SQL injection consistently rates as one of the top vulnerabilities affecting Web applications. But for all the attention paid to it, one researcher feels the full impact of SQL injection has yet to be fully demonstrated in public.
This month at Black Hat Europe, security researcher Bernardo Damele Assumpcao Guimaraes plans to rectify that by exploring ways SQL injection can be used in a multistage attack to threaten your internal network.
The presentation will focus on how to exploit a single vulnerability in a Web application to get complete control of the database server and endanger the internal network as a whole, he explained.
"The vulnerability itself can be considered as a stepping stone to the actual target, which is the complete control of its server, either operating system, file system or the rest of the internal network machines," he said. "Once the attacker detects a SQL injection flaw on the Web application, he can manipulate the SQL statement that is passed from the application to the database server, which is then executed. By abusing some database design flaws and functionalities it is possible for an attacker to perform a multistage attack to get complete control over the database server operating system, file system and internal network."
His presentation will cover MySQL, PostgreSQL and Microsoft SQL Server running on either Linux or Windows in combination with the PHP, ASP and ASP.Net Web application programming languages.
Among other things, the attacks he will demonstrate can be used to achieve file access on the database's underlying file system and operating system memory protection bypass.
As is standard at Black Hat conferences, he will also be releasing a tool - in this case, a new version of sqlmap - that can be used to launch these attacks as well as an exploit for a vulnerability affecting Microsoft SQL Server that was patched in February. A whitepaper on the hacks is forthcoming as well.
In general, to protect themselves against SQL injection, enterprises should look to harden their database servers properly as well as maintain a commitment to the security development lifecycle, he said. They should also look to implement well-configured Web Intrusion Prevention System solutions based on anomaly detection, the researcher added.
"There is still not enough attention in the software development lifecycle to security," he said. "It's an easy-to-detect flaw and can easily lead to data exfiltration and manipulation...a lot has been said on this specific vulnerability, but not all of the aspects and implications have been uncovered yet."
The Black Hat Europe conference will be held in Amsterdam from April 14-17.