We introduce the SQL Agent technique and its implementation, an efficient translator from SQL to HTTP requests that we use to remove the burden of exploiting, and performing post-exploitation through, SQL-injection vulnerabilities. It helps to engineer post-exploitation tasks against a web application and lends itself to a better understanding of the impact of each vulnerability, while hiding the complexity of the communication channel (e.g., in a blind SQL-injection exploit it might be troublesome to perform an arbitrary query and obtain its result unless a script is devised for this purpose) and taking care of authentication and session-management tasks.
Following the spirit of the Syscall Proxying agent technology (an agent that allows machine-code execution to be proxied from the attacker's machine to a compromised computer hosting a syscall agent), after installing a SQL agent in a web application the attacker can execute SQL queries from a console on his own computer much as if he were connected directly to the DBMS.
Given an exploit against a SQL-injection vulnerability, for each query input by the user our implementation translates the SQL expression into an abstract tree-structured representation. A series of transformations is then applied to this abstract representation to adapt it to the communication channel to be used. Communication is divided into two phases: the attack-rendering phase and the response-decoding phase. During the attack-rendering phase, the structured representation is transformed into one or more attack requests, each of which implements a data-extraction method. An attack request comprises all the information needed to perform an HTTP request that exploits a given vulnerability: session information, authentication, and the knowledge of which user input is needed to complete the attack string (the actual attack). The response-decoding phase uses the knowledge gathered in the previous phase to extract the meaningful information from each attack request's response.