Questions about this topic? Sign up to ask in the talk tab.

Difference between revisions of "SQL injection/Blind/Extraction"

From NetSec
Jump to: navigation, search
(Created page with "= Expert: Automated Single-byte exfiltration = '''There are multiple types of single byte exfiltration attacks:''' * Timing based * Pre-computation based '''The only three thing...")
 
Line 1: Line 1:
= Expert: Automated Single-byte exfiltration =
+
== Bitwise Extraction ==  
  
'''There are multiple types of single byte exfiltration attacks:'''
+
'''There are multiple types of bitwise extraction attacks:'''
 
* Timing based
 
* Timing based
 
* Pre-computation based
 
* Pre-computation based
 +
 
'''The only three things that all of these methods have in common is:'''
 
'''The only three things that all of these methods have in common is:'''
 
* <u>These attacks</u> are all limited in some fashion because of local environment and latency or remote environment and dataset.
 
* <u>These attacks</u> are all limited in some fashion because of local environment and latency or remote environment and dataset.
Line 9: Line 10:
 
* <u>You</u> must not be afraid of programming.
 
* <u>You</u> must not be afraid of programming.
  
==Timing-based single-byte exfiltration==
+
===Timing-based bitwise extraction===
 
{{warning|<i>If not on a '''LAN''' when this technique is utilized, buggy and unpredictable results '''will''' be attained.</i>}}
 
{{warning|<i>If not on a '''LAN''' when this technique is utilized, buggy and unpredictable results '''will''' be attained.</i>}}
 
This testing is ideal when''':
 
This testing is ideal when''':
Line 24: Line 25:
 
</source>}}
 
</source>}}
 
:'''By timing these (in seconds) the integer value of the ascii code of the first character of the database will be attained.'''
 
:'''By timing these (in seconds) the integer value of the ascii code of the first character of the database will be attained.'''
 
==The comparative precomputation attack==
 
 
'''This attack relies heavily on the <i>remote dataset</i> for successful exploitation and is thus less reliable than other methods.''' '''This significantly differs from previously discovered <u>[[#Expert:_Automated_Single-byte_exfiltration|single-byte exfiltration techniques]]</u> because:'''{{code|text=
 
* <i>It is based on precomputation</i>
 
* <i>It is not a timing attack</i>
 
}}{{code|text=
 
'''Requirements:'''
 
* <u>The query which is being injecting into must have at least 254 rows</u>
 
* <u>The precomputation attack is compatible with all database backends.</u>
 
}} '''Precomputation is done for performance reasons.  At the very least, a comparative test will be required.  The more complex a remote site is (random content generation, etc), the more difficult this type of attack becomes to automate.'''{{code|text=
 
* Examining the following query:
 
{{code|text=<source lang="php">  $query = "select * from articles where id=$input"; </source>}}
 
* And the following uri:
 
  /articles.php?id=1
 
 
* Testing can be used to see if there are 255 articles by visiting:
 
  /articles.php?id=255 '''Follow the next steps for automation (and sanity's) sake:'''{{code|text=
 
* Choose a language supporting something similar to [http://php.net/manual/en/function.array-flip.php '''array_flip()'''] for programming the automation tool.
 
* Write a loop to download each article
 
* In the loop, populate an array (using integer indexes) with checksum hashes as values
 
* Flip the array}}
 
'''Almost done!'''{{code|text=
 
* Then the following visit can take place:
 
  /articles.php?id&#x3d;ascii(substr(user(),1,1))
 
* Checksum the output
 
* Now accessing the checksums array using the checksum of the output as the key:
 
{{code|text=<source lang="php">  $ascii_code = $checksums[$output_checksum]; </source>
 
}}
 
}}
 
'''<i><u>And the value of a byte has been determined.</u></i>'''
 
{{protip|'''This attack can be extended by:'''{{code|text=
 
* Using arithmetic operators to get sequential id's offset from 0-255 (e.g.  /articles.php?id=(select ascii(substr(user(),1,1))+67)
 
* Using MySQL field operators and a static query that returns id's to bypass the requirement for the id's to be sequential
 
}}
 
}}
 
}}
 

Revision as of 17:05, 19 November 2012

Bitwise Extraction

There are multiple types of bitwise extraction attacks:

  • Timing based
  • Pre-computation based

The only three things that all of these methods have in common is:

  • These attacks are all limited in some fashion because of local environment and latency or remote environment and dataset.
  • The target environment must not filter or otherwise restrict the use of commas (,); regular expressions will not work here because injected queries are selecting rather than comparing the value of a single byte.
  • You must not be afraid of programming.

Timing-based bitwise extraction

RPU0j.png If not on a LAN when this technique is utilized, buggy and unpredictable results will be attained.

This testing is ideal when:

  • It is taking place on a relatively low latency network
  • There is access to a consistent latency and the remote page has a consistent load time (may not vary by more than 0.5 seconds)

Single byte exfiltration takes less queries to perform the same results, and leaves a smaller log footprint.

  • A timer will need to be used to see how long it takes the remote server to serve the page.

Examples of timing-based single-byte exfiltration:

  • Exfiltrating the first character of the database name in a single request:
 
  AND sleep(ascii(SUBSTRING(@@DATABASE,1,1)))                  -- MySQL
  AND pg_sleep(ascii(SUBSTRING(current_database,1,1))) IS NULL -- PostgreSQL
 
By timing these (in seconds) the integer value of the ascii code of the first character of the database will be attained.
Retrieved from "http://nets.ec/index.php?title=SQL_injection/Blind/Extraction&oldid=9933"