Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2008 Security-Assessment.com 1 Time Based SQL Injection Presented by Muhaimin Dzulfakar.

Similar presentations


Presentation on theme: "© 2008 Security-Assessment.com 1 Time Based SQL Injection Presented by Muhaimin Dzulfakar."— Presentation transcript:

1 © 2008 Security-Assessment.com 1 Time Based SQL Injection Presented by Muhaimin Dzulfakar

2 © 2008 Security-Assessment.com 2 Who am I Muhaimin Dzulfakar Security Consultant – Security-Assessment.com Application and network pen-tester

3 © 2008 Security-Assessment.com 3 Agenda What is time based SQL Injection Differences between blind and time based SQL Injection Time based injection with heavy queries Limitation of time based SQL Injection

4 © 2008 Security-Assessment.com 4 Different types of SQL Injection In Band Injection Out of Band Injection Blind SQL Injection Time Based SQL Injection

5 © 2008 Security-Assessment.com 5 In Band Injection Results are embedded via union select Useful when SQL error message is displayed Fastest way to extract data Ex: UNION ALL null, null, null, null, concat(username,0x3a,admin_password), null from admin/*

6 © 2008 Security-Assessment.com 6 In Band Injection

7 © 2008 Security-Assessment.com 7 Out of Band Injection Use a different communication channel to drill for data Ex: Web Mail application in which data received via SMTP is processed Example of attack: Accessing your neighbour database server with OOB injection Ex: UNION ALL SELECT a.* FROM OPENROWSET('SQLOLEDB','uid=sa;pwd=; Network=DBMSSOCN;Address= ;timeout=1','SELECT user, pass FROM users') AS a--

8 © 2008 Security-Assessment.com 8 Out of Band Injection Web server Database B Database A OOB Injection

9 © 2008 Security-Assessment.com 9 Blind SQL Injection Application generates custom error message for failed response and normal page for successful response Comparison between true and false response AND 1=1 -> true AND 1=2 -> false Read data byte by byte

10 © 2008 Security-Assessment.com 10 Blind SQL Injection

11 © 2008 Security-Assessment.com 11 Blind SQL Injection

12 © 2008 Security-Assessment.com 12 Time Based SQL Injection Use time delay to differentiate between true and false True response – time delay is executed Failed response – time delay is not executed Read data byte by byte – exactly the same method as blind injection First example by Chris Anley's paper – More advanced SQL Injection Another example is in David Litchfield paper – Data Mining with SQL Injection and Inference

13 © 2008 Security-Assessment.com 13 When we need Time Based SQL Injection When the application generates default page for true or false response When the application generates the same custom error page for true or false response Injection is successful but can't be seen by the attacker

14 © 2008 Security-Assessment.com 14 Scenario 1 (Blind Injection attack)$default=1 if value is not between 1-20 { redirect user to page.php?id=$default redirect user to page.php?id=$default execute SQL statement execute SQL statement } 1 AND 1=1 [TRUE] -> default page displayed 1 AND 1=2 [FALSE] -> default page displayed BLIND INJECTION FAILED! BLIND INJECTION FAILED!

15 © 2008 Security-Assessment.com 15 Scenario 1 (Time Based Blind Injection attack)$default=1 if value is not between 1-20 { redirect user to page.php?id=$default redirect user to page.php?id=$default execute SQL statement execute SQL statement } 1 AND 1=1 [TRUE] -> takes 5 seconds to response 1 AND 1=2 [FALSE] -> takes 1 second to response TIME BASED BLIND INJECTION TIME BASED BLIND INJECTION WORKS! WORKS!

16 © 2008 Security-Assessment.com 16 Time Based SQL Injection TRUE = 2478msFALSE = 117ms

17 © 2008 Security-Assessment.com 17 Spot the different Blind Injection (for MySql) 1 AND If the first character of the database version is less than 4, it is true If the first character of database version is 4 or more, it is false query position operator char

18 © 2008 Security-Assessment.com 18 Spot the different Time Based Blind injection (for MySQL) 1 AND (SELECT IF((IFNULL(ASCII(SUBSTRING((SELECT If the first character of database version is less than 4, execute BENCHMARK If the first character of database version is not less than 4,do not execute BENCHMARK position operatortime delay query char count time

19 © 2008 Security-Assessment.com 19 Time Based Injection on MSSQL Time Based Injection (MSSQL) 1 AND if < 52) waitfor delay '0:0:9'-- If the first character less than 4, execute waitfor delay time delay query positionoperatorchar

20 © 2008 Security-Assessment.com 20 Other Databases Oracle (without PL/SQL support) MS Access, DB2 do not have delay functions Time Based Injection is possible by using heavy queries Chema Alonso and Jose Prada talked about this in Defcon types of conditions in 'where clause' Light Condition first Heavy Condition first ConditionAConditionB Select A from B where ConditionA and ConditionB

21 © 2008 Security-Assessment.com 21 Heavy condition first 100 Seconds False- 110 Seconds True 110 Seconds False True ResultHeavy & Light Condition Light Condition 10sec Heavy condition 100sec Result from Alonso research

22 © 2008 Security-Assessment.com 22 Light condition first 10Secon ds False- 110 Seconds True 110 Seconds False True ResultHeavy & Light Condition Heavy Condition 100sec Light condition 10sec Result from Alonso research

23 © 2008 Security-Assessment.com 23 Heavies Queries Oracle evaluates the conditions from left to right MS Access evaluates the conditions from right to left MSSQL evaluates light condition first Table name needs to be known Some of the well known default tables MSSQL – sysussers MySQL – information_schema.colums Oracle - all_users

24 © 2008 Security-Assessment.com 24 Heavies Queries Example of time based injection using heavy queries on MSSQL (light condition evaluates first) 1 AND (select count(*) FROM sysusers as sys1, sys2, sysusers as sys2, sysusers as sys3, sysusers as sys4, sysusers as sys5, sysusers as sys6, sysusers as sys7, sysusers as sys8)> 0 AND 52 < (select top 1 ASCII(substring(name,1,1)) from sysusers) Suitable for databases that do not support time delay functions Ex: Oracle and MS Access heavy query light query

25 © 2008 Security-Assessment.com 25 Limitation Results are not efficient during the busy times Time delay results also depend on how much data stored in the table

26 © 2008 Security-Assessment.com 26 Demo

27 © 2008 Security-Assessment.com 27 Question ?


Download ppt "© 2008 Security-Assessment.com 1 Time Based SQL Injection Presented by Muhaimin Dzulfakar."

Similar presentations


Ads by Google