full-disclosure-uk August 2008 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: Re: [Full-disclosure] Deep Blind SQL Injecti

Re: [Full-disclosure] Deep Blind SQL Injection Whitepaper

From: nummish <nummish_at_nospam>
Date: Thu Aug 28 2008 - 16:36:23 GMT
To: "Ferruh Mavituna" <ferruh@mavituna.com>

> 2008/8/19 David Litchfield <davidl@ngssoftware.com>
>> Hi Ferruh,
>>> This is a short whitepaper about a new way to exploit Blind SQL
>>> Injections.
>> I just had a read of your paper. You open with: "If the injection point is
>> completely blind then the only way to extract data is using time based
>> attacks like WAITFOR DELAY, BENCHMARK etc." This is not the case. You can
>> use other non-time based (and therefore faster) methods to infer the value
>> of data. See "Data-mining with SQL Injection and Inference" -
>> http://www.ngssoftware.com/papers/sqlinference.pdf
>> Cheers,
>> David
> On Tue, Aug 19, 2008 at 1:09 PM, Ferruh Mavituna <ferruh@mavituna.com> wrote:
> Hi David,
> I'm aware of the other methods which mostly explained on your paper.
> Footnote 2 which clears up the definition "completely blind" was supposed to
> be "No error is displayed and no indicators are visible in the response"
> instead of "No error is displayed and no indicators are visible in the
> response that an error occurred".
> Hopefully will update the paper soon, thanks for pointing it out.
> Cheers,

Sorry to resurrect a 9 day old thread here...

It's an interesting concept, but like all timing based attacks, won't the digits be more susceptible to noise due to possible network latency? Even with two queries, there is still a large volume of requests getting made, and one little bump can invalidate the information you are pulling out.

If that really isn't an issue, you may want to consider putting the 6 digit first, then 1,2,3,4,5,7,8,9 as that's going to show up far more frequently.

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/