
SQL Injection Attack Helps Hack OS

Multi-step hack using SQL injection provides interactive, GUI access to OS

May 20, 2008 | 09:35 AM

By Kelly Jackson Higgins
DarkReading

SQL injection isn’t just for hacking databases and Web apps -- the pervasive flaw can serve as a stepping stone to the operating system as well, a European researcher has found.

Alberto Revelli, senior penetration tester for Portcullis Computer Security, on Thursday at EUSecWest in London will demonstrate a multi-step hack using SQL injection that ultimately gives an attacker interactive, GUI access to the underlying OS.

Revelli, also known as "icesurfer," points out that database management systems today come with tools and features that hook directly into the OS and to the network. “This means that if I can attack a Web application through a SQL injection, I am not limited to accessing the data stored on the database, but I can try to get interactive access to the host where the DBMS resides,” he says.

His hack combines a SQL injection attack, evasion of the IPS and Web application firewall, and brute-forcing of the system administrator password using the database server’s own CPU resources; the Web app serves only as the initial stage of the attack. “The Web application in these cases is a sort of stepping stone to the actual target, which is the host where the DBMS is deployed,” says Revelli, who is keeping some of the details under wraps until giving his presentation at EUSec.

The hack lets the attacker issue commands on the compromised system and see the results of those commands as well, he says. “Usually, this kind of attack results in a DOS prompt, which is not very powerful. My idea is that it's possible to go further and, in a lot of cases, obtain graphical access to the desktop of the remote DB server."

Revelli will use examples of Microsoft’s SQL Server in the demo, but says the attack would apply to all database technologies. And the weaknesses aren’t just in the database software -- the Web application, firewall rule sets, and other configurations also make it possible, he says. “Each of the 'building blocks' that constitute the attack exploits a weakness or a misconfiguration of a different part of the infrastructure,” he says.

Once the attacker gains remote access to the database, he can look at files, grab data, shut down the database, or even hack deeper into the network, he says.

Revelli also plans to release a new version of his Sqlninja tool this week, which he’ll use in his demo.

Defending against this database/OS hack requires a combination of things, including instituting least privilege rights, defense in depth, and designing the network and Web apps with security in mind, Revelli says.

“The key point is that when assessing the risk to which a network is exposed, we should consider SQL injection not only a threat to the data stored on the database, but also to the network as a whole."
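The flaw the story turns on, and the first of the defenses Revelli lists, can be shown side by side. The following is an added example written for this page; it is not code from Revelli, Sqlninja, or Dark Reading. It assumes Python's built-in sqlite3 module and a constructed `users` table; the query built by string concatenation is the weak pattern, and the parameterized query beside it is the corrected one, with the same crafted input run through both so the difference is visible.

```python
import sqlite3

# Constructed sample data for this example (not from the article).
SAMPLE_USERS = [
    (1, "alice", "alice@example.test"),
    (2, "bob", "bob@example.test"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, name):
    # Weak pattern: the statement text is assembled from user input, so the
    # input can change the SQL grammar itself. This is the class of bug the
    # article describes as the entry point to the DBMS host.
    sql = "SELECT id, name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    # Corrected pattern: the input is bound as a parameter and reaches the
    # engine as data only; it can never alter the statement's structure.
    sql = "SELECT id, name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name):
    """Run one input through both lookups; returns (vulnerable_rows, safe_rows)."""
    conn = make_db()
    try:
        return lookup_vulnerable(conn, name), lookup_parameterized(conn, name)
    finally:
        conn.close()


if __name__ == "__main__":
    # A benign name behaves identically in both versions.
    print(compare("alice"))
    # A tautology of the kind a scanner sends: the concatenated query returns
    # every row, the parameterized query returns none (no user has that name).
    print(compare("' OR '1'='1"))
```

Parameterization removes the stepping stone the article describes; least privilege for the database account used by the Web app (no administrative role, no access to OS-facing features it does not need) limits what remains reachable if a query is ever built unsafely elsewhere.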
