SQL Injection Lessons from X-Force Emergency Response Service Investigations
Posted by Harlan Carvey on May 08, 2009 at 1:46 PM EDT.
The Frequency X blog has visited the topic of SQL Injection on a number of occasions; however, it is worth delving into again to emphasize exactly how much internal network access attackers can gain through vulnerable web applications. Over the past several years, SQL injection has been THE means for accessing entire infrastructures on many of the engagements that our Emergency Response Service (ERS) team has handled.
SQL injection can be pretty simple and straightforward. Yet, through this vector, an attacker could infiltrate deep into an infrastructure and be relatively unseen. What many database administrators don’t understand is that SQL injection doesn’t merely allow the attacker to manipulate the data in a web application’s underlying database – it can provide direct access to the operating system that database is running on. Using features like xp_cmdshell in Microsoft SQL Server, SQL injection can be leveraged to run dos shell commands against the underlying operating system of the SQL Server at the same privilege level as the database application, which is most often SYSTEM level.
Very often, while examining the logs, you'll see the attacker perform recon, using 'dir' and 'type' commands to examine the contents of the local disk, and then using 'ipconfig' and 'ping' to check network connectivity. From there, the attacker then uses variations of the 'net' command to add a user to the system (or domain) and to locate other systems on the network running either SQL Server or MSDE.
The means of getting malware on a system is equally simple and straightforward. ERS has seen indications of the use of TFTP to download files to a system. Another favorite tactic is to use SQL injection to create an FTP script file, and then run the FTP command line client against it. Some administrators may not realize there is an FTP client on Windows systems by default or may not be familiar with what an FTP script is or looks like. Once the malware is on a system, the attacker is able to execute it remotely through the use of SQL injection. Some of what's been done has been to download wget.exe to systems so that additional files can be downloaded to the system (and executed); the use of this tool leaves some tell-tale and interesting artifacts.
In some incidents, we’ve seen SQL injection used to load 512 byte chunks of an executable file into tables in a database. The intruder then has the database reassemble the chunks, in order, to a file on the system itself, which can then be executed through numerous different means including the creation of a new stored procedure. Sometimes this technique is used when xp_cmdshell has been properly locked down by the database administrator, although in other cases this is simply an efficient means to load malware into a network through a SQL injection vulnerability.
As database servers are often considered to be well protected, they may have access to internal networks with sensitive information on them. Once the attacker controls the database machine, it is used as a gateway to probe deeper into the victim’s infrastructure. Jumping from system to system is relatively simple with SQL injection...locating other systems on the network running database software (ie, MS SQL Server or MSDE) is relatively straight forward, particularly if SQL traffic is allowed through the firewall between database servers.
In many incidents, ERS has seen that once malware is loaded on a system and executed, SQL injection to that particular system stops. The malware provides attackers with remote access to the desktop of the database server, by reaching out of the infrastructure on port 80. You can often tell that the attacker then had access to the system via the Windows Explorer shell by various artifacts left on the system. Running at SYSTEM level privileges, attackers can and have installed sniffers, specific tools to collect passwords, and even run searches across the network using the MS search capability.
The bad guys are getting in and are not being detected; they're finding and taking what they want and leaving, not bothering to clean up. Most often, ERS gets called when an outside third party calls the customer and tells them that a fraud investigation had identified them as a common point of purchase or activity; in some cases, this is months after the fact.
Developing proper web application and database security are complicated tasks that involve numerous components. Administrators should work directly with professional security consultants to develop secure applications and mitigate the SQL injection threat.