Month: July 2015

Error Based SQL Injection Using EXP

Overview

This is another overflow in the DOUBLE data type in MySQL I found. You can refer to my previous post on BIGINT Overflow Error based injections if you want to understand exploiting overflows in extracting data. Also the queries are similar to my previous post. When we take the functions in MySQL I was interested in the mathematical functions. They too should contain some data type to hold values. So I went on testing for functions which would cause any overflow errors and I found out that exp() would cause a overflow error when we pass a large value above 709.

mysql> select exp(709);

+-----------------------+

| exp(709)              |

+-----------------------+

| 8.218407461554972e307 |

+-----------------------+

1 row in set (0.00 sec)



mysql> select exp(710);

ERROR 1690 (22003): DOUBLE value is out of range in 'exp(710)'

The exp is the opposite of the ln and log functions of MySQL. If I briefly explain the functionality of these, log and ln and both returns the answer to the natural logarithm or to the base e. In common e is approximated to: $latex e \approx 2.71828183&bg=FFFFFF&s=1$ .

$latex ln(15) = log_ {e} (15) = 2.70805020110221 &bg=FFFFFF&s=1$
(more…)

Installing GCC on iOS 8

I recently entered the world of mobile security and pen-testing. I wanted to install GCC in a jailbroken iOS 8.3 and had to face lots of issues in finding the correct package for it. So I somehow managed to install and run my own C apps 🙂 I thought of sharing this with you, if you are too struggling like me here’s how I managed to install this.

First install OpenSSH and essential bash commands like apt-get, sed, ps, etc. After that you have to install few debian packages along with gcc. Download this zip file I made and drop it into any folder in your iPhone using a SFTP connection or a desktop file browser. After that install all the packages in it.

[code language=”bash”]
$ dpkg -i *.deb
[/code]
(more…)

BIGINT Overflow Error Based SQL Injection

Overview

I was interested in finding out new techniques that we can use in extracting data via MySQL errors. This is a detailed write-up which will make you understand how I made these queries. When we look how MySQL handles integers I was interested in causing overflows. This is how MySQL stores integers.

View post on imgur.com


(Source: http://dev.mysql.com/doc/refman/5.5/en/integer-types.html)
These overflow errors will cause in MySQL versions 5.5.5 and above only. In below versions integer overflows would result in a silent wraparound.
The data type BIGINT is of 8 bytes in size which means it’s of 64 bits. If we take the maximum signed value of a BIGINT its “0b0111111111111111111111111111111111111111111111111111111111111111”, “0x7fffffffffffffff”, “9223372036854775807” in binary, hex and decimal respectively. Once we evaluate numerical expressions on this value like adding will cause a “BIGINT value is out of range” error. 

mysql> select 9223372036854775807+1; 

ERROR 1690 (22003): BIGINT value is out of range in '(9223372036854775807 + 1)'

(more…)

Getting Shellcode from ARM Binaries

For x86 and x86_64 there are already commands for extracting shellcode and printing them nicely formatted. But when it comes to ARM none of them work would because of the way objdump would dump the opcodes. For example if this is my sample program:

.section .text

.global _start



_start:



    .code 32

    # Thumb-Mode on

    add     r6, pc, #1

    bx  r6



    .code   16

    # _write()

    mov     r2, #7

    mov r1, pc

    add r1, #12

    mov     r0, $0x1

    mov     r7, $0x4

    svc     0



    # _exit()

    sub r0, r0, r0

    mov     r7, $0x1

    svc 0



.ascii "Osanda\n"

(more…)