{"id":3557,"date":"2013-07-16T08:47:37","date_gmt":"2013-07-16T07:47:37","guid":{"rendered":"http:\/\/andreas-wolter.com\/vortrag-sql-server-sicherheit-sql-attack-ed\/"},"modified":"2017-11-20T17:23:55","modified_gmt":"2017-11-20T16:23:55","slug":"security-session-sql-attack-ed","status":"publish","type":"post","link":"https:\/\/andreas-wolter.com\/en\/security-session-sql-attack-ed\/","title":{"rendered":"Security Session \u201eSQL Attack..ed\u201c \u2013 Attack scenarios on SQL Server (&#8220;Hacking SQL Server&#8221;)"},"content":{"rendered":"\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-av_heading-ab8b6c071f4f5f48306e652e897a315c\">\n#top .av-special-heading.av-av_heading-ab8b6c071f4f5f48306e652e897a315c{\npadding-bottom:10px;\n}\nbody .av-special-heading.av-av_heading-ab8b6c071f4f5f48306e652e897a315c .av-special-heading-tag .heading-char{\nfont-size:25px;\n}\n.av-special-heading.av-av_heading-ab8b6c071f4f5f48306e652e897a315c .av-subheading{\nfont-size:15px;\n}\n<\/style>\n<div  class='av-special-heading av-av_heading-ab8b6c071f4f5f48306e652e897a315c av-special-heading-h3 blockquote modern-quote  avia-builder-el-0  el_before_av_textblock  avia-builder-el-first '><h3 class='av-special-heading-tag'  itemprop=\"headline\"  >Security Session <span class='special_amp'>\u201e<\/span>SQL Attack..ed<span class='special_amp'>\u201c<\/span><\/h3><div class='av-subheading av-subheading_below'><p>\u2013 Attack scenarios on SQL Server (&#8220;Hacking SQL Server&#8221;)<\/p>\n<\/div><div class=\"special-heading-border\"><div class=\"special-heading-inner-border\"><\/div><\/div><\/div>\r\n\r\n<section  class='av_textblock_section av-av_textblock-2de302bf1aa3cf4c9157dbe6f50ac7eb '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p>At this year\u2019s <a href=\"http:\/\/sqlsaturday.com\/230\/\" target=\"_blank\" rel=\"noopener\">SQLSaturday<\/a> 
in Germany I presented one of my sessions again, in which I concentrate on \u201cattack\u201d. For me, it was a great opportunity to dive deep into SQL Server Security and several penetration-test tools, and to explore SQL Server for pitfalls and security configuration. In the end I had a long list of possible demonstrations. <!--more-->Among them is a just recently developed DoS attack via SQL Injection (at least I did not find any hint of a description of this kind of attack anywhere, nor did I get an answer to my inquiries), as well as a \u201cprivilege elevation\u201d, which in this form seems to be quite unknown as well. \u2013 Everything is done just by exploiting customized settings and not by weaknesses in the engine (!).<\/p>\n<p>Since there are barely any noteworthy sessions on this topic specifically for SQL Server in Germany (even at the Summits in the US I tended to be quite alone with my sessions on security), and I enjoy this topic a lot, I have decided to collect all <u>possible<\/u> topics here. I will not only present them at upcoming conferences in Europe or the US, but I am also offering these to the regional chapter leaders in Germany \u00a0\u2013 \u201chelp yourself\u201d &#8211; style \ud83d\ude42<\/p>\n<\/div><\/section>\r\n\r\n\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-av_textblock-95bed5ec9a067e36747f807e99517494\">\n#top .av_textblock_section.av-av_textblock-95bed5ec9a067e36747f807e99517494 .avia_textblock{\nfont-size:10px;\n}\n<\/style>\n<section  class='av_textblock_section av-av_textblock-95bed5ec9a067e36747f807e99517494 '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p>After all, in a single evening one can probably cover at most a third of the possible topics. 
\u2013 And with that I am passing the agony of choice on to my fellow regional chapter leaders \ud83d\ude09<\/p>\n<\/div><\/section>\r\n\r\n<section  class='av_textblock_section av-av_textblock-2de302bf1aa3cf4c9157dbe6f50ac7eb '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p>Session Description:<\/p>\n<p>SQL Server is considered &#8220;secure by default&#8221;, but one of the most often successfully attacked targets is the data that resides in a Database Server. Most of the exploited weaknesses in a SQL Server environment are due to misconfiguration, weak security settings or inadequate coding practices.<\/p>\n<p>In this purely demo-based security session, I show several attack scenarios on different layers. By special request this includes some special SQL Injection types. Furthermore, I show how an elevation of privileges attack is possible due to a not uncommon configuration, as well as an \u201cinsider-exploit\u201d with a database rootkit.<\/p>\n<p>Note that in this kind of session I do not give instructions on \u201chow to hack\u201d; rather, I highlight common weaknesses &#8211; \u201cwhat can happen and under which circumstances\u201d.<\/p>\n<p>(Almost) no slides: just Demos Demos Demos<\/p>\n<p>Contents<\/p>\n<p>(Web)Application Layer<\/p>\n<ul>\n<li>My form and the WAF don\u2019t let anything pass through \u2013 or do they?\n<ul>\n<li>Standard SQL Injection<\/li>\n<li>Blind \/ Error-based \/ Time-based SQL Injection, Encoding Injection<\/li>\n<li>2nd Order SQL Injection<\/li>\n<li>Privilege Escalation via SQL Injection and trustworthy<\/li>\n<li>automated attacks using tools, further \u201cfeatures\u201d<\/li>\n<li>\u201ccase of the unkillable transaction\u201d &#8211; DoS Attack via SQL Injection<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li><a 
href=\"http:\/\/www.insidesql.org\/blogs\/andreaswolter\/2014\/01\/sql-server-row-and-cell-level-security-disclosure-vulnerability\" target=\"_blank\" rel=\"noopener\">SQL Server Row- and Cell-Level Security \u2013 Disclosure vulnerability<\/a><\/li>\n<li>XML Bomb<\/li>\n<li>A bit of fun with collation\n<ul>\n<li>Tables without a name? Or no tables at all?<br \/>\n\u201cguaranteed unique objectnames\u201d \ud83d\ude09<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/div><\/section>\r\n\r\n\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-av_image-f45d411c1368cde5748018866686ffdc\">\n.avia-image-container.av-av_image-f45d411c1368cde5748018866686ffdc img.avia_image{\nbox-shadow:none;\n}\n.avia-image-container.av-av_image-f45d411c1368cde5748018866686ffdc .av-image-caption-overlay-center{\ncolor:#ffffff;\n}\n<\/style>\n<div  class='avia-image-container av-av_image-f45d411c1368cde5748018866686ffdc av-styling- avia-align-center  avia-builder-el-4  el_after_av_textblock  el_before_av_textblock '   itemprop=\"image\" itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/ImageObject\" ><div class=\"avia-image-container-inner\"><div class=\"avia-image-overlay-wrap\"><img decoding=\"async\" class='wp-image-3551 avia-img-lazy-loading-not-3551 avia_image ' src=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1307_unknown_Tables.png\" alt='' title='1307_unknown_Tables'  height=\"280\" width=\"193\"  itemprop=\"thumbnailUrl\"  \/><\/div><\/div><\/div>\r\n\r\n<section  class='av_textblock_section av-av_textblock-2de302bf1aa3cf4c9157dbe6f50ac7eb '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p>Inside the Network<\/p>\n<ul>\n<li>Reconnaissance: Detecting SQL Server Instances<\/li>\n<li>SQL authentication\n<ul>\n<li>Watching SQL Traffic (Login + Select)<\/li>\n<li>Cracking Passwords \u2013 possible? 
How?<\/li>\n<li>Reading passwords from memory<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/div><\/section>\r\n\r\n<section  class='av_textblock_section av-av_textblock-2de302bf1aa3cf4c9157dbe6f50ac7eb '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p><a href=\"http:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1307_SQL_Netmon_Capture.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-3552\" src=\"http:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1307_SQL_Netmon_Capture.png\" alt=\"\" width=\"780\" height=\"206\" srcset=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1307_SQL_Netmon_Capture.png 780w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1307_SQL_Netmon_Capture-600x158.png 600w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1307_SQL_Netmon_Capture-300x79.png 300w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1307_SQL_Netmon_Capture-768x203.png 768w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1307_SQL_Netmon_Capture-705x186.png 705w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1307_SQL_Netmon_Capture-450x119.png 450w\" sizes=\"auto, (max-width: 780px) 100vw, 780px\" \/><\/a><\/p>\n<p>Network Monitor TDS frame capture<\/p>\n<\/div><\/section>\r\n\r\n<section  class='av_textblock_section av-av_textblock-2de302bf1aa3cf4c9157dbe6f50ac7eb '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p>Server &#038; database-Level \u2013 attacks from inside, Part 1: evil Consultant<\/p>\n<ul>\n<li>What a consultant can leave behind\n<ul>\n<li>Automated install of a SQL Server rootkit<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li>\u201eWhen the guest switches the party\u201c\n<ul>\n<li>Circumventing denies by \u201c<a 
href=\"http:\/\/www.vb-magazin.de\/forums\/blogs\/andreaswolter\/archive\/2010\/09\/24\/security-issue-developer-with-dbo-db-owner-role-can-use-guest-to-connect-to-other-databases.aspx\" target=\"_blank\" rel=\"noopener\">guest-guest-impersonation<\/a>\u201c \u2013 first shown at PASS Summit 2010 in Seattle \ud83d\ude42<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Server &#038; database-Level \u2013 attacks from inside, Part 2: evil Developer<\/p>\n<ul>\n<li>\u201eKnow your rights\u201c<\/li>\n<\/ul>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>Transfer-Schema Attack \u2013 first shown at PASS Summit 2010 in Seattle \ud83d\ude42<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li>\u00a0\u201eEverything belongs to me\u201c \u2013 does it?<\/li>\n<\/ul>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>Database-ownership-chaining<\/li>\n<li>Db_owner underestimated &#038; exploited<\/li>\n<li>Schema-ownership-chaining<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/div><\/section>\r\n\r\n<section  class='av_textblock_section av-av_textblock-2de302bf1aa3cf4c9157dbe6f50ac7eb '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p>Recent Security Reports:<\/p>\n<ul>\n<li>Data Breach Investigations\u00a0Report\n<ul>\n<li><a href=\"http:\/\/www.verizonenterprise.com\/DBIR\/2013\/\" target=\"_blank\" rel=\"noopener\">http:\/\/www.verizonenterprise.com\/DBIR\/2013<\/a><a href=\"http:\/\/www.verizonenterprise.com\/DBIR\/2013\/\" target=\"_blank\" rel=\"noopener\">\/<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li>White Hat \u2013 Website Security Statistics Report, May 2013\n<ul>\n<li><a href=\"http:\/\/www.slideshare.net\/duncant75\/whitehat-security-website-security-statistics-report-may-2013\" target=\"_blank\" rel=\"noopener\">http:\/\/<\/a><a href=\"http:\/\/www.slideshare.net\/duncant75\/whitehat-security-website-security-statistics-report-may-2013\" target=\"_blank\" 
rel=\"noopener\">www.slideshare.net\/duncant75\/whitehat-security-website-security-statistics-report-may-2013<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>PASS Essential <span id=\"dnn_ctr1070_dnnTITLE_titleLabel\" class=\"Contitle_Transparent\">&#8220;SQL Server 2012 Database-Security, Best Practices &#038; Pitfalls<\/span>&#8221;<\/p>\n<ul>\n<li>25 Sept. 2013, D\u00fcsseldorf<a href=\"http:\/\/www.sqlpass.de\/Portals\/0\/PassEssentials\/2013-09-25_PE_AWO_Datenbank-Sicherheit_Datenblatt_web.pdf\" target=\"_blank\" rel=\"noopener\"><br \/>\nwww.sqlpass.de\/Portals\/0\/PassEssentials\/2013-09-25_PE_AWO_Datenbank-Sicherheit_Datenblatt_web.pdf<\/a><\/li>\n<\/ul>\n<p>Security Workshops, November 2013:<\/p>\n<ul>\n<li><a href=\"http:\/\/www.sarpedonqualitylab.com\/SQL_Master-Classes.htm\" target=\"_blank\" rel=\"noopener\">Security workshop (SID) for SQL Server developers<\/a> (1 day) &#8220;The foundation for a secure backend: from execution context to encryption.&#8221; Frankfurt am Main, 21 Nov. 2013<\/li>\n<li><a href=\"http:\/\/www.sarpedonqualitylab.com\/SQL_Master-Classes.htm\" target=\"_blank\" rel=\"noopener\">Security workshop (SIA) for SQL Server administrators<\/a> (1 day) &#8220;System security for SQL Server: from authentication to security monitoring.&#8221; Frankfurt am Main, 2 Dec. 
2013<\/li>\n<\/ul>\n<p>enjoy and until soon &#8211; in your regional chapter, in your company, at a SQL Server Master-Class or at some conference &#8211; just say hello if you see me<\/p>\n<p>Andreas<\/p>\n<\/div><\/section>\r\n\r\n\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-av_one_full-97c650ae075063b375f558a776c570f8\">\n#top .flex_column.av-av_one_full-97c650ae075063b375f558a776c570f8{\nmargin-top:40px;\nmargin-bottom:40px;\n}\n.flex_column.av-av_one_full-97c650ae075063b375f558a776c570f8{\nborder-radius:0px 0px 0px 0px;\npadding:0px 0px 0px 0px;\n}\n.responsive #top #wrap_all .flex_column.av-av_one_full-97c650ae075063b375f558a776c570f8{\nmargin-top:40px;\nmargin-bottom:40px;\n}\n<\/style>\n<div  class='flex_column av-av_one_full-97c650ae075063b375f558a776c570f8 av_one_full  avia-builder-el-9  el_after_av_textblock  el_before_av_hr  first flex_column_div av-zero-column-padding  column-top-margin'     ><section  class='av_textblock_section av-av_textblock-2de302bf1aa3cf4c9157dbe6f50ac7eb '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><div><\/div>\n<div><\/div>\n<\/div><\/section><\/div>\r\n\r\n<div  class='hr av-av_hr-0ff602b3e980a3377077ff3c1c834df6 hr-default  avia-builder-el-11  el_after_av_one_full  el_before_av_social_share '><span class='hr-inner '><span class=\"hr-inner-style\"><\/span><\/span><\/div>\r\n\r\n","protected":false},"excerpt":{"rendered":"At this year\u2019s SQLSaturday in Germany I have shown one of my sessions again, in which I concentrate on \u201cattack\u201d. 
For me a great opportunity to dive deep into SQL Server Security and several penetration-test-tool, and to explore SQL Server for pitfalls and security configuration. At the end I had a long list of possible [&hellip;]","protected":false},"author":4,"featured_media":3696,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[97,57,66,64],"tags":[260,245,246],"class_list":["post-3557","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-conferences-en","category-security-en","category-seminare","category-sqlpass-en","tag-hacking-en","tag-session-en","tag-vortrag-en"],"_links":{"self":[{"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/posts\/3557","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/comments?post=3557"}],"version-history":[{"count":5,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/posts\/3557\/revisions"}],"predecessor-version":[{"id":3560,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/posts\/3557\/revisions\/3560"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/media\/3696"}],"wp:attachment":[{"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/media?parent=3557"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/categories?post=3557"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/tags?post=3557"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}