Damon Cortesi's blog

Musings of an entrepreneur.

Blind SQL Haxoring

| Comments

I’ve been playing with 0x90’s Absinthe quite a bit lately and while it’s an amazing tool, I’m a little disappointed in some of the methods it uses to gather database information. According to the presentation given at BlackHat in ‘04, table id’s are gathered first and then the table names are gathered using that information. The same is done with fields. Through my usage, I’ve noticed two things wrong with this approach, at least in terms of speed.

First, although I’m not completely sure of the size of the id field, it can be quite large…at least 10 digits…and can range in value to any number that will fit in those 10 digits (or a signed 32-bit integer if you want to get technical…). However, every single time Absinthe tries to identify the id, the search_value (see pdf) is initialized at 2 and increases exponentially. This becomes an increasingly expensive operation as the id value becomes larger and larger. Why not sort the id’s in the SQL query and then initialize search_value with the previously identified id? It seems to me that would save quite a few queries, especially when blind SQL injection is quite the expensive operation in the first place.

Second, querying for the id’s isn’t quite necessary. I’ve had Absinthe running for over 24 hours straight and it’s still querying for id’s. In approximately that same amount of time, although not contiguous, I’ve been able to code up some perl to pull the database structure without any use of id’s. Granted it uses inner joins, which can also be somewhat expensive, but I get much more immediate results. Gotta love immediate gratification. :-)

Well enough of that…time to hit up the town!