Thank you. All right. So, we're going to do just a real brief thing about SQL injection. SQL injection often happens on websites. You have someone that has, say, a password thing. In this example, we got, you know, select star from users, and then you just pull it right out of the request object. So, what you can do is you can insert code in there and make the database do all sorts of fun stuff for you. For example, you can make the database server make DNS requests. So, you just, in your SQL injection, make it so the database, in order to get its answer, it needs to look up an internet host address. So, you can look up a fictional host that we own. There can be really arbitrary data in there. So, there's an outbound connection, but it's made by the DNS server, so it's probably not trapped by a firewall. Probably the IDS isn't going to catch it. And it's really not all that hard.

So, I'm going to show you a tool that we did to make it work. I'm assuming you have some knowledge of SQL injection, and you know something about DNS, web security. There's lots of different ways you can do SQL injection, and you can get data back, but we're just going to talk about DNS exfiltration.

So, this tool is called Atomic Braille. So, why did we do it? Well, DNS is usually available, so, you know, we can do that. It also turns out that it's a lot faster than some of the exfiltration techniques. For example, streaming and changing page, you can often only do around a bit of information per injection. We can grab 200 bytes if we want to. I also looked at some of the tools that kind of fell over in places, and I said, you know, it would be fun to do a tool that kind of does some of that. And then, you know, it's just, it's fun, too. So, okay.

And this tool attacks Oracle. Well, why would we attack Oracle? You know, there's a lot of Oracle tools, Oracle systems out there. Lots of the hacker tools seem to go against Microsoft SQL Server, MySQL.
I haven't seen a DNS exfiltration against Oracle before.

So, let's show you a demo of it working. All right. So, we're going to do a Wireshark capture, and then I'm going to make this laptop SQL inject the one here. So, as you can see, we're getting some HTTP requests. It's making DNS requests back. I'm not connected to the Internet, so the laptop is actually making DNS requests to itself, which the tool is capturing, extracting the information, and using that to do further injection. So, I don't know if you guys can see what it did, but this is an example of one of the queries. I guess you can't see what it actually looks like, but there's a lot of data in some of these. So, I'm going to show you a command line interface, and now I'm just going to run it on this machine here. So, okay. So, let's see what it does. Right now, it's, you know, getting started. It's doing DNS exfiltration. There, it just got the schema for you. It got two lines of text from all those tables for you. There, we're done. It took, what, like, 10 seconds.

So, let's look at some command line parameters we can do. We can tell it what IP to go to, what port to hit, you know, all the standard things. We can also tell it how many threads to use. We can tell it how big of DNS requests we want to make. So, if you want to be a little more stealthy, you could push that down so it looks a little more standard. All sorts of stuff like that. So, let's see. Let's take a look at another thing that this tool does, which is it gets kind of non-standard column names pretty easily. So, this is another schema that we're grabbing right here. It's got table names like "valid table name" with spaces and uppercase, lowercase letters. So, that's something that some tools aren't able to do. It's interesting to get that working.

So, we'll go back to the presentation. Oh, it was nice enough to go back to the beginning. All right. So, what did we just do in the demo? I mean, it went through kind of fast.
What just happened? This is an example of what it looks like on the database and web server. You know, it generated some spikes in the CPU because nothing else was happening on the system that I had at home. In this case, I was running a server that was a little slower, so it took about three minutes to get all the data. This is going on Oracle's HR schema, which is one of the standard schemas that comes with Oracle. So, if you install Oracle Express Edition, you get this HR schema. I added one table just because that's what I was keying off of in the SQL injection. I got that out in addition to the whole schema and all the data. I got out how it authenticates, the username that the web server connects as, the web server's internal IP, the database's IP, what language it uses, and its host name. You could, after getting this sort of information, you could use SQL injection to do other things like port scan the internal network from SQL injection, but this tool is just grabbing data. So, all right.

So, let's talk about Absinthe. I think it's kind of a de facto standard of SQL injection tools. A lot of people use it. It's a great tool. So, I think it serves as a useful comparison. Absinthe in Oracle, it likes to do change-in-page comparisons. So, on the graph, we see how long it took to get a portion of what I got in my tool. So, this is about three minutes like the last one. With Absinthe, what we were able to get out is the username and the names of the tables in three minutes. So, we didn't get any column data. We didn't get any of the rows of data. So, okay. Well, how bad can that be, right? Once again, 20 seconds for the schema, three minutes for all the data in my tool. So, if we were to get all the columns for the employees table, which is the biggest, it ends up taking about 10 minutes in Absinthe in this case on the server. So, there's a fairly big speed difference. Now, obviously, you know, you're doing about one bit versus 200 characters.
There's going to be a speed difference.

So, how do we do it? This is where I'm going to tell you what sequence my code goes through, how we encode it. So, you could build your own or you can see what I did. So, the sequence is, first of all, we're going to see if it works. I just put a tag in there that says, okay, if I get this back in DNS, I know it's working and I got you. So, then, also in that first request, I get back the number of tables in your database. So, then, we can get the table names, get the column names, get the column data types. You know, all that stuff Oracle keeps around in its database just for me to grab. And, also, we got username and other metadata.

So, the DNS exfiltration part isn't just, you know, slap data into DNS. You've got to remember that the database is making the request. So, the database has to think it's a valid DNS request or it's not going to make it. So, that's the first thing to remember. So, what we did is, this is an example of what would come back. So, 0414243 is an example of some hex data. You can get numbers, you can get strings. We also have some characters in there to make sure that this is actually a request that I sent out and we're not getting it back out of order. Then you have your domain name on the end so it resolves back to your computer.

So, for example, on an integer, how would you do this? How many of you can't read this? Okay, people in the back can't read. Basically, what we're doing is select UTL_INADDR.GET_HOST_ADDRESS. That tells Oracle, hey, do a DNS request. And then we're going to do a case because we can't have a null in there or that's going to throw everything off, because null will say, oh, well, that's no longer a valid DNS request. Everything's got to be one to 63 characters. We've got to smash it in there. So, then we say, okay, is this a negative number? Okay. In this case, it's not going to be negative because it's the length of a name, but it does it the same for every number.
So, is this small enough? Is this negative? So, if it's negative, then we put a tag on that. If it's not negative, then we just return it, because you can't have a dash at the beginning of a DNS field. That would be invalid. So, things like that you just got to pay attention to when you're doing a tool.

So, let's see, here's another one. This one is for getting raw data, like you can get blobs out of the database with this. So, basically, you need to do a substring to make sure, once again, you smash it down to the right size. You do a UTL_RAW.CAST_FROM_NUMBER. So, you got a number here. You're going to return it as hex-encoded data. And Oracle is happy to do that for you. And hex-encoded data fits nice into DNS. So, once again, you've got a trap. Make sure you don't get too many characters. You can't get zero characters, so you've got to trap null. Or for strings, you trap empty string too.

Strings are a little tricky. I could have just done them as raw, but I ended up having a little more fun with it. I actually do a regex to see, is this a nice, valid string for me that I can just throw through? Or do I need to do some modifications, like do I need to encode it as raw? Is it too big? Do I need to chop it down? So, that's how I'm handling strings.

So, Atomic Braille. What is it? It's a tool to exfiltrate arbitrary data from Oracle. It automates generating the injection string, so, I mean, you didn't see me typing out anything of how to inject it. That all gets built for you automatically. It receives and processes the DNS queries. You don't have to look at Wireshark, see what's coming back, read the data out yourself. It all does it behind the scenes. And then it just says, oh, well, this is how many tables you have. Let me go grab them. This is a table. How many columns does it have? All right, let me go grab them. The tool doesn't do everything. It won't cook you dinner even. But some other things it won't do for you. It won't find SQL injection sites for you.
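The encoding the speaker describes (hex-encoded data in the leading labels, a sequence tag, and the attacker-controlled domain on the end, every label 1 to 63 characters) is also what a defender can key off in resolver logs. The following is an added example written for this page, not code from the talk or from the Atomic Braille tool. It parses a constructed DNS query log (the three-column format, the client addresses and the `attacker.test` zone are all assumptions) and flags clients that repeatedly send hex-looking labels toward one zone, with a helper that decodes a hit so an analyst can see what left the network.

```python
import re
from collections import Counter

# Constructed sample resolver log (not from the talk). One query per line:
# <timestamp> <client-ip> <queried-name>
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5 www.example.com
2024-01-01T10:00:02 10.0.0.7 0414243.a1.attacker.test
2024-01-01T10:00:03 10.0.0.7 48656c6c6f20576f726c64.a2.attacker.test
2024-01-01T10:00:04 10.0.0.7 534d4954482e4a4f484e2e4a414e45.a3.attacker.test
2024-01-01T10:00:05 10.0.0.5 mail.example.com
2024-01-01T10:00:06 10.0.0.7 3a5b6c7d8e9f0011.a4.attacker.test
2024-01-01T10:00:07 10.0.0.9 cdn1234.example.net
"""

# A label made only of hex digits and at least 6 characters long is a strong hint of
# hex-encoded payload; ordinary hostnames almost never look like this. 63 is the DNS
# label limit the talk mentions, so nothing longer can appear in a valid query.
HEX_LABEL = re.compile(r"^[0-9a-fA-F]{6,63}$")


def parse_line(line):
    """Split one log line into (timestamp, client, qname); None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 3:
        return None
    return parts[0], parts[1], parts[2].rstrip(".").lower()


def registered_zone(qname, depth=2):
    """Approximate the zone a query lands in by keeping its last `depth` labels (assumption: two-label zones)."""
    labels = qname.split(".")
    return ".".join(labels[-depth:]) if len(labels) >= depth else qname


def is_hex_encoded_query(qname):
    """True if any label in front of the zone looks like hex-encoded data."""
    labels = qname.split(".")
    return any(HEX_LABEL.match(lbl) for lbl in labels[:-2])


def decode_hex_labels(qname):
    """Best-effort decode of the hex labels of one query for triage; odd-length labels are skipped,
    and non-printable bytes are escaped rather than raising."""
    decoded = []
    for lbl in qname.split(".")[:-2]:
        if HEX_LABEL.match(lbl) and len(lbl) % 2 == 0:
            decoded.append(bytes.fromhex(lbl).decode("ascii", errors="backslashreplace"))
    return decoded


def find_exfil_candidates(log_text, threshold=3):
    """Count hex-looking queries per (client, zone) and return the pairs at or above
    `threshold` as (client, zone, count) tuples, highest count first."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _, client, qname = rec
        if is_hex_encoded_query(qname):
            counts[(client, registered_zone(qname))] += 1
    hits = [(client, zone, n) for (client, zone), n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda t: -t[2])


if __name__ == "__main__":
    for client, zone, n in find_exfil_candidates(SAMPLE_LOG):
        print(f"{client} -> {zone}: {n} hex-encoded queries")
    print(decode_hex_labels("48656c6c6f20576f726c64.a2.attacker.test"))
```

The threshold and the six-character minimum are tuning choices; a single hex-looking label is not evidence on its own, but a burst of them from one database host toward one zone is exactly the shape the demo produced. Run against a real log, the same counter is worth keying on the source host as well, since a DMZ database server has no ordinary reason to resolve names at all.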
It doesn't process what Oracle calls the LONG data type, because you can't do any of your nice functions on it. You can't say how long it is. You can't take a substring of it. It's pretty useless and it's deprecated by Oracle, nicely.

So, related work. I got a lot of the ideas of how to do this from some of these things; you can read up on this sort of stuff if you want.

Future work. The tool has issues with retrying things that fail, and obviously they could fail sometime. I don't have a GUI, as you saw, command line interface, other stuff like that, you know, threading, better support for certain things.

So, what can people do to prevent this sort of attack? Well, an easy thing to do would be to revoke privileges on UTL_INADDR for the user you're connecting as on the web. That will solve this problem. It will not solve timing, change in page, anything like that. You can, you should set up your DMZ so it's not making DNS requests, because that's not going to be useful to you. But the most important thing is, you know, fixing those SQL injection sites in the first place. You just can't fix bad programming with patches all the time. Check inputs, double check.

So, once again, I think I said some of these things, but SQL injection is bad. It's fun to exploit. Block DNS.

So, we have t-shirts at the back of the room over there. We're going to have them in the Q&A session if you want to come by and talk to us. And you can go to our website. You can email me if you want. We'll be in room 104 for Q&A. And I think if someone has a question that they'd like the whole group for, or we can just head over to the Q&A group.
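The speaker's closing advice is that the real fix is the injection site itself: the opening example built `select * from users` by pasting values straight out of the request object. As an added example (not code from the talk or from any project it mentions), the block below puts that pattern next to its parameterized form, using an in-memory SQLite table so it runs anywhere; the table layout, the user records and the login function names are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table standing in for the web app's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """The pattern from the talk: request values pasted into the SQL text.
    Whatever the client sends becomes part of the statement, so the database
    cannot tell data from code."""
    sql = (
        "SELECT * FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Same query with bound parameters: the driver sends the values separately
    from the statement, so they are only ever compared, never parsed."""
    sql = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def demo():
    """Return (rows from the vulnerable login, rows from the safe login) for the same
    crafted password, so the difference is visible as data rather than printed text."""
    conn = make_db()
    crafted = "' OR '1'='1"
    return login_vulnerable(conn, "alice", crafted), login_safe(conn, "alice", crafted)


if __name__ == "__main__":
    bad, good = demo()
    print("vulnerable login returned", len(bad), "rows")
    print("parameterized login returned", len(good), "rows")
```

Binding parameters closes the injection site; the talk's other two recommendations are defense in depth behind it. In Oracle terms the first one is to revoke the application account's execute privilege on UTL_INADDR (and the other network packages it has no business calling), and the second is egress filtering so a DMZ database host cannot resolve external names at all, which also removes the channel the detection example above watches for.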