The WIse SECurity
Friday, October 05, 2007, 17:47
Optimizing the number of requests in blind SQL injection
Blind injection is often treated as an on/off binary search carried out with the bisection algorithm.
Let's suppose the rest of the application gives no clue about SQL errors, and that there is no way to use other tricks to force the web application to display the information we want.
This is a classical Blind SQL Injection case.
But what happens if changing the 'id' value results in different pages being displayed?
The attacker could use the different responses to map the results of an injected conditional SQL statement.
Let's suppose there are more than 255 values for the 'id' parameter;
then let's map every unique snippet of text content returned for each request.
Then by setting
the attacker will have to accomplish only
requests, because for every request the application will return the page mapped to the character value.
Now, this is the best case.
For every character value there exists a single id value.
There could instead be fewer than 255 id values
(or fewer than the number of printable characters, for non-binary information).
Let's suppose there exist only 4 unique id values corresponding to 4 unique responses.
Then the injected query will be (in pseudo code):
For each result, the set of values we are analysing will be 1/4 of the previous set.
This algorithm is O(log_4 255), which corresponds to
LEN * log_4 255 = LEN * 3.9
requests to be sent.
The worst case is the On/Off bisection algorithm already described in several papers.
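To make the request-count comparison concrete, here is an added Python simulation that is not code from the original post. It runs the k-ary narrowing described above against a local oracle that only reports which of k disjoint buckets holds the secret value, standing in for the k distinguishable response pages, and counts oracle calls over 255 candidate values for k = 4 and for the on/off bisection case (k = 2). The candidate set (0..254), the bucket count k and the near-equal split are assumptions of the simulation, not details taken from the post.

```python
import math


def k_ary_search(oracle, candidates, k):
    """Narrow `candidates` down to one value using an oracle that, given a list of
    at most k disjoint buckets, returns the index of the bucket holding the secret.
    Each oracle call models one request whose response is one of k distinct pages
    (assumption: the k responses are reliably distinguishable).
    Returns (value, number_of_oracle_calls)."""
    remaining = list(candidates)
    calls = 0
    while len(remaining) > 1:
        # near-equal split of what is left into at most k buckets
        size = math.ceil(len(remaining) / k)
        buckets = [remaining[i:i + size] for i in range(0, len(remaining), size)]
        calls += 1
        remaining = buckets[oracle(buckets)]
    return remaining[0], calls


def make_oracle(secret):
    """Local stand-in for the application: reports only which bucket contains `secret`."""
    def oracle(buckets):
        for idx, bucket in enumerate(buckets):
            if secret in bucket:
                return idx
        raise ValueError("secret not in any bucket")
    return oracle


def max_calls(n_values, k):
    """Worst-case oracle calls to identify one value among n_values using k responses,
    checked by actually running the search for every possible secret."""
    candidates = range(n_values)
    worst = 0
    for secret in candidates:
        value, calls = k_ary_search(make_oracle(secret), candidates, k)
        assert value == secret, "search must always recover the secret"
        worst = max(worst, calls)
    return worst


def requests_for_string(length, n_values, k):
    """Requests needed to recover `length` characters one character at a time
    (the post's LEN * log_k 255, with the logarithm rounded up to whole requests)."""
    return length * max_calls(n_values, k)


if __name__ == "__main__":
    for k in (2, 4, 16):
        print(f"k={k:2d}: {max_calls(255, k)} requests per character "
              f"(log_{k} 255 = {math.log(255, k):.2f})")
```

Running it shows 8 requests per character for the bisection case and 4 for four distinguishable pages, matching log_4 255 rounded up; more distinguishable pages shrink the count further. From the defensive side this is the reason to collapse the application's responses to a single page for any condition-dependent failure: the fewer distinct pages an attacker can tell apart, the closer the traffic is pushed back to the bisection worst case, which is the larger and more visible request volume.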
I don't have the time to implement it now, but I hope to see some tool with this (maybe) new approach in it :)
Wisec, Tuesday, October 09, 2007, 00:20
Just a couple of corrections:
Bedirhan Urgun, Tuesday, October 09, 2007, 15:54
Wisec, Tuesday, October 09, 2007, 16:27
Bedirhan Urgun, Tuesday, October 09, 2007, 19:29
Hi Stefano, :)
Wisec, Tuesday, October 09, 2007, 19:38
Thanks Bedirhan :)
Wisec, Tuesday, October 09, 2007, 19:43
Ah, thanks to your definition Bedirhan,
Bedirhan Urgun, Wednesday, October 10, 2007, 07:50
You are right. It shouldn't be that hard for an automatic scanner to find "maps" for a blind SQL injection. :) Just one bit: IDs might not just consist of numerical/incrementing values but, for example, some sparse account numbers or even e-mail addresses. Anyway, for really less noisy blind SQLi exploits, your approach should help a lot!
Bernardo Damele, Thursday, October 11, 2007, 15:43
Wisec is written and maintained by Stefano Di Paola.