Security Thoughts


Monday, November 05, 2007, 22:54

Bursting Performances in Blind SQL Injection - Take 2 (Bandwidth)

Today my colleague Giorgio Fedon of Minded Security told me about an idea for saving bandwidth while exploiting blind SQL injection.
His question was:


"When a pentester is trying to get the content of a DB by exploiting a blind injection, how can s/he get the Content-Length header without actually downloading the whole response body, so that s/he can save time and bandwidth?"

My answer was: "use HEAD! (in both senses :)"
It turned out that the RFC does not require it: Content-Length is an optional header, and Apache does not add one to the HEAD response for a PHP page, presumably because the script output is not buffered and the length is not known when the headers are sent.

HEAD /index.php HTTP/1.1
Host: 127.0.0.1
Accept: */*

HTTP/1.1 200 OK
Date: Mon, 05 Nov 2007 21:00:07 GMT
Server: Apache
Content-Type: text/html


See? No Content-Length in the response, even though my localhost home page is 90 bytes long and the RFC suggests that a HEAD response should carry the same headers as the corresponding GET.
Let's try it with the Range header:


GET /index.php HTTP/1.1
Host: 127.0.0.1
Accept: */*
Range: bytes=-1

HTTP/1.1 206 Partial Content
Date: Mon, 05 Nov 2007 21:03:15 GMT
Server: Apache
Content-Range: bytes 89-89/90
Content-Length: 1
Content-Type: text/html


So a Range request is answered without the whole body, but the Content-Range header in the response tells me how big the whole body is (the total after the slash).

Unfortunately, not all web servers behave the same.
IIS 6.0 ignores the Range header (which HTTP/1.1 allows, since Range support is optional) and simply sends the whole body in response to GET or POST requests.
But there is a but.
HEAD requests are answered with the right Content-Length, even when the request carries a body with the injected parameter:


HEAD /search.aspx HTTP/1.1
Host: 127.0.0.1
Accept: */*
Content-Length: 22

search=all'+AND+'1'='1

HTTP/1.1 200 OK
Date: Mon, 05 Nov 2007 21:14:00 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 4790
Content-Type: text/html
Expires: Mon, 05 Nov 2007 21:14:00 GMT
Set-Cookie: ASPSESSIONIDSQTCRTQA=XXXXXXXXXXXXXXXXXXX; path=/
Cache-control: private



This means that we get the length of the response body even though no body is returned.

How can we use this?
By improving blind SQL injection tools.

Blind SQL injection tools usually tell a true from a false injection by the differences in the response bodies.
Using Content-Length or Content-Range instead could improve performance a lot, because only the headers have to be transferred for every request.

The following lookup table gives, for each server, the request method that returns the body length without the body, and whether the Range header is needed:

SERVER      METHOD     RANGE

IIS 6.0     HEAD       (none)
APACHE      GET/POST   X
IBM HTTP    GET/POST   X
WEBSPHERE   GET/POST   X

(X = send Range: bytes=-1 and read the total from Content-Range; for IIS 6.0 read Content-Length from the HEAD response.)

We (Giorgio and I) hope some readers will provide information about other web servers.

Comments:

Giorgio, Monday, November 05, 2007, 23:16

Just to clarify the method to discriminate between valid and wrong requests: it is supposed to be based upon the Content-Length field of the response.

 

Stefano, Monday, November 05, 2007, 23:29

As Giorgio said, the problem of discriminating between true/false responses will move from the content of the response body to the Content-Length in the header.
This is, obviously, only in the case of constant-length responses, which is not always satisfied (even if it is quite unusual).

 

floyd, Thursday, September 16, 2010, 15:17

Apache Tomcat 6.0.26 only works with the HEAD request and only with GET parameters.

I set up a script that simply reflects GET and POST parameters. Tomcat ends every HTTP response body with a newline. In the next request, abc=123 plus the ending newline character make a content-length of 8.

HEAD /forEach.jsp?abc=123 HTTP/1.1
Host: localhost:8080
Accept-encoding: identity
Accept: */*
User-agent: faked


HTTP/1.1 200 OK
date: Thu, 16 Sep 2010 12:53:56 GMT
set-cookie: JSESSIONID=B8A0F0B3193D13CAB9432C9F894596F5; Path=/
content-length: 8
content-type: text/html
server: Apache-Coyote/1.1


Unfortunately you cannot send POST data this way (the POST data is ignored and only the newline is counted in the content-length):

HEAD /forEach.jsp HTTP/1.1
Host: localhost:8080
Accept-encoding: identity
Accept: */*
User-agent: faked

abc=123


HTTP/1.1 200 OK
date: Thu, 16 Sep 2010 13:04:51 GMT
content-length: 1
content-type: text/html
server: Apache-Coyote/1.1


The range thing doesn't work (returns content!):

GET /forEach.jsp?abc=123 HTTP/1.1
Host: localhost:8080
Accept-encoding: identity
Accept: */*
User-agent: faked
Range: bytes=-1

HTTP/1.1 200 OK
date: Thu, 16 Sep 2010 13:02:18 GMT
content-length: 8
content-type: text/html
server: Apache-Coyote/1.1


abc=123


Same for POST with the Range header.

 

Stefano, Thursday, September 16, 2010, 16:25

Floyd,
thanks for the valuable info and for taking the time to extract it!

 

Wisec is written and maintained by Stefano Di Paola.