
Out-of-band Sql Injection Attacks (#hacktrickconf)

  1. Out-of-band SQL Injection Attacks. Omer Citak, Hacktrick, May 2017
  2. whoami: Security Researcher @ Netsparker Ltd.; Developer @ Another Times; Writer @ "Ethical Hacking: Offensive & Defensive" book; Blog: omercitak.com; all social platforms: @Om3rCitak
  3. http
  4. http
  5. http
  6. http
  7. http - server side
  8. server side
  9. sql injection
      ● Inband
        ○ Error Based
      ● Indirect Inference
        ○ Boolean Based
        ○ Blind (Time Based)
      ● Out-of-band
        ○ Blind (HTTP, DNS)
  10. sql injection ● Inband ○ Error Based
      ....
      ini_set('display_errors', 'On');
      error_reporting(E_ALL);
      $sql = "SELECT * FROM users WHERE username like '%".$_GET["username"]."%'";
      $results = mysql_query($sql);
      ...
  11. sql injection ● Inband ○ Error Based
  12. sql injection ● Indirect Inference ○ Boolean Based
      ....
      ini_set('display_errors', 'Off');
      error_reporting(~E_ALL);
      $sql = "SELECT * FROM users WHERE username like '%".$_GET["username"]."%'";
      $results = mysql_query($sql);
      $row_count = mysql_num_rows($results);
      if($row_count > 0) echo 'user exist';
      else echo 'user not exist';
      ...
  13. sql injection ● Indirect Inference ○ Boolean Based
  14. sql injection ● Indirect Inference ○ Blind (Time Based)
      ....
      ini_set('display_errors', 'Off');
      error_reporting(~E_ALL);
      $sql = "SELECT * FROM users WHERE username like '%".$_GET["username"]."%'";
      $results = mysql_query($sql);
      ...
  15. sql injection ● Indirect Inference ○ Blind (Time Based)
  16. sql injection ● Indirect Inference ○ Blind (Time Based)
      payload> ay' and if(substring(user(),1,1) = 'r', sleep(3), false) --
  17. sql injection ● Indirect Inference ○ Blind (Time Based)
      payload> ay' and if(substring(user(),1,1) = 'a', sleep(3), false) --
  18. sql injection ● Out-of-band ○ Blind (HTTP, DNS)
      ....
      ini_set('display_errors', 'Off');
      error_reporting(~E_ALL);
      $sql = "SELECT * FROM users WHERE (username like '%".$_GET["param"]."%')";
      $results = pg_query($sql);
      ...
  19. demo
      ● dependencies:
        ○ 1 DNS server => 207.154.219.61
          ■ Ubuntu 16
          ■ Spiderlab Responder
        ○ 1 app & database server => 207.154.246.88
          ■ Ubuntu 16
          ■ Php7
          ■ Postgresql 9.5
        ○ and 1 attacker machine
  20. demo
  21. where is the security?
  22. thanks. www.omercitak.com; all social platforms: @Om3rCitak
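The snippets on slides 10, 12, 14 and 18 differ only in what the application reveals (a database error, a yes/no answer, a delay, or nothing at all, which is what pushes an attacker to an out-of-band channel); in every one of them the raw `$_GET` value is concatenated into the SQL text, so toggling `display_errors` changes the injection class, not whether the query is injectable. The following is an added example, not the speaker's code or the conference demo, showing the same lookup rebuilt with parameterised queries for both database drivers the slides use. Table and column names, connection strings and credentials are placeholders; it assumes PHP 7 with the PDO MySQL driver and the `pgsql` extension.

```php
<?php
// Added example, not from the slides: the users lookup from slides 10 to 18
// rewritten with parameterised queries. Table/column names, connection strings
// and credentials are placeholders. Assumes PHP 7 with PDO MySQL and pgsql.
declare(strict_types=1);

// Builds the LIKE pattern from raw user input. Escaping % and _ only prevents
// wildcard abuse (e.g. a pattern that matches every user); the injection fix
// itself is the value binding in the two functions below. Both MySQL and
// PostgreSQL use backslash as the default LIKE escape character.
function likePattern(string $input): string
{
    return '%' . addcslashes($input, '%_\\') . '%';
}

// MySQL replacement for the mysql_query() snippets on slides 10, 12 and 14.
// The input is bound as a value, so a quote, an "and if(... sleep(3) ...)"
// clause or a comment marker in $username can only ever be matched as text.
function findUsersMysql(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username LIKE :pattern');
    $stmt->execute([':pattern' => likePattern($username)]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// PostgreSQL replacement for slide 18's pg_query($sql): pg_query_params() sends
// the query text and the value separately, so the server never parses user
// input as SQL, which also closes the out-of-band variant shown in the demo.
function findUsersPostgres($conn, string $param): array
{
    $result = pg_query_params(
        $conn,
        'SELECT id, username FROM users WHERE username LIKE $1',
        [likePattern($param)]
    );
    if ($result === false) {
        // Keep driver messages in the server log; echoing them to the client is
        // what turns a plain bug into the error-based case on slide 10.
        error_log('users lookup failed: ' . pg_last_error($conn));
        return [];
    }
    // Before PHP 8, pg_fetch_all() returns false for an empty result set.
    return pg_fetch_all($result) ?: [];
}

// Constructed usage; connection details are placeholders.
$pdo = new PDO('mysql:host=127.0.0.1;dbname=app;charset=utf8mb4', 'app', 'PLACEHOLDER', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // failures become exceptions, not a silent false
    PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepared statements
]);
$pg = pg_connect('host=127.0.0.1 dbname=app user=app password=PLACEHOLDER');
if ($pg === false) {
    error_log('postgres connection failed');
    exit(1);
}

$username = $_GET['username'] ?? '';
$param    = $_GET['param'] ?? '';
echo json_encode([
    'mysql'    => findUsersMysql($pdo, $username),
    'postgres' => findUsersPostgres($pg, $param),
]);
```

Two points worth checking in a real code base: `PDO::ATTR_EMULATE_PREPARES => false` makes the MySQL server do the binding rather than the PHP driver quoting values client-side, and the database account the application connects with should be limited to the tables and functions it actually needs, since the out-of-band technique on slide 18 depends on what the database itself is allowed to do once a query has been injected.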
