Nytro Posted October 21, 2013 Report Posted October 21, 2013 [h=1]Deep Blind SQL Injection[/h]Deep Blind SQL Injection is a new way to exploit Blind SQL Injections with a 66% reduction in the number of requests. However it is still possible to retrieve data, moreover it is possible with a 66% reduction in the number of requests made of the server, requiring two rather than six requests to retrieve each char.Ferruh Mavitunawww.portcullis-security.comBlind SQL Injection attacks are described in several papers1. If the injection point is completely blind2 then the only way3 to extract data is using time based attacks like WAITFOR DELAY, BENCHMARK etc.When it comes to reading data there are two known ways,1. Reading data bit by bit2. Reading data through a binary search algorithm with character patternsBoth methods have a one request – one response limit and on average for each char you need to make six requests to the server.In Deep Blind SQL Injection reading data is more complex than in classic blind injection. However it is still possible to retrieve data, moreover it is possible with a 66% reduction in the number of requests made of the server, requiring two rather than six requests to retrieve each char.Deep Blind SQL Injection works well within MS SQL Server and may work in other databases such as like ORACLE, PostgreSQL etc.This method of injection, which retrieves more that one response per request is achieved using time delay differences. For example if the first half byte of char is 6, the database is going to wait for 12 seconds, if second half byte of char is 1 it?s going to wait for 2 seconds. An attacker should store server response times and divide them by 2 to understand the response. Finally, in 2 requests we got 0x61 which is „a?. Obviously depending on the condition it?s possible to use larger or smaller dividers than 2.Download:http://labs.portcullis.co.uk/download/Deep_Blind_SQL_Injection.pdf Quote
