SQL Injection Inference Attacks

Understanding the fundamentals inference attacks

Inference technique is the pillar of blind SQL injection and it is used in many advanced attacks. It allows testing for vulnerabilities and even extract information when no data is returned to the end user. Moreover, mastering its fundamentals will greatly help you understanding advanced attack vectors such as time-based SQL injection and data extraction through binary operations.

What Is an Inference Attack?

Basically, an inference attack is an SQL injection containing a conditional construct. It uses specific instructions (time delay, errors, etc.) to trigger noticeable database behavior depending which branch of the condition was executed. This will allow the attacker to deduct (infer) if the tested expression was true or false even if no data is returned to the end user. This is better explained with an example.

Example

The example below shows an error-based SQL injection (a derivate of inference attack). When the stacked condition is executed by the database engine, it verifies if the current user is the system administrator (sa). If the condition is true, the statement forces the database to throw an error by executing a division by zero. Otherwize, a valid instruction is executed.

Malicious parameter (inference attack on SQL Server).

1; IF SYSTEM_USER='sa' SELECT 1/0 ELSE SELECT 5

Query generated (two possible outcomes for the injected IF).

SELECT name, email FROM members WHERE id=1; IF SYSTEM_USER='sa' SELECT 1/0 ELSE SELECT 5

As you can guess, the attacker will be able to conclude the database is run by the system administrator user if he sees a database error. Notice that the last part of the condition could be removed since the branch created by the ELSE instruction is not necessary.

Conditional Structures

As mentionned earlier, inference attacks rely on conditional structures. Even though the syntax is similar from a DBMS to another, there are subtle differences. The reference table below shows how to integrate conditional construct for each database management system.

DBMS	Condition syntax	Notes
MySQL	IF(condition, when_true, when_false)	Valid in any SQL statement. In stored procedures the syntax is identic to Oracle's. More info here.
MySQL	CASE expression WHEN value THEN instruction [WHEN value THEN instruction] [ELSE instruction] END CASE	Only valid in stored procedures. This is the minimal syntax, a more complete one can be found here.
SQL Server	IF condition when_true [ELSE when_false]	Can only be used in stored procedures or in an independent stacked query. More info here.
SQL Server	CASE expression WHEN value THEN instruction [WHEN value THEN instruction] [ELSE instruction] END	Can only be used in stored procedures. You can also find a more complete syntax here.
Oracle	IF condition THEN when_true [ELSE when_false] END IF	Can only be used in PL/SQL. More information can be found here.
Oracle	CASE [expression] WHEN value THEN instruction [WHEN value THEN instruction] [ELSE result] END	Can only be used in PL/SQL. More information and complete syntax here.

A clear distinction must be made about how those instructions can be integrated in queries. Oracle will require a vulnerability in a PL/SQL block since there is no other way to get the conditional structure executed. Other DBMS support the injection of conditions in stored procedures too, but they also give the attacker more flexibility. For example, injecting a new query in SQL Server will allow executing the condition. MySQL makes it even easier by providing an IF() function which can be integrated in any query (or WHERE clause).

Data Extraction

By combining inference attacks with bit operations, it is possible to extract almost any information from the database one bit at the time. This principle relies on the fact that inference attacks allows the attacker to find the status of one bit of data. When using some specific functions, it is possible identify precisely which bit we want to test. In other words, any bit of any string or number contained in the database can be tested. This technique is explained in details in the section about data extraction through binary operations.