These days SQL injection vulnerabilities may seem like a dime a dozen, but creative penetration testers and attackers continue to come up with new ways to take advantage of this vulnerability class that developers persist in allowing to linger like a bad cold. Last month at BSides Las Vegas, a pair of researchers from FishNet Security demonstrated that type of creativity with a new SQL injection attack technique against websites that serve up binary file content like PDFs from dynamically built URLs.

Their methods give attackers the means to stealthily extract data and serve up hidden malware by attacking SQL injection vulnerabilities on these types of sites -- even if the back-end database serving up content to the Web application is hardened in every other way.

The technique they developed was precipitated by a real-world penetration test and code review conducted by Shawn Asmus and Kristov Widak, security consultants for FishNet Security, against a customer Web application that was designed to retrieve stored PDFs within a database and return them as a Web page. Asmus and Widak found that through a SQL vulnerability and some pretty big configuration problems -- passwords stored that were hashed but not salted, wide-open table permissions, and the like -- attacks starting with the SQL injection yielded the ability to not only extract data from the database, but also write to it.

"So [there was] major ownage," Asmus said. "We could execute XP command shell, upload a Webshell to the Webserver, get root access and all that."

Following that penetration test, though, Asmus said he felt his "Spidey sense" tingle about applications similar to that one that returned binary files like PDFs. The question he and Widak posed to themselves was how SQL injection could be used against such applications even when configuration mistakes weren't made.

"We wondered, 'What if the Web server was hardened? What if those tables were read-only? What could an attacker really get away with or do to make the application respond in a way he or she wanted?'" Asmus says.

The answer was, quite a lot. SQL injection-prone sites returning PDFs could be a treasure trove for attackers, particularly due to the forgiving nature of PDF syntax, Widak said.

"You can mangle all kinds of stuff and still get it to render in your reader," he says, explaining that if an attacker is able to inject things into the PDF data stream, and the syntax allows rendering anyhow, there are a number of opportunities to do harm.

The three main ways Asmus and Widak found that a PDF could be manipulated with the technique were to inject JavaScript into a PDF, to inject static text or hidden text into the PDF content stream -- including the results of database queries, and finally the attacker could also replace the whole PDF being returned with a brand new maliciously crafted PDF. During the presentation, they demonstrated how techniques like these could use JavaScript to pop up the calculator application or redirect to a unique website when PDFs were rendered by a test application.

The impact of these attack scenarios is that a hacker could perform data exfiltration through social engineering or simply deliver malicious payloads through the application vulnerable to SQL injection.

"So the root cause is still the same -- you've got SQL injection in your website and you need to fix it -- but the impact is what may be different," Asmus warns.

Though the attacks were against Microsoft SQL databases, the technique would be adaptable to other database syntaxes, Asmus and Widak said. They also believe that it could be used against Web applications that deliver other content types beyond PDF. At the show they announced a tool to help spot these kind of vulnerabilities, called SQL Squirrel.

"Currently all of the attacks that the tool is performing are based on returning a PDF," Widak said. "In the future we'll be looking to extend that to other kinds of content types as well."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.