Page 96 - Hands-On Bug Hunting for Penetration Testers
SQL, Code Injection, and Scanners Chapter 5
Time-based SQLi is when SLEEP or another similar function is called to inject a delay
into the query being processed. This delay, combined with conditionals and other logic, is
then used to extract information from a database by slowly enumerating resources. If your
payload produces a delay, you can infer that your condition evaluated to true and that the
assumptions you made are correct. Doing this enough times can expose sensitive information to
determined attackers. As an attack, time-based SQLi is very noisy. The impact on
application logs is relatively small, but repeated use of time-based SQLi will cause large
CPU consumption spikes, easily detectable by an attentive sysadmin or SRE.
If we take the payload from the sqlmap time-based results (RLIKE SLEEP) and
plug it into the idPagina URL parameter, we find it's successful! The page takes longer to
load as our SLEEP command is not sanitized and gets mistakenly executed by the
application's SQL server. This is a bona fide bug.
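To show why the idPagina lookup behaves this way, here is an added example that is not from the book: a string-concatenated query beside a parameter-bound one, run against a constructed in-memory SQLite table. SQLite has neither SLEEP nor RLIKE, so the example registers a stand-in SLEEP function that records its calls and uses the payload 1 AND SLEEP(3) in place of the book's RLIKE SLEEP; both are assumptions of the demo, not details of the target application.

```python
import sqlite3
import time

# Constructed stand-in for the application's database: an in-memory SQLite
# file with a small "pages" table keyed like the idPagina parameter.
# SQLite has no SLEEP(), so a stand-in is registered that records each call
# and pauses briefly (assumption: this mirrors the delay seen against MySQL).
sleep_calls = []

def fake_sleep(seconds):
    sleep_calls.append(seconds)
    time.sleep(min(seconds, 0.2))   # keep the demo fast
    return 0

conn = sqlite3.connect(":memory:")
conn.create_function("SLEEP", 1, fake_sleep)
conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)")
conn.execute("INSERT INTO pages VALUES (1, 'Home'), (2, 'Contact')")

def lookup_vulnerable(id_pagina):
    """String concatenation: whatever arrives in idPagina is parsed as SQL."""
    sql = "SELECT title FROM pages WHERE id = " + id_pagina
    return [row[0] for row in conn.execute(sql)]

def lookup_hardened(id_pagina):
    """Parameter binding: idPagina travels as a value, never as SQL text."""
    sql = "SELECT title FROM pages WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (id_pagina,))]

def timed(lookup, id_pagina):
    """Run one lookup and report (rows, seconds elapsed, SLEEP calls seen)."""
    sleep_calls.clear()
    start = time.monotonic()
    rows = lookup(id_pagina)
    return rows, time.monotonic() - start, len(sleep_calls)

if __name__ == "__main__":
    payload = "1 AND SLEEP(3)"   # constructed time-based probe
    for name, fn in (("vulnerable", lookup_vulnerable), ("hardened", lookup_hardened)):
        rows, secs, calls = timed(fn, payload)
        print(f"{name}: rows={rows} elapsed={secs:.2f}s SLEEP calls={calls}")
```

The concatenated version hands SLEEP to the database engine and the request stalls, which is exactly the signal the page describes; the bound version treats the same input as a value that matches no row and never invokes SLEEP.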
Error-based SQLi is also returned as a vector for idPagina. Error-based SQLi is when a
SQL command can be made to expose sensitive database information through error
messages. Again, let's use this payload as the idPagina URL parameter and enter it all into
the browser:
We're successful! The page returns a table ID. Exposing sensitive database info more than
meets the threshold for a valid SQLi vulnerability.
Scanning for SQLi With Arachni
As we mentioned in the Technical requirements section, arachni is our weapon of choice for
SQLi scanners because it's open source, extensible, multi-threaded, and can be used from a
CLI that plays nicely with other forms of automation.