Time-based Blind

Context

This article describes how time-based blind SQL injection is exploited against IBM Db2 databases. The technique is a timing attack: it infers data from how long the database takes to answer, without any direct feedback from the query result. It assumes you already know how SQL statements are executed and how response time can be turned into an information channel.

Theory

Understanding Time-based Blind SQL Injection

Time-based blind SQL injection is a method whereby attackers use database response times to infer information. Unlike classic SQL injection, which returns query results directly, this method injects conditional logic that delays the response only when a condition holds. By measuring the time taken to receive a response, an attacker learns whether the condition was true, one bit per request.

The attack sequence typically involves the following steps:

  • Formulate a conditional SQL query.
  • Use timing functions to introduce delays for specific conditions.
  • Analyze the response delays to deduce true or false.

Conditional Timing in IBM Db2

In the context of IBM Db2, conditional timing uses SQL functions to create processing delays based on query conditions. The method works only where user input is concatenated into SQL text without validation or parameter markers, which lets the attacker's conditional expression reach the query compiler.

Key concepts include:

  • Conditional delays in queries can reveal data by the timing of responses.
  • The lack of input validation allows the execution of time-based conditions.
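The following Python example, added here and not part of the original article, shows the two halves of the second point: a query builder that pastes user input into the SQL text, beside a hardened builder that validates the value and passes it through a `?` parameter marker (the marker style used by Db2 CLI and the `ibm_db` driver). The `products` table, the `build_query_*` names and the request value are assumptions made for illustration; no database connection is opened, the code only shows what statement text each approach would send.

```python
import re

# Constructed request value reusing the delay expression the article itself shows.
# It stands in for a query-string parameter such as ?id=... arriving from a client.
ATTACK_PAYLOAD = ("1 AND (SELECT CASE WHEN (1=1) THEN SLEEP(5) ELSE SLEEP(0) END "
                  "FROM SYSIBM.SYSDUMMY1) IS NOT NULL")


def build_query_unsafe(product_id: str) -> str:
    """Vulnerable pattern: the caller's string becomes part of the SQL text.

    Whatever arrives in product_id is parsed by Db2 as SQL, so a conditional
    delay expression executes as part of the statement."""
    return f"SELECT name, price FROM products WHERE id = {product_id}"


def build_query_parameterized(product_id: str):
    """Hardened pattern: fixed statement text plus a separately bound value.

    The statement is compiled once with a '?' marker; the value is sent as data
    and can never alter the statement's structure. The allow-list check on top
    rejects anything that is not a plain integer before it reaches the driver."""
    if not re.fullmatch(r"[0-9]{1,10}", product_id):
        raise ValueError("product id must be a positive integer")
    return "SELECT name, price FROM products WHERE id = ?", (int(product_id),)


def contains_injected_logic(sql: str) -> bool:
    """Crude check used only to make the difference between the builders visible."""
    return bool(re.search(r"\bCASE\s+WHEN\b|\bSLEEP\s*\(|\bBENCHMARK\s*\(", sql, re.I))


if __name__ == "__main__":
    print("unsafe   :", build_query_unsafe(ATTACK_PAYLOAD))
    print("hardened :", build_query_parameterized("42"))
```

With a real connection the hardened pair would be executed as `cursor.execute(sql, params)` (DB-API style) or `ibm_db.prepare` followed by `ibm_db.execute` with the tuple; the statement text never contains user data, so timing tricks in the value have nothing to attach to.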

Key Functions and Techniques

To implement a time-based blind SQL injection, certain functions and techniques are vital:

  • BENCHMARK() and SLEEP(): functions used to artificially introduce delays in SQL execution. By measuring how long the statement takes, the truth of the injected condition can be inferred.
  • SYSIBM.SYSDUMMY1: a one-row catalog table in Db2, commonly used to run an expression or test query without referencing a real table.
  • MON_GET_ACTIVITY and MON_GET_CONNECTION: table functions for monitoring execution time, queried through FROM TABLE(...). They report how long activities and connections have spent executing, which makes it possible to spot the effect of injected conditional statements.

Practice

Time-based Blind SQL Injection

This technique involves crafting SQL queries that exploit timing delays to infer data.

  • Execute the following command to introduce a delay based on a condition:

    SELECT CASE WHEN (condition) THEN SLEEP(5) ELSE SLEEP(0) END FROM SYSIBM.SYSDUMMY1;

    This command performs a sleep operation if the condition is true. By observing the time taken for the database response, you can determine whether the condition was true or false.

  • To monitor execution time and further refine your attack:

    SELECT APPLICATION_HANDLE, TOTAL_ACT_TIME, STMT_TEXT
      FROM TABLE(MON_GET_ACTIVITY(NULL, -2)) AS T
     WHERE TOTAL_ACT_TIME > threshold;

    Here, you track the execution time of running activities (TOTAL_ACT_TIME is in milliseconds; threshold is a placeholder you choose) to check that they match the expected delay pattern, which helps validate your inferences about the database content.

Monitoring Execution Time

Monitoring execution time is a crucial part of both exploiting and detecting time-based attacks: abnormally long statements are the footprint the technique leaves in the database.

  • Use the following command to check if execution time exceeds a safe threshold:

    SELECT APPLICATION_HANDLE, APPLICATION_NAME, TOTAL_ACT_TIME
      FROM TABLE(MON_GET_CONNECTION(NULL, -2)) AS T
     WHERE TOTAL_ACT_TIME > threshold;

    By setting appropriate thresholds (threshold is a placeholder in milliseconds; -2 selects all members), you can identify timing discrepancies indicative of injection attempts.
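Database-side monitoring is one view; the same pattern is visible at the web tier. The following Python example, added here and not taken from the original article, runs the threshold idea from this section and the attack sequence described under "Understanding Time-based Blind SQL Injection" over a constructed access log. Each line carries a response time in milliseconds (the log format, the sample lines and the client addresses are assumptions made for this example). It combines two signals: a payload check for the delay and conditional primitives the article names, and a per-endpoint timing baseline so that a slow report page does not alert on every request.

```python
import re
import statistics
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit

# Constructed sample log (not real traffic). Fields:
# timestamp, client IP, method, request target, HTTP status, response time in ms.
LOG_LINES = [
    "2024-05-01T10:00:01Z 10.0.0.5 GET /item?id=42 200 38",
    "2024-05-01T10:00:02Z 10.0.0.5 GET /item?id=43 200 41",
    "2024-05-01T10:00:03Z 10.0.0.5 GET /item?id=44 200 35",
    # true branch of the conditional delay: response takes about five seconds
    "2024-05-01T10:00:04Z 10.0.0.9 GET /item?id=1%20AND%20(SELECT%20CASE%20WHEN%20(1=1)"
    "%20THEN%20SLEEP(5)%20ELSE%20SLEEP(0)%20END%20FROM%20SYSIBM.SYSDUMMY1)%20IS%20NOT%20NULL 200 5041",
    # false branch: same payload shape, but the response is fast
    "2024-05-01T10:00:10Z 10.0.0.9 GET /item?id=1%20AND%20(SELECT%20CASE%20WHEN%20(1=2)"
    "%20THEN%20SLEEP(5)%20ELSE%20SLEEP(0)%20END%20FROM%20SYSIBM.SYSDUMMY1)%20IS%20NOT%20NULL 200 39",
    # a legitimately slow endpoint with no payload
    "2024-05-01T10:00:11Z 10.0.0.7 GET /report?year=2023 200 2200",
]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")

# Delay functions and conditional constructs discussed in the article,
# matched against the URL-decoded query string.
DELAY_PATTERN = re.compile(
    r"\b(SLEEP|BENCHMARK)\s*\(|\bCASE\s+WHEN\b.*\bEND\b|\bSYSDUMMY1\b", re.I)


def parse_line(line):
    """Split one log line into a dict, or return None for lines that don't fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, target, status, ms = m.groups()
    parts = urlsplit(target)
    return {"ts": ts, "client": client, "method": method, "path": parts.path,
            "query": unquote_plus(parts.query), "status": int(status), "ms": int(ms)}


def analyze(lines, abs_threshold_ms=1000, ratio=5.0):
    """Return (timestamp, client, reasons) for each suspicious request.

    reasons contains "payload" when the decoded query string carries a delay or
    conditional primitive, and "timing" when the response exceeded both the
    absolute threshold and `ratio` times the median for that path. The median
    is per path so that an endpoint that is always slow is not flagged."""
    recs = [r for r in map(parse_line, lines) if r]
    by_path = defaultdict(list)
    for r in recs:
        by_path[r["path"]].append(r["ms"])
    medians = {p: statistics.median(v) for p, v in by_path.items()}

    alerts = []
    for r in recs:
        reasons = []
        if DELAY_PATTERN.search(r["query"]):
            reasons.append("payload")
        if r["ms"] > abs_threshold_ms and r["ms"] > ratio * medians[r["path"]]:
            reasons.append("timing")
        if reasons:
            alerts.append((r["ts"], r["client"], reasons))
    return alerts


if __name__ == "__main__":
    for ts, client, reasons in analyze(LOG_LINES):
        print(ts, client, ",".join(reasons))
```

The false-branch request is the reason both signals are needed: its timing is indistinguishable from normal traffic and only the payload check catches it, while the true-branch request is caught twice. The `/report` line shows the opposite case, slow but benign, which the per-path median keeps out of the alerts.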

Tools

  • Db2 Command Line Processor
  • Wireshark
