Blind SQL Injection, What is Blind SQL Injection & How it is Work? Best Way to Figure Out.
Written by Appsbd Blog. Posted in SQL, MySQL No Comments
Description
Blind SQL Injection is a type of SQL injection attack that asks true or false questions to the database and determines the response based on the application’s response. This attack is often used when the web application is configured to display generic error messages, but has not mitigated code that is vulnerable to SQL injection.
When an attacker takes advantage of SQL injection, sometimes the Web application displays database error messages complaining that the SQL query syntax is incorrect. Blind SQL injection is almost identical to normal SQL injection, the only difference being the way data is retrieved from the database. When the database does not send data to the web page, an attacker is forced to steal data by asking the database a series of true or false questions. This makes exploiting the SQL injection vulnerability more difficult, but not impossible. .
Threat Modeling
- SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.
- SQL Injection is very common with PHP and ASP applications due to the prevalence of older functional interfaces. Due to the nature of programmatic interfaces available, J2EE and ASP.NET applications are less likely to have easily exploited SQL injections.
- The severity of SQL Injection attacks is limited by the attacker’s skill and imagination, and to a lesser extent, defense in depth countermeasures, such as low privilege connections to the database server and so on. In general, consider SQL Injection a high impact severity.
Risk Factors
The platform affected can be:
- Language: SQL
- Platform: Any (requires interaction with a SQL database)
SQL Injection has become a common issue with database-driven web sites. The flaw is easily detected, and easily exploited, and as such, any site or software package with even a minimal user base is likely to be subject to an attempted attack of this kind.
Essentially, the attack is accomplished by placing a meta character into data input to then place SQL commands in the control plane, which did not exist there before. This flaw depends on the fact that SQL makes no real distinction between the control and data planes.
Examples
An attacker may verify whether a sent request returned true or false in a few ways:
Content-based
Using a simple page, which displays an article with given ID as the parameter, the attacker may perform a couple of simple tests to determine if the page is vulnerable to SQL Injection attacks.
Example URL:
http://newspaper.com/items.php?id=2
sends the following query to the database:
SELECT title, description, body FROM items WHERE ID = 2
The attacker may then try to inject a query that returns ‘false’:
http://newspaper.com/items.php?id=2 and 1=2
Now the SQL query should looks like this:
SELECT title, description, body FROM items WHERE ID = 2 and 1=2
If the web application is vulnerable to SQL Injection, then it probably will not return anything. To make sure, the attacker will inject a query that will return ‘true’:
http://newspaper.com/items.php?id=2 and 1=1
If the content of the page that returns ‘true’ is different than that of the page that returns ‘false’, then the attacker is able to distinguish when the executed query returns true or false.
Once this has been verified, the only limitations are privileges set up by the database administrator, different SQL syntax, and the attacker’s imagination.
Time-based
This type of blind SQL injection relies on the database pausing for a specified amount of time, then returning the results, indicating successful SQL query executing. Using this method, an attacker enumerates each letter of the desired piece of data using the following logic:
If the first letter of the first database’s name is an ‘A’, wait for 10 seconds.
If the first letter of the first database’s name is an ‘B’, wait for 10 seconds. etc.
Microsoft SQL Server
http://www.site.com/vulnerable.php?id=1' waitfor delay '00:00:10'--
MySQL
SELECT IF(expression, true, false)
Using some time-taking operation e.g. BENCHMARK(), will delay server responses if the expression is True.
BENCHMARK(5000000,ENCODE('MSG','by 5 seconds'))
will execute the ENCODE function 5000000 times.
Depending on the database server’s performance and load, it should take just a moment to finish this operation. The important thing is, from the attacker’s point of view, to specify a high-enough number of BENCHMARK() function repetitions to affect the database response time in a noticeable way.
Example combination of both queries:
1 UNION SELECT IF(SUBSTRING(user_password,1,1) = CHAR(50),BENCHMARK(5000000,ENCODE('MSG','by 5 seconds')),null) FROM users WHERE user_id = 1;
If the database response took a long time, we may expect that the first user password character with user_id = 1 is character ‘2’.
(CHAR(50) == '2')
Using this method for the rest of characters, it’s possible to enumerate entire passwords stored in the database. This method works even when the attacker injects the SQL queries and the content of the vulnerable page doesn’t change.
Obviously, in this example, the names of the tables and the number of columns was specified. However, it’s possible to guess them or check with a trial and error method.
Databases other than MySQL also have time-based functions which allow them to be used for time-based attacks:
- MS SQL:
'WAIT FOR DELAY '0:0:10''
- PostgreSQL:
pg_sleep()
Conducting Blind SQL Injection attacks manually is very time consuming, but there are a lot of tools which automate this process. One of them is SQLMap partly developed within OWASP grant program. On the other hand, tools of this kind are very sensitive to even small deviations from the rule. This includes:
- scanning other website clusters, where clocks are not ideally synchronized,
- WWW services where argument acquiring method was changed, e.g. from
/index.php?ID=10
to/ID,10
Remote Database Fingerprinting
If the attacker is able to determine when their query returns True or False, then they may fingerprint the RDBMS. This will make the whole attack much easier. If the time-based approach is used, this helps determine what type of database is in use. Another popular methods to do this is to call functions which will return the current date. MySQL, MSSQL, and Oracle have different functions for that, respectively now()
, getdate()
, and sysdate()
.
Related Attacks
- Blind_XPath_Injection
- SQL_Injection
- XPATH_Injection
- LDAP_injection
- [Server-Side_Includes_%28SSI%29Injection](https://owasp.org/www-community/attacks/Server-Side_Includes(SSI)_Injection)
Related Vulnerabilities
Related Controls
See the OWASP SQL Injection Prevention Cheat Sheet.
References
- http://www.cgisecurity.com/questions/blindsql.shtml
- http://www.imperva.com/application_defense_center/white_papers/blind_sql_server_injection.html
- http://www.securitydocs.com/library/2651
- http://seclists.org/bugtraq/2005/Feb/0288.html
- http://ferruh.mavituna.com/makale/sql-injection-cheatsheet/
Online Resources
- more Advanced SQL Injection – by NGS
- Blind SQL Injection Automation Techniques – Black Hat Pdf
- Blind Sql-Injection in MySQL Databases
- Cgisecurity.com: What is Blind SQL Injection?
- Kevin Spett from SPI Dynamics: