Attackers continue to come up with new ways to take advantage of SQL injection vulnerabilities.
One case in point is a new SQL injection attack technique against websites that serve up binary file content like PDFs from dynamically built URLs, said researchers from FishNet Security.
Their methods give attackers the means to stealthily extract data and serve up hidden malware by exploiting SQL injection vulnerabilities on these types of sites, even if the back-end database that feeds content to the Web application has been hardened.
The technique they developed came from a real-world penetration test and code review conducted by Shawn Asmus and Kristov Widak, security consultants for FishNet Security, against a customer Web application designed to retrieve stored PDFs within a database and return them as a Web page.
Through a SQL injection vulnerability and some fairly serious configuration problems (stored passwords that were hashed but not salted, wide-open table permissions, and the like), attacks starting from the SQL injection yielded the ability not only to extract data from the database but also to write to it.
“We could execute XP command shell, upload a Webshell to the Webserver, get root access and all that,” Asmus said.
Asmus and Widak then investigated how they could use SQL injection against such applications even when there were no configuration mistakes.
“We wondered, ‘What if the Web server was hardened? What if those tables were read-only? What could an attacker really get away with or do to make the application respond in a way he or she wanted?’” Asmus asked.
SQL injection-prone sites returning PDFs could be a treasure trove for attackers, particularly due to the forgiving nature of PDF syntax, Widak said.
“You can mangle all kinds of stuff and still get it to render in your reader,” he said. If an attacker is able to inject code into the PDF data stream, and the syntax allows rendering anyhow, there are a number of opportunities to do harm.
The impact of these attack scenarios is that an attacker could exfiltrate data through social engineering or simply deliver malicious payloads through the application that is vulnerable to SQL injection.
Though the attacks were against Microsoft SQL databases, the technique would be adaptable to other database syntaxes, Asmus and Widak said.
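To make the flaw concrete, here is an added illustration (not code from FishNet Security or the customer application) of a PDF-retrieval handler that splices the URL parameter into its query, beside a hardened version that binds the parameter and checks the result before serving it. It uses an in-memory SQLite table as a stand-in for the Microsoft SQL Server database in the article, and the sample PDF bytes and the injected id are constructed.

```python
import sqlite3

# Constructed sample document: a minimal PDF stored as a BLOB, standing in for
# the customer's document table. SQLite is used here only as a stand-in for
# SQL Server; the injection mechanics are the same, the exact syntax is not.
PDF_BYTES = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"

# Constructed hostile id: appends a second SELECT so the query returns
# attacker-chosen content instead of the stored document.
INJECTED_ID = "0 UNION SELECT 'attacker-controlled content'"


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE documents (id INTEGER PRIMARY KEY, content BLOB)")
    conn.execute("INSERT INTO documents VALUES (1, ?)", (PDF_BYTES,))
    return conn


def fetch_pdf_vulnerable(conn, doc_id):
    """Mirrors the flaw: the id from the dynamically built URL is concatenated
    into the SQL text, so whatever the resulting query returns is streamed to
    the browser as the 'PDF', even on a read-only table."""
    row = conn.execute(
        "SELECT content FROM documents WHERE id = " + doc_id).fetchone()
    return row[0] if row else None


def fetch_pdf_hardened(conn, doc_id):
    """Three defences: the id must be purely numeric, it travels as a bound
    parameter so the query text can never change, and the returned object is
    checked for a PDF header before it is served."""
    if not doc_id.isdigit():
        raise ValueError("document id must be numeric")
    row = conn.execute(
        "SELECT content FROM documents WHERE id = ?", (int(doc_id),)).fetchone()
    if row is None:
        return None
    data = bytes(row[0])
    if not data.startswith(b"%PDF-"):
        raise ValueError("stored object does not look like a PDF")
    return data


if __name__ == "__main__":
    db = build_db()
    print(fetch_pdf_vulnerable(db, INJECTED_ID))   # attacker-chosen content
    print(fetch_pdf_hardened(db, "1")[:8])         # b'%PDF-1.4'
```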