Re: Using Binary Search with SQL Injection

[<dave () immunitysec com>]

In-Reply-To: <20030826161916.GA8708 () thathost com>

That's not useless. That's actually really cool. Once
upon a time I was going to write a talk on how to do
SQL Injection when you don't get error messages back.
Most people I've seen have it marked as "potentially
possible, but just way to hard to do" which is true for
everything until someone makes a tool to do it. 

You really only need one bit at a time of information
leakage, be that timing info, different response pages,
or another information tunnel to make SQL Injection
possible. And the best part about exploiting this kind
of web app is that all the automated tools (like SPIKE
Proxy) that do QA work to test for SQL Injection by
looking for ODBC messages or similar error pages don't
find it. :>


-dave


> Received: (qmail 3634 invoked from network); 26 Aug
2003 20:03:38 -0000
> Received: from outgoing2.securityfocus.com
(205.206.231.26)
>  by mail.securityfocus.com with SMTP; 26 Aug 2003
20:03:38 -0000
> Received: from lists.securityfocus.com
(lists.securityfocus.com [205.206.231.19])
>       by outgoing2.securityfocus.com (Postfix) with QMQP
>       id D000D8FAF3; Tue, 26 Aug 2003 14:02:41 -0600 (MDT)
> Mailing-List: contact
webappsec-help () securityfocus com; run by ezmlm
> Precedence: bulk
> List-Id: <webappsec.list-id.securityfocus.com>
> List-Post: <mailto:webappsec () securityfocus com>
> List-Help: <mailto:webappsec-help () securityfocus com>
> List-Unsubscribe:
<mailto:webappsec-unsubscribe () securityfocus com>
> List-Subscribe:
<mailto:webappsec-subscribe () securityfocus com>
> Delivered-To: mailing list webappsec () securityfocus com
> Delivered-To: moderator for webappsec () securityfocus com
> Received: (qmail 24804 invoked from network); 26 Aug
2003 10:18:32 -0000
> Date: Tue, 26 Aug 2003 18:19:16 +0200
> From: "Sverre H. Huseby" <shh () thathost com>
> To: webappsec () securityfocus com
> Subject: Using Binary Search with SQL Injection
> Message-ID: <20030826161916.GA8708 () thathost com>
> Mime-Version: 1.0
> Content-Type: text/plain; charset=us-ascii
> Content-Disposition: inline
> User-Agent: Mutt/1.4.1i
> X-Virus-Scanned: by AMaViS 0.3.12
>
> When being bored, one often does strange and useless
things, such as
> this:
>
>
>
> Using Binary Search with SQL Injection
> ======================================
>
>  Sverre H. Huseby
>  shh () thathost com
>  2003-08-26
>
> With SQL Injection one may perform many cool attacks
on a web site.
> This text will not tell you how, as it assumes you're
already familiar
> with advanced SQL Injection.
>
> Getting access to information using SQL Injection is
sometimes
> trivial, and sometimes hard.  How hard it is depends
on many factors,
> such as: Is it possible to use UNION SELECT?  Is it
possible to batch
> requests in order to INSERT or UPDATE something based
on subselects?
> The following presents a method to get access to
values of textual
> database fields when neither batched queries nor UNION
SELECT will
> help.  [...]
>
> Read the rest of this text here:
http://shh.thathost.com/text/binary-search-sql-injection.txt
> Sverre.
>
> -- 
> shh () thathost com
> http://shh.thathost.com/