DetSql: Implement Time-Based Injection?

by SLV Team 40 views
DetSql: Time-Based Injection Feature Request

Hey everyone!

I'm writing to propose a feature addition to the fantastic DetSql tool. First off, I want to give a massive shoutout to the creator of DetSql – your tool is incredibly simple and effective, and I genuinely appreciate your work!

The Challenge: Dealing with "Tricky" Websites

I've recently encountered a particularly challenging website during my penetration testing. This website is a bit “sneaky” because it returns identical pages regardless of whether my injected SQL statement is correct or incorrect. This behavior effectively renders the current “Boolean-based blind injection” method in DetSql unusable since we can't distinguish between true and false conditions based on page content.

That's where time-based injection comes to the rescue. By using commands like sleep(5), we can force the server to pause for a specific duration (e.g., 5 seconds). By observing the response time, we can infer whether the injection was successful. If the server delays its response, we know the condition we injected is true. This is a powerful technique for extracting data even when standard methods fail.

The Solution: Time-Based Injection

Time-based injection is a SQL injection technique that relies on the database server's ability to execute time delay functions. By injecting a SQL query that includes a time delay, an attacker can infer information about the database by observing the response time. If the injected query causes a delay, it indicates a successful injection and a true condition. This method is particularly useful when the application doesn't display any error messages or data, making it difficult to exploit using other injection techniques.

Why Time-Based Injection is Essential

Time-based injection fills a critical gap in SQL injection testing. It's especially effective in scenarios where:

  • Error messages are suppressed: The application doesn't reveal database errors, making it harder to identify vulnerabilities.
  • No data is displayed: The injected query doesn't directly output data to the user, requiring alternative methods to extract information.
  • Blind SQL injection is necessary: The attacker must infer information based on the application's behavior rather than direct feedback.

How Time-Based Injection Works

The basic principle of time-based injection involves injecting a SQL query that includes a time delay function. The most common functions used for this purpose are:

  • SLEEP() in MySQL
  • pg_sleep() in PostgreSQL
  • WAITFOR DELAY in SQL Server
  • DBMS_LOCK.SLEEP() in Oracle
  • RANDOMBLOB() in SQLite

By observing the response time, the attacker can determine whether the injected condition is true or false. For example, if the injected query includes a condition that, when true, causes a 5-second delay, a 5-second delay in the response indicates that the condition is true.

The Request: Adding Time Injection to DetSql

Therefore, I'd like to ask if there are any plans to add time-based injection functionality to DetSql. Implementing this feature would make the tool even more powerful and versatile, allowing it to tackle a broader range of websites and scenarios.

With time-based injection, DetSql could effectively test for vulnerabilities in applications that suppress error messages or data, making it an invaluable asset for security professionals. This addition would significantly enhance the tool's capabilities and make it an even more comprehensive solution for SQL injection testing.

Database-Specific Time Delay Functions

To help illustrate how time-based injection works across different databases, let's look at the specific functions and syntax used in some popular database systems. Understanding these differences is crucial for crafting effective time-based injection payloads.

1. MySQL

In MySQL, the SLEEP() function is used to introduce a time delay. It takes the delay duration in seconds as an argument.

  • Delaying Execution:

    • Confirming Injection Point: You can use AND sleep(5) to test for a SQL injection vulnerability. If the server delays its response by 5 seconds, it indicates a successful injection.

      AND sleep(5)
' AND sleep(5)
" AND sleep(5)
OR sleep(5)

    • Another effective method is to use the IF() function in conjunction with SLEEP(). This allows you to introduce a delay based on a condition.

      AND IF(1=1, sleep(5), 0)

  • Conditional Injection:

    • The IF() function is also instrumental in conditional time-based injection. You can craft payloads that delay the response based on specific conditions, such as the result of a query.

      AND IF([CONDITION], sleep(5), 0)

    • For example, you can use this technique to determine the ASCII value of a character in a database name.

      AND IF(ASCII(SUBSTRING(DATABASE(),1,1)) > 100, sleep(5), 0)

      This query checks if the ASCII value of the first character of the database name is greater than 100. If it is, the server will delay its response by 5 seconds.

2. PostgreSQL

PostgreSQL uses the pg_sleep() function to introduce time delays. It also accepts the delay duration in seconds.

  • Delaying Execution:

    • To confirm an injection point, you can use the following payloads:

      ; SELECT pg_sleep(5)
' ; SELECT pg_sleep(5)--

      These queries will cause the server to pause for 5 seconds if the injection is successful.

  • Conditional Injection:

    • PostgreSQL's conditional time-based injection relies on the CASE statement along with pg_sleep(). This allows for more complex conditional delays.

      AND (SELECT CASE WHEN ([CONDITION]) THEN pg_sleep(5) ELSE NULL END) IS NOT NULL

    • For instance, you can determine the first character of the current user by using the following query:

      AND (SELECT CASE WHEN (SUBSTRING(USER,1,1) = 'p') THEN pg_sleep(5) ELSE NULL END) IS NOT NULL

      This query checks if the first character of the current user is 'p'. If it is, the server will delay its response by 5 seconds.

3. SQL Server

SQL Server employs the WAITFOR DELAY command to create time delays. The delay duration is specified in the format 'hours:minutes:seconds'.

  • Delaying Execution:

    • You can use the following payloads to confirm an injection point:

      ; WAITFOR DELAY '0:0:5'
' ; WAITFOR DELAY '0:0:5'--

      These queries will cause a 5-second delay in the server's response if the injection is successful.

  • Conditional Injection:

    • SQL Server uses the IF statement in conjunction with WAITFOR DELAY to perform conditional time-based injection.

      IF ([CONDITION]) WAITFOR DELAY '0:0:5'

    • For example, to determine the first character of the database name, you can use the following query:

      IF (SUBSTRING(DB_NAME(),1,1) = 'm') WAITFOR DELAY '0:0:5'

      This query checks if the first character of the database name is 'm'. If it is, the server will delay its response by 5 seconds.

4. Oracle

Oracle offers a couple of methods for implementing time delays: DBMS_PIPE.RECEIVE_MESSAGE and DBMS_LOCK.SLEEP. Both methods can be used for time-based injection.

  • Delaying Execution:

    • Using DBMS_PIPE:

      AND 1=DBMS_PIPE.RECEIVE_MESSAGE('a',5)

      This query uses DBMS_PIPE.RECEIVE_MESSAGE to introduce a 5-second delay.

    • Using DBMS_LOCK:

      AND 1=DBMS_LOCK.SLEEP(5)

      This query utilizes DBMS_LOCK.SLEEP to create a 5-second delay.

  • Conditional Injection:

    • To perform conditional time-based injection, you can use a CASE statement with either DBMS_PIPE.RECEIVE_MESSAGE or DBMS_LOCK.SLEEP.

      AND 1=(SELECT CASE WHEN ([CONDITION]) THEN DBMS_PIPE.RECEIVE_MESSAGE('a',5) ELSE 1 END FROM DUAL)

    • For example, you can check the length of the current user using the following query:

      AND 1=(SELECT CASE WHEN (LENGTH(USER) > 3) THEN DBMS_PIPE.RECEIVE_MESSAGE('a',5) ELSE 1 END FROM DUAL)

      This query checks if the length of the current user is greater than 3. If it is, the server will delay its response by 5 seconds.

5. SQLite

SQLite doesn't have a built-in sleep function, so time delays are typically emulated by performing computationally intensive operations. One common method is to use the RANDOMBLOB function.

  • Delaying Execution:

    • To simulate a delay, you can use the LIKELY(RANDOMBLOB(length)) function. The length parameter determines the size of the random blob, which affects the execution time.

      AND LIKELY(RANDOMBLOB(100000000))

      The number 100000000 is an example and needs to be adjusted based on the target system's performance.

  • Conditional Injection:

    • For conditional time-based injection, you can use a CASE statement with LIKELY(RANDOMBLOB(length)).

      AND (CASE WHEN ([CONDITION]) THEN LIKELY(RANDOMBLOB(100000000)) ELSE 0 END)

    • For instance, you can check the length of the first table name in the sqlite_master table using the following query:

      AND (CASE WHEN (LENGTH((SELECT name FROM sqlite_master LIMIT 0,1)) > 5) THEN LIKELY(RANDOMBLOB(100000000)) ELSE 0 END)

      This query checks if the length of the first table name is greater than 5. If it is, a delay is simulated.

By understanding these database-specific techniques, you can craft effective time-based injection payloads to exploit vulnerabilities in various applications.

Conclusion

I truly believe that adding time-based injection to DetSql would significantly enhance its capabilities and make it an even more valuable tool for the security community. It would enable users to tackle those “tricky” websites and scenarios where other injection methods fall short.

Again, thank you for your fantastic tool and your dedication to the community! I look forward to hearing your thoughts on this proposal. Let me know if there is anything else I can provide to clarify the use case or help make it happen. If you guys need any help testing this, feel free to ask.

Thanks again for your time and consideration!