WebApp Sec mailing list archives

Re: Deep Blind SQL Injection Whitepaper


From: Haroon Meer <haroon () sensepost com>
Date: Thu, 21 Aug 2008 22:31:55 +0200

Hey guys..

* On 19/08/2008, [at 14:38:55 +0100] Ferruh Mavituna [ferruh () mavituna com] seemed to say:
This is a short whitepaper about a new way to exploit Blind SQL
Injections. It's implemented in BSQL Hacker (
http://labs.portcullis.co.uk/application/bsql-hacker/ ).

It is possible to gather information from a target server with a 66%
reduction in the number of requests made of the server (compared to
normal Blind SQL Injection), requiring two rather than six requests to
retrieve each char.

if you like, you can also check out squeeza
[http://www.sensepost.com/research/squeeza/] and its associated
whitepaper
[http://www.sensepost.com/research/squeeza/dc-15-meer_and_slaviero-WP.pdf]

squeeza allowed sql injection attacks to extract info via
DNS/Timing/Error Messages also, but its timing method extracted data one
bit at a time with retransmits / state control, effectively allowing for
full binary-safe data transfer from the injectable .db.

squeeza is written in ruby, and not as pretty as bsql-hacker, but in its
defense _did_ have an ascii art logo..

/mh
--
Haroon Meer, SensePost Information Security | http://www.sensepost.com/blog/ PGP: http://www.sensepost.com/pgp/haroon.txt | Tel: +27 83786 6637
