The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws


Using Time Delays

Despite all of the sophisticated techniques already described, there may yet be situations in which none of these tricks are effective. In some cases, you may be able to inject a query that returns no results to the browser, cannot be used to open an out-of-band channel, and that has no effect on the application's behavior, even if it induces an error within the database itself.

In this situation, all is not lost, thanks to a technique invented by Chris Anley and Sherief Hammad of NGSSoftware. They devised a way of crafting a query that would cause a time delay, contingent upon some condition specified by the attacker. The attacker can submit his query, and then monitor the time taken for the server to respond. If a delay occurs, then the attacker may infer that the condition is true. Even if the actual content of the application's response is identical in the two cases, the presence or absence of a time delay enables the attacker to extract a single bit of information from the database. By performing numerous such queries, the attacker can systematically retrieve arbitrarily complex data from the database, one bit at a time.

The precise means of inducing a suitable time delay depends upon the target database being used. MS-SQL contains a built-in WAITFOR command, which can be used to cause a specified time delay. For example, the following query will cause a time delay of 5 seconds if the current database user is sa:

    if (select user) = 'sa' waitfor delay '0:0:5'
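Because the response body is identical whether the condition is true or false, this technique leaves its trace in response timing rather than content. The following is an added example (not from the book) of detection logic that a defender can run over access logs: it flags requests whose decoded query string carries a delay primitive such as WAITFOR, and, independently, client/endpoint pairs whose response times split into a fast baseline plus a tight cluster sitting a fixed delay above it, which is the signature the 5-second probe above leaves even when the payload itself is not logged. The log lines, format and thresholds are constructed assumptions.

```python
import re
import statistics
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed log (not from the book), format "%h %t \"%r\" %>s %D" with the
# response time in microseconds last. 198.51.100.7 sends the book's WAITFOR probe,
# 203.0.113.9 shows only a repeating ~5 s delay, 192.0.2.5 hits an always-slow page.
SAMPLE_LOG = """\
198.51.100.7 [01/Jan/2022:10:00:01 +0000] "GET /search?id=5 HTTP/1.1" 200 48213
198.51.100.7 [01/Jan/2022:10:00:03 +0000] "GET /search?id=5%27%3B+if+(select+user)%3D%27sa%27+waitfor+delay+%270%3A0%3A5%27-- HTTP/1.1" 200 5051877
203.0.113.9 [01/Jan/2022:10:01:00 +0000] "GET /item?id=1 HTTP/1.1" 200 41002
203.0.113.9 [01/Jan/2022:10:01:02 +0000] "GET /item?id=2 HTTP/1.1" 200 5020113
203.0.113.9 [01/Jan/2022:10:01:08 +0000] "GET /item?id=3 HTTP/1.1" 200 5031000
203.0.113.9 [01/Jan/2022:10:01:14 +0000] "GET /item?id=4 HTTP/1.1" 200 50877
203.0.113.9 [01/Jan/2022:10:01:15 +0000] "GET /item?id=5 HTTP/1.1" 200 5012345
203.0.113.9 [01/Jan/2022:10:01:21 +0000] "GET /item?id=6 HTTP/1.1" 200 5040500
192.0.2.5 [01/Jan/2022:10:02:00 +0000] "GET /report HTTP/1.1" 200 4901000
192.0.2.5 [01/Jan/2022:10:02:10 +0000] "GET /report HTTP/1.1" 200 5100500
"""
LINE_RE = re.compile(r'^(\S+) \[[^\]]+\] "\S+ (\S+) [^"]+" \d{3} (\d+)$')
DELAY_TOKENS = ("waitfor delay", "sleep(", "pg_sleep(", "benchmark(")  # DBMS delay primitives

def parse(log_text):
    """One dict per line: client, path, decoded lower-cased query, seconds."""
    rows = []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        client, target, micros = m.groups()
        path, _, query = target.partition("?")
        rows.append({"client": client, "path": path, "query": unquote_plus(query).lower(),
                     "seconds": int(micros) / 1_000_000})
    return rows

def signature_hits(rows):
    """Requests whose decoded query string carries a time-delay primitive."""
    return [r for r in rows if any(t in r["query"] for t in DELAY_TOKENS)]

def timing_hits(rows, min_delay=3.0, min_slow=3, max_spread=0.5):
    """(client, path) -> number of responses clustered a fixed delay above that pair's
    fastest response; a payload in a POST body never reaches the log, but its delay does."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["client"], r["path"])].append(r["seconds"])
    flagged = {}
    for key, secs in groups.items():
        slow = [s for s in secs if s - min(secs) >= min_delay]
        if len(slow) >= min_slow and statistics.pstdev(slow) <= max_spread:
            flagged[key] = len(slow)
    return flagged
```

The always-slow /report page is not flagged because every response is slow relative to its own baseline; only the alternation between a fast baseline and a repeated fixed delay is treated as suspicious.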
