Penetration Testing mailing list archives
Re: SQL Injection - Waitfor delay
From: "Anthony Cicalla" <anthony.cicalla () gmail com>
Date: Wed, 15 Oct 2008 09:34:37 -0700
If you use 2 sql servers you can use the wait for delay to identify blind sql injection vectors. If you use IF statements in your query you can say if Blah blah wait for delay and specify the time to wait. If it's true it will wait. If not it won't. But the simple wait for delay just allows you to find the vector. You have to use either the IF method or INSERT INTO method to dump the data to another sql server that you host remotely. I have dumped entire tables using the insert into method. You might want to do a TOP 10 in your query cause dumping the whole table can take a lot of time and time out sometimes.

Look into the book the database hackers handbook. It has specific stuff for each database to get you started. You can get a used copy fairly cheap through amazon.

Anthony Cicalla

On Tue, Oct 14, 2008 at 12:32 PM, Parity <pty.err () gmail com> wrote:
> Attackers use the waitfor delay syntax to do two things:
>
> #1 - as a quick test to indicate whether or not a serious vulnerability may be present. If the waitfor delay trick works, that's a reliable indication that the app has a serious vulnerability, and an attacker could use commands other than waitfor delay to do very bad things. (There's a lot of literature available on the net for exploring this topic; Google is your friend.)
>
> #2 - as part of a more complicated method for extracting data from the application database. The waitfor delay syntax offers just one way among many for attackers to exfiltrate data from a vulnerable database. My favorite tool for this particular job is sqlbrute written by the very capable Justin Clarke.
>
> The bottom line is, if somebody has demonstrated that the waitfor delay syntax works against your app, the issue is very real. Anyone who says otherwise just hasn't seen it demo'd yet.
>
> pty
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
> Security Trends Report from Cenzic
> Stay Ahead of the Hacker Curve! Get the latest Q2 2008 Trends Report now
> www.cenzic.com/landing/trends-report
> ------------------------------------------------------------------------
--
Anthony, CNA, CEH, CISSP, GSNA, MCP, SCTA
925-262-7565
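The thread describes three stages an attacker moves through (a bare WAITFOR DELAY probe, a conditional IF ... WAITFOR inference step, and INSERT INTO ... SELECT to copy rows elsewhere). The script below is an added example, not code from the thread or from any poster: it scans constructed web-server access log lines (Apache combined format with a trailing response time in microseconds, as mod_log_config's %D emits) for those patterns, and treats a delay payload that actually produced a slow response as confirmation that the injected statement executed rather than being rejected. Log format, IPs and payload strings are all assumptions for the sample.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (not real traffic). Last field: response time in microseconds.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Oct/2008:09:30:01 -0700] "GET /product.aspx?id=42 HTTP/1.1" 200 5120 31000
10.0.0.9 - - [15/Oct/2008:09:30:07 -0700] "GET /product.aspx?id=42%3BWAITFOR+DELAY+%270%3A0%3A5%27-- HTTP/1.1" 200 5120 5031000
10.0.0.9 - - [15/Oct/2008:09:30:15 -0700] "GET /product.aspx?id=42%3BIF+(1=1)+WAITFOR+DELAY+%270%3A0%3A5%27-- HTTP/1.1" 200 5120 5029000
10.0.0.9 - - [15/Oct/2008:09:30:22 -0700] "GET /product.aspx?id=42%3BINSERT+INTO+remote_table+SELECT+TOP+10+*+FROM+users-- HTTP/1.1" 500 812 44000
10.0.0.7 - - [15/Oct/2008:09:31:00 -0700] "GET /search.aspx?q=delay+shipping HTTP/1.1" 200 9001 28000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) (?P<micros>\d+)$'
)

# Signatures mirroring the techniques discussed in the thread.
SIGNATURES = {
    "waitfor_delay": re.compile(r"\bwaitfor\s+delay\b", re.I),
    "conditional_delay": re.compile(r"\bif\b.{0,80}?\bwaitfor\s+delay\b", re.I),
    "insert_select": re.compile(r"\binsert\s+into\b.{0,120}?\bselect\b", re.I),
}

def normalise(url):
    """URL-decode until stable (catches double encoding) and collapse whitespace."""
    prev = None
    while prev != url:
        prev, url = url, unquote_plus(url)
    return re.sub(r"\s+", " ", url)

def analyse(log_text, slow_ms=3000):
    """Return one finding per log line whose request matches a signature."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines not in the expected format
        url = normalise(m["url"])
        tags = [name for name, rx in SIGNATURES.items() if rx.search(url)]
        ms = int(m["micros"]) / 1000
        # A delay payload that really took long to answer is the strongest signal:
        # the database executed the injected WAITFOR rather than erroring out.
        if "waitfor_delay" in tags and ms >= slow_ms:
            tags.append("delay_confirmed")
        if tags:
            findings.append({"ip": m["ip"], "time": m["ts"], "status": m["status"],
                             "ms": ms, "tags": tags})
    return findings

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f)
```

Correlating the tags with response time separates a probe that was merely echoed by the application from one the database actually honoured, which is the distinction Parity's "if the waitfor delay trick works" rests on.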
Current thread:
- SQL Injection - Waitfor delay xelerated (Oct 13)
- Re: SQL Injection - Waitfor delay rajat swarup (Oct 13)
- Re: SQL Injection - Waitfor delay Krugger (Oct 14)
- Re: SQL Injection - Waitfor delay p1g (Oct 16)
- Re: SQL Injection - Waitfor delay Anthony Cicalla (Oct 16)
- Re: SQL Injection - Waitfor delay Haroon Meer (Oct 16)
- Re: SQL Injection - Waitfor delay xelerated (Oct 16)
- Re: SQL Injection - Waitfor delay Robin Wood (Oct 16)
- <Possible follow-ups>
- Re: SQL Injection - Waitfor delay Parity (Oct 14)
- Re: SQL Injection - Waitfor delay Anthony Cicalla (Oct 15)