Blind SQL Injection


Description

Blind SQL (Structured Query Language) injection is a type of SQL Injection attack that asks the database true or false questions and determines the answer based on the applications response. This attack is often used when the web application is configured to show generic error messages, but has not mitigated the code that is vulnerable to SQL injection.
When an attacker exploits SQL injection, sometimes the web application displays error messages from the database complaining that the SQL Query's syntax is incorrect. Blind SQL injection is nearly identical to normal SQL Injection, the only difference being the way the data is retrieved from the database. When the database does not output data to the web page, an attacker is forced to steal data by asking the database a series of true or false questions. This makes exploiting the SQL Injection vulnerability more difficult, but not impossible. .

Threat Modeling

Same as for SQL Injection

Risk Factors

Same as for SQL Injection

Examples

An attacker may verify whether a sent request returned true or false in a few ways:

Content-based

Using a simple page, which displays an article with given ID as the parameter, the attacker may perform a couple of simple tests to determine if the page is vulnerable to SQL Injection attacks.
Example URL: 
http://newspaper.com/items.php?id=2
sends the following query to the database: 
SELECT title, description, body FROM items WHERE ID = 2
The attacker may then try to inject a query that returns 'false': 
http://newspaper.com/items.php?id=2 and 1=2
Now the SQL query should looks like this: 
SELECT title, description, body FROM items WHERE ID = 2 and 1=2
If the web application is vulnerable to SQL Injection, then it probably will not return anything. To make sure, the attacker will inject a query that will return 'true': 
http://newspaper.com/items.php?id=2 and 1=1
If the content of the page that returns 'true' is different than that of the page that returns 'false', then the attacker is able to distinguish when the executed query returns true or false.
Once this has been verified, the only limitations are privileges set up by the database administrator, different SQL syntax, and the attacker's imagination.


Time-based

This type of blind SQL injection relies on the database pausing for a specified amount of time, then returning the results, indicating successful SQL query executing. Using this method, an attacker enumerates each letter of the desired piece of data using the following logic:
If the first letter of the first database's name is an 'A', wait for 10 seconds.
If the first letter of the first database's name is an 'B', wait for 10 seconds. etc.
Microsoft SQL Server 
http://www.site.com/vulnerable.php?id=1' waitfor delay '00:00:10'--
MySQL 
SELECT IF(expression, true, false)
Using some time-taking operation e.g. BENCHMARK(), will delay server responses if the expression is True. 
BENCHMARK(5000000,ENCODE('MSG','by 5 seconds'))
- will execute the ENCODE function 5000000 times. Depending on the database server's performance and load, it should take just a moment to finish this operation. The important thing is, from the attacker's point of view, to specify a high-enough number of BENCHMARK() function repetitions to affect the database response time in a noticeable way.
Example combination of both queries: 
1 UNION SELECT IF(SUBSTRING(user_password,1,1) = CHAR(50),BENCHMARK(5000000,ENCODE('MSG','by 5 seconds')),null) FROM users WHERE user_id = 1;
If the database response took a long time, we may expect that the first user password character with user_id = 1 is character '2'. 
(CHAR(50) == '2')
Using this method for the rest of characters, it's possible to enumerate entire passwords stored in the database. This method works even when the attacker injects the SQL queries and the content of the vulnerable page doesn't change.
Obviously, in this example, the names of the tables and the number of columns was specified. However, it's possible to guess them or check with a trial and error method.
Databases other than MySQL also have time-based functions which allow them to be used for time-based attacks:
  • MS SQL 'WAIT FOR DELAY '0:0:10
  • PostgreSQL - pg_sleep()
Conducting Blind_SQL_Injection attacks manually is very time consuming, but there are a lot of tools which automate this process. One of them is SQLMap (http://sqlmap.org/) partly developed within OWASP grant program. On the other hand, tools of this kind are very sensitive to even small deviations from the rule. This includes:
  • scanning other website clusters, where clocks are not ideally synchronized,
  • WWW services where argument acquiring method was changed, e.g. from /index.php?ID=10 to /ID,10

Remote Database Fingerprinting

If the attacker is able to determine when his query returns True or False, then he may fingerprint the RDBMS. This will make the whole attack much easier. If the time-based approach is used, this helps determine what type of database is in use. Another popular methods to do this is to call functions which will return the current date. MySQL, MSSQL, and Oracle have different functions for that, respectively now(), getdate(), and sysdate().

Comments

Post a Comment

Popular posts from this blog

Reliance to Launch 4G Smartphones Under 'Lyf' Brand

Image
Reliance Retail, part of the  Reliance Industries  group, said Friday it will soon launch its own brand of 4G LTE smartphones under the brand Lyf. In an emailed statement, Reliance Retail said the brand is "built on the premise of unmatched user experience will offer high performance handsets that deliver a true 4G experience comparableto the best in the world." To that end, Reliance Retail said the Lyf range of smartphones will come with features like voice over LTE (VoLTE), voice over Wi-Fi (VoWi-FI), as well as HD voice and HD quality video calling. The company has earlier talked about  launching 4G smartphones at Rs. 4,000  and offering services at Rs. 300 per month. Apart from Reliance Retail, the Lyf brand of smartphones will be available through a wider distribution and retail network including multi-brand outlets. Earlier this month, Reliance Industries (which owns Reliance Jio Infocomm) and Reliance Communications announced  a partnersh...
Read more

14 Things You Can Do in Android Marshmallow That You Couldn't Do in Lollipop

Image
Whether you’ve put in an order for a  Nexus 6P  or you’re patiently waiting for Android version 6.0 to reach your  Galaxy S6 , you’ll want to know what Marshmallow can do for you. It’s not a dramatic leap forward for Google’s mobile OS, but there are still a number of useful new features you’re going to want to know about. Of course,  unlike Apple , Google updates all its key apps independently of the OS as a whole—that means there’s not quite as much to talk about with an Android update as there is with an iOS one. At this stage (stock) Android is pretty much Google Now with a settings page and a dialer app, but Marshmallow still offers plenty of reasons to look forward to your upgrade. 1. Get Google Now on tap Google Now on Tap  is the biggest new feature here and is activated with a long-press on the Home button. It’s designed to understand context better than ever before, so songs, movies, venues and the like are automatically identified inside t...
Read more

How to Make Your Computer Faster – 10 Proven tips

Image
Proven tips to make your Computer or Laptop run faster. How to make your computer faster  is a question that may be bothering many of you struggling hard with slower machines. Computers/Laptops start to slow down as they get older and clogged up with files, unused software and other digital debris. Even laptops with the fastest processors can start to run slow over time. However, that doesn’t necessarily mean you need to replace your machine with a new one or hire a computer geek to  make your Laptop run faster . Thankfully, you can  speed up your machine nearly to its full speed a lot easier than you think with few easy maintenance steps or inexpensive upgrades. Here are 10 proven simple tips on how to make your computer or laptop run faster, some of which of course, have been suggested many times before by computer experts. 1. How to make your Computer faster – Check free space on hard disk As you use your computer and load program...
Read more