Out-of-band Sql Injection Attacks (#hacktrickconf)

•

3 likes•1,745 views

Ömer Çıtak

Software

Out-of-band
SQL Injection Attacks
Omer Citak
Hacktrick, May 2017

whoami
Security Researcher @ Netsparker Ltd.
Developer @ Another Times
Writer @ Ethical Hacking “Offensive & Defensive” Book
Blog: omercitak.com
All Social Platform: @Om3rCitak

sql injection
● Inband
○ Error Based
● Indirect Inference
○ Boolean Based
○ Blind (Time Based)
● Out-of-band
○ Blind (HTTP, DNS)

sql injection
● Inband
○ Error Based
....
ini_set('display_errors', 'On');
error_reporting(E_ALL);
$sql = "SELECT * FROM users WHERE username like '%".$_GET["username"]."%'";
$results = mysql_query($sql);
...

sql injection
● Indirect Inference
○ Boolean Based
....
ini_set('display_errors', 'Off');
error_reporting(~E_ALL);
$sql = "SELECT * FROM users WHERE username like '%".$_GET["username"]."%'";
$results = mysql_query($sql);
$row_count = mysql_num_rows($results);
if($row_count > 0)
echo 'user exist';
else
echo 'user not exist';
...

sql injection
● Indirect Inference
○ Boolean Based

sql injection
● Indirect Inference
○ Blind (Time Based)
....
ini_set('display_errors', 'Off');
error_reporting(~E_ALL);
$sql = "SELECT * FROM users WHERE username like '%".$_GET["username"]."%'";
$results = mysql_query($sql);
...

sql injection
● Indirect Inference
○ Blind (Time Based)

sql injection
● Indirect Inference
○ Blind (Time Based)
payload> ay' and if(substring(user(),1,1) = 'r', sleep(3), false) --

sql injection
● Indirect Inference
○ Blind (Time Based)
payload> ay' and if(substring(user(),1,1) = 'a', sleep(3), false) --

sql injection
● Out-of-band
○ Blind (HTTP, DNS)
....
ini_set('display_errors', 'Off');
error_reporting(~E_ALL);
$sql = "SELECT * FROM users WHERE (username like '%".$_GET["param"]."%')";
$results = pg_query($sql);
...

demo
● dependencies;
○ 1 DNS server => 207.154.219.61
■ Ubuntu 16
■ Spiderlab Responder
○ 1 app & database server => 207.154.246.88
■ Ubuntu 16
■ Php7
■ Postgresql 9.5
and 1 unit attacker

thanks
www.omercitak.com
All Social Platform: @Om3rCitak

Similar to Out-of-band Sql Injection Attacks (#hacktrickconf)

Out-of-band SQL Injection Attacks (#cypsec'17)

Ömer Çıtak

This talk walks through the basics of web security without focussing too much on the particular tools that you choose. The concepts are universal, although most examples will be in Perl. We'll also look at various attack vectors (SQL Injection, XSS, CSRF, and more) and see how you can avoid them. Whether you're an experienced web developer (we all need reminding) or just starting out, this talk can help avoid being the next easy harvest of The Bad Guys.

Web Security 101

Michael Peters

Php Security - OWASP

Mizno Kruge

PHP Secure Programming

Balavignesh Kasinathan

Greensql2007

Kaustav Sengupta

Code injection and green sql

Kaustav Sengupta

PHPUG Presentation

Damon Cortesi

DEFCON 23 - Lance buttars Nemus - sql injection on lamp

Felipe Prado

Prevention of SQL Injection Attack in Web Application with Host Language

IRJET Journal

SQL Injection in PHP

Dave Ross

SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto

Pichaya Morimoto

The UNM Information Architects and the UNM Arts LAB invite you to to a presentation by ABQ Web Geeks' own Chris Kenworthy at the UNM SUB this Wednesday the 27th of August. Chris will be discussing SQL Injection and Cross Site Scripting Vulnerabilities. These types of attacks against websites are both common and potentially devastating. Chris will bring us up to speed on them and give us some tips on how to prevent them. Please mark your calendars for Wednesday, August 27 from 10:00 - 11:30 at the UNM Student Union Building, Lobo Rooms A & B.

Protecting Your Web SiteFrom SQL Injection & XSS

skyhawk133

ASP.NET Web Security

SharePointRadi

SQL Injection in action with PHP and MySQL

Pradeep Kumar

Simple web security

裕夫傅

Посмотрим на новый веб-фреймворк Microsoft с точки зрения безопасности. ASP.NET Core является продолжением развития платформы ASP.NET и, в отличие от старшего брата, код его полностью открыт и поддерживается сообществом. Архитектура фреймворка была переосмыслена, появились новые security features, часть существующих сильно переписана. В докладе поговорим об этих различиях и разберем как теперь работают встроенные механизмы защиты от XSS и CSRF, какие возможности криптографии доступны из коробки, как устроено управление сессиями. Доклад будет интересен в первую очередь разработчикам, пишущим защищенные ASP.NET-приложения, специалистам, проводящим security review .NET-проектов, и всем желающим разобраться в реализации компонентов безопасности на примере этой платформы.

.NET Fest 2017. Михаил Щербаков. Механизмы предотвращения атак в ASP.NET Core

NETFest

Security: Odoo Code Hardening

Odoo

This talk educates developers on common security vulnerabilities, how they are exploited, and how to protect against them. We will explore several of the OWASP top 10 attack vectors, such as SQL injection, XSS, CSRF, and session hijacking. Each topic will be approached from the perspective of an attacker to learn how these vulnerabilities are detected and exploited using several realistic examples. We will then apply this knowledge to learn how web applications can be secured against such vulnerabilities.

Hacking Your Way To Better Security - php[tek] 2016

Colin O'Dell

Php & Web Security - PHPXperts 2009

mirahman

Ppt on sql injection

ashish20012

Similar to Out-of-band Sql Injection Attacks (#hacktrickconf) (20)

Out-of-band SQL Injection Attacks (#cypsec'17)

Web Security 101

Php Security - OWASP

PHP Secure Programming

Greensql2007

Code injection and green sql

PHPUG Presentation

DEFCON 23 - Lance buttars Nemus - sql injection on lamp

Prevention of SQL Injection Attack in Web Application with Host Language

SQL Injection in PHP

SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto

Protecting Your Web SiteFrom SQL Injection & XSS

ASP.NET Web Security

SQL Injection in action with PHP and MySQL

Simple web security

.NET Fest 2017. Михаил Щербаков. Механизмы предотвращения атак в ASP.NET Core

Security: Odoo Code Hardening

Hacking Your Way To Better Security - php[tek] 2016

Php & Web Security - PHPXperts 2009

Ppt on sql injection

Recently uploaded

The title is not connected to what is inside

shinachiaurasa2

A Secure and Reliable Document Management System is Essential.docx

ComplianceQuest1

InShot proinshot.com stands tall among its peers as the ultimate video editing app, offering simplicity, versatility, and power in one package. With its intuitive interface and comprehensive feature set, InShot caters to both beginners and seasoned editors alike. Whether you're creating content for social media, YouTube, or personal projects, InShot empowers you to unleash your creativity and transform your videos into captivating masterpieces. Join the millions of users who trust InShot https://www.proinshot.com/ for all their video editing needs and discover the difference for yourself!

Exploring the Best Video Editing App.pdf

proinshot.com

MakeMyPass" Online Bus Pass Management System illustrates the flow of activities and actions that occur within the system to accomplish specific tasks or use cases. This type of diagram focuses on representing the sequence of activities and decision points involved in a particular process. Below is an example outline and description of key elements that could be included in an Activity Diagram for the system:

BUS PASS MANGEMENT SYSTEM USING PHP.pptx

alwaysnagaraju26

(Vivek)Call Us, 8448380779,Call girls in Delhi NCr – We Offer best in class call girls. escort Service At Affordable Price At low Rate with Space Night 8000 We Are One Of The Oldest Escort and Call girls Agencies in Delhi. You Will Find That Our Female Escorts Are Full Of Fun, Sexy And They Would Love Enjoy Your Company. We Have A Fantastic Selection Of Escort Ladies Available For In-Calls As Well As Out-Calls. Our Escorts Are Not Only Beautiful But All Have Great Personalities Making Them The Perfect Companion For Any Occasion. In-Call:- You Can Come At Our Place in Delhi Our place Which Is Very Clean Hygienic 100% safe Accommodation. Out-Call:- You have To Come Pick The Girl From My Place We Are Also Provide Door Step Services (Delhi Ncr, Noida, Gurgaon, Faridabad, Ghaziabad Note:- Pic Collectors Time Passers Bargainers Stay Away As We Respect The Value For Your Money Time And Expect The Same From You Hygienic:- Full Ac room And Clean Rooms Available In Hotel 24 * 7 Hourly In Delhi NCR More Details, With WhatsApp Number, +91-8448380779

Sector 18, Noida Call girls :8448380779 Model Escorts | 100% verified

Delhi Call girls

HR Software Buyers Guide in 2024 - HRSoftware.com

Fatema Valibhai

%in tembisa+277-882-255-28 abortion pills for sale in tembisa

masabamasaba

Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts In Chinsurah ❤Personal Whatsapp Number Chinsurah Call Girls 8617697112 💦✅. Chinsurah escorts we are avaliable for our all types budget customers with offer great deals in Chinsurah.Call Now our Chinsurah escort service & call girls ... Independent call girls in Chinsurah escorts available 24 hours a day for discreet incall and outcall bookings from trusted call girls - Elis.in. Nitya salvi Chinsurah escorts service agency # Are you looking for sexy call girls ? Call our agency to get you dream independent call girl, ... One shot: ₹2000/in-call, ₹5000/out-call Two shots with one girl: ₹3500/in-call, ₹6000/out-call Body to body massage with sex: ₹3000/in-call Full night for one person: ₹7000/in-call, ₹10000/out-call Flexibility Choices and options Lists of many beauty fantasies Turn your dream into reality Perfect companionship Cheap and convenient In-call and Out-call services And many more. WhatsApp Chat: 📞 8617697112 Visit The Website : https://www.nityasalvi.com/

Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...

Nitya salvi

Data spaces in distributed environments should be allowed to evolve in agile ways providing data space owners with large flexibility about which data they store. Agility and heterogeneity, however, jeopardize data exchanges because representations may build on varying ontologies and data consumers may not rely on the semantic correctness of their queries in the context of semantically heterogeneous, evolving data spaces. Graph data spaces are one example of a powerful model for representing and querying data whose semantics may change over time. To assert and enforce conditions on individual graph data spaces, shape languages (e.g SHACL) have been developed. We investigate the question of how querying and programming can be guarded by reasoning over SHACL constraints in a distributed setting and we sketch a picture of how a future landscape based on semantically heterogeneous data spaces might look like.

Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...

Steffen Staab

+971565801893 Mtp-Kit (500MG) Prices » Dubai [(+971565801893**)] Abortion Pills For Sale In Dubai, UAE, Mifepristone and Misoprostol Tablets Available In Dubai, UAE CONTACT DR.Leen Whatsapp +971565801893 We Have Abortion Pills / Cytotec Tablets /Mifegest Kit Available in Dubai, Sharjah, Abudhabi, Ajman, Alain, Fujairah, Ras Al Khaimah, Umm Al Quwain, UAE, Buy cytotec in Dubai +971565801893''''Abortion Pills near me DUBAI | ABU DHABI|UAE. Price of Misoprostol, Cytotec” +971565801893' Dr.DEEM ''BUY ABORTION PILLS MIFEGEST KIT, MISOPROTONE, CYTOTEC PILLS IN DUBAI, ABU DHABI,UAE'' Contact me now via What's App…… abortion Pills Cytotec also available Oman Qatar Doha Saudi Arabia Bahrain Above all, Cytotec Abortion Pills are Available In Dubai / UAE, you will be very happy to do abortion in Dubai we are providing cytotec 200mg abortion pill in Dubai, UAE. Medication abortion offers an alternative to Surgical Abortion for women in the early weeks of pregnancy. We only offer abortion pills from 1 week-6 Months. We then advise you to use surgery if its beyond 6 months. Our Abu Dhabi, Ajman, Al Ain, Dubai, Fujairah, Ras Al Khaimah (RAK), Sharjah, Umm Al Quwain (UAQ) United Arab Emirates Abortion Clinic provides the safest and most advanced techniques for providing non-surgical, medical and surgical abortion methods for early through late second trimester, including the Abortion By Pill Procedure (RU 486, Mifeprex, Mifepristone, early options French Abortion Pill), Tamoxifen, Methotrexate and Cytotec (Misoprostol). The Abu Dhabi, United Arab Emirates Abortion Clinic performs Same Day Abortion Procedure using medications that are taken on the first day of the office visit and will cause the abortion to occur generally within 4 to 6 hours (as early as 30 minutes) for patients who are 3 to 12 weeks pregnant. When Mifepristone and Misoprostol are used, 50% of patients complete in 4 to 6 hours; 75% to 80% in 12 hours; and 90% in 24 hours. We use a regimen that allows for completion without the need for surgery 99% of the time. All advanced second trimester and late term pregnancies at our Tampa clinic (17 to 24 weeks or greater) can be completed within 24 hours or less 99% of the time without the need surgery. The procedure is completed with minimal to no complications. Our Women's Health Center located in Abu Dhabi, United Arab Emirates, uses the latest medications for medical abortions (RU-486, Mifeprex, Mifegyne, Mifepristone, early options French abortion pill), Methotrexate and Cytotec (Misoprostol). The safety standards of our Abu Dhabi, United Arab Emirates Abortion Doctors remain unparalleled. They consistently maintain the lowest complication rates throughout the nation. Our Physicians and staff are always available to answer questions and care for women in one of the most difficult times in their lives. The decision to have an abortion at the Abortion Clinic in Abu Dhabi, United Arab Emirates.+971565801893

+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...

Health

At the recent Microsoft Ignite 2023 conference, Microsoft unveiled a groundbreaking strategy that will redefine enterprise work management. The plan involves integrating Microsoft’s key planning tools, Microsoft To Do, Microsoft Planner, and Microsoft Project for the web into a unified experience called “Microsoft Planner.” What does this new strategy from Microsoft mean for current users? Join us and learn how best to take advantage of this announcement while gaining a clear path on how to elevate the current state of Microsoft Planner from a basic task manager to a comprehensive tool for Enterprise Work Management using OnePlan. Learn how OnePlan’s integration with Microsoft Planner allows for strategic alignment with business goals through advanced features like strategic planning, portfolio management, resource management, financial management, and more!

Introducing Microsoft’s new Enterprise Work Management (EWM) Solution

OnePlan Solutions

Define the academic and professional writing..pdf

PearlKirahMaeRagusta1

%in Midrand+277-882-255-28 abortion pills for sale in midrand

masabamasaba

Direct Style Effect Systems -The Print[A] Example- A Comprehension Aid

Philip Schwarz

Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...

SelfMade bd

How To Troubleshoot Collaboration Apps for the Modern Connected Worker

ThousandEyes

%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein

masabamasaba

Craft an AI & Machine Learning Pitch with our Editable Professional PowerPoint Template. Ignite your AI & Machine Learning pitch with our cutting-edge PowerPoint template tailored for the industry. Perfect for AI conferences, investor presentations, sales pitches to tech-focused companies, training sessions, and educational programs. - 20+ editable slides: Get a variety of options to choose from for your presentation. - Time-saving solution: Download, replace text/images with a few clicks. - User-friendly customization: Easy to use and personalize. - Modern and attractive design: Captivating visuals, sleek layout. - Tailored to your requirements: Fully alterable for customization. - Well-organized slides: Complete control over content. - Thematic specificity: Reflects healthcare industry with relevant graphics. - Showcase your business idea: Communicate value proposition effectively.

AI & Machine Learning Presentation Template

Presentation.STUDIO

Looking for an efficient way to manage your finances? Look no further than our money management app. With easy-to-use features, you can track your expenses, create budgets, and monitor your savings goals all in one place. Our app provides real-time updates on your spending habits and helps you make smarter financial decisions. Take control of your finances today with our user-friendly money management app.

Right Money Management App For Your Financial Goals

Jhone kinadey

call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️

Delhi Call girls

Recently uploaded (20)

The title is not connected to what is inside

A Secure and Reliable Document Management System is Essential.docx

Exploring the Best Video Editing App.pdf

BUS PASS MANGEMENT SYSTEM USING PHP.pptx

Sector 18, Noida Call girls :8448380779 Model Escorts | 100% verified

HR Software Buyers Guide in 2024 - HRSoftware.com

%in tembisa+277-882-255-28 abortion pills for sale in tembisa

Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...

Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...

+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...

Introducing Microsoft’s new Enterprise Work Management (EWM) Solution

Define the academic and professional writing..pdf

%in Midrand+277-882-255-28 abortion pills for sale in midrand

Direct Style Effect Systems -The Print[A] Example- A Comprehension Aid

Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...

How To Troubleshoot Collaboration Apps for the Modern Connected Worker

%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein

AI & Machine Learning Presentation Template

Right Money Management App For Your Financial Goals

call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️

Out-of-band Sql Injection Attacks (#hacktrickconf)

1. Out-of-band SQL Injection Attacks Omer Citak Hacktrick, May 2017

2. whoami Security Researcher @ Netsparker Ltd. Developer @ Another Times Writer @ Ethical Hacking “Offensive & Defensive” Book Blog: omercitak.com All Social Platform: @Om3rCitak

3. http

4. http

5. http

6. http

7. http - server side

8. server side

9. sql injection ● Inband ○ Error Based ● Indirect Inference ○ Boolean Based ○ Blind (Time Based) ● Out-of-band ○ Blind (HTTP, DNS)

10. sql injection ● Inband ○ Error Based .... ini_set('display_errors', 'On'); error_reporting(E_ALL); $sql = "SELECT * FROM users WHERE username like '%".$_GET["username"]."%'"; $results = mysql_query($sql); ...

11. sql injection ● Inband ○ Error Based

12. sql injection ● Indirect Inference ○ Boolean Based .... ini_set('display_errors', 'Off'); error_reporting(~E_ALL); $sql = "SELECT * FROM users WHERE username like '%".$_GET["username"]."%'"; $results = mysql_query($sql); $row_count = mysql_num_rows($results); if($row_count > 0) echo 'user exist'; else echo 'user not exist'; ...

13. sql injection ● Indirect Inference ○ Boolean Based

14. sql injection ● Indirect Inference ○ Blind (Time Based) .... ini_set('display_errors', 'Off'); error_reporting(~E_ALL); $sql = "SELECT * FROM users WHERE username like '%".$_GET["username"]."%'"; $results = mysql_query($sql); ...

15. sql injection ● Indirect Inference ○ Blind (Time Based)

16. sql injection ● Indirect Inference ○ Blind (Time Based) payload> ay' and if(substring(user(),1,1) = 'r', sleep(3), false) --

17. sql injection ● Indirect Inference ○ Blind (Time Based) payload> ay' and if(substring(user(),1,1) = 'a', sleep(3), false) --

18. sql injection ● Out-of-band ○ Blind (HTTP, DNS) .... ini_set('display_errors', 'Off'); error_reporting(~E_ALL); $sql = "SELECT * FROM users WHERE (username like '%".$_GET["param"]."%')"; $results = pg_query($sql); ...

19. demo ● dependencies; ○ 1 DNS server => 207.154.219.61 ■ Ubuntu 16 ■ Spiderlab Responder ○ 1 app & database server => 207.154.246.88 ■ Ubuntu 16 ■ Php7 ■ Postgresql 9.5 and 1 unit attacker

20. demo

21. where is the guvenlik?

22. thanks www.omercitak.com All Social Platform: @Om3rCitak

Out-of-band Sql Injection Attacks (#hacktrickconf)

Recommended

Recommended

More Related Content

Similar to Out-of-band Sql Injection Attacks (#hacktrickconf)

Similar to Out-of-band Sql Injection Attacks (#hacktrickconf) (20)

More from Ömer Çıtak

More from Ömer Çıtak (11)

Recently uploaded

Recently uploaded (20)

Out-of-band Sql Injection Attacks (#hacktrickconf)