Penetration Testing mailing list archives
Re: SQL injection attacks
From: Sir Mordred <sir.mordred.lists () gmail com>
Date: Wed, 7 Mar 2007 12:25:05 +0200
Hello.
It is necessary that some information is returned to the attacker. The process involves separating valid requests from invalid requests on the server, which enables the attacker to identify these responses.
Error responses include monitoring the HTTP 500: Internal Server Error messages, 'Internal Server Error' messages (which are still linked to valid 200 OK responses) and any application-handled errors generated by the SQL server.
A quite common technique is to inject a conditional with a call to BENCHMARK() and measure the time delay. Even if the application handles errors gracefully and displays no information, the time delay still leaks one bit of information. This will also work for statements like DELETE and INSERT. With well-prepared statements, you can do a binary search on unknown values, meaning ~16 attempts per byte (assuming we try both the condition and its reverse and measure the time difference between the two; this can be optimised, of course).
To exploit the SQL injection, it is necessary to have identified the specific database in use. Normal SQL injection testing techniques, such as adding SQL keywords (OR, AND, etc.) and META characters (such as ; or '), rely on the knowledge of the system that the attacker has gained in the aforementioned stages.
We can identify the DBS not only by its use of syntactic characters, but by trying to call system-specific functions.
Without the knowledge of the system, it is not possible to determine the database, the entity names, relationships or any other database field. This is important as the attacker has to craft the Select statement along the lines of valid input fields. An example would be:
(snip)
Without this information, the attacker cannot hope to "guess" the database and entity names. Blank entries on a form do nothing to help identify either a database instance used or the naming structure in play.
Some of the DBS (MS SQL and MySQL (>5 I think) for sure) have meta-tables with known names, which can be accessed to learn more about the table structure. This is also another mechanism to identify the DBS. That said, guessing table and field names is by no means out of the question. First, people are remarkably uninventive when they need to name something, and second, they would often reuse the name in other places - for example HTTP variable names for column names and script names for table names (update_member.php?member_id=123).

Cheers,
Mordred
Current thread:
- SQL injection attacks Craig Wright (Mar 06)
- Re: SQL injection attacks Sir Mordred (Mar 09)
- RE: SQL injection attacks Craig Wright (Mar 10)
- Re: SQL injection attacks Aditya K Sood (Mar 09)
- RE: SQL injection attacks Craig Wright (Mar 10)
- RE: SQL injection attacks Erez Metula (Mar 09)
- RE: SQL injection attacks Craig Wright (Mar 09)
- Re: SQL injection attacks Frank Fan (Mar 13)
- Re: SQL injection attacks Sir Mordred (Mar 09)