SQLite Time-based Blind SQL Injection Techniques

Context

In this article, we will explore the exploitation of SQLite time-based blind SQL injection vulnerabilities. This technique leverages delay emulation to infer database information in environments where direct feedback is unavailable. It is assumed that readers are knowledgeable about basic SQL injection concepts, have an understanding of SQLite database structures, can navigate HTTP request/response cycles, and are familiar with SQLite Blind SQL Injection techniques.

Theory

Time-based blind SQL injection is a method of extracting information from a database by causing time delays. This technique is particularly useful when the database does not provide direct responses indicating success or failure. Instead, it exploits the server's response time to deduce the outcome of queries.

Vulnerability Model

The core vulnerability in time-based blind SQL injection lies in the application's failure to properly sanitize input, allowing attackers to execute arbitrary SQLite commands. Attackers can leverage this flaw by crafting queries that cause the server to intentionally delay its response based on the accuracy of the injected SQL condition.

Delay Emulation Techniques in SQLite

Unlike some other SQL databases, SQLite does not have a built-in sleep function to create intentional delays. Therefore, attackers must emulate delays using computationally expensive operations.

Core Principle

To emulate a delay, attackers invoke complex SQLite operations that are resource-intensive. This can involve generating large data blobs or performing operations on large sets of data, which naturally take longer to execute.

Attack Sequence

Input a condition: Begin by constructing SQL queries that evaluate certain conditions.
Induce delays: Use SQLite functions and operations to create a significant delay only when conditions are met.
Measure response time: Observe the time it takes for the server to respond to determine if the condition is true or false.

Functions for Delay Emulation

Several SQLite functions can aid in creating the computational load necessary for inducing delay:

randomblob(): Generates random binary data, which can be utilized for creating heavy operations when large datasets are involved.
RANDNUM: A conceptual placeholder for operations involving randomness; however, SQLite uses randomblob() in practice.
UPPER: Converts text data to uppercase, which can increase computational complexity when used repetitively.
HEX: Converts binary data to a hexadecimal string, further adding to processing demands.

Practice

To execute time-based blind SQL injection in SQLite, follow these steps to exploit delay induction:

Perform a test to confirm the vulnerability by injecting benign SQL payloads to observe any response changes.

Execution Steps

Using randomblob for delay:
```
SELECT CASE WHEN (condition) THEN randomblob(1000000) ELSE 0 END;
```
- This query will generate a large random blob of data when the condition is true, causing a noticeable delay.
Combining UPPER and HEX:
```
SELECT CASE WHEN (condition) THEN UPPER(HEX(randomblob(1000000))) ELSE 0 END;
```
- By combining the UPPER and HEX functions with randomblob, you significantly increase the server's processing time when the condition is met.
Counting rows in a large table:
```
SELECT CASE WHEN (condition) THEN (SELECT COUNT(*) FROM large_table) ELSE 0 END;
```
- This query counts the number of rows in a large table, creating a delay that directly correlates to the table's size, thus serving as an effective timing attack vector.

When applied strategically, these steps can lead to data exfiltration by analyzing the timing differences and correlating them with the accuracy of each condition.

Tools

Burp Suite
SQLMap

These tools assist in the automation and exploitation of SQL injection vulnerabilities, helping to streamline the process for attackers.

Boolean Based Blind

Column And Data Type Discovery

Time-based Blind