SQL Injection 2
SQL Injection 2
The first two are responses to well-formed SQL, while the latter is for
bad SQL: this distinction will be very useful when trying to guess the
structure of the query.
The first steps are to guess some field names: we're reasonably sure
that the query includes "email address" and "password", and there
may be things like "US Mail address" or "userid" or "phone number".
We'd dearly love to perform a SHOW TABLE, but in addition to not
knowing the name of the table, there is no obvious vehicle to get the
output of this command routed to us.
So we'll do it in steps. In each case, we'll show the whole query as we
know it, with our own snippets shown specially. We know that the tail
end of the query is a comparison with the email address, so let's guess
email as the name of the field:
SELECT f i e l d l i s t
FROM tab le
WHERE f i e l d= x ' ' AND emai l IS NULL; -';-
The intent is to use a proposed field name (email) in the constructed
query and find out if the SQL is valid or not. We don't care about
matching the email address (which is why we use a dummy 'x'), and
the -- marks the start of an SQL comment. This is an effective way to
"consume" the final quote provided by application and not worry about
matching them.
If we get a server error, it means our SQL is malformed and a syntax
error was thrown: it's most likely due to a bad field name. If we get
any kind of valid response, we guessed the name correctly. This is the
case whether we get the "email unknown" or "password was sent"
response.
Note, however, that we use the AND conjunction instead of OR: this is
intentional. In the SQL schema mapping phase, we're not really
concerned with guessing any particular email addresses, and we do
not want random users inundated with "here is your password" emails
from the application - this will surely raise suspicions to no good
purpose. By using the AND conjunction with an email address that
couldn't ever be valid, we're sure that the query will always return zero
rows and never generate a password-reminder email.
Submitting the above snippet indeed gave us the "email address
unknown" response, so now we know that the email address is stored
in a field email. If this hadn't worked, we'd have tried email_address
or mail or the like. This process will involve quite a lot of guessing.
Next we'll guess some other obvious names: password, user ID, name,
and the like. These are all done one at a time, and anything other than
"server failure" means we guessed the name correctly.
SELECT f i e l d l i s t
FROM tab le
WHERE emai l = 'x ' AND user id IS NULL; -';-
As a result of this process, we found several valid field names:
• email
• passwd
• login_id
• full_name
There are certainly more (and a good source of clues is the names of
the fields on forms), but a bit of digging did not discover any. But we
still don't know the name of the table that these fields are found in -
how to find out?
The application's built-in query already has the table name built into it,
but we don't know what that name is: there are several approaches for
finding that (and other) table names. The one we took was to rely on a
subselect.
A standalone query of
SELECT COUNT(* ) FROM tabname
Returns the number of records in that table, and of course fails if the
table name is unknown. We can build this into our string to probe for
the table name:
SELECT email, passwd, login_id, full_name
FROM tab le
WHERE emai l = x' ' AND 1=(SELECT COUNT(*) FROM tabname );
--';
We don't care how many records are there, of course, only whether
the table name is valid or not. By iterating over several guesses, we
eventually determined that members was a valid table in the
database. But is it the table used in this query? For that we need yet
another test using table.field notation: it only works for tables that
are actually part of this query, not merely that the table exists.
SELECT email, passwd, login_id, full_name
FROM members
WHERE email = 'x' AND members.email IS NULL; --';
When this returned "Email unknown", it confirmed that our SQL was
well formed and that we had properly guessed the table name. This
will be important later, but we instead took a different approach in the
interim.
Mail me a password
We then realized that though we are not able to add a new record to
the members database, we can modify an existing one, and this
proved to be the approach that gained us entry.
From a previous step, we knew that [email protected] had an
account on the system, and we used our SQL injection to update his
database record with our email address:
SELECT email, passwd, login_id, full_name
FROM members
WHERE ema i l = x' ' ;
UPDATE members
SET emai l = ' s teve@unixwiz .net '
WHERE emai l = '[email protected] ';
After running this, we of course received the "we didn't know your
email address", but this was expected due to the dummy email
address provided. The UPDATE wouldn't have registered with the
application, so it executed quietly.
We then used the regular "I lost my password" link - with the updated
email address - and a minute later received this email:
From: [email protected]
To: [email protected]
Subject: Intranet login
Now it was now just a matter of following the standard login process to
access the system as a high-ranked MIS staffer, and this was far
superior to a perhaps-limited user that we might have created with our
INSERT approach.
We found the intranet site to be quite comprehensive, and it included -
among other things - a list of all the users. It's a fair bet that many
Intranet sites also have accounts on the corporate Windows network,
and perhaps some of them have used the same password in both
places. Since it's clear that we have an easy way to retrieve any
Intranet password, and since we had located an open PPTP VPN port
on the corporate firewall, it should be straightforward to attempt this
kind of access.
We had done a spot check on a few accounts without success, and we
can't really know whether it's "bad password" or "the Intranet account
name differs from the Windows account name". But we think that
automated tools could make some of this easier.
Other Approaches
Mitigations
$sth->execute($emai l ) ;
Secure version
PreparedStatement ps = connection.prepareStatement(
"SELECT email FROM member WHERE name = ?" ) ;
ps.setString(1, formFie ld) ;
ResultSet rs = ps.executeQuery();
Here, $email is the data obtained from the user's form, and it is
passed as positional parameter #1 (the first question mark), and
at no point do the contents of this variable have anything to do
with SQL statement parsing. Quotes, semicolons, backslashes,
SQL comment notation - none of this has any impact, because
it's "just data". There simply is nothing to subvert, so the
application is be largely immune to SQL injection attacks.
There also may be some performance benefits if this prepared
query is reused multiple times (it only has to be parsed once),
but this is minor compared to the enormous security benefits.
This is probably the single most important step one can take to
secure a web application.
Limit databas
and segregate
In the case at hand, we observed just two interactions that are
made not in the context of a logged-in user: "log in" and "send
me password". The web application ought to use a database
connection with the most limited rights possible: query-only
access to the members table, and no access to any other table.
The effect here is that even a "successful" SQL injection attack is
going to have much more limited success. Here, we'd not have
been able to do the UPDATE request that ultimately granted us
access, so we'd have had to resort to other avenues.
Once the web application determined that a set of valid
credentials had been passed via the login form, it would then
switch that session to a database connection with more rights.
It should go almost without saying that sa rights should never
be used for any web-based application.
Use stored pro
When the database server supports them, use stored procedures
for performing access on the application's behalf, which can
eliminate SQL entirely (assuming the stored procedures
themselves are written properly).
By encapsulating the rules for a certain action - query, update,
delete, etc. - into a single procedure, it can be tested and
documented on a standalone basis and business rules enforced
(for instance, the "add new order" procedure might reject that
order if the customer were over his credit limit).
For simple queries this might be only a minor benefit, but as the
operations become more complicated (or are used in more than
one place), having a single definition for the operation means it's
going to be more robust and easier to maintain.
Note: it's always possible to write a stored procedure that itself
constructs a query dynamically: this provides no protection
against SQL Injection - it's only proper binding with
prepare/execute or direct SQL statements with bound variables
that provide this protection.
Isolate the we
Even having taken all these mitigation steps, it's nevertheless
still possible to miss something and leave the server open to
compromise. One ought to design the network infrastructure to
assume that the bad guy will have full administrator access to
the machine, and then attempt to limit how that can be
leveraged to compromise other things.
For instance, putting the machine in a DMZ with extremely
limited pinholes "inside" the network means that even getting
complete control of the webserver doesn't automatically grant
full access to everything else. This won't stop everything, of
course, but it makes it a lot harder.
Configure erro
The default error reporting for some frameworks includes
developer debugging information, and this cannot be shown to
outside users. Imagine how much easier a time it makes for an
attacker if the full query is shown, pointing to the syntax error
involved.
This information is useful to developers, but it should be
restricted - if possible - to just internal users.
Note that not all databases are configured the same way, and not all
even support the same dialect of SQL (the "S" stands for "Structured",
not "Standard"). For instance, most versions of MySQL do not support
subselects, nor do they usually allow multiple statements: these are
substantially complicating factors when attempting to penetrate a
network.
We'd like to emphasize that though we chose the "Forgotten password"
link to attack in this particular case, it wasn't really because this
particular web application feature is dangerous. It was simply one of
several available features that might have been vulnerable, and it
would be a mistake to focus on the "Forgotten password" aspect of the
presentation.
This Tech Tip has not been intended to provide comprehensive
coverage on SQL injection, or even a tutorial: it merely documents the
process that evolved over several hours during a contracted
engagement. We've seen other papers on SQL injection discuss the
technical background, but still only provide the "money shot" that
ultimately gained them access.
But that final statement required background knowledge to pull off,
and the process of gathering that information has merit too. One
doesn't always have access to source code for an application, and the
ability to attack a custom application blindly has some value.
Thanks to David Litchfield and Randal Schwartz for their technical
input to this paper, and to the great Chris Mospaw for graphic design
(© 2005 by Chris Mospaw, used with permission).
Other resources
A classic example of SQL injection starts with a query that looks something like:
If the login.php program in this example blindly sets the variables to the values that
come from the user, a malicious user can bypass the authentication. Consider the
following inputs:
This simple example barely scratches the surface of the kinds of attacks that can be made
using SQL injection. Depending on the DBMS, it may be possible to do multiple queries
via an injection by separating each with a semicolon:
SELECT id FROM users WHERE name='' AND pass=''; DROP TABLE users;
which is, of course, a rather destructive injection. MySQL does not allow multiple
queries in a statement, but PostgreSQL is susceptible to this technique.
Web site and/or database search functions are particularly dangerous because they display
their output; if a malicious user can inject any query they choose, they can capture the
entire contents of the database. The UNION keyword can turn a query such as:
A certain amount of guessing column names and types is required if an attacker does not
have access to the database schema, but they are often not very hard to guess given some
understanding of the application. Some database systems, notably Microsoft SQL Server,
seem to deliberately shoot themselves in the foot by providing the schema for all tables in
a generally accessible database, thereby removing all the guesswork.
Injection also requires a certain amount of imagination to visualize the kinds of queries
that might be going on behind the input boxes of a web form. It requires quite a bit of
trial and error unless one has access to the source; this is why the majority of reported
SQL injections are in free software or open source web applications.
Note that it is not only web forms using the POST method that are vulnerable, many web
applications that use the GET method are vulnerable to injections via the URL:
http://vulnerablewebapp.com/login.php?\
name=%27%20OR%201%3D1%20&pass=%27%20OR%201%3D1%20LIMIT%201
Like many other web vulnerabilities, SQL injection stems from insufficient filtering of
user input. Unfortunately, it is sometimes difficult to determine what kinds of input
should be accepted (for example the password "' OR 1=1" would not necessarily seem
illegal) and using various filtering functions provided by the language may not actually
prevent injections. The PHP addslashes() function is often used to sanitize user input
because it will put a backslash in front of single quotes which will stop the kinds of
injections described above. Unfortunately, there are techniques to circumvent this
particular 'fix' as well.
Probably the simplest way to protect queries from SQL injection is by using prepared
statements with placeholders. Any reasonable database interface will provide a way to
use this functionality and in many cases, it is fairly portable between languages and DBM
systems.
Instead of directly interpolating string values into query strings, a query is prepared using
'?' as a placeholder for the variables as shown in the following pseudocode:
Another way to defend against injections is by ensuring that all user input is passed
through a database specific quoting function before being used in a query:
$name = db_quote($name);
$pass = db_quote($pass);
SELECT id FROM users WHERE name=$name AND pass=$pass;
Depending on the language and database API, this method may also be fairly portable.
The final recommended technique is also the most complicated; but it can provide an
additional level of security if stored procedures are available for the DBMS. Stored
procedures are queries (and more complicated functions) that are created by the database
administrator and stored with the database. These procedures are then called by the
application code to do any queries that they require. The equivalent of the prepare
functionality is done on the procedures at the time they are stored and with proper coding,
this will prevent injections. One of the main advantages is that these procedures run with
the privileges of the user that stored them, instead of the user invoking them and this
allows the application to have a much more limited set of privileges than it would
normally require. The upshot is that it can protect the database from reading or writing
even if the application is subverted in some way.
SQL injections are clearly a serious security problem, but one that can be thwarted
relatively easily once one understands the problem and the ways to program around it.
Another great article. One of the many horrors of MS-SQL is the incredible amount of
functionality
available to a SQL injection attacker. MS-SQL can be made to open a connection to any
other
database, even on other hosts or networks. A SQL injection attack against MS-SQL can
allow the
attacker to tell your database to connect to any random instance of SQL Server and
replicate itself.
This obviously takes all the guesswork out of trying to reverse engineer the schema. An
attacker
can rip off an entire MS-SQL instance with a single HTTP request.
Guess work?
Posted Mar 30, 2006 23:49 UTC (Thu) by GreyWizard (subscriber, #1026) [Link]
Basically, you are suggesting that in order to kill a fly, you should use a proper gun,
practice at a firing range, isolate the fly in a safe environment, surgically optimize your
eye-hand coordination, calculate environmental influences, suppress urges to start
shooting at random, before taking a shot at removing the annoying intruder.
Sure, if a gun is my only tool, I'd go through all that. But I'd rather whack the bastard
with a newspaper.
Nonsense
Posted Mar 31, 2006 15:07 UTC (Fri) by GreyWizard (subscriber, #1026) [Link]
That is a perfectly ridiculous analogy. Whining that the database has too many features
that might be useful for someone exploiting SQL injection vulnerabilities in an unrelated
application is not so much swatting the fly as cursing the publisher for printing a
newspaper that's too hard to swing while the thing is still buzzing around your head.
Nonsense
Posted Mar 31, 2006 15:36 UTC (Fri) by hppnq (guest, #14462) [Link]
So what are you suggesting then? That we should all write perfect code? Yes, that would
solve the problem. Is it realistic? Not a chance in hell.
It follows quite simply that it's wise to start off with as little resources and interfaces as
possible if you care about security.
RTFA
Posted Mar 31, 2006 22:17 UTC (Fri) by GreyWizard (subscriber, #1026) [Link]
Contrary to your raving, filtering user input does not require perfect code. I suggest
reading the article to which this thread is attached. There you will find suggestions such
as using prepared statements or stored procedures. As stated above, "SQL injections [...]
can be thwarted relatively easily once one understands the problem and the ways to
program around it." On the other hand, no database can provide protection from gaping
security holes in external applications.
Mmmmhh
Posted Apr 1, 2006 8:53 UTC (Sat) by hppnq (guest, #14462) [Link]
It seems to me that we are making a lot of fuss about something that we basically feel the
same about. If you take the time to calm down and read the comments as well as the
article you might see this too.
Now, you were the one that brought up the topics of sloppy programming and "security
through obscurity", taking this discussion explicitly to the realm of the real world, where
the perfect solution does not exist. You observed that database features are no excuse for
bad programming, while I am of the opinion that they should not be an excuse.
In the real world resources are limited. At some point a decision will have to be made: is
it good enough? Since security means nothing in the laboratory, and everything in the real
world, this is a very important observation. This is also why I mention writing perfect
code: it cannot be done, and the only way to avoid having to make suboptimal decisions
is to remove the necessity of making those decisions. This is a classic trade-off between
security and functionality.
Instead of having to protect features one does not need, it is better to not have them
available in the first place. That of course leaves more resources available to get the
actual job done: defining the correct interfaces to the functionality you want to provide or
use and protecting those interfaces properly.
On the other hand, no database can provide protection from gaping security holes in
external applications.
This is the same problem. Do take some time to think about it.
You reply to a comment about security through obscurity with an irrelevant analogy to
shooting mosquitoes, and now you accuse me of not reading what I reply to? You rant
and rave about the impossibility of perfect code, and now you tell me to calm down?
Amusing. But your airy hand waving about "protecting features one doesn't need" still
misses the point: using the dumbest database available would be a trade-off between
security and functionality only if this were an effective substitute for plugging SQL
injection holes in the application. As long as there are remote exploits the application
cannot meet even the least demanding security requirements with any database.
This is really not so complicated. Practice what you preach, especially with regard to
taking the time to think about it.
Well, I just tried to add some more perspective to your rather simplistic "thou shalt not
program sloppily" statement. It appears to me that in your enthusiasm to slight me, you
seem to miss your own point completely.
*plonk*
Perspective Indeed
Posted Apr 4, 2006 2:58 UTC (Tue) by GreyWizard (subscriber, #1026) [Link]
You are confused. "Database features do not excuse sloppy applications" is simple. "Thou
shalt not program sloppily" is simplistic. The latter is your contribution, not mine.
Rambling about mosquitoes, whining about perfect code, splitting hairs over "are" and
"should" and pretending I don't understand my own point is your idea of adding
perspective, is it? Spare me such generosity.
SQL injection attacks
Posted Mar 31, 2006 11:06 UTC (Fri) by pdc (subscriber, #1353) [Link]
To try to avoid this we do all access from a web app to the SQL Server database via
stored procedures, with user input passed as parameters. At least then you can reastrict
the privileges of the web application to just the procedures it needs to use. Makes the
database development rather tedious, however.
SQL injection attacks
Posted Mar 31, 2006 19:20 UTC (Fri) by dwkunkel (subscriber, #5999) [Link]
I use Oracle stored procedures to simplify my web applications. All the business logic is
handled by stored procedures and there is no sql in the web pages. The pages just pass
parameters to the appropriate stored procedure.
An Oracle stored procedure can return multiple reference cursors that can be cast to Java
ResultSets and used directly in a web page. The reference cursors can also be converted
to Cached RowSets and used in Data Transfer Objects. Performance is quite good
because everything is done in a single trip to the database.
I don't know about SQL Server, but I find Oracle's PL/SQL to be an easy to use
programming language that makes it relatively simple to produce very readable code.
I hadn't heard of the CHAR() injection strategy briefly mentioned in the article. Google is
not being helpful about it. Anyone have more information on that one? It sounds
particularly nasty.
SQL injection attacks
Posted Mar 30, 2006 10:14 UTC (Thu) by NAR (subscriber, #1313) [Link]
Great article. I've worked on a project which displayed the results of an SQL query in a
HTML page and once I played with inserting HTML code into the database to break the
output. However, I didn't try to break the SQL insert commands. I think I've just found an
interesting pet project for the afternoon :-)
Bye,NAR
SQL injection attacks
Posted Mar 31, 2006 15:46 UTC (Fri) by hppnq (guest, #14462) [Link]
It's important to note that the details of quoting strings are DBMS-dependent, and PHP's
addslashes() is insufficient (or in some cases just plain wrong). Some of the comments on
the PHP addslashes() doc page go into the details. It's always better to use a DBMS-
specific quoting function (e.g. mysql_real_escape_string) than to blindly add backslashes.
Which is why PHP's "magic quotes" feature is so annoyingly useless.
This tendency to SQL injection is one of the reasons people see PHP as an inherently
insecure language, or at least one that encourages insecure programming.
input filtering
Posted Mar 30, 2006 14:51 UTC (Thu) by ccyoung (subscriber, #16340) [Link]
what is needed is one filter function for each data type. this not only formats but does
type checking. for example, db_get_string may not allow quotes and punctuation,
whereas db_get_text might be more forgiving.
a big gotcha in PHP is it's confusion between 0, null, and an empty string.
The prepared statement functionality, at least in some databases, is actually even better
than this article suggests: it causes the statement with the question marks to be parsed to
generate the sequence of database-internal operations which will be performed. Then
when the arguments are filled, it doesn't need to escape the strings, because it doesn't
unescape them; it doesn't treat any characters specially at this point. Furthermore, since
all of the parsing is already done when user input comes in, it can't be induced to perform
unexpected operations, because the sequence of operations it will perform is already
determined at this point.
Furthermore, it's often faster, because it can cache the execution plan for the query,
because all of the "SELECT id FROM users WHERE user=? AND pass=?" parts are
identical, and the parsing can be a significant portion of the query time, since there's a
bunch of effort in figuring out what's going on, and that the useful optimization for this
query is the unique index on users.user.
does not show the end quote (') after $name and $pass. Would it not translate to this:
SELECT id FROM users WHERE name='' OR 1=1' AND pass='' OR 1=1 LIMIT 1';
> SELECT id FROM users WHERE name='' OR 1=1' AND pass='' OR 1=1 LIMIT 1';
jake
There is a simpler fix, which also stops other attacks too... do proper input validation---if
something is suppsesd to be a number, make sure it really is. Numbers like "1 OR 1=1"
(without the quotes) can do evil things in contexts expecting numbers. Input validation
stops that too.
Using magic_quote_qpc, SQL syntax randomisation, etc are all useful backstops in case
you somehow fail to properly validate something. I have my doutbs about the security of
stored procedures when fed evil input, unless handling it safely is a primary design goal.
Sadly there is no agreement about parameters in prepared statements. ODBC and MySQL
wants ?. Postgresql want $1, $2, etc and oracle accept $<almost anythihg>. (This sort of
thing is one of the "joys" of writng multiple database server SQL.)
As other have pointed out, '1 OR 1=1' can be a valid password. Or at least, a validating
routine for valid password should accept this; something like '1hotguys = 1' is a valid
password...
So, input validation is not a silver bullet; it's just a step in the journey.
Using a stored procedure help because the data will be used just as it is: data. You can't
turn the input in a variation of the execute query (at least, note easily). Of course, bad
data could trigger other kind of problems (like, say, a buffer overflow attack on the
RDBMS).
A for the syntax for placeholders in prepared statements, with the Perl DBI at least, the
syntax is the same for every RDBMS. And having worked with MySQL, Oracle and
SQLite with PHP, I don't recall having seen different syntax used; maybe it was because I
was not using the 'direct' API (like mysql_xx, oc8_xx, etc.) but instead using abstraction
layer, like PEAR DB. But if you are writing multiple database server application, I would
guess that this is a 'sine qua none' condition. At least for me!