Database Exploitation with Time Based SQL Injection
There are different types of SQL Injection attacks, such as Error based, Time based and Boolean based. Each of these types has the potential to cause a complete data breach in an organization. In this article, we are going to explore the Time Based SQL Injection attack. This type of SQL Injection uses the database server's time-delay function to extract, or dump, the database. Let's explore this in detail.

The article is divided into the below sections:
What is Time Based SQL Injection Attack?
SQL Delay Query Examples
Time Based SQL Injection Payloads
Identify if the Application is Vulnerable to Time-Based SQLi
Dumping the database using Time Based SQL Injection
Find MySQL Schema names using Time Based SQLi
Find names of all tables under the schema in MySQL
Time Based SQL Injection Prevention Techniques
Conclusion

What is Time Based SQL Injection Attack?

We can define the Time Based SQL Injection Attack as follows:

Time Based SQL Injection is a type of SQL Injection attack that relies on time delays in SQL query execution to infer information about the database schema structure and the database contents.

It is a type of inferential (blind) injection attack, in which the attacker has to infer the database structure piece by piece (guess and enumerate) in order to exploit it. Unlike in Error based SQL Injection attacks, here the application does not send any database information back to the attacker in any form. Instead, the attacker uses the database's time-delay function to dump the data. After executing a query that triggers a time delay on the database server, the attacker measures the application's response time to tell whether the delay happened on the database server or not. If the application responds slowly, in line with the delay set by the attacker, the attacker gets a clue that the application is vulnerable to Time based SQL Injection.

Let's now first see what these SQL delay queries look like.
SQL Delay Query Examples

The below table lists the delay query syntax of different database server vendors.

Database Type  | SQL Delay Query             | Description
MySQL          | select sleep(5);            | Takes 5 seconds for execution.
MySQL          | do sleep(10);               | Takes 10 seconds for execution (DO evaluates the expression without returning a result set).
MS SQL Server  | WAITFOR DELAY '00:00:02';   | Takes 2 seconds for execution.
PostgreSQL     | select pg_sleep(4);         | Adds a sleep time of 4 seconds.

For example, if you run the below query in the MySQL server, it will take 5 seconds before the query returns the version number result.

select version(), sleep(5);

Now, let's understand how these time delay queries are used in time based SQL Injection payloads.

Time Based SQL Injection Payloads

Using the time delay queries of the various database server vendors, below are some Time-based SQL Injection payloads. The first two are for MySQL (the second is simply the URL-encoded form of the first, for use in a query string) and fit a comma-separated context such as a VALUES list or a SELECT column list; the third is for MS SQL Server: it closes an open string literal, stacks a WAITFOR statement after it and comments out the rest of the original query.

,(select * from (select(sleep(10)))a)
%2c(select%20*%20from%20(select(sleep(10)))a)
';WAITFOR DELAY '0:0:30'--

This GitHub repo has a comprehensive list of time-based SQL Injection payloads.

Identify if the Application is Vulnerable to Time-Based SQLi

Now, you can use the above time based payloads to identify whether the application is vulnerable or not. For this, find just one vulnerable input parameter of the application using the below steps:

1. Identify all input parameters of all APIs of the application using a tool like Burp Suite.
2. Insert the time delay SQLi payloads mentioned in the above section into each parameter, one by one, and observe the application's response time.
3. Any parameter that triggers a slow application response is the vulnerable one.

A slow response can also be caused by network latency or server load, so confirm the finding before reporting it: send the same payload with a different delay (for example sleep(5) and then sleep(10)) and check that the response time grows by the same amount. A delay that tracks the value you injected is the database executing your payload.

Note: Even if just one parameter is vulnerable, that is enough to dump the entire database (as far as the privileges of the database account allow) using a Time based SQLi vulnerability. Here, we can surely say and report that the application is vulnerable to time-based SQLi.

Dumping the database using Time Based SQL Injection

To dump the database using a Time-based SQL injection vulnerability, you need to use conditional expressions. Let's understand how it works under the hood.
For MySQL, below is the syntax of the conditional expression:

if(condition, when_true, when_false)

The logic for dumping the data is that we make a guess and then conclude whether the guess is right or wrong. We put our guess in the 'condition' part and the query delay function in the when_true part. If you observe a delay in the application response, then the condition evaluated to True, meaning that the guess used in the condition is correct.

Now, here's the interesting part. We enumerate, or guess, the database details piece by piece, i.e. character by character. For example, if we have to find out that the database has a table named 'products', we guess it character by character: p, r, o, d, u, c, t, s. So, for the first letter 'p', we try every character from 'a' to 'z', which is up to 26 queries just to find the first letter of a table name. In practice names also contain digits, underscores and upper-case letters, so a real attack compares the ASCII code of the character instead, e.g. ascii(substring(name,1,1)) > 64, which also allows a binary search with about 7 queries per character.

Let's walk through this process with some real examples.

Find MySQL Schema names using Time Based SQLi

As mentioned before, for dumping data with time-based SQLi, you need to make guesses and try them all out. For example, with the below query, we try to guess the name of one schema from the MySQL database. We know the schema name can be read from the MySQL table information_schema.SCHEMATA, column SCHEMA_NAME, using the below query:

select SCHEMA_NAME from information_schema.SCHEMATA limit 1;

Now, let's use the query delay function and the conditional expression to get the first letter of the schema name. Refer to the below query:

select if(substring(SCHEMA_NAME,1,1) = 'a', sleep(5), '') from information_schema.SCHEMATA limit 1;

Here, we check whether the first letter of the schema name is 'a' or not. If it is, the query sleeps for 5 seconds. We try all 26 candidates, and for exactly one of them we see the query sleep for 5 seconds. Two things to keep in mind: the string columns of information_schema use a case-insensitive collation, so = 'a' also matches 'A' (compare with binary or with ascii() if case matters), and in the actual attack this statement does not run on its own but is injected through the vulnerable parameter, typically with (select SCHEMA_NAME from information_schema.SCHEMATA limit 1) as a subquery inside the condition. So, this way, using time-based SQL Injection, the database can be dumped.
Find names of all tables under the schema in MySQL

Once you have identified the schema name, you can find the table names using the below query, filtered on the schema you found, and make guesses for every character using the sleep function:

select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA = '<schema name>' limit 1;

Query with the sleep function:

select if(substring(TABLE_NAME,1,1) = 'a', sleep(5), '') from information_schema.TABLES where TABLE_SCHEMA = '<schema name>' limit 1;

To move on to the next table, change limit 1 to limit 1,1, then limit 2,1, and so on (add order by TABLE_NAME so the offsets are stable). When the offset runs past the last row the query returns nothing and the delay never triggers, which tells you the list is exhausted.

Time Based SQL Injection Prevention Techniques

There is no special