(12 intermediate revisions by 2 users not shown) |
Line 1: |
Line 1: |
− | = Expert: Automated Single-byte exfiltration = | + | === Blind extraction === |
| | | |
− | '''There are multiple types of single byte exfiltration attacks:''' | + | '''There are two types of blind SQL extraction attacks:''' |
− | * Timing based | + | * Partial-blind: [[comparative precomputation|Pre-computation based]] (Tool: [[mysqli-blindutils]] > [[sqli-hap.py]]) |
− | * Pre-computation based
| + | * Full-blind: [[timing based extraction|Timing based]] |
− | '''The only three things that all of these methods have in common is:'''
| + | |
− | * <u>These attacks</u> are all limited in some fashion because of local environment and latency or remote environment and dataset.
| + | |
− | * <u>The target environment</u> must not filter or otherwise restrict the use of commas (''','''); [[#Testing_with_Regular_Expression_Operators_.28REGEXP.2C_.7E.2C_and_RLIKE.29|regular expressions]] will not work here because injected queries are <i>selecting</i> rather than <i>comparing</i> the value of a single [[byte]].
| + | |
− | * <u>You</u> must not be afraid of programming.
| + | |
| | | |
− | ==Timing-based single-byte exfiltration==
| |
− | {{warning|<i>If not on a '''LAN''' when this technique is utilized, buggy and unpredictable results '''will''' be attained.</i>}}
| |
− | This testing is ideal when''':
| |
− | * It is taking place on a relatively low latency network
| |
− | * There is access to a consistent latency and the remote page has a consistent load time (may not vary by more than 0.5 seconds)
| |
| | | |
− | Single byte exfiltration takes less queries to perform the same results, and leaves a smaller log footprint.
| + | '''The only things that these methods have in common is:''' |
− | * A timer will need to be used to see how long it takes the remote server to serve the page.
| + | * <u>These attacks</u> are all limited in some fashion because of environment and latency or dataset, respectively. |
− | Examples of timing-based single-byte exfiltration:
| + | * <u>Successful exploitation</u> requires automation [[programming]]. |
− | * <i>Exfiltrating the first character of the database name in a single request:</i>
| + | |
− | {{code|text=<source lang="sql">
| + | |
− | and sleep(ascii(substring(@@database,1,1))) -- MySQL
| + | |
− | and pg_sleep(ascii(substring(current_database,1,1))) is null -- PostgreSQL
| + | |
− | </source>}}
| + | |
− | :'''By timing these (in seconds) the integer value of the ascii code of the first character of the database will be attained.'''
| + | |
− | | + | |
− | ==The comparative precomputation attack==
| + | |
− | | + | |
− | '''This attack relies heavily on the <i>remote dataset</i> for successful exploitation and is thus less reliable than other methods.''' '''This significantly differs from previously discovered <u>[[#Expert:_Automated_Single-byte_exfiltration|single-byte exfiltration techniques]]</u> because:'''{{code|text=
| + | |
− | * <i>It is based on precomputation</i>
| + | |
− | * <i>It is not a timing attack</i>
| + | |
− | }}{{code|text=
| + | |
− | '''Requirements:'''
| + | |
− | * <u>The query which is being injecting into must have at least 254 rows</u> | + | |
− | * <u>The precomputation attack is compatible with all database backends.</u>
| + | |
− | }} '''Precomputation is done for performance reasons. At the very least, a comparative test will be required. The more complex a remote site is (random content generation, etc), the more difficult this type of attack becomes to automate.'''{{code|text=
| + | |
− | * Examining the following query: | + | |
− | {{code|text=<source lang="php"> $query = "select * from articles where id=$input"; </source>}}
| + | |
− | * And the following uri:
| + | |
− | /articles.php?id=1
| + | |
− | | + | |
− | * Testing can be used to see if there are 255 articles by visiting:
| + | |
− | /articles.php?id=255 '''Follow the next steps for automation (and sanity's) sake:'''{{code|text=
| + | |
− | * Choose a language supporting something similar to [http://php.net/manual/en/function.array-flip.php '''array_flip()'''] for programming the automation tool.
| + | |
− | * Write a loop to download each article
| + | |
− | * In the loop, populate an array (using integer indexes) with checksum hashes as values
| + | |
− | * Flip the array}}
| + | |
− | '''Almost done!'''{{code|text=
| + | |
− | * Then the following visit can take place:
| + | |
− | /articles.php?id=ascii(substr(user(),1,1))
| + | |
− | * Checksum the output
| + | |
− | * Now accessing the checksums array using the checksum of the output as the key:
| + | |
− | {{code|text=<source lang="php"> $ascii_code = $checksums[$output_checksum]; </source>
| + | |
− | }}
| + | |
− | }}
| + | |
− | '''<i><u>And the value of a byte has been determined.</u></i>'''
| + | |
− | {{protip|'''This attack can be extended by:'''{{code|text=
| + | |
− | * Using arithmetic operators to get sequential id's offset from 0-255 (e.g. /articles.php?id=(select ascii(substr(user(),1,1))+67)
| + | |
− | * Using MySQL field operators and a static query that returns id's to bypass the requirement for the id's to be sequential
| + | |
− | }}
| + | |
− | }}
| + | |
− | }}
| + | |
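Review bot: The new "The only things that these methods have in common is:" bullet has its "respectively" the wrong way round: the list above it names Partial-blind (pre-computation) first and Full-blind (timing) second, so "because of environment and latency or dataset, respectively" should read "dataset and latency, respectively" (or drop "respectively" and attach each limitation to its method); the same line also needs "things ... are", not "is", and "requires automation [[programming]]" reads better as "requires automated tooling ([[programming]])". Replacing the `= Expert: Automated Single-byte exfiltration =` heading with `=== Blind extraction ===` removes the `#Expert:_Automated_Single-byte_exfiltration` anchor that the deleted text itself linked to, so any other page still linking to it will now land at the top of this page; a level-3 heading at Line 1 also has no enclosing level-2 section, so confirm that nesting is intended. The practical limits the deleted sections spelled out (the comma-filtering requirement and why regular expressions do not apply, the LAN/latency warning with its 0.5-second load-time tolerance, and the "at least 254 rows" requirement that the same text later describes as 255 articles) no longer appear here; make sure the linked [[comparative precomputation]] and [[timing based extraction]] pages carry them, with the 254/255 discrepancy resolved, because those limits are what a defender uses to judge whether an endpoint is realistically exposed and which request patterns (sequential id enumeration, bursts of uniformly slow requests) are worth alerting on.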