Deep-blind SQL Injection Technology

Deep-blind SQL Injection Technology
Ferruh Mavituna www. portc ullis-sec urity. c om
Translation: daokers

Note: I have translated Deep Blind SQL Injection into SQL Deep Blind Injection technology or SQL advanced Blind Injection technology.

Deep-blind SQL injection has been described in many articles. if the injection points are completely blind, the only method for extracting database data is Time Difference-based attacks, such as waitfor delay and BENCHMARK.
There are currently two known methods to read data,
1. Read data by byte
2. Use the binary search algorithm to read data in Character Mode

Both methods have the "one request-one response" restriction, and each character needs to send 6 requests to the server on average.
Reading data in deep-blind SQL injection is more complex than traditional blind injection. However, it is still possible to obtain data, and the number of requests sent to the server may be reduced by 66%, because only two requests instead of six requests are required to obtain each character.

Deep-blind SQL Injection works well on ms SQL servers, and may also work on other databases, such as ORACLE and PostgreSQL.

The injection method for a request to receive multiple responses is based on the time difference. For example, if the first half of the character is 6, the database waits for 12 seconds. If the second half is 1, the database waits for 2 seconds. Attackers should store the server's response times and divide the response every two times. As a result, in the two requests, we get 0x61, that is, 'A '. Obviously, it is also possible to use units larger or smaller than 2 to split the response information.

Instance
An SQL Server attack feature:

Program Code DECLARE @ x as int; DECLARE @ w as char (6 );
SET @ x = ASCII (SUBSTRING (master. dbo. fn_varbintohexstr (CAST ({QUERY} as varbinary (8000), {POSITION}, 1 ));
IF @ x> 97 SET @ x = @ x-87 else set @ x = @ x-48; SET @ w = '0: 0: '+ CAST (@ x * {SECONDS} as char); waitfor delay @ w

{QUERY} is the data you want to obtain. The data can be used to make variables such as USER, functions such as db_name (2), or return the Select statement for one row and one column.
{POSITION} is the half byte to be read. You need to add 2 to replace the "0x" of the start part of the SQL Server Response ".
{SECONDS} is the multiplier of the wait time. The waiting time can be measured in milliseconds, but the score can also be calculated, for example, the waiting delay is '0: 0: 0.51 '.

The same Code can be expressed in different ways, with a little different, shorter, but more difficult to read.

Program Code DECLARE @ x as int; DECLARE @ w as char (6 );
SET @ x = ASCII (SUBSTRING (master. dbo. fn_varbintohexstr (CAST ({QUERY} as varbinary (8000), {POSITION}, 1 ));
SET @ w = '0: 0: '+ CAST (@ x + (@ x & 79)/8) + (@ x/64) & 15) * 2) as char );

Waitfor delay @ w

Actual attack

In general, deep-blind SQL attacks are not suitable for manual attacks. It is wise to adopt automatic attacks. These functions have been implemented in "BSQL Hacker.

Restrictions

• If the connection time is too slow or the server cannot predict the number of responses due to other reasons, the software will be unstable
• Most server scripts and database connections have a connection timeout limit of about 30 seconds (although for 2 RMB 2 multiplication (?) To enumerate a half byte, 30 seconds is enough. However, to increase the stability of the results in other environments, a longer timeout limit may be required. We recommend that you set this parameter to 60 seconds)

Author
Nico Leidecker-http: // www. le ide cker. info /,
Thanks for shorter he x stri ng to I nte ger conversion algori thm.

References

• 0 3/02/20 07-I dea
• 01/05/2007-Priv ate Release
• 19/0 8/2007-BSQL Hac ker implementatio n
• 10/0 9/2007-Formatting etc.
• 26/10/2007-Ready fo r Public Release
• 26/0 2/200 8-Hex Enco ding Improved

1 More Advanced SQL Injections, NGS Blind SQL Injecti on, SPI LS-DYNA mics Blind SQL Server Injecti on, Im perva
2 No error is dis played a nd no indicators are visi ble in the response that a n error occ urred
3 TB t outbound communica tion channels
4 At the time of writi ng BSQL Hacker is avai lable a t https: // la bs. por tcullis. co. uk/

Address: https://labs.portcullis.co.uk/application/deep-blind-sql-injection/
: Https://labs.portcullis.co.uk/download/Deep_Blind_ SQL _Injection.pdf
BSQL Hacker English: https://labs.portcullis.co.uk/download/BSQLHackerSetup-0909.exe
BSQL Hacker Chinese version: http://www.daokers.com/attachments/month_0907/f2009719161313.rar

Note:

For the Blind SQL Inject example, you can refer to the OWASP WebGot example and demonstration video. In addition, you can also use the JHijack Fuzz tool for Blind injection.

OWASP description of Blind SQL Injection:

Https://www.owasp.org/index.php/Blind_ SQL _Injection

When an attacker executes SQL Injection attacks, sometimes the server responds with error messages from the database server complaining that the SQL Query's syntax is incorrect. blind SQL injection is identical to normal SQL Injection failed t that when an attacker attempts to exploit an application, rather then getting a useful error message, they get a generic page specified by the developer instead. this makes exploiting a potential SQL Injection attack more difficult but not impossible. an attacker can still steal data by asking a series of True and False questions through SQL statements.