Introduction to SQL Injection

Stefan Friese

11 April, 2024

Topics

  • How an SQL Injection is Created
  • How to Exploit an SQL Injection
  • SPOILER: How to Prevent an SQL Injection in the Next Presentation

How Does it Happen

An SQL injection occurs when two things come together.

Number 1

An SQL query embedded as a string in another programming language

sql_query =
  cursor.execute(
    "SELECT * FROM user_data where username = 'foo' and password = 's3cur3P4ssw0rd'"
  )

Number 2

User input becomes part of that SQL query string

sql_query = cursor.execute("SELECT * FROM user_data where username = '%s'" % username)
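The two ingredients side by side, as an added example (not code from the talk): the slide's `%`-formatted query against an in-memory SQLite table, next to the parameterised form the next presentation will recommend. The table, the two sample users and the classic unbalanced-quote input are constructed for this demo.

```python
import sqlite3

# Constructed sample rows standing in for the slide's user_data table.
SAMPLE_USERS = [
    ("foo", "s3cur3P4ssw0rd"),
    ("admin", "hunter2"),
]


def make_db():
    """Create an in-memory SQLite database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_data (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO user_data VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """The pattern from the slide: user input is pasted into the query text.

    A quote inside `username` or `password` terminates the SQL literal, and
    whatever follows is parsed as SQL, so the caller rewrites the WHERE clause.
    """
    template = "SELECT username FROM user_data WHERE username = '%s' AND password = '%s'"
    query = template % (username, password)
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, username, password):
    """Parameterised query: the SQL text is fixed, the values travel separately.

    SQLite receives both values as bound parameters, so a quote in the input
    is just one more character of the string being compared.
    """
    query = "SELECT username FROM user_data WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"  # textbook input: closes the literal, adds an always-true term
    print(login_vulnerable(db, "foo", "s3cur3P4ssw0rd"))  # ['foo']
    print(login_vulnerable(db, tautology, tautology))     # every user
    print(login_safe(db, tautology, tautology))           # []
```

With the vulnerable function the resulting statement reads `WHERE username = '' OR '1'='1' AND password = '' OR '1'='1'`, which is true for every row; the parameterised function sends the same two strings as values and matches nothing.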

How to Exploit an SQL Injection

Work is the product of power and time.
P is your power to solve an issue.

W = P x t

The smarter you tackle work, the less time you need to solve an issue.

Knowledge is a Map

You conveniently drive around the city using the underground. That's how you get to know the main spots of the city.

London Underground

Knowledge is a Map

Invest some time and explore deeper on foot. That’s how you get to know the back alleys.

London by Foot

Ghidra – an Overview

Main View of Ghidra

Watch Out for Low-Hanging Fruit

  • Data Segment
  • Names of Functions
  • Conditions & Comparisons
  • Strings: Usernames, Passwords
  • URLs, IP & Port Numbers

Do not try to understand the whole code at once; it will only drive you mad.

Data Segments

A look into the read-only data segment

Name of Functions

Functions contained in the binary, a.k.a. the Symbol Tree

Conditions & Comparisons

Input is compared to a hard-coded string

Function Graph

Take a Look at the Flow Graph of Functions

Strings

Open the Defined Strings Menu

Strings are not only located in the data segment but also in code segments, sometimes obfuscated

Strings

An old friend

Binary Patching

Bypass any undesirable condition via a NOP instruction.

NOP, export your patched binary

Do It Yourselves!

A Word On Binary Obfuscation

Software Obfuscation was born in 1984 at the International Obfuscated C Code Contest

A donut as code compiles to a spinning donut by Jim Hague

What Exactly might be Obfuscated in Your Code?

Layered obfuscation: a taxonomy of software obfuscation techniques for layered security by Hui Xu et al.
  • Code Element Layers
    • Layout
    • Controls
    • Data
    • Methods
    • Classes
  • Component
    • Library Calls
    • Used Resources
  • Application Layer
    • DRM System
    • Neural Networks

Techniques of Obfuscation

Splitting & Merging of Strings

a = "BABE"
b = "CAFFEE"
f"{b}{a}"  # joined at runtime: 'CAFFEEBABE' never appears as one literal in the binary

String Deobfuscation with FLOSS
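An added example (not from the talk or from FLOSS) that ties the low-hanging-fruit slide to the string-splitting slide: a minimal `strings`-style extractor runs over a constructed stand-in for a read-only data segment, flags the kinds of hits the Ghidra slide lists (URLs, IP:port pairs, credential-like and check-message strings), and then shows that the split halves `BABE` and `CAFFEE` are all a static pass can see, while the joined value only exists once the concatenation runs, which is why FLOSS emulates code instead of just scanning bytes. The byte blob, patterns and threshold are assumptions made for this demo.

```python
import re

# Constructed stand-in for a binary's .rodata: printable runs separated by
# non-printable bytes, plus the two halves of a string the program joins at
# runtime (a = "BABE", b = "CAFFEE" from the slide).
SAMPLE_RODATA = (
    b"\x7fELF\x02\x01\x01\x00\x00\x00"
    b"admin\x00"
    b"Passw0rd!\x00"
    b"http://update.example.invalid/check\x00"
    b"10.0.0.12:4444\x00"
    b"\x48\x89\xe5\x00\x00"
    b"BABE\x00"
    b"CAFFEE\x00"
    b"Invalid license\x00"
)

MIN_LEN = 4  # default minimum run length of the classic `strings` tool

# Rough patterns for the low-hanging fruit named on the Ghidra slide.
INTERESTING = {
    "url": re.compile(rb"^[a-z]+://"),
    "ip:port": re.compile(rb"^\d{1,3}(\.\d{1,3}){3}:\d{1,5}$"),
    "credential": re.compile(rb"admin|root|pass|pwd|secret|token", re.I),
    "check-message": re.compile(rb"licen[cs]e|trial|expired", re.I),
}


def extract_strings(blob, min_len=MIN_LEN):
    """Return every run of at least min_len printable ASCII bytes, like `strings`."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)


def classify(strings):
    """Map each string that matches a pattern to the categories it matches."""
    hits = {}
    for s in strings:
        cats = [name for name, pat in INTERESTING.items() if pat.search(s)]
        if cats:
            hits[s.decode("ascii")] = cats
    return hits


def static_view(blob):
    """What a byte-scanning pass sees: the fragments, never the joined value."""
    found = set(extract_strings(blob))
    return {
        "fragments_present": b"BABE" in found and b"CAFFEE" in found,
        "joined_present": b"CAFFEEBABE" in found,
    }


def runtime_view():
    """What executing (or emulating, as FLOSS does) the concatenation yields."""
    a, b = "BABE", "CAFFEE"
    return f"{b}{a}"


if __name__ == "__main__":
    strings = extract_strings(SAMPLE_RODATA)
    for s, cats in classify(strings).items():
        print(f"{s!r:45} {', '.join(cats)}")
    print(static_view(SAMPLE_RODATA))  # fragments present, joined value absent
    print(runtime_view())              # CAFFEEBABE
```

The three-byte `ELF` magic falls below the length cutoff, a reminder that short or split strings slip past a plain byte scan; lowering `min_len` brings them back at the cost of far more noise.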

Packing

Compress binary data

            ooooo     ooo  ooooooooo.  ooooooo  ooooo
            `888'     `8'  `888   `Y88. `8888    d8'
             888       8    888   .d88'   Y888..8P
             888       8    888ooo88P'     `8888'
             888       8    888           .8PY888.
             `88.    .8'    888          d8'  `888b
               `YbodP'     o888o       o888o  o88888o

UPX Packer/Unpacker
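A packed section is compressed data, and compressed data looks nearly random, so byte entropy is the usual first test for packing. This added example (not the talk's or UPX's own code) computes Shannon entropy for a constructed "unpacked" section and for the same bytes after zlib compression, which stands in for a packer's payload, and pairs it with a cheap marker check for the `UPX!` magic and `UPX0` section name that stock UPX leaves in place unless deliberately scrubbed. The sample text, vocabulary and the 7.0 bits-per-byte threshold are assumptions for this demo.

```python
import math
import random
import zlib
from collections import Counter


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for one repeated value, 8.0 for a uniform spread."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_upx_packed(data):
    """Marker check: stock UPX keeps its 'UPX!' magic and UPX0/UPX1 section names."""
    return b"UPX!" in data or b"UPX0" in data


def triage(data, threshold=7.0):
    """Combine the entropy and marker signals into one verdict dictionary."""
    h = shannon_entropy(data)
    return {
        "entropy": round(h, 2),
        "high_entropy": h >= threshold,
        "upx_marker": looks_upx_packed(data),
    }


def sample_program_text(words=2000, seed=42):
    """Deterministic constructed stand-in for an unpacked code/data section."""
    vocab = ["mov", "push", "call", "ret", "jmp", "cmp", "lea", "xor",
             "eax", "ebx", "rsp", "rbp", "0x10", "license", "valid", "error"]
    rng = random.Random(seed)
    return " ".join(rng.choice(vocab) for _ in range(words)).encode()


if __name__ == "__main__":
    plain = sample_program_text()
    packed = zlib.compress(plain, 9)  # stands in for a packer's compressed payload
    print("plain  ", triage(plain))
    print("packed ", triage(packed))
    print("upx-ish", triage(b"UPX!" + packed))
```

Entropy alone cannot tell compression from encryption or from embedded media, so it is a hint for where to look, and the marker check fails the moment the packer is modified; the two together still sort most samples quickly.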

Mangling

Compilers encode namespaces and parameter types into library symbol names, so functions that share the same name end up as distinct symbols

c++filt
_ZNSt7__cxx1114collate_bynameIcEC2ERKNS_12basic_stringIcSt11char_traitsIcESaIcEEEm
std::__cxx11::collate_byname::collate_byname(std::__cxx11::basic_string, std::allocator > const&, unsigned long)
Online Demangler
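To show what `c++filt` undoes, here is an added example (not part of the talk and not a replacement for `c++filt`) of a toy demangler for the simple subset of the Itanium C++ ABI: `_Z`, length-prefixed names, `N...E` nested names with `St` for `std::`, the builtin type codes, and the `P`, `R` and `K` modifiers. Templates and back-reference substitutions are out of scope, so the slide's `collate_byname` symbol raises `ValueError` here and still needs the real tool. The symbols in the usage block are constructed for this demo.

```python
# Builtin type codes of the Itanium C++ ABI (the subset seen most often).
BUILTIN = {
    "v": "void", "b": "bool", "c": "char", "a": "signed char",
    "h": "unsigned char", "s": "short", "t": "unsigned short",
    "i": "int", "j": "unsigned int", "l": "long", "m": "unsigned long",
    "x": "long long", "y": "unsigned long long", "f": "float",
    "d": "double", "e": "long double", "z": "...",
}


def _source_name(sym, i):
    """Parse <length><identifier>, e.g. '4hash' -> 'hash'."""
    j = i
    while j < len(sym) and sym[j].isdigit():
        j += 1
    if j == i:
        raise ValueError(f"expected a length at offset {i} in {sym!r}")
    n = int(sym[i:j])
    return sym[j:j + n], j + n


def _nested_name(sym, i):
    """Parse N ... E, a '::'-qualified name; 'St' abbreviates std::."""
    i += 1  # skip 'N'
    parts = []
    while sym[i] != "E":
        if sym.startswith("St", i):
            parts.append("std")
            i += 2
        else:
            name, i = _source_name(sym, i)
            parts.append(name)
    return "::".join(parts), i + 1  # skip 'E'


def _type(sym, i):
    """Parse one parameter type with P (pointer), R (reference), K (const)."""
    c = sym[i]
    if c == "P":
        inner, i = _type(sym, i + 1)
        return inner + "*", i
    if c == "R":
        inner, i = _type(sym, i + 1)
        return inner + "&", i
    if c == "K":
        inner, i = _type(sym, i + 1)
        return inner + " const", i
    if c in BUILTIN:
        return BUILTIN[c], i + 1
    if c == "N":
        return _nested_name(sym, i)
    if c.isdigit():
        return _source_name(sym, i)
    raise ValueError(f"unsupported type code {c!r} at offset {i} in {sym!r}")


def demangle(sym):
    """Demangle a simple Itanium-ABI symbol; names without _Z are C symbols and pass through."""
    if not sym.startswith("_Z"):
        return sym
    i = 2
    if sym[i] == "N":
        name, i = _nested_name(sym, i)
    elif sym.startswith("St", i):
        inner, i = _source_name(sym, i + 2)
        name = "std::" + inner
    else:
        name, i = _source_name(sym, i)
    if i == len(sym):
        return name  # a data symbol carries no parameter list
    params = []
    while i < len(sym):
        t, i = _type(sym, i)
        params.append(t)
    if params == ["void"]:
        params = []  # f(void) is printed as f()
    return f"{name}({', '.join(params)})"


if __name__ == "__main__":
    # Constructed symbols for the demo.
    for s in ["_Z4hashPKcm", "_ZN3app7License5checkERKi", "_Z3runv", "_ZSt4cout", "strcmp"]:
        print(f"{s:32} -> {demangle(s)}")
```

Reading the parameter types out of a mangled name is itself a triage trick: a function taking `char const*` and `unsigned long` looks like a hash or comparison routine before a single instruction has been read.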

Code Elements

  • Adding Unnecessary Instructions
  • Changing Control Flows
  • Protecting Data

Convoluted Code

Deobfuscation Tools

The End