7/31/2019 Time Based SQL Injections
1/27
2008 Security-Assessment.com
1
Time Based SQL Injection
Presented by Muhaimin Dzulfakar
-
Who am I
Muhaimin Dzulfakar
Security Consultant, Security-Assessment.com
Application and network pen-tester
-
Agenda
What is time based SQL Injection
Differences between blind and time based SQL Injection
Time based injection with heavy queries
Limitations of time based SQL Injection
-
Different types of SQL Injection
In Band Injection
Out of Band Injection
Blind SQL Injection
Time Based SQL Injection
-
In Band Injection
Results are embedded via union select
Useful when SQL error message is displayed
Fastest way to extract data
Ex: http://www.buyviagra.com/buy.php?id=1 UNION ALL null, null, null, null, concat(username,0x3a,admin_password), null from admin/*
-
In Band Injection
-
Out of Band Injection
Use a different communication channel to drill for data
Ex: Web Mail application in which data received via SMTP is processed
Example of attack: accessing your neighbour's database server with OOB injection
Ex: http://www.buyviagra.com/buy.asp?id=1 UNION ALL SELECT a.* FROM OPENROWSET('SQLOLEDB','uid=sa;pwd=;Network=DBMSSOCN;Address=10.1.1.1;timeout=1','SELECT user, pass FROM users') AS a--
-
Out of Band Injection
(Diagram labels: Web server, Database A, Database B, OOB Injection, www.buyviagra.com, 10.1.1.1)
-
Blind SQL Injection
Application generates a custom error message for a failed response and the normal page for a successful response
Compare the true and false responses:
AND 1=1 -> true
AND 1=2 -> false
Read data byte by byte
-
Blind SQL Injection
-
Blind SQL Injection
-
Time Based SQL Injection
Use a time delay to differentiate between true and false
True response: the time delay is executed
Failed response: the time delay is not executed
Read data byte by byte, exactly the same method as blind injection
First example in Chris Anley's paper, More Advanced SQL Injection
Another example is in David Litchfield's paper, Data Mining with SQL Injection and Inference
-
When we need Time Based SQL Injection
When the application generates the default page for a true or false response
When the application generates the same custom error page for a true or false response
Injection is successful but can't be seen by the attacker
-
Scenario 1 (Blind Injection attack)
$default = 1
if value is not between 1-20
{
    redirect user to page.php?id=$default
    execute SQL statement
}
1 AND 1=1 [TRUE]  -> default page displayed
1 AND 1=2 [FALSE] -> default page displayed
BLIND INJECTION FAILED!
-
Scenario 1 (Time Based Blind Injection attack)
$default = 1
if value is not between 1-20
{
    redirect user to page.php?id=$default
    execute SQL statement
}
1 AND 1=1 [TRUE]  -> takes 5 seconds to respond
1 AND 1=2 [FALSE] -> takes 1 second to respond
TIME BASED BLIND INJECTION WORKS!
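To make the two Scenario 1 slides concrete, here is an added example in Python with sqlite3; it is not code from the deck or from Security-Assessment.com, and it assumes a products table with ids 1-20 behind a page that renders $default when the id is out of range. vulnerable_lookup reproduces the defect the slide describes: the range check only decides which page is rendered, while the raw value is still concatenated into the SQL, so the injected condition is evaluated even though the page looks identical for TRUE and FALSE. That is exactly why a delay in the same position is observable when a boolean difference is not. hardened_lookup shows the fix: validate to an integer and bind it as a parameter. sqlite3 has no delay function, so only the boolean half is exercised here.

```python
import sqlite3

# Constructed stand-in for the table behind page.php?id=... (assumption: an
# integer id column with 20 rows, matching the slide's "between 1-20" check).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
conn.executemany("INSERT INTO products VALUES (?, ?)",
                 [(i, f"product-{i}") for i in range(1, 21)])

DEFAULT_ID = 1  # the slide's $default=1


def vulnerable_lookup(raw_id):
    """Scenario 1 as described on the slide: an id that is not a number between
    1 and 20 makes the page render the default id, but the raw value is still
    concatenated into the SQL statement, so an injected condition is evaluated.
    Returns (id shown to the user, rows the database actually returned)."""
    try:
        shown_id = int(raw_id)
        if not 1 <= shown_id <= 20:
            shown_id = DEFAULT_ID
    except ValueError:
        shown_id = DEFAULT_ID
    # The defect: string concatenation of attacker-controlled input.
    sql = "SELECT name FROM products WHERE id = " + str(raw_id)
    rows = conn.execute(sql).fetchall()
    return shown_id, rows


def hardened_lookup(raw_id):
    """Fix: validate to an in-range integer first, then bind it as a parameter,
    so the value can never be interpreted as SQL. Rejects anything else."""
    try:
        product_id = int(raw_id)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer")
    if not 1 <= product_id <= 20:
        raise ValueError("id out of range")
    rows = conn.execute("SELECT name FROM products WHERE id = ?",
                        (product_id,)).fetchall()
    return product_id, rows


if __name__ == "__main__":
    # Same page shown both times, different database-side result: the
    # injection succeeded but the attacker cannot see it.
    for probe in ("1 AND 1=1", "1 AND 1=2"):
        shown, rows = vulnerable_lookup(probe)
        print(f"vulnerable: page shows id={shown}, query returned {rows}")
    for probe in ("1 AND 1=1", "5"):
        try:
            print("hardened:", hardened_lookup(probe))
        except ValueError as exc:
            print("hardened: rejected", repr(probe), "->", exc)
```

Run as a script, the vulnerable path returns one row for the TRUE probe and none for the FALSE probe while reporting id=1 for both, and the hardened path rejects the probe before any SQL runs.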
-
Time Based SQL Injection
TRUE = 2478 ms, FALSE = 117 ms
-
Spot the difference
Blind Injection (for MySql)
1 AND ASCII(substring((@@version),1,1))
-
Spot the difference
Time Based Blind injection (for MySQL)
1 AND (SELECT IF((IFNULL(ASCII(SUBSTRING((SELECT @@version),1,1)),0)
-
Time Based Injection on MSSQL
Time Based Injection (MSSQL)
1 AND if not(substring((select @version),25,1) < 52) waitfor delay '0:0:9'--
If the first character is less than 4, execute waitfor delay
(Slide annotations label the parts of the payload: query, position, operator, char and time delay.)
-
Other Databases
Oracle (without PL/SQL support), MS Access and DB2 do not have delay functions
Time Based Injection is possible by using heavy queries
Chema Alonso and Jose Parada talked about this at Defcon 2008
2 types of conditions in the WHERE clause:
Light Condition first
Heavy Condition first
Select A from B where ConditionA and ConditionB
-
Heavy condition first
Heavy condition: 100 sec, light condition: 10 sec
Heavy condition   Light condition   Result   Time
False             not evaluated     False    100 seconds
True              True              True     110 seconds
True              False             False    110 seconds
Result from Alonso research
-
Light condition first
Light condition: 10 sec, heavy condition: 100 sec
Light condition   Heavy condition   Result   Time
False             not evaluated     False    10 seconds
True              True              True     110 seconds
True              False             False    110 seconds
Result from Alonso research
-
Heavy Queries
Oracle evaluates the conditions from left to right
MS Access evaluates the conditions from right to left
MSSQL evaluates the light condition first
Table name needs to be known
Some of the well known default tables:
MSSQL - sysusers
MySQL - information_schema.columns
Oracle - all_users
-
Heavy Queries
Example of time based injection using heavy queries on MSSQL (light condition evaluates first)
1 AND (select count(*) FROM sysusers as sys1, sysusers as sys2, sysusers as sys3, sysusers as sys4, sysusers as sys5, sysusers as sys6, sysusers as sys7, sysusers as sys8) > 0 AND 52 < (select top 1 ASCII(substring(name,1,1)) from sysusers)
Suitable for databases that do not support time delay functions
Ex: Oracle and MS Access
(Slide annotations mark the first subquery as the heavy query and the second as the light query.)
-
Limitation
Results are unreliable during busy times
Time delay results also depend on how much data is stored in the table
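The heavy-query slides and the Limitation slide have a defender-side counterpart: the properties that make the technique work (a delay primitive or a self-joined default table in the request, plus a response far slower than normal) are what a log review looks for, and the "busy times" noise that hurts the attacker is the same noise that produces false positives for the defender. The following detector is an added example in Python, not code from the deck or from Security-Assessment.com. It runs over a handful of constructed access-log lines (assumed format: timestamp, client, request line, status, response time in ms), flags the MSSQL waitfor delay form and repeated references to the default tables the slides list, and compares each response time against a per-path median so that a single slow benign request becomes a low-severity timing-only finding rather than a false high. MySQL's SLEEP() and BENCHMARK() are added to the delay list for coverage and are not mentioned on the slides.

```python
import re
import statistics
from urllib.parse import unquote_plus

# Constructed access-log lines (not from the slides): timestamp, client, request
# line, status, response time in ms. Lines 5 and 6 carry the MSSQL delay and
# heavy-query shapes shown on the slides; line 7 is a benign request slowed by load.
LOG_LINES = [
    '2008-10-01T10:00:01 10.0.0.5 "GET /buy.php?id=1 HTTP/1.1" 200 120',
    '2008-10-01T10:00:02 10.0.0.5 "GET /buy.php?id=2 HTTP/1.1" 200 131',
    '2008-10-01T10:00:03 10.0.0.6 "GET /buy.php?id=3 HTTP/1.1" 200 118',
    '2008-10-01T10:00:04 10.0.0.9 "GET /buy.php?id=1+AND+1%3D1 HTTP/1.1" 200 125',
    '2008-10-01T10:00:05 10.0.0.9 "GET /buy.php?id=1+AND+if+not(substring((select+%40version),25,1)+%3C+52)+waitfor+delay+%270:0:9%27-- HTTP/1.1" 200 9130',
    '2008-10-01T10:00:06 10.0.0.9 "GET /buy.php?id=1+AND+(select+count(*)+FROM+sysusers+as+sys1,+sysusers+as+sys2,+sysusers+as+sys3)%3E0+AND+52+%3C+(select+top+1+ASCII(substring(name,1,1))+from+sysusers) HTTP/1.1" 200 7480',
    '2008-10-01T10:00:07 10.0.0.7 "GET /buy.php?id=7 HTTP/1.1" 200 2405',
]

LINE_RE = re.compile(r'^(\S+) (\S+) "(\S+) (\S+) [^"]*" (\d{3}) (\d+)$')

# Delay primitives: waitfor delay is the MSSQL form on the slides; SLEEP() and
# BENCHMARK() are MySQL functions added here and are not on the slides.
DELAY_PRIMITIVES = [
    ("waitfor delay (MSSQL)", re.compile(r"waitfor\s+delay", re.I)),
    ("sleep() (MySQL)", re.compile(r"\bsleep\s*\(", re.I)),
    ("benchmark() (MySQL)", re.compile(r"\bbenchmark\s*\(", re.I)),
]
# Default tables named on the slides; a heavy query self-joins one of them repeatedly.
SYSTEM_TABLES = ("sysusers", "all_users", "information_schema.columns")
HEAVY_MIN_REFERENCES = 3


def parse_line(line):
    """Split one log line into fields; returns None for a line that does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, url, status, ms = m.groups()
    path, _, query = url.partition("?")
    return {"ts": ts, "client": client, "method": method, "path": path,
            "query": unquote_plus(query), "status": int(status), "ms": int(ms)}


def payload_signatures(query):
    """Content-based reasons: delay primitives and repeated system-table references."""
    reasons = [f"delay primitive: {name}" for name, pat in DELAY_PRIMITIVES if pat.search(query)]
    for table in SYSTEM_TABLES:
        n = len(re.findall(re.escape(table), query, re.I))
        if n >= HEAVY_MIN_REFERENCES:
            reasons.append(f"heavy query: {table} referenced {n} times")
    return reasons


def analyse(lines, slow_factor=8, slow_floor_ms=1000):
    """Findings for requests that carry a payload signature, are slow relative to
    their path's baseline, or both. Severity: high = both, medium = signature
    only, low = timing only (the busy-server case from the Limitation slide)."""
    records = [r for r in map(parse_line, lines) if r]
    clean = {}
    for r in records:  # baseline only from requests without signatures
        if not payload_signatures(r["query"]):
            clean.setdefault(r["path"], []).append(r["ms"])
    # Median per path, so one busy-time spike does not drag the baseline up.
    baseline = {path: statistics.median(ms) for path, ms in clean.items()}
    findings = []
    for r in records:
        sig = payload_signatures(r["query"])
        med = baseline.get(r["path"])
        slow = med is not None and r["ms"] >= max(slow_factor * med, slow_floor_ms)
        if not sig and not slow:
            continue
        reasons = list(sig)
        if slow:
            reasons.append(f"response {r['ms']} ms vs path median {med:.0f} ms")
        severity = "high" if sig and slow else "medium" if sig else "low"
        findings.append({"ts": r["ts"], "client": r["client"], "path": r["path"],
                         "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse(LOG_LINES):
        print(f["severity"].upper(), f["ts"], f["client"], "; ".join(f["reasons"]))
```

On the constructed lines the two payload-bearing requests come out as high severity, while the slow but benign request on the last line is reported as low with a timing-only reason. Raising slow_floor_ms or slow_factor is how a noisy site tunes the timing channel, the mirror image of the "busy times" limitation on the slide; the content signatures do not depend on timing at all, which is why a heavy query is worth flagging even when the server happens to answer quickly.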
-
Question ?