Class: Msf::Exploit::SQLi::MySQLi::BenchmarkBasedBlind

Inherits:
Common
  • Object
Includes:
TimeBasedBlindMixin
Defined in:
lib/msf/core/exploit/sqli/mysqli/benchmark_based_blind.rb

Overview

Time-Based Blind SQL injection support for MySQL/MariaDB using BENCHMARK() instead of SLEEP(). This is useful when the target application's database abstraction layer uses prepared statements that prevent SLEEP() and also reject subqueries inside IF(condition, BENCHMARK(...), 0).

Uses BENCHMARK(N * (condition), SHA1(rand)) instead of IF(), which embeds the boolean condition as a multiplier on the iteration count. When the condition evaluates to 1 (true), BENCHMARK runs N iterations and the response is delayed; when it evaluates to 0 (false), it runs 0 iterations and returns immediately. The condition must therefore reduce to exactly 0 or 1: a condition that yields NULL (for example a comparison against a NULL value) gives a NULL iteration count and no delay, so it is indistinguishable from false.

The iteration count is calibrated at runtime using a probe with the same
multiplication structure to account for any overhead from prepared statements.

Constant Summary

Constants inherited from Common

Common::ENCODERS

Instance Attribute Summary

Attributes inherited from Common

#concat_separator, #datastore, #framework, #null_replacement, #safe, #second_concat_separator, #truncation_length

Attributes included from Rex::Ui::Subscriber::Input

#user_input

Attributes included from Rex::Ui::Subscriber::Output

#user_output

Instance Method Summary collapse

Methods included from TimeBasedBlindMixin

#blind_request, #run_sql

Methods inherited from Msf::Exploit::SQLi::MySQLi::Common

#current_database, #current_user, #dump_table_fields, #enum_database_encoding, #enum_database_names, #enum_dbms_users, #enum_table_columns, #enum_table_names, #enum_view_names, #initialize, #read_from_file, #sleep_call, #version, #write_to_file

Methods inherited from Msf::Exploit::SQLi::Common

#initialize, #raw_run_sql, #run_sql

Methods included from Module::UI

#init_ui

Methods included from Module::UI::Message

#print_error, #print_good, #print_prefix, #print_status, #print_warning

Methods included from Module::UI::Message::Verbose

#vprint_error, #vprint_good, #vprint_status, #vprint_warning

Methods included from Module::UI::Line

#print_line, #print_line_prefix

Methods included from Module::UI::Line::Verbose

#vprint_line

Methods included from Rex::Ui::Subscriber

#copy_ui, #init_ui, #reset_ui

Methods included from Rex::Ui::Subscriber::Input

#gets

Methods included from Rex::Ui::Subscriber::Output

#flush, #print, #print_blank_line, #print_error, #print_good, #print_line, #print_status, #print_warning

Constructor Details

This class inherits a constructor from Msf::Exploit::SQLi::MySQLi::Common

Instance Method Details

#test_vulnerable ⇒ Object

Overrides test_vulnerable to use table subquery conditions that match the cost profile of real extraction payloads. Simple conditions like (SELECT 1)=1 cost ~10x more per iteration than table subqueries due to MySQL's prepare() handling, so testing with them would produce a massive delay overshoot at the iteration count calibrated for table subqueries.

# File 'lib/msf/core/exploit/sqli/mysqli/benchmark_based_blind.rb', line 37

def test_vulnerable
  # Same table-subquery shape on both sides: the true probe must delay,
  # the false probe must not, otherwise the injection point is not usable.
  out_true = blind_request(time_blind_payload('(SELECT count(1) from information_schema.schemata)>0'))
  out_false = blind_request(time_blind_payload('(SELECT count(1) from information_schema.schemata)<0'))
  out_true && !out_false
end

#time_blind_payload(condition) ⇒ String

Wraps a boolean condition into a BENCHMARK multiplication payload. BENCHMARK(N * (condition), SHA1(rand)) delays when the condition is true (1) and returns instantly when it is false (0). This bypasses prepare() limitations that reject subqueries inside IF(condition, BENCHMARK(…), 0). The iteration count N is calibrated on first use and cached for the rest of the session.

Parameters:

  • condition (String)

    A SQL boolean expression

Returns:

  • (String)

    The BENCHMARK multiplication payload

# File 'lib/msf/core/exploit/sqli/mysqli/benchmark_based_blind.rb', line 26

def time_blind_payload(condition)
  # Calibrate the iteration count once; later payloads reuse it.
  calibrate unless @benchmark_iterations
  # Random SHA1 input defeats query caching so every request does the work.
  "BENCHMARK(#{@benchmark_iterations}*(#{condition}),SHA1(0x#{Rex::Text.rand_text_hex(8)}))"
end