This article discusses the time-delay techniques involved in discovering SQL injection issues from the perspective of interacting with Web apps using a browser.
When testing an application for SQL injection vulnerabilities, it is often found that a potential vulnerability is difficult to confirm. This may be due to a variety of reasons, but it is primarily because the Web app does not display any errors, so the tester cannot retrieve any data through it.
In this case, to identify the vulnerability, you can inject a time delay into the database query and check whether the server's response is delayed by the same amount. Time delay is a powerful technique: although the Web server can hide errors or data, it must still wait for the database to return its results, so the delay can be used to confirm the existence of SQL injection. This technique is particularly suitable for blind SQL injection.
Microsoft SQL Server contains a built-in command that introduces a delay into a query: WAITFOR DELAY 'hours:minutes:seconds'. For example, if the following request is sent to the victim Web server, the server's response would take approximately 5 seconds:
http://www.victim.com/basket.aspx?uid=45; WAITFOR DELAY
The delay in the server's response confirms that the injected SQL code reached the backend database.
The MySQL database does not have a command equivalent to WAITFOR DELAY, but a function that takes a long time to execute can be used to introduce the delay. MySQL's BENCHMARK() function is a good choice: it executes an expression many times and is normally used to measure how fast MySQL evaluates an expression. The time the database needs will vary with the server's workload and compute resources; however, as long as the delay is noticeable, this technique can be used to identify the vulnerability. Take a look at the following example:
SELECT BENCHMARK(10000000, ENCODE('hello', 'Mom'));
+---------------------------------------------+
| BENCHMARK(10000000, ENCODE('hello', 'Mom')) |
+---------------------------------------------+
|                                           0 |
+---------------------------------------------+
1 row in set (3.65 sec)
It took 3.65 seconds to execute the query. If you inject this code through a SQL injection vulnerability, the server's response is delayed accordingly. If you want to delay the response further, simply increase the number of iterations, as follows:
http://www.victim.com/display.php?id=32; SELECT BENCHMARK(10000000, ENCODE('hello', 'Mom'));--
In Oracle PL/SQL, the following block can be used to create the delay:
BEGIN DBMS_LOCK.SLEEP(5); END;
The DBMS_LOCK.SLEEP() function suspends the session for the given number of seconds, but there are several limitations to using it. First, it cannot be injected directly into a subquery, because Oracle does not support stacked queries. Second, only the database administrator can use the DBMS_LOCK package.
In Oracle PL/SQL there is a better way to inject the delay inline, using the following directive:
http://www.victim.com/display.php?id=32 or 1=dbms_pipe.receive_
The DBMS_PIPE.RECEIVE_MESSAGE function waits 10 seconds for data to arrive on the pipe named RDS. By default, execute permission on this package is granted to PUBLIC, and, unlike DBMS_LOCK.SLEEP(), it is a function that can be called from within a SQL statement.
In newer versions of the PostgreSQL database (8.2 and later), the pg_sleep function can be used to cause a delay:
pg_sleep(10)
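Seen from the defender's side, the same delay primitives are what a log review would look for. The following Python script is an added example, not part of the original article: it scans constructed access-log lines (a hypothetical format with the response time in seconds as the last field), matches the URL-decoded query string against the WAITFOR DELAY, BENCHMARK, DBMS_PIPE/DBMS_LOCK and pg_sleep primitives described above, and reports a request only when its response was also far slower than the other requests to the same path.

```python
import re
from urllib.parse import unquote_plus
# Delay primitives covered in the article, keyed by DBMS; matched against the
# URL-decoded, lower-cased query string.
DELAY_PRIMITIVES = {
    "mssql": re.compile(r"waitfor\s+delay"),
    "mysql": re.compile(r"benchmark\s*\(\s*\d+\s*,"),
    "oracle": re.compile(r"dbms_(?:pipe\.receive_message|lock\.sleep)\s*\("),
    "postgresql": re.compile(r"pg_sleep\s*\("),
}
# Constructed log shape (hypothetical): request line, status, bytes, then the
# response time in seconds as the last field.
LOG_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3}) \S+ ([\d.]+)$')
# Constructed sample traffic: the article's two probes among ordinary requests.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2024:10:00:01 +0000] "GET /basket.aspx?uid=45 HTTP/1.1" 200 2311 0.210',
    '10.0.0.9 - - [12/Mar/2024:10:00:07 +0000] "GET /basket.aspx?uid=45;%20WAITFOR%20DELAY%20%270:0:5%27 HTTP/1.1" 200 2311 5.240',
    '10.0.0.9 - - [12/Mar/2024:10:00:09 +0000] "GET /display.php?id=32;%20SELECT%20BENCHMARK(10000000,ENCODE(%27hello%27,%27Mom%27));-- HTTP/1.1" 200 870 3.910',
    '10.0.0.9 - - [12/Mar/2024:10:00:12 +0000] "GET /display.php?id=33 HTTP/1.1" 200 871 0.120',
    '10.0.0.7 - - [12/Mar/2024:10:00:14 +0000] "GET /search?q=shoes HTTP/1.1" 200 500 0.250',
    '10.0.0.7 - - [12/Mar/2024:10:00:15 +0000] "GET /search?q=benchmark(1,1) HTTP/1.1" 200 500 0.300',
]

def parse_line(line):
    """Return (path, decoded_query, status, seconds), or None if unparseable."""
    m = LOG_RE.search(line)
    if not m:
        return None
    target, status, secs = m.groups()
    path, _, query = target.partition("?")
    return path, unquote_plus(query), int(status), float(secs)

def detect_delay_probes(lines, slow_factor=5.0):
    """Flag requests whose decoded query carries a delay primitive AND whose
    response took more than slow_factor times the median of the other requests
    to the same path (a path seen once has no baseline and matches on pattern alone)."""
    parsed = [p for p in (parse_line(l) for l in lines) if p]
    by_path = {}
    for path, _, _, secs in parsed:
        by_path.setdefault(path, []).append(secs)
    findings = []
    for path, query, _, secs in parsed:
        others = list(by_path[path])
        others.remove(secs)  # baseline excludes the request being judged
        baseline = sorted(others)[len(others) // 2] if others else 0.0
        for dbms, pattern in DELAY_PRIMITIVES.items():
            if pattern.search(query.lower()) and secs > slow_factor * baseline:
                findings.append({"path": path, "dbms": dbms, "seconds": secs})
    return findings
```

The last sample line contains a BENCHMARK() call but completed in normal time, so it is not reported; requiring both the pattern and the timing anomaly keeps ordinary search terms from producing noise.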
Time-delay technology in various databases