Time-Based Blind SQL Injection with Heavy Queries

[Nytro]

Time-Based Blind SQL Injection with Heavy Queries

Published: September 12, 2007

By Chema Alonso, Microsoft Security MVP

Introduction

This article describes how attackers take advantage of SQL Injection vulnerabilities by using time-based blind SQL injection with heavy queries. Our goal is to highlight the need for establishing secure development best practices for Web applications instead of relying only on the security provided by the perimeter defenses. This article shows exploit examples for Microsoft SQL Server and Microsoft Access database engines, but the present technique is applicable to any other database product in the market.

Time-Based Blind SQL Injection

The first references to “blind attacks” can be found in Chris Anley’s June 2002 paper “(More) Advanced SQL Injection” [1], in which he calls attention to the possibility of creating such attacks -- in this specific case, time-based, one of the less common. Chris gives some examples of blind SQL injection techniques:

<<•••••• if (ascii(substring(@s, @byte, 1)) & ( power(2, @BIT))) > 0 waitfor delay '0:0:5'

…it is possible to determine whether a given bit in a string is '1' or ’0’.That is, the above query will pause for five seconds if bit @BIT' of byte @byte' in string '@s' is '1.'

For example, the following query:

declare @s varchar(8000) select @s = db_name() if (ascii(substring(@s, 1, 1)) & ( power(2, 0))) > 0 waitfor delay '0:0:5'

will pause for five seconds if the first bit of the first byte of the name of the current database is 1.

As these examples show, the information is extracted from the database using a vulnerable parameter. Code is then injected to generate a delay in response time when the condition is true.

After this first reference, blind SQL injection techniques continued to be studied with most techniques generating error messages from the attack system, because of the simplicity, quick execution, and extension of showing an error message versus delaying the database. One year later, in September 2003, Ofer Maor and Amichai Shulman published the paper “Blindfolded SQL Injection” [2]. Here, they analyze different ways to identify a vulnerable parameter on a SQL Injection system, even when the information processed and returned by the system is not visible.

At the 2004 BlackHat Conference, Cameron Hotchkies presented his paper “Blind SQL Injection Automation Techniques” [3]. He proposed alternative methods to automate the exploitation of a Blind SQL Injection vulnerable parameter, using different custom tools. He suggested three different solutions for the automation: (1) Searching for keywords on positive and negative results; (2) Using MD5 signatures to discriminate positive and negative results; (3) Using textual difference engine. He also introduced SQueal, an automatic tool to extract information through Blind SQL Injection, which evolved later to another tool called Absinthe [4].

In September 2005, David Litchfield published the article “Data Mining with SQL Injection and Inference” [5], where he discussed the time-based inference techniques, and proposed other ways to obtain time delays using calls to stored procedures, such as xp_cmdshell on MS SQL Server to do a ping.

xp_cmdshell ‘ping –n 10 127.0.0.1’ ? application paused 10 seconds.

Time-based techniques can be extended to any action performed by a stored procedure and able to generate a time delay or any other measurable action.

In December 2006, Ronald van den Heetkamp published the “SQL Injection Cheat Sheet” [6], including Blind SQL Injection tricks for MySQL with some examples based on benchmark functions that can generate time delays. For instance:

SELECT BENCHMARK(10000000,ENCODE('abc','123')); [around 5 sec]

SELECT BENCHMARK(1000000,MD5(CHAR(116))) [ around 7 sec]

Example: SELECT IF( user = 'root', BENCHMARK(1000000,MD5( 'x' )),NULL) FROM login

A recent exploit [7], published in June 2007 at http://www.milw0rm.com (a Web site dedicated to exploits and security) shows how this technique could be used to attack a game server called Solar Empire:

¡$sql="F***You'),(1,2,3,4,5,(SELECT IF (ASCII (SUBSTRING(se_games.admin_pw, ".$j.", 1)) =".$i.") & 1, benchmark(200000000,CHAR(0)),0) FROM se_games))/*";

As the studies of the time-based Blind SQL Injection techniques are moving forward, some new tools have been created, such as SQL Ninja [8], which uses the Wait-for method for Microsoft SQL Server engines, or SQL PowerInjector[9], which implements the Wait-for method for Microsoft SQL Server Database engines, Benchmark functions for MySQL engines, and an extension of the Wait-for method for Oracle engines, using calls to DBMS_LOCK methods.

Articol complet: Time-Based Blind SQL Injection with Heavy Queries