Vulnerable Application
I will demonstrate a time-based SQL injection issue on a vulnerable application called
Peruggia 1.2, which is part of the OWASP Broken Web Applications Project live CD. The
application looks like this:
Ethical Hacking and Penetration Testing Guide
Testing for Time-Based SQL Injection
We are going to use the sleep() function, as I am up against a MySQL server. We will use the
wget command to download the web page and compare the responses.
wget "http://192.168.75.147/peruggia/index.php?action=comment&pic_id=1"
Syntax [with time delay]
wget "http://192.168.75.147/peruggia/index.php?action=comment&pic_id=1 and sleep(5)"
From this screenshot, you can see that we have made two requests to the application: the first
without inducing a delay and the second inducing a delay of 5 s. In the first request, there is
no delay in the response. The page was requested at “14:16:00” and the download was
completed at the same time.
In the second request, however, there is a delay of 5 s. The page was requested
at “14:16:25” and the response time was “14:16:30,” which proves a delay of 5 s.
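The same 5 s gap is visible from the defender's side in the web server's access log. The following is an added example, not code from the book: it scans log lines for a sleep(N) call in the decoded query string and checks whether the logged response time is at least N seconds, which separates probes from injections that actually executed. The log format (Apache with %D appended), the sample lines, and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Assumed Apache LogFormat: %h %l %u %t "%r" %>s %b %D  (%D = time taken, microseconds)
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ (?P<usec>\d+)$'
)
# MySQL sleep(N) as used on this page; requires the parenthesis so plain words do not match
SLEEP_RE = re.compile(r'\bsleep\s*\(\s*(\d+(?:\.\d+)?)\s*\)', re.IGNORECASE)

# Constructed sample log lines (date, client IP, sizes and timings are made up)
SAMPLE_LOG = """\
192.168.75.1 - - [01/Jan/2024:14:16:00 +0000] "GET /peruggia/index.php?action=comment&pic_id=1 HTTP/1.1" 200 3120 41873
192.168.75.1 - - [01/Jan/2024:14:16:25 +0000] "GET /peruggia/index.php?action=comment&pic_id=1%20and%20sleep(5) HTTP/1.1" 200 3120 5043310
192.168.75.1 - - [01/Jan/2024:14:17:02 +0000] "GET /peruggia/index.php?action=comment&pic_id=2%20AND%20SLEEP%285%29 HTTP/1.1" 200 3120 39011
192.168.75.1 - - [01/Jan/2024:14:17:40 +0000] "GET /peruggia/index.php?action=search&q=sleep+apnea HTTP/1.1" 200 2210 38500
"""

def classify(line):
    """Return a finding dict for a log line carrying sleep(N), else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Decode %XX and '+' once, as the server does, so encoded payloads are visible
    query = unquote_plus(urlsplit(m["target"]).query)
    hit = SLEEP_RE.search(query)
    if not hit:
        return None
    requested = float(hit.group(1))
    elapsed = int(m["usec"]) / 1_000_000
    # A response at least as slow as the requested delay means the SQL ran
    executed = requested > 0 and elapsed >= requested
    return {
        "ts": m["ts"],
        "ip": m["ip"],
        "query": query,
        "requested_s": requested,
        "elapsed_s": elapsed,
        "verdict": "delay-executed" if executed else "attempt-only",
    }

def scan(log_text):
    return [f for f in map(classify, log_text.splitlines()) if f]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f'{f["ts"]} {f["ip"]} {f["verdict"]} {f["elapsed_s"]:.2f}s {f["query"]}')
```

A "delay-executed" finding means the parameter is injectable and should be fixed with a parameterized query; "attempt-only" lines are still worth tracing to the client that sent them.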
Enumerating the DB User
Next, we will enumerate the database user. We need to enumerate one character at a time,
just as we did with blind SQL injection. The syntax is almost the same as what we used for
Boolean-based SQL injection; however, there is an additional “if” clause and a sleep query. So the
following queries simply ask the database if the first character of the db_user is equal to “a” or
“p”, and to delay the response for 5 s.
Web Hacking