Pete Finnigan's SQL Server Security Blog

10/16/2007: "Time based blind SQL Injection"

Yesterday I got an email from Chema Alonso to tell me about his recent paper "Time-Based Blind SQL Injection with Heavy Queries". This is an excellent summary paper of the technique and includes an example of writing heavy (read: badly performing) queries and then controlling whether the badly performing part executes, in order to test whether a value (any value) in the database is above or below a chosen value using a Newton-Raphson-like technique. The idea is that, depending on whether a value is TRUE or FALSE, the query takes either a long time or a short time to run. This means that the value can be arrived at based on the time the query takes to run. This enables SQL Injection to be used where the data is not returned to the hacker but he can control the query sent and also view the time taken for the query to respond. Nice paper.
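An added example, not code from the paper or from this blog: because the technique makes a response either fast or slow depending on a TRUE/FALSE condition, a defender can look for clients whose response times on one endpoint fall into two widely separated clusters. The log format, addresses and thresholds below are constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed log lines: "<client> <method> <url> <response time in ms>".
SAMPLE_LOG = """\
198.51.100.7 GET /item?id=1 38
198.51.100.7 GET /item?id=2 4100
198.51.100.7 GET /item?id=3 41
198.51.100.7 GET /item?id=4 4230
198.51.100.7 GET /item?id=5 4050
198.51.100.7 GET /item?id=6 36
203.0.113.9 GET /item?id=1 35
203.0.113.9 GET /item?id=2 48
203.0.113.9 GET /item?id=3 40
203.0.113.9 GET /item?id=4 52
203.0.113.9 GET /item?id=5 39
203.0.113.9 GET /item?id=6 45
"""

def parse(log_text):
    """Group response times by (client, endpoint path), ignoring the query string."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed lines rather than guess
        client, _method, url, ms = parts
        groups[(client, urlsplit(url).path)].append(int(ms))
    return groups

def is_bimodal(times, min_requests=6, min_ratio=10, min_cluster=2):
    """True when times split into a fast and a slow cluster separated by a wide gap."""
    if len(times) < min_requests:
        return False
    ordered = sorted(times)
    # Split at the largest jump between neighbouring sorted values.
    split = max(range(1, len(ordered)), key=lambda i: ordered[i] - ordered[i - 1])
    fast, slow = ordered[:split], ordered[split:]
    if len(fast) < min_cluster or len(slow) < min_cluster:
        return False  # a single slow outlier is ordinary noise
    return slow[0] >= min_ratio * max(fast[-1], 1)

def suspicious_sources(log_text):
    """Return sorted (client, path) pairs whose timings look like a TRUE/FALSE oracle."""
    return sorted(key for key, times in parse(log_text).items() if is_bimodal(times))

if __name__ == "__main__":
    for client, path in suspicious_sources(SAMPLE_LOG):
        print(f"review {client} -> {path}: two-level response times")
```

A hit is a prompt to review the endpoint's query construction and the matching database statements, not proof of injection; legitimately slow requests such as cache misses can also produce two timing levels.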