Blind SQL Injection results from an insufficient mitigation for SQL Injection. Although suppressing database error messages are considered best practice, the suppression alone is not sufficient to prevent SQL Injection. Blind SQL Injection is a form of SQL Injection that overcomes the lack of error messages. Without the error messages that facilitate SQL Injection, the adversary constructs input strings that probe the target through simple Boolean SQL expressions. The adversary can determine if the syntax and structure of the injection was successful based on whether the query was executed or not. Applied iteratively, the adversary determines how and where the target is vulnerable to SQL Injection.
Description
Attack Execution Flow
6
1
Step 1
Explore[Hypothesize SQL queries in application]Generated hypotheses regarding the SQL queries in an application. For example, the adversary may hypothesize that their input is passed directly into a query that looks like:
'SELECT * FROM orders WHERE ordernum = _____'or'SELECT * FROM orders WHERE ordernum IN (_____)'or'SELECT * FROM orders WHERE ordernum in (_____) ORDER BY _____'
Of course, there are many other possibilities.
Research types of SQL queries and determine which ones could be used at various places in an application.
AI Translation
[Ipotesi di query SQL nell'applicazione] Ipotesi generate riguardo alle query SQL in un'applicazione. Ad esempio, l'attaccante può ipotizzare che il proprio input venga passato direttamente in una query che assomiglia a:
"SELECT * FROM orders WHERE ordernum = _____" oppure "SELECT * FROM orders WHERE ordernum IN (_____)" oppure "SELECT * FROM orders WHERE ordernum in (_____) ORDER BY _____"
Naturalmente, ci sono molte altre possibilità.
Ricerca sui tipi di query SQL e determinare quali potrebbero essere utilizzate in vari punti di un'applicazione.
Attack Techniques
-
Research types of SQL queries and determine which ones could be used at various places in an application.
2
Step 2
Explore[Determine how to inject information into the queries]Determine how to inject information into the queries from the previous step such that the injection does not impact their logic. For example, the following are possible injections for those queries:
'5' OR 1=1; --'and'5) OR 1=1; --'and'ordernum DESC; --'
Add clauses to the SQL queries such that the query logic does not change.
Add delays to the SQL queries in case server does not provide clear error messages (e.g. WAITFOR DELAY '0:0:10' in SQL Server or BENCHMARK(1000000000,MD5(1) in MySQL). If these can be injected into the queries, then the length of time that the server takes to respond reveals whether the query is injectable or not.
AI Translation
[Determina come iniettare informazioni nelle query]Determina come iniettare informazioni nelle query dal passaggio precedente in modo che l'iniezione non influenzi la loro logica. Ad esempio, le seguenti sono possibili iniezioni per quelle query:
"5' OR 1=1; --" e "5) OR 1=1; --" e "ordernum DESC; --"
Aggiungi clausole alle query SQL in modo che la logica della query non cambi.
Aggiungi ritardi alle query SQL nel caso in cui il server non fornisca messaggi di errore chiari (ad esempio WAITFOR DELAY '0:0:10' in SQL Server o BENCHMARK(1000000000,MD5(1) in MySQL). Se queste possono essere iniettate nelle query, allora il tempo impiegato dal server per rispondere rivela se la query è iniettabile o meno.
Attack Techniques
-
Add clauses to the SQL queries such that the query logic does not change.
-
Add delays to the SQL queries in case server does not provide clear error messages (e.g. WAITFOR DELAY '0:0:10' in SQL Server or BENCHMARK(1000000000,MD5(1) in MySQL). If these can be injected into the queries, then the length of time that the server takes to respond reveals whether the query is injectable or not.IT: Per favore, fornisci le query SQL a cui desideri aggiungere clausole, così posso aiutarti a modificarle senza alterarne la logica.
3
Step 3
Experiment[Determine user-controllable input susceptible to injection] Determine the user-controllable input susceptible to injection. For each user-controllable input that the adversary suspects is vulnerable to SQL injection, attempt to inject the values determined in the previous step. If an error does not occur, then the adversary knows that the SQL injection was successful.
Use web browser to inject input through text fields or through HTTP GET parameters.
Use a web application debugging tool such as Tamper Data, TamperIE, WebScarab,etc. to modify HTTP POST parameters, hidden fields, non-freeform fields, etc.
Use network-level packet injection tools such as netcat to inject input
Use modified client (modified by reverse engineering) to inject input.
AI Translation
Sperimentazione
[Determinare l'input controllabile dall'utente suscettibile di injection] Determinare l'input controllabile dall'utente suscettibile di injection. Per ogni input controllabile dall'utente che l'attaccante sospetta sia vulnerabile a SQL injection, tentare di iniettare i valori determinati nel passaggio precedente. Se non si verifica un errore, allora l'attaccante sa che la SQL injection è riuscita.
Utilizzare il browser web per iniettare input tramite campi di testo o tramite parametri HTTP GET.
Utilizzare uno strumento di debugging di applicazioni web come Tamper Data, TamperIE, WebScarab, ecc. per modificare i parametri HTTP POST, campi nascosti, campi non liberi, ecc.
Utilizzare strumenti di injection di pacchetti a livello di rete come netcat per iniettare input.
Utilizzare client modificati (modificati tramite reverse engineering) per iniettare input.
Attack Techniques
-
Use web browser to inject input through text fields or through HTTP GET parameters.
-
Use network-level packet injection tools such as netcat to inject inputIT: Utilizzare il browser web per iniettare input tramite campi di testo o tramite parametri HTTP GET.
-
Use a web application debugging tool such as Tamper Data, TamperIE, WebScarab,etc. to modify HTTP POST parameters, hidden fields, non-freeform fields, etc.IT: Utilizzare il browser web per iniettare input tramite campi di testo o tramite parametri HTTP GET.
-
Use modified client (modified by reverse engineering) to inject input.IT: Utilizzare il browser web per iniettare input tramite campi di testo o tramite parametri HTTP GET.
4
Step 4
Experiment[Determine database type] Determines the type of the database, such as MS SQL Server or Oracle or MySQL, using logical conditions as part of the injected queries
Try injecting a string containing char(0x31)=char(0x31) (this evaluates to 1=1 in SQL Server only)
Try injecting a string containing 0x313D31 (this evaluates to 1=1 in MySQL only)
Inject other database-specific commands into input fields susceptible to SQL Injection. The adversary can determine the type of database that is running by checking whether the query executed successfully or not (i.e. whether the adversary received a normal response from the server or not).
AI Translation
[Determinare il tipo di database] Determina il tipo di database, come MS SQL Server o Oracle o MySQL, utilizzando condizioni logiche come parte delle query iniettate
Prova a iniettare una stringa contenente char(0x31)=char(0x31) (questo si valuta come 1=1 solo in SQL Server)
Prova a iniettare una stringa contenente 0x313D31 (questo si valuta come 1=1 solo in MySQL)
Inietta altri comandi specifici del database nei campi di input suscettibili a SQL Injection. L'attaccante può determinare il tipo di database in esecuzione verificando se la query è stata eseguita con successo o meno (cioè se l'attaccante ha ricevuto una risposta normale dal server o meno).
Attack Techniques
-
Try injecting a string containing char(0x31)=char(0x31) (this evaluates to 1=1 in SQL Server only)
-
Inject other database-specific commands into input fields susceptible to SQL Injection. The adversary can determine the type of database that is running by checking whether the query executed successfully or not (i.e. whether the adversary received a normal response from the server or not).IT: Prova a iniettare una stringa contenente char(0x31)=char(0x31) (questo si valuta come 1=1 solo in SQL Server)
-
Try injecting a string containing 0x313D31 (this evaluates to 1=1 in MySQL only)IT: Prova a iniettare una stringa contenente char(0x31)=char(0x31) (questo si valuta come 1=1 solo in SQL Server)
5
Step 5
Exploit[Extract information about database schema] Extract information about database schema by getting the database to answer yes/no questions about the schema.
Automatically extract database schema using a tool such as Absinthe.
Manually perform the blind SQL Injection to extract desired information about the database schema.
AI Translation
[Estrazione di informazioni sullo schema del database] Estrai informazioni sullo schema del database facendo in modo che il database risponda con yes/no alle domande sullo schema.
Estrazione automatica dello schema del database utilizzando uno strumento come Absinthe.
Eseguire manualmente l'SQL Injection cieco per estrarre le informazioni desiderate sullo schema del database.
Attack Techniques
-
Manually perform the blind SQL Injection to extract desired information about the database schema.
-
Automatically extract database schema using a tool such as Absinthe.IT: Esegui manualmente l'iniezione SQL cieca per estrarre le informazioni desiderate sul schema del database.
6
Step 6
Exploit[Exploit SQL Injection vulnerability] Use the information obtained in the previous steps to successfully inject the database in order to bypass checks or modify, add, retrieve or delete data from the database
Use information about how to inject commands into SQL queries as well as information about the database schema to execute attacks such as dropping tables, inserting records, etc.
AI Translation
[Exploit vulnerabilità SQL Injection] Utilizza le informazioni ottenute nelle fasi precedenti per iniettare con successo nel database al fine di bypassare controlli o modificare, aggiungere, recuperare o eliminare dati dal database
Utilizza informazioni su come iniettare comandi nelle query SQL, nonché dettagli sullo schema del database, per eseguire attacchi come la cancellazione di tabelle, l'inserimento di record, ecc.
Attack Techniques
-
Use information about how to inject commands into SQL queries as well as information about the database schema to execute attacks such as dropping tables, inserting records, etc.
Mitigations
2
Security By Obscurity Is Not A Solution To Preventing Sql Injection. Rather Than Suppress Error Messages And Exceptions, The Application Must Handle Them Gracefully, Returning Either A Custom Error Page Or Redirecting The User To A Default Page, Without Revealing Any Information About The Database Or The Application Internals.
Strong Input Validation - All User-Controllable Input Must Be Validated And Filtered For Illegal Characters As Well As Sql Content. Keywords Such As Union, Select Or Insert Must Be Filtered In Addition To Characters Such As A Single-Quote(') Or Sql-Comments (--) Based On The Context In Which They Appear.
Consequences
Security Scopes Affected
Availability
Confidentiality
Integrity
Potential Impacts
Execute Unauthorized Commands
Modify Data
Read Data
Indicators
1
The only indicators of successful Blind SQL Injection are the application or database logs that show similar queries with slightly differing logical conditions that increase in complexity over time. However, this requires extensive logging as well as knowledge of the queries that can be used to perform such injection and return meaningful information from the database.
Relationships
Parent CAPECs
Resources Required
1
None: No specialized resources are required to execute this type of attack.