SQL Injection Inference Attacks
Understanding the fundamentals of inference attacks
The inference technique is the pillar of blind SQL injection and is used in many advanced attacks. It allows an attacker to test for vulnerabilities and even extract information when no data is returned to the end user. Mastering its fundamentals will also help you understand advanced attack vectors such as time-based SQL injection and data extraction through binary operations.
What Is an Inference Attack?
Basically, an inference attack is an SQL injection containing a conditional construct. It uses specific instructions (time delay, errors, etc.) to trigger noticeable database behavior depending on which branch of the condition was executed. This allows the attacker to deduce (infer) whether the tested expression was true or false even when no data is returned to the end user. This is better explained with an example.
Example
The example below shows an error-based SQL injection (a variant of the inference attack). When the stacked condition is executed by the database engine, it checks whether the current user is the system administrator (sa). If the condition is true, the statement forces the database to throw an error by executing a division by zero. Otherwise, a valid instruction is executed.
Malicious parameter (inference attack on SQL Server).
1; IF SYSTEM_USER='sa' SELECT 1/0 ELSE SELECT 5
Query generated (two possible outcomes for the injected IF).
SELECT name, email FROM members WHERE id=1; IF SYSTEM_USER='sa' SELECT 1/0 ELSE SELECT 5
As you can guess, the attacker will be able to conclude that the database is running as the system administrator user if a database error comes back. Notice that the last part of the condition could be removed, since the branch created by the ELSE instruction is not necessary: the presence or absence of the error alone tells the two outcomes apart.
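The following is an added example, not code from the original page; it uses Python's built-in sqlite3 module as a stand-in for the SQL Server setup described above (the constructed members table, the function names and the use of sqlite3 are all assumptions). It contrasts the string concatenation that produces the query shown above with a parameterized version: with binding, the payload is compared to the id column as an opaque value and never reaches the engine as SQL, so there is no conditional branch for an error to reveal.

```python
import sqlite3

# Payload quoted in the text above, used here purely as test input.
PAYLOAD = "1; IF SYSTEM_USER='sa' SELECT 1/0 ELSE SELECT 5"


def open_members_db():
    """Constructed in-memory stand-in for the application's members table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.execute("INSERT INTO members VALUES (1, 'alice', 'alice@example.com')")
    conn.commit()
    return conn


def build_query_unsafe(user_id):
    """String concatenation: the parameter becomes SQL text, so a ';' starts a second
    statement and the attacker's IF is handed to the engine as code."""
    return f"SELECT name, email FROM members WHERE id={user_id}"


def lookup_unsafe(conn, user_id):
    """Runs the concatenated text. Returns the rows, or ('error', <exception name>)."""
    try:
        return conn.execute(build_query_unsafe(user_id)).fetchall()
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return ("error", type(exc).__name__)


def lookup_safe(conn, user_id):
    """Parameter binding: the whole value is compared against id and is never parsed
    as SQL, so neither an error nor a delay can depend on what the value contains."""
    return conn.execute("SELECT name, email FROM members WHERE id=?", (user_id,)).fetchall()


if __name__ == "__main__":
    db = open_members_db()
    print(build_query_unsafe(PAYLOAD))   # the stacked query from the text above
    print(lookup_unsafe(db, PAYLOAD))    # this driver refuses a second statement
    print(lookup_safe(db, PAYLOAD))      # no row has that id: []
    print(lookup_safe(db, "1"))          # [('alice', 'alice@example.com')]
```

Two layers show up here. Python's sqlite3 executes only one statement per execute() call and raises on the stacked text, a driver-level control that not every client library offers; parameter binding is the control that works regardless of driver or DBMS, which is why the safe lookup returns an empty result for the payload rather than an error the attacker could read as a signal.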
Conditional Structures
As mentioned earlier, inference attacks rely on conditional structures. Even though the syntax is similar from one DBMS to another, there are subtle differences. The reference table below shows how to integrate conditional constructs for each database management system.
DBMS | Condition syntax | Notes
--- | --- | ---
MySQL | IF(condition, when_true, when_false) | Valid in any SQL statement. In stored procedures the syntax is identical to Oracle's. More info here.
MySQL | CASE expression WHEN value THEN instruction [WHEN value THEN instruction] [ELSE instruction] END CASE | Only valid in stored procedures. This is the minimal syntax; a more complete one can be found here.
SQL Server | IF condition when_true [ELSE when_false] | Can only be used in stored procedures or in an independent stacked query. More info here.
SQL Server | CASE expression WHEN value THEN instruction [WHEN value THEN instruction] [ELSE instruction] END | Can only be used in stored procedures. A more complete syntax can also be found here.
Oracle | IF condition THEN when_true [ELSE when_false] END IF | Can only be used in PL/SQL. More information can be found here.
Oracle | CASE [expression] WHEN value THEN instruction [WHEN value THEN instruction] [ELSE result] END | Can only be used in PL/SQL. More information and the complete syntax here.
A clear distinction must be made about how those instructions can be integrated into queries. Oracle requires a vulnerability in a PL/SQL block, since there is no other way to get the conditional structure executed. The other DBMSs support the injection of conditions in stored procedures too, but they also give the attacker more flexibility. For example, injecting a new (stacked) query in SQL Server allows the condition to be executed. MySQL makes it even easier by providing an IF() function which can be integrated into any query (or WHERE clause).
Data Extraction
By combining inference attacks with bit operations, it is possible to extract almost any information from the database one bit at a time. This principle relies on the fact that an inference attack lets the attacker learn the state of one bit of data. With some specific functions, it is possible to identify precisely which bit is being tested. In other words, any bit of any string or number contained in the database can be tested. This technique is explained in detail in the section about data extraction through binary operations.
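The following is an added example, not code from the original page, written from the detection side for both the conditional-structure table and the data-extraction section above. It scans constructed access-log lines (the IP addresses, timestamps, paths and the log format are all assumptions) for the conditional constructs listed in the table and for the stacked-statement separator, records the HTTP status so that a 500 on such a request stands out as the error oracle firing, and counts flagged requests per client, because one-bit-per-request extraction shows up as a burst of such requests from a single source.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, unquote_plus

# One regex per conditional construct listed in the reference table.
# Dialect names are hints only: the same text can satisfy more than one pattern.
CONDITIONAL_PATTERNS = {
    "mysql_if_function": re.compile(r"\bIF\s*\(", re.I),
    "sqlserver_if": re.compile(r"\bIF\s+(?!\().+?\b(?:ELSE|SELECT)\b", re.I | re.S),
    "case_when": re.compile(r"\bCASE\b.+?\bWHEN\b.+?\bTHEN\b.+?\bEND\b", re.I | re.S),
    "oracle_if_then": re.compile(r"\bIF\b.+?\bTHEN\b.+?\bEND\s+IF\b", re.I | re.S),
}
# A statement separator followed by more text: the stacked-query precondition
# that SQL Server's IF needs when it is not inside a stored procedure.
STACKED_QUERY = re.compile(r";\s*\S")

# Combined-format access log line (assumed format), e.g.
# '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /members?id=1 HTTP/1.1" 200 512'
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def classify(value):
    """Names of the conditional constructs found in one decoded parameter value."""
    return [name for name, pat in CONDITIONAL_PATTERNS.items() if pat.search(value)]


def is_stacked(value):
    return STACKED_QUERY.search(value) is not None


def query_params(target):
    """Decoded (name, value) pairs from a request target; '&' is the only separator."""
    for pair in urlsplit(target).query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            yield unquote_plus(name), unquote_plus(value)


def scan_log(lines):
    """One alert per parameter value carrying a conditional construct or a stacked
    statement. The status is kept: a 500 on such a request is the oracle firing."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        for name, value in query_params(m.group("target")):
            constructs = classify(value)
            stacked = is_stacked(value)
            if constructs or stacked:
                alerts.append({
                    "client": m.group("client"),
                    "param": name,
                    "constructs": constructs,
                    "stacked": stacked,
                    "status": int(m.group("status")),
                })
    return alerts


def flagged_per_client(alerts):
    """Bit-at-a-time extraction costs one request per bit, so a single client
    accumulating many flagged requests is the signal to watch for."""
    return Counter(a["client"] for a in alerts)


# Constructed sample log: one benign lookup, three probes repeating the SQL Server
# payload from the text above, one probe using MySQL's IF() function with a trivial
# condition, and a benign search term that merely contains the word "if".
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /members?id=1 HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /members?id=1;%20IF%20SYSTEM_USER%3D%27sa%27%20SELECT%201/0%20ELSE%20SELECT%205 HTTP/1.1" 500 0',
    '203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /members?id=1;%20IF%20SYSTEM_USER%3D%27sa%27%20SELECT%201/0%20ELSE%20SELECT%205 HTTP/1.1" 500 0',
    '203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /members?id=1;%20IF%20SYSTEM_USER%3D%27sa%27%20SELECT%201/0%20ELSE%20SELECT%205 HTTP/1.1" 500 0',
    '198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "GET /members?id=1%20AND%20IF(1%3D1,1,0) HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/Oct/2023:13:56:30 +0000] "GET /search?q=what+if+it+rains HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print(flagged_per_client(found))
```

The word-boundary and lookahead in the patterns keep ordinary English containing "if" or "case" out of the alerts, but the dialect labels are only hints: a PL/SQL IF with an ELSE branch satisfies both the Oracle and the SQL Server pattern. Treat the stacked flag together with a 500 status as the strongest single indicator, and the per-client count as the indicator of extraction in progress.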
More Information
If you want more examples and more information about inference SQL injection, take a look at the section about blind attacks.