Time based blind SQL Injection
Yesterday I got an email from Chema Alonso telling me about his recent paper "Time-Based Blind SQL Injection with Heavy Queries". This is an excellent summary paper of the technique. It includes an example of how to write heavy (read: badly performing) queries and then control the execution of the badly performing part to test whether a value (any value) in the database is above or below a chosen value, using a Newton-Raphson-like technique. The idea is that, depending on whether the condition on the value is TRUE or FALSE, the query takes either a long time or a short time to run, so the value can be arrived at from the time the query takes. This enables SQL injection to be used where the data is not returned to the hacker, but he can control the query sent and also observe the time taken for the query to respond. Nice paper.
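The defender's side of the timing oracle described above, added here as an example (it is not code from the paper or from this post): a small detector that reads web-server log lines carrying a response time, groups requests whose parameter values look like SQL by endpoint and parameter name, and flags any parameter whose response times split into a fast cluster and a slow cluster, which is exactly the signal a time-based blind probe leaves behind. The log format, the endpoint names and the sample lines are all constructed for this illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log: "<timestamp> <method> <url> <status> <duration_ms>".
# The duration column is the key: heavy-query probes alternate between
# ~10 ms (condition false) and several seconds (condition true).
SAMPLE_LOG = """\
2007-10-16T10:16:01 GET /item.php?id=5 200 14
2007-10-16T10:16:02 GET /item.php?id=7 200 12
2007-10-16T10:16:03 GET /search.php?q=oracle+and+sql 200 40
2007-10-16T10:16:04 GET /item.php?id=5%20AND%20(SELECT%20count(*)%20FROM%20t1%2Ct2)%3E0 200 8400
2007-10-16T10:16:13 GET /item.php?id=5%20AND%20(SELECT%20count(*)%20FROM%20t1%2Ct2)%3E0 200 8150
2007-10-16T10:16:22 GET /item.php?id=5%20AND%20(SELECT%20count(*)%20FROM%20t1%2Ct2)%3E0 200 16
2007-10-16T10:16:23 GET /item.php?id=5%20AND%20(SELECT%20count(*)%20FROM%20t1%2Ct2)%3E0 200 8300
2007-10-16T10:16:32 GET /item.php?id=5%20AND%20(SELECT%20count(*)%20FROM%20t1%2Ct2)%3E0 200 15
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) (?P<ms>\d+)$")
# Tokens that rarely belong in a legitimate id or search value.
SQL_HINT = re.compile(r"(?i)(\bselect\b|\bunion\b|\bcase\b|\bwhen\b|\bbenchmark\b|\bsleep\b|\bwaitfor\b|\band\b|\bor\b|'|--)")


def parse_line(line):
    """Return (path, [(param, value), ...], duration_ms) or None for an unparsable line."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m["url"])
    # parse_qsl percent-decodes the values, so the regex sees the real SQL text.
    return parts.path, parse_qsl(parts.query, keep_blank_values=True), int(m["ms"])


def find_timing_oracles(lines, slow_ms=1000, min_samples=4):
    """Map (path, param) -> (fast_count, slow_count) for parameters that carry
    SQL-looking values AND whose response times are bimodal: some requests well
    under slow_ms, some well over it. A parameter that is always slow is just a
    slow page; only the fast/slow alternation indicates a timing oracle in use."""
    buckets = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        path, params, ms = parsed
        for name, value in params:
            if SQL_HINT.search(value):
                buckets[(path, name)].append(ms)
    suspects = {}
    for key, times in buckets.items():
        if len(times) < min_samples:  # too few probes to call it a pattern
            continue
        slow = sum(t >= slow_ms for t in times)
        fast = len(times) - slow
        if slow and fast:
            suspects[key] = (fast, slow)
    return suspects


if __name__ == "__main__":
    for (path, param), (fast, slow) in find_timing_oracles(SAMPLE_LOG.splitlines()).items():
        print(f"{path} param '{param}': {fast} fast / {slow} slow SQL-looking requests")
```

The benign search for "oracle and sql" matches the token filter but is never flagged: it appears once (below min_samples) and is fast every time, so there is no fast/slow split to report.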
Pete on 10.16.07 @ 10:16 AM GMT