Thus far, SQL injection has focused on altering data within the database, rather than attacking the underlying operating system. But researcher Bernardo Damele Assumpcao Guimaraes will be upgrading his SQLmap tool with functionality to execute arbitrary code on a database server.
"Modern database management systems are very powerful applications. They have built-in stored procedures and functions to read or write functions on the systems," Damele said. "They are not always enabled, but they can be re-enabled by attackers."
"In other cases, you can abuse some 'create function' privileges," he added. "By abusing that privilege, you can create any function from C source code. Having access to the C source code, you can write it to do whatever you want at a low level."
Damele will demonstrate three techniques. He will show how SQL injection on SQL Server 2000 and 2005 can be used to exploit a known buffer overflow bug in SQL Server that has already been patched by Microsoft.
A separate privilege escalation attack based on abuse of Windows Access Tokens renders SQL Server 2005 and 2008 vulnerable, alongside MySQL under certain circumstances.
Finally, he will unveil a third technique that he is keeping quiet until the event, but which involves file system access, and which will enable arbitrary command execution. That mystery attack will affect MySQL and Postgres.
"With any of these vectors, what you get is a full duplex connection, out of bounds. Using that tunnel, you can inject a shell connection, or a terminal service-like connection, which is a virtual network connection, or you can use meterpreter," said Damele. Meterpreter is an exploit contained in the Metasploit framework.
Damele warned administrators to be careful when setting and maintaining account privileges on their database implementations.
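To make that warning concrete, here is an added audit (not part of the article, and not SQLmap's own code) that checks each of the DBMSs named above for the settings and privileges the described techniques depend on: re-enabled OS-reaching procedures on SQL Server, file-writing and routine-creation privileges on MySQL, and superuser roles or user-defined C functions on PostgreSQL. Each section is assumed to be run separately, on its own DBMS, from a DBA account; the object names are the standard system catalogs of those products.

```sql
-- ===== SQL Server 2005/2008: which host-reaching features are switched on? =====
-- Any row with value_in_use = 1 needs a written justification; these are
-- the built-in paths from T-SQL to the operating system.
SELECT name, value_in_use
FROM   sys.configurations
WHERE  name IN ('xp_cmdshell', 'Ole Automation Procedures', 'clr enabled');

-- Logins that could re-enable those features via sp_configure.
-- An application login should not appear here.
SELECT r.name AS server_role, m.name AS member_login
FROM   sys.server_role_members rm
JOIN   sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN   sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE  r.name IN ('sysadmin', 'serveradmin');

-- ===== MySQL: who may write server-side files or create routines? =====
-- FILE, CREATE ROUTINE and SUPER are the privileges behind file-system
-- access and native (C) function loading; application accounts need none.
SELECT User, Host, File_priv, Create_routine_priv, Super_priv
FROM   mysql.user
WHERE  File_priv = 'Y' OR Create_routine_priv = 'Y' OR Super_priv = 'Y';

-- Directory that file-writing statements are confined to; empty = unrestricted.
SHOW VARIABLES LIKE 'secure_file_priv';

-- Native functions already registered on this server: each should be known.
SELECT name, dl FROM mysql.func;

-- ===== PostgreSQL: superusers and user-defined C-language functions =====
-- Only superusers may define C functions or read/write server files,
-- so the application role must not be one.
SELECT rolname FROM pg_roles WHERE rolsuper;

-- Functions written in C outside the system schemas: each is custom native code.
SELECT n.nspname, p.proname, p.probin
FROM   pg_proc p
JOIN   pg_language  l ON l.oid = p.prolang
JOIN   pg_namespace n ON n.oid = p.pronamespace
WHERE  l.lanname = 'c'
  AND  n.nspname NOT IN ('pg_catalog', 'information_schema');
```

Treat every row these queries return as a finding to reconcile against what the application actually requires; a web application's database account should normally trigger none of them.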