Error Based SQL Injection Using EXP

Overview

This is another overflow in the DOUBLE data type in MySQL I found. You can refer to my previous post on BIGINT Overflow Error based injections if you want to understand exploiting overflows in extracting data. Also the queries are similar to my previous post. When we take the functions in MySQL I was interested in the mathematical functions. They too should contain some data type to hold values. So I went on testing for functions which would cause any overflow errors and I found out that exp() would cause a overflow error when we pass a large value above 709.

mysql> select exp(709);
+-----------------------+
| exp(709) |
+-----------------------+
| 8.218407461554972e307 |
+-----------------------+
1 row in set (0.00 sec)
mysql> select exp(710);
ERROR 1690 (22003): DOUBLE value is out of range in 'exp(710)'

The exp is the opposite of the ln and log functions of MySQL. If I briefly explain the functionality of these, log and ln and both returns the answer to the natural logarithm or to the base e. In common e is approximated to: e \approx 2.71828183 .

ln(15) = log_ {e} (15) = 2.70805020110221
Continue reading

Advertisements

Installing GCC on iOS 8

I recently entered the world of mobile security and pen-testing. I wanted to install GCC in a jailbroken iOS 8.3 and had to face lots of issues in finding the correct package for it. So I somehow managed to install and run my own C apps 🙂 I thought of sharing this with you, if you are too struggling like me here’s how I managed to install this.

First install OpenSSH and essential bash commands like apt-get, sed, ps, etc. After that you have to install few debian packages along with gcc. Download this zip file I made and drop it into any folder in your iPhone using a SFTP connection or a desktop file browser. After that install all the packages in it.

$ dpkg -i *.deb

Continue reading

BIGINT Overflow Error Based SQL Injection

Overview

I was interested in finding out new techniques that we can use in extracting data via MySQL errors. This is a detailed write-up which will make you understand how I made these queries. When we look how MySQL handles integers I was interested in causing overflows. This is how MySQL stores integers.

(Source: http://dev.mysql.com/doc/refman/5.5/en/integer-types.html)
These overflow errors will cause in MySQL versions 5.5.5 and above only. In below versions integer overflows would result in a silent wraparound.
The data type BIGINT is of 8 bytes in size which means it’s of 64 bits. If we take the maximum signed value of a BIGINT its “0b0111111111111111111111111111111111111111111111111111111111111111”, “0x7fffffffffffffff”, “9223372036854775807” in binary, hex and decimal respectively. Once we evaluate numerical expressions on this value like adding will cause a “BIGINT value is out of range” error.

mysql> select 9223372036854775807+1;
ERROR 1690 (22003): BIGINT value is out of range in '(9223372036854775807 + 1)'

Continue reading

Getting Shellcode from ARM Binaries

For x86 and x86_64 there are already commands for extracting shellcode and printing them nicely formatted. But when it comes to ARM none of them work would because of the way objdump would dump the opcodes. For example if this is my sample program:

.section .text
.global _start
_start:
.code 32
# Thumb-Mode on
add r6, pc, #1
bx r6
.code 16
# _write()
mov r2, #7
mov r1, pc
add r1, #12
mov r0, $0x1
mov r7, $0x4
svc 0
# _exit()
sub r0, r0, r0
mov r7, $0x1
svc 0
.ascii "Osanda\n"

Continue reading