In association with heise online

17 April 2009, 15:40

SQL injection reloaded: access to the operating system


SQL (Structured Query Language) injection lets attackers not only manipulate a database but also take immediate control of an entire server, operating system included. (Further information about this is available in The H Security feature Lethal injection – SQL injection – attack and defence.) Security specialist Bernardo Damele Assumpcao Guimaraes demonstrated this at the Black Hat hacker conference with his sqlmap tool. The tool Guimaraes developed has a repertoire of attack methods for all three current SQL servers, running on both Windows and Linux.

Sqlmap detects whether MySQL, PostgreSQL or Microsoft SQL Server is involved and automatically selects the appropriate attack route for each one. Guimaraes says the methods used to attain the various objectives of the attack differ fundamentally depending on the type of server. Different user rights are required as well, depending on the target, but he says most database installations have user rights configured, by default, in a way that allows the sqlmap attacks to succeed.

Unlike previously known SQL injections, sqlmap doesn't confine itself to reading values from the database, changing tables or appending content to tables. The tool is designed to automate far more complex attacks by means of stacked queries. Previously known SQL injections constitute only the preliminary stage, a stepping stone to what sqlmap can really do.

The open source tool incorporates functions for reading from, and writing to, the file system, apparently enabling an attacker to transfer any binary or text file from the target to his own computer – provided he knows the exact file name and path. Depending on the server type, sqlmap uses different but standardised SQL commands to read the files. The file on the database server is first copied into a table that the tool creates automatically; the content of that table is then read out to the attacker's machine.

Write access takes a rather more complex form: sqlmap first converts the file concerned into a hexadecimal string, divides the string into pieces of no more than 1024 bytes in the case of MySQL, and then copies the pieces into a table in two passes, first 1024 bytes, then the rest. The content of the table is then copied into a file in the temp folder on the database server. Guimaraes explains that chopping up the files lets him get around any size restrictions that may be present in the web front end associated with the database server. If sqlmap detects a Microsoft SQL Server, the uploaded file is split into 64-kilobyte chunks – precisely the size processed by debug.exe on Windows machines – and sqlmap tells debug.exe to build a single executable file from the 64-kilobyte pieces.

These functions, especially write access of course, form a stepping stone towards the real purpose of sqlmap, which is to obtain full remote access via SQL injection. For this purpose, Guimaraes has given his tool the --os-pwn option. If this parameter is used, sqlmap automatically supplies the meterpreter client from the well-known Metasploit Framework with the parameters desired by the attacker and copies the client to the server via an adaptation of its file upload function. Sqlmap first encodes meterpreter with Metasploit's own msfencode encoder in order to mislead any virus scanners that may inspect the file during the upload process.

Guimaraes says none of the 42 current virus scanners can detect a file that was processed with one of Metasploit's 13 encoders, even though these encoders have long been well known. Following the upload, depending on the operating system concerned, sqlmap uses either sys_exec() or xp_cmdshell() (MS SQL) to run meterpreter. Protective measures against such attacks are well known: web application developers must ensure that no SQL commands are passed on to the database server. They have to filter out such commands immediately after they have been input to the web front end.
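As an added example, not part of the article and not sqlmap's own code: a small Python scanner that flags, in constructed web-server log lines, the request patterns the article describes on the defender's side (stacked queries, long hex literals of the kind that would carry file chunks into a helper table, and OS-level primitives such as xp_cmdshell). The indicator list, the 32-byte hex threshold, the log format and the sample lines are assumptions of this example.

```python
import re
from urllib.parse import unquote_plus

# Indicator patterns for the stages the article describes: stacked queries,
# hex-encoded file chunks written into a helper table, and the OS-level
# primitives run afterwards. The patterns and the 32-byte hex threshold are
# this example's own assumptions, not values taken from sqlmap.
INDICATORS = [
    ("stacked-query", re.compile(r";\s*(?:SELECT|INSERT|UPDATE|DELETE|CREATE|DROP|EXEC(?:UTE)?|DECLARE|COPY)\b", re.I)),
    ("hex-file-chunk", re.compile(r"0x[0-9a-f]{64,}", re.I)),
    ("os-primitive", re.compile(r"\b(?:xp_cmdshell|sys_exec|sys_eval|load_file|into\s+(?:out|dump)file|debug\.exe)\b", re.I)),
]
# Apache/nginx combined-format request line: client, method, request target.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) HTTP/[\d.]+" \d{3}')

def classify(raw_value: str) -> list:
    """Return the indicator names matched by one URL-encoded parameter value."""
    text = unquote_plus(unquote_plus(raw_value))  # also normalises double encoding
    return [name for name, rx in INDICATORS if rx.search(text)]

def scan_access_log(lines) -> list:
    """Return (client, path, parameter, findings) for every flagged request."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, target = m.group(1), m.group(3)
        path, _, query = target.partition("?")
        for pair in query.split("&"):
            name, _, value = pair.partition("=")
            findings = classify(value)
            if findings:
                hits.append((client, path, name, findings))
    return hits

# Constructed sample log: one benign request followed by three that carry the
# stages the article walks through (helper table, hex chunk upload, OS command).
SAMPLE_LOG = [
    '198.51.100.7 - - [17/Apr/2009:15:40:00 +0200] "GET /item.php?id=42 HTTP/1.1" 200 512',
    '198.51.100.7 - - [17/Apr/2009:15:40:01 +0200] "GET /item.php?id=1%3B%20CREATE%20TABLE%20tmp(data%20text) HTTP/1.1" 200 512',
    '198.51.100.7 - - [17/Apr/2009:15:40:02 +0200] "GET /item.php?id=1%3B%20INSERT%20INTO%20tmp%20VALUES(0x' + "4d5a" * 20 + ') HTTP/1.1" 200 512',
    '198.51.100.7 - - [17/Apr/2009:15:40:03 +0200] "GET /item.php?id=1%3BEXEC%20xp_cmdshell HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

A hit on a single request is a signal to review, not proof of compromise; the real fix remains parameterised queries and a database account without file-system or command-execution privileges.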

(Uli Ries)

(crve)

Permalink: http://h-online.com/-741207