RE: SQL injection attacks

From: Craig Wright (cwright@bdosyd.com.au)
Date: Fri Mar 09 2007 - 18:54:58 EST


Again - you have missed the point of the post.

Non-interactive. You get nothing back from the server - no response - no feedback. No time delay.

Not HTTP - I have stated NOT an interactive attack on a web page. Yes - blind SQL attacks exist for web pages. The comment is that they do not for non-interactive data input.

Regards,
Craig

________________________________

From: listbounce@securityfocus.com on behalf of Sir Mordred
Sent: Wed 7/03/2007 9:25 PM
To: Craig Wright
Cc: pen-test@securityfocus.com
Subject: Re: SQL injection attacks

Hello.

> It is necessary that some information is returned to the attacker. The
> process involved separating valid requests from invalid requests on the
> server which enable the attacker to identify these responses.

> Error responses include monitoring the HTTP 500: Internal Server Error
> messages, 'Internal Server Error' messages (which are still linked to
> valid 200 Ok responses) and any application handles errors generated by
> the SQL server.

A quite common technique is to inject a conditional with a call to
BENCHMARK() and measure the time delay. Even if the application handles
errors gracefully and displays no information, the time delay still
leaks one bit of information. This will also work for statements
like DELETE and INSERT. With well-prepared statements, you can do
binary search on unknown values, meaning ~16 attempts per byte
(assuming we try both the condition and its reverse and measure the
time difference between two, this can be optimised of course).

> To exploit the SQL injection, it is necessary to have identified the
> specific database in use. Normal SQL injection testing techniques, such
> as adding SQL keywords (OR, AND, etc.), and META characters (such as; or
> ') rely on the knowledge of the system that the attacker has gained in
> the aforementioned stages.

We can identify the DBS not only by its use of syntactic characters,
but by trying to call system-specific functions.

> Without the knowledge of the system, it is not possible to determine the
> database, the entity names, relationships or any other database field.
> This is important as the attacker has to craft the Select statement
> along the lines of valid input fields. An example would be:

(snip)

> Without this information, the attacker can not hope to "guess" the
> database and entity names. Blank entries on a form do nothing to help
> identify either a database instance used or the naming structure in
> play.

Some of the DBS (MS SQL and MySQL (>5 I think) for sure) have
meta-tables with known names, which can be accessed to learn more
about the table structure. This is also another mechanism to identify
the DBS.

That said, guessing table and field names is by no means out of the
question. First, people are remarkably uninventive when they need to
name something, and second, they would often reuse the name in other
places - for example HTTP variable names for column names and script
names for table names (update_member.php?member_id=123)

Cheers,
Mordred
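As an added illustration (not part of either message in this thread), the following Python script takes the defender's side of the BENCHMARK() point above: a conditional delay injected into a parameter leaves two traces a web-server log can show, the delay primitive in the query string and a service time far above the norm for that path. The log lines are constructed for the example and reuse the script and parameter names from the thread; they assume a combined-log format with one extra trailing field holding the service time in milliseconds, and the thresholds (10x the path median, floor of one second) are arbitrary choices.

```python
import re
from collections import defaultdict
from statistics import median
from urllib.parse import urlsplit, unquote_plus

# Constructed access-log sample (not real traffic). Combined-log format with one
# extra trailing field: request service time in milliseconds. The requests reuse
# the script and parameter names mentioned in the thread
# (update_member.php?member_id=...). Lines 3 and 4 carry a BENCHMARK() conditional
# with the condition and its reverse; the last line is a legitimately slow report.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Mar/2007:18:54:58 -0500] "GET /update_member.php?member_id=123 HTTP/1.1" 200 512 14
10.0.0.5 - - [09/Mar/2007:18:55:01 -0500] "GET /update_member.php?member_id=124 HTTP/1.1" 200 509 12
10.0.0.9 - - [09/Mar/2007:18:55:04 -0500] "GET /update_member.php?member_id=123+AND+IF(1%3D1,BENCHMARK(5000000,MD5(1)),0) HTTP/1.1" 200 512 5120
10.0.0.9 - - [09/Mar/2007:18:55:10 -0500] "GET /update_member.php?member_id=123+AND+IF(1%3D2,BENCHMARK(5000000,MD5(1)),0) HTTP/1.1" 200 512 15
10.0.0.7 - - [09/Mar/2007:18:55:20 -0500] "GET /update_member.php?member_id=125 HTTP/1.1" 200 511 13
10.0.0.7 - - [09/Mar/2007:18:55:25 -0500] "GET /report.php?year=2006 HTTP/1.1" 200 20480 4500
"""

# Assumed log layout: client, ident, user, [timestamp], "request", status, bytes, ms.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) (?P<ms>\d+)$'
)

# Detection signatures for deliberate server-side delays: BENCHMARK() as discussed
# in the thread, plus the equivalent delay functions of other common engines.
TIMING_RE = re.compile(
    r'\b(?:benchmark|sleep|pg_sleep)\s*\(|\bwaitfor\s+delay\b', re.IGNORECASE
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "path": parts.path,
        "query": unquote_plus(parts.query),  # decode %xx and '+' before signature matching
        "status": int(m.group("status")),
        "ms": int(m.group("ms")),
    }


def per_path_median(records):
    """Median service time per path; the median is robust to a few slow outliers."""
    times = defaultdict(list)
    for r in records:
        times[r["path"]].append(r["ms"])
    return {path: median(v) for path, v in times.items()}


def analyse(log_text, factor=10, floor_ms=1000):
    """Flag requests carrying a timing primitive or far slower than their path's norm."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    baseline = per_path_median(records)
    findings = []
    for r in records:
        reasons = []
        if TIMING_RE.search(r["query"]):
            reasons.append("timing primitive in query string")
        # Per-path baseline: a slow report page is normal for that page, not an alert.
        threshold = max(factor * baseline[r["path"]], floor_ms)
        if r["ms"] >= threshold:
            reasons.append(
                f"service time {r['ms']}ms >= {threshold:.0f}ms "
                f"(path median {baseline[r['path']]:.0f}ms)"
            )
        if reasons:
            findings.append(
                {"ip": r["ip"], "ts": r["ts"], "path": r["path"], "ms": r["ms"], "reasons": reasons}
            )
    return findings


def by_client(findings):
    """Count flagged requests per source address; a pair of fast/slow probes shows up here."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = analyse(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ip']} {f['ts']} {f['path']} {f['ms']}ms: " + "; ".join(f["reasons"]))
    print(by_client(hits))
```

Run as-is it reports the two probes from 10.0.0.9: the true-condition request is caught by both the signature and the latency rule, the reversed condition by the signature alone, while the 4.5 s report page is left alone because it is judged against its own path's median. That is the practical consequence of Mordred's point: suppressing error messages does not close the channel, so the timing side and the parameter contents need their own monitoring.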

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:39 EDT