Dev Shed Forums
Blind Time-Based SQLi
October 7th, 2012, 09:03 PM
Registered User
Good evening guys,
I'm working on pentesting a vulnerable web app hosted by myself, and I am struggling with SQL queries here. In the code below, the "Referer" HTTP header is vulnerable to SQL injection. However, I've determined that without the '+ before the command and +' after the command, the query comes back as an error.
Code:
GET /vulnwebapp/index.php?id=2 HTTP/1.1
Host: 192.168.127.133
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.79 Safari/537.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: '+IF(SUBSTRING(USER(),1,1)='r',SLEEP(5),1)+' <-- This is the SQLi vulnerability. It causes the page to sleep
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
If possible, I basically just need assistance as to what information could be obtained by using the sleep command, perhaps with some sort of iteration command -- if that makes sense. For example, I was able to iterate through the command in the referer above to discover the username as "root". I was also able to do the same by replacing USER with DATABASE, and discover my database name.
I hope this isn't the inappropriate place to ask, but I would really appreciate any input. Most importantly, I am extremely frustrated and curious to know what other information can be pulled by using iteration commands such as the above which would provide beneficial information (i.e., table names, password hashes, etc.).
Thanks.
October 7th, 2012, 09:58 PM
Likely to be eaten by a grue.
The way a test like that works is, it causes a delay in the server's response. If your server replies in 1 second normally, and 6 seconds with the forged referrer, that means that your database is executing the referrer name as code.
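The timing difference ManiacDan describes is also what a defender can look for. As an added example (not code from the thread), the script below scans constructed web-server access log lines in Apache combined format with the request time in microseconds (%D) appended, and flags requests whose Referer carries a delay function or whose duration is far above the baseline for the same path; the log lines, field layout and threshold are assumptions.

```python
import re
from statistics import median

# Constructed sample access log: Apache combined format with the request time
# in microseconds (%D) appended. Not real traffic; values are made up.
SAMPLE_LOG = """\
192.168.127.1 - - [07/Oct/2012:21:03:10 -0400] "GET /vulnwebapp/index.php?id=2 HTTP/1.1" 200 512 "http://192.168.127.133/" "Mozilla/5.0" 41000
192.168.127.1 - - [07/Oct/2012:21:03:12 -0400] "GET /vulnwebapp/index.php?id=2 HTTP/1.1" 200 512 "http://192.168.127.133/" "Mozilla/5.0" 38000
192.168.127.1 - - [07/Oct/2012:21:03:20 -0400] "GET /vulnwebapp/index.php?id=2 HTTP/1.1" 200 512 "'+IF(SUBSTRING(USER(),1,1)='r',SLEEP(5),1)+'" "Mozilla/5.0" 5042000
192.168.127.1 - - [07/Oct/2012:21:03:26 -0400] "GET /vulnwebapp/index.php?id=2 HTTP/1.1" 200 512 "'+IF(SUBSTRING(USER(),1,1)='a',SLEEP(5),1)+'" "Mozilla/5.0" 40000
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" (?P<usec>\d+)$'
)
# Time-delay primitives of common SQL dialects, matched case-insensitively.
DELAY_FN = re.compile(r'\b(?:SLEEP|BENCHMARK|PG_SLEEP)\s*\(|\bWAITFOR\s+DELAY\b', re.I)

def parse_log(text):
    """Return one dict per parseable line; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            row = m.groupdict()
            row["usec"] = int(row["usec"])
            rows.append(row)
    return rows

def find_time_based_sqli(text, slow_factor=10.0):
    """Flag requests whose Referer carries a delay function, or whose duration is
    far above the median of unflagged requests to the same path."""
    rows = parse_log(text)
    baseline = {}
    for r in rows:
        if not DELAY_FN.search(r["referer"]):
            baseline.setdefault(r["path"], []).append(r["usec"])
    hits = []
    for r in rows:
        reasons = []
        if DELAY_FN.search(r["referer"]):
            reasons.append("delay function in Referer")
        # Timing alone only catches the true branch of an IF(...,SLEEP(n),1) probe;
        # the false branch returns at normal speed, so the signature check matters.
        base = median(baseline.get(r["path"], [r["usec"]]))
        if r["usec"] > slow_factor * base:
            reasons.append(f"{r['usec'] / 1e6:.1f}s vs baseline {base / 1e6:.3f}s")
        if reasons:
            hits.append({"ts": r["ts"], "referer": r["referer"], "reasons": reasons})
    return hits
```

On the sample data the probe whose condition was true is caught both by timing and by signature, while the false-branch probe is caught only by the signature, which is why the two checks are combined.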
October 7th, 2012, 10:06 PM
Registered User
Quote (Originally Posted by ManiacDan): The way a test like that works is, it causes a delay in the server's response. If your server replies in 1 second normally, and 6 seconds with the forged referrer, that means that your database is executing the referrer name as code.
I agree. I guess I am confused as to what possible information I could obtain from using if and sleep commands. I'll keep pecking away though. Thanks for your reply man.
October 7th, 2012, 10:29 PM
Likely to be eaten by a grue.
You don't see how usernames and database names are valuable information? It's not a password, but it's more than most people have. Even if you switched to pure social engineering tactics from here on out you could trick someone into resetting the database password for you.
October 7th, 2012, 10:34 PM
Registered User
Quote (Originally Posted by ManiacDan): You don't see how usernames and database names are valuable information? It's not a password, but it's more than most people have. Even if you switched to pure social engineering tactics from here on out you could trick someone into resetting the database password for you.
Yeah, but I already have the database and username. I was mostly confused as to the query commands to return the first character of perhaps a password, considering I was using time-based. With time-based, you do have to iterate through characters, right? Unless you're entering guesses, I would assume.
October 7th, 2012, 10:49 PM
Likely to be eaten by a grue.
YOU already have the database name and password, but an ATTACKER doesn't (yet).
Regardless of the method of attack, the vulnerability remains: your server executes user-submitted data as code. Enormous problem. End of sentence.
October 7th, 2012, 11:06 PM
Registered User
Quote (Originally Posted by ManiacDan): YOU already have the database name and password, but an ATTACKER doesn't (yet).
Regardless of the method of attack, the vulnerability remains: your server executes user-submitted data as code. Enormous problem. End of sentence.
I think you misunderstood. Although I am hosting the vulnerable web application, I've obtained the database name and username through the same methods (SQLi) as an attacker would. That's why I was curious as to what other information could be obtained.
Anyways, thanks for your help. I've gained more information than I was looking for, and no longer need any assistance ^_^. Thanks.