
MySQL: Breaking the black box

What this is about: an amusing and somewhat extravagant way of “hacking” a website that fails to escape one of its parameters. Let's skip the discussion of why escaping is not handled by the programming language or the ORM itself.

Starting point: a website that does not escape one of the parameters in a simple SELECT query. All errors are intercepted and handled, and the page shows only a modest “No data” or “An error has occurred.”

It would seem no great trouble: you cannot update or modify the data, nothing leaks out, everything comes down to “Sorry, no data”. A black box.
But what can actually be done in this situation?

Straight to the point: the technique is built on the sleep(N) function, which we use as a litmus test. We measure how long the page takes to return under normal conditions, and how long it takes if we enter ' OR sleep(10) in place of each parameter present in the form. If the page's return time has grown, it's in the bag, and the rest is a matter of technique.

For example, we pick out the table name using the INFORMATION_SCHEMA meta-database, which is always present and accessible to everyone:

' OR 1 = if((select count(*) from INFORMATION_SCHEMA.tables where TABLE_SCHEMA=database() and TABLE_NAME='users') = 1, sleep(10), null)

If the page's “return” time has increased significantly, we guessed right; if not, we try more candidates, usually up to ten or so. Next, we “guess” the field names:

' OR 1 = if((select count(*) from INFORMATION_SCHEMA.columns where TABLE_SCHEMA=database() and TABLE_NAME='users' and COLUMN_NAME='login') = 1, sleep(5), null)

Knowing the table and field names, you can “pick up” the length of the username and password, and then extract the username and password character by character.

if((select count(*) from users where login='admin') = 1, sleep(5), null)
if((select length(password) from users where login='admin') = 1, sleep(5), null)
select if((select mid(password, 5,1) from users where login='admin') = 'a', sleep(5), null)

With a binary search over the character value, only 8 requests are needed per character.

Granted, this is not exactly hot-shot hacking, but it is a fun way to blindly explore the structure of the database, the field names (those can also be picked out character by character) and the data itself.

By the way, page-by-page navigation parameters need escaping too; the method is the same, but uses UNION SELECT ...

The moral of this fable: even a single unescaped parameter, which at worst seems to produce nothing more than “sorry, an error”, can drain the entire database.
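The fix the moral calls for is parameter binding rather than hand-rolled escaping. The following is an added example, not code from the original post: it places the string-pasting lookup the post describes next to a bound-parameter lookup and feeds both the quote-breaking ' OR ... shape used above. SQLite (which has no sleep()) stands in for MySQL so it runs offline; the user rows are constructed, and MySQL DB-API drivers accept the same separate-parameters call, only with their own placeholder style.

```python
import sqlite3

# Constructed sample rows, not data from the original post.
SEED_ROWS = [("admin", "s3cret"), ("alice", "hunter2")]


def make_db():
    """In-memory users table standing in for the post's MySQL database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_ROWS)
    return conn


def lookup_vulnerable(conn, login):
    """The pattern the post describes: the parameter is pasted into the SQL text.
    A closing quote inside `login` ends the literal and the rest is parsed as SQL."""
    sql = f"SELECT login FROM users WHERE login = '{login}'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error:
        return []  # the "black box": every error becomes "no data"


def lookup_safe(conn, login):
    """Hardened form: the driver binds the value separately from the SQL text,
    so the quote and the OR clause never leave the string literal."""
    sql = "SELECT login FROM users WHERE login = ?"
    return [row[0] for row in conn.execute(sql, (login,))]


# The quote-breaking shape from the post; a tautology replaces the sleep() branch
# because SQLite has no sleep(). The trailing "login = '" keeps the SQL well-formed.
PROBE = "' OR 1 = 1 OR login = '"

if __name__ == "__main__":
    conn = make_db()
    print(lookup_vulnerable(conn, PROBE))  # every login: the injected clause ran
    print(lookup_safe(conn, PROBE))        # []: the probe was just an odd login value
    print(lookup_safe(conn, "admin"))      # ['admin']: normal lookups still work
```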

This note was born from analyzing the requests made to one of the sites and trying to make sense of them.

Please don't start a holy war about MySQL's inferiority as a database, or about the “one true” method of escaping data.

Source: https://habr.com/ru/post/134372/
