DarkReading.com
New tool to be unleashed at Amsterdam conference uses SQL injection to gain a foothold into the underlying database server
By Kelly Jackson Higgins - DarkReading
A researcher at Black Hat Europe this month will demonstrate a new hack that uses SQL injection as a stepping stone to take control of a database server.
"SQL injection becomes a stepping stone to the real target: the operating system," says Bernardo Damele Assumpcao Guimaraes, an IT security engineer based in London. "I will focus on exploiting SQL injection in a Web application to get control over the underlying OS," in addition to the database software, says the researcher, who goes by the surname Damele.
SQL injection is a popular attack vector in Web applications (Editor's Note: 450,000 Attacks PER DAY!), mainly because it's one of the most common flaws found in these apps. Web application SQL injection attacks typically target client browsers, infecting them when the victim visits a compromised Website. Another SQL injection attack is on the database itself, via a Web application carrying that vulnerability.
But Damele's new hack kicks SQL injection up a notch, using it as a first level of attack to gain control of the database server itself, as well as any systems connected to it. That includes other servers in the same LAN, plus the data in the database itself. His attack goes after MySQL, Microsoft's SQL Server, and PostgreSQL running on Windows or Linux servers. "[This] possible scenario of attack for a SQL injection is the most overlooked and [under]researched," he says.
In one attack demo, Damele will show how to exploit a buffer overflow flaw in the database software by injecting valid SQL code. He has a few other attacks up his sleeve for Black Hat, too: "I will demonstrate other possible techniques to exploit other Windows design flaws to escalate privileges via a SQL injection," he says. "The idea is to take advantage of some of the design weaknesses of the database management system, and combine it with [weaknesses] in the programming development of the Web app to execute arbitrary code, upload binary infection files, and carry out also buffer overflow exploitation."
Editor's Note: Again I have to ask...when people's PINs are eventually obtained due to inherent weaknesses in ALL software, who has the liability? 'Cause it's going to be one hell of an expensive breach...who pays the bill?
The consumers? No, they just get to go through two weeks of hell...
The merchants? They'll lose their cost of goods bought with the fake transactions, but I don't think that hackers will be wasting their time buying goods when they can go straight to the ATM and get CASH.
If they go straight to the ATMs, the banks lose the cash, but then do they go after the EFT Networks to get it back? It'll be one mell of a hess when it (or, I suppose, in "fairness" I should say "if" it) happens...