Difference between revisions of "SQL injection/Blind/Extraction"

From NetSec
(Blind extraction)
 
(10 intermediate revisions by 2 users not shown)
Previous revision (−) against latest revision (+):

− == Bitwise Extraction ==
+ === Blind extraction ===

− '''There are multiple types of bitwise extraction attacks:'''
+ '''There are two types of blind SQL extraction attacks:'''
− * Timing based
+ * Partial-blind: [[comparative precomputation|Pre-computation based]] (Tool: [[mysqli-blindutils]] > [[sqli-hap.py]])
− * Pre-computation based
+ * Full-blind: [[timing based extraction|Timing based]]

− '''The only three things that all of these methods have in common are:'''
− * <u>These attacks</u> are all limited in some fashion because of local environment and latency or remote environment and dataset.
− * <u>The target environment</u> must not filter or otherwise restrict the use of commas (''','''); [[#Testing_with_Regular_Expression_Operators_.28REGEXP.2C_.7E.2C_and_RLIKE.29|regular expressions]] will not work here because injected queries are <i>selecting</i> rather than <i>comparing</i> the value of a single [[byte]].
− * <u>You</u> must not be afraid of programming.

− ===Timing-based bitwise extraction===
+ '''The only things that these methods have in common are:'''
− {{warning|<i>If not on a '''LAN''' when this technique is utilized, buggy and unpredictable results '''will''' be attained.</i>}}
+ * <u>These attacks</u> are all limited in some fashion because of environment and latency or dataset, respectively.
− '''This testing is ideal when:'''
+ * <u>Successful exploitation</u> requires automation [[programming]].
− * It is taking place on a relatively low latency network
+ * There is access to a consistent latency and the remote page has a consistent load time (may not vary by more than 0.5 seconds)
+
+ Single-byte exfiltration takes fewer queries to produce the same results, and leaves a smaller log footprint.
+ * A timer will need to be used to see how long it takes the remote server to serve the page.
+ Examples of timing-based single-byte exfiltration:
+ * <i>Exfiltrating the first character of the database name in a single request:</i>
+ {{code|text=<source lang="sql">
+   and sleep(ascii(substring(@@database,1,1)))                  -- MySQL
+   and pg_sleep(ascii(substring(current_database,1,1))) is null -- PostgreSQL
+ </source>}}
+ :'''By timing these (in seconds) the integer value of the ASCII code of the first character of the database name will be attained.'''
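As an added defender-side example (not part of the wiki page or its tools), the following Python scan runs over constructed query-log lines and flags the shape of the timing payloads shown above: a delay function whose argument is the ASCII value of one extracted byte, which is what distinguishes single-byte exfiltration from a bare delay. `SAMPLE_LOG`, `DELAY_FUNCS` and the regular expressions are this example's own assumptions.

```python
import re
# Constructed sample query-log lines (not from the page): the first two carry the
# page's MySQL and PostgreSQL single-byte timing payloads, the rest are benign or a bare delay.
SAMPLE_LOG = [
    "SELECT * FROM items WHERE id=7 and sleep(ascii(substring(@@database,1,1))) -- MySQL",
    "SELECT * FROM items WHERE id=7 and pg_sleep(ascii(substring(current_database,1,1))) is null",
    "SELECT name FROM items WHERE id=7",
    "SELECT SLEEP(1)",
]

DELAY_FUNCS = {"sleep": "MySQL", "pg_sleep": "PostgreSQL"}  # the two delay functions the page uses
DELAY_CALL = re.compile(r"(?<![a-z0-9_])(pg_sleep|sleep)\s*\(")
# Shape of the page's payloads: the delay length is one byte's ASCII value.
BYTE_INFERENCE = re.compile(r"(?<![a-z0-9_])ascii\s*\(\s*substr(?:ing)?\s*\(")

def normalize(sql: str) -> str:
    """Lowercase, strip SQL comments and collapse whitespace into one canonical form."""
    sql = re.sub(r"--[^\n]*|#[^\n]*|/\*.*?\*/", " ", sql, flags=re.S)
    return re.sub(r"\s+", " ", sql).strip().lower()

def call_argument(text: str, open_paren: int) -> str:
    """Return the text between the '(' at open_paren and its matching ')'."""
    depth = 0
    for i in range(open_paren, len(text)):
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
            if depth == 0:
                return text[open_paren + 1:i]
    return text[open_paren + 1:]  # unbalanced: take the rest of the line

def classify(line: str):
    """Return a finding for a query that calls a delay function, or None for a clean query."""
    sql = normalize(line)
    m = DELAY_CALL.search(sql)
    if not m:
        return None
    arg = call_argument(sql, m.end() - 1).strip()
    return {
        "dialect": DELAY_FUNCS[m.group(1)],
        "delay_function": m.group(1),
        "delay_argument": arg,
        "byte_inference": bool(BYTE_INFERENCE.search(arg)),  # True = single-byte exfiltration shape
    }

def scan(lines):
    """Return (line_index, finding) pairs for every query carrying a delay call."""
    findings = ((i, classify(line)) for i, line in enumerate(lines))
    return [(i, f) for i, f in findings if f is not None]
```

Run against a real MySQL general log or PostgreSQL statement log, the `byte_inference` flag separates the extraction pattern from legitimate uses of `sleep()`.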

Latest revision as of 03:01, 21 November 2012
