Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

[BruCON] SQL Injection: How far does the rabbit hole go ?

Leave a comment Posted by on September 18, 2009

Justin Clarke – SQL Injection: How far does the rabbit hole go ?

Author of SQLBrute, Primary author of SQL Injection Attack and Defense (Syngress)

Most, if not all, SQL injection techniques have been around for 7-10 years.

Albert Gonzalez displayed as an example of why the current solutions to combat SQL Injection don’t seem to be used effectively in the business world.

Problems

  • Legacy systems
  • Lack of developer knowledge / common developer practice
  • Low hanging fruit
  • Architectural anomalies

Problems Solved ?

  • Parameterised SQL
    • Yes, but careful with that unsanitised data
  • Object relational mapping systems
    • Still watchout for that SQL Injection
  • Inclusion list input validation
    • If it’s tight enough… and used everywhere
  • Contextual encoding of dangerous characters
    • As long as you handle EVERYTHING and make sure you handle encoding correctly
    • Good example is the OWASP ESAPI project (not perfect, but a good starting point)

Asprox example of injecting <scriptsrc> into user defined data in the backend database through SQL injection vulnerabilities in an ASP application (T-SQL based). By using Google to find possible targets, it used botnets to attempt to inject code into the database. At it’s height 90,000 pages were infected with the original variant.

This was an example of uses of SQL Injection not for data theft, but instead for attacker users.

So where next ?

  • Pure attacks
    • SQL Injection for data theft (done)
    • Worms
  • Hybrid attacks
    • Scripting malware (done)
    • SQL Injection as a foothold (done)
    • Cross Site Scripting / other scripting attacks
    • SQL Injection delivered malware
    • SQL Injection as command and control
      • Decentalised (hard to disable)
    • SQL Injection as reconnaissance

Oracle supports the use of Java as stored procedures. MS SQL Server 2008 does the same with .NET.

Video demo: Proof of concept: SQL Worm

Worm designed to scan all RFC:1918 addresses and infect systems found to be vulnerable to SQL Injection. The demo simple re-infects other systems (PoC code). The use of SQL Injection as a worm is possible, but impractical.

Conference, Security , ,

Comments are closed.

%d bloggers like this: