen on either type of languageInterpreted languages make it easier for injection attacks (i.e. can type in code)Compiled language injection attacks generally use machine code
Type of code injection common in interpreted languages that use SQL data storesA lot of similarities across databases but each vendor database may be a bit differentOur focus today is on: MS-SQL, Oracle and MySQL data stores
Fingerprinting the Database
Extract version stringMySQL/*!32302 and 1=0*/Look at Concatenation of StringsOracle'serv'||'ices'MS-SQL'serv'+'ices'MySQL'serv' 'ices'Look at how Numeric Data is handledOracleBITAND(1,1)-BITAND(1,1)MS-SQL@@PACK_RECEIVED-@@PACKRECEIVEDMySQLCONNECTION_ID()-CONNECTION_ID()
Testing for Injection Bugs
General Algorithm:Supply unexpected data and syntaxIdentify any anomaliesObserve and examine any error messagesSystematically modify input to confirm or disprove vulnerability existenceConstruct proof-of-concept that causes safe command to execute in a verifiable way to prove flaw existsExploit the vulnerability by leveraging functionality and knowledge of target language and/or its components
Testing for SQL Injection Bugs
Three Main Methods:Injecting into String DataInjecting into Numeric DataInjecting into Query Structure
Injecting Into String Data
String data is encapsulated into single quotation marksNeed to break out of these quotation marksex. Wiley' OR 'a'='aPreliminary Steps to Test:Submit a single quotation mark to see if error occursSubmit two quotation marks (escape sequence) and look for error or odd behaviorTry SQL concatenation techniques discussed earlier and if no behavior detected possible vulnerable
Injecting Into Numeric Data
Query may use numbers as strings so try string data methods firstRemember to encode certain charactersSteps to Test:Supply a mathematical expression equiv. to number (responds same way = possible vulnerable)Use more complicated expressions that use SQL keywords.Using ASCII commands to test are useful67-ASCII('A')51-ASCII(1)
Injecting Into Query Structure
Determine the Type of StatementSELECT StatementsINSERT StatementsUPDATE StatementsDELETE StatementsUNION Operator (more of a technique)
Frequently used when returning data based on user's actionsAttack entry point is usually the statement's WHERE clauseCorrect Example:SELECT author,title,year FROM books WHERE publisher = 'Wiley'Malicious Example:Input into web form: Wiley' OR 1=1--SELECT author,title,year FROM books WHERE publisher = 'Wiley' OR 1=1--
Used to create a new row of data in a tableExample: Web app that allows users to self registerCorrect Example:INSERT INTO users (username, password, privs) VALUES ('daf','secret',1)Malicious Example:Input into web form: foo','bar',0)--INSERT INTO users (username, password, privs) VALUES ('foo','bar',0)--MUST contain correct number of data types!
Used to modify one or more rows of existing data in a tableCorrect Example:UPDATE users SET password='newsecret' WHERE user='brad' and password='secret'Malicious Example:Input into web form: admin'--UPDATE users SET password='newsecret' WHERE user='admin'--This example bypasses the password check & changes the admin password!
Used to delete one or more rows of data in a tableCan corrupt the entire table or databaseCorrect Example:DELETE from users WHERE uid='brad'Malicious Example:Input into web form:' OR ' '='DELETE from users WHERE uid='' OR ' '=' 'This example deletes all user ID's in the users table!
Used to combine results of two or more SELECT statements into a single result setSupported by all major DBMS productsFastest way to retrieve arbitrary information when query results are returnedPoint of attack is usually the WHERE clause of a SELECT statementAdditional SELECT statementmustcontain correct number of data types
UNION Operator cont.
Example SELECT statement before:SELECT author,title,year FROM books WHERE publisher ='Wiley' (Where Wiley was submitted)Input put into web form:Wiley'UNIONSELECT username,password,uid FROM users--Returns a dataset containing both the authors,titles,year and username,password,uid in one tableThis example only works if users table has three columns
Out-of-Band CommunicationBypassing FiltersUsing Comments & Circumventing ValidationSecond Order SQL InjectionRetrieving Data as NumbersInference
Most applications employ one account for database accessRely on application-layer controls to enforce segregation of accessAlready have the data, why escalate?Gain access to other hosted application dataCompromise the OS of the database serverGain network access to access other systemsEstablish network connection to own system for faster data retrievalInclude own functions to enhance DB capabilities
Some Tools Used in SQL Exploitation
Absinthe - Automated Blind SQL Injection ToolSQLMap - Automatic SQL Injection Tool
Preventing SQL Injection
Validate input!Escape certain characters and wordsUse Stored Procedures to helpThis does not completely solve the problemParameterized QueriesAKA: prepared statementsApplication specifies query's structureApplication specifies contents of each placeholder
Summary, Comments and Questions
Attacking Data Stores can be done in a variety of waysProtecting Data Stores is of utmost importanceUnderstanding how these attacks take place enables one to better protect against themQuestions and Comments.........