Blind SQL Injection - Optimization Techniques

Blind SQL Injection - Optimization Techniques

• 1.
  Blind SQL injectionOptimization techniques Rodrigo Marcos December 2007
• 2.
  Agenda What is(blind) SQL injection Available Open Source tools Blind SQL injection optimizations Demo Conclusions Questions
• 3.
  What is SQLinjection? Well known and exploited technique Mainly exploited in web environments It abuses improper user input validation Allows an attacker to reach the database
• 4.
  SQL injection examplehttp://victim/listproducts.asp?cat= books SELECT * from PRODUCTS WHERE category=‘ books ’ http://victim/listproducts.asp?cat= books’ or ‘1’=‘1 SELECT * from PRODUCTS WHERE category=‘ books’ or ‘1’=‘1 ’ Basically, on SQL injection the attacker gets results.
• 5.
  What is blindSQL injection? Same vulnerability as SQL injection *Very* common vulnerability Sometimes (wrongly) ignored during tests as unexploitable or not detected The attacker can not retrieve results The attacker can only retrieve a True/False condition
• 6.
  Blind SQL injectionexample http://victim/showproduct.asp?id= 238 SELECT * from PRODUCTS WHERE id= 238 Sometimes, due to the code surronding the SQL query (grouped or sorted) the attacker can’t UNION and no ‘good’ ways of exploitation are found http://victim/showproduct.asp?id= 238 and 1=1 http://victim/showproduct.asp?id= 238 and 1=2 SELECT * from PRODUCTS WHERE id= 238 and 1=1 SELECT * from PRODUCTS WHERE id= 238 and 1=2 Blind SQL happens if the requests above return different results
• 7.
  Exploiting True/False conditionsSelect user returns ‘dbo’ SUBSTRING(‘Select user’, 1, 1) = ‘d’ SUBSTRING(‘Select user’, 2, 1) = ‘b’ SUBSTRING(‘Select user’, 3, 1) = ‘o’ http://victim/showproduct.asp?id= 238 and SUBSTRING(‘Select user’, 1, 1) = ‘d’  TRUE http://victim/showproduct.asp?id= 238 and SUBSTRING(‘Select user’, 1, 1) = ‘X’  FALSE
• 8.
  Available solutions CustomScript: We can script it and discover each letter Set a space: [a-z] + [A-Z] + [0-9] + [symbols] Loop for every character Absinthe http://www.0x90.org/releases/absinthe/ BSQLBF http://www.unsec.net/download/bsqlbf.pl http://www.unsec.net/download/bsqlbf.avi SQLMap, SQLBrute.py
• 9.
  Available solutions Customscripts: Not reusable. I got sick of writing dirty BSQL injection scripts… Available open source tools: Some of them are too dumb trying to be smart (and don’t work in special situations) Most are not interactive None are optimized for speed
• 10.
  Blind SQL injectionsoptimizations Narrow down the charset: ASCII( UPPER (SUBSTRING((SQL Query), Position, 1)))= ASCII(SUBSTRING((SQL Query), Position, 1)) ASCII( LOWER (SUBSTRING((SQL Query), Position, 1)))= ASCII(SUBSTRING((SQL Query), Position, 1)) If first one true, character is uppercase If second one true, character is uppercase If both are true, it is a number or symbol
• 11.
  Blind SQL injectionsoptimizations Searching character space: [a,b,c,d,e,f,g,h,I,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z] Sequential search: Not optimum Divide and conquer! Character => ‘m’ [m,n,o,p,q,r,s,t,u,v,w,x,y,z] else [a,b,c,d,e,f,g,h,I,j,k,l]
• 12.
  Blind SQL injectionsoptimizations Big numbers for table enumeration Typical MSSQL table id: 2089058478 Absinthe: Increase exponentially from 0 by factor of two Narrow down when upper limit is discovered Optimization: CAST(Number as varchar) and treat is as a string with numbers
• 13.
  bsqlishell.py I wantedto code something generic to forget about custom scripts I wanted to write optimum techniques as BSQL injection is *REALLY* slow Interactive shell + scriptable (Scapy like) bsqlishell.py is fast(er)!! Portable (python rocks!)
• 14.
  Demo
• 15.
  and more… Interactionsucks! I want something scriptable! from bsishell import * pre = “http://www.vulnerable.com?id=1’ and “ post = “ or ‘1’=‘2” user() table_enumeration()
• 16.
  Conclusions Blind SQLinjection can be exploited and it really makes a difference The attack can be optimized for fewer requests to the database bsqlishell.py is quite cool (shameless propaganda)
• 17.
  Thanks Questions?