Time Based SQL Injection - PowerPoint PPT Presentation

1 / 27
About This Presentation
Title:

Time Based SQL Injection

Description:

Time based SQL Injection. Presented by Muhaimin Dzulfakar. Who am I ... Why we need Time Based SQL Injection ... Time Based Blind injection (for MySQL) ... – PowerPoint PPT presentation

Number of Views:1250
Avg rating:3.0/5.0
Slides: 28
Provided by: pben
Category:
Tags: sql | based | injection | time

less

Transcript and Presenter's Notes

Title: Time Based SQL Injection


1
Time Based SQL Injection
Presented by Muhaimin Dzulfakar
2
Who am I
  • Muhaimin Dzulfakar
  • Security Consultant Security-Assessment.com
  • Application and network pen-tester

3
Agenda
  • What is time based SQL Injection
  • Differences between blind and time based SQL
    Injection
  • Time based injection with heavy queries
  • Limitation of time based SQL Injection

4
Different types of SQL Injection
  • In Band Injection
  • Out of Band Injection
  • Blind SQL Injection
  • Time Based SQL Injection

5
In Band Injection
  • Results are embedded via union select
  • Useful when SQL error message is displayed
  • Fastest way to extract data
  • Ex http//www.buyviagra.com/buy.php?id1 UNION
    ALL null, null, null, null, concat(username,0x3a,a
    dmin_password), null from admin/

6
In Band Injection
7
Out of Band Injection
  • Use a different communication channel to drill
    for data
  • Ex Web Mail application in which data
    received via SMTP is
  • processed
  • Example of attack Accessing your neighbour
    database server with OOB injection
  • Ex http//www.buyviagra.com/buy.asp?id1
    UNION ALL SELECT
  • a. FROM OPENROWSET('SQLOLEDB','uidsapw
    d
  • NetworkDBMSSOCNAddress10.1.1.1timeout
    1','SELECT
  • user, pass FROM users') AS a--

8
Out of Band Injection
www.buyviagra.com
Web server
OOB Injection
Database A
Database B
10.1.1.1
9
Blind SQL Injection
  • Application generates custom error message for
    failed response and normal page for successful
    response
  • Comparison between true and false response
  • AND 11 -gt true AND 12 -gt false
  • Read data byte by byte

10
Blind SQL Injection
11
Blind SQL Injection
12
Time Based SQL Injection
  • Use time delay to differentiate between true and
    false
  • True response time delay is executed
  • Failed response time delay is not executed
  • Read data byte by byte exactly the same method
    as blind injection
  • First example by Chris Anley's paper More
    advanced SQL Injection
  • Another example is in David Litchfield paper
    Data Mining with SQL Injection and Inference

13
When we need Time Based SQL Injection
  • When the application generates default page for
    true or false response
  • When the application generates the same custom
    error page for true or false response
  • Injection is successful but can't be seen by the
    attacker

14
Scenario 1 (Blind Injection attack)?
  • default1
  • if value is not between 1-20
  • redirect user to
    page.php?iddefault
  • execute SQL statement

  • 1 AND 11 TRUE -gt default page displayed
  • 1 AND 12 FALSE -gt default page displayed
  • BLIND
    INJECTION FAILED!

15
Scenario 1 (Time Based Blind Injection attack)?
  • default1
  • if value is not between 1-20
  • redirect user to
    page.php?iddefault
  • execute SQL statement
  • 1 AND 11 TRUE -gt takes 5 seconds
    to response
  • 1 AND 12 FALSE -gt takes 1 second to
    response
  • TIME BASED BLIND
    INJECTION
  • WORKS!

16
Time Based SQL Injection
TRUE 2478ms
FALSE 117ms
17
Spot the different
  • Blind Injection (for MySql)?
  • 1 AND ASCII(substring((_at__at_version),1,1))lt52
  • If the first character of the database
    version is less than 4,
  • it is true
  • If the first character of database
    version is 4 or more, it is
  • false

position
query
operator
char
18
Spot the different
  • Time Based Blind injection (for MySQL)?
  • 1 AND (SELECT IF((IFNULL(ASCII(SUBSTRING((SELECT
    _at__at_version),1,1)),0)lt52),BENCHMARK(900000,SHA1(1)),
    1))?
  • If the first character of database
    version is less than 4,
  • execute BENCHMARK
  • If the first character of database
    version is not less than
  • 4,do not execute BENCHMARK

char
count time
operator
time delay
query
position
19
Time Based Injection on MSSQL
  • Time Based Injection (MSSQL)?
  • 1 AND if not(substring((select
    _at_version),25,1) lt 52)?
  • waitfor delay '009'--
  • If the first character less than 4,
    execute waitfor delay

query
time delay
position
operator
char
20
Other Databases
  • Oracle (without PL/SQL support) MS Access, DB2 do
    not have delay functions
  • Time Based Injection is possible by using heavy
    queries
  • Chema Alonso and Jose Prada talked about this in
    Defcon 2008
  • 2 types of conditions in 'where clause'
  • Light Condition first
  • Heavy Condition first
  • Select A from B where ConditionA and ConditionB

21
Heavy condition first
Result from Alonso research
22
Light condition first
Result from Alonso research
23
Heavies Queries
  • Oracle evaluates the conditions from left to
    right
  • MS Access evaluates the conditions from right to
    left
  • MSSQL evaluates light condition first
  • Table name needs to be known
  • Some of the well known default tables
  • MSSQL sysussers
  • MySQL information_schema.c
    olums
  • Oracle - all_users

24
Heavies Queries
  • Example of time based injection using heavy
    queries on MSSQL (light condition evaluates
    first)?
  • 1 AND (select count() FROM sysusers as sys1,
    sys2, sysusers as sys2, sysusers as sys3,
    sysusers as sys4, sysusers as sys5, sysusers as
    sys6, sysusers as sys7, sysusers as sys8)gt 0 AND
    52 lt (select top 1 ASCII(substring(name,1,1))
    from sysusers)?
  • Suitable for databases that do not support time
    delay functions
  • Ex Oracle and MS Access

heavy query
light query
25
Limitation
  • Results are not efficient during the busy times
  • Time delay results also depend on how much data
    stored in the table

26
Demo
27
Question ?
muhaimin.dzulfakar_at_security-assessment.com
Write a Comment
User Comments (0)
About PowerShow.com