[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] SFX-SQLi: A new SQL injection technique for SQL Server (dumps a table in one request!)



Dear Paul:

Thanks for your comments. And yes, I think you are 100% right. The SFX-SQLi 
"injection technique/method" (is there a better name for it?) will not help 
you to extract more data than other existing techniques.

The XMLSCHEMA option is only an alternative way to get the column names 
(instead of using SYSOBJECTS, for instance). Maybe it can also bypass some 
basic filters (e.g. there is no need to use the WHERE clause), but this is 
secondary...

The main difference is this:
- Time-based SQL injection:  1 request -> 1/2 char using Deep Blind (but 
very slowly)
- Blind SQL injection:  1 request -> 1/7 char
- Union / error-based SQL injection:  1 request -> 1 field
- SFX-SQL injection:  1 request -> 1 table

So yes, this technique will extract the same data, but thousands of times 
faster than other methods.

Regards,
  Daniel Kachakil
--------------------------------------------------
From: "Paul Schmehl" <pschmehl_lists@xxxxxxxxx>
Sent: Sunday, February 08, 2009 5:10 AM
To: <full-disclosure@xxxxxxxxxxxxxxxxx>
Cc: "Daniel Kachakil" <dani@xxxxxxxxxxxx>
Subject: Re: [Full-disclosure] SFX-SQLi: A new SQL injection technique for 
SQL     Server (dumps a table in one request!)

> --On February 7, 2009 10:02:21 AM -0600 Daniel Kachakil 
> <dani@xxxxxxxxxxxx> wrote:
>>
>> I have written a paper describing how the technique works and in which
>> fundamentals it is based, and I have also developed a tool which
>> implements
>> this technique as a proof of concept (with the source code included).
>>
>> You can get them through this URL:
>>
>> http://www.kachakil.com/papers/SFX-SQLi-en.htm
>
> Having read your paper, I'm a bit confused about what you think the "new 
> SQL injection technique" is that you've discovered.  I understand you have 
> determined a way to *extract* data in a more compact and efficient format, 
> but I didn't see any new *injection* technique.  IOW, the FOR XML 
> construct isn't going to assist you in obtaining the data - only in 
> obtaining it more efficiently.
>
> Did I miss something?
>
> Paul Schmehl, If it isn't already
> obvious, my opinions are my own
> and not those of my employer.
> ******************************************
> WARNING: Check the headers before replying
> 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/