Penetration Testing mailing list archives

Re: SQL Injection - Waitfor delay


From: Parity <pty.err () gmail com>
Date: Tue, 14 Oct 2008 12:32:57 -0700

Attackers use the waitfor delay syntax to do two things:

#1 - as a quick test to indicate whether or not a serious
vulnerability may be present. If the waitfor delay trick works, that's
a reliable indication that the app has a serious vulnerability, and an
attacker could use commands other than waitfor delay to do very bad
things.  (There's a lot of literature available on the net for
exploring this topic; Google is your friend.)

#2 - as part of a more complicated method for extracting data from the
application database. The waitfor delay syntax offers just one way
among many for attackers to exfiltrate data from a vulnerable
database.  My favorite tool for this particular job is sqlbrute
written by the very capable Justin Clarke.

The bottom line is, if somebody has demonstrated that the waitfor
delay syntax works against your app, the issue is very real.  Anyone
who says otherwise just hasn't seen it demo'd yet.

pty
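
For the defender's side of point #1 above, the following added example (not part of the original post) triages web logs for requests carrying the waitfor delay syntax and marks those whose response took at least as long as the requested delay. The log layout, the trailing time-taken field in milliseconds, the function names and the sample lines are all assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Assumed layout (constructed): ip [ts] "METHOD target HTTP/x" status time_taken_ms
LOG_RE = re.compile(r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "\S+ (?P<target>\S+) [^"]*" '
                    r'(?P<status>\d{3}) (?P<ms>\d+)$')
# WAITFOR DELAY plus a quoted h:m[:s[.fff]] literal, any case or spacing.
WAITFOR_RE = re.compile(r"\bwaitfor\s+delay\s+'\s*([\d:.]+)\s*'", re.I)

def normalize(target, max_rounds=3):
    """URL-decode until stable so double-encoded requests are matched too."""
    for _ in range(max_rounds):
        target, previous = unquote_plus(target), target
        if target == previous:
            break
    return target

def delay_seconds(literal):
    """Convert 'h:m[:s[.fff]]' to seconds; None if it is not a usable time."""
    parts = literal.split(":")
    if not 2 <= len(parts) <= 3:
        return None
    try:
        h, m, s = (float(p) for p in (parts + ["0"])[:3])
    except ValueError:
        return None
    return h * 3600 + m * 60 + s

def triage(lines):
    """Return (ip, ts, requested_seconds, verdict) per request carrying WAITFOR DELAY."""
    findings = []
    for line in lines:
        rec = LOG_RE.match(line)
        hit = rec and WAITFOR_RE.search(normalize(rec["target"]))
        wanted = delay_seconds(hit.group(1)) if hit else None
        if not wanted:
            continue
        # A response at least as slow as the requested delay suggests the statement ran.
        slow = int(rec["ms"]) >= wanted * 1000
        findings.append((rec["ip"], rec["ts"], wanted, "delay-observed" if slow else "attempt-only"))
    return findings

# Constructed sample lines (documentation IP ranges, invented paths).
SAMPLE_LOG = [
    '203.0.113.7 [14/Oct/2008:12:30:01 -0700] "GET /item.asp?id=12 HTTP/1.1" 200 84',
    '203.0.113.7 [14/Oct/2008:12:30:09 -0700] "GET /item.asp?id=12%3BWAITFOR%20DELAY%20%270%3A0%3A5%27-- HTTP/1.1" 200 5093',
    '198.51.100.4 [14/Oct/2008:12:31:40 -0700] "GET /news.asp?id=3%253Bwaitfor%2520delay%2520%25270%253A0%253A10%2527 HTTP/1.1" 500 41',
    '192.0.2.10 [14/Oct/2008:12:33:02 -0700] "GET /search.asp?q=waitfor+delay+tips HTTP/1.1" 200 120',
]
if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A "delay-observed" verdict is the log-side counterpart of the trick working and should be handled as a confirmed injection point; "attempt-only" still shows the parameter is being probed.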
