Questions about this topic? Sign up to ask in the talk tab.

SQL injection/Blind/Extraction/Timing

From NetSec
Revision as of 19:23, 19 November 2012 by JtRIPper (Talk | contribs) (Created page with "{{warning|<i>If not on a '''LAN''' when this technique is utilized, buggy and unpredictable results '''will''' be attained.</i>}} This testing is ideal when''': * It is taking pl...")

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search
RPU0j.png If not on a LAN when this technique is utilized, buggy and unpredictable results will be attained.

This testing is ideal when:

  • It is taking place on a relatively low latency network
  • There is access to a consistent latency and the remote page has a consistent load time (may not vary by more than 0.5 seconds)

Single byte exfiltration takes less queries to perform the same results, and leaves a smaller log footprint.

  • A timer will need to be used to see how long it takes the remote server to serve the page.

Examples of timing-based single-byte exfiltration:

  • Exfiltrating the first character of the database name in a single request:
 
  AND sleep(ascii(SUBSTRING(@@DATABASE,1,1)))                  -- MySQL
  AND pg_sleep(ascii(SUBSTRING(current_database,1,1))) IS NULL -- PostgreSQL
 
By timing these (in seconds) the integer value of the ascii code of the first character of the database will be attained.
Retrieved from "http://nets.ec/index.php?title=SQL_injection/Blind/Extraction/Timing&oldid=9944"