Summary
SQL Injection vulnerabilities occur whenever input is used in the construction of a SQL query without being adequately constrained or sanitized. The use of dynamic SQL (the construction of SQL que- ries by concatenation of strings) opens the door to these vulnera- bilities. SQL injection allows an attacker to access the SQL servers. It allows for the execution of SQL code under the privileges of the user used to connect to the database.
MySQL server has a few particularities so that some exploits need to be specially customized for this application. That’s the subject of this section.
How to Test
When an SQL injection vulnerability is found in an application backed by a MySQL database, there are a number of attacks that could be performed depending on the MySQL version and user privileges on DBMS.
MySQL comes with at least four versions which are used in pro- duction worldwide, 3.23.x, 4.0.x, 4.1.x and 5.0.x. Every version has a set of features proportional to version number.
• From Version 4.0: UNION • From Version 4.1: Subqueries
• From Version 5.0: Stored procedures, Stored functions and the
view named INFORMATION_SCHEMA
• From Version 5.0.2: Triggers
It should be noted that for MySQL versions before 4.0.x, only Boolean or time-based Blind Injection attacks could be used, since the subquery functionality or UNION statements were not imple- mented.
From now on, we will assume that there is a classic SQL injection vulnerability, which can be triggered by a request similar to the the
one described in the Section on Testing for SQL Injection.
The Single Quotes Problem
Before taking advantage of MySQL features, it has to be taken in consideration how strings could be represented in a statement, as often web applications escape single quotes.
MySQL quote escaping is the following: ‘A string with \’quotes\’’
That is, MySQL interprets escaped apostrophes (\’) as characters and not as metacharacters.
So if the application, to work properly, needs to use constant strings, two cases are to be differentiated:
[1] Web app escapes single quotes (‘ => \’) [2] Web app does not escape single quotes (‘ => ‘)
Under MySQL, there is a standard way to bypass the need of sin- gle quotes, having a constant string to be declared without the need for single quotes.
Let’s suppose we want to know the value of a field named ‘pass- word’ in a record, with a condition like the following:
[1] password like ‘A%’
[2] The ASCII values in a concatenated hex:
password LIKE 0x4125
[3] The char() function:
password LIKE CHAR(65,37)
Multiple mixed queries:
MySQL library connectors do not support multiple queries sepa- rated by ‘;’ so there’s no way to inject multiple non-homogeneous SQL commands inside a single SQL injection vulnerability like in Microsoft SQL Server.
For example the following injection will result in an error:
Information gathering Fingerprinting MySQL
Of course, the first thing to know is if there’s MySQL DBMS as a back end database. MySQL server has a feature that is used to let other DBMS ignore a clause in MySQL dialect. When a comment block (‘/**/’) contains an exclamation mark (‘/*! sql here*/’) it is interpreted by MySQL, and is considered as a normal comment block by other DBMS as explained in MySQL manual.
Example: http://www.example.com/pls/bookstore/books.search?au-
thor=DICK’||’ENS
http://www.example.com/page.php?id=2
1 ; update tablename set code=’javascript code’ where 1 --
Database name in use
There is the native function DATABASE() In band injection:
Inferential injection:
Result Expected:
A string like this:
INFORMATION_SCHEMA
From MySQL 5.0 a view named [INFORMATION_SCHEMA] was created. It allows us to get all informations about databases, ta- bles, and columns, as well as procedures and functions.
Here is a summary of some interesting Views.
All of this information could be extracted by using known tech- niques as described in SQL Injection section.
Attack vectors Write in a File
If the connected user has FILE privileges and single quotes are not escaped, the ‘into outfile’ clause can be used to export query re- sults in a file.
Note: there is no way to bypass single quotes surrounding a file- name. So if there’s some sanitization on single quotes like escape (\’) there will be no way to use the ‘into outfile’ clause.
Result Expected:
If MySQL is present, the clause inside the comment block will be interpreted.
Version
There are three ways to gain this information:
[1] By using the global variable @@version [2] By using the function [VERSION()]
[3] By using comment fingerprinting with a version number
/*!40110 and 1=0*/ which means
These are equivalent as the result is the same. In band injection:
Inferential injection:
Result Expected:
A string like this:
Login User
There are two kinds of users MySQL Server relies upon.
[1] [USER()]: the user connected to the MySQL Server.
[2] [CURRENT_USER()]: the internal user who is executing the query.
There is some difference between 1 and 2. The main one is that an anonymous user could connect (if allowed) with any name, but the MySQL internal user is an empty name (‘’). Another difference is that a stored procedure or a stored function are executed as the creator user, if not declared elsewhere. This can be known by using CURRENT_USER.
In band injection:
Inferential injection:
Result Expected:
A string like this: if(version >= 4.1.10) add ‘and 1=0’ to the query.
1 AND 1=0 UNION SELECT @@version /*
1 AND @@version like ‘4.0%’
5.0.22-log
1 AND 1=0 UNION SELECT USER()
1 AND USER() like ‘root%’
user@hostname
1 AND 1=0 UNION SELECT DATABASE()
1 AND DATABASE() like ‘db%’
dbname Tables_in_INFORMATION_SCHEMA ..[skipped].. SCHEMATA SCHEMA_PRIVILEGES TABLES TABLE_PRIVILEGES COLUMNS COLUMN_PRIVILEGES VIEWS ROUTINES TRIGGERS USER_PRIVILEGES DESCRIPTION ..[skipped]..
All databases the user has (at least) SELECT_priv The privileges the user has for each DB All tables the user has (at least) SELECT_priv The privileges the user has for each table All columns the user has (at least) SELECT_priv The privileges the user has for each column All columns the user has (at least) SELECT_priv Procedures and functions (needs EXECUTE_priv) Triggers (needs INSERT_priv)
Privileges connected User has
BENCHMARK(#ofcycles,action_to_be_performed )
The benchmark function could be used to perform timing attacks, when blind injection by boolean values does not yield any results.
See. SLEEP() (MySQL > 5.0.x) for an alternative on benchmark. For a complete list, refer to the MySQL manual at http://dev.mysql. com/doc/refman/5.0/en/functions.html
Tools
• Francois Larouche: Multiple DBMS SQL Injection tool -
http://www.sqlpowerinjector.com/index.htm
• ilo--, Reversing.org - sqlbftools
• Bernardo Damele A. G.: sqlmap, automatic SQL injection tool -
http://sqlmap.org/
• Muhaimin Dzulfakar: MySqloit, MySql Injection takeover tool -
http://code.google.com/p/mysqloit/
• http://sqlsus.sourceforge.net/
References Whitepapers
• Chris Anley: “Hackproofing MySQL” -
http://www.databasesecurity.com/mysql/HackproofingMySQL. pdf
Case Studies
• Zeelock: Blind Injection in MySQL Databases -
http://archive.cert.uni-stuttgart.de/bugtraq/2005/02/ msg00289.html