February 02, 2012
SQL Injection Part II: Seeing A Blind SQL Injection

We started a blog series in January on SQL injection.  Today, Groundhog Day, the groundhog predicted a longer winter full of SQL injection so now is a fitting time to post Part II of our series. Today's post was authored by Tal Be'ery (who is not pictured below).

TinKode, a famous hacker, has reportedly been caught.  TinKode was talented and best known for his mastery of the black art of Blind SQL injection.  (The term Blind SQL injection was coined by Imperva CTO Amichai Shulman almost a decade ago.)

Using Blind SQL injection, TinKode was able to hack many sites, including the following:

  • Army.mil
  • Nasa.gov
  • UK Ministry of Defence (mod.uk)
  • Yahoo.com
  • European Space Agency (ESA.INT)

First, let’s define a blind SQL injection.  According to Wikipedia:

Blind SQL Injection is used when a web application is vulnerable to an SQL injection but the results of the injection are not visible to the attacker. The page with the vulnerability may not be one that displays data but will display differently depending on the results of a logical statement injected into the legitimate SQL statement called for that page. This type of attack can become time-intensive because a new statement must be crafted for each bit recovered. There are several tools that can automate these attacks once the location of the vulnerability and the target information has been established.

We can demonstrate it with the pictures taken by TinKode himself describing the Yahoo hack, published more than two years ago. In this case he found a page that displays differently depending on the result of a logical statement injected into the legitimate SQL statement called for that page. When the logical condition evaluates to TRUE (and 1=1), “Rich Media Options” gets populated:

[Screenshot: Blind1]

But when the logical condition evaluates to FALSE (and 1=2) “Rich Media Options” remains empty:

[Screenshot: Blind2]

Now TinKode was able to guess his way through the database, using this method to tell him whether each guess was right or wrong. In this query, he was able to confirm that the default “mysql.user” table exists, is accessible, and holds the columns user and password:

[Screenshot: Blind3]

For a full live demo, see also the “Blindfolded SQL Injection Demonstration” video on ImpervaChannel on YouTube: http://www.youtube.com/watch?v=DclGr44UDNA.

Lastly, how do you mitigate Blind SQL injections? See Part I for the gory details.
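The TRUE/FALSE behaviour shown in the screenshots above, and the mitigation Part I covers, can both be reproduced on a small scale. The following is an added example written for this post, not code from Imperva or from the Yahoo page TinKode tested; it uses an in-memory SQLite table as a stand-in for the “Rich Media Options” lookup (the table name `media`, the `media.php` path, the client addresses and the log lines are all constructed). It shows why the page renders differently for `and 1=1` versus `and 1=2` when the id is concatenated into the query, why a validated, bound parameter removes that difference, and how a defender can spot the paired true/false probes in a web server log.

```python
import re
import sqlite3
from urllib.parse import unquote_plus


def build_db():
    """Constructed stand-in for the backing table of a page like the one in the screenshots."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE media (id INTEGER PRIMARY KEY, title TEXT, options TEXT)")
    conn.executemany(
        "INSERT INTO media VALUES (?, ?, ?)",
        [(1, "clip-a", "Rich Media Options"), (2, "clip-b", "Rich Media Options")],
    )
    return conn


def lookup_vulnerable(conn, media_id):
    """Deliberately vulnerable: the request value is pasted into the SQL text,
    so an appended condition (and 1=1 / and 1=2) changes what the page shows."""
    sql = "SELECT options FROM media WHERE id = " + media_id
    return [row[0] for row in conn.execute(sql).fetchall()]


def lookup_parameterized(conn, media_id):
    """Hardened form: validate the expected type, then bind the value as a parameter.
    Whatever the client sends can only ever be compared as data, never parsed as SQL."""
    try:
        value = int(media_id)
    except (TypeError, ValueError):
        return []
    rows = conn.execute("SELECT options FROM media WHERE id = ?", (value,)).fetchall()
    return [row[0] for row in rows]


# A boolean probe appends a comparison such as "and 1=1" or "and 1=2" to a value.
BOOLEAN_PROBE = re.compile(r"\b(and|or)\s+(\d+)\s*=\s*(\d+)\b", re.IGNORECASE)

# Constructed log lines in the shape "client time method request status".
SAMPLE_LOG = [
    "203.0.113.7 12:00:01 GET /media.php?id=17 200",
    "203.0.113.7 12:00:02 GET /media.php?id=17+and+1%3D1 200",
    "203.0.113.7 12:00:03 GET /media.php?id=17+and+1%3D2 200",
    "198.51.100.9 12:00:04 GET /media.php?id=17+and+1%3D1 200",
]


def find_boolean_probe_pairs(log_lines):
    """Flag (client, path) pairs that sent both a true-valued and a false-valued
    comparison to the same page: the signature of blind enumeration, where the
    attacker needs both outcomes to tell a right guess from a wrong one."""
    seen = {}
    for line in log_lines:
        client, request = line.split()[0], line.split()[3]
        path, _, query = request.partition("?")
        match = BOOLEAN_PROBE.search(unquote_plus(query))
        if not match:
            continue
        truth = match.group(2) == match.group(3)
        seen.setdefault((client, path), set()).add(truth)
    return sorted(key for key, outcomes in seen.items() if outcomes == {True, False})


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, 1 and 1=1:", lookup_vulnerable(db, "1 and 1=1"))
    print("vulnerable, 1 and 1=2:", lookup_vulnerable(db, "1 and 1=2"))
    print("parameterized, 1 and 1=1:", lookup_parameterized(db, "1 and 1=1"))
    print("probe pairs:", find_boolean_probe_pairs(SAMPLE_LOG))
```

The vulnerable lookup returns a row for `1 and 1=1` and nothing for `1 and 1=2`, which is exactly the populated-versus-empty difference in the screenshots; the parameterized lookup returns nothing for either, because the whole string fails the integer check and is never interpreted as SQL. The log check is intentionally narrow (numeric tautologies only) so it stays readable; in practice a WAF or log pipeline would cover the other comparison forms and also watch for the long, regular bursts of requests that bit-by-bit extraction produces.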

