Introducing SQL Injection 341
Let’s analyze the final result here. When you string all the code together, you can see that the code is altering the database so that the original e-mail address, [email protected], is replaced with another e-mail address, [email protected]. The result is that the attacker’s injected code uses the website’s reset-password function to change the password, and the reset request is then sent to the attacker’s address. Additionally, the login information for the site has now been changed to a new account.
Once you have performed this action successfully, as the attacker you can go about performing additional functions such as browsing information in the system or inputting new data (or possibly worse).
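The e-mail rewrite described above only works because the application splices user input into the text of its UPDATE statement. The following added example (not code from the book) shows that defect beside its fix in Python against an in-memory SQLite database; the table, the two accounts and the hostile input are all constructed for the demonstration.

```python
import sqlite3

# Constructed demo (not code from the book): a minimal users table in an in-memory SQLite database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (id, email) VALUES (?, ?)",
                     [(1, "alice@example.test"), (2, "bob@example.test")])
    conn.commit()
    return conn

def update_email_vulnerable(conn, user_id, new_email):
    """Builds the UPDATE by string concatenation: new_email becomes part of the SQL text,
    so a quote in the input can rewrite the WHERE clause (this is the defect)."""
    sql = "UPDATE users SET email = '" + new_email + "' WHERE id = " + str(int(user_id))
    conn.execute(sql)
    conn.commit()

def update_email_safe(conn, user_id, new_email):
    """Parameterised form: the driver binds new_email as a value, never as SQL syntax."""
    conn.execute("UPDATE users SET email = ? WHERE id = ?", (new_email, user_id))
    conn.commit()

def emails(conn):
    """Returns {id: email} for every row, used to observe the effect of each update."""
    return dict(conn.execute("SELECT id, email FROM users ORDER BY id"))

# Constructed hostile input: the caller is user 1, but the input closes the string literal,
# supplies its own WHERE clause aimed at user 2, and comments out the rest of the statement.
HOSTILE_EMAIL = "attacker@example.test' WHERE id = 2 --"

def demo():
    """Runs the same hostile input through both functions and returns the resulting tables."""
    vuln = make_db()
    update_email_vulnerable(vuln, 1, HOSTILE_EMAIL)
    safe = make_db()
    update_email_safe(safe, 1, HOSTILE_EMAIL)
    return emails(vuln), emails(safe)

if __name__ == "__main__":
    after_vuln, after_safe = demo()
    print("concatenated SQL :", after_vuln)   # user 2's address was rewritten
    print("parameterised SQL:", after_safe)   # the whole input is stored literally for user 1
```

With the concatenated query the other account’s address is silently replaced, which is exactly the precondition for hijacking a password reset; with the bound parameter the input is stored as an (invalid) literal for the caller’s own row and no other row changes. Parameterisation is the control that removes the injection; validating that the value is actually an e-mail address is a separate, defence-in-depth check.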
Injecting Blind
What if the target you are trying to penetrate does not return messages no matter what
actions you take? In this situation you are flying blind, so it makes sense to attempt a blind
SQL injection. This type of attack is not dependent on the presence of error messages.
Much like any other SQL injection, a blind SQL injection can be used to manipulate
information, destroy information, or extract data.
Unlike regular SQL injection attacks, blind SQL injection attacks are much
more time-consuming because every time new information is obtained,
new statements must be crafted.
This attack works by indirectly obtaining information, such as through the use of
true or false statements or through the use of timing information about the nature of the
environment. Let’s take a look at one example:
'; IF EXISTS(SELECT * FROM users) WAITFOR DELAY '0:0:10'--
This code first checks whether the table users exists in the database. If it doesn’t, the code displays, “We are unable to process your request. Please try back later.” If the table does exist, it pauses for 10 seconds and only then displays the same message, “We are unable to process your request. Please try back later.” The visible response is identical either way; only the timing differs.
Since no error messages are returned, you can use the WAITFOR DELAY command to check the SQL execution status:
WAITFOR DELAY 'time'
Here time is written as hours:minutes:seconds, so '0:0:10' is a pause of 10 seconds.
So what is happening in this attack? Well, let’s look at the first line:
'; IF EXISTS(SELECT * FROM users) WAITFOR DELAY '0:0:10'--
The first part of the statement (which ends right before the WAITFOR statement) is sent to the system for it to process. If the system cannot run it, the system is not vulnerable to this technique: it will discard the whole line and return control back to the user, or it may return an application error message (which will not help you). If the system can run the first part, it will process the whole line, which causes a momentary but noticeable pause, indicating to you, the attacker, that the whole line was processed.
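Because a time-based blind injection leaves no error in the response, the defender’s signal is the pause itself together with the delay primitive in the request. The following added example (not code from the book) runs that detection over a few constructed web-server log lines in Python: it URL-decodes each request, looks for WAITFOR DELAY and, going beyond the text, the equivalent delay functions of other database engines, and separately flags requests that are far slower than the usual response time for their path. The log format, sample lines, thresholds and all function names are assumptions made for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log sample (not from the book).
# Fields: timestamp client method url status response_ms
SAMPLE_LOG = """\
2024-05-01T12:00:01Z 203.0.113.5 GET /reset?email=alice%40example.test 200 35
2024-05-01T12:00:02Z 203.0.113.5 GET /reset?email=alice%27%3B+IF+EXISTS(SELECT+*+FROM+users)+WAITFOR+DELAY+%270:0:10%27-- 200 10042
2024-05-01T12:00:03Z 198.51.100.7 GET /reset?email=bob%40example.test 200 41
2024-05-01T12:00:04Z 203.0.113.5 GET /search?q=1+AND+sleep(5) 200 5031
2024-05-01T12:00:05Z 198.51.100.9 GET /search?q=quarterly+report 200 88
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<ms>\d+)$"
)

# Delay primitives: WAITFOR DELAY (SQL Server, as in the text) plus the equivalents of other engines.
DELAY_RE = re.compile(
    r"WAITFOR\s+DELAY|\bSLEEP\s*\(|\bPG_SLEEP\s*\(|\bBENCHMARK\s*\(", re.IGNORECASE
)

def normalize(url):
    """URL-decode twice so plus-encoded spaces and double-encoded payloads are both visible."""
    return unquote_plus(unquote_plus(url))

def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ms"] = int(rec["ms"])
    rec["path"] = rec["url"].split("?", 1)[0]
    return rec

def analyze(log_text, slow_factor=20.0, min_slow_ms=2000):
    """Return one finding per request that carries a delay primitive and/or is anomalously slow
    for its path. The per-path baseline is the lower median of observed response times, which
    a single slow probe cannot drag upwards by much."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    per_path = {}
    for r in records:
        per_path.setdefault(r["path"], []).append(r["ms"])
    findings = []
    for r in records:
        reasons = []
        hit = DELAY_RE.search(normalize(r["url"]))
        if hit:
            reasons.append("delay-primitive:" + hit.group(0).upper())
        times = sorted(per_path[r["path"]])
        baseline = times[(len(times) - 1) // 2]
        if r["ms"] >= min_slow_ms and r["ms"] >= slow_factor * baseline:
            reasons.append("latency-anomaly")
        if reasons:
            findings.append({"ts": r["ts"], "client": r["client"], "path": r["path"],
                             "ms": r["ms"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The two signals are deliberately kept separate: the keyword match catches a probe even when the database was not vulnerable (no pause occurred), while the latency rule catches a delay that arrives obfuscated or through a primitive the pattern list does not know. On a real log the baseline should be computed from a longer window than the lines being inspected, and the thresholds tuned to the application’s normal response times.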