SQL Injection Attack Helps Hack OS
Multi-step hack using SQL injection provides interactive, GUI access to OS
SQL injection isn’t just for hacking databases and Web apps -- the pervasive flaw can serve as a stepping stone to the operating system as well, a European researcher has found.
Alberto Revelli, senior penetration tester for Portcullis Computer Security, on Thursday at EUSecWest in London will demonstrate a multi-step hack using SQL injection that ultimately gives an attacker interactive, GUI access to the underlying OS.
Revelli, also known as "icesurfer," points out that database management systems today come with tools and features that hook directly into the OS and to the network. “This means that if I can attack a Web application through a SQL injection, I am not limited to access the data stored on the database, but I can try to get an interactive access to the host where the DBMS resides,” he says.
His hack uses the Web app as the initial stage of the attack. It combines SQL injection with IPS and Web application firewall evasion, and with brute-force hacking of the system administrator password using the database’s CPU resources. “The Web application in these cases is a sort of stepping stone to the actual target, which is the host where the DBMS is deployed,” says Revelli, who is keeping some of the details under wraps until giving his presentation at EUSec.
The hack lets the attacker issue commands on the compromised system and see the results of the attack as well, he says. “Usually, this kind of attack results in a DOS prompt, which is not very powerful. My idea is that it's possible to go further and, in a lot of cases, obtain a graphical access on the desktop of the remote DB server.”
Revelli will use examples of Microsoft’s SQL Server in the demo, but says the attack would apply to all database technologies. And the weaknesses aren’t just in the database software -- the Web application, firewall rule sets, and other configurations also make it possible, he says. “Each of the 'building blocks' that constitute the attack exploits a weakness or a misconfiguration of a different part of the infrastructure,” he says.
Once the attacker gains remote access to the database, he can look at files, grab data, shut down the database, or even hack deeper into the network, he says.
Revelli also plans to release this week a new version of his Sqlninja hacking tool, which he’ll use in his demo.
Defending against this database/OS hack requires a combination of things, including instituting least privilege rights, defense in depth, and designing the network and Web apps with security in mind, Revelli says.
“The key point is that when assessing the risk to which a network is exposed, we should consider SQL injection not only a threat to the data stored on the database, but also to the network as a whole.”