Posts

Showing posts with the label Error Based MySQLi

Practical Blind-Error Based SQL Injection

Image
Its me again! So in the previous post I talked about Blind-Error Based injection and basically showed the select query you can use to conditionally force errors while still leaking content from the database. This all happened from within a MySQL prompt, not much use to those who want to see the attack in action. Here I'm going to do just that, show you a practical example of the attack against an actual web application.

I'll be using the mod_security challenge set up by spiderlabs a about year ago. It may still ring all the mod_sec alarms but the purpose is not to threaten mod_sec---not yet---instead to show what the attack would look like in full swing.

Using Server Errors to Leak Password Hashes: Blind Error Based SQL Injection

Image
I don't know if this attack has been documented, or if its been documented this way before but I think its either going to be a good reminder to some penetration testers or at most another new way to leak information from a stubborn SQLi vulnerable server.

Some Database servers---in this example MySQL database servers---will not respond to run of the mill blind, error based or time based injection attacks. I'm talking about those that won't return any indication of your query evaluating either true or false, but will notify you of an erroneous query through either something being dumped on screen like 'system error' even returning a 500 HTTP status.

In this post I'll document a technique I just thought up for using the server errors to indicate either the true or false evaluation of an injected query.


NoNoScript : ByPassing NoScript's XSS filters via Error Basd SQLi

Image
NoScript is a firefox add-on or `extension' in charge of stopping reflected XSS attacks. It operates by inspecting and auditing responses---much like other XSS filters---AND requests made by browsers.

Largely NoScript provides a great service, and manages to stop most attacks provided that the injection data is recognizable in the requests---meaning both POST and GET requests. Though because of how it works, when injection data
is not recognizable in requests, NoScript---and for that matter no other XSS filters---will be able to detect the attacks. This largely happens when data is injected in encrypted/hashed/encoded* format.

granted some encodings are accounted for in NoScript and other XSS filters, don't expect to get around the best XSS filters known to man by simply %-encoding your injection data!

One example of a XSS attack where payloads are injected in a way that is not
recognizable to NoScript is in SQL injections. Namely Error Based SQL injection. The following demo…

GooDork : Super Charging your Google Hacking

Image
I recently started work on a very exciting project called GooDork in its most basic function this python script allows you to run google dorks straight from your command line.

Though its real power lies what it allows you to do with the results from a google dork.

Injecting Insert statements: MySQL error based injection

Image
One night while banging injection payloads into a random page I suddenly found myself in an insert statement! This is when I got the idea to use insert statements for MySQL error based injection vectors.
Some people might be wondering why on earth would one would want to inject an insert? Would that even work?
The answer is YES! you can use INSERT statements to leak data via Error based injection much like people already do using SELECT statements

Injecting javascript via MySQL error based injection

Image
I've written about this in a couple of other articles, but I needed it to be on my new blog because it makes a good attack especially when dealing with MySQL databases, because:

MySQL on *nix servers can be configured pretty well, making access to the database very difficult and therefore pwnage can be very difficult!!You have the ability to extend MySQL Error based injection into other attacks that may not be viable on the web application like:non-persistent XSSDefacement of the siteHTTP parameter pollutionDDos (more on this in another post!!) ---using this web application to make requests to other servers at the expense of the person visiting the page