
Security Thoughts

Monday, November 05, 2007, 22:54

Bursting Performances in Blind SQL Injection - Take 2 (Bandwidth)

Today my colleague Giorgio Fedon of Minded Security told me about an idea for saving bandwidth while exploiting blind SQL Injection.
My answer was: "use HEAD! (in both senses :)" It turned out that the RFC says it's not possible to use it. In fact, Apache doesn't include a Content-Length header in its response to a HEAD request.
See? No Content-Length in the response, even though my localhost home page is 90 bytes long (as the RFC suggests). Let's try it with the Range header:
Ahhhh, so the Range header in a request will fulfill my request without sending me the whole body, but with a Content-Range that shows me how big the body itself would be. Unfortunately, not all web servers act the same. IIS 6.0 doesn't follow the HTTP 1.1 RFC and simply sends the whole body in response to GET or POST requests. But... yes, there is a but. HEAD requests are fulfilled with the right Content-Length:
This means that we get the length of the response body even when there's no body in the response. How to use this information? By improving blind SQL injection tools. Blind SQL injection tools often use the differences in response bodies to tell whether the injection produced a true or a false response. Using Content-Length or Content-Range could improve performance a lot. The following lookup table is by server and method:
We (me and Giorgio) hope some reader will provide information about other web servers.

Comments:

Giorgio, Monday, November 05, 2007, 23:16
Just to clarify the method to discriminate between valid and wrong requests: it is supposed to be based upon the Content-Length field of the response.

Stefano, Monday, November 05, 2007, 23:29
As Giorgio said, the problem in discriminating between True / False response will move from the content of response body to the Content-Length in header.

floyd, Thursday, September 16, 2010, 15:17
Apache tomcat 6.0.26 only works with the HEAD request and only with GET parameters.

Stefano, Thursday, September 16, 2010, 16:25
Floyd,
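A defender's view of the behaviour described in the post above, as an added example that is not part of the original post or its comments: because HEAD and Range let a client compare response lengths without downloading bodies, one sign in access logs is a single client sending many HEAD requests (or receiving many 206 replies) for one path with changing query strings. The Apache combined log format, the threshold, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: Apache/NCSA combined log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def find_length_probing(lines, min_queries=5):
    """Map (client, path) -> number of distinct query strings requested
    body-less: via HEAD, or answered with 206 Partial Content (Range)."""
    queries = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a combined-format request line
        parts = urlsplit(m["target"])
        bodyless = m["method"] == "HEAD" or m["status"] == "206"
        if bodyless and parts.query:
            queries[(m["ip"], parts.path)].add(parts.query)
    return {k: len(v) for k, v in queries.items() if len(v) >= min_queries}

def _line(ip, method, target, status, size):
    # Constructed sample entry (documentation IP ranges, made-up paths).
    return (f'{ip} - - [05/Nov/2007:22:54:00 +0100] '
            f'"{method} {target} HTTP/1.1" {status} {size} "-" "-"')

SAMPLE_LOG = (
    # Many HEAD requests, same path, query changes each time: flagged.
    [_line("203.0.113.5", "HEAD", f"/item.php?id=7&n={i}", 200, "-") for i in range(6)]
    # Range requests answered with 206, query changes each time: flagged.
    + [_line("198.51.100.20", "GET", f"/news.php?id={i}", 206, 1) for i in range(5)]
    + [
        _line("192.0.2.10", "GET", "/item.php?id=7", 200, 5120),    # normal page view
        _line("192.0.2.44", "HEAD", "/", 200, "-"),                 # uptime check
        _line("192.0.2.77", "GET", "/media/clip.mp4", 206, 65536),  # resumed download
        "malformed line",
    ]
)

if __name__ == "__main__":
    for (ip, path), n in find_length_probing(SAMPLE_LOG).items():
        print(f"{ip} probed {path} with {n} distinct query strings")
```

The default combined format does not record the Range request header itself, so the 206 status stands in for it here; logging that header explicitly gives a more direct signal.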
Wisec is written and maintained by Stefano Di Paola.