SQL Injection attacks and defense pdf
Justin Clarke Lead Author and Technical Editor
Rodrigo Marcos Alvarez
Dave Hartley
Joseph Hemler
Alexander Kornbrust
Haroon Meer
Gary O’Leary-Steele
Alberto Revelli
Marco Slaviero
Dafydd Stuttard
Elsevier, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively
“Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.
There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is
sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.
In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other
incidental or consequential damages arising out from the Work or its contents. Because some states do not
allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation
may not apply to you.
You should always use reasonable care, including backup and other appropriate precautions, when working
with computers, networks, data, and files.
Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author
UPDATE®,” and “Hack Proofing®,” are registered trademarks of Elsevier, Inc. “Syngress: The Definition
of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think
Like One™” are trademarks of Elsevier, Inc. Brands and product names mentioned in this book are
trademarks or service marks of their respective companies.
PUBLISHED BY
Syngress Publishing, Inc.
Elsevier, Inc.
30 Corporate Drive
Burlington, MA 01803
SQL Injection Attacks and Defense
Copyright © 2009 by Elsevier, Inc. All rights reserved. Printed in the United States of America. Except as
permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in
any form or by any means, or stored in a database or retrieval system, without the prior written permission
of the publisher, with the exception that the program listings may be entered, stored, and executed in
a computer system, but they may not be reproduced for publication.
Printed in the United States of America
ISBN 13: 978-1-59749-424-3
Publisher: Laura Colantoni
Acquisitions Editor: Rachel Roumeliotis
Developmental Editor: Matthew Cater
Lead Author and Technical Editor: Justin Clarke
Project Manager: Heather Tighe
Page Layout and Art: SPI
Copy Editor: Audrey Doyle
Indexer: SPI
Cover Designer: Michael Kavish
For information on rights, translations, and bulk sales, contact Matt Pedersen, Director of Corporate Sales,
Elsevier; email m.pedersen@elsevier.com.
Library of Congress Cataloging-in-Publication Data
Application Submitted
Lead Author and Technical Editor
Justin Clarke is a co-founder and Director of Gotham Digital Science, an information
security consulting firm that works with clients to identify, prevent, and manage security
risks. He has over twelve years’ experience in testing the security of networks, web
applications, and wireless networks for large financial, retail, and technology clients in
the United States, United Kingdom and New Zealand.
Justin is a contributing author to a number of computer security books, as well as
a speaker at many conferences and events on security topics, including Black Hat USA,
EuSecWest, OSCON, ISACA, RSA, SANS, OWASP, and the British Computer Society.
He is the author of the Open Source SQLBrute blind SQL injection exploitation tool,
and is the Chapter Leader for the London chapter of OWASP.
Contributing Authors
Rodrigo Marcos Alvarez (MSc, BSc, CREST, CISSP, CNNA, OPST,
MCP) is the founder and technical director of SECFORCE. SECFORCE
is a UK-based IT security consultancy that offers vendor-independent and
impartial IT security advice to companies across all industry fields.
Rodrigo is a contributor to the OWASP project and a security researcher.
He is particularly interested in network protocol analysis via fuzz testing.
Among other projects, he has released TAOF, a protocol-agnostic GUI fuzzer,
and proxyfuzz, a TCP/UDP proxy which fuzzes on the fly. Rodrigo has
also contributed to the web security field by releasing bsishell, an
interactive Python blind SQL injection shell, and by developing TCP socket
reuse attack techniques.
Dave Hartley has been working in the IT security industry since 1998.
He is currently a security consultant for Activity Information Management,
based in the United Kingdom, where he is responsible for the development
and delivery of Activity’s technical auditing services.
Dave has performed a wide range of security assessments and provided
a myriad of consultancy services for clients in a number of different sectors,
including financial institutions, entertainment, media, telecommunications,
and software development companies and government organizations
worldwide. Dave is a CREST certified consultant and part of Activity’s
CESG CHECK team. He is also the author of the Bobcat SQL injection
exploitation tool.
Dave would like to express heartfelt thanks to his extremely beautiful
and understanding wife Nicole for her patience and support.
Joseph Hemler (CISSP) is a co-founder and Director of Gotham Digital
Science, an information security consulting firm that works with clients to
identify, prevent, and manage security risks. He has worked in the realm of
application security for over 9 years, and has deep experience identifying,
exploiting, and correcting software security flaws. Prior to founding GDS,
Mr. Hemler was a senior security engineer at Ernst & Young’s Advanced
Security Center.
Mr. Hemler has authored source code analysis tools and written
multiple scripts for identifying and exploiting network and web
application vulnerabilities. He is a contributing author to books in
the area of application security, frequently blogs on the GDS Security
Blog, and often speaks at various information security conferences and
training seminars. Mr. Hemler graduated with a Bachelors of Business
Administration from the University of Notre Dame.
Alexander Kornbrust is the founder of Red-Database-Security.
He provides Oracle security audits, security training and consulting
to customers worldwide.
Alexander has worked since 1992 with Oracle and his specialties are
the security of Oracle databases and secure architectures. Alexander has
reported more than 300 security bugs to Oracle.
Alexander holds a masters degree (Diplom-Informatiker) in computer
science from the University of Passau.
Haroon Meer is the Technical Director of SensePost. He joined SensePost
in 2001 and has not slept since his early childhood. He has played in most
aspects of IT Security from development to deployment and currently gets
most of his kicks from reverse engineering, application assessments, and
similar forms of pain. Haroon has spoken and trained at Black Hat, Defcon,
Microsoft Tech-Ed, and other conferences. He loves “Deels,” building new
things, breaking new things, reading, deep find-outering, and making up
new words. He dislikes sleep, pointless red-tape, dishonest people, and
watching cricket.
Gary O’Leary-Steele (CREST Consultant) is the Technical Director of
Sec-1 Ltd, based in the UK. He currently provides senior-level penetration
testing and security consultancy for a variety of clients, including a number
of large online retailers and financial sector organizations. His specialties
include web application security assessment, network penetration testing
and vulnerability research. Gary is also the lead author and trainer for the
Sec-1 Certified Network Security Professional (CNSP) training program
that has seen more than 3,000 attendees since its launch.
Gary is credited by Microsoft, RSA, GFI and Marshal Software for the
discovery of security flaws within their commercial applications.
Alberto Revelli is a security researcher and the author of sqlninja, an open
source toolkit that has become a “weapon of choice” when exploiting
a SQL Injection vulnerability on a web application based on Microsoft
SQL Server. As for his day job, he works as a senior security consultant for
Portcullis Computer Security, mostly breaking into web applications and
into any other thing that happens to tickle his curiosity.
During his career he has assisted a multitude of clients including
major financial institutions, telecom operators, media and manufacturing
companies. He has been invited as a speaker to several security conferences,
including EuSecWest, CONFidence, Shakacon, and SOURCE. He is the
Technical Director of the Italian Chapter of OWASP and he is one of the
authors of the OWASP Testing Guide. Prior to joining Portcullis, Alberto
worked for Spike Reply and McKinsey&Company.
He currently resides in London, enjoying its awful weather and its
crazy nightlife together with his girlfriend.
Marco Slaviero (MSc) is an associate at SensePost, a South African
information security company focused on providing penetration
testing services to global clients in the financial services, mining and
telecommunications sectors. Marco specializes in web application
assessments with a side interest in thick applications and network
assessments.
Marco has spoken on SQL Injection at Black Hat USA, and he
developed the proof-of-concept Squeeza tool.
Marco lives with Juliette, his wonderful wife, who gave him the
space to contribute to this book.
Dafydd Stuttard is the author of the best-selling Web Application Hacker’s
Handbook. Under the alias “PortSwigger” he created the popular Burp Suite
of web application hacking tools. Dafydd has developed and presented
training courses at the Black Hat security conferences around the world.
Dafydd is a Principal Security Consultant at Next Generation Security
Software, where he leads the web application security competency. He has
ten years’ experience in security consulting and specializes in the penetration
testing of web applications and compiled software. Dafydd holds Masters
and Doctorate degrees in philosophy from the University of Oxford.
Contents
Chapter 1 What Is SQL Injection? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Understanding How Web Applications Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
A Simple Application Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
A More Complex Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Understanding SQL Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
High-Profile Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Understanding How It Happens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Dynamic String Building . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Incorrectly Handled Escape Characters . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Incorrectly Handled Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Incorrectly Handled Query Assembly . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Incorrectly Handled Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Incorrectly Handled Multiple Submissions . . . . . . . . . . . . . . . . . . . . . . . 19
Insecure Database Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Chapter 2 Testing for SQL Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Finding SQL Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Testing by Inference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Identifying Data Entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
GET Requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
POST Requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Other Injectable Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Manipulating Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Information Workflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Database Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Commonly Displayed SQL Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Microsoft SQL Server Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
MySQL Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Oracle Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Application Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Generic Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
HTTP Code Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Different Response Sizes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Blind Injection Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Confirming SQL Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Differentiating Numbers and Strings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Inline SQL Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Injecting Strings Inline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Injecting Numeric Values Inline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Terminating SQL Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Database Comment Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Using Comments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Executing Multiple Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Time Delays . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Automating SQL Injection Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Tools for Automatically Finding SQL Injection . . . . . . . . . . . . . . . . . . . . . . 81
HP WebInspect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
IBM Rational AppScan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
HP Scrawlr . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
SQLiX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Paros Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Chapter 3 Reviewing Code for SQL Injection . . . . . . . . . . . . . . . . . . . . . . . 95
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Reviewing Source Code for SQL Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Dangerous Coding Behaviors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Dangerous Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Following the Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Following Data in PHP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Following Data in Java . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Following Data in C# . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Reviewing PL/SQL and T-SQL Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Automated Source Code Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Yet Another Source Code Analyzer (YASCA) . . . . . . . . . . . . . . . . . . . . . . 125
Pixy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
AppCodeScan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
LAPSE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Security Compass Web Application Analysis Tool (SWAAT) . . . . . . . . . . . . 128
Microsoft Source Code Analyzer for SQL Injection . . . . . . . . . . . . . . . . . . 128
Microsoft Code Analysis Tool .NET (CAT.NET) . . . . . . . . . . . . . . . . . . . . 129
Commercial Source Code Review Tools . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Ounce . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Source Code Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
CodeSecure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Chapter 4 Exploiting SQL Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Understanding Common Exploit Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Using Stacked Queries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Identifying the Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Non-Blind Fingerprint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Banner Grabbing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Blind Fingerprint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Extracting Data through UNION Statements . . . . . . . . . . . . . . . . . . . . . . . . . 148
Matching Columns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Matching Data Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Using Conditional Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Approach 1: Time-based . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Approach 2: Error-based . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Approach 3: Content-based . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Working with Strings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Extending the Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Using Errors for SQL Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Error Messages in Oracle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Enumerating the Database Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
SQL Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
MySQL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Oracle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Escalating Privileges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
SQL Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Privilege Escalation on Unpatched Servers . . . . . . . . . . . . . . . . . . . . . . 189
Oracle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Stealing the Password Hashes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
SQL Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
MySQL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Oracle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Oracle Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
APEX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Oracle Internet Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Out-of-Band Communication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
E-mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Microsoft SQL Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Oracle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
HTTP/DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
File System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
SQL Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
MySQL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Oracle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Automating SQL Injection Exploitation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Sqlmap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Sqlmap Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Bobcat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
BSQL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
Other Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
Chapter 5 Blind SQL Injection Exploitation . . . . . . . . . . . . . . . . . . . . . . . . 219
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Finding and Confirming Blind SQL Injection . . . . . . . . . . . . . . . . . . . . . . . . . 221
Forcing Generic Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Injecting Queries with Side Effects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Splitting and Balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Common Blind SQL Injection Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . 225
Blind SQL Injection Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Inference Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Increasing the Complexity of Inference Techniques . . . . . . . . . . . . . . 230
Alternative Channel Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
Using Time-Based Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Delaying Database Queries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
MySQL Delays . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Generic MySQL Binary Search Inference Exploits . . . . . . . . . . . . . . 237
Generic MySQL Bit-by-Bit Inference Exploits . . . . . . . . . . . . . . . . . 237
SQL Server Delays . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Generic SQL Server Binary Search Inference Exploits . . . . . . . . . . . . 240
Generic SQL Server Bit-by-Bit Inference Exploits . . . . . . . . . . . . . . 240
Oracle Delays . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
Time-Based Inference Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Using Response-Based Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
MySQL Response Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
SQL Server Response Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Oracle Response Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Returning More Than One Bit of Information . . . . . . . . . . . . . . . . . . . . . 247
Using Alternative Channels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Database Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
DNS Exfiltration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
E-mail Exfiltration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
HTTP Exfiltration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
Automating Blind SQL Injection Exploitation . . . . . . . . . . . . . . . . . . . . . . . . . 258
Absinthe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
BSQL Hacker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
SQLBrute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Sqlninja . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
Squeeza . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
Chapter 6 Exploiting the Operating System . . . . . . . . . . . . . . . . . . . . . . . 271
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
Accessing the File System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Reading Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
MySQL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Microsoft SQL Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
Oracle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Writing Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
MySQL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
Microsoft SQL Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Oracle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
Executing Operating System Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Direct Execution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Oracle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
DBMS_SCHEDULER . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
PL/SQL Native . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
Other Possibilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Alter System Set Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
PL/SQL Native 9i . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Buffer Overflows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Custom Application Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
MySQL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Microsoft SQL Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Consolidating Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Chapter 7 Advanced Topics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
Evading Input Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
Using Case Variation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
Using SQL Comments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
Using URL Encoding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
Using Dynamic Query Execution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Using Null Bytes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Nesting Stripped Expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Exploiting Truncation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Bypassing Custom Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
Using Non-Standard Entry Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
Exploiting Second-Order SQL Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
Finding Second-Order Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
Using Hybrid Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
Leveraging Captured Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
Creating Cross-Site Scripting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
Running Operating System Commands on Oracle . . . . . . . . . . . . . . . . . . 336
Exploiting Authenticated Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340