#/usr/bin/env python import getopt import xmlrpclib import traceback import struct import debugger #needed on old ID for removeHook from immlib import * LICENSE="BSD 3-clause non-attribution" #yay! copyright="(C) Immunity, Inc., jms@bughunter.ca" """ This script supports the SQLOLEDB method of executing queries and, when combined with sql_listener.py will send you all the queries executed by a web application. Server-side filtering (necessary to avoid sending thousands of queries a second to you on a busy server) is stubbed in for later. We hooked IIS rather than SQL Server because common practice is to have your SQL tier un-routable, but the web tier is likely to have Internet access. Somewhat later we'll have this integrate into SPIKE Proxy and other tools to automate detection of blind-sql attacks/detection and sql injection in general. In order to use this script: 1. Run a few queries against your target server, this will start up two dllhost.exe's 2. Load Immunity Debugger and attach to the second dllhost.exe (this can be slightly tricky if the PID for the second one is lower than the first, but eventually we'll automate it) 3. run !sqlhooker -s myhostip:myport. For example, I use !sqlhooker 192.168.1.1:8081, and then on my .1 machine I run "python sql_listener.py 8081". Here's an example snippet of ASP script this would work against: _start cut_ set conn = server.createObject("ADODB.Connection") set rs = server.createObject("ADODB.Recordset") query = "select count(*) from users where userName='" & userName & "' and userPass='" & password & "'" conn.Open "Provider=SQLOLEDB; Data Source=(local); Initial Catalog=myDB; User Id=sa; Password=" rs.activeConnection = conn rs.open query _end cut_ We currently support: WinXPPro Sp2, IIS 5.0 SQLServer 2000 Win2K3, IIS 6.0, SQLServer 2000 Win2K, IIS 5.0, SQLServer 2000 Win2K Old,IIS 5.0, SQLServer 2000 If anyone has requests for other database systems, they should email us, along with the necessary information to get an application running, and we will spend the time to find you hook spots. Or just submit a patch to forum.immunityinc.com. """ class ole_hooker(LogBpHook): def __init__(self,hook_version,xmlhost=None,xmlport=0): LogBpHook.__init__(self) self.imm = Debugger() self.hook_version = hook_version self.xmlhost = xmlhost self.xmlport = int(xmlport) def run(self,regs): ''' Called everytime the SQL hook is hit. ''' self.imm.Log("Hook version: %s" % self.hook_version) if self.hook_version == "winxp_pro_sp2" or self.hook_version == "win2k3": sql_addr = regs['EDI'] if self.hook_version == "win2k": sql_addr = regs['ESI'] if self.hook_version == "win2k_old": buffer_ptr = self.imm.readMemory(regs['ESP'] + 4, 4) buffer_ptr = struct.unpack("L", buffer_ptr) sql_addr = buffer_ptr[0] sql_query = self.imm.readWString(sql_addr) sql_query = sql_query.replace("\x00","") self.imm.Log("SQL Query: %s" % sql_query) using_xml_rpc = False if self.xmlport != 0: server = xmlrpclib.ServerProxy("http://%s:%d/"%(self.xmlhost,self.xmlport), allow_none=True) self.imm.Log("Using server: %s:%d"%(self.xmlhost, self.xmlport)) using_xml_rpc = True else: server = None if using_xml_rpc: #send our xml request to the remove side #if self.filter matches...(stub for now) try: result = server.sendsql(("sqlquery",[sql_query])) except: data=traceback.format_exc() self.imm.Log("Failed to connect to remote server, sorry") self.imm.LogLines("Error was: %s"%data) return #Now parse what we got back - a command and list of arguments command, arguments = result if command=="NEWFILTER": #stub self.filter=arguments[0] elif command=="UNHOOK": #stub self.imm.Log("Unhook called") #etc return def usage(imm): imm.Log("!sqlhooker.py") imm.Log("-u (to uninstall hook)") imm.Log("-s host:port (Server to send XML-RPC data to)") def main(args): imm = Debugger() xmlhost = None xmlport = 0 sql_oledb = imm.getModule("sqloledb.dll") if not sql_oledb.isAnalysed(): imm.analyseCode(sql_oledb.getCodebase()) try: opts,argo = getopt.getopt(args, "ius:") except: return usage(imm) for o,a in opts: if o == "-u": if hasattr(imm, "removeHook"): imm.removeHook("query") elif hasattr(debugger, "Removehook"): debugger.Removehook("query") else: imm.Log("Could not remove hook - no remove hook function found!") return "Removed hook on SQL function." if o == "-s": xmlhost,xmlport = a.split(":") # Various versions, we need to match on winxp_pro_sp2 = "2000.085.1117.00 (xpsp_sp2_rtm." win2k3 = "2000.086.3959.00 (srv03_sp2_rtm" win2k = "2000.081.9031.018" win2k_old = "2000.080.0194" version = sql_oledb.getVersion() sql_base = sql_oledb.getBaseAddress() if version == winxp_pro_sp2: offset = 0xF6F5 hook_version = "winxp_pro_sp2" if version == win2k3: offset = 0x6522 hook_version = "win2k3" if version == win2k: offset = 0xFA2D hook_version = "win2k" if version == win2k_old: offset = 0x4034 hook_version = "win2k_old" bp_address = sql_base + offset # Set a hook hooker = ole_hooker(hook_version,xmlhost,xmlport) hooker.add("query",bp_address) return "SQL Hooks in Place. Ready for Test Cases."