Time-Based Blind SQL Injection Attacks
When testing whether an application is vulnerable to SQL injection, one frequently finds that a potential vulnerability is hard to confirm. There can be many reasons for this, but the main one is that the web application displays no errors, so no data can be retrieved through them.
In such cases, a useful way to identify the vulnerability is to inject a time delay into the database query and check whether the server's response is delayed accordingly. Time delays are a powerful technique: the web server may hide errors and data, but it still has to wait for the database to return its result, so the delay can be used to confirm that SQL injection is present. The technique is especially well suited to blind injection.
Code location: in the checkSqlInjection function (file /lib/controller/checks.py, around line 444)

```python
# In case of time-based blind or stacked queries
# SQL injection
elif method == PAYLOAD.METHOD.TIME:
    # Perform the test's request
    trueResult = Request.queryPage(reqPayload, place, timeBasedCompare=True, raise404=False)

    if trueResult:
        # Confirm test's results
        trueResult = Request.queryPage(reqPayload, place, timeBasedCompare=True, raise404=False)

        if trueResult:
            infoMsg = "%s parameter '%s' is '%s' injectable " % (place, parameter, title)
            logger.info(infoMsg)

            injectable = True
```
Note in particular the call to Request.queryPage with the parameter timeBasedCompare set to True. Inside Request.queryPage there is the following code:

```python
if timeBasedCompare:
    return wasLastRequestDelayed()
```
The function wasLastRequestDelayed() decides whether the last request was noticeably delayed. It does so by comparing the response time of the last request with the average response time of all previous requests: if the last response time exceeds that average by a clear margin (measured in standard deviations, as the code below shows), the request is considered delayed.
The code of wasLastRequestDelayed is as follows:

```python
def wasLastRequestDelayed():
    """
    Returns True if the last web request resulted in a time-delay
    """

    # 99.9999999997440% of all non time-based sql injection affected
    # response times should be inside +-7*stdev([normal response times])
    # Math reference: http://www.answers.com/topic/standard-deviation

    deviation = stdev(kb.responseTimes)
    threadData = getCurrentThreadData()

    if deviation:
        if len(kb.responseTimes) < MIN_TIME_RESPONSES:
            warnMsg = "time-based standard deviation method used on a model "
            warnMsg += "with less than %d response times" % MIN_TIME_RESPONSES
            logger.warn(warnMsg)

        lowerStdLimit = average(kb.responseTimes) + TIME_STDEV_COEFF * deviation
        retVal = (threadData.lastQueryDuration >= lowerStdLimit)

        if not kb.testMode and retVal and conf.timeSec == TIME_DEFAULT_DELAY:
            adjustTimeDelay(threadData.lastQueryDuration, lowerStdLimit)

        return retVal
    else:
        # No usable deviation (too few samples or no spread): fall back to
        # checking that the response took at least the requested delay
        return (threadData.lastQueryDuration - conf.timeSec) >= 0
```
Every time an HTTP request is executed, its response time is appended to the kb.responseTimes list, with the exception of requests issued by the time-based blind test.
Why?
The following code makes this clear: when timeBasedCompare is True (that is, a time-based blind injection check is being performed), the result is returned directly; for any other kind of request, the response time is saved.

```python
if timeBasedCompare:
    return wasLastRequestDelayed()
elif noteResponseTime:
    kb.responseTimes.append(threadData.lastQueryDuration)
```

In addition, to ensure the accuracy of the time-based blind check, sqlmap executes queryPage twice.
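As an added example (not sqlmap's own code), the stand-alone Python below models the heuristic described above: normal response times form a baseline from which time-based test requests are excluded, a response counts as delayed once it exceeds mean + 7 standard deviations of that baseline, the detector falls back to comparing against the requested delay when the baseline has no usable spread, and the verdict is confirmed with a second timed request. The class and method names, the sample timings and the constant values are my assumptions.

```python
# Added example, not sqlmap's code: a stand-alone model of the delay heuristic
# in wasLastRequestDelayed(), fed with constructed response times.
# Class/method names and constant values are assumptions for this demo.
import statistics

STDEV_COEFF = 7        # plays the role of TIME_STDEV_COEFF (+-7 stdev)
DEFAULT_DELAY = 5.0    # seconds; plays the role of conf.timeSec


class DelayDetector:
    def __init__(self, time_sec=DEFAULT_DELAY):
        self.baseline = []        # like kb.responseTimes: normal requests only
        self.time_sec = time_sec  # delay requested by the time-based payload

    def record(self, duration, time_based=False):
        """Store a response time, but never one from a time-based test request,
        otherwise the injected delays would inflate the model's own baseline."""
        if not time_based:
            self.baseline.append(duration)

    def threshold(self):
        """mean + k*stdev of the baseline, or None when no spread is known."""
        if len(self.baseline) < 2:
            return None
        dev = statistics.stdev(self.baseline)   # sample stdev, like sqlmap's stdev()
        if dev == 0:
            return None
        return statistics.mean(self.baseline) + STDEV_COEFF * dev

    def is_delayed(self, last_duration):
        """True if the last response looks delayed relative to the baseline."""
        limit = self.threshold()
        if limit is not None:
            return last_duration >= limit
        # Fallback branch: no usable deviation, so just check that the response
        # took at least as long as the delay we asked for.
        return last_duration - self.time_sec >= 0

    def confirm(self, first, second):
        """sqlmap's double check: both timed requests must be delayed."""
        return self.is_delayed(first) and self.is_delayed(second)


if __name__ == "__main__":
    d = DelayDetector()
    for t in [0.20, 0.22, 0.19, 0.21, 0.23, 0.20, 0.18, 0.22, 0.21, 0.20]:
        d.record(t)                          # constructed normal response times
    d.record(5.2, time_based=True)           # ignored: came from a timed payload
    print("threshold %.3fs" % d.threshold())  # about 0.311s
    print("delayed:", d.confirm(5.2, 5.1), "noise:", d.is_delayed(0.30))
```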
Author: 曾是土木人
Please credit the source when reposting: http://m.survivalescaperooms.com/hongfei/p/sqlmap-time-based-blind.html