SQLReInjector: Automated Exfiltrated Data Identification

Jason A. Novak, Assistant Director, Digital Forensics, Chicago, IL
Andrea London, Digital Forensic Examiner, Dallas, TX
Stroz Friedberg

Agenda
• Problem
• Historical Solution
• SQLReInjector
• Demo
• Get It!
• Questions?
• Who We Are
• Bibliography

[Slide image: xkcd #327, "Exploits of a Mom" (Little Bobby Tables). "Hi, this is your son's school. We're having some computer trouble." "Oh, dear. Did he break something?" "In a way. Did you really name your son Robert'); DROP TABLE Students;-- ?" "Oh, yes. Little Bobby Tables, we call him." "Well, we've lost this year's student records. I hope you're happy." "And I hope you've learned to sanitize your database inputs."]

[Slide image: screenshot of Havij 1.14, "Advanced SQL Injection Tool" (ITSecTeam, http://itsecteam.com; a cracked build). Target: http://www.target.com/index.asp?id=123; method GET; keyword, database, syntax and type set to Auto Detect; tabs for Info, Tables, Read Files, Cmd Shell, Query, Find Admin, MD5 and Settings. Supported back ends listed: MsSQL with error, MsSQL no error, MsSQL Blind, MsSQL time based, MsAccess, MsAccess Blind.]

[Slide image: sqlmap logo, "automatic SQL injection and database takeover tool".]

Problem
• 97% of data breach cases worldwide involve SQL injection attacks somewhere down the line (Neira Jones, Barclaycard).
• On average, the cost of data breach response and remediation is between $194 and $222 per record.
• As of July 9th, privacyrights.org cites 330 breaches in 2012 affecting 18.6 million records (datalossdb.org reports a much higher figure: 723 breaches thus far).

Historical response is costly
• Fly a bunch of consultants to a data center
• They image the server
• Analyze the logs
• Determine what was exfiltrated by reviewing those logs
  – Typically by re-running the logged SQL commands against the SQL server
• Only going to get costlier

SQLReInjector

Usage (Windows Server 2003 command prompt, Python 2.7):

    Microsoft Windows [Version 5.2.3790]
    (C) Copyright 1985-2003 Microsoft Corp.

    C:\Documents and Settings\Administrator>c:\python27\python.exe "C:\Documents and Settings\Administrator\Desktop\sqlReinjector.py"
    No input log passed
    usage: sqlReinjector.py [-h] [-i INLOG] [-d DBFILE] [-w WEBSITE] [-j] [-c]
                            [-k KNOWNGOOD] [-e COOKIE]

    Replay an SQL injection attack from logs

    optional arguments:
      -h, --help            show this help message and exit
      -i INLOG, --inLog INLOG
                            Input Apache log file to parse
      -d DBFILE, --dbFile DBFILE
                            Database log file to write out to
      -w WEBSITE, --website WEBSITE
                            Website to run against. Form of http://hostname
      -j, --havijParser     Parse the returned data to reassemble Havij output
      -c, --compareToGood   Compare the returned data to a known good webpage to
                            further automate identification of SQLi returned data
      -k KNOWNGOOD, --knownGood KNOWNGOOD
                            Known good webpage to compare to
      -e COOKIE, --cookie COOKIE
                            cookie

Demo Time

Where to Get It
github.com/strozfriedberg

Questions?

Bibliography and Thanks
• Exploits of a Mom / Little Bobby Tables, Randall Munroe, http://xkcd.com/327/
• sqlmap, Bernardo Damele A.G. and Miroslav Stampar, http://sqlmap.org/
• DVWA, RandomStorm, http://www.dvwa.co.uk/
• Apache log parsing: apachelog Python module, http://code.google.com/p/apachelog/ (hfuecks@gmail.com); Apache-LogRegex module, http://search.cpan.org/dist/Apache-LogRegex/, Peter Hickman
• Virtualization of forensic images: LiveView, http://liveview.sourceforge.net/, CERT Software Engineering Institute
• Replaying SQL Injection Attacks, Bret Padres, http://cyberspeak.libsyn.com
• Injection attack and data theft statistics: Neira Jones, Barclaycard, http://news.techworld.com/security/3331283/barclays-97-percent-of-data-breaches-still-due-to-sql-injection/

Thanks to Erin Nealy Cox, Cheri Carr and Scott Brown.

Who We Are
Jason A. Novak, Assistant Director, Digital Forensics, Chicago, IL, jnovak@strozfriedberg.com
Andrea London, Digital Forensic Examiner, Dallas, TX, alondon@strozfriedberg.com
www.strozfriedberg.com
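The replay-and-compare workflow behind the tool's --inLog, --website and --compareToGood options (parse the Apache access log for injected requests, re-issue them against the site, diff each response against a known-good page so only the rows the injection pulled out remain), shown as an added example. This is not the SQLReInjector code from the talk and does not reproduce its Havij reassembly. The log lines, the target host, the page contents and the fetch stub that stands in for a virtualized copy of the imaged server are all constructed here so the example runs offline; a real run would pass an HTTP client as `fetch`.

```python
"""Replay logged SQL injection requests and diff the answers against a known-good page.

Added example, not the SQLReInjector source. Everything below the imports is
constructed for illustration: sample Apache log lines, a fake target page and a
fetch stub standing in for the virtualized forensic image.
"""
import difflib
import re
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" log format; the sample lines below follow it.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Conservative injection indicators applied to URL-decoded parameter values.
SQLI_RE = re.compile(
    r"\bunion\b.*\bselect\b|'\s*(or|and)\b|\binformation_schema\b|"
    r"\bwaitfor\s+delay\b|\bsleep\s*\(|\bbenchmark\s*\(|\bxp_cmdshell\b",
    re.IGNORECASE,
)

# Constructed sample log: one normal hit, one boolean probe, one UNION pull, one static file.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Jul/2012:10:01:02 -0500] "GET /index.asp?id=123 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [09/Jul/2012:10:01:07 -0500] "GET /index.asp?id=123%27+and+1%3D1-- HTTP/1.1" 200 512 "-" "Havij"
10.0.0.9 - - [09/Jul/2012:10:01:09 -0500] "GET /index.asp?id=123+union+select+null%2Cname%2Bchar(58)%2Bpass+from+users-- HTTP/1.1" 200 740 "-" "Havij"
10.0.0.5 - - [09/Jul/2012:10:01:12 -0500] "GET /static/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Constructed known-good response for /index.asp?id=123.
KNOWN_GOOD = "<html><body>\n<h1>Product 123</h1>\n<p>Widget</p>\n</body></html>"


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def decoded_params(url_or_path):
    """URL-decoded query parameters (parse_qsl turns '+' and %XX back into text)."""
    return dict(parse_qsl(urlsplit(url_or_path).query, keep_blank_values=True))


def injected_requests(log_text):
    """GET requests whose decoded parameters carry injection indicators."""
    hits = []
    for rec in parse_log(log_text):
        if rec["method"] != "GET":
            continue
        params = decoded_params(rec["path"])
        if any(SQLI_RE.search(v) for v in params.values()):
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"], "params": params})
    return hits


def replay(hits, fetch, website):
    """Re-issue each request byte-for-byte as logged (still URL-encoded) via fetch(url) -> str."""
    return [(h, fetch(website + h["path"])) for h in hits]


def exfiltrated_lines(known_good, response):
    """Lines in the replayed response that the known-good page does not contain."""
    diff = difflib.unified_diff(known_good.splitlines(), response.splitlines(), lineterm="", n=0)
    return [l[1:] for l in diff if l.startswith("+") and not l.startswith("+++")]


def fake_fetch(url):
    """Stand-in for HTTP GET against a virtualized copy of the imaged server.

    Mimics the one behaviour that matters: a UNION payload makes extra rows
    (here constructed user:md5 pairs) show up in the product page.
    """
    value = decoded_params(url).get("id", "")
    if re.search(r"\bunion\b.*\bselect\b", value, re.IGNORECASE):
        rows = "\n".join(
            f"<p>{u}</p>"
            for u in ("admin:5f4dcc3b5aa765d61d8327deb882cf99", "bob:e10adc3949ba59abbe56e057f20f883e")
        )
        return KNOWN_GOOD.replace("</body>", rows + "\n</body>")
    return KNOWN_GOOD


def run(log_text=SAMPLE_LOG, website="http://www.target.com", fetch=fake_fetch, known_good=KNOWN_GOOD):
    """Parse -> replay -> diff. Returns [(decoded injected value, lines the injection returned)]."""
    return [
        (hit["params"].get("id"), exfiltrated_lines(known_good, body))
        for hit, body in replay(injected_requests(log_text), fetch, website)
    ]


if __name__ == "__main__":
    for payload, lines in run():
        print(payload, "->", lines or "nothing visible in the response")
```

Two practical points: replay against the virtualized copy of the forensic image (the bibliography's LiveView), never the live victim, because the logged statements may carry stacked DELETE, DROP or xp_cmdshell calls. And the diff is only as clean as the known-good page, so fetch that page from the same copy with the original benign parameter and strip timestamps or session tokens before comparing; boolean and time-based probes, as the second log line shows, return nothing visible and have to be inferred from the sequence of requests rather than from the page content.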