If successfully exploited, the attacks give the hacker complete control over the database server operating system, file system and the rest of the internal network machines.
A security researcher plans to demonstrate attacks that use SQL injection as a stepping stone to take full control of database servers at the upcoming Black Hat Europe conference.
Security researcher Bernardo Damele Assumpcao Guimaraes plans to explore ways SQL injection can be used in a multistage attack to threaten internal networks at the conference later this month.
The presentation will focus on how to exploit a single vulnerability in a Web application to get complete control of the database server and endanger the internal network as a whole, he explained.
“The vulnerability itself can be considered as a stepping stone to the actual target, which is the complete control of its server, either operating system, file system or the rest of the internal network machines,” he said. “Once the attacker detects a SQL injection flaw on the Web application, he can manipulate the SQL statement that is passed from the application to the database server, which is then executed. By abusing some database design flaws and functionalities it is possible for an attacker to perform a multistage attack to get complete control over the database server operating system, file system and internal network.”
The presentation will cover MySQL, PostgreSQL and Microsoft SQL Server running on either Linux or Windows in combination with the PHP, ASP and ASP.Net Web application programming languages.
Among other things, the attacks will demonstrate how to access files on the database’s underlying file system and operating system memory protection bypass.
As is standard at Black Hat conferences, the security researcher will also be releasing a tool – in this case, a new version of sqlmap – that can be used to launch these attacks as well as an exploit for a vulnerability affecting Microsoft SQL Server that was patched in February. A whitepaper on the hacks is forthcoming as well.
In general, to protect themselves against SQL injection, enterprises should look to harden their database servers properly as well as maintain a commitment to the security development lifecycle, he said. They should also look to implement well-configured Web Intrusion Prevention System solutions based on anomaly detection, the researcher added.
“There is still not enough attention in the software development lifecycle to security,” he said. “It’s an easy-to-detect flaw and can easily lead to data exfiltration and manipulation… a lot has been said on this specific vulnerability, but not all of the aspects and implications have been uncovered yet.”
The Black Hat Europe conference will be held in Amsterdam from 14-17 April.