New Techniques Obfuscate, Optimize SQL Injection Attacks
Black Hat researcher to demonstrate new methods for getting around defenses even more quickly to extract database data through SQLi
Ericka Chickowski July 09, 2013
SQL injection attacks already stand as one of the most effective means hackers use to break into enterprise database infrastructures today. Now the attack could get a boost in effectiveness when a researcher at Black Hat USA later this month takes the wraps off new techniques that will make it harder for defenses to detect SQL injection attempts and which will speed up the process of extracting data from databases through blind SQL injection attacks.
"It just came out of playing around with SQL injections and seeing what they were capable of," says Roberto Salgado, founder and CTO of security consultancy Websec. "I started discovering all of these improvements I could make and places where I could make the data extraction from the database faster."
Salgado's discoveries centered around both obfuscation and optimization of SQL injection attacks. On the obfuscation side, he refined techniques that take advantage of the discrepancies in the way that databases handle certain characters versus applications and the Web application firewalls that protect them.
"I started noticing how [by] sometimes changing just one character or adding one special thing -- if you can figure out or guess features of the database which maybe the developer of the firewall wasn't aware of -- it can be very easy to get around firewalls," he says.
TFor example, the way Oracle handles the null byte, or 00, is one such instance.
"Oracle just reads the null byte as the white space, so everything runs as normal. Whereas the firewall might see the null byte as something else, a lot of times null bytes will actually terminate programs," he says. "So some databases will just do a null byte and ignore it, thinking it's harmless on the whole, but it's really allowing that SQL injection to get by the firewall undetected."
While he believes the obfuscation techniques will certainly interest penetration testers, he believes that his techniques on the optimization side are the potential game changers for blind SQL injection.
"Having an optimized SQL injection can definitely help us because we're doing a lot fewer requests to the server, which will get the data faster," he says. "It will use less bandwidth and be less of a burden on the server, which means we can get the data faster without alerting as many people or giving them enough time to react to the attack."
The difficulty of blind SQL injection is that the attacker can extract only one character at a time, Salgado says.
"Sometimes we have the possibility when errors are enabled and showing we can just dump the data through errors, but that's not always possible," he says.
Salgado says his new methods are completely new, making it possible to extract database information through blind SQL injection 20 to 40 percent faster than the current optimization technique, called the bisection method. One of the techniques he will demonstrate is a method that makes it possible to cut down the current testing of parameters for single, double, or no quotes to a single test. So for a site with, say, 400 parameters, that's 800 fewer tests needed. Similarly, he has managed to reduce the number of requests to the server in other ways.
"With my method I'm able to successfully reduce the amount of characters required to look for to two. What it does is it maps the set of characters we'd be interested in looking for in a list to their position in that list, and then we convert that position to binary," he says "Then instead of having to extract letters and numbers, say from A to Z, zero to nine, all we have to look for at this point is just one or zero."
The demonstration that Salgado will do on obfuscation and optimization techniques at Black Hat will not only provide penetration testers with new techniques for improving on their SQL injection mojo, but it should also give those responsible for protecting database resources reason to pause. The faster and easier it is for attackers to get around Web application firewalls, the more imperative to see that they are no fix for SQL injection.
"I think what is really important to understand is that a firewall will not be the end goal -- it won't protect you against everything," he says, explaining that organizations should be looking to fix the root vulnerabilities in the application. "You should really have a security team look at your application, make sure that everything is secure, and then add the firewall as an extra step, just in case. A firewall will stop most script kiddies or amateurs, but they're a joke to anyone with slightly more sophistication."