Hello, hello everybody. Good morning to all of you who speak Spanish. How many of you speak Spanish? Oh, perfect. Well, first of all, thank you for coming to this session about time-based blind SQL injection using heavy queries. Let me introduce myself. My name is Chema Alonso. I'm from Spain, and if you are wondering, no, I'm not a bullfighter, and no, I'm not a flamenco singer, even if you think I look like one. I work as a security consultant in a company in Spain called Informatica 64, and I'm also a Microsoft MVP. MVP stands for Most Valuable Professional, but some people say that it stands for Most Valuable Pets. I'm not sure which one is the right one. But MVPs don't work for Microsoft. It's just an award that Microsoft gives to some technicians around the world, and I'm an MVP in Windows security. Let me introduce my friend, my colleague, my co-speaker today. He does work for Microsoft, and he's happy. I don't know why. And he's a technical guy in a marketing department. He works as a Microsoft IT Pro evangelist, helping people in the Microsoft TechNet program with Microsoft products and technologies and that kind of thing. By the way, my name is Jose. Jose? Of course. He probably is a bullfighter.

Thank you, Chema, for your presentation. Thank you all for your interest in this session. Well, the entire credit for this idea and for the vast majority of the presentation must be given to Chema. As a security consultant, he's an expert in many hacking techniques. And around one and a half years ago, he started his PhD. So he started writing a paper on blind vulnerabilities in web applications. He conducted a lot of research in things such as blind XPath injections, blind LDAP injections, and blind SQL injections. In fact, he's the author of one of the most in-depth papers about blind LDAP injections, about LDAP injections in general. And I helped him present that paper at Black Hat Europe 2008, which was held in Amsterdam around four months ago.
Everything went well there. So, as you can imagine, we ended up in a typical Amsterdam coffee shop smoking some kind of substance. And with the enthusiasm of the moment, we thought, OK, why don't we send another paper to DEFCON in the USA, since even though our English is quite poor, people seem to understand us. So that's what we did. We sent our paper to DEFCON. The organization here at DEFCON, I don't know why they smoke, but they said, OK, this is good enough. So, come on over, and here we are with all of you. So, please, Chema, introduce us to today's agenda.

Well, this is the agenda for today's session. As you can see, this session has two parts. The first one is about things that you probably already know, topics such as code injection, blind attacks, blind SQL injection, and time-based blind SQL injection. And after finishing this part, we are going to get into the new part of this session, and it's about how to perform a blind SQL injection, a time-based one, but without using the normal time delay function that databases have. In this case, we are going to use a new trick. It's a trick to get a time delay using a heavy query. Let's see how it works. At the end, we are going to have several demos and we are going to release a new tool. This tool is called Marathon Tool because it's a very slow tool, but it works very well, and after that, you are free to do whatever you want here in Las Vegas. So, let's start from the beginning.

Okay, let's start with that brief summary, a 10 to 15 minute review about things you probably know if you've been following SQL injection or code injection attacks for the last five to six years. Code injection has been a security problem for a long time. The first time most of us heard about it was back on December 25, 1998, when a guy who answered to the nickname of Rain Forest Puppy published a paper on how to attack ASP applications using SQL queries.
It's been almost 10 years since then, but it's still one of the main issues in web security. In fact, last September, OWASP, the Open Web Application Security Project, published a document rating the 10 most common security vulnerabilities in web applications, and code injection was rated in second place, right after cross-site scripting. Nowadays, you can find plenty of documentation, guides, and tutorials on how to do techniques such as XPath injection, LDAP injection, or SQL injection.

Let's go now into reviewing a little bit about what a blind attack is. Most of you probably already know. But when an attacker is able to inject code into a vulnerable web application, it depends on where he can inject the code and what he wants to do. He can follow many methods. Sometimes, if he can inject code in the name or the password field, he can use that injection to bypass the login page and access a private website. Other times, if he's able to inject code in the URL, he's able to extract data from the database directly in the web page response. But some other times, he's able to inject code, but he doesn't get any data directly out from the database, or any error message that he could use to deduce information about the database. So these kinds of environments give the developers and the testing teams, the security testing team, a false sense of security since... Can you hear me? Since... Since data is not directly exposed in the web page. But if the attacker is able to inject code, injecting some LDAP, XPath or SQL queries, he's able to deduce data if the response page that he obtains, depending on the data, is different or has different behaviors. Okay, so blind attacks, in summary, are possible when web applications behave in a different way when you insert a query that is always true and when you insert a query that is always false. If you get different responses, then that web application is possibly vulnerable. Okay, so let's now go into blind SQL injection attacks.
If a web application is using a relational database there, well, the attacker will of course inject a SQL query. The easiest way to find out if a web application is vulnerable to this is injecting something that is always true, like 1 equals 1, looking at the behavior of the web page, then introducing something that is always false, like 1 equals 2, looking at the response page and finding the difference. After you find a vulnerability in a web page, well, the attacker's only job is to find these different behaviors and then to construct the correct queries to be able to extract the data. So let me now go more deeply into how to find these different behaviors.

Okay, back in 2004, Cameron Hotchkies delivered a very good presentation at Black Hat titled How to Automate Blind Attacks Against Web Applications. In it, he described many methods on how to look for these different web page behaviors. So he used methods using different hashes, using different HTML structures, using different patterns, and even using different linear ASCII sums. Before that, in 2002, Chris Anley published a very famous paper called More Advanced SQL Injection, in which he described how to use the time response to look for differences in the behavior of the web pages. Finally, let me tell you really quickly about how to construct these queries, or how these queries are constructed. So once we've got different behaviors, what we do is construct the query to extract the data. Normally, we use conditional operators, greater than, less than, equal to, et cetera, to compare the value that we want to extract from the database against a fixed value. Depending on the response that we get, if it's a false or a true response, then we will change that fixed value and iterate that process until we find out the correct value. In the example that you have in the slide, you have an example to find the ASCII value of the first letter of the first username in a database.
The example is for MySQL Server, MS SQL Server, and Oracle database. At the end of the process, and at the end of all the iterations, you are able to get the complete username. Well, as you can imagine, this is a tough task to do manually. So last year, many tools were developed, and right now there are a lot of tools on the Internet to perform these kinds of attacks. This one is SQLbftools. There are several tools in this package, and it's focused on MySQL databases. This tool is able to extract all the database structure, all the data in tables, all the values of variables, and also it's possible to extract files from the server because this tool uses the load_file function that allows MySQL to load files from the server. So it's possible to extract, for instance, using a blind SQL injection attack, the password file, or the init file, or whatever is on the server. This tool only uses keyword searching, so it's only for one of the methods that Cameron Hotchkies described. And if we are talking about tools for blind SQL injection, it's impossible to forget Absinthe. Absinthe is based on the principles described by Cameron Hotchkies, and it's one of the most powerful and well-rounded tools to perform a blind SQL injection attack. This tool is ready to work with Microsoft SQL Server, PostgreSQL, Sybase, and Oracle. And as you can see in this screenshot, it's possible to work with GET and POST parameters, with cookies, with HTTP connections, and HTTPS connections. This tool should be initialized, and it goes through an always-true injection and an always-false injection, and after that, it's possible to extract all the database structure, the username that the web application is using to connect to the database, the tables, and of course all the data, which can be exported in XML files. This tool is not ready to work with time-based blind SQL injection attacks, and if you have to perform one of these, you need to use other tools.
In some scenarios, in which it's possible to inject code but there is no difference between the true answer page and the false answer page, time-based behavior should be used. In those scenarios, we can use the time delay function in the database to delay the answer. For instance, in Microsoft SQL Server, we can use the WAITFOR function to delay the answer if the condition is true, so when the condition is true, we will have a delay. If not, we are going to have a quicker answer. We can do something similar in Oracle Database, but in Oracle, we have to use a package in the PL/SQL language. This package is called DBMS_LOCK and the function is called SLEEP, but if you want to use this function, you have to inject code in a PL/SQL procedure, and it's a little bit complicated to find an environment where you can inject code in a PL/SQL procedure. In MySQL, we have two options. One of them is the SLEEP function, which comes along with version 5 and version 6 of this database, and the other is the BENCHMARK function. The BENCHMARK function is a special function that forces the database to work for a lot of time, so depending on the parameters set with this function, we can measure 6, 20, or 30 seconds that we can use to analyze a true or false behavior. In this example, you have the injection for Microsoft SQL Server. This injection uses the WAITFOR function, and the database will stop for a few seconds if the condition, in this case EXISTS SELECT * FROM sysusers, retrieves any data. If you are interested in this topic, last year here at DEF CON, people from SensePost delivered a very nice presentation titled It's All About the Timing, and they have a very nice paper on the internet and you can grab it when you want.

Well, and this is an example in the real world. This is an exploit. This is an exploit published last year on milw0rm Web Security. This is an exploit for the Solar Empire web game. As you can see, some people cannot stand losing. This is not the entire exploit.
You can look for the entire exploit on the website, and you have the URL in the white paper you have on the CD. This exploit has two parts. In red is the time measuring, and in blue is the injection. As you can see, in this case, the injection takes place in the User-Agent parameter of the HTTP header and is injected in a BENCHMARK function that forces the database to delay more than seven seconds. So at the beginning, the exploit takes a timestamp. Then, after sending the packet, it takes another timestamp and compares both, and if the difference is greater than seven, then it means that the letter that had been tried out is part of the password. It's cool, no?

Okay, here in the screenshot you have another tool, an example of a tool to automate the time-based method to perform a SQL injection attack. The tool is called SQL Ninja. It uses the WAITFOR function described by Chris Anley and is ready to extract data out from a Microsoft SQL Server database that is behind a vulnerable web application.

Well, until here you probably knew all this. It's not new stuff. If you've been following SQL injection techniques for the last five, six, seven years, you probably knew all that. It was just a quick summary. But what happens in environments where we can inject code but we don't get any different behavior in the web page response? Then normally what we will use is what Chema just explained: time delays to perform the attack. But what happens if behind that vulnerable web application what we've got is a database with no time delay functions? We can have a database such as DB2, Microsoft Access, or even an Oracle database where we are not able to inject code in a PL/SQL function. Do you think it will be possible to continue our attack and extract information in an environment like that? How many? Not many. We are here to explain that. That we are able... Let's finish our presentation. If it was impossible, we wouldn't be here.
We are here to explain how it's possible to extract some data. So please, Chema, introduce us to this new topic.

Just to interact so much with you yesterday. Well, before knowing how to do this, we are going to analyze how a SQL query is executed in a database engine. Let's suppose this query with more than one condition, in this case with two conditions, and they are joined with an AND operator. Let's suppose that the first condition, condition one, lasts 10 seconds, and the second takes 100 seconds to be executed in the database engine. So the question is which condition should be executed first, and which condition will be executed first in the database we are analyzing. Well, to know this, let's have a look at the table, and let's suppose that the heavy condition is not executed in first place. As you can see, the worst condition is executed in all the cases, so in all the cases we obtain a very bad performance in the response time because the heavy query will be executed. This is a very bad tuning decision, and databases try to avoid this situation. As you can see, only when the first one is true, when the heavy condition is true, we obtain 110 seconds, and the difference between the true and the false with the heavy query is very difficult to measure because it's not a long time. On the other hand, if the light condition is executed in first place, we are going to obtain a big difference between the true in the first condition and the false in the first condition. If the light condition is true, the heavy condition will be executed, so we are going to obtain the worst performance, we are going to obtain a big amount of time, but if the first condition is false, it means that the second condition shouldn't be executed, and then only 10 seconds is going to be the time. In this case we have a big difference between the true and the false. It means if we obtain a long time, the light condition is true, and if we obtain a short time, the light condition is false.
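The light-condition-gates-heavy-condition shape described above, as an added example that is not part of the talk and not the speakers' tool code. It uses SQLite in memory as a stand-in for the SQL Server, Oracle and Access back ends of the demos, with a constructed ten-row users table, and puts the deliberately vulnerable string-built query beside the parameter-bound fix. The table names, column names and the five-way self cross join are assumptions for the example, not values from the presentation.

```python
import sqlite3
import time

# Constructed sample data (not from the talk): ten users, so the heavy
# cross join below stays small enough to run in well under a second.
SAMPLE_USERS = [(i, f"user{i}") for i in range(1, 11)]


def make_db():
    """Build an in-memory SQLite database standing in for the demo's back end."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


# Heavy condition: the users table cross-joined with itself five times
# (10**5 rows to count). Heavier self-joins follow the same shape.
HEAVY_CONDITION = (
    "(SELECT COUNT(*) FROM users a, users b, users c, users d, users e) > 0"
)


def injected_value(light_condition):
    """Value placed in the id parameter: the light condition gates the heavy
    one, so the heavy work only happens when the light condition is true."""
    return f"1 AND ({light_condition}) AND {HEAVY_CONDITION}"


def lookup_vulnerable(conn, user_input):
    """Deliberately vulnerable: string concatenation lets the input become SQL."""
    sql = f"SELECT name FROM users WHERE id = {user_input}"
    started = time.perf_counter()
    rows = conn.execute(sql).fetchall()
    return rows, time.perf_counter() - started


def lookup_hardened(conn, user_input):
    """Fixed form: the driver binds the whole input as one value, so the
    conjunction is never parsed and no database time can be controlled."""
    started = time.perf_counter()
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (user_input,)).fetchall()
    return rows, time.perf_counter() - started


def demo():
    """Run the three cases and return rows plus elapsed seconds for each."""
    conn = make_db()
    light_true = "(SELECT COUNT(*) FROM users WHERE name LIKE 'u%') > 0"   # true on this data
    light_false = "(SELECT COUNT(*) FROM users WHERE name LIKE 'z%') > 0"  # false on this data
    rows_t, secs_t = lookup_vulnerable(conn, injected_value(light_true))
    rows_f, secs_f = lookup_vulnerable(conn, injected_value(light_false))
    rows_h, secs_h = lookup_hardened(conn, injected_value(light_true))
    return {
        "vulnerable_light_true": rows_t,   # the row comes back after the heavy join runs
        "vulnerable_light_false": rows_f,  # no row; a short-circuiting engine skips the heavy join
        "hardened": rows_h,                # no row: the input is compared as text, never executed
        "seconds": {"light_true": secs_t, "light_false": secs_f, "hardened": secs_h},
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The row results are what the example asserts on; the elapsed times are returned for inspection only, because whether the engine actually skips the heavy subquery when the light one is false depends on the optimizer, which is exactly the point the talk makes next.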
With this, we can construct binary logic to extract all the information from a database. We are going to construct a light query to extract the data and a heavy one to make a time difference. OK, but which condition will be executed first? Depending on the database, it depends, because some databases have a special process before they execute the query. This process is an optimization process, and other databases don't have that process. OK, so let me explain a little bit how all this works.

As Chema has explained, enterprise databases, for performance purposes, go through an optimization process before they execute a WHERE clause. They try to analyze the conditions inside the WHERE clause, so they try to execute first the conditions that are lighter. OK, first of all, what they do is they get the statistics, indexes, density of values, etc., and try to find out the different cost of the conditions. If they are not able to find any difference, they go through what is called a prediction algorithm and try to find this different cost, and if they are not able to do it with this method, then they just behave as default. Depending on the database, they will evaluate the WHERE clause from left to right or from right to left, databases like, for example, Oracle, which always executes first the condition on the right side. OK, so the last condition is the one that is executed first. Sometimes in this kind of environment the performance algorithms make mistakes, and we may help them and avoid mistakes if we introduce little tricks into the WHERE clause, OK, to avoid these kinds of problems. In other databases, the ones that don't have an optimization process, it's a developer task to establish which condition will be executed first. Databases such as Microsoft Access don't have performance optimization, so the developer must say which condition will be evaluated first. At the end, it is possible to conduct this type of attack, which we are going to finish explaining in the next slide, in any type of database engine, OK, but we have to know which behavior the database is following to evaluate the conditions. OK.

OK, well, and we know that we can extract all the data with a light and with a heavy condition, and the last thing is how heavy conditions should be constructed. Well, the trick is very easy. We can use a very big cross join between a table and itself, crossing it with itself as many times as we need, just to cross records in memory and make the database work for a lot of time. So in this example, as you can see, we are using the sysusers table and we are crossing this table eight times with itself, constructing a big query, a big amount of data in memory, and as you can see the light condition is just an always-true condition because we are comparing the first letter of the username with 300, and all of you know that is true. OK, well, to construct heavy queries in different types of databases we can use the normal tables. For instance, in SQL databases, the Microsoft SQL Server databases, we can use the data dictionary tables, for instance sysusers or sysobjects or sysfiles or whatever you want. The public views are very useful for this attack, for instance ALL_USERS, ALL_OBJECTS or whatever you want. In MySQL version 5 we can use the schema tables, and in Microsoft Access we can use the system tables; depending on the version, we can use MSysAccessObjects or MSysAccessStorage. In Access databases we always have access privilege to these tables, so these tables always succeed and we can use them, and if not, if we don't have any table and we don't have access privilege to any of these tables, well, I suppose you can guess any table in the database. You can use the usual suspects like clients, customers, news, logins, users, providers or whatever, and I'm sure you can imagine one of these. If not, you shouldn't be here.

Well, and now we are going to do a string demo, because this demo is working over Windows Vista and over Virtual PC; it's the worst environment you can imagine. Well, we have... hey, stop. We have in our testing environment this application. This application has four databases: the first one is SQL Server 2005, the second one is Oracle 10g, then Access 2000 and Access 2007. The first part of the application is a normal application in which we can apply the keyword searching for blind attacks, so we can try with 1 equals 1 and we receive this text, as you see, and if we inject this false injection we obtain nothing. But in this other environment, it's not possible to obtain this because no matter what we inject, we always obtain the same result. This is just because if any error occurs, the developer gives us a default result, in this case the same result. So in this case we can try with the WAITFOR method, and we can try, for instance, with the WAITFOR method this one. OK, in this case we are going to use the WAITFOR function in SQL Server, and if the condition is true, the database is going to stop for 5 seconds. This demo only works if we count in Spanish, so what I told you... I'm sorry. If not, exit. It exits. 1, 2, 3, 4, 5. OK, perfect. And if we change the condition from EXISTS to NOT EXISTS, we obtain a quicker answer. OK, but if we have no access to this function, we can use our method with heavy queries. In this case, we are going to perform the time delay using 7 times the same table, in this case the sysusers table. As you can see, we use sysusers AS t1, sysusers AS t2, sysusers AS t3, and this condition will only be executed if the light condition, in this case we SELECT COUNT(*) FROM sysusers, retrieves any data. OK, understood? Well, yes, let's copy and let's paste in the web browser, the Internet Explorer web browser. Wonderful, everything OK. 1, 2, 3, 4, 5. I don't want any problems. Well, we cannot set up the time delay, but we can measure the time delay, as you can see. We can perform the same with an Oracle database, in this case with the ALL_USERS table. OK, copy the URL, look them out, paste. Well, in this case it's the same trick. In this query we are using the ALL_USERS table AS t1, AS t2, AS t3, and this query will be executed only if the light condition, in this case EXISTS, SELECT COUNT(*) FROM ALL_USERS, retrieves any data. This will be true, and of course the heavy query will be executed. So let's start: 1, 2... 1, 2... 1, 2, 3, 4, 5, 6, 7, 8, 9, come on, Oracle, 11, 12, 13, 14, 15, 26... Could you bring me a copy? Oh, perfect. Well, and if we change the condition, we obtain DC64, Oracle. Well, we can perform this with all the databases you can imagine. The problem is how we can automate this, because this is a tough task to do manually. So we can use a tool that we developed. It's public from yesterday, and the source code is available, and it's very similar to this, and we can try it, for instance, first of all with SQL Server. Let's try. Well, first of all we have to set up the URL, then the parameter, the default value, whether the parameter is injectable or not, and this is the time. In this case we are working in a local environment, so we can go faster than in a real environment, so with SQL we can use, for instance, 6, 1 second, 1 second. Well, in the white paper you have on the CD you have a little explanation of these parameters, but they are very easy to understand. Well, let's initiate this, and in this case, just the user. Well, we can see what the application is doing. First of all, the application is looking for how many tables I need to construct a heavy query, and in this case the application is going to use 8 or 9 tables. OK, and now, once the application has the number of tables it needs to construct the heavy queries, it starts to look for the length of the username, in this case two, because we have the user that nobody set up in the SQL Server database. Now the query changes, I mean we are not looking for the length of the username, we are looking for the value, so we need to try out a new heavy query, and now it's looking for a new heavy query, and when the application has a new heavy query it starts looking for the values, in this case the system user, and as you can imagine the first one is the S. Can you guess the second one? And the second one is... well, it finished. The second one is the A. So at the end you can get the system user.

Well, let's do this but with an Access database. In Access we don't have any time delay function, so we have to use this method mandatorily if we want to extract the information from there. And we clear the log. Yes. Do you really want to clear the log? I love my country. Access 2000. Now we set up Access 2000, the same ID. Now we are going to use the same parameters, and as you can see here we have a default table, in this case MSysAccessObjects, but we can use whatever we want, and let's initiate. And now the panel changes because in Access we don't have a data dictionary, so we have to use the table name and column name. Well, you can perform a brute force attack or a dictionary attack looking for tables using the same method. OK, and we can get the data. OK, and it's going to perform the same. The log has a verbosity level, so you can set it to see a summary, as we are seeing now, or we can see all the queries that are being thrown, so you can see the URL and the whole query with all the tables. Too much information for me at this time in the morning. So now the engine, now the number of users in this table, and the application is going to be working until it extracts all the data. Let's leave the tool working and we are going to finish the slides. Working over Windows Vista, incredible. Well, in the slides you have all the demos, but with the wget tool, and you can see all the queries that we have thrown against the database. Well, this is the tool, Marathon Tool, and conclusions.

OK, so conclusions time. Well, as you have seen, this method works with any kind of database, and it doesn't matter if the database has a delay function or not. It's not a very quick method. It's slow, depending on the queries we have to build, but it's very useful for finding vulnerabilities that do not show up using other methods. It's not a silver bullet, but it's just another bullet in your pocket that you can use if you have to. OK, so now we'll leave you here our contact information and that of some other people who have helped us with this presentation, coding the application and doing some research, and we are going to be there, we will be in room 104 for questions on this session, and we'll be heavily enjoying Las Vegas until Sunday. So have a nice DEF CON. Thank you all.
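The conclusions note that the heavy-query method works against databases with no delay function, so a defender cannot rely on spotting WAITFOR, BENCHMARK, SLEEP or DBMS_LOCK.SLEEP alone. The following is an added example, not part of the talk and not Marathon Tool's code, of detection logic run over constructed web-server log lines: it decodes each request's query-string values and flags the payload shapes the talk describes (a delay primitive, a table cross-joined with itself several times, and a boolean tail wrapping a COUNT(*) subquery), treating a slow response time only as corroboration because the false branch of a time-based oracle answers quickly by design. The log format (a combined-style line with a trailing response-time field), the hosts, paths and request strings are all constructed for this example.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (not from the talk). Format assumed here:
# client - - [timestamp] "METHOD URL PROTO" status bytes response_seconds
LOG_LINES = [
    '10.0.0.5 - - [08/Aug/2008:10:01:02 -0700] "GET /news.aspx?id=2 HTTP/1.1" 200 1532 0.031',
    '10.0.0.5 - - [08/Aug/2008:10:01:09 -0700] "GET /news.aspx?id=2%20AND%20(SELECT%20COUNT(*)%20FROM%20sysusers)%3E0%20AND%20(SELECT%20COUNT(*)%20FROM%20sysusers%20AS%20t1,%20sysusers%20AS%20t2,%20sysusers%20AS%20t3,%20sysusers%20AS%20t4)%3E0 HTTP/1.1" 200 1532 5.214',
    '10.0.0.9 - - [08/Aug/2008:10:02:11 -0700] "GET /news.aspx?id=2%20WAITFOR%20DELAY%20%270:0:5%27 HTTP/1.1" 200 1532 5.002',
    '10.0.0.7 - - [08/Aug/2008:10:02:40 -0700] "GET /search.aspx?q=oracle%20sleep%20function HTTP/1.1" 200 812 0.044',
    '10.0.0.5 - - [08/Aug/2008:10:03:15 -0700] "GET /news.aspx?id=2%20AND%20(SELECT%20COUNT(*)%20FROM%20all_users%20WHERE%20username%3D%27nobody%27)%3E0%20AND%20(SELECT%20COUNT(*)%20FROM%20all_users%20t1,%20all_users%20t2,%20all_users%20t3)%3E0 HTTP/1.1" 200 1532 0.048',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<rt>[\d.]+)$'
)

# Delay primitives named in the talk: WAITFOR (SQL Server), BENCHMARK and
# SLEEP (MySQL), DBMS_LOCK.SLEEP (Oracle). Matched only as calls/keywords,
# so prose such as "oracle sleep function" in a search box does not fire.
DELAY_FUNCS = re.compile(r"\b(?:waitfor\s+delay|benchmark\s*\(|sleep\s*\(|dbms_lock\.sleep)", re.I)
# A FROM list of the form "tbl [AS] a1, tbl [AS] a2, ..." (two or more aliased sources).
FROM_LIST = re.compile(r"\bfrom\s+((?:\w+(?:\s+as)?\s+\w+\s*,\s*)+\w+(?:\s+as)?\s+\w+)", re.I)
# A boolean tail wrapping a row-count subquery: the "light condition" shape.
BOOL_TAIL = re.compile(r"\b(?:and|or)\s*\(\s*select\s+count\s*\(\s*\*\s*\)", re.I)


def self_join_degree(sql):
    """Largest number of times one table name appears in a single FROM list."""
    degree = 0
    for match in FROM_LIST.finditer(sql):
        tables = [part.split()[0].lower() for part in match.group(1).split(",")]
        degree = max(degree, max(Counter(tables).values()))
    return degree


def analyze(line, line_no, slow_seconds=2.0):
    """Return a finding dict for one log line, or None if it looks benign."""
    match = LOG_RE.match(line)
    if not match:
        return None
    query = urlsplit(match.group("url")).query
    decoded = " ".join(value for _, value in parse_qsl(query, keep_blank_values=True))
    reasons = []
    if DELAY_FUNCS.search(decoded):
        reasons.append("delay_function")
    degree = self_join_degree(decoded)
    if degree >= 3:
        reasons.append(f"self_join_x{degree}")
    if BOOL_TAIL.search(decoded):
        reasons.append("boolean_subquery_tail")
    if not reasons:
        return None
    # Timing is corroborating evidence only: the "false" branch answers fast by design.
    if float(match.group("rt")) >= slow_seconds:
        reasons.append("slow_response")
    return {"line_no": line_no, "ip": match.group("ip"), "reasons": reasons}


def scan(lines, slow_seconds=2.0):
    """Scan an iterable of log lines and return the findings in order."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        finding = analyze(line, line_no, slow_seconds)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in scan(LOG_LINES):
        print(finding)
```

On the constructed lines, the SQL Server heavy query and the WAITFOR request are flagged with a slow response, while the Oracle heavy query whose light condition is false is still flagged on payload shape alone despite answering in 48 ms, which is the case a purely timing-based alert would miss.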