Removed in this revision (from line 10):

===Timing-based extraction===
{{warning|<i>If not on a '''LAN''' when this technique is utilized, buggy and unpredictable results '''will''' be attained.</i>}}

This testing is ideal when:

* It is taking place on a relatively low latency network
* There is access to a consistent latency and the remote page has a consistent load time (may not vary by more than 0.5 seconds)

Single byte exfiltration takes fewer queries to achieve the same results, and leaves a smaller log footprint.

* A timer will need to be used to see how long it takes the remote server to serve the page.

Examples of timing-based single-byte exfiltration:

* <i>Exfiltrating the first character of the database name in a single request:</i>

{{code|text=<source lang="sql">
and sleep(ascii(substring(@@database,1,1))) -- MySQL
and pg_sleep(ascii(substring(current_database,1,1))) is null -- PostgreSQL
</source>}}

:'''By timing these (in seconds) the integer value of the [[ascii]] code of the first character of the database will be attained.'''
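The same properties that make this technique work (a delay function in a parameter, and a response that takes whole seconds instead of milliseconds) are what a defender can look for in access logs. The following detector is an added example, not part of the original page; the log format (method, path, status, response seconds) and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (hypothetical format: method path status seconds).
# The two slow requests carry the page's MySQL and PostgreSQL timing probes.
SAMPLE_LOG = """\
GET /item?id=12 200 0.21
GET /item?id=12+and+sleep(ascii(substring(@@database,1,1)))+-- 200 109.84
GET /item?id=12+and+pg_sleep(ascii(substring(current_database,1,1)))+is+null+-- 200 110.12
GET /item?id=13 200 0.19
GET /search?q=sleeping+bag 200 0.24
"""

# Delay primitives that have no business in a query parameter; the trailing "(" keeps
# ordinary words such as "sleeping" from matching.
DELAY_FUNCS = re.compile(r"\b(sleep|pg_sleep|benchmark)\s*\(|waitfor\s+delay", re.IGNORECASE)
LOG_LINE = re.compile(r"^(\S+) (\S+) (\d{3}) ([0-9.]+)$")

def parse_line(line):
    """Split one log line into its fields, URL-decoding the query string; None if malformed."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    method, path, status, secs = m.groups()
    query = path.partition("?")[2]
    return {"method": method, "path": path, "query": unquote_plus(query),
            "status": int(status), "seconds": float(secs)}

def baseline_seconds(entries):
    """Median response time of requests that carry no delay primitive."""
    clean = sorted(e["seconds"] for e in entries if not DELAY_FUNCS.search(e["query"]))
    return clean[len(clean) // 2] if clean else 0.0

def flag_timing_probes(log_text, slow_factor=20.0):
    """Return [(path, reasons)] for requests that look like timing-based blind injection.

    Because the payload sleeps for the ASCII value of a character, a hit takes tens of
    seconds, so a response far above the site's baseline is a second, independent signal."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    base = baseline_seconds(entries)
    flagged = []
    for e in entries:
        reasons = []
        if DELAY_FUNCS.search(e["query"]):
            reasons.append("delay primitive in query string")
        if base and e["seconds"] > slow_factor * base:
            reasons.append(f"response {e['seconds']:.1f}s vs baseline {base:.2f}s")
        if reasons:
            flagged.append((e["path"], reasons))
    return flagged
```

Run against the sample, the two probe requests are flagged on both signals while the innocent "sleeping bag" search is not.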
Revision as of 18:23, 19 November 2012
There are multiple types of blind data extraction attacks:
- Timing based
- Pre-computation based
The only three things that all of these methods have in common are:
- These attacks are all limited in some fashion because of local environment and latency or remote environment and dataset.
- You must not be afraid of programming.