SQL Injection Threatens the Whole System, Not Just the Database

Source: Internet
Author: User
Tags: microsoft sql server, sql injection

A recently demonstrated multi-stage attack shows that SQL injection can be turned into interactive GUI (graphical user interface) access to the underlying operating system.

A European researcher has shown that SQL injection is not just about attacking databases and Web pages; it can also serve as a stepping stone into the operating system.

Alberto Revelli, a senior penetration tester at computer security firm Portcullis, demonstrated a multi-stage attack at the EUSecWest conference in London on Tuesday that gains interactive GUI access to the underlying operating system.

Revelli, also known as "Icesurfer", noted that today's database management systems include a number of tools and functional components that connect directly to the operating system and the network. "This means that if I can attack a Web application through a SQL injection, I'm not limited to the data stored in the database, but I can also manage to gain interactive access to the host where the DBMS (database management system) resides," he said.

His attack combines SQL injection with evasion of intrusion prevention systems (IPS) and Web application firewalls, brute-forces the system administrator's password, and uses the Web application only as the initial stage. "In these cases, the Web application is a stepping stone to the real goal of reaching the host that deploys the DBMS," Revelli said. He held back some details ahead of his EUSecWest presentation.

He said the attack allows an attacker to run commands on the compromised system and see the results. "Typically, this attack leads to a DOS (disk operating system) prompt, which is not very powerful," he said. "My view is that it is possible to go further and in many cases to gain graphical access to the remote database server desktop."

Revelli will use Microsoft SQL Server as the example in his demo, but he says the attack applies to all database technologies. The weaknesses exploited are not only in the database software but also in the Web application, firewall rule sets, and other configuration. "Every component of this attack will take advantage of a vulnerability or some kind of misconfiguration in a different part of the architecture," he said.

Once the attacker obtains remote access to the database, he can view files, grab data, shut down the database, and even penetrate further into the network.

This week Revelli also plans to release a new version of his Sqlninja attack tool, which he will use in the demo.

Defending against such database and operating system attacks requires a combination of measures, including least privilege, defense in depth, and security-minded design of networks and Web applications, Revelli said.

"The key is to assess the risks a network is exposed to; we should not view SQL injection only as a threat to the data stored in the database, but as a threat to the entire network."
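As an added illustration of the least-privilege measure Revelli recommends (this T-SQL is not from the article or from Revelli's tool), the weak setting is shown beside a hardened one for the SQL Server login a Web application uses; login, user, database, schema and password values are placeholders.

```sql
-- Weak setting (shown only for contrast, do not apply): the Web application
-- connects with a sysadmin login, so any injected query runs with full server
-- rights, including DBMS components that reach the operating system.
-- CREATE LOGIN webapp_login WITH PASSWORD = '<placeholder>';
-- ALTER SERVER ROLE sysadmin ADD MEMBER webapp_login;

-- Hardened setting: a dedicated login that holds only the rights the
-- application needs inside its own database (placeholder names).
USE master;
CREATE LOGIN webapp_login
    WITH PASSWORD = '<strong-generated-password>', CHECK_POLICY = ON;

-- Make sure the application login is not a server administrator.
IF IS_SRVROLEMEMBER('sysadmin', 'webapp_login') = 1
    ALTER SERVER ROLE sysadmin DROP MEMBER webapp_login;

-- Map the login to a database user and grant only data access on the
-- application's own schema; no DDL, no rights in other databases.
USE WebAppDb;
CREATE USER webapp_user FOR LOGIN webapp_login;
GRANT SELECT, INSERT, UPDATE ON SCHEMA::app TO webapp_user;

-- Defense in depth: confirm the OS-facing extended procedures stay disabled
-- (they are off by default; this asserts the state rather than trusting it).
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;
RECONFIGURE;

-- Verification: the login must report is_sysadmin = 0 and both options
-- must show value_in_use = 0.
SELECT p.name, p.type_desc,
       IS_SRVROLEMEMBER('sysadmin', p.name) AS is_sysadmin
FROM sys.server_principals AS p
WHERE p.name = 'webapp_login';

SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures');
```

Run the verification queries from a review account after any deployment; a non-zero result in either column means the application login could again act as a bridge from the database to the host.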
