Fuzzing SQL Stored Procedures
Another fun fuzzing target is SQL stored procedures. This was a hotbed for exploits a number of years ago and remains a hot topic thanks to the plethora of web applications providing a target-rich environment. Oddly, there are few tools available for fuzzing stored procedures, and most of them are simple one-offs with limited abilities.
Peach sees stored procedures as callable methods with parameters and possible return types. This allows creating anything from very simple to very complex state machines around your set of stored procedures. Additionally, the usual rich set of data modeling tools is available for specifying the parameter data.
The example provided in this article is taken from the SQL Stored Procedure Fuzzing Tutorial and uses MySQL v5.1 as the test database.
Example 1 - Simple Stored Procedure
Our first example is very simple: we will have a single stored procedure called "testproc" that accepts a single parameter, "parameter1", typed as a "varchar(255)".
The MySQL database schema looks like this:
create table if not exists testtable (
    msg varchar(255)
);

delimiter //
CREATE PROCEDURE testproc(IN parameter1 VARCHAR(255))
BEGIN
    insert into testtable (msg) values (parameter1);
END;
//
Next we need to create our Peach PIT file. This will contain a data model for our parameter, a state machine that calls our method, and finally a publisher configured to talk to MySQL.
<?xml version="1.0" encoding="utf-8"?>
<Peach xmlns="http://phed.org/2008/Peach"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://phed.org/2008/Peach /peach/peach.xsd">

    <Include ns="default" src="file:defaults.xml"/>
    <Include ns="pt" src="file:PeachTypes.xml"/>

    <!-- Data model for the single varchar(255) parameter; "Peachy" is the seed value -->
    <DataModel name="TheDataModel">
        <String value="Peachy"/>
    </DataModel>

    <!-- State machine with one state that calls the stored procedure -->
    <StateModel name="TheState" initialState="Initial">
        <State name="Initial">
            <Action type="call" method="call testproc(?)">
                <Param name="p1" type="in">
                    <DataModel ref="TheDataModel"/>
                </Param>
            </Action>
        </State>
    </StateModel>

    <!-- Publisher: ODBC connection to the MySQL test database -->
    <Test name="TheTest">
        <StateModel ref="TheState"/>
        <Publisher class="sql.Odbc">
            <Param name="dsn" value="TestMySql/root/password"/>
        </Publisher>
    </Test>

    <Run name="DefaultRun">
        <Test ref="TheTest"/>
    </Run>
</Peach>
And that's it! Now, obviously there is little point to fuzzing our example method. The real targets for our fuzzing are the built-in methods that ship with most SQL servers, or 3rd-party "native" stored procedures (those written in languages like C or C++).
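To make concrete what the PIT above asks Peach to do (mutate the "Peachy" seed, pass each mutation as the single parameter of call testproc(?), and treat an error from the call as the signal to record), here is a small harness written for this article; it is not Peach code. FakeMySqlBackend is a constructed stand-in for the ODBC DSN: an in-memory SQLite table with the varchar(255) limit enforced in Python, so the harness runs offline.

```python
import sqlite3

SEED = "Peachy"  # seed value from the PIT's DataModel
MAX_LEN = 255    # varchar(255) limit of testproc's parameter1


def string_mutations(seed, max_len=MAX_LEN):
    """Yield a handful of string mutations in the spirit of Peach's string
    mutators: length boundaries around varchar(255), repetition, empty
    input, non-ASCII text and an embedded NUL byte."""
    yield seed
    yield ""
    yield "A" * max_len          # exactly at the column limit
    yield "A" * (max_len + 1)    # one past the limit
    yield seed * 100             # repeated seed, well past the limit
    yield "caf\u00e9 \u2603"     # non-ASCII (multi-byte) characters
    yield "\x00" + seed          # embedded NUL byte


class FakeMySqlBackend:
    """Constructed stand-in for the MySQL database behind the PIT's DSN.
    Emulates strict-mode varchar(255) enforcement on an in-memory SQLite
    table so the harness needs no database server."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute("create table testtable (msg varchar(255))")

    def call_testproc(self, parameter1):
        # MySQL in strict mode rejects over-long values; SQLite does not,
        # so the check is emulated here.
        if len(parameter1) > MAX_LEN:
            raise ValueError("Data too long for column 'msg'")
        # Parameterised insert mirroring the procedure body
        self.conn.execute("insert into testtable (msg) values (?)",
                          (parameter1,))


def fuzz_procedure(backend, seed=SEED):
    """Drive the 'call' action once per mutation and record the outcome.
    Returns a list of (input_length, outcome) tuples; any exception raised
    by the call is recorded as the fault signal rather than aborting."""
    results = []
    for value in string_mutations(seed):
        try:
            backend.call_testproc(value)
            results.append((len(value), "ok"))
        except Exception as exc:
            results.append((len(value), "error: %s" % exc))
    return results
```

Against a live database, call_testproc would instead execute "call testproc(?)" through a DB-API cursor over the same ODBC DSN the PIT uses, and the error-classification loop stays unchanged.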
Well, I hope this was a good introduction to fuzzing SQL stored procedures with Peach! If you have any questions please post them on the Peach mailing list.