Penetration Testing mailing list archives

Re: SQL Injection - Waitfor delay


From: "Anthony Cicalla" <anthony.cicalla () gmail com>
Date: Wed, 15 Oct 2008 09:34:37 -0700

If you use two SQL servers you can use WAITFOR DELAY to identify
blind SQL injection vectors. If you use IF statements in your query
you can say "if blah blah WAITFOR DELAY" and specify the time to wait.
If it's true it will wait. If not, it won't. But the simple WAITFOR
DELAY just allows you to find the vector. You have to use either the
IF method or the INSERT INTO method to dump the data to another SQL server
that you host remotely. I have dumped entire tables using the INSERT
INTO method. You might want to do a TOP 10 in your query because dumping
the whole table can take a lot of time and sometimes times out. Look
into the book The Database Hacker's Handbook. It has specific stuff for
each database to get you started. You can get a used copy fairly cheap
through Amazon.

Anthony Cicalla

On Tue, Oct 14, 2008 at 12:32 PM, Parity <pty.err () gmail com> wrote:

Attackers use the waitfor delay syntax to do two things:

#1 - as a quick test to indicate whether or not a serious
vulnerability may be present. If the waitfor delay trick works, that's
a reliable indication that the app has a serious vulnerability, and an
attacker could use commands other than waitfor delay to do very bad
things.  (There's a lot of literature available on the net for
exploring this topic; Google is your friend.)

#2 - as part of a more complicated method for extracting data from the
application database. The waitfor delay syntax offers just one way
among many for attackers to exfiltrate data from a vulnerable
database.  My favorite tool for this particular job is sqlbrute
written by the very capable Justin Clarke.

The bottom line is, if somebody has demonstrated that the waitfor
delay syntax works against your app, the issue is very real.  Anyone
who says otherwise just hasn't seen it demo'd yet.

pty

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------




--
Anthony,
CNA,CEH,CISSP,GSNA,MCP,SCTA
925-262-7565
