Blind SQLi considerations and some development
Sooo hi! I hope you have a great summer so far. I finally got off from school, so now I have time to do some more fun security stuff. I'll start by talking about some SQLi things I did today after reading a couple of papers/posts some time ago.
Faster blind MySQL injection using bit shifting
The first post I want to tie some thoughts to is the one by Jelmer De Hen (http://h.ackack.net/faster-blind-mysql-injection-using-bit-shifting.html). He came up with a method for blind SQLi using bit shifting, pretty clever, and I really enjoyed that post for a couple of reasons:
- First of all, this method gets rid of the normal and very request-heavy approach where you basically take one character at a time and try requests like “substr(user(), 1, 1) = 'a'”, then “substr(user(), 1, 1) = 'b'” and so on, or take the ASCII value of the character and check whether it is higher or lower than some value (and then use a simple binary search).
- Secondly, the method Jelmer came up with uses only 8 requests per character (assuming that not just ASCII characters are the target).
But this method has some annoying features as well (when doing it manually), e.g. the fact that you have to do a lot of binary-to-decimal conversions (when using Jelmer's exact method), which I for one find rather trivial but still time consuming. Furthermore, when it comes to filter evasion this method relies on the shift operator “>>”, which I see as a disadvantage as well when evading simple filters (even though those could maybe still be evaded using different encodings).
Blind SQL Injection with Regular Expressions Attack
This is a paper by IHTeam (http://www.ihteam.net/papers/blind-sqli-regexp-attack.pdf) which uses regular expressions for blind SQLi, which turns out to be pretty handy. They also spend some time on time-based attacks, but I find that description trivial and will leave it to the reader.
So basically IHTeam uses regular expressions to do almost the same thing as the standard method of checking a character's ASCII value and then using a binary search to find the character. What I like about this method is that it's very easy to see what you've found so far (take a look at the examples on pages 5-6). But the method also has some pretty big disadvantages, I think. It's easy to find a letter or number using binary search on a regex range (a-z, A-Z, 0-9), but it's not as easy to find a special character like “!” or a UTF-8 character like “å”, since there are no regex ranges for that kind of character.
Furthermore, the number of requests used by this method can end up being quite large if the character to be found is not within the ranges mentioned above.
Therefore I don't find the regex method as relevant for extracting values. But I see another use for it: more clever ways of locating data in a large dataset where a simple “=” or “LIKE” is sufficient.
Blind SQLi using binary attributes and a bitwise AND
So what I did today is a bit of a development on some of Jelmer's stuff and a bit of my own thinking lately. For some time I have been enjoying the use of binary stuff in SQLi, which is also why I like the method Jelmer came up with. But as stated above there are some disadvantages I would like to avoid.
First of all, I think the use of “&” in SQLi has really been overlooked. Maybe because “&” is not allowed directly in query strings, since it's used as the parameter delimiter. Nevertheless it's still rather handy, since in SQL it is the bitwise AND operator. Like any other AND operator it has the property that 1 AND 1 is true and all other combinations are false. Furthermore, the “&” operator doesn't need whitespace characters surrounding it in order to function: “&” can be squeezed together like “1&1”. So just by URL-encoding “&” it's “allowed” in the query string, so in a page with a blind SQLi “1%261” would return true (“1%260” would of course return false). I'll get back to the use of the bitwise AND.
Take a look at “bin(ascii('e'))”: it returns the binary representation of “e” (1100101). Using this together with substr you can get the binary representation of each character in e.g. user() like so: “bin(ascii(substr(user(),1,1)))”. But there's still a bit of a problem: this is a blind SQLi, so if we do a substr on the binary representation of the character we get “substr(bin(ascii(substr(user(),1,1))),1,1)”, which returns only “1” or “0”. This gives us an attack vector like “id=1%26substr(bin(ascii(substr(user(),1,1))),1,1)--”, given that “1” is a valid id. I added “--” at the end just for the sake of it. Now we can cycle through the bits of each character using the outer substr and cycle through the characters using the inner substr.
The vector doesn't care whether the character is a number, a letter, a special character in ASCII or a UTF-8 character. Just like Jelmer's method, but without the hassle of converting the binary back to decimal before each request.
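As an added example (not part of the original post, and not code from Jelmer or IHTeam), here is the defender's view of the vector above: a small Python scanner that parses constructed access-log lines, URL-decodes each query-string parameter and flags values carrying the “bin(ascii(substr(...)))” bit extraction, the “>>” shift, or a bare numeric id glued to a bitwise “&”; it also counts flagged requests per source address, since bit-by-bit extraction needs several requests per character. It ends with the fix on the application side: an integer check plus a bound parameter, so the payload never reaches the SQL parser. The log format, addresses, paths and table contents are all constructed for the example.

```python
import re
import sqlite3
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache-style access-log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jul/2011:10:00:01 +0200] "GET /news.php?id=1 HTTP/1.1" 200 5120
10.0.0.9 - - [12/Jul/2011:10:00:02 +0200] "GET /news.php?id=1%26substr(bin(ascii(substr(user(),1,1))),1,1)-- HTTP/1.1" 200 5120
10.0.0.9 - - [12/Jul/2011:10:00:03 +0200] "GET /news.php?id=1%26substr(bin(ascii(substr(user(),1,1))),2,1)-- HTTP/1.1" 200 5120
10.0.0.9 - - [12/Jul/2011:10:00:04 +0200] "GET /news.php?id=1%26substr(bin(ascii(substr(user(),1,1))),3,1)-- HTTP/1.1" 200 512
10.0.0.7 - - [12/Jul/2011:10:00:05 +0200] "GET /news.php?id=2&page=3 HTTP/1.1" 200 4800
10.0.0.9 - - [12/Jul/2011:10:00:06 +0200] "GET /news.php?id=1%20and%20ascii(substr(user(),1,1))>>7=1 HTTP/1.1" 200 5120
"""

# Combined-log-format fields we need: client address, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

# Detection rules, applied in order to the URL-decoded parameter value.
# The first matching rule names the finding.
RULES = [
    ("bin(ascii()) bit extraction", re.compile(r"bin\s*\(\s*ascii\s*\(", re.I)),
    ("bit shift operator", re.compile(r">>\s*\d+")),
    ("numeric id with bitwise AND", re.compile(r"^\s*\d+\s*&\s*[a-z(]", re.I)),
    ("ascii(substr()) comparison", re.compile(r"ascii\s*\(\s*substr", re.I)),
]


def scan_log(log_text: str):
    """Return one finding per request whose query parameters match a rule."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or unrelated line; skip rather than guess
        query = urlsplit(m["target"]).query
        # parse_qsl splits on the raw '&' first and decodes afterwards, so an
        # encoded %26 stays inside the value instead of starting a new pair.
        for name, value in parse_qsl(query, keep_blank_values=True):
            for reason, rx in RULES:
                if rx.search(value):
                    findings.append({"ip": m["ip"], "param": name, "value": value,
                                     "reason": reason, "status": int(m["status"])})
                    break
    return findings


def suspicious_sources(findings, threshold=3):
    """Addresses with at least `threshold` flagged requests: bit-level blind
    extraction is cheap per request but never a single request."""
    counts = Counter(f["ip"] for f in findings)
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Application-side fix: validate the id and bind it as a parameter.
def make_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("INSERT INTO news VALUES (1, 'first post'), (2, 'second post')")
    return conn


def fetch_title(conn, raw_id: str):
    """Hardened lookup: the id must be all digits and is passed as a bound
    parameter, so '1&substr(...)' is rejected before any SQL is built."""
    if not raw_id.isdigit():
        raise ValueError("id must be a positive integer")
    row = conn.execute("SELECT title FROM news WHERE id = ?", (int(raw_id),)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ip']} {h['param']}={h['value']!r}: {h['reason']}")
    print("sources over threshold:", suspicious_sources(hits))
```

The status/size fields are kept in each finding because a true/false oracle usually shows up as two distinct response sizes for the same page; correlating that with the per-source count is a cheaper second signal than parsing SQL out of every request.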
You should have gotten the idea by now. It's easy and quick to get each character; if you do more with it, let me know.
I know this can be improved, e.g. by taking the length of each character into account you can save even more requests, since some characters will only require 6 requests (the low ASCII ones) while some will require 8 (UTF-8 ones).
Have a great summer, more will come!