Showing posts with label MySQL. Show all posts
Showing posts with label MySQL. Show all posts

Saturday, 12 October 2013

Even Faster Blind SQL injection methods

A method presented at DerbyCon and BlackHat involves extracting not the bits of the character but the bits of a characters position in a look up table which contains a number of character ascii values---more on this later. This post discusses the conceptual advantages and fundamental drawbacks of the bin2pos method and introduces a new variant I've developed which provides better stability and only requires a maximum of 4 requests per character extraction but imposes some configurational requirements to the target web server.



Monday, 16 July 2012

NoNoScript : ByPassing NoScript's XSS filters via Error Basd SQLi

NoScript is a firefox add-on or `extension' in charge of stopping reflected XSS attacks. It operates by inspecting and auditing responses---much like other XSS filters---AND requests made by browsers.

Largely NoScript provides a great service, and manages to stop most attacks provided that the injection data is recognizable in the requests---meaning both POST and GET requests. Though because of how it works, when injection data
is not recognizable in requests, NoScript---and for that matter no other XSS filters---will be able to detect the attacks. This largely happens when data is injected in encrypted/hashed/encoded* format.  

granted some encodings are accounted for in NoScript and other XSS filters, don't expect to get around the best XSS filters known to man by simply %-encoding your injection data!

One example of a XSS attack where payloads are injected in a way that is not
recognizable to NoScript is in SQL injections. Namely Error Based SQL injection. The following demonstration will show you how to beat NoScript using
MySQL error based injection.