Thursday, 5 June 2014

SQL Injection types

  1. Boolean Based Blind SQL Injection
    1. For SQLMap, boolean-based blind injection is a technique that involves a lot of HTTP requests and responses: the output is inferred one character at a time by comparing responses, since no query output is ever printed on the page.
    2. Once a vulnerable parameter is detected, SQLMap replaces or appends syntactically valid SQL statements whose truth value (true or false) changes the content of the page.
    3. Take the original un-tampered request with the vulnerable parameter; it has a certain response. In the next stage there is a request-response pair for an injected statement, and SQLMap compares the two responses to decide whether the injected condition was true or false.
    4. The tool uses a bisection algorithm to fetch each character of the output: every request halves the range of possible character values, so a character from a 128-value charset costs a maximum of seven HTTP requests and their response comparisons.
    5. Where the output is not within the clear-text (plain 7-bit) charset, SQLMap adapts the algorithm with bigger ranges to detect the output, at the cost of more requests per character.
  2. Time Based Blind SQL Injection
    1. “Time-based” itself suggests that the comparison is made on the basis of the time taken between request and response after injecting a syntactically valid SQL statement into the vulnerable parameter.
    2. SQLMap uses SQL statements which put the back-end database on hold for a certain number of seconds before returning (for example MySQL's SLEEP(), Microsoft SQL Server's WAITFOR DELAY or PostgreSQL's pg_sleep()), executed only when an injected condition is true.
    3. Using the same technique, i.e. the bisection algorithm, to infer the output character by character, SQLMap compares the response time of each HTTP request with that of the original request: a delayed response means the condition held. Network jitter can cause false inferences, so this technique is slower and noisier than boolean-based blind and is used when the page content itself does not change.
  3. Error-Based SQL Injection
    1. The tool uses SQL statements which provoke the target database into generating a database-specific error whose message includes the result of a subquery chosen by the attacker.
    2. The HTTP response to such a request is then parsed by SQLMap in search of DBMS error messages containing the injected pre-defined chain of characters (markers) and, between them, the output of the subquery statement.
    3. This technique works only when the web application has been configured to disclose back-end database management system error messages to the client. It needs far fewer requests than the blind techniques because a whole value is returned per request.
  4. UNION Query
    1. A syntactically valid SQL statement starting with UNION ALL SELECT is appended to the vulnerable parameter, with the same number of columns as the original SELECT so that the two result sets can be combined.
    2. UNION query based SQL injection relies on the application's behaviour: it works when the application passes the output of the SELECT query through a loop or similar lines of code that print every returned row on the page, so the rows added by the injected SELECT are printed too.
    3. In case the output is not cycled through any “for loop” or similar code, i.e. the application only prints the first row, SQLMap falls back to a single-entry (partial) UNION query SQL injection and retrieves the results one row at a time.
  5. Stacked Queries
    1. Stacked queries exploitation is possible when the application's database layer supports executing several statements in one request. SQLMap adds a semi-colon (;) to the vulnerable parameter value and appends the SQL statement which is to be executed.
    2. Using this technique it is possible to run SQL statements other than SELECT, such as INSERT, UPDATE, DELETE or stored procedure calls. This is useful for data manipulation, for getting file system read/write access and finally for taking over the operating system. Support depends on both the DBMS and the client library in use, so it is not available on every target.
  6. Out-of-band
    1. This technique uses a secondary, different communication channel to carry the output of the queries fired on the vulnerable application back to the attacker, instead of reading it from the HTTP response.
    2. For example, the injection is made to a web application and a secondary channel such as DNS queries is used to send the data back to a domain the attacker controls: the database is made to resolve a hostname built from the query output, and the attacker reads it from the name server logs. SQLMap supports this through its --dns-domain option.
