A security researcher plans to demonstrate attacks that use SQL injection as a stepping stone to take full control of database servers at the upcoming Black Hat Europe conference. If successfully exploited, the attacks give the hacker complete control over the database server operating system, file system and the rest of the internal network machines.
SQL injection consistently rates as one of the top vulnerabilities
affecting Web applications. But for all the attention paid to it, one
researcher feels the full impact of SQL injection has yet to be
fully demonstrated in public.
This month at Black Hat Europe, security researcher Bernardo Damele Assumpcao Guimaraes
plans to rectify that by exploring ways SQL injection can be
used in a multistage attack to threaten your internal network.
The presentation will focus on how to exploit a single vulnerability
in a Web application to get complete control of the database
server and endanger the internal network as a whole, he
"The vulnerability itself can be considered as a stepping stone to
the actual target, which is the complete control of its server, either
operating system, file system or the rest of the internal network
machines," he said. "Once the attacker detects a SQL injection flaw on
the Web application, he can manipulate the SQL statement that is passed
from the application to the database server, which is then executed. By
abusing some database design flaws and functionalities it is possible
for an attacker to perform a multistage attack to get complete control
over the database server operating system, file system and internal
His presentation will cover MySQL, PostgreSQL and Microsoft SQL
Server running on either Linux or Windows in combination with the PHP,
ASP and ASP.Net Web application programming languages.
Among other things, the attacks he will demonstrate can be used to
achieve file access on the database's underlying file system and
operating system memory protection bypass.
As is standard at Black Hat conferences, he will also be releasing a tool - in this case, a new version of sqlmap
that can be used to launch these attacks as well as an exploit for
a vulnerability affecting Microsoft SQL Server that was patched in
February. A whitepaper on the hacks is forthcoming as well.
In general, to protect themselves against SQL injection, enterprises
should look to harden their database servers properly as well as
maintain a commitment to the security development lifecycle, he said.
They should also look to implement well-configured Web Intrusion
Prevention System solutions based on anomaly detection, the researcher
"There is still not enough attention in the software development
lifecycle to security," he said. "It's an easy-to-detect flaw and can
easily lead to data exfiltration and manipulation...a lot has been said
on this specific vulnerability, but not all of the aspects and
implications have been uncovered yet."
The Black Hat Europe conference
will be held in Amsterdam from April 14-17.