A Complete Guide to MSSQL Time-Based Blind Injection Attack Techniques (MSSQL time-based blind injection tutorial)

Time-based blind SQL Injection attacks are an incredibly powerful technique in the arsenal of any hacker. This guide will show you how to execute a time-based blind attack against a vulnerable Microsoft SQL Server (MSSQL) database.

Time-based blind SQL injection is a technique which relies on a web application's response time to determine whether a given query produces a positive or negative result. Essentially, the attacker crafts a SQL query containing a clause that causes it to take a certain amount of time to execute, depending on the result. By carefully measuring how long the HTTP request takes to complete, the attacker can then determine whether the clause evaluated to true (positive result) or false (negative result).

To execute a time-based blind attack, an attacker must first identify a vulnerable MSSQL query in the application code. This can be done using a variety of methods: error-based SQL injection, URL manipulation, and parameter tampering. Once a suspicious input point is found, the attacker can start testing it for SQL injection vulnerabilities by entering malicious strings. In this guide, the syntax used will be the MSSQL query language known as T-SQL.

Once the injection vulnerability has been identified, the attacker must construct a query which will cause a delay in the response time. This is usually done using the WAITFOR command, which allows the attacker to specify a period of time (as an hh:mm:ss time string, as in the example below) for which the DBMS should wait before returning the response. A simple example would be:

WAITFOR DELAY '00:00:05'

By including this command in a malicious query, the database pauses for five seconds before the application returns a response. If the clause evaluates to true, the response will take five seconds to return. If the clause evaluates to false, the response will come back without the delay.

Armed with this knowledge, the attacker can now start probing for sensitive data. For example, if the attacker wanted to identify the existence of a particular user account within the DBMS, he or she could craft a query like this:

IF EXISTS (SELECT * FROM Users WHERE Name = 'johndoe') WAITFOR DELAY '00:00:05'

If the "johndoe" account exists, the query will take five seconds to execute and return a response; if it doesn't exist, the response will be instantaneous. The attacker can even construct queries which probe for more sensitive data such as passwords or credit card information.

Time-based blind attacks provide an effective method to probe a vulnerable MSSQL database without leaving a trace. By using a combination of clever query construction, URL manipulation, and carefully crafted input strings, an attacker can discover sensitive data which the application is meant to protect. Proper security controls, such as input validation and defensive coding techniques, should always be employed to prevent such attacks from succeeding.
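As an added example that is not part of the original guide, the following Python script shows how a defender can spot WAITFOR DELAY probes in web-server access logs and tell a mere attempt apart from a delay that actually executed (observed response time at or above the requested delay). The simplified W3C-style log layout and every log line are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines (not real traffic) in a simplified W3C/IIS layout:
# date time cs-uri-stem cs-uri-query sc-status time-taken(ms)
SAMPLE_LOG = """\
2024-01-01 10:00:01 /login.aspx user=johndoe 200 35
2024-01-01 10:00:02 /login.aspx user=johndoe'+WAITFOR+DELAY+'00:00:05'-- 200 5042
2024-01-01 10:00:09 /login.aspx user=bob';WAITFOR%20DELAY%20'0:0:5'-- 200 38
2024-01-01 10:00:15 /search.aspx q=delay%20shipping 200 40
"""

# Matches WAITFOR DELAY 'hh:mm:ss[.mmm]'; whitespace or inline /* */ comments
# may separate the keywords, and hour/minute/second fields may be 1 or 2 digits.
WAITFOR_RE = re.compile(
    r"WAITFOR(?:\s|/\*.*?\*/)+DELAY(?:\s|/\*.*?\*/)+"
    r"'(\d{1,2}:\d{1,2}:\d{1,2}(?:\.\d{1,3})?)'",
    re.IGNORECASE,
)


def parse_delay(value):
    """Convert a T-SQL delay string such as '00:00:05.500' to seconds."""
    hms, _, frac = value.partition(".")
    h, m, s = (int(x) for x in hms.split(":"))
    millis = int(frac.ljust(3, "0")) / 1000 if frac else 0.0
    return h * 3600 + m * 60 + s + millis


def find_time_based_injection(log_text):
    """Return one finding per request whose decoded query carries a WAITFOR DELAY."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines
        _date, _time, path, query, _status, taken_ms = parts
        match = WAITFOR_RE.search(unquote_plus(query))  # decode %20 and '+'
        if not match:
            continue
        expected = parse_delay(match.group(1))
        observed = int(taken_ms) / 1000
        findings.append({
            "path": path,
            "expected_delay_s": expected,
            "observed_s": observed,
            # Response as slow as the requested delay: the injected WAITFOR ran,
            # so this is a confirmed injection point, not just a probe.
            "delay_executed": observed >= expected,
        })
    return findings


if __name__ == "__main__":
    for finding in find_time_based_injection(SAMPLE_LOG):
        print(finding)
```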
