Dark Mode

Settings

Capec-7 Detail

Blind SQL Injection

Detailed Software Likelihood: High Typical Severity: High

Parents: 66

Threats: T254 T255 T256 T259 T268 T290

Tools: 1

Description

Blind SQL Injection results from an insufficient mitigation for SQL Injection. Although suppressing database error messages are considered best practice, the suppression alone is not sufficient to prevent SQL Injection. Blind SQL Injection is a form of SQL Injection that overcomes the lack of error messages. Without the error messages that facilitate SQL Injection, the adversary constructs input strings that probe the target through simple Boolean SQL expressions. The adversary can determine if the syntax and structure of the injection was successful based on whether the query was executed or not. Applied iteratively, the adversary determines how and where the target is vulnerable to SQL Injection.

Not present

Explore

  1. [Hypothesize SQL queries in application]Generated hypotheses regarding the SQL queries in an application. For example, the adversary may hypothesize that their input is passed directly into a query that looks like: "SELECT * FROM orders WHERE ordernum = _____"or"SELECT * FROM orders WHERE ordernum IN (_____)"or"SELECT * FROM orders WHERE ordernum in (_____) ORDER BY _____" Of course, there are many other possibilities.

    2. Techniques
    Research types of SQL queries and determine which ones could be used at various places in an application.

  2. [Determine how to inject information into the queries]Determine how to inject information into the queries from the previous step such that the injection does not impact their logic. For example, the following are possible injections for those queries: "5' OR 1=1; --"and"5) OR 1=1; --"and"ordernum DESC; --"

    3. Techniques
    Add clauses to the SQL queries such that the query logic does not change.
    Add delays to the SQL queries in case server does not provide clear error messages (e.g. WAITFOR DELAY '0:0:10' in SQL Server or BENCHMARK(1000000000,MD5(1) in MySQL). If these can be injected into the queries, then the length of time that the server takes to respond reveals whether the query is injectable or not.
Experiment

  1. Determine user-controllable input susceptible to injection: Determine the user-controllable input susceptible to injection. For each user-controllable input that the adversary suspects is vulnerable to SQL injection, attempt to inject the values determined in the previous step. If an error does not occur, then the adversary knows that the SQL injection was successful.

    2. Techniques
    Use web browser to inject input through text fields or through HTTP GET parameters.
    Use a web application debugging tool such as Tamper Data, TamperIE, WebScarab,etc. to modify HTTP POST parameters, hidden fields, non-freeform fields, etc.
    Use network-level packet injection tools such as netcat to inject input
    Use modified client (modified by reverse engineering) to inject input.

  2. Determine database type: Determines the type of the database, such as MS SQL Server or Oracle or MySQL, using logical conditions as part of the injected queries

    3. Techniques
    Try injecting a string containing char(0x31)=char(0x31) (this evaluates to 1=1 in SQL Server only)
    Try injecting a string containing 0x313D31 (this evaluates to 1=1 in MySQL only)
    Inject other database-specific commands into input fields susceptible to SQL Injection. The adversary can determine the type of database that is running by checking whether the query executed successfully or not (i.e. whether the adversary received a normal response from the server or not).
Exploit

  1. Extract information about database schema: Extract information about database schema by getting the database to answer yes/no questions about the schema.

    2. Techniques
    Automatically extract database schema using a tool such as Absinthe.
    Manually perform the blind SQL Injection to extract desired information about the database schema.

  2. Exploit SQL Injection vulnerability: Use the information obtained in the previous steps to successfully inject the database in order to bypass checks or modify, add, retrieve or delete data from the database

    3. Techniques
    Use information about how to inject commands into SQL queries as well as information about the database schema to execute attacks such as dropping tables, inserting records, etc.
  1. SQL queries used by the application to store, retrieve or modify data.
  2. User-controllable input that is not properly validated by the application as part of SQL queries.
  1. None: No specialized resources are required to execute this type of attack.
Medium
Determining the database type and version, as well as the right number and type of parameters to the query being injected in the absence of error messages requires greater skill than reverse-engineering database error messages.
Integrity Availability Confidentiality
Modify Data Execute Unauthorized Commands (Run Arbitrary Code) Read Data
Execute Unauthorized Commands (Run Arbitrary Code) Execute Unauthorized Commands (Run Arbitrary Code)
  1. An adversary may try entering something like "username' AND 1=1; --" in an input field. If the result is the same as when the adversary entered "username" in the field, then the adversary knows that the application is vulnerable to SQL Injection. The adversary can then ask yes/no questions from the database server to extract information from it. For example, the adversary can extract table names from a database using the following types of queries: "username' AND ascii(lower(substring((SELECT TOP 1 name FROM sysobjects WHERE xtype='U'), 1, 1))) > 108". If the above query executes properly, then the adversary knows that the first character in a table name in the database is a letter between m and z. If it doesn't, then the adversary knows that the character must be between a and l (assuming of course that table names only contain alphabetic characters). By performing a binary search on all character positions, the adversary can determine all table names in the database. Subsequently, the adversary may execute an actual attack and send something like: "username'; DROP TABLE trades; --
  2. In the PHP application TimeSheet 1.1, an adversary can successfully retrieve username and password hashes from the database using Blind SQL Injection. If the adversary is aware of the local path structure, the adversary can also remotely execute arbitrary code and write the output of the injected queries to the local path. Blind SQL Injection is possible since the application does not properly sanitize the $_POST['username'] variable in the login.php file. See also: CVE-2006-4705

We use cookies to ensure you get the best experience on our website.