Out-of-band SQL Injection Attacks (#hacktrickconf)
2. whoami
Security Researcher @ Netsparker Ltd.
Developer @ Another Times
Author @ Ethical Hacking “Offensive & Defensive” Book
Blog: omercitak.com
All Social Platform: @Om3rCitak
9. sql injection
● Inband
○ Error Based
● Indirect Inference
○ Boolean Based
○ Blind (Time Based)
● Out-of-band
○ Blind (HTTP, DNS)
10. sql injection
● Inband
○ Error Based
....
ini_set('display_errors', 'On');
error_reporting(E_ALL);
$sql = "SELECT * FROM users WHERE username like '%".$_GET["username"]."%'";
$results = mysql_query($sql);
...
12. sql injection
● Indirect Inference
○ Boolean Based
....
ini_set('display_errors', 'Off');
error_reporting(~E_ALL);
$sql = "SELECT * FROM users WHERE username like '%".$_GET["username"]."%'";
$results = mysql_query($sql);
$row_count = mysql_num_rows($results);
if($row_count > 0)
echo 'user exist';
else
echo 'user not exist';
...
14. sql injection
● Indirect Inference
○ Blind (Time Based)
....
ini_set('display_errors', 'Off');
error_reporting(~E_ALL);
$sql = "SELECT * FROM users WHERE username like '%".$_GET["username"]."%'";
$results = mysql_query($sql);
...
16. sql injection
● Indirect Inference
○ Blind (Time Based)
payload> ay' and if(substring(user(),1,1) = 'r', sleep(3), false) --
17. sql injection
● Indirect Inference
○ Blind (Time Based)
payload> ay' and if(substring(user(),1,1) = 'a', sleep(3), false) --
18. sql injection
● Out-of-band
○ Blind (HTTP, DNS)
....
ini_set('display_errors', 'Off');
error_reporting(~E_ALL);
$sql = "SELECT * FROM users WHERE (username like '%".$_GET["param"]."%')";
$results = pg_query($sql);
...
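A hardened version of the user lookup shown on slides 10, 12, 14 and 18, added here as an example; it is not code from the talk or from its demo servers. It assumes the PostgreSQL backend used in the demo, PHP's PDO with the pgsql driver, a `users` table with `id` and `username` columns, and placeholder connection details. The user-supplied value is bound as a parameter instead of being concatenated into the SQL text, so the time-based payloads on slides 16 and 17 are searched for as literal text rather than executed, and the LIKE wildcards `%` and `_` are escaped so the caller cannot widen the pattern either.

```php
<?php
// Added example, not the slides' code: parameterised replacement for
//   "SELECT * FROM users WHERE username like '%".$_GET["username"]."%'"
// against the PostgreSQL backend used in the demo. Host, database,
// account and password below are placeholders.

declare(strict_types=1);

// Prepared statements keep input out of the SQL grammar, but '%' and '_'
// are still wildcards inside a LIKE pattern. Escape them (and the escape
// character itself) so the input can only match literally; the query
// declares backslash as the escape character with ESCAPE '\'.
function escapeLikePattern(string $input): string
{
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $input);
}

// The user value never becomes part of the SQL text; it is bound to
// :pattern, so a value such as
//   ay' and if(substring(user(),1,1) = 'r', sleep(3), false) --
// is a string to search for, not a condition the server evaluates.
function findUsersByName(PDO $db, string $username): array
{
    $stmt = $db->prepare(
        "SELECT id, username FROM users WHERE username LIKE :pattern ESCAPE '\\'"
    );
    $stmt->execute([':pattern' => '%' . escapeLikePattern($username) . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Slide 10's error-based variant depends on display_errors=On; keep
// errors out of responses and let PDO throw so failures reach the
// server log instead of the client.
ini_set('display_errors', 'Off');
error_reporting(E_ALL);

// Placeholder DSN and credentials (assumed, not the demo's). The account
// should hold only SELECT on the tables this endpoint reads.
$db = new PDO('pgsql:host=127.0.0.1;dbname=app', 'app_readonly', 'CHANGE_ME', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // server-side prepare, real parameter binding
]);

$username = (string) ($_GET['username'] ?? '');

try {
    $rows = findUsersByName($db, $username);
    header('Content-Type: application/json');
    echo json_encode(['count' => count($rows), 'users' => $rows]);
} catch (PDOException $e) {
    error_log('users lookup failed: ' . $e->getMessage()); // server log only
    http_response_code(500);
    echo 'lookup failed';
}
```

Parameterisation removes the injection itself; the other two controls limit what a missed one can do. The out-of-band channel on slide 18 only works if the database host can reach the attacker's DNS or HTTP listener, so the database account should have the minimum privileges the endpoint needs and outbound connections from the database host should be restricted and monitored, since a database server that suddenly resolves unfamiliar external names is itself a detection signal.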
19. demo
● dependencies:
○ 1 DNS server => 207.154.219.61
■ Ubuntu 16
■ Spiderlabs Responder
○ 1 app & database server => 207.154.246.88
■ Ubuntu 16
■ PHP 7
■ PostgreSQL 9.5
○ 1 attacker machine