MySQL: Hacking a Black Box

Published on December 10, 2011

    What this is about: a fun and somewhat extravagant way of "hacking" a website where the quotes in one of the parameters are not escaped. We leave aside the question of why the escaping is not handled on the side of the programming language or the ORM.

    Starting point: a website in which one of the parameters of a simple SELECT query is not escaped. At the same time, every error is caught and handled, and a modest "No data" or "An error occurred" is all that gets displayed.

    It would seem the trouble is not great: you cannot update, change or wipe data through it, nothing is ever output, and everything comes down to "Sorry, no data" - a black box.

    But what can actually be done in this situation?

    Straight to the point: the technique rests on the sleep(N) function, which we use as a litmus test. We measure how long the page takes to return under normal conditions, and how long it takes if we substitute ' OR sleep(10) for each of the parameters present in the form. If the page's return time has increased, it is in the bag, and the rest is only a matter of technique.

    For example, we pick the table name using the INFORMATION_SCHEMA meta-database, which is always present and accessible to everyone:

    ' OR 1 = if((select count(*) from INFORMATION_SCHEMA.tables where TABLE_SCHEMA=database() and TABLE_NAME='users') = 1, sleep(10), null)

    If the page's return time has increased significantly, we guessed right; if not, try more candidates, usually up to ten. Next, guess the field names:

    ' OR 1 = if((select count(*) from INFORMATION_SCHEMA.columns where TABLE_SCHEMA=database() and TABLE_NAME='users' and COLUMN_NAME='login') = 1, sleep(5), null)

    Knowing the names of the table and the fields, you can "pick up" the length of the login and password, and then pull out the login and password character by character.

    if((select count(*) from users where login='admin') = 1, sleep(5), null)
    if((select length(password) from users where login='admin') = 1, sleep(5), null)
    select if((select mid(password, 5,1) from users where login='admin') = 'a', sleep(5), null)


    With a binary search over each character of the password, only 8 requests per character are needed.

    Yes, it is not much of a hack, but it is a fun way to explore the database structure blindly: the field names (which can also be picked character by character) as well as the data itself.

    By the way, page navigation parameters must be escaped too - the method is the same, but with the use of UNION SELECT ...

    The moral of this fable: even a single unescaped parameter, which at most seems to yield "sorry, error", can leak the entire database.
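    As an added example (my code, not the author's), here is a small Python check a defender can run over web-server access-log lines to spot the timing probes described above: it decodes the query string, looks for the signatures of the payloads shown in this note (a quote followed by OR/AND, sleep() or benchmark(), if(), INFORMATION_SCHEMA lookups) and also flags responses far above a baseline, which is the article's own litmus test seen from the server side. The log line format and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not taken from the article): method, path, status, time.
SAMPLE_LOG = """\
GET /item?id=42 200 35ms
GET /item?id=42%27+OR+sleep(10)-- 200 10041ms
GET /item?id=42%27+OR+1%3Dif((select+count(*)+from+INFORMATION_SCHEMA.tables+where+TABLE_SCHEMA%3Ddatabase()+and+TABLE_NAME%3D%27users%27)%3D1%2Csleep(10)%2Cnull) 200 10052ms
GET /item?id=43 200 31ms
GET /search?q=sleep+aid 200 40ms
"""

# Assumed log format: "<method> <path> <status> <milliseconds>ms"
LINE_RE = re.compile(r"^(?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) (?P<ms>\d+)ms$")

# Signatures of the probes in the article: a quote that closes the literal followed by a
# boolean operator, sleep()/benchmark() calls, a conditional if(), INFORMATION_SCHEMA lookups.
PROBE_RE = re.compile(
    r"""(?:['"]\s*(?:or|and)\b)|(?:\bsleep\s*\()|(?:\bbenchmark\s*\()"""
    r"""|(?:\bif\s*\()|(?:\binformation_schema\.)""",
    re.IGNORECASE,
)


def decoded_query(path):
    """Return the URL-decoded query string of a request path ('' when there is none)."""
    return unquote_plus(path.partition("?")[2])


def probe_signatures(query):
    """Return the sorted, whitespace-stripped, lower-cased signature hits in a query string."""
    return sorted({re.sub(r"\s+", "", m.group(0)).lower() for m in PROBE_RE.finditer(query)})


def flag_time_based_probes(log_text, baseline_ms=100):
    """Return [(path, reasons)] for requests that look like time-based blind injection.

    A request is flagged when its decoded query carries a probe signature or when its response
    time is far above the baseline (the article's timing litmus, seen from the server side).
    """
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        reasons = probe_signatures(decoded_query(m["path"]))
        ms = int(m["ms"])
        if ms > 10 * baseline_ms:
            reasons.append(f"slow response: {ms}ms")
        if reasons:
            findings.append((m["path"], reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in flag_time_based_probes(SAMPLE_LOG):
        print(path, "->", ", ".join(reasons))
```

    The plain "sleep aid" search term is not flagged, since the signatures require the function-call form, and a single slow request without a signature still surfaces so it can be compared against the decoded query by hand.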

    This note was born from analysing the requests made to one of the sites and trying to make sense of them.

    Please do not start a holy war about the inferiority of MySQL as a database, or about the "only true" way of escaping data.