SecuriTeam - Manipulating Microsoft SQL Server Using SQL Injection

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Ask the Team
Mailing Lists
Advertising Info
Advisories
About SecuriTeam
Blogs

Brought to you by:

Suppliers of:

SecuriTeam in Your Inbox

New vulnerability?
New tool?
Tell us
(Our PGP key).

This paper will focus on advanced techniques that can be used in an attack on an application utilizing Microsoft SQL Server as a backend. These techniques demonstrate how an attacker could use a SQL Injection vulnerability to retrieve the database content from behind a firewall and penetrate the internal network.

Credit:
The complete paper can be found at:
http://www.appsecinc.com/presentations/Manipulating_SQL_Server_Using_SQL_Injection.pdf
The information has been provided by Cesar Cerrudo and Aaron C. Newman of Application Security.

Website Security Scan	Code Vulnerability Test	Network Assessment Tool
Detect hidden vulnerabilities	Exhaustive automated testing	Real-time, continuous security
Get guidance from professionals	of internal or 3rd party code.	scanning for your entire network

Protect your website!
Use an External Vulnerability Scanner!
Nothing to install. First report in 1 hour!
www.beyondsecurity.com/vulnerability-scanner

Introduction:
This paper will not cover basic SQL syntax or SQL Injection. It is assumed that the reader has a strong understanding of these topics already. This paper will focus on advanced techniques that can be used in an attack on a (web) application utilizing Microsoft SQL Server as a backend.

These techniques demonstrate how an attacker could use a SQL Injection vulnerability to retrieve the database content from behind a firewall and penetrate the internal network. This paper is meant to educate security professionals of the potential devastating effects SQL Injection could have on an organization.

Web applications are becoming more secure because of the growing awareness of attacks such as SQL Injection. However, in large and complex applications, a single oversight can result in the compromise of the entire system. Specifically, many developers and administrators of (web) applications may have a false sense of security because they use stored procedures or mask an error messages returned to the browser. This may lead them to believe that they cannot be compromised by this vulnerability.

While we discuss Microsoft SQL Server in this paper, this is no way indicative that Microsoft SQL Server is any less secure than other database platforms such as Oracle or IBM DB2. SQL injection is not a defect of Microsoft SQL Server - it is also a problem for every other database vendor as well. Perhaps the biggest issue with Microsoft SQL Server is the flexibility of the system. This flexibility is what allows it to be subverted so far by SQL injection. This paper is meant to show that any time an administrator or developer allows arbitrary SQL to be executed they are practically leaving their system is open to being rooted. It is not meant to show that Microsoft SQL Server is inherently flawed.

	Why Silent Updates Boost Security
	PDF Silent HTTP Form Repurposing Attacks
	Frame Pointer Overwrite Demonstration (Linux)
	Format String Exploitation Demonstration (Linux)
	Hacking SOHO Routers
	Reflective Dll Injection
	Achieving Persistent HTML Injection via SNMP on Embedded Devices
	Lateral SQL Injection: a New Class of Vulnerability in Oracle
	Microsoft Windows DNS Stub Resolver Cache Poisoning (MS08-020)
	Cold Boot Attacks on Disk Encryption
	OpenBSD DNS Cache Poisoning and Multiple O/S Predictable IP ID Vulnerability
	Exploiting WDM Audio Drivers
	Securing and Hardening Linux Paper
	27Mhz Wireless Keyboard Analysis Report aka "We Know What You Typed Last Summer"
	Cryptanalysis of the Random Number Generator of the Windows Operating System