Agent Oriented SQL Abuse

Agent Oriented SQL Abuse

Thursday, November 29, 2007
Fernando Russ, Diego Tiscornia
Pacsec '07, Nov 2007. Tokyo, Japan

In this talk we focus in analyzing the problems underlying the attack and penetration in the web application scenario, more specifically, using SQL Injection vulnerabilities we introduce the concept of SQL Agent. 

The SQL Agent acts as an efficient translator from SQL to HTTP requests that later exploit a SQL Injection on a given web application. Following the spirit of the Syscall Proxying agent technology (an agent that allows to proxy machine code-execution from the attacker’s machine to the target), it provides a way to abstract the complexity of exploitation /post-exploitation tasks in a homogeneous way.

Our implementation translates a SQL expression input by the user into an abstract tree-structured representation. This abstract representation is then applied a series of transformations to adapt it to the communication channel to be used. Communication channels are divided in two phases: the attack-rendering phase, and the response-decoding phase. During the attack-rendering phase, the structured representation is transformed into one or more attack-requests, each of which implements a data extraction method. An attack-request comprises all the information needed to perform an HTTP request that exploits a given vulnerability. It includes session information, authentication and the knowledge of which user input is needed to complete the attack-string (the actual attack). The response-decoding phase uses the knowledge of the previous phase to extract significative information from the attack-request’s response. 

As benefits of this new approach we can mention SQL execution, which permits the “execution” of a SQL expression by translating it to the context of a given SQL injection vulnerability. Possible SQL expressions to execute are only restricted by this context. It also abstracts the complexity of the vulnerability, when writing an exploit, it abstracts the user from details like exploitable query length, filtered characters, column type, bandwidth, etc. It also automatizes the steps to reach the state to execute the given vulnerability. E.g.: SSL, authentication and session management.
Apart from introducing the architecture and describe the implementation we will show a proof of concept, working code of a SQL Agent fully implemented in python. We will show some examples which demonstrate the benefits exploiting known SQL Injection vulnerabilities with our agent and compare them with the traditional approach.

Related information

SQL Agent | Zombie 2.0: A web-application attack model