MySQL injection
RootedCON is the most important cybersecurity event in Spain and one of the most important in Europe. By promoting technical knowledge, this conference is a meeting point for technology and cybersecurity professionals in every discipline.
Interesting Functions
Confirm MySQL:
Useful Functions
The following functions and system variables (the @@ names) can be useful when performing MySQL injection:
version(): returns the version of the MySQL database.
database(): returns the name of the current database.
user(): returns the username used to connect to the MySQL database.
current_user(): returns the current user.
@@hostname: the hostname of the MySQL server.
@@datadir: the data directory of the MySQL server.
@@basedir: the base directory of the MySQL server.
@@version_compile_os: the operating system on which the MySQL server was compiled.
@@secure_file_priv: the directory where the server can access files.
@@global.have_ssl: whether the server has SSL support enabled.
@@global.version: the version of the MySQL server.
@@global.plugin_dir: the directory where the server plugins are located.
@@global.datadir: the data directory of the MySQL server.
@@global.innodb_data_home_dir: the InnoDB data home directory.
@@global.innodb_log_group_home_dir: the InnoDB log group home directory.
@@global.tmpdir: the temporary directory used by the server.
@@global.max_allowed_packet: the maximum allowed packet size for the server.
@@global.max_connections: the maximum number of connections allowed by the server.
@@global.max_user_connections: the maximum number of connections allowed for a single user.
@@global.wait_timeout: the wait timeout value for the server.
@@global.interactive_timeout: the interactive timeout value for the server.
@@global.log_error: the path to the error log file.
@@global.log_output: the log output destination.
@@global.log_bin: whether binary logging is enabled.
@@global.log_bin_trust_function_creators: whether function creators are trusted for binary logging.
@@global.log_slave_updates: whether updates received by a slave server are logged.
@@global.log_slow_queries: whether slow queries are logged.
@@global.log_warnings: whether warnings are logged.
@@global.log_queries_not_using_indexes: whether queries not using indexes are logged.
@@global.log_throttle_queries_not_using_indexes: whether throttling is applied to the logging of queries not using indexes.
@@global.log_slow_admin_statements: whether slow administrative statements are logged.
@@global.log_slow_slave_statements: whether slow slave statements are logged.
@@global.log_bin_trust_routine_creators: whether routine creators are trusted for binary logging.
@@global.log_bin_trust_trigger_creators: whether trigger creators are trusted for binary logging.
@@global.log_bin_trust_event_creators: whether event creators are trusted for binary logging.
@@global.log_bin_trust_table_creators: whether table creators are trusted for binary logging.
@@global.log_bin_trust_procedure_creators: whether procedure creators are trusted for binary logging.
@@global.log_bin_trust_view_creators: whether view creators are trusted for binary logging.
All injection
Description
Injection is a technique for inserting or altering data in an application or computer system in a way that was not expected or intended. In the field of SQL injection, this means inserting or altering data in a database management system (DBMS) such as MySQL.
MySQL Injection
MySQL is a popular database management system that is widely used in web development. Because of its popularity, MySQL is a prime target for SQL injection attacks.
In MySQL injection, we try to insert or alter data in a MySQL database using SQL injection techniques. This can be done through data input fields in web forms, web requests, or even web URLs.
Types of MySQL Injection
There are several types of MySQL injection that can be used to carry out SQL injection attacks. Some of the well-known types are:
Classic SQL Injection: ordinary SQL input is used to alter or insert data in the MySQL database.
Time-based SQL Injection: delays in the execution time of SQL statements are used to extract information from the MySQL database.
Error-based SQL Injection: errors raised by SQL statements are used to extract information from the MySQL database.
Blind SQL Injection: the direct result of the SQL statements is not visible, but a given condition can be confirmed or denied using true-or-false questions.
Preventing MySQL Injection
Preventing MySQL injection is essential to protect your database and your data. Some steps you can take to prevent MySQL injection:
Use prepared statements or parameterized queries instead of building SQL statements by string concatenation.
Use input validation to ensure that the data received is correct and safe.
Sanitize data before inserting it into the database by removing or escaping dangerous characters.
Patch and update your database management system regularly to fix security flaws.
By following these preventive steps, you take important measures to protect your database against MySQL injection attacks.
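The prevention steps above, shown side by side in working code. This is an added example, not code from the original page: the vulnerable lookup concatenates user input into the SQL string, the safe lookup binds it as a parameter, and an allow-list check rejects implausible usernames before the query runs. It assumes Python's standard-library sqlite3 as a stand-in for a MySQL server so that it runs offline; with PyMySQL or mysql-connector the only change is the placeholder style (%s instead of ?). The table and rows are constructed.

```python
import re
import sqlite3

USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def make_db():
    # Constructed sample schema and rows; sqlite3 stands in for MySQL here
    # (assumption) so the example runs without a database server.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, flag TEXT)")
    conn.executemany(
        "INSERT INTO users (name, flag) VALUES (?, ?)",
        [("alice", "flag{alice}"), ("bob", "flag{bob}")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # Classic injection sink: the input becomes part of the SQL grammar,
    # so a quote in the input changes the WHERE clause itself.
    sql = "SELECT name, flag FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    # Parameterized query: the driver sends the input as data bound to the
    # placeholder, so it is never parsed as SQL (placeholder is %s for MySQL drivers).
    sql = "SELECT name, flag FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def is_valid_username(name):
    # Allow-list validation: only a short run of [A-Za-z0-9_] is accepted.
    return USERNAME_RE.fullmatch(name) is not None


def lookup_validated(conn, name):
    # Defence in depth: validate first, then still use the parameterized query.
    if not is_valid_username(name):
        raise ValueError("invalid username")
    return lookup_safe(conn, name)


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # the classic tautology, used here only to show the difference
    print("vulnerable:", lookup_vulnerable(db, probe))  # returns every row
    print("safe:      ", lookup_safe(db, probe))        # returns no rows
    print("validated: ", is_valid_username(probe))      # False, rejected before the query
```

The point of the third layer is that validation alone is not the fix: a field that legitimately contains quotes (a free-text comment, a surname like O'Brien) cannot be allow-listed this tightly, and only the parameterized query protects it.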
from https://labs.detectify.com/2013/05/29/the-ultimate-sql-injection-payload/
Flow
Remember that in "modern" versions of MySQL you can substitute "information_schema.tables" with "mysql.innodb_table_stats" (this can be useful to bypass WAFs).
Only 1 value
group_concat()
Limit X,1
Blind one by one
substr(version(),X,1)='r'
or substring(version(),X,1)=0x70
or ascii(substr(version(),X,1))=112
mid(version(),X,1)='5'
Blind adding
LPAD(version(),1...length(version()),'1')='asd'...
RPAD(version(),1...length(version()),'1')='asd'...
SELECT RIGHT(version(),1...length(version()))='asd'...
SELECT LEFT(version(),1...length(version()))='asd'...
SELECT INSTR('foobarbar', 'fo...')=1
Detect number of columns
Using a simple ORDER
MySQL Union Based
Description
MySQL Union Based is an SQL injection technique used to manipulate and retrieve data from a MySQL database. The technique uses the UNION statement to combine the results of different SQL queries.
Steps
Examine the website and identify areas that may be vulnerable to SQL injection.
Find the places where SQL injection can be entered.
Try to inject SQL injection code using the UNION statement.
Check whether errors or error messages indicate that the SQL injection succeeded.
If the SQL injection succeeded, try to determine the database structure and the table names.
Use the UNION statement to combine different SQL queries and retrieve data from the database.
Evaluate and use the data obtained for your investigation or research purposes.
Security Tips
Make sure your website is locked down and hardened against SQL injection attacks.
Use security tools such as a WAF (Web Application Firewall) to block SQL injection attacks.
Audit your website regularly to find and fix SQL injection vulnerabilities.
Use preventive techniques such as filtering and sanitizing data before it enters SQL queries.
SSRF
Learn here different options to abuse MySQL injection to obtain an SSRF.
WAF bypass tricks
Information_schema alternatives
Remember that in "new" versions of MySQL you can substitute information_schema.tables with mysql.innodb_table_stats or sys.x$schema_flattened_keys or sys.schema_table_statistics
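Detection logic for the probes described on this page, as an added example that is not part of the original page: it scans web-server access-log lines for the character-by-character and padding probes listed under "Blind one by one" and "Blind adding", and for the information_schema alternatives named just above, which a WAF keyed only on information_schema would miss. The log lines are constructed, the rule names are my own, and the normalization (double URL-decoding, stripping /**/ comments used in place of spaces) is an assumption about common evasion, not something the page states.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Apache/nginx combined-style); not from any real server.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /item?id=5 HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /item?id=5%20AND%20substr(version(),1,1)=%275%27 HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /item?id=5%20AND%20LPAD(version(),1,%271%27)=%27a%27 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /item?id=1%20UNION%20SELECT%20table_name%20FROM%20mysql.innodb_table_stats HTTP/1.1" 200 900',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /item?id=1/**/UNION/**/SELECT/**/1/**/FROM/**/sys.x$schema_flattened_keys HTTP/1.1" 500 0',
    '10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /search?q=version%20history HTTP/1.1" 200 2048',
]

# Rule names are my own labels. Each pattern keys on version() being passed to a
# string function, or on the catalogue tables used as information_schema substitutes.
RULES = {
    "blind_char_probe": re.compile(r"\b(substr|substring|mid)\s*\(\s*version\s*\(\s*\)", re.I),
    "blind_pad_probe": re.compile(r"\b(lpad|rpad|left|right)\s*\(\s*version\s*\(\s*\)", re.I),
    "ascii_probe": re.compile(r"\bascii\s*\(\s*substr", re.I),
    "schema_alt_source": re.compile(
        r"\b(mysql\.innodb_table_stats|sys\.x\$schema_flattened_keys|sys\.schema_table_statistics)\b",
        re.I,
    ),
}

REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')


def normalize(target):
    # Decode twice so a double-encoded payload is still seen, then replace inline
    # comments (a common whitespace substitute) with a space so the regexes
    # that expect whitespace-separated tokens still match.
    decoded = unquote_plus(unquote_plus(target))
    return re.sub(r"/\*.*?\*/", " ", decoded)


def scan_line(line):
    # Return the names of every rule that fires on the request target of one log line.
    m = REQUEST_RE.search(line)
    if not m:
        return []
    text = normalize(m.group(1))
    return [name for name, rx in RULES.items() if rx.search(text)]


def scan_log(lines):
    # Return (client_ip, [rule names]) for each line that triggered at least one rule.
    hits = []
    for line in lines:
        rules = scan_line(line)
        if rules:
            client_ip = line.split(" ", 1)[0]
            hits.append((client_ip, rules))
    return hits


if __name__ == "__main__":
    for ip, rules in scan_log(SAMPLE_LOG):
        print(ip, ",".join(rules))
```

The last sample line ("version history" as a search term) is there to show why the rules anchor on version followed by parentheses rather than on the word alone; the same consideration applies to any rule you add for user(), database() or the @@ variables listed at the top of the page.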
MySQL injection without COMMAS
Select 2 columns without using any comma (https://security.stackexchange.com/questions/118332/how-make-sql-select-query-without-comma):
Retrieving values without the column name
If at some point you know the name of the table but you don't know the names of the columns inside it, you can try to find out how many columns there are by executing something like:
Supposing there are 2 columns (the first one being the ID) and the other one the flag, you can try to brute-force the content of the flag by trying it character by character:
More information in https://medium.com/@terjanq/blind-sql-injection-without-an-in-1e14ba1d4952
MySQL history
You can see other executions inside MySQL by reading the table: sys.x$statement_analysis
Version alternatives
Other MySQL injection guides
References