#1 Registered User (Devshed Newbie)

    Blind Time-Based SQLi


    Good evening guys,

    I'm working on pentesting a vulnerable web app hosted by myself, and I am struggling with SQL queries here. In the code below, the "Referer" HTTP header is vulnerable to SQL injection. However, I've determined that without the '+ before the command and +' after the command, the query comes back as an error.

    Code:
    GET /vulnwebapp/index.php?id=2 HTTP/1.1
    Host: 192.168.127.133
    Proxy-Connection: keep-alive
    User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.79 Safari/537.4
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Referer: '+IF(SUBSTRING(USER(),1,1)='r',SLEEP(5),1)+' <-- This is the SQLi vulnerability. It causes the page to sleep
    Accept-Encoding: gzip,deflate,sdch
    Accept-Language: en-US,en;q=0.8
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

    If possible, I am basically just needing assistance as to what information could be obtained by using the sleep command, perhaps with some sort of iteration command, if that makes sense. For example, I was able to iterate through the command in the referer above to discover the username as "root". I was also able to do the same by replacing USER with DATABASE, and discover my database name.

    I hope this isn't the inappropriate place to ask, but I would really appreciate any input. Most importantly, I am extremely frustrated and curious to know what other information can be pulled by using iteration commands such as the above which would provide beneficial information (i.e., table names, password hashes, etc.).

    Thanks.
#2 Sarcky (Devshed Supreme Being)
    The way a test like that works is, it causes a delay in the server's response. If your server replies in 1 second normally, and 6 seconds with the forged referrer, that means that your database is executing the referrer name as code.
    HEY! YOU! Read the New User Guide and Forum Rules

    "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin

    "The greatest tragedy of this changing society is that people who never knew what it was like before will simply assume that this is the way things are supposed to be." -2600 Magazine, Fall 2002

    Think we're being rude? Maybe you asked a bad question or you're a Help Vampire. Trying to argue intelligently? Please read this.
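A defender-side check for the timing signal Sarcky describes, added here as an example and not code from the thread. It scans constructed access-log lines (assumed format: client, request, status, Referer, response time in ms) and flags requests whose Referer carries a MySQL time-delay function or whose response time is far above the baseline of ordinary requests.

```python
import re
from statistics import median

# Constructed sample log lines (not from the original thread). Assumed format:
# client "request" status "referer" response_time_ms
SAMPLE_LOG = """\
10.0.0.5 "GET /vulnwebapp/index.php?id=2" 200 "http://example.test/home" 120
10.0.0.5 "GET /vulnwebapp/index.php?id=2" 200 "http://example.test/home" 110
10.0.0.9 "GET /vulnwebapp/index.php?id=2" 200 "'+IF(SUBSTRING(USER(),1,1)='r',SLEEP(5),1)+'" 5130
10.0.0.9 "GET /vulnwebapp/index.php?id=2" 200 "'+IF(SUBSTRING(USER(),1,1)='a',SLEEP(5),1)+'" 115
10.0.0.7 "GET /vulnwebapp/index.php?id=3" 200 "-" 130
"""

LINE_RE = re.compile(r'^(\S+) "([^"]*)" (\d{3}) "([^"]*)" (\d+)$')
# MySQL functions commonly used to build a time-based probe; the thread uses SLEEP.
TIME_FUNCS = re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.IGNORECASE)


def parse(line):
    """Split one log line into fields; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, request, status, referer, ms = m.groups()
    return {"client": client, "request": request, "status": int(status),
            "referer": referer, "ms": int(ms)}


def analyse(log_text, slow_factor=10):
    """Return (client, referer, reasons) for every suspicious request."""
    events = [e for e in (parse(l) for l in log_text.splitlines()) if e]
    # Baseline latency from requests with no delay function in the Referer.
    baseline = median(e["ms"] for e in events if not TIME_FUNCS.search(e["referer"]))
    findings = []
    for e in events:
        reasons = []
        if TIME_FUNCS.search(e["referer"]):
            reasons.append("time-delay function in Referer")
        if e["ms"] > baseline * slow_factor:
            reasons.append(f"response {e['ms']}ms vs baseline {baseline:.0f}ms")
        if reasons:
            findings.append((e["client"], e["referer"], reasons))
    return findings


if __name__ == "__main__":
    for client, referer, reasons in analyse(SAMPLE_LOG):
        print(client, referer, "; ".join(reasons))
```

The second probe (a wrong guess, so no delay fires) is still caught by the header pattern even though its timing looks normal, which is why the two signals are checked independently.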
#3 Registered User (Devshed Newbie)
    Originally Posted by ManiacDan
    The way a test like that works is, it causes a delay in the server's response. If your server replies in 1 second normally, and 6 seconds with the forged referrer, that means that your database is executing the referrer name as code.
    I agree. I guess I am confused as to what possible information could I obtain from using if and sleep commands. I'll keep pecking away though. Thanks for your reply man.
#4 Sarcky (Devshed Supreme Being)
    You don't see how usernames and database names are valuable information? It's not a password, but it's more than most people have. Even if you switched to pure social engineering tactics from here on out you could trick someone into resetting the database password for you.
#5 Registered User (Devshed Newbie)
    Originally Posted by ManiacDan
    You don't see how usernames and database names are valuable information? It's not a password, but it's more than most people have. Even if you switched to pure social engineering tactics from here on out you could trick someone into resetting the database password for you.
    Yeah, but I already have the database and username. I was mostly confused as to the query commands to return the first character of perhaps a password, considering I was using time-based. With time-based, you do have to iterate through characters, right? Unless you're entering guesses, I would assume.
#6 Sarcky (Devshed Supreme Being)
    YOU already have the database name and password, but an ATTACKER doesn't (yet).

    Regardless of the method of attack, the vulnerability remains: your server executes user-submitted data as code. Enormous problem. End of sentence.
#7 Registered User (Devshed Newbie)
    Originally Posted by ManiacDan
    YOU already have the database name and password, but an ATTACKER doesn't (yet).

    Regardless of the method of attack, the vulnerability remains: your server executes user-submitted data as code. Enormous problem. End of sentence.
    I think you misunderstood. Although I am hosting the vulnerable web application, I've obtained the database name and username through the same methods (SQLi) as an attacker would. That's why I was curious as to what other information could be obtained.

    Anyways, thanks for your help. I've gained more information than I was looking for, and no longer need any assistance ^_^. Thanks.
