Blind SQL Injection
Identifying the Vulnerability
Scenario
Digcraft Hosting wants us to conduct a security assessment of their main website.
Playing with Headers
Looking at the website, there don't seem to be any sources of user input; however, we shouldn't forget to test the HTTP headers. If there are any custom headers we should look at those first, since they are surely used by the server; next we can try common ones such as Host, User-Agent, and X-Forwarded-For, which may also be used.
In this case, we want to look specifically for time-based MSSQL injections. To do this we can use the following payload in the header values:
';WAITFOR DELAY '0:0:10'--
WAITFOR is an MSSQL keyword that pauses execution of the query for a specified time; here we specify a delay of 10 seconds.
After playing around with the request headers we eventually identify a time-based SQL injection in the User-Agent header.

We can be fairly certain it's the payload we injected causing the 10-second wait by sending the same request without the payload and verifying that the response comes back quicker.

Payloads
Time-based injections are of course not specific to MSSQL, but the syntax differs a little for each DBMS, so here are some example payloads we can use against other database engines:
| Database | Payload |
|---|---|
| MSSQL | `WAITFOR DELAY '0:0:10'` |
| MySQL/MariaDB | `AND (SELECT SLEEP(10) FROM dual WHERE database() LIKE '%')` |
| PostgreSQL | `\|\| (SELECT 1 FROM PG_SLEEP(10))` |
| Oracle | `AND 1234=DBMS_PIPE.RECEIVE_MESSAGE('RaNdStR',10)` |
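The delay primitives in the table above are also what a defender should be looking for in web server logs, since time-based probing leaves two traces: the delay function in a header or parameter, and a response that took roughly as long as the requested sleep. As an added example (not code from the original page), here is a small Python scanner that runs both checks over constructed access-log lines. The log format, the `SLOW_MS` threshold and the sample addresses are assumptions; a real deployment would feed it the server's own access log with response times enabled.

```python
import re

# Delay primitives taken from the payload table above, one pattern per DBMS
DELAY_SIGNATURES = {
    "MSSQL": re.compile(r"WAITFOR\s+DELAY", re.IGNORECASE),
    "MySQL/MariaDB": re.compile(r"\bSLEEP\s*\(", re.IGNORECASE),
    "PostgreSQL": re.compile(r"\bPG_SLEEP\s*\(", re.IGNORECASE),
    "Oracle": re.compile(r"DBMS_PIPE\.RECEIVE_MESSAGE", re.IGNORECASE),
}

# Responses at or above this many milliseconds are treated as anomalous
# (assumption: the site normally answers well under a second; the table's
# payloads all ask for 10 s)
SLOW_MS = 8000

# Constructed log format (not any real server's default):
#   ip "METHOD path" status "user-agent" response_ms
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) '
    r'"(?P<ua>[^"]*)" (?P<ms>\d+)$'
)

# Constructed sample lines: one clean, one MSSQL probe that actually slept,
# two probes for other engines that this server ignored, one slow but clean
SAMPLE_LOG = """\
203.0.113.5 "GET /" 200 "Mozilla/5.0 (X11; Linux x86_64)" 120
203.0.113.7 "GET /" 200 "';WAITFOR DELAY '0:0:10'--" 10140
198.51.100.9 "GET /" 200 "Mozilla/5.0 AND (SELECT SLEEP(10) FROM dual WHERE database() LIKE '%')" 118
198.51.100.9 "GET /" 200 "Mozilla/5.0 || (SELECT 1 FROM PG_SLEEP(10))" 122
203.0.113.7 "GET /" 200 "Mozilla/5.0 (Windows NT 10.0)" 9800
""".splitlines()


def parse_line(line):
    """Split one log line into fields; returns None for lines that don't match."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ms"] = int(entry["ms"])
    return entry


def reasons_for(entry):
    """Content check (delay function in the User-Agent) plus timing check."""
    reasons = []
    for dbms, pattern in DELAY_SIGNATURES.items():
        if pattern.search(entry["ua"]):
            reasons.append(f"{dbms} delay signature in User-Agent")
    if entry["ms"] >= SLOW_MS:
        reasons.append(f"slow response ({entry['ms']} ms)")
    return reasons


def scan_log(lines):
    """Return one finding per suspicious line, in log order."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = reasons_for(entry)
        if reasons:
            findings.append({"ip": entry["ip"], "ua": entry["ua"], "reasons": reasons})
    return findings


def suspicious_sources(findings):
    """Client addresses to investigate, most hits first (ties by address)."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return sorted(counts, key=lambda ip: (-counts[ip], ip))


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], "->", "; ".join(f["reasons"]))
    print("investigate:", suspicious_sources(scan_log(SAMPLE_LOG)))
```

The two checks are deliberately independent. A signature hit with a fast response (the MySQL and PostgreSQL lines) still tells you someone is fingerprinting the database, while a slow response with a clean User-Agent may be load, or a payload in a header the log does not record, which is a good reason to log every header that ends up in a query.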