Trying to keep up with all of the possible attack vectors and decreasing your attack surface is like trying to eat Minute Rice with chopsticks. It's a full-time job! I used to blame a lot of attacks on PHP because it deserves it. I think PHP sucks at recursion and I just do not believe the threads are safe at all. But truth be told... SQL injections have really been beating me to death lately, and on the flip side, I have been using them against targets for pen testing like a frat boy pounding 'em down on nickel beer night. SQL injections are fast becoming the preferred remote access method for hackers today.

Basically, a SQL injection is kinda like telling your manager wrong information to get correct info. For example:

Dude 1: "Hey man, I heard that Hank got promoted to Director"
Manager: "What! I was just told by the VP he is getting demoted"

Vanity, it's my favorite sin.... A SQL injection is the same thing, but instead of vanity or jealousy it's called lack of input validation. Let's say I want to know a username and password to log in to the DB. How about just telling the SQL server to ignore the password? You can try this SQL injection 101 query string:

$sql_query = "select * from users where user='admin' or '1'='1' and password='$pass'"

All the attacker typed into the username field was admin' or '1'='1. Because AND binds tighter than OR, the WHERE clause now reads user='admin' OR ('1'='1' AND password='...'), so the admin row comes back no matter what password was sent.

Now, this is very old school and taught to budding hackers before they learn the secret handshake to the clubhouse. Since SQL injections use the SQL query language itself to mine tables, a hacker's combinations here are nearly endless. See http://www.1keydata.com/sql/sql.html for the language and, of course, a playground at http://ha.ckers.org/sqlinjection/

You know that little "I forgot my password" email applet?
That info is all stored in a SQL server record somewhere, and just possibly, I can get the SQL server to email me the username and password of an account I know about:

SELECT email, passwd, login_id, full_name FROM members WHERE email = 'x'; UPDATE members SET email = 'jimmyray@twtv.nu' WHERE email = 'robb@dallas.com';

The first statement is the applet's own lookup; everything after the semicolon rode in through the email field. Once robb's record points at my address, I ask for a reminder for that address and out comes:

From: majordomo@dallas.com
To: jimmyray@twtv.nu
Subject: Account Information
Please do not reply. This automated email is in response to your request for your site log in information.
Your User ID is: robb
Your password is: twtv

Much simpler and more ninja-like than running complicated INSERT queries. Two caveats worth knowing before you try this one: the stacked statement only works where the database driver sends the batch through as-is (PHP's old mysql_query() refuses a second statement, mysqli_multi_query() does not), and the email only works because this site stores passwords in the clear, which is a finding all by itself.

So what's a geek to do? SQL DBs are just a part of our normal routine. Honestly, vendors just suck at preventing and detecting SQL injections. Up until now, my answer has been to use Snort to try and detect these, but recently I started testing a great open source SQL firewall, GreenSQL: http://www.greensql.net/

I started using GreenSQL on my Ubuntu 9.04 server. Setup is a real piece of cake, BUT before you get started make sure you have the following packages installed and ready:
- libevent
- pcre
- mysql client

Then I just installed two packages to get GreenSQL up and going:

sudo dpkg -i greensql-fw.deb

The console does not come in a package, so brush off your tar skills:
- greensql-console-0.x.x.tar.gz

I did have a connectivity problem at the start trying to access the MySQL server via 127.0.0.1 when it was expecting a connection from localhost. I looked in the forums and found that GreenSQL does NOT use the localhost socket but uses 127.0.0.1 instead, so I just added access permissions with the SQL query:

mysql> GRANT SELECT,INSERT,UPDATE,DELETE ON Pika.* TO 'jimmyray.twtv'@'127.0.0.1' IDENTIFIED BY 'PASSWORD';

The reason this matters: MySQL treats 'user'@'localhost' as a login over the Unix socket and 'user'@'127.0.0.1' as a login over TCP, and they are separate grants. A proxy like GreenSQL talks TCP, so it needs the 127.0.0.1 one. While you are in there, grant the application account only the statements it actually needs; a password-reminder page has no business holding UPDATE.

Then it fired right up. How did it work? Better than doughballs and liver for catfish! I was able to defend against not only the above attacks but against 100 other automated SQL injections I threw at that dude!!
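Here are both injections from above, the '1'='1' login bypass and the password-reminder UPDATE, played against string-built queries and then against parameterized versions of the same queries. This is an added example and not code from the original post; it uses Python's sqlite3 as a stand-in for MySQL, and the table contents, the users table layout and the run_batch helper (which fakes a driver that accepts stacked statements) are my assumptions.

```python
import sqlite3

# Constructed in-memory stand-in for the two tables the post queries:
# 'users' for the login form and 'members' for the "I forgot my password"
# mailer. Sample rows are made up for the demo.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users   (user TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'hunter2'), ('jimmy', 'catfish');
        CREATE TABLE members (email TEXT, passwd TEXT, login_id TEXT, full_name TEXT);
        INSERT INTO members VALUES ('robb@dallas.com', 'twtv', 'robb', 'Robb');
    """)
    return conn


def run_batch(conn, sql):
    """Run a ';'-separated batch and return the rows of the last statement.

    sqlite3's execute() refuses stacked statements, so this naive splitter
    is a hypothetical stand-in for a driver that accepts them (the post's
    UPDATE trick relies on one, e.g. mysqli_multi_query). Demo only."""
    rows = []
    for stmt in (s.strip() for s in sql.split(";")):
        if stmt:
            rows = conn.execute(stmt).fetchall()
    return rows


# --- vulnerable: query text built by string concatenation -----------------
def login_vulnerable(conn, user, password):
    sql = "select * from users where user='%s' and password='%s'" % (user, password)
    return conn.execute(sql).fetchall()


def forgot_password_vulnerable(conn, email):
    sql = "SELECT email, passwd, login_id, full_name FROM members WHERE email = '%s'" % email
    rows = run_batch(conn, sql)
    return compose_mail(rows[0] if rows else None)


# --- hardened: parameterized queries, one statement each ------------------
def login_safe(conn, user, password):
    sql = "select * from users where user=? and password=?"
    return conn.execute(sql, (user, password)).fetchall()


def forgot_password_safe(conn, email):
    sql = "SELECT email, passwd, login_id, full_name FROM members WHERE email = ?"
    row = conn.execute(sql, (email,)).fetchone()
    return compose_mail(row)


def compose_mail(row):
    """What the reminder applet would put in the outgoing message."""
    if row is None:
        return None
    email, passwd, login_id, _full_name = row
    return {"to": email, "login_id": login_id, "password": passwd}


# Attacker inputs, taken from the two injections described in the post.
LOGIN_PAYLOAD = "admin' or '1'='1"
HIJACK_PAYLOAD = ("x'; UPDATE members SET email = 'jimmyray@twtv.nu' "
                  "WHERE email = 'robb@dallas.com")
ATTACKER_ADDR = "jimmyray@twtv.nu"


def demo():
    results = {}
    conn = make_db()
    # AND binds tighter than OR, so the clause reads
    # user='admin' OR ('1'='1' AND password='wrong'): the password is moot.
    results["vuln_login"] = login_vulnerable(conn, LOGIN_PAYLOAD, "wrong")
    results["safe_login"] = login_safe(conn, LOGIN_PAYLOAD, "wrong")

    # Step 1: ride an UPDATE in on the reminder lookup. Step 2: ask for a
    # reminder to the attacker's own address and receive robb's credentials.
    forgot_password_vulnerable(conn, HIJACK_PAYLOAD)
    results["vuln_mail"] = forgot_password_vulnerable(conn, ATTACKER_ADDR)

    conn = make_db()  # fresh copy, same two requests against the safe code
    forgot_password_safe(conn, HIJACK_PAYLOAD)
    results["safe_mail"] = forgot_password_safe(conn, ATTACKER_ADDR)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Run it and the vulnerable path hands back the admin row for a wrong password and then mails robb's user ID and password to the attacker's address, while the parameterized path returns nothing for either request because the quote and the semicolon are just characters inside a bound value. Two more defenses cost nothing here: run the reminder code under a MySQL account with SELECT only, so the smuggled UPDATE fails even where the query is still concatenated, and stop storing passwords in the clear, so the applet has nothing to leak.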
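GreenSQL sits between the application and MySQL as a proxy and judges each query before passing it on. The post does not spell out how it decides, so the scorer below is a toy I wrote to show the idea, as an added example that is neither the post's code nor GreenSQL's logic: the rules, weights, threshold and the four benign queries are invented, and the two flagged queries are the post's own injection strings.

```python
import re

# Constructed sample of queries as a proxy between the app and MySQL would
# see them. The first two are the post's injections; the rest are made up.
SAMPLE_QUERIES = [
    "select * from users where user='admin' or '1'='1' and password='x'",
    "SELECT email, passwd, login_id, full_name FROM members WHERE email = 'x'; "
    "UPDATE members SET email = 'jimmyray@twtv.nu' WHERE email = 'robb@dallas.com'",
    "SELECT name, price FROM products WHERE id = 42",
    "SELECT * FROM users WHERE user='admin' AND password='hunter2'",
    "SELECT id FROM orders WHERE customer = 'O''Brien' -- legacy lookup",
    "SELECT name FROM users WHERE id = 1 UNION SELECT passwd FROM members",
]

# (pattern, reason, weight): hypothetical rules, not GreenSQL's rule set.
# The tautology rule catches "or X=X" whether or not X is quoted.
RULES = [
    (r"\bor\s+'?(\w+)'?\s*=\s*'?\1'?(?!\w)", "always-true OR tautology", 3),
    (r";\s*(update|delete|insert|drop|alter)\b", "stacked write statement", 4),
    (r"\bunion\b.+\bselect\b", "UNION SELECT", 3),
    (r"(--|#|/\*)", "comment inside query", 1),
    (r"\b(information_schema|mysql\.user)\b", "catalog table access", 2),
]
BLOCK_AT = 3  # total weight at which the proxy refuses to forward the query


def score_query(sql):
    """Sum the weights of every rule the query trips, with the reasons."""
    score, reasons = 0, []
    for pattern, reason, weight in RULES:
        if re.search(pattern, sql, re.IGNORECASE):
            score += weight
            reasons.append(reason)
    return score, reasons


def decide(sql):
    """Return (verdict, score, reasons) the way a proxy would log it."""
    score, reasons = score_query(sql)
    verdict = "block" if score >= BLOCK_AT else "allow"
    return verdict, score, reasons


def run(queries=SAMPLE_QUERIES):
    return [decide(q) for q in queries]


if __name__ == "__main__":
    for query, (verdict, score, reasons) in zip(SAMPLE_QUERIES, run()):
        print(f"{verdict:5} {score:2} {', '.join(reasons) or '-':30} {query[:60]}")
```

The login bypass trips the tautology rule and the reminder hijack trips the stacked-write rule, both get blocked, and the O'Brien lookup with a trailing comment scores low enough to pass, which is the kind of tuning you end up doing with any signature-based check. Pattern rules like these are also easy to slip past (or 2>1, hex-encoded strings, comments splitting keywords), which is why database firewalls typically learn the set of query shapes the application normally sends as well, and why the proxy belongs in front of parameterized queries, not instead of them.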
GreenSQL is a great database firewall for MySQL in my opinion. I will certainly be deploying them together on my networks. Don't leave your DB to just a plain ole circuit-level firewall. Go out and give them a look and start testing it in your labs. Hey, speaking of catfish, I think I am ready to bag this work day and fish while the lake is not frozen over!

Jimmy Ray Purser

Trivia Files Transfer Protocol
Old school spammer: In 1915 William Wrigley Jr. sent chewing gum to everyone in the phone book.
An Early Gift for MySQL servers
GreenSQL is a MUST HAVE add on to any data warehouse
Copyright © 2009 IDG Communications, Inc.