sql injection: inference attack
SQL Injection is the process of injecting SQL commands into strings processed by an application. This is possible when there is insufficient validation of user input before it is executed in dynamic SQL queries.
Different types of attack exist and not all of them are suitable for every situation.
This is the first of a series of two articles on SQL inference attacks.
From Data-mining with SQL Injection and Inference (see References at the end) we can classify SQL attacks into three different categories:
- In-band attacks extract data over the same channel between the client and the web server, for example, results are embedded in a web page via a union select.
- Out-of-band attacks employ a different communications channel to drill for data by using database mail or HTTP functions for example.
- Inference attacks stand apart in that no actual data is transferred; rather, a difference in the way an application behaves allows an attacker to infer the value of the data.
Typically, an attacker would initially look to exploit an SQL injection vulnerability by getting the results in-band. However, sometimes this is not possible. Say, for instance, that the injected code is executed in two very different SQL queries: given enough time, you would probably be able to craft a piece of code that can be injected into both queries and return results in-band. But there are instances where time is a factor, so in-band attack vectors are not always exploitable, and out-of-band or inference techniques are then required.
An inference attack tries to gather information from the underlying database by examining the different responses of the application when specially crafted data is injected.
At the core of the inference attack is a simple question. If the answer to this question is A then do Y; if the answer is B then do Z.
This can be translated into SQL like this:
SELECT CASE WHEN condition THEN do_Y ELSE do_Z END
So the main idea behind inference is to inject a SELECT CASE or similar statement into the application's query. Usually the condition will include SQL functions such as ASCII or SUBSTR, and the Y and Z operations would contain calls to the WAITFOR statement.
By injecting not only data but also logic into the application’s query, we are able to control the output of the application and depending on what this output looks like, we could infer the value stored in the database.
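As an added detection example (not part of the original article), the following Python scans web-server access-log lines for the constructs described above: CASE/WHEN/THEN/ELSE/END logic carrying injected conditions, an ASCII(SUBSTR(...)) character probe, and a WAITFOR DELAY side effect. The log lines, client addresses, paths and parameter names are constructed for illustration only.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (not from any real system). Query
# strings appear URL-encoded, as a web server writes them.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /item?id=42 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /item?id=42%20AND%20%28SELECT%20CASE%20WHEN%20ASCII%28SUBSTR%28name%2C1%2C1%29%29%3E64%20THEN%201%20ELSE%200%20END%29%3D1 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /search?q=case+when+to+end+a+lease HTTP/1.1" 200 2048
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /item?id=42%3B%20WAITFOR%20DELAY%20%270%3A0%3A5%27%20-- HTTP/1.1" 200 512
"""

# Common log format: client, ident, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Indicators taken from the constructs the article describes: the CASE
# expression that carries injected logic, the ASCII/SUBSTR condition and
# the WAITFOR side effect. Each is matched against the decoded,
# upper-cased parameter value with whitespace collapsed.
INDICATORS = {
    "case_logic": re.compile(r"\bCASE\s+WHEN\b.+?\bTHEN\b.+?\bELSE\b.+?\bEND\b"),
    "char_probe": re.compile(r"\bASCII\s*\(\s*SUBSTR(ING)?\s*\("),
    "time_delay": re.compile(r"\bWAITFOR\s+DELAY\b"),
}

def classify_value(value):
    """Return the indicator names present in one decoded parameter value."""
    norm = re.sub(r"\s+", " ", value).upper()
    return [name for name, rx in INDICATORS.items() if rx.search(norm)]

def scan_log(text):
    """Return (client, path, param, indicators) for every request
    parameter that carries at least one inference-style indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip it
        client, _method, target, _status = m.groups()
        parts = urlsplit(target)
        # parse_qsl percent-decodes and turns '+' into a space for us.
        for param, value in parse_qsl(parts.query, keep_blank_values=True):
            found = classify_value(value)
            if found:
                hits.append((client, parts.path, param, found))
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The search request containing the ordinary words "case when ... end" is not flagged because the case_logic indicator requires the full WHEN/THEN/ELSE/END shape; the indicators are still heuristics and belong in a triage pipeline, not a blocking rule.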
In the next article regarding SQL inference attacks, sql injection: inference attack (part 2), we will see a hands-on example of this technique. In the meantime, here are some references:
References