CAPEC-7

Blind SQL Injection
HIGH
HIGH
Draft
2014-06-23 00:00 +00:00
2022-09-29 00:00 +00:00

Alerte pour un CAPEC

Stay informed of any changes for a specific CAPEC.
Alert management

Description

Blind SQL Injection results from an insufficient mitigation for SQL Injection. Although suppressing database error messages are considered best practice, the suppression alone is not sufficient to prevent SQL Injection. Blind SQL Injection is a form of SQL Injection that overcomes the lack of error messages. Without the error messages that facilitate SQL Injection, the adversary constructs input strings that probe the target through simple Boolean SQL expressions. The adversary can determine if the syntax and structure of the injection was successful based on whether the query was executed or not. Applied iteratively, the adversary determines how and where the target is vulnerable to SQL Injection.

Informations

Execution Flow

1) Explore

[Hypothesize SQL queries in application]

Generated hypotheses regarding the SQL queries in an application. For example, the adversary may hypothesize that their input is passed directly into a query that looks like:

"SELECT * FROM orders WHERE ordernum = _____"
or
"SELECT * FROM orders WHERE ordernum IN (_____)"
or
"SELECT * FROM orders WHERE ordernum in (_____) ORDER BY _____"

Of course, there are many other possibilities.

Technique
  • Research types of SQL queries and determine which ones could be used at various places in an application.

2) Explore

[Determine how to inject information into the queries]

Determine how to inject information into the queries from the previous step such that the injection does not impact their logic. For example, the following are possible injections for those queries:

"5' OR 1=1; --"
and
"5) OR 1=1; --"
and
"ordernum DESC; --"

Technique
  • Add clauses to the SQL queries such that the query logic does not change.
  • Add delays to the SQL queries in case server does not provide clear error messages (e.g. WAITFOR DELAY '0:0:10' in SQL Server or BENCHMARK(1000000000,MD5(1) in MySQL). If these can be injected into the queries, then the length of time that the server takes to respond reveals whether the query is injectable or not.

3) Experiment

[Determine user-controllable input susceptible to injection] Determine the user-controllable input susceptible to injection. For each user-controllable input that the adversary suspects is vulnerable to SQL injection, attempt to inject the values determined in the previous step. If an error does not occur, then the adversary knows that the SQL injection was successful.

Technique
  • Use web browser to inject input through text fields or through HTTP GET parameters.
  • Use a web application debugging tool such as Tamper Data, TamperIE, WebScarab,etc. to modify HTTP POST parameters, hidden fields, non-freeform fields, etc.
  • Use network-level packet injection tools such as netcat to inject input
  • Use modified client (modified by reverse engineering) to inject input.

4) Experiment

[Determine database type] Determines the type of the database, such as MS SQL Server or Oracle or MySQL, using logical conditions as part of the injected queries

Technique
  • Try injecting a string containing char(0x31)=char(0x31) (this evaluates to 1=1 in SQL Server only)
  • Try injecting a string containing 0x313D31 (this evaluates to 1=1 in MySQL only)
  • Inject other database-specific commands into input fields susceptible to SQL Injection. The adversary can determine the type of database that is running by checking whether the query executed successfully or not (i.e. whether the adversary received a normal response from the server or not).

5) Exploit

[Extract information about database schema] Extract information about database schema by getting the database to answer yes/no questions about the schema.

Technique
  • Automatically extract database schema using a tool such as Absinthe.
  • Manually perform the blind SQL Injection to extract desired information about the database schema.

6) Exploit

[Exploit SQL Injection vulnerability] Use the information obtained in the previous steps to successfully inject the database in order to bypass checks or modify, add, retrieve or delete data from the database

Technique
  • Use information about how to inject commands into SQL queries as well as information about the database schema to execute attacks such as dropping tables, inserting records, etc.

Prerequisites

SQL queries used by the application to store, retrieve or modify data.
User-controllable input that is not properly validated by the application as part of SQL queries.

Skills Required

Determining the database type and version, as well as the right number and type of parameters to the query being injected in the absence of error messages requires greater skill than reverse-engineering database error messages.

Resources Required

None: No specialized resources are required to execute this type of attack.

Mitigations

Security by Obscurity is not a solution to preventing SQL Injection. Rather than suppress error messages and exceptions, the application must handle them gracefully, returning either a custom error page or redirecting the user to a default page, without revealing any information about the database or the application internals.
Strong input validation - All user-controllable input must be validated and filtered for illegal characters as well as SQL content. Keywords such as UNION, SELECT or INSERT must be filtered in addition to characters such as a single-quote(') or SQL-comments (--) based on the context in which they appear.

Related Weaknesses

CWE-ID Weakness Name
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-209 Generation of Error Message Containing Sensitive Information
The product generates an error message that includes sensitive information about its environment, users, or associated data.
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-697 Incorrect Comparison
The product compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.
CWE-707 Improper Neutralization
The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.

Submission

Name Organization Date Date Release
CAPEC Content Team The MITRE Corporation 2014-06-23 +00:00

Modifications

Name Organization Date Comment
CAPEC Content Team The MITRE Corporation 2017-01-09 +00:00 Updated Related_Attack_Patterns
CAPEC Content Team The MITRE Corporation 2017-08-04 +00:00 Updated Attack_Phases, Description, Description Summary, Examples-Instances, Payload_Activation_Impact, Resources_Required
CAPEC Content Team The MITRE Corporation 2018-07-31 +00:00 Updated References, Related_Weaknesses
CAPEC Content Team The MITRE Corporation 2020-07-30 +00:00 Updated Execution_Flow
CAPEC Content Team The MITRE Corporation 2020-12-17 +00:00 Updated Taxonomy_Mappings
CAPEC Content Team The MITRE Corporation 2021-06-24 +00:00 Updated Related_Weaknesses
CAPEC Content Team The MITRE Corporation 2022-09-29 +00:00 Updated Example_Instances, Execution_Flow
Click on the button to the left (OFF), to authorize the inscription of cookie improving the functionalities of the site. Click on the button to the left (Accept all), to unauthorize the inscription of cookie improving the functionalities of the site.