Ferruh Mavituna has published a short paper called “Deep Blind SQL Injection” detailing a twist on the time-based side channel attacks. Instead of leaking one bit of information per request, the time delay is modified to carry more bits.

In the paper, he suggests multiplying the delay by some small factor (to reduce the chance of measurement error) and by the actual data we want to pass. If the factor is 2 seconds and we want to leak the number 10, the delay will be set to 20 seconds.

Another suggestion is to transfer 4 bits at a time, so in two queries one can get an actual byte of data. This is somewhat suboptimal for two reasons:
1. The usual entropy of data is much less than 8 bits per character
2. The channel may be able to carry more (or less) than 4 bits of data.

For example, if we had a reliable connection with the victim (so the factor can be reduced to 1 - 1.5 seconds) and we figure that a delay of one minute per query is suitable (to maximise the transfer rate while minimising the chance of causing problems for the server, and hence of detection), we can aim to pass 40-60 bits with one query.

If, on the other hand, the victim’s usual responses vary between 5 and 10 seconds (so our factor can’t be lower than 20 seconds) and the delay the server can comfortably tolerate is 30 seconds, we’re back to 1 - 1.5 bits per query.

In short, by combining simple compression with measurements of the particular victim’s response times, we can potentially boost the transfer speed of the side channel even further.
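To put numbers on the two scenarios above, here is a small channel model written for this post; it is an added example, not code from Mavituna’s paper or from the blog author. It counts the delay levels that fit between a known baseline response time and the maximum delay the server can tolerate, converts that to bits per query with log2 (a stricter accounting than counting levels directly), estimates how far a sample of real text sits below 8 bits per character, and shows when a measured response time can still be decoded despite jitter. The baseline, jitter and sample text are constructed values, and the assumption that every level is equally likely is mine.

```python
import math
from collections import Counter


def usable_levels(factor_s: float, max_delay_s: float) -> int:
    """Distinguishable delay levels 0, factor, 2*factor, ... that fit within
    max_delay_s; the zero-delay level is itself a symbol."""
    if factor_s <= 0 or max_delay_s < 0:
        raise ValueError("factor must be positive and max delay non-negative")
    return int(max_delay_s // factor_s) + 1


def bits_per_query(factor_s: float, max_delay_s: float) -> float:
    """Information carried by one response, assuming every level is equally
    likely (an assumption of this example)."""
    return math.log2(usable_levels(factor_s, max_delay_s))


def queries_needed(total_bits: float, factor_s: float, max_delay_s: float) -> int:
    """Requests required to move total_bits over this channel."""
    capacity = bits_per_query(factor_s, max_delay_s)
    if capacity == 0:
        raise ValueError("factor exceeds the delay budget; channel carries nothing")
    return math.ceil(total_bits / capacity)


def shannon_entropy_bits(text: str) -> float:
    """Average bits per character of a sample, to show how far typical data
    sits below the 8 bits that sending a raw byte would spend."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def decode_delay(observed_s: float, baseline_s: float, factor_s: float) -> int:
    """Recover the encoded integer from a measured response time by snapping
    to the nearest level above the known baseline."""
    return max(0, round((observed_s - baseline_s) / factor_s))


def decode_is_reliable(jitter_s: float, factor_s: float) -> bool:
    """Decoding stays correct only while the spread of normal response
    times is below half a step; otherwise neighbouring levels blur."""
    return jitter_s < factor_s / 2


if __name__ == "__main__":
    # Scenario 1: reliable victim, 1 s factor, one-minute delay budget.
    print("reliable link:", round(bits_per_query(1.0, 60.0), 2), "bits/query")
    # Scenario 2: responses vary 5-10 s, so the step is 20 s against a 30 s budget.
    print("noisy link:   ", bits_per_query(20.0, 30.0), "bits/query")
    # The fixed 4-bit scheme: 16 levels at a 2 s factor need a 30 s budget.
    print("4-bit scheme: ", bits_per_query(2.0, 30.0), "bits/query,",
          queries_needed(8, 2.0, 30.0), "queries per byte")
    # Constructed sample text: far below 8 bits per character.
    sample = "select username from users where id = 1"
    print("sample entropy:", round(shannon_entropy_bits(sample), 2), "bits/char")
    # Constructed measurement: baseline 7.5 s, level 1 at a 20 s step, 0.5 s late.
    print("decoded level:", decode_delay(28.0, 7.5, 20.0))
    print("2 s step survives 0.5 s jitter:", decode_is_reliable(0.5, 2.0))
    print("2 s step survives 2.5 s jitter:", decode_is_reliable(2.5, 2.0))
```

The per-query figures are what a defender wants for sizing detection thresholds: the channel’s rate is bounded by the delay budget divided by the step, so the delay profile of a slow, regular sequence of requests tells you roughly how much can leak per minute.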
