Time Based SQL Injection

1
Time Based SQL Injection
Presented by Muhaimin Dzulfakar
2
Who am I

• Muhaimin Dzulfakar
• Security Consultant Security-Assessment.com
• Application and network pen-tester

3
Agenda

• What is time based SQL Injection
• Differences between blind and time based SQL
  Injection
• Time based injection with heavy queries
• Limitation of time based SQL Injection

4
Different types of SQL Injection

• In Band Injection
• Out of Band Injection
• Blind SQL Injection
• Time Based SQL Injection

5
In Band Injection

• Results are embedded via union select
• Useful when SQL error message is displayed
• Fastest way to extract data
• Ex http//www.buyviagra.com/buy.php?id1 UNION
  ALL null, null, null, null, concat(username,0x3a,a
  dmin_password), null from admin/

6
In Band Injection
7
Out of Band Injection

• Use a different communication channel to drill
  for data
• Ex Web Mail application in which data
  received via SMTP is
• processed
• Example of attack Accessing your neighbour
  database server with OOB injection
• Ex http//www.buyviagra.com/buy.asp?id1
  UNION ALL SELECT
• a. FROM OPENROWSET('SQLOLEDB','uidsapw
  d
• NetworkDBMSSOCNAddress10.1.1.1timeout
  1','SELECT
• user, pass FROM users') AS a--

8
Out of Band Injection
www.buyviagra.com
Web server
OOB Injection
Database A
Database B
10.1.1.1
9
Blind SQL Injection

• Application generates custom error message for
  failed response and normal page for successful
  response
• Comparison between true and false response
• AND 11 -gt true AND 12 -gt false
• Read data byte by byte

10
Blind SQL Injection
11
Blind SQL Injection
12
Time Based SQL Injection

• Use time delay to differentiate between true and
  false
• True response time delay is executed
• Failed response time delay is not executed
• Read data byte by byte exactly the same method
  as blind injection
• First example by Chris Anley's paper More
  advanced SQL Injection
• Another example is in David Litchfield paper
  Data Mining with SQL Injection and Inference

13
When we need Time Based SQL Injection

• When the application generates default page for
  true or false response
• When the application generates the same custom
  error page for true or false response
• Injection is successful but can't be seen by the
  attacker

14
Scenario 1 (Blind Injection attack)?

• default1
• if value is not between 1-20
• redirect user to
  page.php?iddefault
• execute SQL statement
• 
  
• 1 AND 11 TRUE -gt default page displayed
• 1 AND 12 FALSE -gt default page displayed
• BLIND
  INJECTION FAILED!

15
Scenario 1 (Time Based Blind Injection attack)?

• default1
• if value is not between 1-20
• redirect user to
  page.php?iddefault
• execute SQL statement
• 1 AND 11 TRUE -gt takes 5 seconds
  to response
• 1 AND 12 FALSE -gt takes 1 second to
  response
• TIME BASED BLIND
  INJECTION
• WORKS!

16
Time Based SQL Injection
TRUE 2478ms
FALSE 117ms
17
Spot the different

• Blind Injection (for MySql)?
• 1 AND ASCII(substring((_at__at_version),1,1))lt52
• If the first character of the database
  version is less than 4,
• it is true
• If the first character of database
  version is 4 or more, it is
• false

position
query
operator
char
18
Spot the different

• Time Based Blind injection (for MySQL)?
• 1 AND (SELECT IF((IFNULL(ASCII(SUBSTRING((SELECT
  _at__at_version),1,1)),0)lt52),BENCHMARK(900000,SHA1(1)),
  1))?
• If the first character of database
  version is less than 4,
• execute BENCHMARK
• If the first character of database
  version is not less than
• 4,do not execute BENCHMARK

char
count time
operator
time delay
query
position
19
Time Based Injection on MSSQL

• Time Based Injection (MSSQL)?
• 1 AND if not(substring((select
  _at_version),25,1) lt 52)?
• waitfor delay '009'--
• If the first character less than 4,
  execute waitfor delay

query
time delay
position
operator
char
20
Other Databases

• Oracle (without PL/SQL support) MS Access, DB2 do
  not have delay functions
• Time Based Injection is possible by using heavy
  queries
• Chema Alonso and Jose Prada talked about this in
  Defcon 2008
• 2 types of conditions in 'where clause'
• Light Condition first
• Heavy Condition first
• Select A from B where ConditionA and ConditionB

21
Heavy condition first
Result from Alonso research
22
Light condition first
Result from Alonso research
23
Heavies Queries

• Oracle evaluates the conditions from left to
  right
• MS Access evaluates the conditions from right to
  left
• MSSQL evaluates light condition first
• Table name needs to be known
• Some of the well known default tables
• MSSQL sysussers
• MySQL information_schema.c
  olums
• Oracle - all_users
  

24
Heavies Queries

• Example of time based injection using heavy
  queries on MSSQL (light condition evaluates
  first)?
• 1 AND (select count() FROM sysusers as sys1,
  sys2, sysusers as sys2, sysusers as sys3,
  sysusers as sys4, sysusers as sys5, sysusers as
  sys6, sysusers as sys7, sysusers as sys8)gt 0 AND
  52 lt (select top 1 ASCII(substring(name,1,1))
  from sysusers)?
• Suitable for databases that do not support time
  delay functions
• Ex Oracle and MS Access

heavy query
light query
25
Limitation

• Results are not efficient during the busy times
• Time delay results also depend on how much data
  stored in the table

26
Demo
27
Question ?
muhaimin.dzulfakar_at_security-assessment.com