SQL Injection Attacks and Defense - 2009

Blind SQL Injection Exploitation • Chapter 5 259
■■
■■
■■
■■
■■
URL: www.0x90.org/releases/absinthe/
Requirements: Windows/Linux/Mac (.NET Framework or Mono)
Scenario: Generic error page, controlled output
Supported databases: Oracle, PostgreSQL, SQL Server, and Sybase
Methods: Inference response-based binary search; classic errors
Absinthe provides a handy GUI that enables an attacker to extract the full contents of
a database; in addition, it contains enough configuration options to satisfy most injection
scenarios and can utilize both classic error methods and response-based inference methods
for data extraction. The response string that differentiates between two inference states
must be easy for Absinthe to identify. One drawback to the tool is that the user cannot
provide a customized signature for TRUE or FALSE states. Instead, the tool attempts to
perform a diff on a TRUE and FALSE request, and this causes the tool to fail in cases
where the page includes other data not influenced by the inference question. One example
is in search pages that echo the search string back in the response. If two separate but
equivalent inference exploits are provided, the two responses will each contain a unique
search string rendering the diff meaningless. There is a tolerance you can fiddle with, but
this is not as efficient as providing signatures.
Figure 5.11 shows the main Absinthe screen. First, you select the injection type, either
Blind Injection or Error Based, and then choose the database from a list of supported
plug-ins. Enter the Target URL along with whether the request is formatted as a POST or
a GET. Finally, enter in the Name textbox each parameter that should be contained in the
request, along with a Default Value. If the parameter is susceptible to SQL injection, select
the Injectable Parameter check box; also, select the Treat Value as String check box if
the parameter is of type string in the SQL query. Do not forget to add in all parameters
needed for the vulnerable page to process the request; this includes hidden fields such as
__VIEWSTATE on .NET pages.
Once the configuration is complete, click Initialize Injection. This sends a bunch of
test requests to determine the response difference on which the inference will be based.
If no errors are reported, click the DB Schema tab, which displays two active buttons:
Retrieve Username and Load Table Info. The first button will retrieve and display the
database login used by the vulnerable page and the second button will retrieve a list of userdefined
tables from the current database. Once table information has been loaded, click a
table name in the tree view of database objects and then click Load Field Info, which will
retrieve a list of all column names in the selected table. As soon as that has completed, click
the Download Records tab, provide an output filename in the Filename textbox, select
the columns you wish to retrieve by clicking the column name and then clicking Add,
and finally click Download Fields to XML. This will dump the selected columns to the
output file, producing an XML document containing all rows from the selected columns in
the target table.