Research on time-based SQL injection

SQL injection attacks are a popular attack in the industry and were first proposed by the RFP in the "NT Web technology Vulnerabilities" article in the 54th issue of Phrack Magazine in 1998. The technology and tools of SQL injection have been evolving and evolving. SQL injection is now a big area of information security, whether small to personal sites, or large to e-commerce sites, there are more or less SQL injection vulnerabilities. Why SQL injection vulnerability will be repeated, the reason is to prevent SQL injection vulnerability, the need for SQL statements, business process behavior, a variety of mainstream database-related mechanisms have a deep understanding and understanding, in order to really do SQL injection attack and prevention.

SQL Injection and Blinds

The definition of SQL injection and the general method of judging, is nothing more than the famous three-paragraph. Ordinary SQL injection is through the construction of SQL statements, sensitive information directly exposed to the Web page, there are two ways, one is through the error mode, one is through union Select Federated Query mode. Normal SQL injection is not perfect, and once the developer handles the error page, the Unionselect keyword is filtered and the injection is no longer valid. In fact, there is a big problem with this kind of repair method. If you do not take other measures, simply changing to a unified error page does not prevent SQL injection, which will result in a more advanced approach to SQL injection blinds. The blinds are judged by constructing SQL judgment statements and by returning the different pages. There are three types of returned pages: The results page, the 0 results page, and the error filtering page. As long as there are two of these pages, no matter which two pages can be, you can determine the presence of an injection vulnerability. Of course, there is a premise that these different pages are caused by the different execution of the SQL statements entered into the URL. But the common blind is not absolutely effective, once there are no more than two differences in the page, or can not be different from the page to determine the validity of the SQL statement in the URL, you should use a time-based SQL blind. The characteristics and usage of time-based SQL Blinds Suppose there is such a file, no matter how injected, the page content is the same, but this file does have an injection point. The key is not to get the difference page through the ordinary blind, no difference can not be blind. Why there are no differences, there are several situations:

The first scenario is that no information is displayed, such as a landing page, regardless of what you enter. In this case, there may only be a login failure page, the error page is blocked, and in the absence of a password, the login successful page is generally not known. In this case, it is possible that time-based SQL injection will work.

The second case: only the normal information page is displayed regardless of what you enter. For example, a module page that collects logged-in user information. Collect the user's IP, browser type, refer field, Session field, and no matter what the user enters, the normal page is displayed.

Third case: The diff page is not determined by the SQL statement in the input URL. In this case, you can only use time-based blinds.

In short, there are many scenarios, as long as there is no way to make a general SQL blind through the diff page, the time-based SQL blinds are possible.

Oracle Database Blinds

Time-based blinds in Oracle mainly use Dbms_pipe. Receive_message () function and Casewhen? Then? statement. Here is an example:

5593= (Casewhen (ASCII (SUBSTRC (SELECTNVL (Columnname]asvarchar), CHR) from  (SELECT   [ Columnname],rownum  as  LIMIT  from  (selectdistinct ([ColumnName])  from   [TableName]  ) WHERE  Limit=[stringindex]), [charindex],1])   [Guesschar]) thendbms_pipe. Receive_message (CHR (90) | | CHR (80) | | CHR (71) | | CHR (5) ELSE 5593 END)

Select all the data under [ColumnName] field in [TableName], choose each data individually, select each character in each data individually, determine if the ASCII value of the character is greater than [Guesschar], and if it is greater than, wait 5 seconds, If no greater than will return 5593, when 5593, the entire judging condition is true. The above statement is used to get the data in the specified column of the specified table. We can also use User_tab_columns, All_tab_columns,

Tables or views such as All_tables and user_tables to get the table name and column name you want. If you filter ",", you can use like to make equivalent changes. MSSQL Database Blind Note

1) Common injection method

The time-based blinds in MSSQL mainly use WAITFOR delay and if statements. Here is an example:

; if (ASCII (substring (SELECT top 1 name from [DatabaseName]: sysobjects where Xtype=uand name in (selecttop [StringIndex] name from [DatabaseName]: sysobjects wherextype=u)), [charindex],1))%3e[guesschar]) waitfor DELAY 0:0:4--SELECT [DatabaseName] Database sysobjects table Name field, and select each entry individually, each of the characters in the entry is judged by the ASCII code value, and if it is greater than the code value specified in [Guesschar], the response will be delayed by 4 seconds.

2) Advanced Injection method

In addition to the method of using delay function directly, there is another method in MSSQL, which is simply the execution order of WHERE clause in MSSQL database. Because the MSSQL database is optimized using CBR technology, the WHERE clause is not necessarily executed in the order in which the clauses are written, but according to the complexity of each clause, the database executes the less complex clauses, and if each clause uses and to connect, Then the return result of the smaller clause is false, resulting in the overall return of false, the results of other high-complexity statements will be irrelevant, resulting in other high-complexity statements are exempt from execution, and because the high-complexity clauses consume time and the system resources are large, thereby shortening the system execution time. If the individual clauses behind the where are not a side-by-side relationship, but rather a dependency or progressive relationship, special handling, such as case-when or subquery, is required.

In short, the true and false of the return result of a small complex clause will determine whether the more complex clauses are executed or not, and determine the length of time to return the entire SQL statement execution. With such a time difference, it is possible to determine whether a clause with a smaller complexity has been executed successfully.

3) Using the example

If you determine whether the site has a time-based blind, you can use the following statement:

Http://xxx/index.asp?id=1 and (SelectCount (*) from syscolumns as Sys1,syscolumns Assys2,syscolumns as sys3,syscolumns as Sys4,syscolumns as sys5,syscolumns as SYS6) 0 and 1=1

Where (SELECT count (*) from syscolumns as Sys1, syscolumns as sys2,syscolumns as

Sys3,syscolumns as sys4,syscolumns as sys5,syscolumns as SYS6) 0 is a more complex clause, 1=1

is a less complex statement. 1=1 returns to True, the earlier clause with greater complexity is exempt from execution. The entire query result will be returned immediately. If it is 1=2, the database will execute a more complex clause, and the results of the query will be greatly delayed. For example, the following statement can be used to determine whether the current user rights are sufficient.

Http://xxx/index.asp?id=1 and (SELECT count (*) from syscolumns as Sys1, syscolumns Assys2,syscolumns as sys3,syscolumns as Sys4,syscolumns as sys5,syscolumns as SYS6) 0 and1= (SELECT is_member (sysadmin))

MySQL Database Blinds

Time-based blind in MySQL database there are two options for using the delay function, one for the benchmark (count,expr) function and one for the sleep function. The former achieves the purpose of delay by executing the expr statement count times, which is a direct delay in time. For example, the use of the benchmark function can be written as:

id=1  Union  Select 1,benchmark (1000000,MD5 (Test)), 1 from use where  userid=1 andord (substring (username, )) =97/*

Can also be written as:

Id=1unionselectif (substring (password,1,1) =a,benchmark (10000000,sha (1)), 0) Username,password from Cms_users where Username = admin/*

An example of using the Sleep function is as follows:

8468=if ((ORD ((Select%20ifnull ([Columnname]%20as%20char), 0x20)%20from%20[databasename].[ tablename]%20limit%20[stringindex],1), [charindex],1])%20%3e%20[guesschar]), SLEEP ([Delaytime]), 8468)

In order to deal with some of the WAF firewalls, you can remove the IF keyword, or you can remove the "", "" and other symbols, using like or in to replace.

Defense methods

The way to deal with time-based SQL blinds and other types of blinds is to do three things: filtering the input data, processing the output data, and setting the SQL statement access rights.

Returns whether the information is filtered: Only control the return information can not completely avoid the existence of injection vulnerability, only to make use of the difficulty increases, there may be a succession of note, blind, time-based blind. Even if the error page is redirected, it may not be possible to note, for example, using union Select to go through the normal input page to output. The filtering of the return information is only necessary, not sufficient.

Whether the connection permission is SA: If the connection permissions are set very tightly, then the injection of the system table can be very difficult to succeed, only by brute-force guessing the table name guessing the way the data, the luck component is very large, but if you have the right to update the current data table, it is possible to insert or delete data into the normal business table. Whether the input data is filtered: input data filtering This section is more complex, need to combine with WAF, middleware, application of the three to filter, if the filter is tight, SQL injection will be very difficult. However, in some special business and some special circumstances, it is impossible to filter out all the keywords and symbols, if filtered out, may cause the business is not available.

Summarize

The most important feature of the common SQL blinds or time-based SQL blinds is that they are different and can be injected as long as they are different. This is the so-called line. The database connection user is the best administrator account, otherwise you can only use brute force. This is the so-called hard and easy question. Of course, these are in the case of keywords and symbol filtering is not strict. The injection method mentioned above can only be a few simple examples. If you have enough knowledge of the database, you can use your imagination to construct SQL statements to accomplish specific functions.

Research on time-based SQL injection