Tag Archives: SQL

Exploiter une injection SQL les doigts dans le nez

Si au petit-déj, vous aimez manger des injections SQL, voici un petit outil qui va vous permettre de tester votre site afin de voir si celui-ci est vulnérable.

Cet outil, c’est The Mole. C’est tout en ligne de commande pour les barbus et ça permet simplement à partir d’une URL contenant une chaine de caractère valide, de voir s’il est possible d’y injecter du SQL.

Mole3 Exploiter une injection SQL les doigts dans le nez

C’est pratique, car tout automatique et ça gère aussi bien MySQL, SQL Server, Postgres et Oracle.

The Mole est téléchargeable ici et pour apprendre à vous en servir, il y a un très bon tuto ici.

A utiliser sur votre propre machine, car sur les machines des autres, c’est illégal.

flattr this!

CodeSOD: The Anti-SQL Coalition

"There is a small coalition of developers at the office who are vehemently anti-database," writes Bob, "naturally, this faction also doesn’t value 'experience' — mostly, because they have none. At least, not outside their university studies. They'll often liken a database server to a file system, and suggest that it's just a convenient way to store blobs of data — but everything else is inelegant bloat."

"Of course, since this coalition doesn't have any actual decision making power, their strong opinions remain just that, and we stick with a standard tech of technology. Of course, their attitude often leaks into the code, as in this example of a simple search query that was used to search for an employee by name. The trick is we have employees with accented characters in our directory but, if a user search for the name without the accented char (e instead of é), it needs to return the result anyway."

SELECT *
  FROM Persons
 WHERE /* HACK! Being SQL, there's no concept of 
          RegEx, so we have to this horrible hack  */
       Replace(Replace(Replace(Replace(
       Replace(Replace(Replace(Replace(
       Replace(Replace(Replace(Replace(
       Replace(Replace(Replace(Replace(name, ' ',''),
         'É','E'),'È','E'),'Ê','E'),'Ë','E'),
	 'À','A'),'Â','A'),'Ä','A'),
	 'Ï','I'),'Î','I'),
	 'Ç','C'),
	 'Ô','O'),'Ö','O'),
	 'Ü','U'),'Ù','U'),'Û','U') 
       LIKE @name AND 
       /* HACK AGAIN! Oh yeah, no cod reuse.
          Why are we doing this in SQL!? */
       Replace(Replace(Replace(Replace(
       Replace(Replace(Replace(Replace(
       Replace(Replace(Replace(Replace(
       Replace(Replace(Replace(Replace(surname, ' ',''),
       'É','E'),'È','E'),'Ê','E'),'Ë','E'),
       'À','A'),'Â','A'),'Ä','A'),
       'Ï','I'),'Î','I'),
       'Ç','C'),
       'Ô','O'),'Ö','O'),
       'Ü','U'),'Ù','U'),'Û','U') 
       LIKE @surname 
 ORDER BY name, surname

Bob added, "like most of their code, I was able to replace it with a much simpler block."

SELECT * 
  FROM Persons 
 WHERE name collate Latin1_General_CI_AI LIKE @name 
   AND surname collate Latin1_General_CI_AI LIKE @surname 
 ORDER BY name, surname

sqlsus 0.7.1 Released – MySQL Injection & Takeover Tool

sqlsus is an open source MySQL injection and takeover tool, written in perl. Via a command line interface, you can retrieve the database(s) structure, inject your own SQL queries (even complex ones), download files from the web server, crawl the website for writable directories, upload and control a backdoor, clone the database(s), and much…

Read the full post at darknet.org.uk

CodeSOD: The Query of Despair

Jeroen's colleague had the misfortune of being assigned to debug an intermittent, unspecified error in the one of the oldest of the legacy applications. "The good news is that I've isolated it to a database query," he told Jeroen, "the bad news is that I've isolated it to a database query."

Knowing that his colleague wasn’t a big fan of databases, Jeroen offered his assistance. In response, he received the following image.

"I don't think anyone can help me," the his colleague wrote.