Auditing an Oracle database for security issues is very important. provides all of the information and tools that you will need Click here for details of Limited's detailed Oracle database security audit service Click here for details of Limited's Oracle Security Training Courses
There are 43 visitors online    
Cookie Policy:We only use essential cookies on small sections of this website. For details see here.

Pete Finnigan's Oracle security weblog

Home » Archives » October 2007 » Nice paper on time based blind SQL

[Previous entry: "Creating a SYSDBA backdoor"] [Next entry: "October 2007 Critical Patch Update (CPU) is out"]

Nice paper on time based blind SQL

October 16th, 2007 by Pete

Yesterday I got an email from Chema Alonso who told me about his recent paper titled "Time-Based Blind SQL Injection with Heavy Queries" which explores the techniques of blind SQL Injection using time based delays to infer values in the database that cannot be read directly. This technique uses heavy queries (using anti-tuning technques) that deliberatley take a long time to run when a value in the where clause turns out to be TRUE or FALSE. The technique can also use packages such as xp_cmdshell in SQL Server or DBMS_LOCK in Oracle to cause a specific delay. In this way the hacker doesn't need to see any data coming back but simply needs to see the response time of the query. The paper looks at a technique of creating badly performing queries that execute por not based on a value (any value) in the database. This way a "newton raphson" like technique can be used to home in on the value sought based on whether the query takes a long time or runs quickly.

This is a nice paper summarising the technqiues.

October 2007

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

Weblog Home
Weblog Archives

Oracle Security Tools page
Oracle security papers
Oracle Security alerts

Web Development
SQL Server Security

Atom 0.3 FEED
Powered by gm-rss 2.0.0

Valid XHTML 1.0!