基于时间的大量查询下盲SQL注入技术

本文翻译了一篇关于SQL注入技术的文章，由于对该技术了解的匮乏，翻译过于生硬。希望对能了解该技术的人有所帮助，由于原文较长，翻译周期可能较长，在这里仅给出一部分翻译内容，在今后的日子里将不断补充和完善。

原文地址：http://www.microsoft.com/technet/community/columns/secmvp/sv0907.mspx（Time-Based Blind SQL Injection with Heavy Queries）
 

简介

本文介绍了黑客使用大量查询，通过基于时间的(time-based)盲SQL注入法，如何利用漏洞进行SQL注入。本文的目标在于强调为WEB应用程序建立安全发展的最佳实践，而不是仅仅依赖于周边提供的防御措施。本文的开发案例以Microsoft SQL Server和Microsoft Access数据库为主，但是这项技术可以运用到当前市场中使用的任何数据库中。

Time-Based Blind SQL Injection

第一个论述 “blind attacks”技术的文献是 Chris Anley 在2002年6月份发表的论文： “【高级SQL注入技术】(More) Advanced SQL Injection” [1],在这个文献中，他给出了time-based的特殊案例，这些案例很不普通，他要求大家引起注意。下面是Chris给出的盲SQL注入技术的一些例子：

<<•••••• if (ascii(substring(@s, @byte, 1)) & ( power(2, @bit))) > 0 waitfor delay '0:0:5'
…it is possible to determine whether a given bit in a string is '1' or ’0’.That is, the above query will pause for five seconds if bit '@bit' of byte '@byte' in string '@s' is '1.'

例如，下面的查询，如果当前数据库的名字的第一个字节的第一位是1的话，将导致暂停5秒钟。:
declare @s varchar(8000) select @s = db_name() if (ascii(substring(@s, 1, 1)) & ( power(2, 0))) > 0 waitfor delay '0:0:5'

这些例子表明，使用一个危险的参数可以将信息从数据库中提取出来。当条件为真时，代码将被注入生成一个给定时间的延迟。

在Chris之后，由于盲SQL注入技术与延迟数据库技术相比，具有简单性、快速执行性和显示错误信息的范围，继续从攻击系统中得到在生成错误消息方面的更多研究。一年后，即2003年9月，Ofer Maor和Amichai Shulman发表了题为 “Blindfolded SQL Injection” 的论文[2]。在这篇文章中，作者分析了在SQL注入系统中，识别危险参数的不同方式，这种攻击甚至是信息处理过程和返回值是不可见的。

At the 2004 BlackHat Conference, Cameron Hotchkies presented his paper “Blind SQL Injection Automation Techniques” [3]. He proposed alternative methods to automate the exploitation of a Blind SQL Injection vulnerable parameter, using different custom tools. He suggested three different solutions for the automation: (1) Searching for keywords on positive and negative results; (2) Using MD5 signatures to discriminate positive and negative results; (3) Using textual difference engine. He also introduced SQueal, an automatic tool to extract information through Blind SQL Injection, which evolved later to another tool called Absinthe [4].

In September 2005, David Litchfield published the article “Data Mining with SQL Injection and Inference” [5], where he discussed the time-based inference techniques, and proposed other ways to obtain time delays using calls to stored procedures, such as xp_cmdshell on MS SQL Server to do a ping.

xp_cmdshell ‘ping –n 10 127.0.0.1’ → application paused 10 seconds.

Time-based techniques can be extended to any action performed by a stored procedure and able to generate a time delay or any other measurable action.

In December 2006, Ronald van den Heetkamp published the “SQL Injection Cheat Sheet” [6], including Blind SQL Injection tricks for MySQL with some examples based on benchmark functions that can generate time delays. For instance:

SELECT BENCHMARK(10000000,ENCODE('abc','123')); [around 5 sec]
SELECT BENCHMARK(1000000,MD5(CHAR(116))) [ around 7 sec]
Example: SELECT IF( user = 'root', BENCHMARK(1000000,MD5( 'x' )),NULL) FROM login

A recent exploit [7], published in June 2007 at http://www.milw0rm.com (a Web site dedicated to exploits and security) shows how this technique could be used to attack a game server called Solar Empire:

¡$sql="F***You'),(1,2,3,4,5,(SELECT IF (ASCII (SUBSTRING(se_games.admin_pw, ".$j.", 1)) =".$i.") & 1, benchmark(200000000,CHAR(0)),0) FROM se_games))/*";

As the studies of the time-based Blind SQL Injection techniques are moving forward, some new tools have been created, such as SQL Ninja [8], which uses the Wait-for method for Microsoft SQL Server engines, or SQL PowerInjector[9], which implements the Wait-for method for Microsoft SQL Server Database engines, Benchmark functions for MySQL engines, and an extension of the Wait-for method for Oracle engines, using calls to DBMS_LOCK methods. 

Time Delays

Taking into consideration the methods described above, we can see that having access to stored procedures for Microsoft SQL Server and Oracle is needed to be able to generate time delays using calls to Wait-for methods and DBMS_LOCK. However, this is not necessary on MySQL engines, because in this case a mathematic function is used to generate the time delay. Some Intrusion Detection Systems (IDS) and Firewalls applications have the ability to block the URLs that use Benchmark functions.

The question now is, if the use of stored