SQL injection attack leads to command execution

03 April 2009

SQL injection will take a new turn later this month at Black Hat Europe, when a security researcher shows how to take control of a database server using the technique.

Thus far, SQL injection has focused on altering data within the database, rather than attacking the underlying operating system. But researcher Bernardo Damele Assumpcao Guimaraes will be upgrading his SQLmap tool with functionality to execute arbitrary code on a database server.
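The entry point for every technique in this article is an injectable query, so the first line of defence is the one the application controls. The following added example (not code from the article or from SQLmap) shows the defect beside its fix using Python's built-in sqlite3 module against a constructed in-memory user table: the vulnerable lookup splices the request parameter into the SQL text, the hardened lookup passes it as a bound parameter, and a regression check feeds both the same tautology input. The table contents and function names are assumptions for illustration.

```python
import sqlite3

def build_db():
    # Constructed in-memory table standing in for a web application's user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn

def lookup_vulnerable(conn, name):
    # Defect: request data becomes part of the SQL text, so quotes and
    # operators in the input are parsed as SQL rather than as a value.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, name):
    # Fix: a bound parameter is sent to the engine as data, never re-parsed as
    # SQL, so the same input matches only a literal username.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

# Constructed tautology input used as a regression check for the fix.
TAUTOLOGY = "x' OR '1'='1"

def regression_check():
    # Returns (rows leaked by the vulnerable path, rows returned by the safe path).
    conn = build_db()
    leaked = lookup_vulnerable(conn, TAUTOLOGY)
    safe = lookup_safe(conn, TAUTOLOGY)
    conn.close()
    return leaked, safe

if __name__ == "__main__":
    leaked, safe = regression_check()
    print("vulnerable path returned", len(leaked), "rows")
    print("parameterised path returned", len(safe), "rows")
```

A check like `regression_check` belongs in the application's test suite: any lookup that returns more than the expected rows for a quoted input is a query that still builds SQL from strings.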

"Modern database management systems are very powerful applications. They have built-in stored procedures and functions to read or write functions on the systems," Damele said. "They are not always enabled, but they can be re-enabled by attackers."

"In other cases, you can abuse some 'create function' privileges," he added. "By abusing that privilege, you can create any function from C source code. Having access to the C source code, you can write it to do whatever you want at a low level."

Damele will demonstrate three techniques. He will show how SQL injection on SQL Server 2000 and 2005 can be used to exploit a known buffer overflow bug in SQL Server that has already been patched by Microsoft.

A separate privilege escalation attack based on abuse of Windows Access Tokens renders SQL Server 2005 and 2008 vulnerable, alongside MySQL under certain circumstances.

Finally, he will unveil a third technique that he is keeping quiet until the event, but which involves file system access, and which will enable arbitrary command execution. That mystery attack will affect MySQL and Postgres.

"With any of these vectors, what you get is a full duplex connection, out of bounds. Using that tunnel, you can inject a shell connection, or a terminal service-like connection, which is a virtual network connection, or you can use meterpreter," said Damele. Meterpreter is an exploit contained in the Metasploit framework.

Damele warned administrators to be careful when setting and maintaining account privileges on their database implementations.
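The privileges Damele describes ('create function', access to built-in file and procedure functionality) are exactly what turns an injection into host access, and they are visible in the database's own grant tables. The following added example (not from the article) audits constructed MySQL `SHOW GRANTS` output for accounts holding host-reaching privileges at global scope. The sample accounts, the set of privileges treated as high risk, and the rule that write access to the `mysql` system schema is a UDF-creation risk are assumptions made for this illustration; a real audit would tune the list to the engine version in use.

```python
import re

# Constructed sample of `SHOW GRANTS` output for three accounts (not real data).
SAMPLE_GRANTS = """
GRANT USAGE ON *.* TO 'app'@'localhost'
GRANT SELECT, INSERT, UPDATE, DELETE ON `shop`.* TO 'app'@'localhost'
GRANT ALL PRIVILEGES ON *.* TO 'legacy'@'%' WITH GRANT OPTION
GRANT SELECT, FILE, CREATE ROUTINE ON *.* TO 'report'@'10.0.0.5'
GRANT INSERT ON `mysql`.* TO 'report'@'10.0.0.5'
"""

# Privileges that let a compromised account reach the host, not just the data
# (assumed high-risk set for this example; FILE reads/writes server files,
# CREATE ROUTINE and SUPER cover the 'create function' style abuse).
HIGH_RISK_GLOBAL = {"FILE", "CREATE ROUTINE", "SUPER", "ALL PRIVILEGES", "SHUTDOWN", "PROCESS"}

GRANT_RE = re.compile(
    r"^GRANT (?P<privs>.+?) ON (?P<scope>\S+) TO (?P<account>'[^']*'@'[^']*')", re.I
)

def parse_grant(line):
    # Returns (account, scope, set of privileges) or None for non-GRANT lines.
    # Column-level grants such as SELECT (col) are not handled by this parser.
    m = GRANT_RE.match(line.strip())
    if not m:
        return None
    privs = {p.strip().upper() for p in m.group("privs").split(",")}
    return m.group("account"), m.group("scope"), privs

def audit_grants(text):
    # Returns a list of (account, privilege, scope) findings.
    findings = []
    for line in text.splitlines():
        parsed = parse_grant(line)
        if parsed is None:
            continue
        account, scope, privs = parsed
        if scope == "*.*":
            for priv in sorted(privs & HIGH_RISK_GLOBAL):
                findings.append((account, priv, scope))
        # Assumption: write access to the mysql schema is treated as a UDF risk.
        if scope.replace("`", "").lower().startswith("mysql.") and privs & {"INSERT", "ALL PRIVILEGES"}:
            findings.append((account, "WRITE mysql.*", scope))
    return findings

def flagged_accounts(text):
    return sorted({account for account, _, _ in audit_grants(text)})

if __name__ == "__main__":
    for account, priv, scope in audit_grants(SAMPLE_GRANTS):
        print(f"{account}: {priv} on {scope}")
```

The application account `'app'@'localhost'` produces no findings because its grants are confined to its own schema; that is the shape an injectable web application's database login should have.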
