Call: +44 (0)7759 277220 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Creating a SYSDBA backdoor"] [Next entry: "October 2007 Critical Patch Update (CPU) is out"]

Nice paper on time based blind SQL



Yesterday I got an email from Chema Alonso who told me about his recent paper titled http://www.microsoft.com/technet/community/columns/secmvp/sv0907.mspx - (broken link) Time-Based Blind SQL Injection with Heavy Queries which explores the techniques of blind SQL Injection using time based delays to infer values in the database that cannot be read directly. This technique uses heavy queries (using anti-tuning technques) that deliberatley take a long time to run when a value in the where clause turns out to be TRUE or FALSE. The technique can also use packages such as xp_cmdshell in SQL Server or DBMS_LOCK in Oracle to cause a specific delay. In this way the hacker doesn't need to see any data coming back but simply needs to see the response time of the query. The paper looks at a technique of creating badly performing queries that execute por not based on a value (any value) in the database. This way a "newton raphson" like technique can be used to home in on the value sought based on whether the query takes a long time or runs quickly.

This is a nice paper summarising the technqiues.