Difference between revisions of "SQL injection/Blind/Extraction"

Revision as of 17:06, 19 November 2012

Bitwise Extraction

There are multiple types of bitwise extraction attacks:

• Timing based
• Pre-computation based

The only three things that all of these methods have in common is:

• These attacks are all limited in some fashion because of local environment and latency or remote environment and dataset.
• The target environment must not filter or otherwise restrict the use of commas (,); regular expressions will not work here because injected queries are selecting rather than comparing the value of a single byte.
• You must not be afraid of programming.

Timing-based bitwise extraction

If not on a LAN when this technique is utilized, buggy and unpredictable results will be attained.

This testing is ideal when:

• It is taking place on a relatively low latency network
• There is access to a consistent latency and the remote page has a consistent load time (may not vary by more than 0.5 seconds)

Single byte exfiltration takes less queries to perform the same results, and leaves a smaller log footprint.

• A timer will need to be used to see how long it takes the remote server to serve the page.

Examples of timing-based single-byte exfiltration:

• Exfiltrating the first character of the database name in a single request:

 
  AND sleep(ascii(SUBSTRING(@@DATABASE,1,1)))                  -- MySQL
  AND pg_sleep(ascii(SUBSTRING(current_database,1,1))) IS NULL -- PostgreSQL
 

By timing these (in seconds) the integer value of the ascii code of the first character of the database will be attained.