Ms SQL Server Injection Technology in Sybase

West follow: the original article is from the exposure of database hackers-Database Server Protection Technology. If you really want to study database security, you can buy one to see if it supports genuine versions. This article is from Chapter 1.

Sybase attacks and defense are a broad topic. Therefore, this chapter attempts to extract the essence of the problem and demonstrate some interesting attacks and scenarios. In terms of defense, if possible, many measures can be taken to increase the difficulty of attacks. This chapter involves many defense issues.

However, you must first locate the Sybase server and determine its configuration.

14.1 target discovery
The first step to attack the Sybase server is to locate the server in the network. This section describes multiple methods to locate the Sybase server.

14.1.1 scan Sybase
As you have noticed earlier, Sybase listens to some well-known TCP ports-5000-5004, 8181, and 8182. It is easy to configure Sybase to listen to different ports, but these well-known ports are really helpful. Using port scanning tools, such as Fyodor's nMap (http://www.insecure.org/nmap), is the best way to locate a host through a specific known open port.

If you can remotely access the Windows registry in the network, it is very useful to check the ODBC data source. In

HKEY_LOCAL_MACHINESoftwareODBC

Search for SybaseServerName and NetworkAddress in to view the host name, IP address, and TCP port of any ODBC Data Source configured on the host in question.

If the company has an LDAP basic structure, you can also use LDAP to query.

14.1.2 Sybase version
The response packet for failed Sybase authentication contains the master (major) version number and minor (minor) version number of the server. Therefore, the version number can be obtained for packets that fail to authenticate the server. The data packet looks like the following:

Ethernet Header

...

IP Header

...

TCP Header

Source port: 5000

Destport: 1964

Flags: 0 × 18 (ack psh)

...

Raw Data

04 01 00 4e 00 00 00 00 ad 14 00 06 05 00 00 00 (N)

0a 73 71 6c 20 73 65 72 76 65 72 0c 05 00 00 e5 (SQL server)

23 00 a2 0f 00 00 01 0e 05 5a 5a 5a 5a 5a 00 01 (# zzzzzzz)

00 0e 00 4c 6f 67 69 6e 20 66 61 69 6c 65 64 2e (Login failed .)

0a 00 00 00 fd 02 00 00 00 00 00 00 00 ()

The four bytes followed by the string "SQL server" are version numbers -- 0 × 0c = 12, 0 × 05 = 5, so the host version number is 12.5.0.0. Using this method to get the version number is not all of the story-you need to verify and select @ version to get the information-at least get some hint. The server sending the preceding data packet is actually running ASE 12.5.1.

The version number of the Sybase server may be obtained by slightly deleting the authentication data packet. According to our experiment, even if the authentication log option is set, the deleted authentication attempt will not be logged. This is good, because we don't really need to try authentication; we just want to get the server version information in the error response.

To record failed and successful authentication attempts to the log, run the following command:

Sp_configure 'Log audit logon failure ', 1

Sp_configure 'Log audit logon success ', 1

At the end of this chapter, you can find the C source code that implements a simplified tool. This Code allows you to get the Sybase version by deleting simple authentication data packets.

14.1.3 Identity Authentication
In the default out of the box configuration, Sybase passes a password on the network in plain text. This is so obvious and well-known security risk that almost all companies have adopted some mitigation-or adopt Sybase recommendations and deploy a more advanced authentication method, for example, Kerberos, or encrypted IPSec channels or similar measures. Even so, the default configuration occasionally appears, so pay attention to the traffic from the Sybase client to the common Sybase server port-, where there may be a clear password.

Because most local database authentication mechanisms are supported, man-in-the-middle attacks may also be launched. This scenario occurs when attackers pretend to be a database server. Generally, attackers will have to intrude into a DNS or WINS server to do so, but this depends on the name resolution infrastructure in the network and may be able to directly attack.

14.2 attack Sybase
This section describes the techniques used to attack the Sybase server. These technologies can be applied to multiple situations. For example, several techniques listed in "SQL injection" are related to every situation where attackers can issue arbitrary SQL queries.

14.2.1 SQL Injection in Sybase
Sybase has a special question about SQL injection, because it shares the ancestral code based on Microsoft SQL Server. Because SQL Injection on the Microsoft platform has been thoroughly studied, and Sybase shares many of the same nature, this makes Microsoft SQL Server vulnerable to SQL injection attacks (batch queries, full subselect support, and very helpful error messages), even if attackers do not know much about Sybase, it is also very likely to "find a nearby path ". In addition, Sybase provides a set of new functions that can be exploited by attackers in the context of SQL injection attacks. Java integration is a very typical example.

This section provides brief information about the latest SQL injection technology, evaluates the effectiveness of Microsoft SQL Server attack technology in the Sybase environment that has been promoted everywhere, and then studies some Sybase-specific technologies, for example, Java-In-SQL interacts with the file system through the proxy table.

Before going into the SQL Injection mechanism, we should briefly discuss the severity and effective scope. If the Sybase server (and XP Service) is running as a low-privilege user, the Sybase user that the Web application is used to connect is low-privileged and the latest patch is fully installed, this fundamentally reduces the actual impact of SQL injection. However, this is still a serious problem, because attackers can still do everything that applications can do for data, but it reduces the possibility that attackers can access the database server as an internal network.

We will give a general discussion of defense in the subsequent sections of this chapter.

14.2.2 basics of SQL Injection
To properly discuss SQL injection, an application sample that can fully demonstrate the problem is required. Usually people are most concerned about SQL Injection in Web applications, so we will use a very simple Web application as an example. It is difficult to determine the technical platform for the application sample, because Sybase supports many mechanisms. Because Java is a key part of Sybase policy, a small Servlet-based Java Web application may be an appropriate example.

The following is the source code of a small Java Servlet sample. The program queries books in the Sybase default database pubs2 according to the title containing the specific search string. You can install it on any Servlet-supported Web server, such as Tomcat.

Import java. io .*;

Import java. lang .*;

Import java.net .*;

Import java. SQL .*;

Import javax. servlet .*;

Import javax. servlet. http .*;

Import com. sybase. jdbc2.jdbc .*;

Public class BookQuery extends HttpServlet

{

Public void init (ServletConfig config) throws. ServletException

{

Super. init (config );

}

Public void destroy (){}

Protected void processRequest (

HttpServletRequest request,

HttpServletResponse response)

Throws ServletException, IOException

{

PrintWriter out = response. getWriter ();

Try

{

Response. setContentType ("text/html ");

Out. println ("

Results </title>

Out. println ("<bodyxhl> Search results

Class. forName ("corn. Sybase. jdbc2.jdbc. SybDriver ");

Connection con = DriverManager. getConnection ("jdbc:

Sybase: Tds: sybtest: 5000 "," sa "," sapassword ");

Statement stmt = con. createStatement ();

String search = request. getParameter ("search ");

ResultSet rs = stmt.exe cuteQueryt "select * from

Pubs2.. titles where UPPER (title) like UPPER ('%' + search + "% ')");

Int numberOfColumns = rs. getMetaData (). getColumnCount ();

Rs. next ();

Out. println ("<TABLE border = l> ");

While (! Rs. isAfterLast ())

{

Out. print ("<TR> ");

For (int I = 1; I <= numberOf Columns; I ++)

{

Out. print ("<TD> ");

Out. print (rs. getString (I ));

Out. print ("</TD> ");

}

Out. print ("</TR> ");

Rs. next ();

}

Rs. close ();

Out. println ("</TABLE> ");

Out. println ("</body> ");

Out. println ("

}

Catch (SQLException e)

{

While (e! = Null)

{

Out. println (e );

E = e. getNextException ();

}

}

Catch (Exception e)

{

Out. printin ("Exception:" + e );

}

}

Protected void doGet (HttpServletRequest request, HttpServletResponse

Response)

Throws ServletException, IOException

{

ProcessRequest (request, response );

}

Protected void do Post (HttpServletRequest request,

HttpServletResponse response)

Throws ServletException, IOException

{

ProcessRequest (request