Advanced PostgreSQL SQL Injection & Filter Bypass Techniques

INTRODUCTION

According to the WhiteHat Website Security Statistics Report from 2009, SQL injection vulnerabilities account for up to 17% of all web application vulnerabilities. Besides being very common, SQL injection vulnerabilities typically allow an attacker to read or even modify arbitrary data in the database used by the web application, which increases the risk resulting from such vulnerabilities.

In order to increase the overall security of web applications, companies today often implement web application firewalls or filters. While web application firewalls can indeed stop certain attacks, they are not a complete solution to web application vulnerabilities. This document demonstrates advanced blind SQL injection vulnerabilities on PostgreSQL databases. The document is the result of a penetration test performed on a real system, with a real web application firewall protecting a vulnerable web application.

The techniques used for exploitation in this document show how such a web application firewall can be bypassed and data extracted. The rest of the document is organized as follows. Section 2 sets up the vulnerable web application and a simulation of a keyword-based web application firewall. Section 3 explains the basics of blind SQL injection vulnerabilities. Section 4 shows how the web application firewall described in Section 2 can be bypassed to allow an attacker to issue practically any SQL query. Finally, Section 5 describes how blind SQL injection vulnerabilities can be exploited, including some techniques specific to PostgreSQL databases.

TABLE OF CONTENTS

    1. INTRODUCTION
    2. VULNERABLE WEB APPLICATION
    3. GENERAL BLIND SQL INJECTION ATTACKS
    4. FILTER BYPASSING TECHNIQUES
  • 4.1. DOLLAR-SIGNS
  • 4.2. DATABASE FUNCTIONS
    5. EXPLOITING BLIND SQL INJECTION IN POSTGRESQL
  • 5.1. IDENTIFICATION OF TABLE AND COLUMN NAMES
  • 5.1.1. TABLE DATA RETRIEVAL
  • 5.1.1.1. Data retrieval with the substr() function
  • 5.1.1.2. Data retrieval with the strpos() function
  • 5.1.1.3. Data retrieval with the get_byte() function
    6. CONCLUSION

Download: Adavanced Postgre SQL injection.pdf (154.0 KB)

Enjoy!