Difference between revisions of "SQL injection/Blind"
Latest revision as of 17:35, 21 November 2012
Related tools: mysqli-blindutils
There are primarily two types of blind sql injection vulnerabilities: partial blind and total blind.
Partial blind injection is referred to as partial because data returned by the application changes to some extent. This may mean it simply does not display in one instance while it displays in the other.
Completely blind vulnerabilities do not change the dataset returned in the page output at all, so timing attacks must be used for successful exploitation: they affect the HTTP response time rather than the HTTP response data.
There are traditionally two types of exploitation for blind sql injection:
- Blind data extraction
- Boolean enumeration
Each exploitation method has viable options for both partial blind and total blind injection. Blind data extraction is by far faster than boolean enumeration. When using boolean enumeration to exploit sql injection, an attacker receives only one bit of data per request. With printable text characters this usually requires 7 requests (because the highest-order bit is never set in latin1 printable characters); however, it requires up to 8 requests for a byte of binary data. In comparison, blind extraction can retrieve values exceeding a full byte per request.
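The request cost above is also the defender's signal: boolean enumeration shows up as a burst of near-identical requests per recovered byte, and timing attacks show up as delays rather than data. The following detection script is an added example, not part of the original page or of mysqli-blindutils; it assumes an Apache-style access log with the response time in milliseconds appended as the last field, and the log lines, hosts and paths are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Apache combined log with the response time in ms appended as a last field.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
                    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<ms>\d+)$')
# Timing primitives (full-blind: the answer arrives as a delay, not as page data) ...
TIMING_RE = re.compile(r'\b(sleep|benchmark|pg_sleep|waitfor)\b', re.I)
# ... and per-character comparison helpers that leak one bit per request.
BOOLEAN_RE = re.compile(r'\b(substring|substr|ascii|ord|mid)\s*\(', re.I)

def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["url"] = unquote_plus(rec["url"])  # decode %20 etc. before matching
    rec["path"] = rec["url"].split("?", 1)[0]
    rec["ms"] = int(rec["ms"])
    return rec

def detect_blind_probes(lines, slow_ms=2000, burst=8):
    """Return sorted (client, path, kind, count) alerts for blind SQLi probing."""
    counts = defaultdict(lambda: {"timing": 0, "boolean": 0})
    for rec in filter(None, map(parse, lines)):
        key = (rec["ip"], rec["path"])
        if TIMING_RE.search(rec["url"]) and rec["ms"] >= slow_ms:
            counts[key]["timing"] += 1   # a sleep-style call that really stalled the response
        elif BOOLEAN_RE.search(rec["url"]):
            counts[key]["boolean"] += 1
    alerts = []
    for (ip, path), c in counts.items():
        if c["timing"]:
            alerts.append((ip, path, "timing-blind", c["timing"]))
        if c["boolean"] >= burst:        # ~7-8 requests recover one byte
            alerts.append((ip, path, "boolean-blind", c["boolean"]))
    return sorted(alerts)

# Constructed sample log: a normal client, a client running an 8-request boolean
# burst followed by a timing probe, and a benign search mentioning "substring".
SAMPLE_LOG = (
    ['10.0.0.5 - - [21/Nov/2012:17:35:01 +0000] "GET /item?id=7 HTTP/1.1" 200 5120 45']
    + [f'10.0.0.9 - - [21/Nov/2012:17:35:0{i} +0000] "GET /item?id=7%20AND%20'
       f'ascii(substring(user(),1,1))>{64 + i} HTTP/1.1" 200 5120 4{i}' for i in range(8)]
    + ['10.0.0.9 - - [21/Nov/2012:17:36:00 +0000] "GET /item?id=7%20AND%20sleep(5) HTTP/1.1" 200 5120 5041',
       '10.0.0.7 - - [21/Nov/2012:17:36:05 +0000] "GET /search?q=substring+theory HTTP/1.1" 200 8800 60']
)
```

Tune `burst` to the endpoint's normal traffic and `slow_ms` to its usual latency; a timing probe only counts when the response actually stalled, which is what distinguishes a working full-blind injection from a failed guess.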
Blind extraction
There are two types of blind SQL extraction attacks:
- Partial-blind: Pre-computation based (Tool: mysqli-blindutils > sqli-hap.py)
- Full-blind: Timing based
The only things these methods have in common are:
- Both attacks are limited in some fashion, by the environment and latency or by the dataset, respectively.
- Successful exploitation requires automation (scripting the requests).
Boolean Enumeration
There are primarily two types of attacks used for boolean enumeration:
- Partial-blind: Response based (Tool: mysqli-blindutils > sqli-p.pl)
- Full-blind: Timing based (Tool: mysqli-blindutils > sqli-slee.py)