Attacking Data Stores
Brad Stancel
CSCE 813 Presentation, 11/12/2012

Sources Consulted
• Stuttard, D. and Pinto, M., The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws, 2nd Edition, 2011, Wiley Publishing

Importance of Data Stores
• Almost every web app uses data stores
• Used to hold information vital to the application
• Often hold information crucial to the application logic (access control, etc.)

Important Notes about Data Stores
• The application interacts with the data store at a specified security level
• Common data stores are databases that use SQL (Structured Query Language) to interact with and manipulate the database
• Other non-SQL databases are becoming more popular (e.g. NoSQL)
• Some data stores specifically revolve around access control (e.g. LDAP)

Interpreted vs. Compiled Languages
• Injection attacks can happen in either type of language
• Interpreted languages make injection attacks easier (attacker-supplied input can be interpreted as code)
• Injection attacks against compiled languages generally rely on machine code

SQL Injection
• A type of code injection common in interpreted languages that use SQL data stores
• Many similarities across databases, but each vendor's database may differ slightly
• Our focus today is on MS-SQL, Oracle and MySQL data stores

Fingerprinting the Database
• Extract the version string
  • MySQL: /*!32302 and 1=0*/
• Look at concatenation of strings
  • Oracle: 'serv'||'ices'
  • MS-SQL: 'serv'+'ices'
  • MySQL: 'serv' 'ices'
• Look at how numeric data is handled
  • Oracle: BITAND(1,1)-BITAND(1,1)
  • MS-SQL: @@PACK_RECEIVED-@@PACK_RECEIVED
  • MySQL: CONNECTION_ID()-CONNECTION_ID()

Testing for Injection Bugs
General Algorithm:
• Supply unexpected data and syntax
• Identify any anomalies
• Observe and examine any error messages
• Systematically modify input to confirm or disprove that the vulnerability exists
• Construct a proof-of-concept that causes a safe command to execute in a verifiable way, proving the flaw exists
• Exploit the vulnerability by leveraging functionality and knowledge of the target language and/or its components

Testing for SQL Injection Bugs
Three Main Methods:
• Injecting into String Data
• Injecting into Numeric Data
• Injecting into Query Structure

Injecting Into String Data
• String data is encapsulated in single quotation marks
• Need to break out of these quotation marks
  • ex. Wiley' OR 'a'='a
• Preliminary Steps to Test:
  • Submit a single quotation mark and see if an error occurs
  • Submit two quotation marks (escape sequence) and look for an error or odd behavior
  • Try the SQL concatenation techniques discussed earlier; if no abnormal behavior is detected, the input is possibly vulnerable

Injecting Into Numeric Data
• The query may use numbers as strings, so try the string data methods first
• Remember to encode certain characters
• Steps to Test:
  • Supply a mathematical expression equivalent to the number (responds the same way = possibly vulnerable)
  • Use more complicated expressions that use SQL keywords
  • Expressions built from ASCII functions are useful for testing
    • 67-ASCII('A')
    • 51-ASCII(1)

Injecting Into Query Structure
• Determine the type of statement:
  • SELECT statements
  • INSERT statements
  • UPDATE statements
  • DELETE statements
  • UNION operator (more of a technique)

SELECT Statements
• Frequently used when returning data based on the user's actions
• The attack entry point is usually the statement's WHERE clause
• Correct Example:
  • SELECT author,title,year FROM books WHERE publisher = 'Wiley'
• Malicious Example:
  • Input into web form: Wiley' OR 1=1--
  • SELECT author,title,year FROM books WHERE publisher = 'Wiley' OR 1=1--

INSERT Statements
• Used to create a new row of data in a table
• Example: a web app that allows users to self-register
• Correct Example:
  • INSERT INTO users (username, password, privs) VALUES ('daf','secret',1)
• Malicious Example:
  • Input into web form: foo','bar',0)--
  • INSERT INTO users (username, password, privs) VALUES ('foo','bar',0)--
• MUST contain the correct number of data types!

UPDATE Statements
• Used to modify one or more rows of existing data in a table
• Correct Example:
  • UPDATE users SET password='newsecret' WHERE user='brad' and password='secret'
• Malicious Example:
  • Input into web form: admin'--
  • UPDATE users SET password='newsecret' WHERE user='admin'--
• This example bypasses the password check and changes the admin password!

DELETE Statements
• Used to delete one or more rows of data in a table
• Can corrupt the entire table or database
• Correct Example:
  • DELETE from users WHERE uid='brad'
• Malicious Example:
  • Input into web form: ' OR ' '='
  • DELETE from users WHERE uid=' ' OR ' '=' '
• This example deletes all user IDs in the users table!

UNION Operator
• Used to combine the results of two or more SELECT statements into a single result set
• Supported by all major DBMS products
• Fastest way to retrieve arbitrary information when query results are returned
• The point of attack is usually the WHERE clause of a SELECT statement
• The additional SELECT statement must contain the correct number of data types

UNION Operator cont.
• Example SELECT statement before:
  • SELECT author,title,year FROM books WHERE publisher ='Wiley' (where Wiley was submitted)
• Input put into web form:
  • Wiley' UNION SELECT username,password,uid FROM users--
• Returns a dataset containing both author,title,year and username,password,uid in one table
• This example only works if the users table has three columns

Advanced Techniques
• Out-of-Band Communication
• Bypassing Filters
• Using Comments and Circumventing Validation
• Second-Order SQL Injection
• Retrieving Data as Numbers
• Inference

Escalating Attacks
• Most applications employ one account for database access
• They rely on application-layer controls to enforce segregation of access
• Already have the data, why escalate?
  • Gain access to other hosted applications' data
  • Compromise the OS of the database server
  • Gain network access to reach other systems
  • Establish a network connection to the attacker's own system for faster data retrieval
  • Include the attacker's own functions to enhance DB capabilities

Some Tools Used in SQL Exploitation
• Absinthe - Automated Blind SQL Injection Tool
• SQLMap - Automatic SQL Injection Tool

Preventing SQL Injection
• Validate input!
• Escape certain characters and words
• Use stored procedures to help
  • This does not completely solve the problem
• Parameterized Queries
  • AKA prepared statements
  • The application specifies the query's structure
  • The application specifies the contents of each placeholder

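As an added illustration of the parameterized-query point (example code written for these notes, not from the presentation or the handbook), the UPDATE from the earlier slide is built two ways against a constructed in-memory SQLite users table: once by string concatenation, where the admin'-- input becomes part of the SQL syntax, and once with placeholders, where the same input is treated purely as data and the password check still applies.

```python
import sqlite3


def make_db():
    # Constructed sample table mirroring the slides' users table (assumption:
    # columns user/password, two rows).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("brad", "secret"), ("admin", "hunter2")])
    conn.commit()
    return conn


def change_password_vulnerable(conn, user, old_pw, new_pw):
    # Query structure assembled from user input: a quote and a -- comment in
    # the user field rewrite the WHERE clause, dropping the password check.
    sql = ("UPDATE users SET password='" + new_pw + "' WHERE user='" + user
           + "' and password='" + old_pw + "'")
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def change_password_safe(conn, user, old_pw, new_pw):
    # Structure fixed by the application; each ? receives data only, so the
    # literal string admin'-- is compared against the user column verbatim.
    cur = conn.execute(
        "UPDATE users SET password=? WHERE user=? AND password=?",
        (new_pw, user, old_pw))
    conn.commit()
    return cur.rowcount


def get_password(conn, user):
    row = conn.execute("SELECT password FROM users WHERE user=?",
                       (user,)).fetchone()
    return row[0] if row else None


def demo():
    # Same attacker input, wrong old password, against both implementations.
    results = {}
    conn = make_db()
    change_password_vulnerable(conn, "admin'--", "wrong", "newsecret")
    results["vulnerable"] = get_password(conn, "admin")  # 'newsecret'
    conn = make_db()
    change_password_safe(conn, "admin'--", "wrong", "newsecret")
    results["safe"] = get_password(conn, "admin")        # 'hunter2'
    return results
```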
Summary, Comments and Questions
• Attacking data stores can be done in a variety of ways
• Protecting data stores is of utmost importance
• Understanding how these attacks take place enables one to better protect against them
• Questions and Comments.........