Penetration Testing mailing list archives
Re: SQL Injection - Waitfor delay
From: Parity <pty.err () gmail com>
Date: Tue, 14 Oct 2008 12:32:57 -0700
Attackers use the waitfor delay syntax to do two things:

#1 - as a quick test to indicate whether or not a serious vulnerability may be present. If the waitfor delay trick works, that's a reliable indication that the app has a serious vulnerability, and an attacker could use commands other than waitfor delay to do very bad things. (There's a lot of literature available on the net for exploring this topic; Google is your friend.)

#2 - as part of a more complicated method for extracting data from the application database. The waitfor delay syntax offers just one way among many for attackers to exfiltrate data from a vulnerable database. My favorite tool for this particular job is sqlbrute written by the very capable Justin Clarke.

The bottom line is, if somebody has demonstrated that the waitfor delay syntax works against your app, the issue is very real. Anyone who says otherwise just hasn't seen it demo'd yet.

pty
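A defender-side check for the point made in the message above, as an added example that is not part of the original post: it scans web server log lines for a literal WAITFOR DELAY time string and separates plain attempts from requests whose response time was at least the requested delay. The log format, sample lines and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines (not from the original post), simplified format:
# timestamp method path query status time_taken_ms
SAMPLE_LOG = """\
2008-10-14T12:00:01 GET /item.asp id=42 200 85
2008-10-14T12:00:07 GET /item.asp id=42%3BWAITFOR%20DELAY%20%270%3A0%3A5%27-- 200 5120
2008-10-14T12:00:09 GET /item.asp id=42%3Bwaitfor/**/delay/**/%2700%3A00%3A10%27-- 500 40
2008-10-14T12:00:15 GET /search.asp q=%2527%253BWAITFOR%2520DELAY%2520%25270%253A0%253A3%2527-- 200 3050
2008-10-14T12:00:20 GET /help.asp q=how+long+to+wait+for+delivery 200 4000
"""

# Assumption: only the quoted literal form 'h:m:s' is matched; other forms are out of scope.
WAITFOR_RE = re.compile(r"waitfor\s+delay\s+'(\d{1,2}):(\d{1,2}):(\d{1,2})(?:\.\d+)?'", re.I)
SQL_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)

def normalize(query):
    # Undo up to three layers of URL encoding, then turn /**/ comments into spaces.
    for _ in range(3):
        decoded = unquote_plus(query)
        if decoded == query:
            break
        query = decoded
    return SQL_COMMENT_RE.sub(" ", query)

def requested_delay(query):
    # Seconds asked for by a WAITFOR DELAY literal in the query, or None if absent.
    m = WAITFOR_RE.search(normalize(query))
    if not m:
        return None
    h, mi, s = (int(x) for x in m.groups())
    return h * 3600 + mi * 60 + s

def classify(log_text):
    # "delay-honoured" means the server took at least as long as the request asked for.
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, _method, path, query, _status, taken_ms = parts
        delay = requested_delay(query)
        if delay is None:
            continue
        honoured = delay > 0 and int(taken_ms) >= delay * 1000
        findings.append((ts, path, delay, "delay-honoured" if honoured else "attempt"))
    return findings
```

A "delay-honoured" finding is the log-side equivalent of the demonstration the message describes and should be triaged as a confirmed injection point; an "attempt" still shows the parameter is being probed.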
Current thread:
- SQL Injection - Waitfor delay xelerated (Oct 13)
- Re: SQL Injection - Waitfor delay rajat swarup (Oct 13)
- Re: SQL Injection - Waitfor delay Krugger (Oct 14)
- Re: SQL Injection - Waitfor delay p1g (Oct 16)
- Re: SQL Injection - Waitfor delay Anthony Cicalla (Oct 16)
- Re: SQL Injection - Waitfor delay Haroon Meer (Oct 16)
- Re: SQL Injection - Waitfor delay xelerated (Oct 16)
- Re: SQL Injection - Waitfor delay Robin Wood (Oct 16)
- <Possible follow-ups>
- Re: SQL Injection - Waitfor delay Parity (Oct 14)
- Re: SQL Injection - Waitfor delay Anthony Cicalla (Oct 15)