2012/03/22

SQL Injections by binary search

we moved here http://radzserg.com/2012/03/22/sql-injections-by-binary-search/


Yesterday someone tried to hack one of the projects I'm working on. Yesterday I was busy all the day. When I started to work it was about 4 PM. And what did I see in error logs

2012-03-21T04:20:27-05:00 CRIT (2): Exception information:
Message: CURL error (http://myproject.com/path_to_api.php): The requested URL returned error: 500
Stack trace:
....
Request Parameters:
Array
(
    [id] => 11874362999999.9' or Length((select distinct column_name from `information_schema`.columns where table_schema=0x123(I changed real name) and table_name=0x321(I changed real name) limit 0,1))<8 and 'x'='x
)

At first I did not even gave special importance to this. I thought somebody try to check sql injection to urls. I knew that all he can see it's just an error page. I started to check logs.

Then I found such query
[id] => 11874362999999.9' or ascii(substring((select concat(system_settings.val,0x5e,system_settings.code,0x5e,system_settings.id) from {our_scheme_name}.system_settings limit 17,1),19,1))<118 and 'x'='x

And it looks really scary, because hacker already knew our DB structure. (Then I understood he has known it in first query, I was confusing by encoded names i.e. 0x123 hexadecimal number) I've immediately blocked him by IP. And started investigation.

All such errors was from one page, it became clear that we have a hole here. I started to check code, we did a api call. I went thought this call and what did I find in one very old class?

'select * from some_table where id=\''.$id.'\';

classic... :(

So how did it work? He added his query but he got only error page, without any valuable info. And let's see how it works

select *
from some_table
where id= 11874362999999.9'
    or Length((select distinct column_name from `information_schema`.columns where table_schema=0x123(I changed real name) and table_name=0x321(I changed real name) limit 0,1))<8 and 'x'='x'


if his query was succeed he got standard page. If it was failed he got error message. Then he use binary search, look at that query

ascii(substring((select concat(system_settings.val,0x5e,system_settings.code,0x5e,system_settings.id) from {our_scheme_name}.system_settings limit 17,1),19,1))<118

He picked up the values ​​character by character by binary search. Initially he got DB structure(looks like he used some automatic tool) then he started works with tables, making more clever requests.

To get DB structure you need to perform thousands of queries.

Fortunately we stopped him soon and closed the hole and he couldn't get valuable info. But it was very unpleasant.

But be careful! Those freaks don't sleep. Follow the classic simple rules.
- Do not use this shit  'select * from some_table where id=\''.$id.'\';
- Do not store passwords as plain text
- Analyze suspicious user behavior (I'm gonna wright about that last 2 months :))


And finally, I found this cheatsheet - read it even if you are familiar with most of the examples, in order to refresh the memories.
http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/



No comments:

Post a Comment