[<prev] [next>] [day] [month] [year] [list]
Message-ID: <200402231716.49576.tonu@please.do.not.remove.this.spam.ee>
Date: Mon, 23 Feb 2004 17:16:49 +0200
From: Tõnu Samuel <tonu@...ase.do.not.remove.this.spam.ee>
To: <bugtraq@...urityfocus.com>
Subject: Somewhat new SQL Injection concept
Hi!
While I believe I know something about SQL Injection I have not found any
publications related to way of abuse I am going to describe here. Somewhat it
is not new at all but it seems to work in many weird situations.
Currently all penetration testers efforts seem to be focused on "blind
hacking". Penetration tester can get free access to SQL subsystem and execute
any commands but not able to get any other result back than error messages
(or even not them). There are many publications describing how to fingerprint
databases in blind. This posting just adds one more way.
Often I have found web sites, which also include banks and other usually
not-so-bad-security sites which are vulnerable to blind SQL Injection.
My example uses MySQL because this seems to be most used database on the web
and also I know it best. Meanwhile similar techniques can apply to others. In
every SQL there is a one "feature" which is actually very nice. It allows to
use comments in SQL clauses like this:
SELECT * FROM table /* foo */
In MySQL, there is a extension to it which allows insert MySQL specific code
in way:
SELECT /*! SQL_NO_CACHE */ FROM table
Comments shown above treated as comments in every database except MySQL. MySQL
takes a look inside of comments and may change his behaviour. For example,
this gets executed only, if MySQL is version 4.0.0 or higher:
SELECT /*!40000 SQL_NO_CACHE */ FROM table
It seems bit unusable but in many situations I have found it working through
SQL injection holes when other techiques are not very useful. And this can be
extremely useful for penetration tester to find out database in use and his
version in blind:
Just trying
http://foo/web.php?table=38 I get normal screen
http://foo/web.php?table=38/*%20s*/ I get normal screen
http://foo/web.php?table=38/*!%20s*/ I get different screen because syntax
error in comments - WOW MySQL is in use!
http://foo/web.php?table=38/*!30000%20s*/ same. MySQL is at least 3.x.x
http://foo/web.php?table=38/*!40000%20s*/ same. MySQL is at least 4.x.x
http://foo/web.php?table=38/*!50000%20s*/ Normal screen. MySQL is below 5.x.x
http://foo/web.php?table=38/*!40020%20s*/ Normal screen. MySQL is below 4.0.20
http://foo/web.php?table=38/*!40017%20s*/ broken screen. at least 4.0.17
http://foo/web.php?table=38/*!40018%20s*/ Normal screen. MySQL is below 4.0.18
We can conclude that MySQL running on site is 4.0.17.
Stupid? Yes. But it works really often. This is useful information because
then we may know if we have interest to database or not. In MySQL for example
all series (3.x.x,4.x.x and 5.x.x) have VERY different functionality. It is
good to get information about it so easily.
Another, independent idea. This works on most systems without change. Look at
default behaviour of MySQL database engine:
mysql> select 9e0;
+-----+
| 9e0 |
+-----+
| 9 |
+-----+
1 row in set (0.02 sec)
mysql> select 9e2;
+-----+
| 9e2 |
+-----+
| 900 |
+-----+
1 row in set (0.00 sec)
Most language interpreters are trying to guess something about their input. I
have seen cases when input gets validated against length and passed. So I can
freely pass 9e9 to some database query in backend. PHP guys often suggest
using functions like is_int($_GET['foo']). Yes, it is int! and it is 3 chars
long. But it may take your database server down. I had nice penetration
testing case when there was nearly impossible to get anny error message from
the system. Finally I managed to send some 9e999 somewhere as input which
leaded message similar "PHP timeout of 30 seconds in somehing.inc". Who works
for penetration testing knows how important is any information about system
internals. I was able to download this INC file which leaded to data leak.
About me:
Running company which does some specialized software for secure web
applications. We also sometime do penetration testing and security
consulting. In past I have developed e-banking solutions to different big
banks, worked for MySQL AB as security man and have consulted Fortune 500
companies.
Disclaimer: This is not related to MySQL in any way. Bug is in programmers who
still haven't learned how to treat user input. magic_quotes in PHP just do
mess giving false sense of security. Don't blame me on that. I am just a
messenger.
Powered by blists - more mailing lists