
Re: [Full-disclosure] Deep Blind SQL Injection Whitepaper

From: Haroon Meer <haroon_at_nospam>
Date: Thu Aug 28 2008 - 16:52:16 GMT
To: nummish <nummish@0x90.org>


Hi nummish..

On 28/08/2008, [at 11:36:23 -0500] nummish [nummish@0x90.org] seemed to say:
> Sorry to resurrect a 9 day old thread here...
> It's an interesting concept, but like all timing based attacks, won't
> the digits be more susceptible to noise due to possible network
> latency? Even with two queries, there is still a large volume of
> requests getting made, and one little bump can invalidate the
> information you are pulling out.

We bumped into the same problem when we took the ordinal(char) approach. A small hiccup on the line easily makes an A an E.

The bit-by-bit approach we use
(http://www.sensepost.com/research/squeeza/) makes this problem much easier to deal with.. i.e. we once had an insanely bad connection to a box and upped the delay per bit to 14 seconds.. i.e., 14 secs == 1, 0 == 0. The analyst aged a few years while waiting for the output he needed, but you can be fairly confident of the integrity of the data.

(It's why squeeza happily does a transfer of binary files from the server using just timing (and patience).)

/mh

PS.. check out the paper on the same page for snippets of the SQL we are using..

--
Haroon Meer, SensePost Information Security | http://www.sensepost.com/blog/
PGP: http://www.sensepost.com/pgp/haroon.txt | Tel: +27 83786 6637


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
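The noise trade-off the two messages argue over, as an added simulation that is not code from the thread, from the whitepaper or from squeeza: a char-at-a-time scheme that sleeps ord(c) seconds per request is decoded by rounding, while the bit-per-request scheme with a 14 s delay is decoded against a 7 s threshold. The noise pattern, the sample value "admin" and the one-second-per-ordinal rate are constructed assumptions.

```python
# Constructed sample value read out through the timing channel.
SECRET = "admin"
DELAY_PER_BIT = 14.0        # seconds a "1" bit costs, the figure quoted in the thread
SECONDS_PER_ORDINAL = 1.0   # constructed: char-at-a-time scheme sleeps ord(c) seconds
# Constructed per-request network noise in seconds; request i gets NOISE[i % 8].
# The 4.0 s spike is the "hiccup" that turns one character into another.
NOISE = [0.1, 0.3, 1.6, 0.2, 4.0, 0.4, 0.0, 3.1]


def noisy(delays):
    """Observed response times: intended sleep plus the constructed noise."""
    return [d + NOISE[i % len(NOISE)] for i, d in enumerate(delays)]


def ordinal_send(text):
    """One request per character, sleeping ord(c) * SECONDS_PER_ORDINAL."""
    return [ord(c) * SECONDS_PER_ORDINAL for c in text]


def ordinal_recv(times):
    """Decode by rounding: any noise >= 0.5 s shifts the character."""
    return "".join(chr(round(t / SECONDS_PER_ORDINAL)) for t in times)


def bit_send(text):
    """Eight requests per character, MSB first; a 1 sleeps DELAY_PER_BIT, a 0 not at all."""
    return [((ord(c) >> i) & 1) * DELAY_PER_BIT for c in text for i in range(7, -1, -1)]


def bit_recv(times):
    """Decode against a threshold of half the delay, so noise below 7 s never flips a bit."""
    bits = [1 if t >= DELAY_PER_BIT / 2 else 0 for t in times]
    return "".join(chr(int("".join(map(str, bits[i:i + 8])), 2))
                   for i in range(0, len(bits), 8))


def cost(delays):
    """(number of requests, total seconds of intended sleep) for a send schedule."""
    return len(delays), sum(delays)


def compare(text):
    """Run both schemes over the same noise and return what each receiver decodes."""
    return {"ordinal": ordinal_recv(noisy(ordinal_send(text))),
            "bit": bit_recv(noisy(bit_send(text)))}


if __name__ == "__main__":
    print(compare(SECRET))                 # ordinal decode is corrupted, bit decode is exact
    print(cost(ordinal_send(SECRET)), cost(bit_send(SECRET)))
```

From the server side the bit scheme is eight requests per byte with bimodal response times (near 0 s or near 14 s), which is exactly the pattern response-time monitoring on a web or database tier can key on.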