SQL Injection Attacks and Defense
Second Edition
Justin Clarke
ELSEVIER
AMSTERDAM • BOSTON • HEIDELBERG • LONDON
NEW YORK • OXFORD • PARIS • SAN DIEGO
SAN FRANCISCO • SINGAPORE • SYDNEY • TOKYO
Syngress is an Imprint of Elsevier
Contents
Acknowledgements v
Dedication vii
Contributing Authors ix
Lead Author and Technical Editor xiii
Introduction xxvii
CHAPTER 1 What Is SQL Injection? 1
Introduction 1
Understanding How Web Applications Work 2
A Simple Application Architecture 3
A More Complex Architecture 4
Understanding SQL Injection 6
High-Profile Examples 9
Understanding How It Happens 13
Dynamic String Building 13
Incorrectly Handled Escape Characters 14
Incorrectly Handled Types 15
Incorrectly Handled Query Assembly 17
Incorrectly Handled Errors 18
Incorrectly Handled Multiple Submissions 19
Insecure Database Configuration 21
Summary 23
Solutions Fast Track 24
Frequently Asked Questions 25
CHAPTER 2 Testing for SQL Injection 27
Introduction 27
Finding SQL Injection 27
Testing by Inference 28
Identifying Data Entry 28
Manipulating Parameters 32
Information Workflow 35
Database Errors 36
Commonly Displayed SQL Errors 37
Application Response 49
Generic Errors 49
HTTP Code Errors 52
Different Response Sizes 53
XV
Blind Injection Detection 54
Confirming SQL Injection 58
Differentiating Numbers and Strings 58
Inline SQL Injection 59
Injecting Strings Inline 59
Injecting Numeric Values Inline 63
Terminating SQL Injection 65
Database Comment Syntax 65
Using Comments 67
Executing Multiple Statements 70
Time Delays 74
Automating SQL Injection Discovery 76
Tools for Automatically Finding SQL Injection 77
HP WebInspect 77
IBM Rational AppScan 79
HP Scrawlr 80
SQLiX 82
Paros Proxy/Zed Attack Proxy 83
Summary 85
Solutions Fast Track 85
Frequently Asked Questions 87
CHAPTER 3 Reviewing Code for SQL Injection 89
Introduction 89
Reviewing Source Code for SQL Injection 89
Dangerous Coding Behaviors 92
Dangerous Functions 99
Following the Data 104
Following Data in PHP 104
Following Data in Java 109
Following Data in C# 110
Reviewing Android Application Code 111
Reviewing PL/SQL and T-SQL Code 118
Automated Source Code Review 126
Graudit 128
Yet Another Source Code Analyzer (YASCA) 129
Pixy 129
AppCodeScan 130
OWASP LAPSE+ Project 130
Microsoft Source Code Analyzer for SQL Injection 131
Microsoft Code Analysis Tool .NET (CAT.NET) 131
RIPS—A Static Source Code Analyzer for Vulnerabilities in PHP Scripts 132
CodeProAnalytiX 132
Teachable Static Analysis Workbench 132
Commercial Source Code Review Tools 133
Fortify Source Code Analyzer 134
Rational AppScan Source Edition 135
CodeSecure 135
Klocwork Solo 135
Summary 136
Solutions Fast Track 136
Frequently Asked Questions 137
CHAPTER 4 Exploiting SQL Injection 139
Introduction 139
Understanding Common Exploit Techniques 140
Using Stacked Queries 142
Exploiting Oracle from Web Applications 142
Identifying the Database 143
Non-Blind Fingerprint 144
Banner Grabbing 146
Blind Fingerprint 149
Extracting Data Through UNION Statements 150
Matching Columns 151
Matching Data Types 153
Using Conditional Statements 158
Approach 1: Time-Based 159
Approach 2: Error-Based 163
Approach 3: Content-Based 165
Working with Strings 165
Extending the Attack 167
Using Errors for SQL Injection 168
Error Messages in Oracle 170
Enumerating the Database Schema 174
SQL Server 175
MySQL 178
PostgreSQL 183
Oracle 184
Injecting into "INSERT" Queries 188
First Scenario: Inserting User Determined Data 188
Second Scenario: Generating INSERT Errors 191
Other Scenarios 193
Escalating Privileges 194
SQL Server 194
Privilege Escalation on Unpatched Servers 199
Oracle 200
SYS.LT 201
SYS.DBMS_CDC_PUBLISH 202
Getting Past the CREATE PROCEDURE Privilege 202
Cursor Injection 202
SYS.KUPPSPROC 203
Weak Permissions 203
Stealing the Password Hashes 204
SQL Server 204
MySQL 206
PostgreSQL 206
Oracle 207
Oracle Components 209
Out-of-Band Communication 211
E-mail 211
Microsoft SQL Server 211
Oracle 214
HTTP/DNS 215
File System 215
SQL Server 216
MySQL 218
Oracle 219
SQL Injection on Mobile Devices 219
Automating SQL Injection Exploitation 223
sqlmap 224
Bobcat 225
BSQL 226
Other Tools 227
Summary 228
Solutions Fast Track 229
Frequently Asked Questions 231
CHAPTER 5 Blind SQL Injection Exploitation 233
Introduction 233
Finding and Confirming Blind SQL Injection 234
Forcing Generic Errors 235
Injecting Queries with Side Effects 235
Splitting and Balancing 235
Common Blind SQL Injection Scenarios 237
Blind SQL Injection Techniques 239
Inference Techniques 239
Increasing the Complexity of Inference Techniques 243
Alternative Channel Techniques 249
Using Time-Based Techniques 249
Delaying Database Queries 249
MySQL Delays 250
PostgreSQL Delays 252
SQL Server Delays 254
Oracle Delays 257
Time-Based Inference Considerations 257
Using Response-Based Techniques 258
MySQL Response Techniques 259
PostgreSQL Response Techniques 260
SQL Server Response Techniques 261
Oracle Response Techniques 263
Returning More Than 1 bit of Information 264
Using Alternative Channels 267
Database Connections 267
DNS Exfiltration 269
Email Exfiltration 273
HTTP Exfiltration 273
ICMP Exfiltration 276
Automating Blind SQL Injection Exploitation 276
Absinthe 276
BSQL Hacker 278
SQLBrute 280
Sqlmap 282
Sqlninja 283
Squeeza 284
Summary 286
Solutions Fast Track 286
Frequently Asked Questions 288
CHAPTER 6 Exploiting the Operating System 289
Introduction 289
Accessing the File System 290
Reading Files 290
MySQL 291
Microsoft SQL Server 296
Oracle 304
PostgreSQL 306
Writing Files 306
MySQL 307
Microsoft SQL Server 310
Oracle 315
PostgreSQL 316
Executing Operating System Commands 317
MySQL 318
WAMP Environments 318
Microsoft SQL Server 318
Oracle 322
Privilege Escalation 322
Code Execution Via Direct Access 325
Executing Code as SYSDBA 330
PostgreSQL 330
Consolidating Access 333
Summary 335
Solutions Fast Track 335
Frequently Asked Questions 337
CHAPTER 7 Advanced Topics 339
Introduction 339
Evading Input Filters 339
Using Case Variation 340
Using SQL Comments 340
Using URL Encoding 341
Using Dynamic Query Execution 342
Using Null Bytes 345
Nesting Stripped Expressions 345
Exploiting Truncation 346
Bypassing Custom Filters 347
Using Non-Standard Entry Points 348
Exploiting Second-Order SQL Injection 350
Finding Second-Order Vulnerabilities 352
Exploiting Client-Side SQL Injection 355
Accessing Local Databases 355
Attacking Client-Side Databases 356
Using Hybrid Attacks 358
Leveraging Captured Data 358
Creating Cross-Site Scripting 358
Running Operating System Commands on Oracle 359
Exploiting Authenticated Vulnerabilities 360
Summary 361
Solutions Fast Track 362
Frequently Asked Questions 363
CHAPTER 8 Code-Level Defenses 365
Introduction 365
Domain Driven Security 366
Using Parameterized Statements 371
Parameterized Statements in Java 372
Parameterized Statements in .NET (C#) 373
Parameterized Statements in PHP 376
Parameterized Statements in PL/SQL 377
Parameterized Statements in Mobile Apps 377
Parameterized Statements in iOS Applications 377
Parameterized Statements in Android Applications 378
Parameterized Statements in HTML5 Browser Storage 378
Validating Input 379
Whitelisting 379
Known Value Validation 380
Blacklisting 383
Validating Input in Java 384
Validating Input in .NET 386
Validating Input in PHP 386
Validating Input in Mobile Applications 387
Validating Input in HTML5 387
Encoding Output 387
Encoding to the Database 388
Encoding for Oracle 388
Encoding for Microsoft SQL Server 390
Encoding for MySQL 393
Encoding for PostgreSQL 394
Avoiding NoSQL injection 395
Canonicalization 396
Canonicalization Approaches 397
Working with Unicode 397
Design Techniques to Avoid the Dangers of SQL Injection 399
Using Stored Procedures 399
Using Abstraction Layers 400
Handling Sensitive Data 401
Avoiding Obvious Object Names 403
Setting up Database Honeypots 404
Additional Secure Development Resources 404
Summary 405
Solutions Fast Track 406
Frequently Asked Questions 407
CHAPTER 9 Platform Level Defenses 409
Introduction 409
Using Runtime Protection 410
Web Application Firewalls 411
Using ModSecurity 411
Intercepting Filters 417
Web Server Filters 417
Application Filters 420
Implementing the Filter Pattern in Scripted Languages 421
Filtering Web Service Messages 422
Non-Editable Versus Editable Input Protection 422
URL/Page-Level Strategies 422
Page Overriding 423
URL Rewriting 423
Resource Proxying/Wrapping 424
Aspect-Oriented Programming (AOP) 424
Application Intrusion Detection Systems (IDSs) 424
Database Firewall 425
Securing the Database 425
Locking Down the Application Data 426
Use the Least-Privileged Database Login 426
Segregated Database Logins 426
Revoke PUBLIC Permissions 427
Use Stored Procedures 427
Use Strong Cryptography to Protect Stored Sensitive Data 427
Maintaining an Audit Trail 428
Locking Down the Database Server 431
Additional Lockdown of System Objects 431
Restrict Ad Hoc Querying 432
Strengthen Controls Surrounding Authentication 432
Run in the Context of a Least-Privileged Operating System Account 433
Ensure That the Database Server Software is Patched 433
Additional Deployment Considerations 434
Minimize Unnecessary Information Leakage 434
Suppress Error Messages 434
Use an Empty Default Web Site 436
Use Dummy Host Names for Reverse DNS Lookups 436
Use Wildcard SSL Certificates 437
Limit Discovery Via Search Engine Hacking 437
Disable Web Services Description Language (WSDL) Information 438
Increase the Verbosity of Web Server Logs 438
Deploy the Web and Database Servers on Separate Hosts 439
Configure Network Access Control 439
Summary 439
Solutions Fast Track 440
Frequently Asked Questions 441
CHAPTER 10 Confirming and Recovering from SQL Injection Attacks 443
Introduction 443
Investigating a Suspected SQL Injection Attack 443
Following Forensically Sound Practices 444
Analyzing Digital Artifacts 446
Web Server Log Files 446
Database Execution Plans 452
Transaction Log 462
Database Object Time Stamps 468
So, You're a Victim—Now What? 472
Containing the Incident 472
Assessing the Data Involved 473
Notifying the Appropriate Individuals 474
Determining What Actions the Attacker Performed on the System 474
Recovering from a SQL Injection Attack 475
Determining the Payload of an Attack 476
Recovering from Attacks Carrying Static Payloads 477
Recovering from Attacks Carrying Dynamic Payloads 479
Summary 481
Solutions Fast Track 481
Frequently Asked Questions 483
CHAPTER 11 References 485
Introduction 485
Structured Query Language (SQL) Primer 486
SQL Queries 486
SELECT Statement 486
UNION Operator 487
INSERT Statement 487
UPDATE Statement 488
DELETE Statement 488
DROP Statement 488
CREATE TABLE Statement 488
ALTER TABLE Statement 490
GROUP BY Statement 490
ORDER BY Clause 490
Limiting the Result Set 491
SQL Injection Quick Reference 492
Identifying SQL Injection Vulnerabilities 492
Identifying the Database Platform 495
Identifying the Database Platform Via Time Delay Inference 496
Identifying the Database Platform Via SQL Dialect Inference 497
Combining Multiple Rows into a Single Row 498
Microsoft SQL Server Cheat Sheet 498
Enumerating Database Configuration Information and Schema 500
Blind SQL Injection Functions: Microsoft SQL Server 500
Microsoft SQL Server Privilege Escalation 500
Attacking the Database Server: Microsoft SQL Server 506
MySQL Cheat Sheet 508
Enumerating Database Configuration Information and Schema 508
Blind SQL Injection Functions: MySQL 509
Attacking the Database Server: MySQL 509
Oracle Cheat Sheet 511
Enumerating Database Configuration Information and Schema 511
Blind SQL Injection Functions: Oracle 511
Attacking the Database Server: Oracle 511
PostgreSQL Cheat Sheet 517
Enumerating Database Configuration Information and Schema 517
Blind SQL Injection Functions: PostgreSQL 518
Attacking the Database Server: PostgreSQL 518
Bypassing Input Validation Filters 520
Quote Filters 520
HTTP Encoding 521
Troubleshooting SQL Injection Attacks 521
SQL Injection on Other Platforms 525
DB2 Cheat Sheet 526
Enumerating Database Configuration Information and Schema 526
Blind SQL Injection Functions: DB2 526
Informix Cheat Sheet 526
Enumerating Database Configuration Information and Schema 527
Blind SQL Injection Functions: Informix 527
Ingres Cheat Sheet 528
Enumerating Database Configuration Information and Schema 528
Blind SQL Injection Functions: Ingres 528
Sybase Cheat Sheet 529
Enumerating Database Configuration Information and Schema 529
Blind SQL Injection Functions: Sybase 530
Microsoft Access 530
Resources 531
SQL Injection White Papers 531
SQL Injection Cheat Sheets 531
SQL Injection Exploit Tools 531
Password Cracking Tools 532
Solutions Fast Track 532
Index 535