Questions about this topic? Sign up to ask in the talk tab.
SQL injection/Blind/Extraction
From NetSec
Revision as of 17:55, 19 November 2012 by LashawnSeccombe (Talk | contribs) (moved SQL injection/Blind extraction to SQL injection/Blind/Extraction)
Blind extraction
There are multiple types of blind data extraction attacks:
- Timing based
- Pre-computation based
The only three things that all of these methods have in common is:
- These attacks are all limited in some fashion because of local environment and latency or remote environment and dataset.
- You must not be afraid of programming.
Timing-based extraction
|
If not on a LAN when this technique is utilized, buggy and unpredictable results will be attained. |
This testing is ideal when:
- It is taking place on a relatively low latency network
- There is access to a consistent latency and the remote page has a consistent load time (may not vary by more than 0.5 seconds)
Single byte exfiltration takes less queries to perform the same results, and leaves a smaller log footprint.
- A timer will need to be used to see how long it takes the remote server to serve the page.
Examples of timing-based single-byte exfiltration:
- Exfiltrating the first character of the database name in a single request:
AND sleep(ascii(SUBSTRING(@@DATABASE,1,1))) -- MySQL AND pg_sleep(ascii(SUBSTRING(current_database,1,1))) IS NULL -- PostgreSQL |
- By timing these (in seconds) the integer value of the ascii code of the first character of the database will be attained.
