Advanced PostgreSQL SQL Injection and Filter Bypass Techniques
INFIGO-TD-2009-04
2009-06-17
Leon Juranić
leon.juranic@infigo.hr
©INFIGO IS. All rights reserved.
This document contains information protected by copyright. No part of this document
may be photocopied, reproduced, or translated to another language without the prior
written consent of INFIGO IS.
TABLE OF CONTENTS
1. INTRODUCTION ... 4
2. VULNERABLE WEB APPLICATION ... 5
3. GENERAL BLIND SQL INJECTION ATTACKS ... 7
4. FILTER BYPASSING TECHNIQUES ... 8
4.1. DOLLAR-SIGNS ... 8
4.2. DATABASE FUNCTIONS ... 9
5. EXPLOITING BLIND SQL INJECTION IN POSTGRESQL ... 11
5.1. IDENTIFICATION OF TABLE AND COLUMN NAMES ... 11
5.1.1. TABLE DATA RETRIEVAL ... 11
5.1.1.1. Data retrieval with the substr() function ... 11
5.1.1.2. Data retrieval with the strpos() function ... 12
5.1.1.3. Data retrieval with the get_byte() function ... 13
6. CONCLUSION ... 15
INFIGO-TD-2009-04
© INFIGO IS d.o.o.
3/15
1. INTRODUCTION
According to the WhiteHat Website Security Statistics Report from 2009 (available at http://www.whitehatsec.com/home/assets/WPStatsreport_100107.pdf), SQL injection vulnerabilities account for up to 17% of all web application vulnerabilities. Besides being very common, SQL injection vulnerabilities typically allow an attacker to read or even modify arbitrary data in the database used by the web application, which increases the risk resulting from such vulnerabilities.
In order to increase the overall security of web applications, companies today often implement
web application firewalls or filters. While web application firewalls can indeed stop certain
attacks, they are not a complete solution to web application vulnerabilities.
This document demonstrates advanced blind SQL injection attacks on PostgreSQL databases. It is the result of a penetration test performed on a real system, in which a real web application firewall protected a vulnerable web application.
The exploitation techniques used in this document show how such a web application firewall can be bypassed and data extracted. The rest of the document is organized as follows. Section 2 sets up the vulnerable web application and a keyword-based simulation of a web application firewall. Section 3 explains the basics of blind SQL injection vulnerabilities. Section 4 shows how the web application firewall described in Section 2 can be bypassed, allowing an attacker to issue practically any SQL query. Finally, Section 5 describes how blind SQL injection vulnerabilities can be exploited, including some techniques specific to PostgreSQL databases.
2. VULNERABLE WEB APPLICATION
In order to demonstrate the vulnerability and the exploitation techniques, a simple vulnerable web application will be used. The application queries a PostgreSQL database by a user ID in order to retrieve the user's first name, last name and username. The listing below shows the vulnerable SQL query. The ID parameter, used in the pg_exec() call, is vulnerable to SQL injection. As the application does not print any values retrieved from the database back to the user, this is a case of blind SQL injection, where the attacker does not directly see the results of his queries. Finally, as the ID is a numerical parameter, it does not have to be quoted in the query. This is important because in this case the magic_quotes PHP feature does not prevent SQL injection attacks.
The query.php script code is displayed below:
<?php
include("sqlinjectionfilter.php");

// Refuse the request if no id parameter was supplied.
if (!isset($_GET['id']))
{
    exit(0);
}

// Simulated web application firewall: a regular-expression keyword check on the input.
if (SQLInjectionTest($_GET['id']))
{
    echo "<h1> SQL INJECTION DETECTED!!! </h1>";
    exit(0);
}

echo "<hr>";
$connection = pg_connect("dbname=template1 user=postgres") or
    die("Connection failed");

// Vulnerable query: the unquoted id parameter is concatenated directly into the SQL text.
$myresult = pg_exec($connection, "SELECT * FROM users WHERE id=" . $_GET['id'] . ";");
/* ...
   ...
   ...
   ...
*/
?>
As this document is the result of a real penetration test, in which a vulnerable application similar to the one displayed above was protected by a web application firewall, another PHP script has been developed to simulate the web application firewall. The simulation has been implemented as a simple function, SQLInjectionTest(). Similarly to a real web application firewall, this function parses the user input and uses a regular expression to determine whether it contains an SQL command. If an SQL command is detected, the script drops the request and it never reaches the vulnerable function. The sqlinjectionfilter.php script, which implements this simple web application firewall, is shown below. The rest of the document describes exploitation techniques that can be used to evade such web application firewalls. The attacks used are based on classic blind SQL injection attacks, but are further expanded so that some specifics of the PostgreSQL implementation are abused.
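For comparison with the vulnerable query.php above, the following is a hardened version of the same script. It is an added example and not part of the INFIGO paper; it assumes the same users table with an integer id column and the same connection string as the paper's listing. The point is that type enforcement plus a parameterised query removes the injection at the source, so a keyword filter such as SQLInjectionTest() is at most defence in depth rather than the control the application relies on.

```php
<?php
// Added example (not from the INFIGO paper): hardened query.php.
// Assumes the same "users" table with an integer "id" column and the same
// connection string as the paper's vulnerable listing.

// 1. Enforce the parameter's type before it goes anywhere near SQL.
//    FILTER_VALIDATE_INT returns false for anything that is not a plain
//    integer, so a WHERE clause can no longer be extended by appended SQL.
$id = filter_var($_GET['id'] ?? '', FILTER_VALIDATE_INT);
if ($id === false || $id < 0) {
    http_response_code(400);
    exit("invalid id");
}

$connection = pg_connect("dbname=template1 user=postgres")
    or die("Connection failed");

// 2. Send the value as a bound parameter. The statement text and the value
//    travel separately, so the database never parses the value as SQL.
//    The SQL text contains no user data at all.
$result = pg_query_params(
    $connection,
    'SELECT * FROM users WHERE id = $1',
    [$id]
);
if ($result === false) {
    // Log server-side only. Echoing pg_last_error() to the client would turn
    // a blind injection scenario into a verbose one for any residual bug.
    error_log("query.php: query failed: " . pg_last_error($connection));
    http_response_code(500);
    exit("internal error");
}

// 3. Consume the row as the original application does; as in the paper,
//    nothing retrieved from the database is echoed back to the user.
$row = pg_fetch_assoc($result);
pg_free_result($result);
pg_close($connection);
?>
```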