1 / 14

Automated Estimation and Evaluation of SQL-injection Vulnerabilities

Automated Estimation and Evaluation of SQL-injection Vulnerabilities. Jonas Persson, Group 30 - Language based security 2006. Contents. The impact of SQL-injection Blindfolded SQL-injection What has been done before Automating the process Results Conclusions. Impact of SQL-injection.

trhonda
Download Presentation

Automated Estimation and Evaluation of SQL-injection Vulnerabilities

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Automated Estimation and Evaluation of SQL-injection Vulnerabilities Jonas Persson, Group 30 - Language based security 2006

  2. Contents • The impact of SQL-injection • Blindfolded SQL-injection • What has been done before • Automating the process • Results • Conclusions

  3. Impact of SQL-injection • Sysobjects –stores info on all tables in the database • Sysdatabases –stores info on all databases on server • Xp_cmdshell – executes arbitrary commands • Bcp – write to arbitrary file • Openrowset – transfer data from/to remote SQL-server • Xp_regwrite – write arbitrary registry values • Bulk insert – insert from arbitrary file

  4. Blindfolded SQL-injection • Should not rely on contents of error messages • The only relevant question is – did the query execute or not? • Procedure: • Determine errors • Find format and query structure • Exploit

  5. What has been done before • Automated datamining using blindfolded SQL-injection (Absinthe by Cameron Hotchkies) • Vulnerability scanning tools with support for finding SQL-injections

  6. Limitations • Absinthe only mines for data from existing injections, does not find the vulnerabilities • All vulnerability scanning tools I have tested only appends a single quote at the end of parameter values and report a vulnerability if the server returns a ”500 – internal server error”

  7. Automating the process • Determine errors • Appending ” AND ” should give incorrect syntax error • Appending ” AND 1=0 ” should result in error • Appending ” AND 1=1 ” should not result in error • Comparing to these results will tell us wether appending ” AND (any sql) ” executed or not

  8. Automating the process • Finding format • Appending ” -- ” might remove necessary ending parentheses • Breaking out of parentheses by trying to end them one by one until the query executes • More advanced formats does not require this procedure

  9. Automating the process • Finding the query structure • How many columns does the query select? Try ordering! ” ORDER BY 1 -- ” • Which types does the selected columns have? • Three base types strings, ints and dates • Append ” UNION ALL SELECT null -- ” • Append ” UNION ALL SELECT 1 -- ” • Append ” UNION ALL SELECT ’1’ -- ”

  10. Automating the process • Once you have found the format and structure, exploiting is easy! ” UNION ALL SELECT columns FROM table -- ”

  11. Automating the process • Checking the impact • Selecting from system tables • Running stored procedures • Connect to other servers through openrowset • Read files with bulk insert • Options are limitless!

  12. Results • A program that • Evaluates a parameter and returns how likely it is that the parameter is vulnerable and exploitable • Finds format and query structure • Estimates how vulnerable the parameter is on a scale from 1 to 10 • Reports its findings to the user, detailing the vulnerability and its impact

  13. Results

  14. Conclusions • As we just have seen it is indeed possible to automate the search and exploitation of SQL-injection vulnerabilities • The example can be extended in many different ways to create either a versatile audit tool or a powerful hacking tool

More Related