lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Thu, 28 Aug 2008 18:52:16 +0200
From: Haroon Meer <haroon@...sepost.com>
To: nummish <nummish@...0.org>
Cc: Full Disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Deep Blind SQL Injection Whitepaper

Hi nummish..

* On 28/08/2008, [at 11:36:23 -0500] nummish [nummish@...0.org] seemed to say:
>Sorry to resurrect a 9 day old thread here...
>It's an interesting concept, but like all timing based attacks, won't
>the digits be more susceptible to noise due to possible network
>latency? Even with two queries, there is still a large volume of
>requests getting made, and one little bump can invalidate the
>information you are pulling out.

We bumped into the same problem when we took the ordinal(char) approach.
A small hiccup on the line easily makes an A an E

The bit by bit approach we use
(http://www.sensepost.com/research/squeeza/) makes this problem much
easier to deal with.. i.e. we once had an insanely bad connection to a
box and upp'ed the delay per bit to 14 seconds.. i.e, 14 secs == 1, 0 ==
0. The analyst aged a few years while waiting for the output he needed,
but you can be fairly confident of the integrity of the data.

(its why squeeza happlily does a transfer of binary files from the
server using just timing (and patience))

/mh
 
Ps.. checkout the paper on the same page for snippets of the sql we are
using..
-- 
Haroon Meer, SensePost Information Security  |                                                              
http://www.sensepost.com/blog/                                                                              
PGP: http://www.sensepost.com/pgp/haroon.txt |  Tel: +27 83786 6637 

Content of type "application/pgp-signature" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ