Re: Deep Blind SQL Injection Whitepaper

[nummish <nummish () 0x90 org>]

> 2008/8/19 David Litchfield <davidl () ngssoftware com>
> > Hi Ferruh,
> >
> > > This is a short whitepaper about a new way to exploit Blind SQL
> > > Injections.
> >
> > I just had a read of your paper. You open with: "If the injection point is
> > completely blind then the only way to extract data is using time based
> > attacks like WAITFOR DELAY, BENCHMARK etc." This is not the case. You can
> > use other non-time based (and therefore faster) methods to infer the value
> > of data. See "Data-mining with SQL Injection and Inference" -
> > http://www.ngssoftware.com/papers/sqlinference.pdf
> >
> > Cheers,
> > David
> On Tue, Aug 19, 2008 at 1:09 PM, Ferruh Mavituna <ferruh () mavituna com> wrote:
> Hi David,
>
> I'm aware of the other methods which mostly explained on your paper.
> Footnote 2 which clears up the definition "completely blind" was supposed to
> be "No error is displayed and no indicators are visible in the response"
> instead of "No error is displayed and no indicators are visible in the
> response that an error occurred".
>
> Hopefully will update the paper soon, thanks for pointing it out.
>
> Cheers,

Sorry to resurrect a 9 day old thread here...

It's an interesting concept, but like all timing based attacks, won't
the digits be more susceptible to noise due to possible network
latency? Even with two queries, there is still a large volume of
requests getting made, and one little bump can invalidate the
information you are pulling out.

If that really isn't an issue, you may want to consider putting the 6
digit first, then 1,2,3,4,5,7,8,9 as that's going to show up far more
frequently.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/